Want to see your talk here?
CFP Info/voting: http://bit.ly/BSidesDelCFP
CFP Submission Form: http://bit.ly/BDECFP20


Got an opinion on a talk, awesome! Speakers love feedback but it's best for everyone when it's constructive as these comments are public.
Shortlink to this page: http://bit.ly/2020CFPVotingBSidesDE
Want more info on the conference?

Twitter @BSidesDE
Main Wiki page https://bitly.com/BSidesDE
Website http://www.bsidesdelaware.com/

Mark your calendar for November 13th and 14th 2020
Want to see your name and logo in lots of places and make business connections? Are you looking to hire infosec talent?

Download Our Sponsor Kit: http://bit.ly/BDE2020SponsorKit
Copy and paste to twitter for easy voting
Title
How would you like to be credited as the speaker and author of the talk? (This will be posted online AS IS for the schedule and/or talk voting)
Abstract
Intended audience or level skill level
Speaker Bio (This will be posted online AS IS after your talk is accepted so spell check it please)
Can you make people want to see your talk in 130 characters? Go:

@BSidesDE "A Crash Course In Assembly For Malware Reverse Engineers" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
A Crash Course In Assembly For Malware Reverse Engineers
Adam Gilbert @AGDCservices
Do you analyze malware in a sandbox but get lost when there are limited results and you need to read the assembly to know why? If you want to dig into the malicious assembly code but don't know how to start, this class is for you.

This lab based workshop will introduce everything you need to get started statically analyzing malware down at the code level. We will review all the fundamentals; tools, assembly instructions, memory layout, calling conventions, essential API’s, common programming patterns, and more. On top of the fundamentals, you will learn strategies to put everything together and actually analyze malicious assembly code to discover Indicators of Compromise (IOC’s) not visible in a sandbox. Our goal is for you to start viewing assembly code as source code, no different than reading C or Java.

Class Logistics
- Cost: $200
- This is an all day, 8 hour class taught remotely.
- You will receive a welcome letter with details to download the class VM a few days prior to the conference. If you do not receive the email three days prior to the class, contact us at adam.gilbert@agdcservices.com or @AGDCservices

Student Requirements:
- Students should have an entry level understanding of programming in any language. A general idea of malware analysis goals will be helpful, but is not necessary.
- Students must bring a 64 bit laptop with:
* VirtualBox or VMWare Workstation installed (VMWare Workstation Player is acceptable)
* 25GB of free disk space to install a provided analysis VM
* 8GB of RAM
* 1 USB slot
* Internet Connectivity
This class is for beginners, no previous experience in assembly is required
Adam Gilbert is an avid security researcher and founder of AGDC Services, a boutique computer security firm which provides malware analysis training and consulting services. He has 10+ years of infosec experience and a M.S. in Electrical and Computer Engineering, but his knowledge isn’t academic. It comes from digging down deep into malware to reverse engineer every aspect. Translating complex malware techniques into understandable concepts for fellow security practitioners is a truly rewarding experience that Adam is passionate about.
Increase your #dfir #malware analysis skills in the #remote, lab based "Assembly For Malware Analysts" class for only $200

@BSidesDE "So you wanna start a podcast (Updated for 2020!)" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
So you wanna start a podcast (Updated for 2020!)
Nate @gangrif
Some say that Podcasting is still, in 2020, one of the best ways to reach an audience. Even in today's world of visual media, audio is still in high demand. I run the Iron Sysadmin Podcast, an IT Ops focused podcast. In 2016 when I set out to create this show, it wasn't as easy as I thought it would be. A lot of technology had to be learned, and since then the show has evolved. The podcast space has also evolved! In this talk, I'll recap how we started the Iron Sysadmin Podcast, how it's evolved over the years, and how I might do it differently today. If you're interested in starting a podcast, you won't want to miss this talk!
Anyone interested in starting a podcast.
Nate is a Technical Account Manager at Red Hat, an accomplished Sysadmin, and a life-long nerd.
So, You wanna start a #podcast? Come learn from @gangrif's mistakes starting @ironsysadmin, and see how it's different today!

