RVAsec 2019 has ended
Business
Wednesday, May 22
 

11:00am EDT

Automating Information Security
While the complexity of modern security breaches continues to increase, security professionals have to find a way to handle the increasing number and complexity of attacks. Security automation is key to maintaining network security but has not been heavily adopted. This presentation will use NIST-defined security controls to provide insight into how automation can be leveraged for information security.

Speakers
Danny McCaslin

Systems Administrator, Frederick Water
Danny McCaslin is a Systems Administrator at Frederick Water in Frederick County, Virginia. He recently ended a five-and-a-half-year stint as a systems administrator at the Northwestern Regional Adult Detention Center in Winchester, VA. Danny recently graduated with a Master's degree...


Wednesday May 22, 2019 11:00am - 11:50am EDT
Ballroom, 2nd Floor

1:00pm EDT

One Man Army - Playbook on how to be the first Security Engineer at a company
How often have you heard that 'Early stage startups don't care much about Security because if there is no product, there is nothing to secure'? Although there is merit in the argument that startups need to build product so as to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer, who can be somewhere between the 10th and 300th employee. By the time the first Security Engineer is on-boarded, the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a 'one-man army' keeping the attackers at bay. In this talk, I will present a playbook on how to perform as one.


Speakers
Kashish Mittal

Head of Security, Oxygen
Kashish Mittal is a Security Researcher and Engineer. He currently is the Head of Security at MileIQ, a Microsoft startup. He has worked for companies such as Elevate Security, Duo Security, Bank of America, Deutsche Bank etc. By choice, he is an ethical hacker and an addicted CTF...


Wednesday May 22, 2019 1:00pm - 1:50pm EDT
Ballroom, 2nd Floor

2:00pm EDT

Secure 9-1-1 and Protecting Our First Responders
In the past, 9-1-1 networks were mostly closed networks with no access to the outside world, so there has been a lack of need to think about information security, because why should you? With technology advancing, software vendors are now utilizing cloud services, and there are outside public safety applications that now need to communicate to 9-1-1. This has led to many centers in the last decade opening up their networks. The next several years will also be a large change for 9-1-1, as they will be switching from the analog Enhanced 911 (E911) to the digital NextGen 911 (NG 911) system. For large metropolitan PSAPs, this will be a blip on the radar, as they have the resources and personnel to handle the changeover; smaller and rural PSAPs will have the same information security concerns, but they will not have the resources or personnel available to them to address these concerns. There is a large list of security concerns for 9-1-1 centers to acknowledge and start addressing before the switchover to NG-911. I will go over telephony denial of service attacks on the analog E911, the VoIP NG-911, and the non-emergency lines; prank/hoax calls to 9-1-1 (what I universally call “swatting”) and the ways they can be accomplished using technology past and present; various attack vectors to the Computer Aided Dispatch, or CAD, network and why that data needs to be protected both currently and in the future with NG-911; and physical/internal threats to the 9-1-1 center for both the data and the security of the dispatchers. This is just an informational talk about these concerns to help bring awareness to what we face in the public safety industry and how we handle it with the limited resources we have available to us.

Speakers
Christine Giglio

CAD Administrator, Bedford County Department of E-911 Communications
I am the CAD Administrator for Bedford County, VA department of E-911 communications. Prior to this position, I was the Public Safety LAN Administrator for Bedford County, VA Sheriff’s Office, Fire & Rescue, and E-911 communications for 10 years. Bedford County is a rural joint...


Wednesday May 22, 2019 2:00pm - 2:50pm EDT
Ballroom, 2nd Floor

3:00pm EDT

Compliance, Technical Controls, and You
Information Security compliance without enforcement through technical controls is just checking boxes. On the other hand, technical controls without the backing of compliance through effective policy and management support can equate to just playing with the latest bright and shiny security-related hardware and software. We will walk through effective and popular techniques used by attackers. Then the compliance and technical controls that are designed to detect and mitigate these techniques will be discussed in depth.

Speakers
Derek Banks

Security Analyst, Black Hills Information Security
Derek is a Senior Security Analyst at Black Hills Information Security and has over 20 years of experience in the IT industry as a systems administrator for multiple operating system platforms, and monitoring and defending those systems from potential intruders. He has worked in the...


