Richmond, VA

June 4th - 5th, 2015

Speakers

Jennifer Steffens G Mark Hardy
David J. Bianco Caleb “chill” Crable
Adam Crosby Chris Eng
Pete Herzog / Dave Lauer Allen Householder
Barry Kouns David Lodge
Kizz MyAnthia Mark Painter
Elissa Shevinsky Michelle Schaffer / Tim Wilson
Jason Scott Jason Smith
Schuyler Towne Bill Weinberg
Boris Sverdlik
Governor Terry McAuliffe

Governor Terry McAuliffe

@governorva / https://governor.virginia.gov/

Virginia Governor

Governor Elect Terry McAuliffeTerry McAuliffe is the 72nd Governor of Virginia. Since being sworn-into office, Governor McAuliffe has aggressively focused on building a new Virginia economy.

Governor McAuliffe previously served as Chairman of the Democratic National Committee from 2001 to 2005, was co-chairman of President Bill Clinton’s 1996 re-election campaign, and was chairman of Hillary Clinton’s 2008 presidential campaign.

RVAsec Special Remarks

 


Jennifer Steffens

@SecureSun / http://www.ioactive.com/

IOActive
IOActiveCEO_JenniferSteffens_2013_02As its CEO, Jennifer Steffens spearheads all aspects of IOActive’s global CEO business operations and drives the company’s strategic vision. Jennifer brings a wealth of industry and business experience to the company, having been an early member of several successful startups.

Earlier in her career, Jennifer was a Director at Sourcefire, where she helped build and grow its run rate from $250K to over $35M in just four years. She helped commercialize the Snort open source intrusion detection and prevention technology and built several service offerings around research initiatives. Prior to joining IOActive, Jennifer came to Seattle to help startup GraniteEdge reinvent itself. While there, she led initiatives to restructure the company and developed a product strategy that ultimately secured two additional rounds of funding. With over ten years of industry experience, Jennifer has held senior management positions at Ubizen, NFR Security, and StillSecure.

Jennifer is a well-respected media source, appearing in InfoSecurity Magazine, SC Magazine, Good Morning America, BBC, Reuters, The Guardian, and CBS News. She has been invited to give keynote presentations at a variety of conferences such as HackInTheBox. Jennifer is a member of EWF, ISSA, and OWASP.

RVAsec Keynote

 


G Mark Hardy

@g_mark / http://www.gmarkhardy.com/

GMH-photo-2G. Mark Hardy is founder and President of National Security Corporation and has provided cyber security expertise to government, military, and commercial clients for over 30 years. Also founder of CardKill, Inc., he is a retired U.S. Navy Captain, and an internationally recognized expert who has presented at over 250 events world-wide. He serves on the Advisory Board of the National CyberWATCH Center. A graduate of Northwestern University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration, a Masters in Strategic Studies, and holds CISSP, CISM, GSLC, and CISA certifications.

RVAsec Keynote


Schuyler Towne

@shoebox / http://schuylertowne.com/blog

Ronin Institute
Schuyler TowneSchuyler Towne is a security anthropologist and Research Scholar at the Ronin Institute. He has dedicated his life to understanding how security technologies have affected culture & the effect of culture on security technology.

Selling Security in a Post Lock Society
There are pockets of the United States that are living in such secure surroundings that residents could go without locks altogether, which some consumers are beginning to realize. In this talk we’ll explore what features the next generation of home security products need to have, and how they will need to market themselves to have an impact on the emerging class of secure consumers.


Jason Smith

@automayt / appliednsm.com

Fireeye
Jason SmithJason Smith is an intrusion detection analyst by day and junkyard engineer by night. Originally from Bowling Green, Kentucky, Jason started his career mining large data sets and performing finite element analysis as a budding physicist. By dumb luck, his love for data mining led him to information security and network security monitoring where he took up a fascination with data manipulation and automation. Jason is the co-author of Applied Network Security Monitoring, creator of FlowPlotter, and co-developer of FlowBAT.

Jason has a long history of assisting state and federal agencies with hardening their defensive perimeters and currently works as a Security Engineer with Mandiant. As part of his development work, he has created several open source projects, many of which have become “best-practice” tools for the DISA CNDSP program.

Applied Detection and Analysis Using Flow Data
While network flow data isn’t a new concept, it is easily one of the most powerful data types you can have in your arsenal as a network defender. It is incredibly low overhead, easy to setup and maintain, and provides tremendously flexible capabilities for network security monitoring (NSM) detection and analysis.

