SWCSF
Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, running on the Intel Management Engine, a separate microprocessor not exposed to the user, in order to monitor, maintain, update, upgrade, and repair them.
You just need a paperclip or something small and pointy.
This process will allow you to log in with the default credentials of admin/(no password) while still retaining the original configuration as a backup configuration, so you can still see it. This is probably what you want if you inherited a device as part of your network, don't have access to it, but still want to know what the original configuration was.
If you hold the button longer, until the green light *stops* blinking, this will wipe the existing configuration and be a true reset. This is what you probably want if you are decommissioning the system or selling it to a 3rd party.
Be aware that the reset button is a small, square piece of plastic recessed in a round hole, so you have to be delicate and intentional and make sure you press it without your small pointy thing slipping off too early, in which case the reset won't work. Fortunately, this system boots up in less than 15 seconds, so it is easy to try again.
Video is a little out of focus but you get the idea.
Neelov Kar is a recognized expert in information security & data privacy and will help the group understand the important aspects of the PIMS standard and what the right questions are to ask as you begin to plan an implementation.
by Neelov Kar, SecureaStar Consultant
All this brings up the need to have provably secure code, if that is even possible.
Join Elio as he dives deep into the new realm of security.
by Elio Grieco, Founder, CEO, egx
Topic: As a long-standing presenter of "Tool Time with Tim" and an official "Friend of the Forum", Tim will present on the use of the GitHub projects Yara and yarGen to hunt malware in enterprise environments. While separate projects, yarGen helps generate rule sets to use in Yara to detect and identify malware signatures in network traffic.
As another SANS instructor and security professional for prominent financial organizations, Tim has years of experience managing security in complex enterprise environments.
Expect a fast-paced and dynamic presentation as Tim takes a deep dive into these specific tools that most security professionals overlook.
Bio: Timothy Garcia is a seasoned security professional who loves the challenge and continuously changing landscape of defense. Tim started his career as an engineer in IT and, after working on a few security incidents related to Code Red and Nimda, he realized he had found his calling. Tim currently works as an Information Security Engineer for a Fortune 100 financial institution where he provides security consulting to project teams to ensure security of IT operations and compliance with policies and regulations. Tim also leads the team that is tasked with firewall review, SIEM management, privileged access monitoring and policy compliance. Tim has worked as a Systems Engineer and DBA and has expertise in systems engineering, project management and information security principles and procedures/compliance. Tim previously worked for Intel and served in the United States Navy. Tim also works with the OnDemand team as an SME, is a mentor for the Vet Success program and provides consulting and content review for the Securing the Human project within SANS. Tim is a contributor to the Arizona Cyber Warfare Range and works with the local security community giving monthly talks, when not teaching for SANS, on information security tools and techniques.
More about Tim: sans.org/profiles/tim-garcia
As a SANS instructor and the author of SEC555 and co-author of SEC455 and SEC530, Justin is uniquely qualified to present to the group on this topic and we couldn't be more excited to have him joining us this March 1st.
Additionally, he is planning on providing a virtual download so any attendees who wish can follow along with his examples. A free version of VMware Player will be required to run the Linux lab environment on your local system, which you can get from here.
Note that you do not HAVE to download the lab in order to get value from the presentation; you can just follow along with Justin if you wish.
BIO: Justin is the co-founder of H&A Security Solutions, LLC, a company that deploys, maintains, and tunes SIEM, NSM, and other solutions for organizations. Justin also maintains one of the largest Security Onion deployments in the world with over 1200 network sensors. He is a passionate security architect and researcher whose experience in cybersecurity started at the age of thirteen when he began providing professional services to organizations.
With 60+ certifications (GSE #108, Cyber Guardian Blue and Red, CISSP, ITIL Expert, MCSE) Justin was the 13th GSE to become both a red and blue SANS Cyber Guardian. Justin has been through a lot of training and says that SANS instructors are the best he's had the privilege to learn from. Becoming a SANS instructor became a personal challenge to see if he had what it takes to join the ranks of those before him.
More about Justin: sans.org/profiles/justin-henderson
youtube.com/channel/UCCtOSdF1YCUeh_lsbPWIQoQ
The report released by the United States of America Cyberspace Solarium Commission last March opens with a chilling warning. “Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system.”
Already a costly risk with $3 trillion lost to cybercrime in 2019, Cybersecurity Ventures predicts damages will cost the world $10.5 trillion annually by 2025. This is punctuated by the recent SolarWinds hack that ultimately led to the breach of thousands of businesses and government entities. Make no mistake, cybercrime has now escalated to cyberwarfare.
Clearly, no company stakeholder can afford to take a casual stance on cybersecurity. However, resource deficiencies force many to focus only on patching noticeable cracks in the levee because the task of identifying and fixing every trickle seems impossible.
