Defensive Security Talks
Title: Bringing Home Big Brother: Personal Data Privacy in the Surveillance Age
Have you ever purchased something online and then seen an ad for a related item in your social media feed? Do you ever wonder who, or what, is listening to your conversations when your intelligent assistant is waiting for your commands?
You give away a significant amount of indirect information about yourself every day, whether you are online or think that you are offline. The online services you use often have the freedom to decrypt and view your emails, photos, contacts and documents. Something as innocuous as what you buy, or who you follow on social media, can be used by organizations and individuals to determine key facts about who you are and your personal habits. You don't even have to provide the information yourself - your family, friends and colleagues are sharing your information for you.
Todd is a Principal Consultant with NYSTEC's Information Security practice, where he manages complex security projects and helps clients to understand their security profile and to plan secure systems. Todd has over 20 years of experience in high tech manufacturing and software development. He is an ISC2 Systems Security Certified Practitioner and is pursuing an MBA in IT Management and a CGS in Information Security from SUNY Albany.
Michele is a Senior Consultant with NYSTEC's Information Security practice. She currently assists the NYS DOH Bureau of Information Security and Privacy with defining data sharing agreements. She is an attorney with more than five years of hands-on experience in document management, quality assurance, and other areas of information technology. She holds a JD from Albany Law School.
Title: Measuring the Efficacy of Real-Time Intrusion Detection Systems
To solve the problem of attack detection in the cloud, Artificial Intelligence (AI) techniques can be used because AI has the ability to solve a problem after learning from certain examples. It is clear that additional solutions are needed to complement existing security infrastructure in a layered defense model.
Jeffrey Richard Baez is an expert in the field of information technology with more than 16 years experience in information systems (analysis and design), information security and project management. He holds a bachelor's degree in information science and policy and East Asian studies, in addition to a master's degree in information science from the University at Albany.
Baez teaches topics in information technology (programming through python, Databases through SQL, and OS & networking fundamentals in Windows and Linux through Kali). He also teaches information security at the intermediate to graduate level in the following areas: cyber incident response, network monitoring, malware analysis, information security policy, user awareness training, penetration testing, and more.
Baez serves as the Chief Information Security Officer with New York State Dept. of Financial Services. He also collaborates on curriculum development with the College of Emergency Preparedness, Homeland Security and Cybersecurity. Baez has more than eight industry leading certifications, including the CISSP from (ISC)2 and MCSE from Microsoft.
Title: Incident Response Evolved - A Preventative Approach to Incident Management
The current threat landscape has been in a state of evolution that presents a significant risk to organization’s assets, reputation and presence in the marketplace. Nation states and cyber criminals are poised to take advantage of organization's weaknesses to carry out on their malicious objectives. Threat actors routinely deploy ransomware to extort their victims. This talk will focus on new and existing threat vectors such as ransomware and nation state attacks and how traditional defenses fail to address these threats.
Aaron will discuss how his teams' unique approach to incident response has proven effective in hundreds of organizations across all verticals and particularly in regards to the OPM breach, in which his team played a pivotal role. Aaron will additionally discuss how enhanced processes and tools allow organizations to take their security program to the next level by employing a preventative methodology to reduce risk and exposure.
Aaron leverages his unique Incident Response experience in complex, large-scale breaches to provide strategic solutions to secure environments of all sizes. Aaron has responded to several high profile investigations over the course of his career. He is highly skilled in translating difficult topics into easy to understand training sessions and utilizes his knowledge and skills to bring a unique approach to the ever-growing challenge of securing critical systems.
Aaron has over 9 years’ experience in incident response and digital forensics investigations. He has lead over 150 security engagements ranging from incident response to creating and customizing full-scale training exercises. He has a Bachelor’s Degree from the University of Central Florida, and holds several industry certifications, including GREM, GCFA, GCIH, and CISSP.
Title: Making Friends for Better Security
Doing security well is difficult enough. Without internal allies, it can be damn well impossible. Learn how to make alliances with other departments to get more of what you need to secure your organization.
Alex is both a cyber-security professional and lawyer. When he's not helping his clients improve their security, he tries to help out members of the hacker and security communities with their legal issues.