In this presentation, we will take a look at flow data from the perspective of the NSM analyst. To begin, we will harness the power of statistics to demonstrate how flow data can be used for detecting both structured and unstructured threats using techniques that go beyond simple signature matching. Next, I will discuss the concept of friendly intelligence and how flow data can be used to profile devices on your network so you can understand what normal communication looks like. Finally, I will describe how flow data can be used to augment the analysis of network security events that are detected by other mechanisms.

During this presentation, I will also demonstrate FlowPlotter, an open source tool I’ve developed to aide in visualizing flow data for detection and analysis. I’ll also introduce and demonstrate FlowBAT, a graphical flow-based analysis tool that Chris Sanders and I developed to break the significant barrier of entry into Flow Analysis. Every concept I discuss in this presentation will be demonstrated with practical, real-world scenarios complete with real data using the SiLK toolset. You will leave this talk with techniques you can apply to your network immediately with incredibly low overhead and high impact, and scripts to get everything running in minutes.


Barry Kouns

@riskbased / www.riskbasedsecurity.com

Risk Based Security, Inc.
Barry KounsBarry Kouns is principal consultant for ISO/IEC 27001:2013 pre-certification services at Risk Based Security, Inc., an information security, threat intelligence, and risk management consultancy. Barry’s experience includes information security consulting, risk assessment and quality management. Barry has provided training, procedure development and pre-certification consulting services resulting in the successful ISO/IEC 27001 certification of more than two dozen organizations.
Barry has full knowledge of GLBA, FFIEC, HIPAA, Sarbanes-Oxley, and 201 CMR 17 and is well versed with PCI DSS, ISO 9001, COBIT, FISMA, NIST 800-53, BS 25999, ISO 31000 and ISO 20000. He has earned a B.S. in Statistics from Virginia Tech and a M.S. in Industrial Engineering Management from North Dakota State University. He has earned the CISSP designation, is a trained ISO /IEC 27001:2013 Auditor & ISMS Implementer, and is ITIL Foundation Certified.
Barry was a Captain in the United States Air Force and served as a B-52H Navigator/Bombardier.

Incident Response Management – Not a Fire Drill
In spite of the billions of dollars spent annually to prevent a data breach, breaches are being reported at a rate of more than eight per day. Most security experts say it’s not a matter of if your organization’s data will be breached, but when. If your organization does not have a well designed, formally documented, and regularly tested Incident Response process in place, how well will you respond to the data breach that is most likely in your future?
Not all Incident Response programs are created equal. Speed of action, without first understanding the nature and severity of an event can often lead to elevating the costs to the organization. Join this session to learn how to build an effective Incident Response Management process to identify and properly respond to the various levels of information security events.


Dave Lauer

@dlauer / healthymarkets.org

Dave LauerDave Lauer is President & Managing Partner of KOR Group, a research and analysis consultancy specializing in market structure and technology. Dave is also the co-founder and President of Healthy Markets, a non-profit coalition of financial firms that seeks to improve disclosure and transparency in the industry while advancing data-driven market structure reforms. Dave’s current work focuses on leveraging machine-learning and “big data” to help improve algorithmic order routing systems, to refine buyside execution decisions, and to generally facilitate continued enhancement of all market structure analysis. Working closely with a wide range of market participants—including institutional buyside, sellside, ATSs, exchanges, regulators and retail robo-advisors—Dave channels his unique body of knowledge toward helping firms navigate increasingly complex modern markets.

Dave also serves as an independent director for Aequitas, a new
Canadian stock exchange.

Dave’s previous work includes technology architecture at Verdande Finance and IEX Group, public advocacy at Better Markets, and electronic trading at Allston Trading and Citadel Investment Group. Dave also helped develop technology for Tervela as an early employee during its formative stages. In his spare time, Dave collaborates on the maintenance and advancement of Cowbird.com, an innovative online photo-narrative storytelling network.

Pete Herzog

@peteherzog / www.isecom.org
ISECOM

Pete HerzogPete Herzog is the co-founder of ISECOM and the lead security researcher and creator of the OSSTMM. His analysis of security, hacking, trust, fraud, and neuro-hacking have shown up in thousands of research papers, books, and government documents around the world. He’s passionate about hacking and figuring out how things (and people) work. And he’s actually a pretty good guy.

