BSides Boston 2016 has ended
Friday, May 20

9:30am

Registration for full day classes
Friday May 20, 2016 9:30am - 10:00am
NERD 1 Memorial Dr

10:00am

Advanced Web Hacking [Full day class]

GuidePoint Security’s Advanced Web Hacking class heavily emphasizes hands-on learning through an instructor-led, simulated Web Application Assessment against a proprietary web application that was built specifically for this course. Throughout the course, students will perform OSINT gathering, Application Discovery, manual vulnerability identification, and various exploitation techniques. The course moves beyond the basic OWASP Top 10 Web Application Vulnerabilities by introducing advanced forms of these common vulnerabilities, built from our own penetration testing experience. Focus is also placed on creating realistic Proofs of Concept to show higher impact and what an attacker could do if the vulnerabilities were exposed. Topics Covered:


Application Discovery

  • Information Gathering
  • Application Functionality 
  • OSINT 
  • Fingerprinting 
  • Identifying Application Entry Points

Vulnerability Identification
  • Automated Scanning Limitations
  • Manual Vulnerability Identification Techniques


Vulnerability Exploitation

  • Blind SQLi
  • Advanced XSS
  • Server Side Template Injection (SSTI)
  • Privilege Escalation
  • Account Hijacking
  • Writing Proof of Concept Exploits

Course Requirements: Course attendees are required to have a laptop with an up-to-date Kali Linux Virtual Machine. This class is open to attendees of all skill levels; however, we assume prior knowledge of common web vulnerabilities and their exploitation.



Speakers
David Bressler

David Bressler is a Managing Consultant at GuidePoint Security within the Application Security Team. He has more than 8 years of broad-based experience managing application penetration testing, source code review, architecture review, network penetration testing, digital and physical... Read More →
Casey Dunham

Casey Dunham is a Security Consultant at GuidePoint Security with 10 years of experience as a full stack software developer in various industries managing development projects and building DevOps and Security initiatives into the Software Development Lifecycle. Before joining GuidePoint... Read More →


Friday May 20, 2016 10:00am - 5:30pm
NERD 1 Memorial Dr

10:00am

Introduction to Hardware Hacking [Full day class]

This training will introduce the audience to the field of reverse engineering electronics. Attendees will learn in a hands-on environment how to identify areas of circuit boards to target and perform the extraction of firmware and data at rest, and interception of data in transit. The workshop will introduce and explain various ICs such as microcontrollers and radio transceivers, JTAG, common embedded flash storage solutions, and various types of communication buses. Registration cost includes some hardware hacking tools that may be kept by attendees. The target audience for this workshop has little to no experience in electronics.

Attendees will receive:
- A Bus Pirate or GoodFET
- Hookup wire and EZ-hooks for connecting components to target hardware

Speakers
Brent Dukes

Brent Dukes (@TheDukeZip) has over a decade of experience in systems engineering designing both hardware and software for radio applications. He has a passion for reverse engineering, and spends his free time competing in CTFs and modifying consumer electronics to suit his own needs... Read More →


Friday May 20, 2016 10:00am - 5:30pm
NERD 1 Memorial Dr

12:30pm

Registration for half day classes
Friday May 20, 2016 12:30pm - 1:00pm
NERD 1 Memorial Dr

1:00pm

CTF: Learn to Hack for Fun and Profit! [Half day class]

Learn about Capture The Flag (CTF) competitions and how you can participate. This training will provide a background on what CTFs are and how they operate. This training will then guide participants through several real CTF challenges from previous competitions to help build an intuition for how to approach CTF problems and teach real-world hacking skills that are used to defeat the challenges. Completion of this training should prepare participants for competing in the BSides Boston CTF.


Speakers
John-Nicholas Furst

John-Nicholas Furst is a Hardware Engineer at Akamai with a long history of participation in CTFs. As a founding member of the hackerspace BUILDS at Boston University, he honed his skills in competing in various CTFs internationally. He eventually moved into running CTFs as a co-founder... Read More →


Friday May 20, 2016 1:00pm - 5:30pm
NERD 1 Memorial Dr

1:00pm

Physical Security Testing [Half day class]

This training presentation will be a complete walk-through on how to perform physical security tests. This is NOT a lock-picking class. We will be covering common tools and tactics used to gain access to target facilities as well as provide videos from real-world testing and hands-on demonstrations of physical and electronic tools. Additionally, common issues that penetration testers encounter will also be discussed, such as personal psychological issues (insertion mentality), manipulating people efficiently, and understanding the most common physical security controls encountered during testing.