Title: To SIEM or not to SIEM: an Overview
In this talk, we will visit the questions I hear from clients and others, is a SIEM worth the money? Do I really need one? Should I outsource? There are all great questions, but to answer them you need more information. We will walk down the path together exploring the world of SIEM. We will cover some of the basics of SIEM and take a dive into what you can add to a SIEM to increase the value and return on investment for your organization while using a SIEM or MSSP.
Chris Maulding is a Sr. Security Engineer at Vertek, with a passion for all things security and protecting sensitive information. Chris has a degree in Computer Information Systems and is currently working on obtaining his bachelors in information security. He has experience in many areas of IT including system administration, offensive and defensive security.
Title: Thinking 1nside-the-B0x: Cyber Defense and Deterrence via How Hackers Think
Since our Republic’s origins, Americans have demonstrated a speculative knack and considerable optimism that have translated into innovative solutions for grappling problems. From the first English colonists to today’s NASA astronauts, Americans have a proud history of discovering new ways for getting the job done. Today innovation has become a buzzword in the US Army, and it is helping to shape the vision for the Army of 2025 and Beyond as an agile organization for a complex world. But does the US Army have the capabilities needed to protect vital national interests in cyber? Does the US Army know how to foster innovations that can keep pace with disruptive cyber attacks? The Internet’s growth in our globally connected world has meant that the tools within the cyber domain are constantly changing. To make matters worse, many believe the US Army is such an unwieldy bureaucracy that it can’t adapt to win tomorrow’s wars. So does the US Army have the capacity to out-hack those attacking us in the digital terrain? This presentation provides a framework for analyzing different types of innovation, and in doing so, asks us to think inside-the-box to promote better ways the US Army can defend and deter against attacks inside cyberspace.
Lieutenant Colonel Ernest Y. Wong is a Military Intelligence Officer in the U.S. Army who is currently serving both as the Chief of Staff at the Army Cyber Institute and as an Assistant Professor with the Department of Systems Engineering at West Point. He graduated from the United States Military Academy with a B.S. in economics, and he holds a M.S. in management science and engineering from Stanford University, a M.A. in education from Stanford University, and a Master of Military Science from the Mubarak al-Abdullah Joint Command and Staff College in Kuwait. He had the opportunity to work as a NASA Summer Faculty Fellow and has served in overseas deployments to Iraq, Kuwait, and the Republic of Korea. His research interests include disruptive innovations, cyber resiliency, and the application of systems engineering tools for resolving complex real-world problems.
Title: Problems With Elliptic Curves In TLS and SSH
This presentation examines the elliptic curve parameters standardized by NIST in FIPS 186-2, which are suspected by some as being back-doored by the National Security Agency. Despite being first introduced over 17 years ago, these curve parameters remain highly prevalent, as they are central to both the TLS and SSH protocols. An overview of the history and process of their standardization will be covered, along with a discussion of the NSA’s other successful back doors in NIST’s standards (as revealed by Edward Snowden). Recent developments in new curve parameters will be shown, as will a practical guide aimed at systems administrators for disabling the suspicious curve parameters in TLS and SSH.
Joe Testa is co-founder of Positron Security, a Rochester-based computer security company, and is a current board member and treasurer of Security B-Sides Rochester Inc. (the 501(c)(3) charity responsible for BSides Rochester). He specializes in penetration testing, exploit development, social engineering, and server & network hardening. Prior to co-founding the company, he excelled as a security researcher and vulnerability test programmer for Rapid7. Testa holds a Master of Science degree in Computer Security and Information Assurance from the Rochester Institute of Technology, along with a Bachelor of Science degree in Psychology and Computer Science from the University of Maryland at College Park.
Title: Let's Play Defense at Cyber Speed
Cyber-attacks are increasing in terms of sophistication, speed and dynamics. Advanced cyber actors (and even script kiddies) are utilizing automation with adaptive tradecraft and these trends are likely to continue. To combat this we need to facilitate interoperability and integration by standardizing interfaces & protocols allowing more flexible and interoperable cyber defense components. OpenC2 is being created to standardize machine-to-machine command & control (C2) to enable cyber defense system interoperability at machine speeds. This will make defense cheaper/better/faster and economics that will drive adoption. The talk will begin with the problem openC2 is trying to solve, provide a review of openC2 and its use cases, show the economics of adoption, review various open source implementations, and give the current status on standardization.