Hacking the Market. How financial market players manipulate prices and infrastructure.
“This is a look inside the current security of modern stock exchange networks in the US known as “the stock market”. The financial networks are an ecosystem that has grown both outside of and within the limits of the Internet to trade billions of dollars daily in the US alone. It is as unique as any internal infrastructure and a fascinating study of evolution where operators push systems to their limits for performance in a drive to generate revenue from their best customers (high-frequency traders) while operating within a regulatory framework that is changing rapidly. It’s a hacker’s sci-fi paradise!”


Caleb “chill” Crable

@dirtywhitehat

The Media Trust
Caleb is a long-time contributor to the information security scene. A dirty whitehat, Caleb’s career spans various stints at information technology firms where he managed malware response teams, researched web-based security vulnerabilities and tested security products. He is a frequent presenter at technology security events where he shares information and best security practices including the recent Bsides Tampa and upcoming CarolinaCon, and is also the organizer for CarolinaCon Shootout in its 6th year.

The Art of Post-Infection Response and Mitigation
In this day and age, we are all [mostly] fully aware how far signature-based antivirus detentions go… not very far at all in regard to real-time protection. Users will get infected, there are no longer any IF statements in this equation. My focus is the gray area of post-infection and the many different aspects of end-user and incident response frustration that occur after a virus has penetrated a system, or organization, and done its dirty work. I will also be going over various malware removal and mitigation techniques, tools of the trade, and general guidelines to follow to prevent infections from happening in the first place.


David Lodge

@tautology0 / http://www.pentestpartners.com/

Pen Test Partners
Dave has been in the security industry for too long. Originally hacking games, then a developer, then sysadmin, then generic dogsbody and finally penetration tester.

For a job, dave hacks companies. For fun, he drinks beer, develops stuff, plays interactive fiction, kills zombies, hacks flash games, drinks beer, brews beer, translates from American to English, drinks beer and likes being pedantic about language.

Internet of Toys?
Does adding network functionality to modern toys make sense? Can they be abuse to manipulate or spy of you or your child? Can we totally subvert them.

It’s a hacking talk: of course we can!


David J. Bianco

@DavidJBianco / http://detect-respond.blogspot.com

Sqrrl Data
Before coming to work as a Security Architect and DFIR subject matter expert at Sqrrl, David led the hunt team at Mandiant, helping to develop and prototype innovative approaches to detect and respond to network attacks. Prior to that, he spent five years helping to build an intel-driven detection & response program for General Electric (GE-CIRT). He set detection strategies for a network of nearly 500 NSM sensors in over 160 countries and led response efforts for some of the company’s the most critical incidents.

David stays active in the community, speaking and writing on the subjects of Incident Detection & Response, Threat Intelligence and Security Analytics. He is also a member of the MLSec Project (http://www.mlsecproject.org). You can follow him on Twitter as @DavidJBianco or subscribe to his blog, “Enterprise Detection & Response” (http://detect-respond.blogspot.com).

Visual Hunting with Linked Data Graphs
Security analysts have to sift through a lot of information to hunt for and investigate incidents. Most tools, though, operate at a very low level, making it difficult to see past the individual events and get the big picture. Linked Data Analysis (LDA) visualizes the entities in your data as a graph and shows how they are related. When you are able to step back and see what’s going on at a higher level, it’s much easier to identify suspicious patterns and detect malicious activity that you might have otherwise missed.

In this presentation, we’ll use LDA techniques and open source software to visualize several different types of logs from the Bro network analysis platform. We’ll also demonstrate some practical strategies for identifying and investigating patterns that might indicate security incidents.


Bill Weinberg

@linuxpundit / http://osdelivers.blackducksoftware.com/author/bill-weinberg/

Black Duck Software
Bill Weinberg helps Fortune 1000 clients create sound approaches to enable, build, and deploy software for intelligent devices, enterprise data centers, and cloud infrastructure. Working with FOSS since 1997, Bill also boasts more than thirty years of experience in embedded and open systems, telecommunications, and enterprise software. As a founding team-member at MontaVista Software, Bill pioneered Linux as leading platform for intelligent and mobile devices. During his tenure as Senior Analyst at OSDL (today, the Linux Foundation), Bill ran Carrier Grade and Mobile Linux initiatives and worked closely with foundation members, analyst firms, and the press. As General Manager of the Linux Phone Standards Forum, he worked tireless to establish standards for mobile telephony middleware. Bill is also a prolific author and busy speaker on topics spanning global FOSS adoption to real-time computing, IoT, legacy migration, licensing, standardization, telecoms infrastructure, and mobile applications. Learn more at http://www.linuxpundit.com/.