Additional topics to include:
- Onsite and remote advance work (recon/surveillance)
- Penetration of the external barriers
- Penetrating the facility/internal barriers
- Penetrating the people (security personnel and attacking human targets)
- Deploying low power boxes on the network for remote network access and audio/video surveillance.


Speakers
Keith Pachulski

Keith Pachulski is currently working for Dell SecureWorks as a Principal Security Consultant. He performs physical security services and executive security services independently. With more than 22 years of experience in physical and information security, He is currently responsible... Read More →


Friday May 20, 2016 1:00pm - 5:30pm
NERD 1 Memorial Dr
Saturday, May 21

8:15am

Registration
Saturday May 21, 2016 8:15am - 9:00am
NERD 1 Memorial Dr

8:30am

Resume Review
Bring multiple copies of your resume to have Ming, Roy and others (anyone who would like to join) critique it. This is an open session - we welcome all that are interested. We will provide real-time feedback including both the pros and cons of each. "Previous sessions' feedback have been all positive and we wish that we had more time to do this!"

Moderators
Ming Chow

Ming Chow (@0xmchow) is a Senior Lecturer at the Tufts University Department of Computer Science. His areas of work are in web and mobile engineering and web security. He was a web application developer for ten years at Harvard University. He has spoken at numerous organizations and... Read More →
Roy Wattanasin

Roy Wattanasin (@wr0) is an adjunct faculty member at Brandeis University in both the Health and Medical Informatics and Information Security graduate programs. He is also a healthcare information security professional. He spends most of his time managing the information security... Read More →

Saturday May 21, 2016 8:30am - 9:00am
NERD 1 Memorial Dr

9:00am

Pentesting for Fun and Profit
Should you become a pentester? How do you get there? What skills are required? What's the difference between a good tester and a "bad" tester and how to avoid the former.

This talk aims to answer these questions and give a basic overview of what it's like to pentest a small network and a small business using some of the automated open source tools of today including reporting and client interactions.

Speakers
William Reyor

William Reyor is a senior security consultant for Foresite, pentester, BsidesCT cofounder, Nesit Hackerspace co-founder, former QSA, security engineer, network engineer, systems engineer, and all around security geek, CISSP, purple team.


Saturday May 21, 2016 9:00am - 9:30am
NERD 1 Memorial Dr
  • Room Mann

9:00am

Bringing down the great Cryptowall

Ransomware has been running rampant for the last 6 years, and very little has been done to stop infections aside from deprecated signature scans and classic malware scanners. This presentation will demonstrate a couple of concepts that work on even the most current versions of the ransomware plaguing the networks of today. We will go over how modern malware is reverse engineered and some outside-the-box ways of stopping malware using their own programming against them. We will look at malware, packing and obfuscation methods, and the droppers used to load malware. Current versions of Cryptolocker, Cryptowall, SAMSAM and many other common ransomwares will be discussed. Additionally, there will be a brief introduction to the exploit kits and SaaS platforms used to launch ransomware attacks.

This presentation will also go over several software and hardware methods to trick and manipulate malware and the payloads associated with them. We will review hardware methods including hacked USB devices with glitched partition tables that will lock up malware and the operating systems affected. We will review software methods including malware-resistant file structures, randomized file extensions, and ransomware payload simulators to find how your system would be affected, with reports to help remediate them. We will review other methods including making machines immune to ransomware by adding kill-switch watchdog programs that will lock up the computer when malware attacks antivirus systems and the watchdogs associated with them. We will look at methods to make your physical machines look like a sandbox environment that malware will ignore. Finally, we will also look at some methods of abusing the TOR payment gateways to achieve free un-encryption by modifying system settings.