Duncan Sparrell is a seasoned (aka old) software developer and network security evangelist. He graduated from RPI back when computers were the size of buildings and programmed with punch cards. He is semi-retired and trying to give back to the community while pursuing his interests in cloud security, agile, secure software development, and erlang. Most of his cyber experience is blue team (defense) but he kick-started his cyber chops as part of a CNA (offense) team during first Gulf War. Besides having various certs (CSSIP, CSSLP, CCSK, PE), the US Govenment awarded him the Intelligence Community Seal Medallion, and AT&T awarded him its Science and Technology Medal. His PGP fingerprint is “A870 5F67 00F9 D3FC ECD1 2D97 2A42 E870 6A4E EC12”, his twitter handle is @dsparrell, his peerlyst handle is sFractal, and his github handle is sparrell.
Title: Does DoD Level Security Work in the Real World?
After spending nearly 13 years working for the Department of Defense, I ventured out into the private sector to consult and advice on matters of information security. On many occasions, after explaining some basic security concept to a customer and outlining what they need to do to be secure, I often heard the retort, “yeah, but we don’t need DoD level security.” Well, after twenty years in the private sector, and especially over the past 2-3 years with the proliferation of data breaches against major companies, I find myself wanting to reply, “yeah, you really DO need DoD level security!”
What does this mean? Probably not what you are thinking. This talk will start with an overview of the foundational nature of data security, highlight the major tenets or goals of data security, discuss how and why so many companies so often fail at implementing the basics of data security, and explore some ways that a DoD-centric approach to data security might be implemented in the private sector. Brainstorming, discussion, dissension all welcome. Hint: This ain’t about Cyber!
Jeff is a respected Information Security expert, adviser, and evangelist. He has over 33 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Earlier in his career, Jeff held security research, management and product development roles with NSA, the DoD and private-sector enterprises and was part of the first penetration testing “red team” at NSA. For the past twenty years, Jeff has been a pen tester, security architect, consultant, and QSA, providing consulting and advisory services to many of the nation’s best known brands.
Title: Ermahgerd: Lawrs
When do you – and other coders, hackers, developers, and tinkerers – think or worry about the law? If your answer is, “Not very often,” then this talk is for you. We all need to think about the law. And it’s not just privacy, or computer fraud, or even anti-circumvention law, that we should think about. We need to think about law as a whole and how it can help us do or stop us from doing what we want to do. This talk will start with a broad overview of the ways in which we implicate law when we do what we do, and then will focus on what that means for us and the broader implications that can arise from our various activities. Do you think the law would stop you from doing what you want to do or punish you for doing it? It might, but it also might not. If you think it does, do you think you should be able to do what you want to do? If you do, then we need to hack the law, and to do that we’ll need to talk to the legal coders, those writers of our cultural software. This talk will tackle not only law and working with code, but also why it matters for us to be aware of the law and engaged in improving it.
Prof. Robert Heverly is an Associate Professor of Law at Albany Law School of Union University, in Albany, New York. His primary focus is on issues relating to law and technology, especially the internet and information networks, cybersecurity, cyborg technology and intellectual property law. He teaches Cyberspace Law, among other courses, and has taught in the UK (Norwich Law School), Germany (Universität Trier & the George Washington Law Summer Program in Munich), and East Lansing, MI (Michigan State Law). He has been at Albany Law School since July of 2010. He holds an LLM from Yale Law School, a JD from Albany Law School, and Bachelors Degrees from SUNY Oswego. He probably likes lolcats a little too much. He can be reached at firstname.lastname@example.org.
Title: Real Security Incidents, Unusual Situations
The pace of databreaches has reached epic proportions.
Organizations large and small, in every industry are falling victim to hackers, hacktivists and nation states. Incident Response is a dynamic process where the unsuspected often becomes the root cause. From insider threats to unauthorized access with a bit of extortion, it isn't always what it seems. Take a walk with us down some seemingly normal paths that lead to the unexpected. Real security incidents, unusual situations.
Adam Dean is a Security Specialist at GreyCastle Security. Adam is a graduate of the University of Advancing Technology with a Bachelor’s degree in Technology Forensics. Adam has experience identifying, containing, eradicating and recovering from computer security incidents ranging from malware based infections to malicious insiders.
Title: Breaking is Bad: Why Everyone at This Conference Will be Unemployed
The truth is hard to swallow sometimes, but the reality is this:
PENTESTING IS DEAD. Yes, you heard it right. Dead. Finito. Mortis. And if
your career is attached to pentesting, it may be picking out its own
headstone: "Here Rests Carl's Career, Confined to PenTesting, Now Instead of
Buying Islands It's Laying Here Resting."