@BSidesDE "Breaking MFA" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Breaking MFA
Mishaal Khan
Multifactor authentication (MFA) has been hailed by cybersecurity experts as a silver bullet in the security landscape which should leave IT leaders skeptical. Join Mishaal Khan to break down the myths encircling MFA and uncover its weaknesses. Mishaal will provide live demonstrations of MFA bypass methodologies, discuss adoption hurdles, vendors, technologies, pros & cons and offer a framework for implementing MFA so your organization's data is protected.
Anyone who uses multifactor authentication
Mishaal likes to entertain people with hacks and shortcuts while conveying a much bigger message. His hands-on nature likes to test the limits of technology by breaking things in order to learn how to secure them.

He's spent his career in the corporate world building complex networks and helping organizations secure them.

It helps to have a strong passion in cybersecurity, OSINT and Privacy while holding a long list of technical certifications including CCIE R&S, Certified Ethical Hacker, Certified Social Engineer Pentester.
dispel myths on MFA and how it can be hacked, learn the right way to implement it

@BSidesDE "Security Automation Steam Engine Time!" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security Automation Steam Engine Time!
Joshua Marpet
Security automation is an old term. But up to now, most security is automated in a way that is done to assist a penetration tester, or maybe a blue team member. But is security being commoditized enough, that security automation, as a tool and a strategy, is enough to be done on its own merits? Not as an assist, but as a goal in and of itself? Let's examine what security has been automated in the past, and where we are now. And let's discuss whether what has been done up to now, is worthwhile. Or not.
everyone
Joshua Marpet is the Co-Chief Vision Officer and co-founder of Red Lion. He is an internationally renowned digital forensics expert and a patent-pending author for a Blockchain based Digital Forensics System. Josh has been honored as one of the top 10 most influential people in BSides and currently serves as a board member for BSidesDE and BSidesDC. He is a former board member with Hackers for Charity and BSides LV. Josh is heavily involved with CMMC. He is also a proud father, husband and mentor.
Did you automate any of your security? No? Should you? How? How much money can I save? Or would I not save any money? Let's talk!

@BSidesDE "How InfoSec skills can help you survive a pandemic" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
How InfoSec skills can help you survive a pandemic
Spam
The pandemic has highlighted many interesting personal and professional challenges for everyone, but you might be surprised at how many Infosec skills can be applied to help you deal better with this once in a lifetime public health crisis.

This talk will present ways in which you can repurpose Infosec skills to help you thrive during the pandemic, and will also try to provide some unique ways you can use examples from the Pandemic to explain Information Security concepts to folks.
Anyone
Spam has been accused of being Satoshi Nakamoto, but he spends most of his time pretending to be a meat popsicle.

@BSidesDE "Securing AND Pentesting the Great Spaghetti Monster (k8s)" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Securing AND Pentesting the Great Spaghetti Monster (k8s)
Kat Fitzgerald @rnbwkat
We’ve all heard of it - Kubernetes - but do you really know what it is and, more importantly, how to set it up securely? The Great Spaghetti Monster isn’t too difficult to secure if you just stop and use common sense (wait, WHAT?) security best practices. These techniques are for everyone - even those who have been playing with Kubernetes for some time.

Let’s talk about Docker, baby!

You have to start somewhere, and containers are the place. Next, let’s intro Kubernetes and the magic world of orchestration and what it really means to orchestrate containers. Then the fun begins as I demo a small Raspberry Pi stack with Kubernetes on it to show a live cluster with “visual aides” (very bright LEDs that show containers jumping from node to node).

As the brief Kubernetes demo concludes, it’s time to bring in security by demonstrating the security plug-ins and tools used. Techniques are shown for best-in-show k8s security configuration. Remember this concept - “Common Sense”? Let’s see if we can apply it with some best practices and build out the secure cluster. The focus on this is security threats to a Kubernetes cluster, containers and the apps deployed. A review of typical attack vectors in containers and Kubernetes clusters are shown with fun and exciting(?) pentesting tools specifically formulated for k8s.

Now the fun begins - we have secured our cluster and our containers but how can we be sure? Let’s put our blue-skills to the test with some red-skills and pentest our cluster. It’s time to present some live security testing tools that are best suited for testing k8s. This is where the rubber meets the road, or in this case, where, wait for it —– common sense prevails!!

Key Takeaways

1. k8s, what is it and why do I care, in real words, not fancy terms
2. Common sense techniques are still a thing and we prove it!
3. What tools we use and why
4. Pentesting in a k8s world is just a tiny bit different, and you will learn how.

