
Welcome to ISSA LA Tenth Annual Information Security Summit. We will have great training opportunities and amazing speakers. 

Technical Track
Thursday, May 3
 

4:00pm PDT

Capture The Flag How-To and Competition sponsored by the Women in Security Forum
New to InfoSec? Master AppSec engineer? Come test your skills against your fellow engineers in security (and maybe pick up a couple new skills along the way). We will begin with a short class on the basics of secure coding and the types of vulnerabilities you'll be able to hunt. Next, you'll show who runs the leaderboard with an old fashioned capture the flag competition. This class is designed to accommodate all levels of skill and experience. Even if you’re not the competitive type and you’re just a little bit curious, please register and come poke at our app.

This course is part of the Summit X Women in Security Forum, but all are welcome to attend.

Speakers

Samantha Davison

Security Engineering Manager, Snapchat
Samantha Davison is a Security Engineering Manager at Snap Inc. where she combats spam and abuse, designs security products, and leads security education and awareness efforts for employees and users. Before Snap, Samantha designed and implemented security awareness programs at Uber... Read More →

Alex Levinson

Senior Security Engineer, Uber
Alex is Senior Security Engineer at Uber. He has technical security proficiency across multiple domains - security, operations, and software development. Alex is a frequent speaker at RSA, BSides, PFIC, HICSS, and he is actively engaged in the security industry. Alex has strong... Read More →


Thursday May 3, 2018 4:00pm - 5:50pm PDT
HIRO ROOM
 
Friday, May 4
 

10:00am PDT

Threat Intelligence - Denial, Deception, and Human Manipulation
Deception, distortion, and dishonesty are core to adversary actions. Are you susceptible to these actions? Our adversaries use these methods to purposefully manipulate our data and manage our perceptions. The talk covers past methods of deception used against adversaries, threat intelligence and how data can be perceived differently, methods to manipulate your particular bias, as well as denial, deception, and cyber dirty tricks. The audience is invited to actively participate in the discussion.

Speakers

Jeff Bardin

Treadstone71, Chief Intelligence Officer
Jeff Bardin is the Chief Intel Officer for Treadstone 71. In 2007, he was awarded the RSA Conference Award for Excellence in the Field of Security Practices. His team also won the 2007 SC Magazine Award – Best Security Team. Bardin served in the USAF as a cryptologic linguist and... Read More →


Friday May 4, 2018 10:00am - 10:50am PDT
Ballroom B

11:00am PDT

Not Your Server, But Still Your Code
Serious attention is being paid to Serverless and Functions as a Service (FaaS), enough so to warrant some introspection from a security practitioner's perspective. This talk examines the shift from traditional security to cloud and serverless security models. Come see how security professionals can prepare for a business culture that encourages breaking down silos and democratizing security across the organization.
The idea of FaaS does not fundamentally differ from traditional cloud compute resources with regards to the impacts of a successful attack. However, the risk directly imposed on the organization is heavily reduced and primarily focuses on development-defined code and configurations.
In this talk we examine ...
As security practitioners we need to accept that learning some aspect of development is as important as understanding what an IP is.
First we’ll need to define, contextualize, and visualize the terminology from a security perspective:
  • Agile to DevOps progression
    • DevSecOps, Rugged DevOps
  • CI/CD
  • Microservice
  • Build Automation
  • Containers
  • Pipelines
    • Abstract of SDLC pipeline
    • Typical SDLC pipeline (FOSS)
    • Security centric DevOps pipeline (FOSS/Service)
There’s a high likelihood that your organization is either considering or is currently adopting some aspect of the DevOps culture and possibly testing services on serverless types of technologies. What can you, as either a practicing security professional or an interested stakeholder, do to prepare for a business culture that encourages breaking down silos and democratizing security across the organization? One of the greatest benefits of all of this is the ubiquity of REST APIs and web services. Traditionally, breaking into or practicing security required deep understanding of network-level protocols and tools like Nmap, Metasploit, etc. DevOps can be viewed as operations getting a table at previously development-driven conversations. The newest approach is DevSecOps, Rugged DevOps, InfraOps, or some other term we’ve yet to settle on in the industry. However, these terms are the best way of saying that security finally has a place at the table, and many of us realize we weren’t all that prepared for it. What can you do to get prepared, and how can you provide impact in an environment that never seems to stop changing?