OSS Hygiene – Mitigating Security Risks from Development, Integration, Distribution and Deployment of Open Source Software
Across the landscape of IT, Open Source Software (OSS) is pervasive and ubiquitous. From the cloud and web to data centers; from the desktop to mobile devices; and across a range of embedded and IoT applications, OSS commands an ever-increasing, dominant share of the system software stack and provides equally substantial swathes of enabling application middleware, applications themselves, and tooling. While rapid adoption of OSS demonstrably offers a range of advantages, the community development model presents developers, integrators and deployers with a set of accompanying challenges related to security, operational, and legal risk. Historically, foremost among these concerns stood license compliance and IP protection; however, with recetnt highly publicized threats to OSS, security has joined these concerns and today dominates the OSS adoption conversation. This presentation will explore the role of and requirements for secure development of and deployment with OSS.


Allen Householder

@__adh__ / https://www.cert.org/blogs/certcc/

CERT/CC
Allen Householder is a Senior Vulnerability & Incident Researcher at the CERT Coordination Center (CERT/CC). He has been involved in internet security since his first professional job in 1995, where a few weeks after starting at a Fortune 500 company he was told “You’re the IP & DNS guy” and shortly thereafter was given responsibility for the corporate firewall. His recent work includes being the technical lead developer for the CERT Basic Fuzzing Framework (BFF) and Failure Observation Engine (FOE), and research into the (in)security of the Internet of Things. His research interests include applications of machine learning to software and system security, fuzzing, and modeling of information sharing and trust among Computer Security Incident Response Teams (CSIRTs).

 

Coordinated Vulnerability Disclosure is a concurrent process
Media reports about Zero Days, bug bounties, and branded vulnerabilities usually focus on the publication of a vulnerability report. Vulnerability disclosure policies recently hit the mainstream with public kerfuffles between Google and Microsoft over the timing a few vulnerability announcements. However, public reports largely ignore the process of coordination and disclosure that precedes a publication event. For the past 26 years at the CERT Coordination Center, we have been helping connect security researchers and vendors in the interest of improving the security of the Internet and providing users and administrators with the information they need to secure their systems. In this talk I’ll describe the process of coordinating vulnerability disclosures, why it’s hard, and some of the pitfalls and hidden complexities we have encountered. This will be a behind-the-scenes look at a process that doesn’t receive much attention yet is of critical importance to internet security.


Mark Painter

@secpainter / http://h30499.www3.hp.com/t5/user/viewprofilepage/user-id/604506

HP Enterprise Security Products
Mark Painter currently serves as a Security Evangelist for HP Enterprise Security Products. In this role, he is for responsible for educating security professionals, customers, executives and other groups about the risks of security vulnerabilities and HP ESP security solutions. Mark has played an active role in the security industry since 2002 when he joined SPI Dynamics, a leading provider of web application security assessment software and services. Over the course of his career, he has been involved with product management and marketing, security blogging, and vulnerability research.

A year in the life of HP security research
In this presentation, results from the 2015 HP Cyber Security Risk Report, HP and Ponemon Institute studies, and the HP State of Security Operations 2015 Report will be shared to discuss vulnerability trends, where organizations are currently ailing in their security efforts, and how best to counter those threats.


Adam Crosby

Former IDS analyst turned red teamer turned powerpoint jockey née cloud architect. Allergic to alcohol, compensates with Diet Coke.

Embracing the Cloud
It’s inevitable at this point, so rather than fighting, you may as well embrace it – cloud computing is coming to your organization soon (or more realistically, is already there, possibly under the radar!).
This talk covers how to get over the hump of resistance, do so smartly, and possibly enjoy some security benefits in the process. The focus here will be on info sec (or ‘cyber’), rather than the normal DevOps/Agile mumbo jumbo. Vendor selection, indicators of success, net new threat models and mitigations, and net new potential capabilities will be covered.


Elissa “#LADYBOSS” Shevinsky

@ElissaBeth / http://www.businessinsider.com/author/elissa-shevinsky

JeKuDo Privacy Company
Elisa ShevinskyElissa Shevinsky is CEO of JeKuDo Privacy Company. JeKuDo is building the best easy to use privacy tools, and is funded by the Mach37 cyber-security accelerator in Virginia.

Shevinsky is a frequent writer and speaker, and most recently gave talks at ShmooCon, DefCon, Pii2014, SXSW, the Computers Freedom and Privacy conference and various Meetups. Shevinsky is also the author of “Lean Out,” an anthology on Silicon Valley culture, published by OR Books.