Speakers
Weston Hecker

Weston Hecker has 11 years of pen-testing experience, 12 years of security research and programming experience while working for a security company in the Midwest. He has recently spoken at Defcon 22, Defcon 23, 2015 SC-Congress Toronto, 2015 ISC2 Anaheim California, and Enterprise... Read More →


Saturday May 21, 2016 9:00am - 9:45am
NERD 1 Memorial Dr
  • Room Commons

9:00am

Information-Driven Product Design
Two of the currently most valued technology skills are those of data scientists and cyber security professionals. It is estimated that there are 1 million job openings for cyber security experts in the US. Information-driven product design uses information theory to combine data and security skills while developing profitable products. Information theory defines a logarithmic measure of information that is impartial to the value of information. This impartial property will guide our product development and, on the one hand, enable more data-driven design while, on the other hand, restricting the information we reveal to the outside world for potential misuse.

Speakers
Nikon Rasumov

Nikon Rasumov has 10 years of professional experience in 8 start-ups and worked in information technology across all G7+RIC countries. He holds a PhD from Cambridge University in computational neuroscience as well as affiliations with MIT and Singularity University. Currently his... Read More →


Saturday May 21, 2016 9:00am - 9:45am
NERD 1 Memorial Dr
  • Room Paul

9:00am

Up is Down, Black is White: Using SCCM for Wrong and Right
Offense and defense overlap more often than you may think. The same tools that allow attackers to disappear into the shadows can be used to tease indicators out of the noise. Lateral movement that blends in with normal traffic can be a challenge in some environments, and this makes living 'off the land' with existing functionality even more important to attackers. At the same time, defensive analysts need to be able to gather indicators without tipping their hand to adversaries. Why not use deployed system administration tools against the very sysadmins who rely on them, and why not use existing toolsets to hunt the bad guys trying to hide in plain sight?

This presentation will cover how one common system administration tool, System Center Configuration Manager (SCCM), can be used for both good and evil. We’ll cover a detailed background on SCCM, including typical deployment scenarios and relevant security measures, before diving into how SCCM can be used as either an excellent attack platform or a powerful defensive solution. We will cover our newly developed PowerShell SCCM toolkit (PowerSCCM) in depth and how to apply it no matter which color of team you play on.

Speakers
Matt Nelson

Matt Nelson (@enigma0x3) is a red teamer and penetration tester for Veris Group’s Adaptive Threat Division. He performs a variety of offensive services for a number of government and private sector clients, including advanced red team assessments. He has a passion for offensive... Read More →
Will Schroeder

Will Schroeder (@harmj0y) is a security researcher and red teamer for Veris Group’s Adaptive Threat Division. He has presented at a number of security conferences including Shmoocon, Defcon, Derbycon and several Security BSides conferences (including BSides Boston!) on topics spanning... Read More →


Saturday May 21, 2016 9:00am - 9:45am
NERD 1 Memorial Dr
  • Room Sampson

9:00am

CTF
Saturday May 21, 2016 9:00am - 2:00pm
NERD 1 Memorial Dr

10:00am

Practical OpSec for Paranoid Security Practitioners
How do you catch someone using TOR? How can you maintain privacy in an age where there are prying eyes everywhere? Beginners and experts will benefit from this talk. I want to bring to light tooling around anonymity on the web, specifically TOR, methodologies around using it, demo setting it up, and ways we as the good guys can A) leverage good OpSec and B) punish poor OpSec. Privacy is a huge concern in our industry. It is something that is being battled today in the highest court. Are we entitled to privacy in the digital age?

Speakers
Mike Li

Mike Li is a security engineer who turned his hobby into something he does professionally. He has a degree in CS and Digital Security. He is an avid member of the community, who is currently focusing on providing open source tooling to better manage security at scale for organizations... Read More →


Saturday May 21, 2016 10:00am - 10:45am
NERD 1 Memorial Dr
  • Room Commons

10:00am

Building Advanced XSS Vectors
In the modern web, with heavy use of client-side processing and security guards like WAFs and XSS-aware browsers, XSS exploitation has become more clever and dangerous than ever before.

In this talk we will see how to build modern and advanced XSS vectors and the scenarios that give rise to them. We will also see the use of webGun, a tool designed to help testers build complex payloads and test them against live targets.

