• Day 1
    June 13th
    8:00 - 8:45
    8:45 - 9:00
    9:00 - 10:00
    Matt Thelen - A Practical Approach to Purple Teaming
    To get the most out of your red and blue teams and to improve detection and response capabilities, give them a common goal: ensuring a company's controls are effective and working as intended, AKA Purple Teaming. I will cover the benefits of this approach. I will walk you through some of the early challenges we faced and how we overcame them, how we leveraged the MITRE ATT&CK™ Framework to establish a common language and approach, and how we measured success through each engagement.
    10:00 - 10:20
    Morning Break
    10:20 - 11:20
    Dave Chronister - Some assembly required, instructions not included.
    Policy is the bane of everyone. But why? Too intrusive, doesn't represent the actual environment? Throughout my 20+ years in IT and 13 years dedicated to information security, I've realized most security issues happen because of bad security policies. We don't hate policy, we hate bad, ineffective policy. In this talk we're going back to basics to understand how to use policy as effective instructions on building a secure infrastructure.
    11:20 - 11:30
    A message from our sponsors...
    11:30 - 12:30
    Valerie Thomas - The Dark Side of Physical Access Control Systems
    In the hacking world, physical access is the ultimate goal for attackers. To defend against this threat, sophisticated physical access control systems are installed, but they are often misconfigured and not used to their full potential. Even worse, some misconfigurations can turn a multi-million-dollar physical access control implementation into an attacker's best friend, allowing them to essentially become invisible to traditional detection methods. This session will provide the audience with a foundational understanding of a traditional physical security environment, a demonstration of trending attacks, and a roadmap to locking down deployed implementations.
    12:30 - 1:30
    1:30 - 2:00
    Freetime - Sponsors, Networking & More
    2:00 - 2:50
    Hudson Harris - Human Centered Design and You: Hack Your Life.
    Do you want to be even more awesome than you already are, but it's impossible to improve upon your existing greatness? Well, you're right. However, in the off chance you want to learn the black magic of human centered design (HCD) and how to apply it to work, life, love, and future campaigns to destroy your enemies, then this is the talk for you. During this session we will cover the foundations of HCD: inspiration, ideation, and execution. Once this groundwork is laid, we will walk through easy sample projects to show how you can improve the design of your software products, mental health, and plans for world domination. Attendees to this talk will leave with a personal sense of being awesome, tools to create meaningful change, and a framework they can apply to any area of their life. The goal of this talk is to empower everyone with the HCD techniques to design a better life, job, or a robot.
    2:00 - 2:50
    Kevin L Johnson - The Art of Cyberwar: A Foundation and Framework for the Development of TTPs
    Cyberspace is a warfighting domain, on par with other warfighting domains: Land, Sea, Air, and Space. It is a force multiplier, securing and enhancing the effectiveness of other domains and their missions. It is also the world's newest warfighting asset that demands attention; defensive and offensive as well as tactical and strategic. When I took on this endeavor, many have often asked, how can I cover such a broad and enigmatic topic? Particularly, when so many still argue over the definition of cyber, how, where and when it should be applied? Who should be in charge of it and when command and control is delegated? Someone(s) has made this more complex than it needs to be. The realization of cyber and its proper application has been long overdue for the laying of plans. Cyberwar is an integral part of war, Sun Tzu having already laid the groundwork. Sun Tzu said: 1. The art of war is of vital importance to the state. 2. It is a matter of life and death, a road either to safety or ruin. There is much to be said about the correlation between the Art of War and the Art of Cyberwar; however, that being said, this is not a replacement for the Art of War nor is it an evolution. It is simply, like its namesake, a framework and foundation; empirical guidance on what is important and why. The Art of Cyberwar starts with the 'Tenets of Cyberwar'. And, comparable to Sun Tzu, "The General that harkens to my counsel and acts upon it, will conquer: let such a one be retained in command! The General that hearkens not to my counsel nor acts upon it will suffer defeat: let such a one be dismissed." The Tenets of Cyberwar are: Reduce the Threat Surface (Reduce/Eliminate Access, TRU Encryption: 'in-Transit, at-Rest, in-Use', Defense-in-Depth, Deny by Default/Allow by Exception), Cyber Terrain, Defensive Cyber Operations (DCO), Offensive Cyber Operations (OCO), Threat Actors, Legal-Ease, Cyber Partners and Emerging Technologies.