The point(s) here, you WILL walk away with practical examples of what to do and what NOT to do. This isn’t theoretical.
All levels of Infosec will learn something!
Based in Seattle and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Seattle area.
Oh sure, Kubernetes is the Bomb! But is it secure out-of-the-box? Oh hell no! Let’s see if we can change that. :-)

@BSidesDE "Workshop on Fundamentals of RF Security" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Workshop on Fundamentals of RF Security
Harshit Agrawal @harshitnic
Any technology comes with both hope and challenges. Radio communication came with the hope of a better life and services. But with this hope, Wireless communication came up with various security challenges like reliable communication between devices, wireless sniffing, spoofing, DoS attacks and so on. This workshop will give one brief idea of how to analyze the devices' security, and the best practice guidelines will help to design them properly.

To ensure RF security, one needs to have a comprehensive understanding of the technology, threats, exploits, and defensive techniques along with experience in evaluating and attacking. This session takes an in-depth look at the security challenges of many different RF attacks, exposing one to wireless security threats through the eyes of an attacker.
All levels of Infosec will learn something!
Harshit Agrawal is currently working as a Radio and Telecom Security Researcher. He is enthusiastic about Signal Intelligence, Electronic Warfare, and Telecom Security. He presented his research paper at International conferences like RSAC USA, HITB Cyberweek, ICS Security Singapore, Hack In Paris, HITB Amsterdam, Securityfest Sweden, Nanosec Malaysia, CISO Platform Virtual Summit, Sacon Conference Bangalore, and DakotaCon USA. Previously he was President at CSI Chapter and Vice President for Entrepreneurship cell at MIT, where he also headed the team of security enthusiasts which gave him a good insight into cyber-security and increased his thirst to explore more in this field. He is a Programmer, Researcher, and Believer! He believes in providing something out of the box!
Understand the ease and prevalence of RF exploitation with sophisticated practical examples and case studies.

@BSidesDE "Mining technical debt for fun and profit- M&A strategies" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Mining technical debt for fun and profit- M&A strategies
Alex Muentz
When you buy or sell a company, you've got to figure out what you're getting. Sometimes the stuff you're getting is worthless. That's a nice property, but it's on top of a toxic waste dump. There's an equivalent in cybersecurity. You might have a bunch of paying users, but there might be an undiscovered breach or bad privacy practice that will affect brand value.

I'll discuss the M&A process and how cyber professionals can ferret out and remediate issues pre sale or clean up afterwards.

There'll be stories. There are always good stories to tell.
This is for all participants, but may be more interesting for mid-career people looking for ways to move into the business side of their profession.
Alex Muentz is the M&A Practice Lead at Leviathan Security Group in Seattle. He's offered cybersecurity and privacy advice to clients ranging from new startups to Fortune 50 firms.

@BSidesDE "Secure AI Powered Chat platform for LE " #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Secure AI Powered Chat platform for LE
James Corbett
An AI powered, CJIS compliant chat platform to help facilitate collaboration among local, state, and federal law enforcement and intelligence agencies. It's designed to be a virtual Fusion Center. The AI will be an assistant to helping officers and agents collaborate on cases across jurisdiction and state bounds.
This chat will be for any and all law enforcement officers, federal agents, and intelligence personnel.
James Corbett is a social entrepreneur that successfully co-founded two innovative initiatives, Project Refit and Blastar, Inc. Project Refit is a nonprofit organization with a mission to combat isolation among military, veterans, and first responders. Blastar, Inc. has built the product IMPaCT. He went to Stockton University and Columbia University. He left Columbia and pursued building products and companies to help communities in the USA.
The nation's first AI powered chat platform built for law enforcement and intelligence agencies!

@BSidesDE "Security and CISSP Lessons from CoVID-19" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security and CISSP Lessons from CoVID-19
Rob Slade
Using the pandemic as a giant case study, we will do a "one-day" quick CISSP review seminar. This is based both on a one day CISSP seminar *and* the full "Security Lessons from CoVID-19" presentation, so it's fairly intense. It's a good prep for those who feel *pretty* confident that they can pass the CISSP exam, but might want just a *bit* of a checkup.
Preparing for certification
Rob Slade is the last surviving non-aligned malware researcher in captivity. He got his start, in security, researching viruses. But not this type of virus. He gets out to far too few conferences and tries to make up for it by spending as much time as he can interacting with the fragmented and disparate "communities" online. He has spent the past year cooped up and unable to do anything besides researching the latest security buzzwords. Before that, though, he taught security on six continents. He is the author of (most recently) "Cybersecurity Lessons from CoVID-19." More information than anyone would want to know about him is available at https://twitter.com/rslade
http://en.wikipedia.org/wiki/Robert_Slade
http://catless.ncl.ac.uk/Risks/search?query=slade or
https://www.youtube.com/channel/UCXkYtvTGyUGKDES8tiHUHxA
Wanna see if you can pass the CISSP exam? All while finding out how a hot topic relates to security?