Wednesday May 22, 2019 3:00pm - 3:50pm EDT
Ballroom, 2nd Floor
 
Thursday, May 23
 

10:10am EDT

Was I Supposed to Mix the Security in Before I baked it?
Security practitioners advocate ideals through clichés and analogies to help others understand complex problems.  One prominent analogy espouses baking security into a solution instead of bolting security on at the end.  This seems like an obvious analogy – a baker certainly can’t add flour to a cake after it’s in the oven.  In business reality, time-to-market beats security every day of the week.  How can an architect bake security into solutions when the extra time could result in a failed venture?  This talk explores the realities of blending security into the design and implementation of solutions with a goal of realizing better is not the enemy of perfect.  Some implementations bolt on security beautifully; other design patterns prove impossible to correct.  Look forward to a meme-filled tour of architectures, design patterns, and lessons learned that will help security practitioners and business people identify if they’re cooking soup or baking cakes (…if that sounds like a mixed metaphor, don’t be late for supper). 

Speakers
Brandon Martin

Security Craftsman
Brandon Martin is a solo security practitioner at Deconstructed Security, LLC. He helps clients find the right investments, partners, and internal improvements to mitigate cybersecurity risk. Through his experiences he earned the Offensive Security Certified Professional (OSCP), Certified...


Thursday May 23, 2019 10:10am - 11:00am EDT
Ballroom, 2nd Floor

11:10am EDT

Breaking and Entering: Emulating the Digital Adversary in 2019
As one of the United States government's premier assessment and penetration testing organizations, the Department of Homeland Security (DHS) National Cybersecurity Assessments and Technical Services (NCATS) team is responsible for proactively identifying risk against federal, state, local, territorial, and critical infrastructure networks. This session will provide detailed insight on how DHS emulates the digital adversary in order to identify and mitigate risk against our nation's infrastructure through core capabilities in vulnerability scanning, penetration and red team testing, design review, and phishing assessments. The quantifiable and objective data gained by the NCATS team will allow attendees to gain a comprehensive understanding of the issues that affect government networks and how DHS is helping to overcome them.

Speakers
Robert Thompson

Deputy Branch Chief, DHS
Bobby Thompson is a member of DHS’ National Cybersecurity Assessment and Technical Services (NCATS) team leading the effort to secure our nation’s critical infrastructure and government resources. NCATS is responsible for conducting comprehensive penetration tests, red team assessments...


Thursday May 23, 2019 11:10am - 12:00pm EDT
Ballroom, 2nd Floor

1:00pm EDT

Security Mind Expansion
Information security is always changing and to keep up with these changes we need to somehow upgrade the professionals to keep up.  In order to do this we need to expand the brain of the information security professionals. In this presentation we will cover several modern day philosophy concepts and how to incorporate these concepts into your everyday practice. These concepts include: ontological design, looking-glass self, feedback loops, flow state, cognitive play. Applying these concepts will hopefully expand your mind and improve how information security is conducted.

Speakers
Chandos Carrow

Deputy Information Security Officer, Virginia Department of Health
Chandos Carrow is a Co-Information Security Officer for the Virginia Department of Health.  He has worked for the Commonwealth of Virginia for more than 10 years and has been with the VDH for almost 2 years.  Chandos has worked in several state agencies in his career including healthcare...


Thursday May 23, 2019 1:00pm - 1:50pm EDT
Ballroom, 2nd Floor

2:00pm EDT

Code Signing: A Security Control That Isn’t Secured
As a security professional, how involved are you with your organization's code signing activities and processes? Learn how you can create a secure enterprise code-signing infrastructure that will scale and adapt as networks continue to evolve and grow.

Speakers
Eddie Glenn

Senior Product Marketing Manager, Venafi
Eddie Glenn is a senior manager at Venafi and is responsible for Venafi’s solutions that address the security risks for code signing and DevOps infrastructure. Eddie has more than 30 years of experience in software development, DevOps, and security at companies such as IBM, Rational...


Thursday May 23, 2019 2:00pm - 2:50pm EDT
Ballroom, 2nd Floor

3:00pm EDT

CISO of 2025
So much of the news related to CISOs today is negative. The reasons are clear because the challenges are enormous. Many CISOs believe they are not given a fair chance – essentially obstructed from doing their job. Often there can be poor trust with the board, primarily due to not having a pragmatic, cost-effective plan to solve board-level problems. CISOs have failed largely in this regard as their security plans have been tactical and not delivering on strategic goals. The common argument is executives just don’t ‘get it’, but most do, and they realize that security doesn’t provide great value with historic or conventional approaches. They might say the business only wants check-box security, but executives understand that to a great degree that is the only material benefit offered by security – so may as well get it at best cost. This talk will explore where and why things have happened the way they have, and how to move towards a definition for the CISO of 2025.

Speakers
Dan Holden

CEO, Pharos Security
Dan Holden is CEO of Pharos Security measures, aligns, and guides optimization of the ROI and level of protection of a security program and translates the security program into business level terminology. Mr. Holden has 25 years in information security having served as CTO of the...


Thursday May 23, 2019 3:00pm - 3:50pm EDT
Ballroom, 2nd Floor
 