The data is concrete, the statistics are irrefutable. The opportunity in
cybersecurity has transitioned from breaking things to building things. CEOs
and executives throughout North America are becoming less interested in
proving negatives, and more interested in proving competitive advantage.
Cybersecurity has become synonymous with business and the decision is yours
- be part of the problem, or be part of the solution.
Join GreyCastle Security as we explore the dynamically changing
cybersecurity industry and how you can profit or plummet.
Reg Harnish is an entrepreneur, speaker, author and the CEO for GreyCastle
Security, a leading cybersecurity consulting firm headquartered in Troy, NY.
Reg has been practicing security for nearly two decades, specializing in
security solutions for healthcare, higher education, critical infrastructure
and other industries. Reg's security expertise ranges from risk management
and incident response to regulatory compliance and awareness. Reg brings a
thought-provoking perspective to the industry and strives to promote
awareness, security ""thinking"" and practical application of security
As the CEO for GreyCastle Security, Reg is responsible for defining and
executing the company's vision. Reg has led the organization to four
consecutive years of triple-digit growth while establishing GreyCastle
Security as a highly-respected thought leader. GreyCastle Security is
currently working with organizations in nearly every state in the United
States, including Fortune 5000 and Global 100 organizations.
Reg attended Rensselaer Polytechnic Institute, and has achieved numerous
security and industry certifications, including CISSP, CISM, CISA and ITIL.
Reg has achieved various physical security certifications, including
firearms instruction and personal protection. Reg is a graduate of the FBI
Reg is a fellow of the National Cybersecurity Institute, a cybersecurity
educational institution located in Washington, DC. Reg serves on numerous
security association boards and is currently an advisor to several
educational institutions focused on cybersecurity.
Reg is a nationally-recognized speaker and has presented at countless
industry events, including BSides, ISSA, ISC2, ISACA, ASIS, DHS and
InfraGard. Reg's successes have been featured in leading industry journals,
including Software Magazine, ComputerWorld and InfoWorld. Reg is a
contributor to numerous security publications and has co-authored several
books on cybersecurity awareness.
Title: Top 10 Issues in Cybersecurity & Data Privacy Law
For anyone interested in protecting data privacy or providing cybersecurity, what are the leading issues of which they should be aware?
B.S., U.S. Air Force Academy
M.S., Computer Science, University of Illinois at Urbana/Champaign
J.D., Georgetown University Law Center
Antony Haynes joined Albany Law School in December 2015. He has extensive litigation experience in the intellectual property, securities, and criminal defense areas.
He served as an associate at the law firm Quinn Emanuel Urquhart & Sullivan, LLP, in Washington, D.C., and before that at Williams & Connolly LLP, in Washington, D.C.
Prior to practicing law, Antony was an Assistant Professor of Computer Science at the U.S. Air Force Academy, where he taught courses in programming, developed the Academy’s Information Assurance curriculum, and created the intercollegiate Cyber Defense Exercise. He has extensive experience with a host of software and hardware technologies, including Cisco routers, Motorola microprocessors, TCP/IP networking protocols, SQL databases, and web-based programming. He developed an on-line survey-system for the Department of Epidemiology at a major university.
After the Air Force Academy he was an associate at Chatham Financial Corporation, Capital Markets, Kennett Square, Pa., where he led a company-wide software effort, wrote financial software and coordinated technical developers.
He is a distinguished graduate of the U.S. Air Force Academy, where he was recognized as the top computer science graduate. He received his M.S. in Computer Science from the University of Illinois at Urbana/Champaign, where his thesis focused on machine learning and expert systems.
He is an entrepreneur who leverages his background in computer science, technology, business and the law to advise startup companies. In addition to advising startups, he has spent time acquiring and growing companies.
Title: Big Data's Big Problems
The data that we record daily about ourselves through our cell phones, credit card purchases, emails, social media postings, etc., helps us connect with each other and improve our quality of life. However, we are also enabling a set of societal harms that we have not yet begun to grapple with seriously. I will be discussing some of the problems of big data including insufficient anonymization and unfairness in automated decision making.