@BSidesDE "NFTs: Digital Cash and Bitcoins and Blockchains, Oh My!" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
NFTs: Digital Cash and Bitcoins and Blockchains, Oh My!
Rob Slade
NFTs and cryptocurrencies have become enormously popular, recently, but are also wildly speculative. Starting with the principles of, and research into, digital cash, we will examine valuation, fungibility, technologies, infrastructures, and the basic principles underlying this field. In addition, we will note the speculative nature of much of this "wealth."
Any level. (Novices, don't worry, we won't delve *too* deeply into the crypto.)
Rob Slade is the last surviving non-aligned malware researcher in captivity. He got his start, in security, researching viruses. But not this type of virus. He gets out to far too few conferences and tries to make up for it by spending as much time as he can interacting with the fragmented and disparate "communities" online. He has spent the past year cooped up and unable to do anything besides researching the latest security buzzwords. He is the author of (most recently) "Cybersecurity Lessons from CoVID-19." (And you can take that to the *bank*!) More information than anyone would want to know about him is available at https://twitter.com/rslade
http://en.wikipedia.org/wiki/Robert_Slade
http://catless.ncl.ac.uk/Risks/search?query=slade or
https://www.youtube.com/channel/UCXkYtvTGyUGKDES8tiHUHxA
NFTs and cryptocurrencies have become popular but also wildly speculative. Valuation, technologies, and the basic principles.

@BSidesDE "CMMC Certification Readiness: Mitigating Cyber Risk" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
CMMC Certification Readiness: Mitigating Cyber Risk
Ali Pabrai
Abstract:

The Department of Defense (DoD) standard, the Cybersecurity Maturity Model Certification (CMMC) is the future cyber standard now. CMMC is focused on the risk to the supply chain and how to effectively establish a cyber resilient program in an organization. While it directly impacts hundreds of thousands of suppliers to the DoD, you will find CMMC to provide value in enhancing your organization’s cyber and compliance program especially in the areas of policies, procedures and associated capabilities. Every compliance professional as well as cyber professionals, those with IT and information security responsibilities, must examine and learn more about the new CMMC standard. Cyber risk in the supply chain is a serious business risk. CMMC provides an opportunity to mitigate this risk.

Learning Objectives:

In this fast-paced, fact-based CMMC brief, participants will:

• Understand why CMMC is such a valued reference for addressing risks in the cyber supply chain (for e.g. your business associates)
• Walk through core components, organization and CMMC Maturity Levels
• Navigate requirements to achieve CMMC certification
• Examine key steps for establishing a CMMC-based compliance and cyber program
Compliance Professionals • Privacy Officers • Security Officers • IT Professionals • Legal Professionals • Senior Management and Directors
Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), CMMC PI, PA, RP, HITRUST (CCSFP), Security+, a cybersecurity and compliance expert, is the chairman of ecfirst. A highly sought after professional, he has successfully delivered solutions to U.S. government agencies, IT firms, healthcare systems, legal and other organizations worldwide. Mr. Pabrai has led numerous engagements worldwide for ISO 27001, PCI DSS, NIST, CMMC, GDPR, HITRUST CSF and HIPAA/HITECH. Mr. Pabrai served as an Interim CISO for a health system with 40+ locations in USA. ecfirst is an approved HITRUST CSF Assessor.
Get confidence to lead your organization in addressing cybersecurity risk at "CMMC Certification Readiness: Mitigating Cyber Risk"