Speakers
Brute Logic

Brute Logic is a world-class security researcher known for finding Cross Site Scripting vulnerabilities, reaching the #1 spot on openbugbounty.org (formerly xssposed.com). He currently works at Sucuri testing their WAF. He publishes tips, tricks and tools on his protected Twitter account @brutalsecrets... Read More →


Saturday May 21, 2016 10:00am - 10:45am
NERD 1 Memorial Dr
  • Room Mann

10:00am

Diversity, Don't Read the Comments
We tend to know diversity is important. There’s evidence that diverse teams are smarter and more creative. Furthermore, there’s also a lot of evidence that diversity matters for the bottom line. Based on the evidence, it seems like diversity would be important to an industry based on innovation and creativity. However, IT and specializations within the field like IT Security continue to be plagued by a diversity problem. And it doesn’t matter how you define diversity. No matter how you slice it, lack of diversity continues to be an issue. Recently, there’s been an increased focus on the issue with many tech firms publishing their stats and stating goals on improving diversity in their workforce, which leads to news stories being published, which invariably leads to comments on the story. If you think diversity matters, don’t read the comments. By engaging the audience throughout our talk, we will hit on the highlights of why diversity matters, what the current state of affairs looks like, ideas on how to change it, and the importance of supporting a diverse culture. We want to start conversations about what each member of the InfoSec community can do to support diversity and ignore the comments.

Speakers
Pedro Marcano

Pedro Marcano is the CEO of Vernance. He has founded three information security startups. Lately he has been working with critical infrastructure organizations and utilizing different frameworks as a base to help solidify organizations’ security postures. Most of his career has... Read More →


Saturday May 21, 2016 10:00am - 10:45am
NERD 1 Memorial Dr
  • Room Paul

10:00am

Breaking out of the silo: the need for broad security automation
Information Security teams are trying to manage increasingly complex IT and cloud environments at their organizations while also keeping pace with an ever-changing threat landscape. At the same time, there's a well-documented issue of unfilled security positions around the world.

For many teams this has inevitably led to security control gaps, operational failures, and, overall, insufficient security across virtually all industries.

A critical and necessary part of the solution to this problem for any organization is broad automation of disparate technologies and processes across the entire InfoSec lifecycle (protect > detect > remediate). There are a number of potential benefits of automating to this extent: more maintainable, auditable, maturable, predictable, and effective security programs.

In this presentation and the Q&A, the speakers will cover:
1. InfoSec programs' current state of affairs with fragmented, siloed automation
2. Strategy for approaching broad security automation
3. Examples of broad automation, including some at Rapid7 (current and future state)

Speakers
Julian DeFronzo

Julian DeFronzo is a Security Engineer at Rapid7 with a diverse background in network security monitoring, incident response, and data analysis. He loves building microservices and playing with data. He is an avid runner and a BBQ enthusiast.
Justin Pagano

Justin Pagano, Information Security Lead at Rapid7, is a tall guy who loves dogs. He's also very passionate about InfoSec, science, grammar, and Oxford commas.


Saturday May 21, 2016 10:00am - 10:45am
NERD 1 Memorial Dr
  • Room Sampson

11:00am

Keynote
Anonymous--the masked activists who have contributed to hundreds of political operations around the world since 2008--were perfectly positioned to earn the title of cyberterrorists. In this talk Dr. Coleman considers the various factors, from their uptake in Hollywood film and TV to the timing of their contributions that allowed them to narrowly escape this designation.

Speakers
Gabriella Coleman

Dr. Gabriella Coleman holds the Wolfe Chair in Scientific & Technological Literacy at McGill University. Trained as an anthropologist, her scholarship explores the intersection of the cultures of hacking and politics, with a focus on the sociopolitical implications of the free software... Read More →


Saturday May 21, 2016 11:00am - 11:45am
NERD 1 Memorial Dr
  • Room Mann

12:00pm

Lunch
Saturday May 21, 2016 12:00pm - 1:00pm
NERD 1 Memorial Dr

12:00pm

Resume Review
Bring multiple copies of your resume to have Ming, Roy and others (anyone who would like to join) critique it. This is an open session - we welcome all that are interested. We will provide real-time feedback including both the pros and cons of each. "Previous sessions' feedback have been all positive and we wish that we had more time to do this!"

