2015 BASC Presentations - Revision history

Tom Conner at 18:20, 5 October 2015

2015-10-05T18:20:45Z

Tom Conner at 16:15, 2 October 2015

2015-10-02T16:15:10Z

Tom Conner at 16:08, 2 October 2015

2015-10-02T16:08:53Z

Tom Conner at 02:45, 2 October 2015

2015-10-02T02:45:09Z

Tom Conner at 15:49, 1 October 2015

2015-10-01T15:49:14Z

Tom Conner at 13:26, 1 October 2015

2015-10-01T13:26:51Z

Tom Conner at 13:22, 1 October 2015

2015-10-01T13:22:59Z

Tom Conner at 03:42, 1 October 2015

2015-10-01T03:42:29Z

Tom Conner at 02:54, 1 October 2015

2015-10-01T02:54:29Z

Tom Conner at 22:24, 30 September 2015

2015-09-30T22:24:41Z

@@ Line 104: / Line 104: @@
 techniques.
-{{2015_BASC:Presentaton_Info_Template|How To Make Threat Modeling Work For You|Robert Hurlbut| | | }}
+{{2015_BASC:Presentaton_Info_Template|How To Make Threat Modeling Work For You|Robert Hurlbut| }}
 Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. In this session, you will learn practical strategies in using threat modeling in secure software design and how to apply risk management in dealing with the threats.

@@ Line 90: / Line 90: @@
 {{2015_BASC:Presentaton_Info_Template|Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks|Amin Kharraz| | | }}
-In this talk, we present the results of a long-term study of ransomware attacks that have been observed in the wild. We also provide a holistic view on how ransomware attacks have evolved during this period by analysing thousands of samples that belong to different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that defending against ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination on the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.
+In this talk, we present the results of a long-term study of ransomware attacks that have been
-Our findings contradict some security community discussions that suggest the impossibility of detecting or stopping these types of attacks due to the use of sophisticated, destructive techniques.
+observed in the wild. We also provide a holistic view on how ransomware attacks have evolved
 {{2015_BASC:Presentaton_Info_Template|How To Make Threat Modeling Work For You|Robert Hurlbut| | | }}

@@ Line 70: / Line 70: @@
 Assessing the security of web applications is similar to penetration testing but also has certain key differences.  In this presentation we will discuss what some of those similarities and differences are based on both academic research and real-world experience.  Based on these similarities and differences, we will present the penetration testing practices we have found can be leveraged, the practices that need to be modified, and the practices that should be discard when conducting web application security assessments.
-{{2015_BASC:Presentaton_Info_Template|Can Buffer Overflow Attacks Be Stopped? |Satya Gupta| | | }}
+{{2015_BASC:Presentaton_Info_Template_2|Can Buffer Error Attacks Be Stopped?|Satya Gupta|Ray DeMeo| | }}
-Buffer Overflow attacks are one of the most insidious and difficult to thwart exploits that exist in today’s modern IT security infrastructure. Most enterprise IT professionals have little understanding of how they work and why existing options generally fail in stopping them. While user input-based attacks are well understood and solutions exist and are emerging for them, buffer overflow attacks remain the bane of application security professionals everywhere.
+This presentation will focus on dissecting how buffer error attacks work, why they
 succeed through existing types of security products and an entirely new way of thinking
-This presentation will focus on dissecting how buffer overflow attacks work, why they succeed through existing types of security products and an entirely new way of thinking regarding how to stop them. Using examples from Virsec hacking labs, we will discuss this critical area of the security and new advancements, as well as demonstrate a buffer overflow attack that is thwarted using this new approach.
+regarding how to stop them. Using examples from Virsec’s research labs, we will
 {{2015_BASC:Presentaton_Info_Template|Cryptography: The Devil is in the Details|Matt Cheung| | | }}

@@ Line 117: / Line 117: @@
 {{2015_BASC:Presentaton_Info_Template|Securing Hadoop Application Ecosystem|Biju Nair| | | }}
-With more enterprises embracing Hadoop ecosystem to store, manage and  process large volumes data, securing it is vital. In this talk we will go over the fundamentals of Hadoop ecosystem and how it can be secured as it stands today.
+With more enterprises embracing Hadoop ecosystem to store, manage and process large volume of data, securing it is vital. In this talk we will go over the fundamentals of Hadoop ecosystem and how it can be secured as it stands today.
 {{2015_BASC:Presentaton_Info_Template|Threat Modeling Global Catastrophic Risks|Luke Donoho| | | }}

@@ Line 52: / Line 52: @@
 Please join Rob in this highly interactive workshop for a deeper dive down the security communication rabbit hole and experience a new way of communicating.
-{{2015_BASC:Presentaton_Info_Template|Resume Room|Roy Wattanasin and Jennifer Stitt| | | }}
+===Resume Room===
 "Resume Room" (2-hour session) BASC 2015's inaugural session