Speakers

Cody Wood

Signal Sciences
After eight years in mining operations (non-crypto, because apparently that's a necessary distinction in 2018) Cody Wood set out for Houston, TX to attend a .NET programming bootcamp. After getting kicked out of the bootcamp he found infosec more specifically AppSec. Having spent... Read More →


Friday May 4, 2018 11:00am - 11:50am PDT
Ballroom B

12:00pm PDT

Change the Game: Deception as a Defense
No matter how much “security” is put in place, the reality is that we are running our data on protocols that were developed many years ago when the Internet was small, and as a result these protocols are based on the principle of trust; therefore, to truly defend we need to modify these protocols. The concept is that if the protocols can be changed, the result will be frustration and confusion for the adversary. In this presentation, advanced defensive concepts will be explored, along with the power of using deception at different layers of the network. The attacker depends on information that is gathered during their surveillance; with deception we change the network at layers 2-4, so the attacker’s collected data is no longer valid and is useless to them, forcing the attacker to start the information-gathering process over again. In a robust defensive solution, the network can change multiple times based on the classification of the threat, and each time it changes, the attacker is lost and has to start the recon process over again. These concepts change the game and put the defender in control!

Speakers

Kevin Cardwell

President, CESI
Kevin Cardwell served as the leader of a 5-person DoD Red Team that achieved a 100% success rate at compromising systems and networks for six straight years. He has conducted over 500 security assessments across the globe. His expertise is in finding weaknesses and determining ways... Read More →


Friday May 4, 2018 12:00pm - 12:50pm PDT
Ballroom B

3:00pm PDT

Using Behavioral Science to Secure Your Organization
For decades, security awareness programs have been based on the assumption that employees don’t know the correct course of action and that, with the right training, they will start performing more securely. However, this approach has not proven to be effective. A second dimension needs to be considered in security behavior change: motivation. This talk will explore how and when to motivate employees to security action. It will also discuss how to “surf” motivation generated by both predictable and unpredictable security events to drive security behavior change in a workforce. Finally, this talk will explain how to measure changes in employees’ security behaviors and how practitioners can create meaningful metrics.

Speakers

Masha Sedova

Co-Founder, Elevate Security
Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the Co-Founder of Elevate Security delivering a behavioral-science based platform that can measure, motivate, and educate... Read More →


Friday May 4, 2018 3:00pm - 3:50pm PDT
Ballroom B

4:00pm PDT

The Perimeter Has Been Shattered: Attacking and Defending Mobility and IoT on the Enterprise Network
Mobility and the Internet of Things (IoT) have disrupted the corporate enterprise network on the scale that PCs disrupted mainframes in the 1980s. Yet most enterprises continue to approach security as though there is still a hard perimeter with nothing but corporate-owned endpoints running against internal applications. Mobility, however, means employee-owned endpoints connecting over public carrier networks to cloud applications. Traditional perimeter security simply doesn’t address this.
From mobile-based phishing to Bluetooth-based attacks, mobile and IoT have fundamentally changed the threat landscape. In this talk we will look at the modern threat landscape, the security controls currently available on the market (such as mobile threat defense and mobile application management), and provide real world examples of how they fall short under simulated attack. Finally, we will look at practical ways to improve enterprise security around mobile and IoT as well as cause the defensive products to evolve to be more robust. 


Speakers

Georgia Weidman

CEO, Bulb Security
Georgia Weidman is a fellow in New America's Cybersecurity Initiative. Shevirah founder and CTO Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds a MS in computer science as well as holding CISSP, CEH, and OSCP cert... Read More →


Friday May 4, 2018 4:00pm - 4:50pm PDT
Ballroom B
 