@BSidesDE "NFTs: Bitcoins and Blockchains and Digital Cash, Oh My!" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
NFTs: Bitcoins and Blockchains and Digital Cash, Oh My!
Rob Slade
NFTs and cryptocurrencies have become enormously popular, recently, but are also wildly speculative. Starting with the principles of, and research into, digital cash, we will examine valuation, fungibility, technologies, infrastructures, and the basic principles underlying this field. In addition, we will note the speculative nature of much of this "wealth."
Anyone interested
Rob Slade gets out to far too few conferences and tries to make up for it by
spending as much time as he can interacting with the fragmented and disparate
"communities" online. More info than anyone would want to know is at
http://en.wikipedia.org/wiki/Robert_Slade

https://twitter.com/rslade
http://catless.ncl.ac.uk/Risks/search?query=slade
https://www.youtube.com/channel/UCXkYtvTGyUGKDES8tiHUHxA
https://ca.linkedin.com/in/rslade?trk=author_mini-profile_title
NFTs and cryptocurrencies have become enormously popular, recently, but are also wildly speculative.

@BSidesDE "BCP and Privacy Lessons from CoVID-19" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
BCP and Privacy Lessons from CoVID-19
Rob Slade
Important information security concepts which have been pointed out by the CoVID-19 pandemic crisis. Using the SARS-CoV-2/CoVID-19 pandemic as a giant case study, and structured by the domains of information security, this looks at business continuity, physical security, privacy, and applications security aspects of the crisis, pointing out specific security fundamentals where social, medical, or business response to the crisis failed, or needed to make specific use of those concepts. For the most part, these lessons are simply reminders of factors that get neglected during times of non-crisis, and particularly point out the importance of advance planning and resilience in systems and business.
anyone
Rob Slade may be an information security and management consultant from
North Vancouver, British Columbia, Canada, or he may be an artificial
intelligence program gone horribly wrong, and hooked up to various email
addresses. He is the last surviving non-aligned malware researcher in
captivity. He got his start, in security, researching viruses. But not this
type of virus. This year he has been cooped up inside with nothing to do but
research the latest security buzzwords.
Hey, it was tough to go through, so you might as well learn from it ...

@BSidesDE "Differential Privacy" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Differential Privacy
Rob Slade
Differential privacy is a relatively recent topic, although it is an amalgam of well-known, and long utilized, concepts. Oddly, outside of academic circles, it was almost unknown until Apple made a big deal of it in an announcement in 2016. Differential privacy is, however, the "quantitative risk analysis" of privacy, which is why it has such important points to make to the field of privacy, and why almost nobody is using it. (Including, mostly, Apple.)
anyone
Rob Slade is the last surviving non-aligned malware researcher in
captivity. He got his start, in security, researching viruses. But not this
type of virus. He gets out to far too few conferences and tries to make up for
it by spending as much time as he can interacting with the fragmented and
disparate "communities" online. He has spent the past year cooped up and unable
to do anything besides researching the latest security buzzwords. He is the
author of (most recently) "Cybersecurity Lessons from CoVID-19." (And he
doesn't care if you know that.)
No, it's not *that* type of privacy. It has more to do with databases and queries. But it does have some interesting points ...

@BSidesDE "Security Awareness Lessons from Dr. Bonnie" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security Awareness Lessons from Dr. Bonnie
Rob Slade
Dr. Bonnie Henry, as BC's Chief Medical Health Officer, has demonstrably saved over 5,000 lives in just a few months. With the regular CoVID press briefings, she has also provided a MasterClass in effective communication of complex technical subjects. This reference provides real-world examples of the most significant points in designing and implementing an effective security awareness program. It also conclusively proves, with mathematical certainty, the importance of a security awareness training.
anyone interested in security awareness
Rob Slade may be an information security and management consultant from
North Vancouver, British Columbia, Canada, or he may be an artificial
intelligence program gone horribly wrong, and hooked up to various email
addresses.

https://twitter.com/rslade http://en.wikipedia.org/wiki/Robert_Slade
http://catless.ncl.ac.uk/Risks/search?query=slade
https://www.youtube.com/channel/UCXkYtvTGyUGKDES8tiHUHxA
Many say security awareness training doesn't work. Most simply don't try. Here are some pointers that prove awareness is useful.

