CTF Sponsor: Capital One

www.capitalone.com

@CapitalOne

Capital One

We are very pleased to announce Capital One is our sponsor for the CTF this year! Please stop by and say hi to their representatives in the Capture the Flag room.

RVAsec 2016 Register now!

 


Bronze Sponsor Feature: Sycom

www.sycomtech.com

@sycomtech

SyCom Technologies

Founded in 1996, SyCom designs, delivers and supports IT solutions that optimize business results. With offices in Richmond, Roanoke, Virginia Beach, Vienna and Huntington, WV, our focus is primarily the mid-Atlantic with national delivery capability. With more than $70 million in revenue, we are one of the largest systems integrators on the East Coast. Named “Best Place to Work in Richmond,” SyCom is an employer of choice for the best IT talent in the region. More than 70% of our engineers have an average of 12 years of experience, underlining our commitment to provide sage advice that you can trust.

Register for RVAsec now!

 


Speaker Feature: Joey Peloquin

Joey Peloquin


@jdpeloquin

www.rulefive.co

Joey has more than 20 years of experience in the information technology industry, specializing in information security for over 15 years. Prior to joining the Citrix Security team, he served as the director of professional services for GuidePoint Security, heading up the security assessments, application and mobile, and cloud security consulting practices. Joey is an active member of the information security community, speaking frequently at conferences and events such as BSides, RVAsec, OWASP, and TakeDownCon. He has also written, or appeared in, articles by Hakin9, SC Magazine, SD Times, and Network World.

Deceptive Defense: Beyond Honeypots
Everyone knows malicious hackers utilize deception all the time. Maybe it’s a tactical DDoS attack, meticulously timed to misdirect defenders from an initial intrusion, or perhaps a data exfiltration event. Attackers reuse competitors’ code, and compile malware in languages other than their own to encourage false attribution. The examples are endless. Quarterbacks are masters of deception, too. This talk compares deceptive practices of top NFL quarterbacks with practical deception in the Enterprise, and offers suggestions on how security practitioners can utilize ruses, disinformation, misdirection, and other techniques to increase the cost of targeting an organization to the point that the risk no longer justifies the reward. The presentation covers effective recommendations deployed in production environments today that don’t require purchasing expensive deception systems.

Register Now!


Silver Sponsor Feature: Checkpoint

www.checkpoint.com

@checkpointsw

 

Check Point Technologies

Since 1993, Check Point has been dedicated to providing customers with uncompromised protection against all types of threats, reducing security complexity and lowering total cost of ownership. We are committed to staying focused on customer needs and developing solutions that redefine the security landscape today and in the future.

Come see us at RVAsec! Register now.


Speaker Feature: Inga Goddijn and Becky Swanson

Inga Goddijn & Becky Swanson

@AnalogGirl11

www.riskbasedsecurity.com & www.markelcorp.com

Risk Based Security / Markel

Becky Swanson

Becky Swanson is the Managing Director of Miscellaneous E&O at Markel; this includes the Misc. Professional Liability, Information Technology Professional and Data Breach Liability coverage. She began her insurance career in 1996 and is an experienced miscellaneous professional, technology professional and cyber liability specialist with experience in all professional liability insurance coverages. She has managed a team of underwriters, providing training and leadership with a focus on misc./technology professional and employment practices liability risks. Her focus has been on Miscellaneous and Technology Professional and Cyber liability coverage for the past 10 years. As the Managing Director of Misc. E&O, Technology and Cyber Liability products at Markel Corporation, she is responsible for policy language analysis and development, creation and implementation of underwriting guidelines, rate strategy analysis, training and continued education. Her presentations include serving as a continuing education instructor on Cyber and Misc. Professional Liability insurance, coverage panels sponsored by brokerage firms, Data Privacy and Security Exposures for public entities, panel discussions for ACI’s Cyber & Data Forum, NetDiligence Cyber Forum, PLUS panel discussions on Emerging Trends in Professional Liability and What’s New in the Realm of Real Estate, and a Cyber Security World panel on cyber insurance.

Inga Goddijn

Inga has been involved with technology risk and specialty insurance coverages since 1993 and has a wealth of experience with information risk identification and transfer. Her focus is the strategic management of data privacy and security exposures, with an emphasis on leveraging data-driven risk assessment to build sustainable and scalable programs.

As the leader of the insurance practice group at Risk Based Security, Inga is responsible for a variety of client advisory services including management and mitigation of data security and privacy risk, policyholder risk reduction programs and the development and implementation of cost-effective breach response solutions. As a strong advocate for sharing knowledge, Inga has presented at a variety of industry forums and has led many continuing education sessions throughout the U.S. She currently holds a CIPP/US designation.

Show Me The Money! Uncovering The True Cost of a Breach
It’s become the quintessential million-dollar question: how much does a data breach cost? Unfortunately, reliable open sources for answering that question are few and far between. With budgets under a microscope and resources stretched thin, being able to reasonably estimate breach costs is an important part of gaining buy-in for new security initiatives and defining acceptable levels of risk. This session will demystify the process of estimating breach costs by taking a closer look at the different factors that drive event expenses. Using real case examples taken from actual breaches, the session will break down the various elements that contribute to the cost of a breach and include ideas for calculating these expense factors. We’ll round out the session with a discussion of how the breach, along with the response effort, influences “soft” costs as well, such as reputation damage and lost business.

Register Now!


Silver Sponsor Feature: Palo Alto Networks

www.paloaltonetworks.com

@PaloAltoNtwks


As the next-generation security company, we are leading a new era in cybersecurity by safely enabling all applications and preventing advanced threats from achieving their objectives for tens of thousands of organizations around the world. We are one of the fastest growing security companies in the market because of our deep expertise, commitment to innovation, and game-changing security platform focused on bringing an end to the era of breaches by uniquely integrating our Next-Generation Firewall, Advanced Endpoint Protection, and Threat Intelligence Cloud.