Moderators
Ming Chow

Ming Chow (@0xmchow) is a Senior Lecturer at the Tufts University Department of Computer Science. His areas of work are in web and mobile engineering and web security. He was a web application developer for ten years at Harvard University. He has spoken at numerous organizations and... Read More →
Roy Wattanasin

Roy Wattanasin (@wr0) is an adjunct faculty member at Brandeis University in both the Health and Medical Informatics and Information Security graduate programs. He is also a healthcare information security professional. He spends most of his time managing the information security... Read More →

Saturday May 21, 2016 12:00pm - 1:00pm
NERD 1 Memorial Dr

1:00pm

Identifying (and avoiding) perverse incentive structures in your security solutions
Speakers
Mudge

Peiter Zatko, better known as Mudge, is a computer and network security expert, open source programmer, writer, and a hacker. He ran one of the most famous hacker think tanks, the l0pht, and famously testified to the US Senate about catastrophic vulnerabilities within critical infrastructure... Read More →


Saturday May 21, 2016 1:00pm - 1:45pm
NERD 1 Memorial Dr
  • Room Mann

2:00pm

Advanced XSS and Injection Attacks
Many developers are becoming increasingly familiar with the OWASP Top 10 Web Application Security Risks and the other OWASP Projects such as the OWASP Proactive Controls. However, in today’s world of advanced client-side JavaScript frameworks, Single Page Applications and multi-tiered RESTful backends, the common vulnerabilities that the OWASP Top 10 highlights are not as easy to find and exploit as they used to be. While these newer frameworks do a great job of increasing the security of the application, they also have their own caveats, and in the real world, where it takes time to refactor existing applications, new vulnerabilities can be introduced. In this presentation we take a look at advanced forms of Cross Site Scripting (XSS) in the AngularJS framework through improper usage of the AngularJS templating language and Injection attacks through the Hibernate Query Language (HQL), as well as breaking the HQL Lexer to run arbitrary SQL commands. We also present methods of auditing applications for these issues and preventing these vulnerabilities.

Speakers
David Bressler

David Bressler is a Managing Consultant at GuidePoint Security within the Application Security Team. He has more than 8 years of broad-based experience managing application penetration testing, source code review, architecture review, network penetration testing, digital and physical... Read More →
Casey Dunham

Casey Dunham is a Security Consultant at GuidePoint Security with 10 years of experience as a full stack software developer in various industries managing development projects and building DevOps and Security initiatives into the Software Development Lifecycle. Before joining GuidePoint... Read More →


Saturday May 21, 2016 2:00pm - 2:45pm
NERD 1 Memorial Dr
  • Room Paul

2:00pm

Getting Past Blame: A Human Strategy for Hacking Security
By regarding humans as the weakest link, contemporary information security perspectives disrespect users and business owners. We’ve failed in our attempts to tame the human. Code bases are getting larger and more complex while malware stays small and simple. People are universally terrible at applying patches, and patches may never actually reach the endpoint users due to layers of development responsibility. This problem will get exacerbated as the steadily lower cost of IoT entry results in an onslaught of fly-by-night device makers that are unable to provide long-term maintenance support, leaving millions or billions of devices running unsupported code in their wake. Rather than persistently blame the human for the current troubled state of information security, we need to act like hackers again and shift our perspective. Taking a Human-oriented security strategy changes the rules of the game, relieving users from the burden of past assumptions and allowing us to reassess what's possible to help them protect their environments. It’s well past time that we accept the need to change course, re-engage our inner hackers, and hack security.

In this briefing, I will discuss three key actions that security professionals can take to hack a human strategy into their regular routines: 1) Stop the blame by re-examining our core assumptions and changing our perspective on what it means to be secure, 2) Focus on solutions that show promise correcting inherent flaws, not on the problems that existing technologies fail to address, and 3) Collaborate with technology researchers to assist them in disrupting the security industry and potentially gain actionable value from participating in their research.

Speakers
Michael Figueroa

Michael A. Figueroa, CISSP, is the Cyber Innovations and Services Lead at Draper in Cambridge, MA. He primarily focuses on transitioning an advanced secure processor based on the open RISC-V ISA to market. He also serves as the program manager for advanced research in reverse engineering... Read More →


Saturday May 21, 2016 2:00pm - 2:45pm
NERD 1 Memorial Dr
  • Room Commons

2:00pm

Roads to a Career in CyberSecurity
There is no single path to a successful career in cyber security. The security industry requires individuals with diverse sets of expertise and experiences - from analysts to engineers, from CISOs to marketers; just like the women on this panel and the moderator. Deidre Diamond will moderate a panel of four women in the security industry as they each discuss how they built their career in different disciplines, all united by the common thread of cyber security.