The Changing Legal Landscape for InfoSec: What You Need to Know
As black hat threat actors attack and embarrass American companies and celebrities, the government seeks to show that it is strong on “cybercrime” by going after the most accessible targets – researchers, journalists and “hackers” like you and me.

Changing government policies and recent court decisions have created a climate where individual infosec researchers could be jailed in the course of doing their jobs. It’s a disturbing trend but there are ways to do our work while mitigating our personal risks.

This talk reviews court cases, policy decisions, and the history of hacker convictions, along with analysis from legal experts, to consider best practices for avoiding getting slammed for your research.


Jason Scott

@textfiles / http://textfiles.com

Jason Scott is an archivist, historian, documentary filmmaker, information collector, and public speaker. He figured you’d be sick of historical computing by now, but it’s not happening.

All Watched Over By Machines of Loving Grace
For over a century, the selling of computers as the inevitable tools of liberation, productivity, and new ways of life has led to some of the most striking images and words in the world of advertising and public relations. Jason Scott, the free range archivist of the Internet Archive, presents a slideshow and tour through some of the most notable excessive and most outlandish promises of the technology industry.


Kizz MyAnthia

@kizzmyanthia / http://kizzmyanthia.com/

Kizz MyAnthiaInfosec specialist whose qualifications include an indepth understanding of security principals and practices; C|EH, MCSE+Security designations; and detailed knowledge of security tools, technologies and development. Seven years of security experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organizations, with over 10 years overall in the industry.

Into The Worm Hole: Metasploit For Web PenTesting
Metasploit is most commonly known for its epic pwnage of network and service level vulnerabilities. What you may not know is that same epic pwnage can be leveraged exploiting web application vulnerabilities. By leveraging the ability to custom build Metasploit modules or tools using the framework the power of Metasploit is only limited by the imagination of the user. “Into The Worm Hole: Metasploit For Web PenTesting” will build on prior knowledge of Metasploit and help elevate the tester’s skills and abilities by working hands-on building a custom scanner, using Metasploit to exploit Web Vulnerabilities, and learn to use Metasploit for phishing, XSS, and other web application vulnerabilities.


Chris Eng

@chriseng

Chris Eng is vice president of research at Veracode. In this role, he leads the team responsible for integrating security expertise into all aspects of Veracode’s technology. Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies.

Chris is a frequent speaker at premier industry conferences, where he has presented on a diverse range of topics, including cryptographic attacks, agile security, mobile application security, and security metrics. He has been interviewed by Bloomberg, Fox Business, CBS, and other media outlets worldwide.

Security Speed Debates
Match wits in a fast-paced debate covering a handful of topical security issues and industry-revelant subjects. Two teams of volunteers will face off, and the audience will determine which side made the most convincing (or entertaining) arguments. Topics will not be announced in advance, so participants will have to think on their feet!


Boris Sverdlik

@jadedsecurity /

Oscar Insurance
Jaded Security Guy

You’re HIPAA certified and Bob just killed someone from the parking lot
My friend Bob is undergoing Chemo and his wife asked him to get a copy of his medical records for a second opinion. Bob being an obedient husband had to jump through hoops to get copies of HIS records thanks to the monotony that we know as HIPAA.

So one day while Bob is waiting for his treatment he notices that the facility has several blatant physical security issues which could allow someone of a more shady nature to obtain his health records without jumping through hoops. Follow Bob in his adventures..


Michelle Schaffer / Tim Wilson

@mschafer

Michelle Schafer heads up Merritt Group’s Security practice where she applies more than a decade of hands-on PR-related security experience spanning every discipline. She is known for creating and implementing strategic communications campaigns that drive results for clients such as Venafi, CrowdStrike, Ionic Security, Mach37, BlackHat and more.
Michelle has presented at Security B-Sides DC/Las Vegas and ISSA events and was recognized as a top influencer in the security community in 2010 and has been quoted in “Women in Security” stories.

Tim Wilson is the Editor in Chief of the number one security trade publication, DarkReading.com.

Hasty Headlines in InfoSec: Don’t Be Fooled by Everything You Read!
This session will discuss why some data breaches like Sony and Target get much more media attention than others and what enterprises can do to keep their names out of headlines, or at least be prepared when or if it ever happens to them. It will also give you an inside look at how security media determine what’s major news and what’s not and how PR “spin” is all part of the process.