Come see us at RVAsec! Register Now.


Badges: Hack.RVA At It Again!

We are very pleased that Hack.RVA will be the masterminds behind our badges once again!  They have been with us since the very beginning and this makes it the 5th conference in a row. We know just how much work is involved with this project and we are privileged to have their creations at our conference!

We recently spoke with Morgan Stuart and Paul Bruggeman about the badges:

(RVAsec) The badges have always been a huge hit at RVAsec. Can you tell us a little about the badges and the process over the years?

For us, the goal of the RVAsec badge has always been to make something that gets the conference goers talking and engaging with each other. That means puzzles, games, and usually some way to screw with each other.

This year, like the past years, the badges have all been built by hand, right here in RVA by a bunch of crazy HackRVA members. We start from bare copper boards, etch out our custom design, place surface-mount parts, hand-solder through-hole components, and flash them with our own firmware. This removes any manufacturing cost, which frees up some green to stuff the board with cool features and components. It also gives the badges a unique look that you won’t find anywhere else.

This will be the fourth RVAsec badge that Paul and I have organized out of HackRVA, and each year we try and find ways to improve on the end result. It’s been challenging, but everyone is proud of the progress we make each year. We’ll have all the past years’ badges on display at our booth, so newcomers and nostalgia-seekers should come check it out.

(RVAsec) What are the plans for the badges this year?  What are the new features?

We really liked last year’s hardware, and felt that the design could stick around at least one more year. Still, we reworked the layout quite a bit to help prevent the hardware failures we were seeing and improve some of the functionality. Since we didn’t have to redesign the hardware from scratch, or implement drivers for new components, we could procrastinate a bit more on the whole project. In all seriousness, we’ve used the extra time to involve more people and start thinking a little bigger with software. We have a lot more people cranking out code, including some special attention to power management. We’re looking forward to the inevitable commit/merge frenzy in the final days.

(RVAsec) How is the badge build process going this year?

We’ve etched, placed parts, and performed an initial QC on over 350 Badges. Now we’re soldering on the final through-hole components and doing a more thorough QC pass on every board.

(RVAsec) It was rumored the badges played a part in the CTF last year.  Can you tell us more?

It wasn’t a secret – last year we had a wide range of challenges for people to complete on the badge that would net them points in the conference CTF. Difficulty ranged from following simple instructions within the badge’s menu, to parsing through the raw firmware, to decoding low-frequency serial transmissions. And yes, there will be more badge CTF challenges this year!

(RVAsec) If someone wanted to hack them, what would they need to do?

The badges will again have standard USB, which can be used to re-flash the firmware or even call many of the core routines.

(RVAsec) Can you give attendees any other hints about the badges?

We’ve always enjoyed adding some nostalgia-factors to the badge, and this year will be no different. Also, this year’s badges should match almost any outfit…

(RVAsec) Anything else?

Obviously Paul and I are not doing this alone, we’ve had amazing help from some very dedicated volunteers out of HackRVA. We start in the fall with hour-long meetings each week and we slowly ramp up to 4-hour build sessions in the spring. It’s quite the commitment and support grows every year. Quick shout-out to some of those that have been contributing:

  • Jon Lundquist
  • Alan Ford
  • Lloyd Flanagan
  • Jason Phillips
  • Allison Sands
  • Thad Martin
  • Eli Woods
  • Giovanni Viscardi
  • Charles Nelson


We are very excited to see the badges this year and know RVA5ec attendees will love them again!

If you have time to visit one of their Thursday night Open Houses that occur every week, like tonight, you should go check them out!


Speaker Feature: Caleb “chill” Crable & Evan “detro” Keiser

Caleb “chill” Crable & Evan “detro” Keiser

@dirtywhitehat @detro

Caleb Crable

Cylance
Caleb is a Malware Analyst at Cylance, a practicing dirtywhitehat, and a frequent contributor to the information security community both online and at technology security events. Caleb enjoys long walks on the beach with polymorphic malware in his leisure.

Evan also serves as a Malware Analyst at Cylance, constantly disseminating new threat intelligence among his team and performing security incident reconstruction in his spare time. Based in Raleigh-Durham, North Carolina, in his free time Evan is an avid lock picking enthusiast and penetration tester who enjoys finding holes in virtual and physical security controls of all kinds, Belgian waffles and hacking all the things.

Cloud & Control: Where do we go from here?
With so many people taking advantage of the cloud, no one really thinks about how the cloud is taking advantage of you. We will be taking an in-depth look at the pros, and mostly cons, of the datacenter clusters that we harmlessly refer to as cloud infrastructure. Whether it be saucy selfies, bank or medical records, or even just highly valued data in general: how safe do you actually think it is…on someone else’s computer?

Register Now!

 


RVA5ec Schedule Now Posted!

The full schedule for the RVA5ec 2016 conference is now published!

With the huge success of last year we have kept things pretty consistent for 2016.

Registration & breakfast start at 8 AM on Thursday, June 4th and end at 6 PM (followed by the after party).

Registration and breakfast start again at 8 AM Friday, June 5th and end at 4 PM, followed immediately by the closing reception at VCU.

For the full details and times for specific talks, please see the schedule page.


Silver Sponsor Feature: GE

www.ge.com

@ge

GE

GE (NYSE: GE) is the world’s Digital Industrial Company, transforming industry with software-defined machines and solutions that are connected, responsive and predictive. GE is organized around a global exchange of knowledge, the “GE Store,” through which each business shares and accesses the same technology, markets, structure and intellect.

Come see us at RVAsec! Register now.