Jeanna Neefe Matthews is an associate professor of computer science at Clarkson University. Her research interests include virtualization, cloud computing, computer security, computer networks and operating systems. At Clarkson, she leads several hands-on computing laboratories including the Clarkson Open Source Institute and Clarkson Internet Teaching Laboratory. Students in these labs and in her classes have been winners in a number of prestigious computing contests including the 2001, 2002, and 2004 IBM Linux Challenge, the 2005 IBM North American Grid Scholar's Challenge, the 2005 Unisys Tuxmaster competition, and the 2006 VMware Ultimate Virtual Appliance Challenge. She has worked actively on industrial projects with companies including VMware, Intel, IBM, AMD, HP and Greenplum/EMC. She has held a number of professional leadership positions including member of the ACM Executive Committee, the chair of the Governing Board of ACM Special Interest Groups (SGB), chair of the ACM Special Interest Group on Operating systems (SIGOPS), editor of ACM Operating System Review, member of the Executive Committee of US-ACM, the U.S. Public Policy Committee of ACM and an ACM Distinguished Speaker. She has written several popular books including "Running Xen: A Hands-On Guide to the Art of Virtualization" and "Computer Networking: Internet Protocols in Action". Jeanna received her Ph.D. in Computer Science from the University of California at Berkeley, a B.S. in Mathematics and Computer Science from Ohio State University and a B.A. in Spanish at SUNY Potsdam.
Title: Hacking Politics: Infosec in Public Policy
In recent times, the issues of the InfoSec community have arguably become synonymous with those of our overall society. In a world where the Internet is now the backbone of every facet of life, from Wikileaks’ influence on electoral politics, to encryption’s effect on law enforcement, we see constant examples where InfoSec is determining our geopolitical reality.
As legislative and law enforcement bodies respond, it is unfortunately often in a less-informed manner. Ignorant, restrictive and even oppressive policies and legislation threaten to restrict free expression, hamper ingenuity and hobble digital security.
Some of the threats are being devised right here in New York State, literally across the street at the Capitol. We will review recent attempts to litigate against encryption, mandate backdoors, and obtain private data without warrants or oversight.
The InfoSec community must advocate for their interests in public policy within our democratic representative institutions and the court of public opinion. A diverse panel of speakers will examine how we can accomplish this with activism and lobbying.
Communications Director, Restore the Fourth
Jonathan Capra is a former Occupier who helped deploy Internet access to the activists in the Academy Park encampment. He formed a civil liberties working group before heading up the march in Albany for the national Restore the Fourth event. He now serves as Communications Director for the Restore the Fourth 501(c)4 non-profit, and is host of their podcast, 'Privacy Patriots'. He is also a cable news producer and former DNS Administrator.
Legislative Counsel, NYCLU
Rashida Richardson researches and analyzes state and local legislation, rules and regulations that implicate civil rights and civil liberties.
Prior to working at the NYCLU, Richardson was a staff attorney at the Center for HIV Law and Policy, where she worked on a wide-range of HIV-related legal and policy issues, and she previously worked at Facebook Inc. and HIP Investor in San Francisco. During law school, Richardson was also selected as a research assistant for Professor Margaret Burnham in Northeastern University's Civil Rights and Restorative Justice Project, where she participated in a landmark civil rights action against a county in Mississippi for a kidnapping and murder which took place in 1964. This suit was the first of its kind.
Richardson graduated with honors from Wesleyan University in 2008, and she graduated from Northeastern University School of Law in 2011.
DIRECTOR OF GRASSROOTS ADVOCACY
Shahid leads EFF's grassroots and student outreach efforts. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance.
From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director. After graduating from Stanford Law School in 2003, where he grew immersed in the movement to stop the war in Iraq, Shahid worked for a decade in Washington, D.C. He first worked in private practice for a large California-based law firm, with public interest litigation projects advancing campaign finance reform, and marriage equality for same-sex couples as early as 2004, when LGBT rights remained politically marginal. From 2005 to 2008, he helped build a national progressive legal network and managed the communications team at the American Constitution Society for Law & Policy, and in 2008 and 2009 he founded the program to combat racial & religious profiling at Muslim Advocates.
Outside of work, Shahid DJs and produces electronic music, writes poetry & prose, kicks rhymes, organizes guerilla poetry insurgencies, plays capoeira, speaks truth to power on Truthout, occasionally elucidates legal scholarship, and documents counter-cultural activism for the Burning Man Journal.