Thankfully, in the face of daunting odds, it is possible to fight back and secure your organization’s reputation and intellectual property. Listen as Jack B. Blount explains how his experience as CIO in the federal government gave him a perspective on cyberwar – and how what he learned can help your business stay safe.
BIO: Mr. Jack Blount has an extensive career in technology as a visionary in the personal computer, local area networking, ERP, mobile computing, big data, cybersecurity, and AI. Blount began his career as an engineer at IBM. Mr. Blount was recruited from IBM to be the SVP of Business Development at Novell in the 80’s where he helped expand its business from $50M to $2B in just six years. Blount served as the CTO, COO, and CEO of 8 technology, turnaround companies. Blount has also served on twelve technology company Board of Directors of which five were public companies, and he served as Chairman of five of the companies.
Blount was also recruited in 2013 to serve as CIO in the federal government where he was responsible for designing a new 10-layer cyber security architecture that protected over one hundred thousand employees and billions of dollars. Blount has traveled around the world many times doing business in over 40 countries and has been a speaker at many public conferences in China, France, Germany, Norway, Russia, and the United States. Blount graduated from Southern Methodist University with a degree in Mathematics and did his graduate MBA studies while working at IBM.
Based on a recent article co-authored by Elio Grieco and Christina Eichelkraut
“We thought we were going to surf the internet. Instead the internet serf’d us.”
While inarguably the greatest invention in human telecommunication to date, the early idealism and utopian promise of the internet has given way to a profit-driven, algorithmically manipulated echo chamber that is starting to cause harms in the real world.
How did we get into this state of affairs, and, more importantly, how do we get out of it?
The real-life gore wrought by algorithms
Communications Decency Act Section 230
Centralization and Censorship
Protocols over Platforms
SAP CVE-2020-6207 vulnerability
MAZE Exfiltration Tactic - Extortion
SolarWinds attackers hit O365 mailboxes
Malwarebytes: SolarWinds hackers read our emails
VIPGames.com had a wide open Elasticsearch Server exposing 30GB of user data including 23 million records for 66,000 users.
Manufacturing giant suffers major cyber disruption
More security vendors admit to SolarWinds attacks
A fifth of Sunburst Backdoor victims from manufacturing industry.
66% of workers risk breaching GDPR by printing work-related docs at home
Return to SMS as a security feature
CISA warns of cloud attacks exploiting poor cyber-hygiene
Researchers spot SonicWall exploit in the wild
Defense more effective than offense in curbing nation-state threat actors (APTs)
Facebook sues devs of alleged data-scraping Chrome extensions
Intel: Earnings / financials leaked prior to public release potentially enabling insider trading.
Mastercard introduces quantum-resistant specs to enhance contactless security.
Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
In mid-December of 2020, an unprecedented cyber breach by an APT (Advanced Persistent Threat) Actor was disclosed by SolarWinds relating to its Orion software. With 300,000 customers, many of which are Government entities and Fortune 500 organizations, the potential scope and breadth of the impact exceeded all past events. The full extent of the breach is still being investigated and many organizations have been scrambling in December to remediate it. Even those not directly affected because they are not using the Orion software have to assess their supply chain dependencies and update their vendor risk assessments.
We have decided to dedicate our 2nd time-slot to a rundown of what is known about the breach today, including tools and methods used, the scope of the breach, impact, ongoing remediation and lessons learned going forward.
Ref: us-cert.cisa.gov/ncas/alerts/aa20-352a
+ Extensive discussion by forum members regarding the new California laws and the implications for business.
Topics include:
An update on Quantum Computing, progress to date
Dispelling common myths and misunderstandings
Quantum Encryption fundamentals
How QE compares to common classical encryption
The role of error checking
Possible Quantum Encryption methodologies being considered for the future
International race for Quantum Supremacy
Companies, Institutions, influencers and thought leaders to keep an eye on
Takeaways and tips for how to stay up to date
Speaker Bio
With over two decades of professional experience in information technology and business management, Ford Winslow has been a thought leader in the related fields of cybersecurity, cloud, and IT services since their inception.
ICE Cybersecurity, the San Diego-based firm he founded in 2016, specializes in managed cybersecurity and advanced cyber protection programs for organizations in heavily regulated industries.
Over the past two decades, Mr. Winslow has held technology leadership positions in the cybersecurity, cloud, information technology, risk management, life sciences, financial services, healthcare, non-profit, and retail industries, where he has consistently delivered value through the latest breakthroughs in technology.
Prior to launching ICE Cybersecurity, Mr. Winslow served as Chief Risk Officer of a San Diego-based cloud and managed services provider. He is the co-author of “Good Informatics Practices,” a best-practices training guide for the life sciences and healthcare industries.
