Everyone from experts to vendors to talking heads espouses the benefits of threat intelligence. It’s spoken of as a nebulous panacea that only a select few can dole out like ambrosia, and it is beyond the mere ken of the average security professional. This talk is going to cover the basics: what is threat intelligence, how to discern wheat from chaff, where you can find it, how you can use it, and where you can learn more about it.
Presentations for Blue Team
Every two years almost seventy major candidates vie for Senate seats across the United States. Many of the candidates have or will soon have a major impact on policy and spending, and their campaign web sites are visited by millions of voters and other interested parties. 2016 has been the year of the political cyberattack, with hacked emails, phishing, insecure servers and even whispers of foreign penetration in the news.
Despite this backdrop, the cybersecurity of US senatorial campaigns leaves much to be desired. On the eve of the 2016 election, Cybertical employed a new tool to scan the sites of 67 major candidates and found unpatched vulnerabilities, administrative usernames and public entry points on many of them. To help communicate which candidates’ sites were better or worse than others, every site scanned was awarded a “grade point average” (GPA) and a letter grade from A to F.
This presentation demonstrates the newly released tool, how it was used to get these results, and how the scoring process worked (and could be repeated across time to track improvement). Several Wisconsin and Milwaukee-area political sites will also be scanned and graded live.
After spending nearly 13 years working for the Department of Defense, I ventured out into the private sector to consult and advise on matters of information security. On many occasions, after explaining some basic security concept to a customer and outlining what they need to do to be secure, I often heard the retort, “yeah, but we don’t need DoD level security.” Well, after twenty years in the private sector, and especially over the past 2-3 years with the proliferation of data breaches against major companies, I find myself wanting to reply, “yeah, you really DO need DoD level security!”
What does this mean? Probably not what you are thinking. This talk will start with an overview of the foundational nature of data security, highlight the major tenets or goals of data security, introduce the risk equation, discuss how and why so many companies so often fail at implementing the basics of data security, and explore some ways that a DoD-centric approach to data security might be implemented in the private sector. Brainstorming, discussion, dissension all welcome.
*THIS PRESENTATION WILL NOT BE RECORDED*
As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in-line and cloud-based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. This talk will not be recorded. Defenders: might want to come to this one. 🙂
An introductory guide for businesses that want to “improve security” but don’t really know where to begin. This session will outline a strategy to get your company motivated to invest in security improvements. We’ll also explore the TOP FOUR attacks being used today, and what you can do right now to protect against them and dramatically improve your security profile.