Topics of discussion will include:
  • Initial interest in security 
  • First industry jobs 
  • Job changes, lateral moves and growth
  • Mentoring and inspiring others in the field


Moderators
Deidre Diamond

Deidre Diamond is the Founder and CEO of the national cyber security staffing company Cyber Security Network (CyberSN) and the Founder of the not-for-profit thought leadership platform #brainbabe (brainbabe.org). Prior to founding CyberSN and #brainbabe, she was the VP of Sales for the... Read More →

Speakers
Sonia Arista

With a career spanning nearly 20 years, Sonia E. Arista is the Director of Information Security at Tufts Medical Center in Boston. There, she is the information security Subject Matter Expert and also has extensive experience driving program development, assuring operational readiness... Read More →
Lital Asher-Dotan

Listed on Mass High Tech’s 20 Women to Watch in Tech and Business, Lital Asher-Dotan is a Cyber Security expert who has a record of launching disruptive innovative technologies. She leads the marketing team at Cybereason, a successful cyber security startup that received... Read More →
Sandy Carielli

Sandy Carielli has over a decade of experience in the security industry, as a product manager, consultant and developer. Most recently, she was a Director of Product Management at RSA, where she was responsible for the SecurID portfolio and the Data Protection product line; she has... Read More →
Nazira Carlage

Nazira Carlage is a Senior Manager, Product Security at EMC Corporation. She leads the EMC Product Security Response Center that is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to drive the strategy and execution... Read More →


Saturday May 21, 2016 2:00pm - 2:45pm
NERD 1 Memorial Dr
  • Room Mann

2:00pm

CryptoLocker Ransomware Variants Are Lurking “In the Shadows,” Learn How to Protect Against Them
Recently, attackers employing a CryptoLocker variant have been removing volume shadow copies on systems, disallowing the users from restoring those files and then encrypting the files for ransom. If a user cannot recover from backups, he/she is at the attacker’s mercy.

In this technical session, we’ll discuss the ins and outs of shadow copies, reveal how attackers are using them to encrypt files for ransom and then discuss ways you can quickly, and easily, detect and respond to these kinds of attacks.

Speakers
Ryan Nolette

Ryan Nolette is Senior Threat Researcher at Bit9 + Carbon Black and draws from more than a decade of intense and active Incident Response (IR), Threat Research, and IT experience to add a unique perspective of technical expertise and strategic vision to Bit9 + Carbon Black. Prior to... Read More →


Saturday May 21, 2016 2:00pm - 2:45pm
NERD 1 Memorial Dr
  • Room Sampson

3:00pm

Facilitating Fluffy Forensics 2.0
Cloud computing enables the rapid deployment of servers and applications, dynamic scalability of system resources, and helps businesses get products to market faster than ever before. Most organizations are aware of the benefits of adopting cloud architectures and many are becoming aware of the potential security risks. The majority of organizations, however, don’t realize the numerous challenges of conducting incident response (IR) activities and forensic investigations across public, private, and hybrid cloud environments.

It’s not all doom and gloom, however. The consumption model of cloud architectures actually lends itself to helping investigators conduct forensic and IR exercises faster and more efficiently than on a single workstation. For this to happen, however, the tools and techniques employed must evolve.

In this session, DataGravity CISO Andrew Hay will revisit the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations.

Speakers
Andrew Hay

Andrew Hay is the CISO at DataGravity where he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy. Prior to that, he was the Director of Research at OpenDNS... Read More →


Saturday May 21, 2016 3:00pm - 3:45pm
NERD 1 Memorial Dr
  • Room Sampson

3:00pm

We bought some tools - now what?
Everyone knows that information security isn’t something that can be ignored. Most people are doing something about it. But how do you know if you’re focusing on the right things, and where your gaps are? Is your focus based on a checklist your CIO read in a magazine? The key to a successful information security program is organization and documentation, the less fun but still vital part of information security. In this presentation I plan on outlining the steps to setting up a formal information security program and identifying gaps for current programs.
- Creating the main framework document & what should be in it
- What to do when your boss gives you a security checklist he read in a magazine.
- Strategies on selecting a security framework: SANS Top 20, NIST, ISO 27001, Cyber Essentials
- Establishing a security council
- IR plan & template
- Policies
- Change management
- Vulnerability management