In addition to his professional duties, Mr. Winslow serves as an advisor to a number of startups focused on cybersecurity, blockchain, internet of things (IoT), and emerging technologies. He is an advisor and mentor with CyberTECH, a San Diego-based network of tech-inspired startups and early-stage firms.
Mr. Winslow is an active member of the local community, supporting social organizations and charities benefiting a variety of worthy causes. His spare time is spent with family, on the golf course, playing music, or cooking. Ford studied computer science and information systems management at the University of Maryland.
Early in Casey's cyber security career, he found himself shut out of more than one opportunity due to a lack of scripting skills and at a distinct disadvantage in competing for lucrative cybersecurity positions. As a result, he invested in learning Python. After joining Tenable, he identified some unfilled needs in the product feature set, so, as a personal initiative, he developed an open source project called navi, which provides a number of command line tools to extend and enhance the Tenable.io vulnerability scanner. He has posted it on GitHub, where he actively supports the project with bug fixes.
Is Casey a professional developer? Nope. Is he trying to sell or promote navi or Tenable.io? Nope again. Does he have an interesting story to tell about creating a new tool to both fill a feature gap with a commercial security product as well as reinforce his scripting skills, all while contributing to the open source community, and why you should consider the same? Yes!
Navi - The Tenable.io Swiss Army Knife (208 commits)
github.com/packetchaos/navi
A command-line tool which leverages the Tenable.io API to automate common tasks in Cyber Exposure or Vulnerability Management.
Bio:
Casey has been involved in various IT-related disciplines until about 5 years ago, when he settled on cyber security and hasn't looked back since. He has consistently advanced his skills and career path and is now one of three Principal Engineers at Tenable and is an internal visionary with some measure of responsibility or influence for all aspects of Tenable operations.
Casey currently holds the following cyber security related certifications.
Tenable Certified SCCV Sales Engineer
Qualys Vulnerability Management Specialist
GIAC Web Application Penetration Tester (GWAPT)
GIAC Certified Penetration Tester (GPEN)
Certified Ethical Hacker v9
Red Hat Certified System Administrator
Security+ ce (SY0-401)
Do you really think your data center is resilient enough? Do you ever consider the physical plant in your risk assessments? This presentation will give you some insights, based on practical experience, into what really can go wrong in your data center, despite the most sincere and heartfelt promises by your colocation provider's sales force.
Bio:
Rich Larkins is a Senior Principal Staff Network Systems Engineer and CISSP with way too many expired Cisco certifications to care anymore. He has designed and implemented data centers and networks in over 10 countries on 4 different continents and has broken others all over the U.S. Rich has also been known to have been associated with various Cyber Security folks and organizations through the years, though most won't admit it. Contrary to the ISSA PHX chapter's memorial scholarship to the National Conference named after him, he is not dead yet.
He lives in Scottsdale Arizona with his wife Patricia, and their rescue 3-legged Cocker Spaniel with no teeth, Orion.
Any tributes, stipends, and/or gifts should be in Single-Malt Scotch older than your kids.
CEO of Edwards Valen & Associates, LLC
With co-presenter, Abel Sanchez
Scott will discuss some of the unique cybersecurity challenges banks face. He will share his perspective on helping financial institutions meet federal regulatory requirements as well as the hurdles he has overcome in teaching financial institutions to maintain sound operating practices.
Speaker Bio
Scott brings over thirty years of financial consulting to financial institutions to the table. His professional reach spans companies in Arizona, Colorado, Texas, and New Mexico and includes positions such as CEO, Partner, Vice President Loans and Operations, Director Internal Audit, Interim President, and Advisory Director.
When he is not busy providing financial consulting to community banks, Scott is busy leading strategic planning retreats, where he assists management in evaluating potential acquisitions and mergers. There are very few areas of a financial institution where he doesn't possess expertise.
His education & professional attainments include being a CPA and obtaining a bachelor's degree in accounting from the University of Arizona.
Our profession is at war with itself over strategies on how to bridge the perceived security talent gap. This conflict is rife with misperceptions, partial communications, and incomplete data, all of which serve to create confusion within the marketspace. In this presentation, we will look at all sides of the talent war and discuss how a “both-and” solution is the most appropriate. We will also look at the hidden pitfalls and necessities of the most prominent talent approaches and what practitioners and organizations must do to overcome them.
Bio: Kim L. Jones is a 34-year intelligence, security, and risk management professional with expertise in information security strategy, governance & compliance, security operations, and risk management. Mr. Jones is a former Chief Information Security Officer who has built, operated, and/or managed information security programs within the financial services, defense, healthcare, manufacturing, and business outsourcing industries. He is also the principal architect of one of the cybersecurity degree programs at Arizona State University.