    It is these key tenets that help highlight the importance of cyber in war, in its element, cyberspace. Cyberspace is a key tenet of kinetic success – on and off the battlefield. Cyberwar targeting and attack does not exist in a battlefield vacuum! In Cyberwar, all cyber services (Financial, Medical, Alert Systems/First Responders: Fire, Police, Ambulance, Industrial, SCADA, Transportation, Communication Networks, Supply Chains, etc.) are all impacted. In addition to the military aspect! An attack by a threat actor/adversary does not and will not limit itself to battlefield targets; at one time, separation between battlefield and the actual nation state was dependent on where the actual battle was fought, with the location of the battlefield taking the biggest negative impact. However, that is no longer the situation. Anyone, anywhere, with the right capabilities, resources and skill sets can impact any country without co-location to the country or battlefield. The Art of Cyberwar requires a change in how countries prosecute their wars, how they plan and prepare, and how they determine and define war. The world is already at war. Some countries know it; others simply don't or don't want to believe it, and getting up to speed is the true challenge. It is a mission impossible. But, unlike the old TV series and recent movies, every country, company and infrastructure must start with the basics…the best offense is a good defense. In cyberspace, those who attack without the benefit of good defenses are mutually assuring their destruction.
    2:00 - 2:50
    John Clark - Sync Your Sh*t; Why it's time you paid attention to time.
    Accurate time synchronization underpins the entire connected landscape we rely on for our day-to-day modern existence – what happens when the heartbeat of society is interrupted? This presentation will provide an overview of the various ways we rely on precisely distributed timing signals for our basic existence and describe some of the threat vectors that will send us back to the stone age if we don’t proactively develop new solutions and approaches. Specific topics include less-than-publicized examples of previous incidents with the single-point-of-failure that 10% of our U.S. GDP relies on, the single command that could take down bitcoin, and basic network topology advice that could save your organization from being the next newsworthy victim of a hack – should be a good time!
    2:50 - 3:10
    Afternoon Break
    3:10 - 4:00
    Scott Holman - Cracking the Code - Hacking the Human Mind
    Many cyber security and IT professionals consider themselves introverts and find comfort in their relationship with their computer and the network(s) they are protecting. Although these professionals are very astute in protecting their organization's network environment, many struggle with adequately being heard by leadership as they present the threats and solutions required to keep the organization running safely and effectively. Just as technology is a science, cracking the code to the human mind is also a learned science. Although many feel they are not naturally inclined at connecting and communicating with others, the science can be learned to allow a professional to grow to higher levels of success as he learns and implements the skills required to connect with and persuade others. Cracking the Code will simplify the complex and unnerving skill set of persuasion so that all IT and Cyber Security professionals can not only hack technology, but also hack the human mind.
    3:10 - 4:00
    Kurt Aubuchon - The rising geopolitical cyber power
    Writing for the Foreign Policy Association's Great Decisions 2019 Briefing Book, national security expert Dr. Richard Andres argues that the world is in the midst of a great geopolitical shift, in which US dominance will be threatened by rising cyber powers Russia and China. This presentation will analyze Andres's arguments and, by providing real-world examples, challenge Andres's conclusions. While Andres correctly sees a threat to US dominance in cyber conflict, the future may be more worrisome than even he predicts.
    3:10 - 4:00
    Andy Thompson - Confessions of Really Bad SysAdmins
    It's a common belief that SysAdmins make great Infosec professionals. Many believe this is due to their wide knowledge of software and technologies. In reality, it's because THEY KNOW WHERE THE DEAD BODIES ARE! That's right. Learn from the mistakes of real sysadmins. Witness and learn the mistakes and confessions of current and former Systems Admins. These stories were collected from my 23 years in the trenches, handed down from one generation of sysadmin to the next, and from Twitter. :) We'll cover how topics like misconfiguration of applications, circumvention of controls, and plain-old laziness have introduced countless amounts of risk to organizations. Most importantly, we'll talk about how controls can be introduced to counter Inside Risk such as this and why sharing these confessions is actually a good thing.