Speakers
Jim Bowker

Jim Bowker, CISSP, has been in IT for over 20 years, with the last decade or so focusing on information security. He has a Bachelor's in Computer Technology from Purdue University and a Master's in Information Assurance from Northeastern University. He currently heads up the Information... Read More →


Saturday May 21, 2016 3:00pm - 3:45pm
NERD 1 Memorial Dr
  • Room Paul

3:00pm

Advocating for yourself in an Apathetic world: How to be Sick with Success
117 million people in the United States have at least one chronic illness, and in 2010, 7 of the top 10 causes of death were chronic diseases. So it makes sense that a portion of our community suffers from at least one chronic illness: diabetes, a heart condition, depression, an autoimmunity disorder. We all know at least one person in InfoSec with one of these conditions.

Being a population of people on the front lines of data security, knowing not to trust “the man” is a given. But what happens when you need resources to take care of yourself? How much do you divulge? How much do you have to?

Based on my 10+ year career in medical and disability insurance, as well as my personal history of surviving through college and a career with severe Crohn’s Disease, I will explore the resources available to protect your job, while learning to advocate for yourself with your doctors, your insurance companies, and your employer.

Speakers
Emily Pience

Emily Pience is a 10+ year survivor of the insurance industry, focusing mostly on disability and Medicare. She has been a well-known "Crohnie" (Crohn's disease patient) for 15+ years, supporting peers through mentoring and annual speaking for the Crohn's and Colitis Foundation of America...


Saturday May 21, 2016 3:00pm - 3:45pm
NERD 1 Memorial Dr
  • Room Commons

3:00pm

How To Discover 1352 WordPress Plugin XSS 0days in One Hour
In a single night, I was able to find about 1400 vulnerabilities in WordPress plugins. Not only that, but they were all a single kind of vulnerability, cross-site scripting (XSS). Using techniques that I have developed, I was able to mass download plugins and scan them for unsanitized outputs from a user. In this talk, I will show how I did it and how I have responsibly notified the community.

Speakers
Larry Cashdollar

Larry Cashdollar has been working in the security field and finding vulnerabilities for over 15 years. With a couple thousand CVEs to his name, he is a known researcher in the field. You can see many of the disclosed vulnerabilities at vapidlabs.com. He is a member of the SIRT at...


Saturday May 21, 2016 3:00pm - 3:45pm
NERD 1 Memorial Dr
  • Room Mann

4:00pm

Simple Data Exfiltration in a Secure Industry Environment
Since Edward Snowden's extensive data exfiltration from a high-security NSA environment, there has been heightened focus on data exfiltration, not only in government and defense environments but also in security-conscious industries such as finance, healthcare, insurance, etc. While much of Edward Snowden's exfiltration is thought to have required elevated privileges such as access as a system administrator, today's industry leaders are also concerned about regular employees and are asking the question: "how easy would it be for an employee or vendor with only 'user-level' privileges and minimal IT training to exfiltrate data?"

In the author’s experience as an IT auditor at dozens of security-conscious environments, the answer to that question is that data can easily be exfiltrated by employees with little or no IT training. Further, and importantly, most organizations have little or no effective detective controls that would alert or detect such data loss.

This presentation explores the top 10 data exfiltration methods that can be accomplished with only 'user-level' privileges and that are routinely overlooked in security-conscious industries.

Speakers
Phil Cronin

Phil Cronin started DataSec LLC to provide risk management and data security services for security-conscious industries. Phil has partnered with senior management and audit committees in improving management oversight and control and ensuring IT regulatory compliance. He has over...


Saturday May 21, 2016 4:00pm - 4:45pm
NERD 1 Memorial Dr
  • Room Commons

4:00pm

Getting Started with Machine Learning for Incident Detection
Organizations today are collecting more information about what's going on in their environments than ever before, but manually sifting through all this data to find evil on your network is next to impossible. Increasingly, companies are turning to big data analytics and machine learning to detect security incidents. Most of these solutions are black-box products that cannot be easily tailored to the environments in which they run. Therefore, reliable detection of security incidents remains elusive, and there is a distinct lack of open source innovation.

It doesn't have to be this way! Many security pros think nothing of whipping up a script to extract downloaded files from a PCAP, yet recoil in horror at the idea of writing their own machine learning tools. The "analytics barrier" is perceived to be very high, but getting started is much easier than you think!