Jones holds a Bachelor's Degree in Computer Science from the United States Military Academy at West Point, and a Master's Degree in Information Assurance from Norwich University. He also holds the CISM, CISSP, and CDPSE certifications.
linkedin.com/in/kimjones-cism
EG vs EG
2 minutes each taking the position for or against (or in the middle?)
Questions/Comments by Forum.
Debate Topics:
Password Managers, Yes or No?
Should home users encrypt their hard drives?
Google can do a better job protecting my info than I can?
AI/ML will result in a lower fatality rate vs human operators by 2030?
Cyber Security will be transparent to the end user by 2040?
The problem of anonymity on the Internet will never be solved?
The homes of the executive team have become the new battleground for the corporation. CEOs and their CISOs need to extend the defense perimeter and protect the entire digital lives of senior leadership. It is the right thing and the smart thing to do in today’s threat environment.
Attendees can expect to learn:
Compelling metrics for the level of risk to the company from executives in their personal digital lives
An understanding of how to extend the defense perimeter to encompass the new battlefront in the home in a way that protects the privacy of the executive
The CISO's and CEO's roles in protecting their company by protecting the digital lives of executives, board members, and key personnel.
Speaker Bio:
Dr. Chris Pierson is the Founder & CEO of BLACKCLOAK, a Concierge Cybersecurity™ & Privacy protection suite for high-net-worth individuals and top C-Suite executives. Chris has been on the front lines of cybersecurity and fighting cybercrime for over 20 years, with DHS, as President of the Federal Bureau of Investigation’s Arizona InfraGard, as the Chief Privacy Officer for the world’s 3rd largest bank, and in various other roles as a Chief Information Security Officer for financial companies.
He currently serves on the Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee and is a Distinguished Fellow of the Ponemon Institute.
Tim is a Sr. Level security engineer at a large financial institution as well as a long-time SANS instructor.
southwestcybersecforum.com
Cyber threat update with Erik Graham (~15 min)
Short presentation by our sponsor (~15 min)
Implementing Security Compliance Through Automation
by Joseph Bennet - Lead Consultant Contino,
Aaron Brock - Lead Consultant Contino,
Jason Lutz, NPA - Senior DevOps Consultant, Security
Topic:
Hybrid cloud change control and compliance can be manual, cumbersome and not scale well. Joseph, Aaron and Jason will present how they migrated a manual process of log ingestion for clients' AWS flow logs into an automated process driven by what are typically considered DevOps tools such as Git, Ansible, Jenkins, Terraform and Trumpet. This reduced the process timeline from days to hours, and allowed different teams to collaborate more effectively in managing the process. This mash-up of tools and how they were used provides important lessons for the future of Security Automation. Don’t miss this highly technical presentation, which will include demo code and an interactive chat session with the presenters.
Bio:
Joseph: Joseph Bennet has 14 years working in the IT industry, and 7 years as a consultant upskilling clients and their staff in the deployment, management, and use of various technologies. Joseph Bennet's experience includes a wide range of industries including financial and entertainment, as well as public sector experience working with organizations such as the US Patent and Trademark Office and the Army Research Laboratory.
Aaron: Aaron N. Brock is passionate about delivering solutions which create business value for clients. His forte is to tightly integrate iterative technological improvements with people-focused learning and upskilling, creating an environment where positive change is encouraged. He continues to evangelize a Cloud-First approach following DevOps best practices. Aaron has extensive experience in Docker, K8s, Jenkins, Ansible, Terraform and more. He continues to work with a wide breadth of companies across a variety of industries ranging from gaming to large financial institutions, and has experience at every level of the software development lifecycle.
Jason: Passionate about building cloud security programs, implementing open source technologies, and addressing information security risk. As a certified ISO 27001 Lead Implementer, he understands what it takes to build and reinforce information security management systems (ISMS) with a specialized focus on cloud implementations. He continuously increases his security, compliance and technical skills, combining these skills to create a unique amalgam of knowledge to offer to our clients.
FBI Cyber Task Force Update
by FBI Special Agent Paul Schaaf, also Phoenix Co-Infragard Coordinator
Topic:
Paul will provide an update from the FBI Cyber Task Force on the onslaught of on-line misinformation and how it is going to force our society to change the way we consume information and trust sources.
Bio: Chris Pavan is a veteran incident responder with experience supporting the US military and working in national forensics projects. He is a previous SWSCF speaker and is heavily invested in the Phoenix cyber security community.
Bio: David Gold recently joined SentinelOne as Sr. Director of Sales Engineering for the West. David has more than 15 years experience in enterprise information security and brings a strong track record of innovation and customer focus to SentinelOne. Previous to SentinelOne he was the VP of Product and VP of Solutions Architecture at ProtectWise and helped launch and build the company from stealth to a successful exit to Verizon. David helped define the network detection and response market and has helped many organizations develop detection and response strategies and to embrace cloud delivered technologies. He has also led Firewall Product Management at McAfee and has held various roles in sales engineering, product management and support at Websense, Intel, McAfee and Secure Computing.