    4:10 - 5:00
    Vadon Willis - How to screw up your Incident Response investigation in 10 steps or less.
    There are a few certainties in life: you'll pay taxes and your company will have an incident. Unfortunately, many of these incidents are discovered by employees who are not familiar with evidence handling, containment, or escalation. These seemingly small mistakes at the beginning can mean the difference between a successful or inconclusive investigation. In this talk, Vadon is going to go over common mistakes first responders commit during an incident and how you can overcome them.
    4:10 - 5:00
    Tim Grace - Control of Unclassified Information in Non-Federal IT Systems - Or What You Don't Know Can Cost You
    Executive Order (EO) 13556 was signed by President Barack Obama on November 4, 2010. EO 13556 called for the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations. EO 13556 set in motion the National Archives and Records Administration (NARA) as well as the National Institute of Standards and Technology (NIST) in defining CUI and developing guidance for protecting CUI. In this session you will learn exactly what CUI is, and how it may be present in your system, even though your organization does not deal directly with the Federal government. You will also learn the requirements for protecting CUI within your systems and how to implement a risk management framework per NIST guidance.
  • Day 2
    June 14th
    8:00 - 9:00
    9:00 - 9:50
    David Vaughn - The Making of Ch0mps - How the Bitcoin Crash Facilitated the Making of an Affordable Monster
    "The Making of Ch0mps - How the Bitcoin Crash Facilitated the Making of an Affordable Monster" is the complete journey of how I followed Sean Peterson's direction to "train my Kraken". Sean gave us the technical foundation of passwords and hash use, direction for cracking passwords, and what we could hope to expect. I will be taking you through my journey of leveraging the Bitcoin crash and using custom mining hardware to build an affordable password cracking rig that can rival the big boys with large budgets at a small fraction of the cost. The specific technical hurdles and errors experienced will be presented along with their fixes. My goal is to provide attendees with a highly valuable experience including all of the information they will need to build their own monster at a fraction of the expected cost, while also providing a frictionless build experience by providing a "heads up" for all of the hurdles they can expect to face, alongside the necessary fixes to get over said hurdles. I will not be rehashing (no pun intended) previously discussed material on password cracking.
    9:00 - 9:50
    Cliff Smith - Redesigning Password Authentication for the Modern Web
    We all know passwords are a major pain point for the security industry. But the biggest problem isn’t password reuse, Password123! or users who fall for a phish too easily. It’s that the current design of password authentication in the browser is fundamentally flawed. Asking users to submit their passwords in the body of POST requests may have made sense back in the early days of the Web, but not anymore. Between flaws in the transport layer, malicious JavaScript and phishing websites, it is simply too risky to transmit passwords into the DOM and through HTTP, and neither multifactor authentication nor federated identity management solves these problems. But we can do better: all we need to do is deploy some well-established crypto and rethink how we prove and verify possession of a password. This talk will describe and demonstrate a redesign of browser-based password authentication that adds phishing resistance and protects against man-in-the-middle attackers while training users on good security habits.
    9:00 - 9:50
    Mike Morris - Why should your employees know how to phish?
    Hackers have similar traits to intelligence operatives: both are intelligent, patient, skilled in their craft and very aware of their surroundings. However, the odds are always in the favor of hackers; they need to only win once out of numerous attempts. Organizations, on the other hand, are understaffed, underbudgeted, have tight deadlines and employ individuals who often lack the skillsets to defend the organization. Worst of all, the organization must always win. How are organizations to compete? This talk will cover the hacker methodology, organization weaknesses and the benefits of championing inexpensive and effective education programs for their employees.