In this presentation, we’ll walk through the creation of a simple Python script that can learn to find malicious activity in your HTTP proxy logs. At the end of it all, you'll not only gain a useful tool to help you identify things that your IDS and SIEM might have missed, but you’ll also have the knowledge necessary to adapt that code to other uses as well.

Speakers
David J. Bianco

David J. Bianco is a Security Technologist at Sqrrl Data, Inc. Before coming to work as a Security Technologist and DFIR subject matter expert at Sqrrl, he led the hunt team at Mandiant, helping to develop and prototype innovative approaches to detect and respond to network attacks...

Chris McCubbin

Chris McCubbin is the Director of Data Science and a co-founder of Sqrrl Data, Inc. His primary task is prototyping new designs and algorithms to extend the capabilities of the Sqrrl Enterprise cybersecurity solution. Prior to cofounding Sqrrl, he spent 2 years developing big-data...


Saturday May 21, 2016 4:00pm - 4:45pm
NERD 1 Memorial Dr
  • Room Paul

4:00pm

Becoming a Multi-Headed Hydra
It is a universal truth acknowledged that security teams have too much to do, and never enough resources to do it.

Traditionally, there are tactical tasks that security organizations own that we all hate doing: event triage, managing vulnerabilities, and more. These tasks lead to alert fatigue and more: they suck up valuable time that security experts could be using to strategically design and improve security defenses.

WHAT IF: You could scale your security tasks beyond your organization? Instead of wagging fingers and waving sticks, you could instill a sense of ownership of security posture across your engineering and operations organizations?

This isn’t a pipe dream, this is happening: let’s look at how some other modern companies are scaling their security organizations without security personnel.

Speakers
Jen Andre

Jen Andre is an engineer and entrepreneur who loves infosec, Linux, hacking on open source, and delights in the weird and the wonderful. She values experimentation and Getting Sh** Done. Having spent a career in infosec (she started as an event analyst in a SOC, then moved...


Saturday May 21, 2016 4:00pm - 4:45pm
NERD 1 Memorial Dr
  • Room Sampson

4:00pm

CSO Panel
CSO Panel with:
  • Jon Creekmore, The Cyber Discovery Group
  • Andy Ellis, Akamai Technologies
  • Josh Feinblum, Rapid7
  • Adam Glick, Century Bank
  • Mark Nardone, Northeastern University 

Moderators
Patrick Laverty

Patrick Laverty is the moderator for the CSO Panel. He is a security analyst at Rapid7 and was formerly at Akamai Technologies. He runs monthly OWASP meetings in Rhode Island. He doesn't have much experience at moderating panels and hopes that doesn't show through. He did his homework...

Speakers
Jon Creekmore

Jon Creekmore is the Chief Security Officer for The Cyber Discovery Group, a nonprofit public charity in cybersecurity technology, education, and research. Jon's roles place him overseeing the supervision and conduct of unique security architectures and policies which support operations...

Andy Ellis

Andy Ellis is Akamai's Chief Security Officer, responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network. He is the designer and patent holder of Akamai's SSL acceleration network, as well as several of the critical technologies...

Josh Feinblum

Josh Feinblum is the Vice President of Information Security at Rapid7. He is deeply involved in the security community, with a lifelong passion in the space that culminates in 12 years of information security experience. Prior to his role at Rapid7, he spent time starting security...

Adam Glick

Adam Glick is currently the Vice President of Information Technology and Information Security Officer for Century Bank, located just outside Boston, MA. Having been with Century for almost four years, his responsibilities include operationally managing all IT systems and all matters...

Mark Nardone

Mark Nardone is the CISO at Northeastern University in Boston, also his alma mater, with a master's degree in management information systems. A graduate of the university's Northeastern Leadership Program, as well as Evanta CISO Institute, with more than 15 years' experience...


Saturday May 21, 2016 4:00pm - 4:45pm
NERD 1 Memorial Dr
  • Room Mann

5:00pm

Closing remarks
Saturday May 21, 2016 5:00pm - 5:45pm
NERD 1 Memorial Dr
  • Room Mann

6:00pm

Networking Event
Saturday May 21, 2016 6:00pm - 9:00pm
Meadhall 4 Cambridge Center