Bio:
Niko Zivanovich is a Security Engineer for Check Point based in the South West US, specializing in Incident Response. Check Point is based in Tel Aviv, Israel and is one of the largest cyber security firms in the world. Previously at Johns Manville in Denver, Colorado working in network security and security operations focusing on ICS environments. While at Johns Manville, Niko and his colleagues helped to form the Berkshire Hathaway Information Security Group in order to facilitate the sharing of intelligence across the organization. He most recently worked for Berkshire Hathaway Inc. focusing on Incident Response preparation throughout the subsidiaries globally. He holds multiple certifications through the SANS GIAC organization.
Topic:
Anatomy of an Incident Response Event
An Incident Response (IR) Plan is where tools, skills and process all come together in a high-pressure, time-critical environment. Advance planning and experience are critical to a successful outcome. Niko will walk through a real-world Incident Response event and highlight, at each key stage in the process, where specific tools, people and skills and the structured response plan came into play, and how deficiencies at any point can hobble the organization. Attendees will be able to overlay this presentation onto their own organization's capabilities and identify where they may have shortcomings in their own IR Plan.
Bio:
For over 20 years, Ilene Klein has been evangelizing security to anybody who would listen … and to management. During this time, she built and led compliance, governance, incident response, privacy, policy, security awareness, threat intelligence, and vulnerability management programs and frameworks. Ilene started her career as an electronics instructor and then traveled from Honolulu to Heidelberg as a systems engineer installing proprietary software for the U.S. Army and resolving system crashes before focusing on cybersecurity. Ilene has earned multiple security and privacy certifications, and she’s won awards such as the CISM Geographic Excellence Award for earning the highest score in the North America geographical region on the December 2011 CISM examination and a 2018 Warrior Award for fighting on the “front lines” of cybersecurity.
Topic:
Congratulations — You’re in cybersecurity, one of the best and most in-demand careers. But there’s an entire alphabet soup full of cyber-related certifications out there. During this presentation we’ll discuss the CISM certification, including what it is, how it differs from the CISSP, who might be interested in earning a CISM, the domains covered, and whether it’s worth it.
Mark and his colleagues use Data Science to help organizations gather, process and structure data so that meaningful patterns can be analyzed, explored, and communicated to the organization, their stakeholders, clients, and contractors.
He started his career at 19 as a 911 Dispatcher for the Phoenix Police Dept. There, he learned how powerful information and communication can be. He developed a curiosity for computer science that ultimately led to doing freelance IT consulting for JP Morgan Chase, Berkshire Hathaway, and various other regional corporations and small businesses. While working for these companies, Mark's programming skills converged on Data Science to handle the massive amount of information that must be dealt with on a daily basis for these organizations. This led to an increasing interest alongside the emerging field of Data Science. Seeing how generally useful these tools were, a couple of years ago he switched his business focus from IT to Applied Data Science, and has since served clients in Education, AI-Security Implementation, Politics, and Real Estate.
Topic:
The amount and importance of data in our daily lives is increasing at an accelerated rate. What are the security implications of large, international, public entities (state actors, corporations, etc) accumulating so much information in such a concentrated and centralized way? What kind of liability becomes apparent when large amounts of data are leaked? Even the most routine, mundane data (in large enough quantities) can be dangerous in very subtle and unpredictable ways. The best method of addressing these concerns is through education and data literacy. Spreading that knowledge will be the primary motivation of this talk.
I will go over the basic Data Science Process, some common industry vocabulary (especially common buzzwords), and provide some additional resources to learn more about Data Science.
In this talk, we'll take a look at how AI technologies are enhancing adversarial capabilities and how challenges in defensive machine learning are opening up new attack surfaces.
Gavin is a senior consultant and researcher who has a passion for network security, both attack and defense. Through that passion, he runs NetSec Explained, a blog and YouTube channel which covers intermediate and advanced level network security topics in an easy-to-understand way. His work has given him the opportunity to be published in industry magazines and speak at conferences such as DEF CON and CactusCon. Currently, he is researching ways to address the cybersecurity skills gap by utilizing machine learning to augment the capabilities of current security analysts.
Gavin has presented to the group before in Jan of 2019 on Machine Learning with very positive reviews.
NetSec Explained: netsecexplained.com
Gavin's YouTube: youtube.com/channel/UCsKK7UIiYqvK35aWrCCgUUA
Join John as he reviews the new landscape of warfare and how most countries are preparing for the likelihood that the next war will be a hybrid between cyber and conventional, and the impact to all of us that are in the line of fire.