@@ Line 31: / Line 31: @@
 Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.
 {{2015_BASC:Presentaton_Info_Template|InfoSec Communication Workshop|Rob Cheyne| | | }}
@@ Line 60: / Line 52: @@
 Please join Rob in this highly interactive workshop for a deeper dive down the security communication rabbit hole and experience a new way of communicating.
 {{2015_BASC:Presentaton_Info_Template|Can Buffer Overflow Attacks Be Stopped? |Satya Gupta| | | }}

← Older revision		Revision as of 13:22, 1 October 2015
Line 39:		Line 39:

	Assessing the security of web applications is similar to penetration testing but also has certain key differences. In this presentation we will discuss what some of those similarities and differences are based on both academic research and real-world experience. Based on these similarities and differences, we will present the penetration testing practices we have found can be leveraged, the practices that need to be modified, and the practices that should be discard when conducting web application security assessments.		Assessing the security of web applications is similar to penetration testing but also has certain key differences. In this presentation we will discuss what some of those similarities and differences are based on both academic research and real-world experience. Based on these similarities and differences, we will present the penetration testing practices we have found can be leveraged, the practices that need to be modified, and the practices that should be discard when conducting web application security assessments.
		+
		+	{{2015_BASC:Presentaton_Info_Template\|InfoSec Communication Workshop\|Rob Cheyne\| \| \| }}
		+
		+	When presenting, teaching, or leading a discussion on technical topics, a big part of the secret to success is the ability to clearly explain technical information, and the impact it has on business risks. For some this comes more naturally than others, but this is absolutely a learnable skill.
		+
		+	In the time I’ve been teaching, I have had to come up with many ways of explaining information security concepts (both technical and non-technical) to vastly different audiences in a way that everyone gets it. In some cases, I’ve even been tasked with teaching security to hostile audiences, and had to figure out ways to get them to care.
		+
		+	One of the most important skills you can develop is the ability to explain something technical in a way that everyone can follow along, while simultaneously persuading your audience to care what you are talking about and leave them wanting more.
		+
		+	The formula often boils down to:
		+
		+	* using specific strategies to keep everyone engaged
		+	* conveying a story
		+	* clearly explaining the necessary details, and only the necessary details
		+	* not condescending to the technical folks in the room with overly simplistic explanations
		+	* simultaneously not leaving the less technical (or non-technical) folks in the room behind
		+
		+	This workshop session will provide you with practical tips and tricks for doing exactly this, and also provide some opportunities for practice. Practice makes perfect!
		+
		+	Please join Rob in this highly interactive workshop for a deeper dive down the security communication rabbit hole and experience a new way of communicating.
		+

	{{2015_BASC:Presentaton_Info_Template\|Can Buffer Overflow Attacks Be Stopped? \|Satya Gupta\| \| \| }}		{{2015_BASC:Presentaton_Info_Template\|Can Buffer Overflow Attacks Be Stopped? \|Satya Gupta\| \| \| }}

← Older revision		Revision as of 03:42, 1 October 2015
Line 92:		Line 92:

	This presentation explores the connections between threat modeling the Future of Humanity Institute’s (FHI) “Global Catastrophic Risks” and software threat modeling concepts, including the OWASP guide to Threat Risk Modeling. The impact to civilization from a technology perspective hinges on ensuring that proper risk is considered when developing technologies that the FHI has identified as catastrophic risks. While several risks are identified in by this institute, technological areas of focus are artificial intelligence and nanotechnology. An overview of each of these technology areas will be provided, as well as a deep dive into their associated risk. As these technologies continue to gain momentum, a risk assessment of their activities and impacts require a closer level of review and scrutiny as each implementation is evaluated. The most consistent finding in reviewing the various technologies is that an open framework of technological guidelines and threat models must be reviewed, applied, and revised by many professional security practitioners to assist in securing the long term fruition of our society and its inevitable technological reliance.		This presentation explores the connections between threat modeling the Future of Humanity Institute’s (FHI) “Global Catastrophic Risks” and software threat modeling concepts, including the OWASP guide to Threat Risk Modeling. The impact to civilization from a technology perspective hinges on ensuring that proper risk is considered when developing technologies that the FHI has identified as catastrophic risks. While several risks are identified in by this institute, technological areas of focus are artificial intelligence and nanotechnology. An overview of each of these technology areas will be provided, as well as a deep dive into their associated risk. As these technologies continue to gain momentum, a risk assessment of their activities and impacts require a closer level of review and scrutiny as each implementation is evaluated. The most consistent finding in reviewing the various technologies is that an open framework of technological guidelines and threat models must be reviewed, applied, and revised by many professional security practitioners to assist in securing the long term fruition of our society and its inevitable technological reliance.
−
−	~~{{2015_BASC:Presentaton_Info_Template\|Towards Effective Developer Training\|Casey Dunham\| \| \| }}~~
−
−	As a security consultant I do a lot of developer training sessions where I am routinely asked to go in front of a group of developers I have never met before, and teach them how to write more secure code. My approach to training is constantly evolving. After every training I do, self reflection occurs and materials are updated in preparation for the next session. Throughout the past year as I have performed trainings, I have learned a few techniques and topics that resonate, and a few that do not. In this talk I discuss what makes an effective program and offer my guidance on building it out.