    9:50 - 10:10
    Morning Break
    10:10 - 11:00
    Isaiah Saju - Why your red team shouldn’t be snowflakes
    Red teaming requires the use of specialized tools. However, this should not exclude operators from using the same technology, adhering to the same procedures, and following the same policies as their colleagues throughout the organization. Some argue that this will prevent operators from executing on their duties. The contrary is true. With a few exceptions in place and thoughtful architecture considerations, treating red teamers as regular employees will improve their testing and reduce the risk that red teamers bring to organizations.
    10:10 - 11:00
    Justin L. Bauman - Penetration Testing: The Good, Bad, and the Ugly of Vendor Management, Reporting, and Risk Management (or lack thereof)
    Penetration testing has become a vast sub-industry of the Information Security industry as we know it today. This presentation will be an overview of measuring true risk in testing reports, separation of vulnerability management and penetration testing, and a deep dive on vendor management and vendor engagement.
    11:10 - 12:00
    Ryan Wisniewski - 0Day to HeroDay: Bringing a company from scorched earth to a modern security organization
    This talk will outline how a company was brought down to its knees from a ransomware attack, how it rose from the ashes, and how it now has a full security organization. Ryan will take you through the thrilling adventure of building incident response, system architecture, disaster recovery, and system operations on the fly while the business was down - and how the group ensured the business could come back online without risk of reinfection. Then, he will discuss how he started a security organization from scratch and talk through the challenges of maturing an organization that was on the brink of destruction just a few months ago.
    11:10 - 12:00
    Dan Yarger - It's 5PM. Do You Know Where Your Data Is?
    Cloud, local, network, portable. These storage types have the potential to leave your company’s proprietary and confidential data at risk for both data loss and compliance issues. Let’s discuss the advantages and security pitfalls of these storage types and how organizations can better secure their data. We will also discuss ways that organizations can hone their policies to prevent data loss from malicious attacks or accidents.
    12:00 - 1:00
    1:00 - 1:30
    Freetime - Sponsors, Networking & More
    1:30 - 2:30
    Kevin Johnson - The Great Explainer: Feynman and Standing on the Shoulders of Giants
    InfoSec has a problem. We can't keep up with the needs of our organizations and networks. We are often overwhelmed by the amount of things we need to learn and we struggle to help those coming up behind us. This is a huge issue. While Kevin is no Richard Feynman, he is an admirer. And as such there is a realization that we as an industry are failing at one of the things that has made us what we are today: training and learning. In this presentation, Kevin Johnson of Secure Ideas will walk people through the how and why we need to build mentorship and apprenticeship programs within our organizations and communities. This talk will use real world security issues and examples to explain how these programs work and how we can be better than we are.
    2:30 - 2:35
    Message from our Sponsors
    2:35 - 3:35
    John Wagnon - TLSv1.3: Minor Version, Major Changes
    TLSv1.3 was approved recently and, despite the deceptively minor version bump from v1.2, there are major changes in the protocol. Learn about the changes and how they might affect you. In this talk, I will go over the basics of the TLS protocol and then dive into the details of how TLSv1.3 is significantly different than any of the previous versions.
    3:35 - 3:40
    Message from our Sponsor
    3:40 - 4:00
    Afternoon Break
    4:00 - 5:00
    Jayson Street - I PWN thee, I PWN thee not!
    Attackers love it when defenses fail. Implementing defenses without properly understanding the risks and threats is usually a waste of money and resources. This is a frank discussion of what control failures an attacker looks for when attempting to breach an enterprise, as well as how an effective control can help prevent an attacker from being successful. Jayson will walk through real-world scenarios that have led to successful compromise of different companies through control failures. He will also give detailed analysis of controls that led to his attacks being effectively thwarted. Learn how to understand and assess real-world risks, as well as simple defenses which can be implemented to better protect your organization. With a 95% chance of not using any fireworks or minor explosives, Jayson will thrill the audience with ways to better defend their networks from criminals, nation states and Suzy in accounting! Come for the explosive hyperbole but stay for the hugs! While his talk is in English, AWESOME is universal!!
    5:00 - 5:15
    Closing Remarks
    6:00 - 9:00
    Friday Night Party! Theme: AI - Your AI gets in for free.
    7:00 -
    McChris Performs!