Bio: As Vice President of Systems Engineering, John currently leads teams for a number of Fortinet’s largest customers and service providers. With 20 years of experience in network design, engineering and global operations, he continuously works to strategize, construct and operate data and content delivery that can scale and survive modern business needs.
As the industry has shifted from a focus on simple connectivity to one of continuous access, real-time security, and expanded platforms, he is proud to be part of a leading security organization as a consultative member of the Fortinet Security Fabric team, offering direct feedback from the field to help best determine not only how we shape our technology, but also the ecosystem growth through partners and their complementary solutions.
John resides in Seattle, Washington, holds a bachelor’s degree in business management, and will obtain his master’s degree in cybersecurity and information assurance in 2020.
Topic: Wizard Spider, made famous by their commodity banking malware “TrickBot” and “Ryuk”, is a notorious threat actor that conducts high impact attacks across a variety of industry verticals and sectors. We’ll start off with an overview of the current e-crime landscape and emerging trends, and the begin to breakdown the tactics, techniques, and procedures that Wizard Spider leverages as they conduct operations across the globe. Focus will be on the TrickBot, Ryuk, and AnchorDNS malware families, providing high-level overviews of their functionality and deployment. A victimology case study will provide a deep-dive into a real world scenario where both the failures and lessons learned will be on display. This talk will conclude with defensive strategies to help mitigate the threat, as well as, an interactive question and answer session.
Bio: Matt Russell is an internationally seasoned business and technology executive. He combines the exceptional leadership skills he learned leading and training intelligence teams in US Special Operations with his commercial experience in consulting and industry to successfully operate across a variety of business domains, geographic boundaries, and cultural landscapes. Matt spent 5 years living and working in Asia and possesses advanced fluency in both Korean and Spanish.
Bio: Michael McAndrews has been involved in Information Technology and Security for more than 25 years. Michael worked in the financial services, manufacturing and pharmaceutical industries before joining the Federal Bureau of Investigation in 2006 as a Special Agent. During his time with the FBI, he investigated numerous violations, but focused primarily on computer crimes such as intrusions, Internet frauds and intellectual property violations. He was also a member of the FBI's Cyber Action Team, a group of selected agents who would deploy worldwide for the most critical of intrusions. With experience in both the National Security and Criminal arenas, Michael left the FBI in December 2013 to rejoin the private sector. He now works as an expert in the field using leading edge security devices and performing awareness training to groups worldwide.
Michael is a Certified Information Systems Security Professional (CISSP) and has been certified by GIAC as a GSEC professional, an Intrusion Analyst (GCIA), and an Incident Handler (GCIH). Michael also holds the A+ and Network+ certifications from CompTIA.
There is a lot of confusion and misconceptions, even among security professionals, about what modern firewalls do. Even the terms Next Generation, NGFW or 4th Generation Firewall, which are commonly thrown around by vendors, can be confusing and misleading. John Nash will break down the features of a sampling of the leading firewall vendors and allow you to leave with a clear picture of the proper role a perimeter firewall plays in your organization and how it ties into your overall security strategy.
The presentation was delivered at (ISC)2 at Rio Salado College, Tempe, AZ July 16th, 2019 by John R. Nash, VP of Phreedom Tech © 2019 Phreedom Technologies phreedom.com
Goals 0:00
Contributors / Sources 0:50
Preface 1:23
The Death of the Firewall Has Been Greatly Exaggerated 3:56
Overview 6:52
What is a Firewall (Basic)? 8:37
Firewall Timeline 9:22
Is it a firewall? - Maybe, depends on what it does 11:16
Your Grandfather's Firewall 11:30
NGFW / Enterprise Firewall 12:28
Success vs Failure 17:32
Network Protocols 20:02
Governing Bodies 21:48
Eg. Bluetooth Special Interest Group 22:08
IETF / IRTF 23:21
IETF / RFCs 23:49
IP (TCP/UDP) Suite 25:15
Common IP Ports 26:17
IPV6 / IP version 6 27:04
OSI Protocol Stack 28:52
OSI vs. IP (TCP/UDP) Suite
Network Protocols 29:36
Network Architectures 30:02
Internet Circa 1971 30:47