	{{2015_BASC:Presentaton_Info_Template\|Using OSINT to Attack Web Applications\|Casey Dunham\| \| \| }}		{{2015_BASC:Presentaton_Info_Template\|Using OSINT to Attack Web Applications\|Casey Dunham\| \| \| }}

← Older revision		Revision as of 02:54, 1 October 2015
Line 32:		Line 32:
	Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.		Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.

−	A discussion of current trend of account checking attacks and the tools used to execute them. Data breaches have given attackers a large list of usernames and passwords that are often valid on many other unrelated sites. Cybercriminals use botnets in an attempt to gain access to rewards points and financial information in automated fashion. Attackers span from professionals running custom tools hosted worldwide to advanced penetration testers
	{{2015_BASC:Presentaton_Info_Template\|Account Checking and User Credential Fraud\|Kellen Kleinfelter\| \| \| }}		{{2015_BASC:Presentaton_Info_Template\|Account Checking and User Credential Fraud\|Kellen Kleinfelter\| \| \| }}

← Older revision		Revision as of 22:24, 30 September 2015
Line 5:		Line 5:
	We would like to thank our speakers for donating their time and effort to help make this conference successful.		We would like to thank our speakers for donating their time and effort to help make this conference successful.

		+	{{2015_BASC:Presentaton_Info_Template\|How I Teach Security\|Rob Cheyne\| \| \| }}
		+
		+	After spending over 10 years as a builder of software systems, and the next five years on the breaking side of things, I then spent over a decade teaching information security concepts to over 25,000 people around the world at leading global organizations.
		+
		+	Over the course of this work, I’ve noticed some interesting patterns across my body of students and clients.
		+
		+	In most organizations, I have seen have at least one critical area of the business where basic information security best practices were not implemented where they should be. In many cases, this is because people are either not factoring in an accurate representation of infosec risks into their planning & project life cycles, or they willfully ignore them.
		+
		+	The reason for this often boils down to one thing: the overall level of security awareness in most places is pretty low, even amongst developers, and even in organizations where you would think it should be a lot higher. Amongst business and management groups, it can be practically non-existent because security is still often assumed to be the purview of the security group, the infrastructure team, or the developers.
		+
		+	In such an environment, business requirements often take precedence over security requirements, even when the security requirements are truly protecting the best interests of the business.
		+
		+	I have seen that many people within a typical organization:
		+	* have little to no understanding of the actual risks they face.
		+	* have no idea how to balance rational security options against business requirements to mitigate those risks.
		+	* think that security is somebody else’s job, and ignore it accordingly.
		+	* believe that internal systems are somehow safe from attack
		+	* think that the data breach will never happen to them
		+
		+	I have come to believe strongly that this is as much as much our failure to communicate and influence information security initiatives as it is the business' failure to understand. Given the shortage of infosec professionals in the marketplace, I believe the only way we can scale ourselves is to communicate what we know more effectively.
		+
		+	In short, we need to learn how to communicate what we know much, much better than we are doing today.
		+
		+	Security is arguably much more of a people problem than a technology problem, and the ability to communicate rational security wisdom to people outside of the “InfoSec echo chamber” is a highly underrated skill. There are many areas of security where we have solid best practices, but they aren’t followed because the people who need to hear the message the most simply never receive it.
		+
		+	Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.
		+
		+	A discussion of current trend of account checking attacks and the tools used to execute them. Data breaches have given attackers a large list of usernames and passwords that are often valid on many other unrelated sites. Cybercriminals use botnets in an attempt to gain access to rewards points and financial information in automated fashion. Attackers span from professionals running custom tools hosted worldwide to advanced penetration testers
	{{2015_BASC:Presentaton_Info_Template\|Account Checking and User Credential Fraud\|Kellen Kleinfelter\| \| \| }}		{{2015_BASC:Presentaton_Info_Template\|Account Checking and User Credential Fraud\|Kellen Kleinfelter\| \| \| }}