Internet 1980 32:09
USENET 1986 32:23
Internet 2013 32:36
Is Encryption Important? 32:52
Encryption 33:54
Need for Encryption 35:37
Encryption Types 35:54
DES/3DES Block cipher
AES Block cipher
SHA-2 Hash Algorithm
RSA Encryption + Digital Signature
Common Secure Protocols 37:32
Encryption: Ciphers 38:10
Microsoft Prioritizing Schannel Cipher Suites 38:47
OpenSSH session using “verbose” 39:02
Threat Landscape 39:50
Vulnerability Databases 40:24
NVD Data Feeds 41:29
CVE Scoring 41:56
CVE Vector String 44:41
Mary Meeker Internet Trends 2019 47:07
Packet-filtering firewalls (Legacy) 48:52
Circuit-level gateways 48:58
Stateful inspection firewalls 49:18
Proxy Firewalls (Application-level gateways) 49:21
UTM Firewalls 49:46
NGFW / Enterprise Firewall 50:03
NextGen Firewalls 50:30
NextGen Firewall / Generation 4? 54:51
NextGen Firewalls Challenges 55:01
Throughput: 55:29
Ease of Use: 55:35
Decryption (SSL, TLS, SFP, etc): 55:50
OSI Seven Layers - Review 56:13
Risk is where you aren’t looking 56:18
Firewall Deployment Models 56:29
VMware Micro-segmentation 56:39
NGFW Feature Summary 57:05
Real time threat updates
Integrated IDS/IPS
Web/URL filtering
BotNet Detection
BGP / OSPF
Deep Packet Inspection
Certificate Generation/Management
Application Policies
AD Integration
Device/AD correlation
Suggestive Actions
Dynamic trust model
Multi-dimension heuristics
Provides Unified Interface
Open API
Feed Integration
High Availability
Bump on the wire
Data Integration
SIEM Integration
Machine Learning
Gartner 2018 Report for Enterprise Network Firewalls 57:12
Gartner Magic Quadrant for Enterprise Firewalls 2018 57:58
Check Point Software 58:47
Palo Alto Networks 1:07:40
Cisco Firepower 1:01:58
Fortinet 1:04:22
Palo Alto 1:07:40
Panorama manages your network security with a single security rule base for firewall, threat prevention, URL filtering, application awareness, user identification, sandboxing, file blocking, and data filtering.
Example: Fortinet Product Line-Up 1:10:35
Feature: Product Line Up
Firewalls: FortiGate (SMB, Chassis, VM & SD-WAN)
Virtual Segmentation: FortiGate VDOMs
Proxy: FortiProxy
Wi-Fi: FortiWiFi
Switch: FortiSwitch
Router: Integrated
SD-WAN: Integrated
Off-line Analysis: FortiSandbox
End-Point Protection: FortiClient / EMS
Cloud Offering: AWS, Azure and FortiCloud
Authentication: Token/Authenticator
Mail: FortiMail
Web Filtering: FortiWeb
DDoS: FortiDDoS
BotNet Protection: Integrated
SSL/TLS Inspection: Integrated (ASIC)
Digital Feeds: FortiGuard
Threat heuristics: Integrated
Single Sign-On: Integrated
Analytics: FortiAnalyzer
SIEM: FortiSIEM
NAC: FortiNAC
Gartner Magic Quadrants 2017 1:14:41
NSS Labs NGFW Comparative Report 1:14:58
Author – Thomas Skybakmoen JULY 17, 2018
2018 Tested Products
Barracuda Networks CloudGen Firewall F800.CCE v7.2.0
Check Point 15600 Next Generation Threat Prevention (NGTP) Appliance vR80.20
Cisco Firepower 4120 Security Appliance v6.2.2
Forcepoint NGFW 2105 Appliance v6.3.3 build 19153 (Update Package: 1056)
Fortinet FortiGate 500E V5.6.3GA build 7858
Palo Alto Networks PA-5220 PAN-OS 8.1.1
SonicWall NSa 2650 SonicOS Enhanced 6.5.0.10-73n
Sophos XG Firewall 750 SFOS v17 MR7
Versa Networks FlexVNF 16.1R1-S6
WatchGuard M670 v12.0.1.B562953
Erik presents recent events and his recommendations with his uniquely entertaining style.
Can a 20 year old technology help give you strategic visibility into a modern enterprise network? The answer is yes! Welcome to a powerful network monitoring/logging tool most people have never heard of.
Tim Garcia will review the capabilities and use of the Zeek and Bro IDS (two separate tools that are often used together) for security threat hunting.
(Originally the presentation was to be on the use of the Yara scripting tool to identify malware signatures but the Zeek/Bro topic won out due to popular demand).
Tim is a SANS Instructor primarily focused on blue team activities, ethical hacking, incident handling, security management and general information security principles. He is also an instructor in Information Systems Security, Systems Analysis and Project Management for several local universities in the Phoenix area.
Dr. Jerry Craig reviews a new process in which Security Controls Assessments (SCA) are managed and operated by in-house assessor teams—which allow the federal government to reduce engagement periods and costs; perform continuous monitoring and risk-based system vulnerability analysis; develop deeper knowledge of control families and individual controls; gain greater visibility into systems; and, most importantly, stand in a defensible position in the event of a data breach.
The event occurred during the October 7th meeting of the Southwest CyberSec Forum at University of Advancing Technology in Tempe, AZ.
Table of Contents:
Introduction 0:11
Major Experience 1:28
Core Questions 3:00
What is an SCA? 4:23
What Do Restaurants & SCAs Have in Common? 5:42
What is Adaptive Capabilities Testing? 7:17
ACT Snapshot Analogy (Goal) 7:44
SCA/ACT Information Source Comparison 8:24
Failed Controls vs. Mapping Example 14:18
Alignment of Controls & Testing 17:49
Control Family Test Plans 18:32
Benefits of Aligned Test Plans 19:19
Funding Approaches 20:55
System of Record vs. Piecemeal 23:09
Conflict of Interest 24:50
Staffing for Success 25:42
Mowing the Lawn 31:05
DHS CDM Phases & Approach 32:46
Continuous Monitoring 33:51
Individual Control Family Deep Dives 36:38
Cost Savings 39:42
Bringing on Contractor Labor vs. In-House Labor (FTEs) 40:44
Lessons Learned 41:47
About Ventech Solutions 44:51
Our Core Strengths
Key HIDS Program Achievements
Full Security Suite
Erik presents recent events and his recommendations with his uniquely entertaining style.
We walk through the steps to select a logging platform and then implement an Elasticsearch cluster, a Logstash layer and Cerebro; ingest and parse data; perform initial discovery and reporting in Kibana; and finally use Grafana to create more advanced graphs.
See the Table of contents below:
Overview / Agenda / Intro 1:02
The need for security monitoring 1:16
What do we have to work with? 2:07
Getting started with log analysis 3:34
What data should be collected? 5:41
Firewall and windows log data 6:18
Typical logging architecture 9:44
Selecting a logging platform 10:40
Merits of Elasticsearch/ELK 13:46
Elasticsearch deployment 17:25
Phreedom ELK topology 19:42
Cerebro intro 27:00
Logstash deployment 29:18
Configuring SysLog on your FW 32:26
Installing Winlogbeat agents 32:40
Ingesting data into Elasticsearch 32:57
Elasticsearch indices 33:22
Installing Kibana 33:47
Kibana overview 35:09
Using Kibana 35:20
Building security reports 36:56
SIEM security questions 37:12
Fortigate log types 37:42
Windows Eventlog types (Channels) 37:52
NSA whitepaper on Windows IOC 38:24
Nagios PowerShell IOC Check 39:03
Investigating your Windows Data with Kibana 39:48
Investigating your Firewall Traffic with Kibana 41:29
Kibana - Visualize 42:55
Kibana - TimeLion 43:33
Installing / Using Grafana 44:40
Building your first Grafana Graphs 45:32
Grafana - Windows Failed Logins 45:41
Grafana - Firewall Policy Heatmap 46:26
Grafana - TCP Session Count by Server 47:01
Final Security Dashboard 47:36
Erik reviews each and discusses the impact with the audience with his uniquely entertaining style.
Over the last 34 years, John has worked for Rockwell International in the R&D labs for the GPS system, as a field engineer for communication carriers deploying packet switched technologies and is now VP of Technology for Phreedom Technologies with his business partner Dean Moore.
Chapters / Table of Contents
What is a Firewall: 0:17
History of Firewalls: 0:57
Network Protocols 3:50
IPv4 / IPv6 Comparison 9:07
IPv6 Firewall Support 9:45
Packet Filtering Firewalls 11:57
Circuit Level Gateways 12:27
Stateful Inspection Firewalls 13:15
Proxy Firewalls (Application Gateways) 13:39
UTM Firewalls (Unified Threat Management) 15:25
Next Generation Firewalls (NGFW) 15:57
NGFW Challenges - Architecture 25:50
NGFW Challenges - Throughput 26:25
NGFW Challenges - Ease of Use 27:44
NGFW Challenges - SSL Decryption 28:30
Non-IP Security - USB Firewalls 30:09
Non-IP Security - Bluetooth 31:00
VMware Micro-segmentation 33:28
Fortigate NGFW Capabilities 34:55
Fortigate NGFW - Traffic Bubble Map 34:55
Fortigate NGFW - Threat Bubble Map 39:51
Gartner Magic Quadrant- Firewalls 40:39
NGFW Feature Summary 41:45
Security Analytics Dashboard 41:58
As CEO/Partner of iCertWorks, ISO Manager and SecuraStar, Dave has worked for decades managing a broad spectrum of risk management products and services for some of the largest organizations in the world.
There are no traditional career paths in cyber security, and the recruiting process often lacks transparency. Learn from an insider to build your own career. This talk, “Hacking Hired,” identifies the four primary vectors of your job search and shares insights on how to work these vectors to your advantage to create the career you want. At a high level, these vectors are the tools, technology, organizations and people. This is open to professionals at every stage in their career.