@BSidesDE "Security Management Lessons from CoVID-19" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security Management Lessons from CoVID-19
Rob Slade
Lessons, or reminders, of important information security management concepts which have been pointed out by the CoVID-19 pandemic crisis. Using the SARS-CoV-2/CoVID-19 pandemic as a giant case study, and structured by the domains of information security, this looks at security aspects of the crisis, pointing out specific security fundamentals where social, medical, or business response to the crisis failed, or needed to make specific use of those concepts. For the most part, these lessons are simply reminders of factors that get neglected during times of non-crisis, and particularly point out the importance of advance planning and resilience in systems and business.
anyone
Rob Slade is so *fever*ishly excited about *cough*ing up this presentation that
he can practically *smell* it. (Well, no. He can't.) More information than
anyone would wish to know about him is available at
http://en.wikipedia.org/wiki/Robert_Slade It is next to impossible to get him
to take "bio" writing seriously (especially with his death so imminent) but
you can try at isc2@outlook.com

https://www.amazon.com/Cybersecurity-Lessons-CoVID-19-Robert-Slade/dp/0367682699
You lived through it, might as well learn from it ...

@BSidesDE "Security Frameworks: Comparison and Overview (COBIT, COSO, ISO 27000, ITIL, and the rest of the alphabet soup) " #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security Frameworks: Comparison and Overview (COBIT, COSO, ISO 27000, ITIL, and the rest of the alphabet soup)
Rob Slade
Find out the BS behind BS 7799. We give you the ITILlating facts to help you pull up your SOX and get the jump on the guidelines from "Audit" to "Zachman."

As has been famously said, the nice thing about security standards is that there are so many of them. Which security framework is most appropriate for you? What can they help you to achieve? And where do Treadway and Turnbull come into it?

Come with questions, get answers, and share experiences about the all-too-often mysterious checklists that govern our professional lives.
anyone
Security specialist, malware researcher, author, and gadfly unwilling to take anyone's "rules" for granted. Published "Robert Slade's Guide to Computer Viruses," co-authored "Viruses Revealed." Prepared the world's first course on forensic programming and wrote "Software Forensics." Maintained a glossary of security terms, now published as "Dictionary of Information Security." Also "Cybersecurity Lessons from CoVID-19." (The various security frameworks might constitute the contents of a dictionary all to themselves ...)
Get a jump on the scoop behind the alphabet soup.

@BSidesDE "Security Operations Lessons from CoVID-19" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security Operations Lessons from CoVID-19
Rob Slade
Lessons, or reminders, of important information security operations concepts which have been pointed out by the CoVID-19 pandemic crisis. Using the SARS-CoV-2/CoVID-19 pandemic as a giant case study, and structured by the domains of information security, this looks at security aspects of the crisis, pointing out specific security fundamentals where social, medical, or business response to the crisis failed, or needed to make specific use of those concepts. For the most part, these lessons are simply reminders of factors that get neglected during times of non-crisis, and particularly point out the importance of advance planning and resilience in systems and business.
anyone
Rob Slade may be an information security and management consultant from
North Vancouver, British Columbia, Canada, or he may be an artificial
intelligence program gone horribly wrong, and hooked up to various email
addresses. More information than anyone would want to know about him is
available at http://twitter.com/rslade

Twitter/Social Media/Blog
https://twitter.com/rslade
http://en.wikipedia.org/wiki/Robert_Slade
http://catless.ncl.ac.uk/Risks/search?query=slade
https://www.youtube.com/channel/UCXkYtvTGyUGKDES8tiHUHxA
You lived through it, might as well learn from it ...

@BSidesDE "Security Lessons from CoVID-19" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security Lessons from CoVID-19
Rob Slade
Lessons, or reminders, of important information security operations concepts which have been pointed out by the CoVID-19 pandemic crisis. Using the SARS-CoV-2/CoVID-19 pandemic as a giant case study, and structured by the domains of information security, this looks at security aspects of the crisis, pointing out specific security fundamentals where social, medical, or business response to the crisis failed, or needed to make specific use of those concepts. For the most part, these lessons are simply reminders of factors that get neglected during times of non-crisis, and particularly point out the importance of advance planning and resilience in systems and business.
anyone
Rob Slade may be an information security and management consultant from
North Vancouver, British Columbia, Canada, or he may be an artificial
intelligence program gone horribly wrong, and hooked up to various email
addresses. More information than anyone would want to know about him is
available at http://twitter.com/rslade

https://twitter.com/rslade
http://en.wikipedia.org/wiki/Robert_Slade
http://catless.ncl.ac.uk/Risks/search?query=slade
https://www.youtube.com/channel/UCXkYtvTGyUGKDES8tiHUHxA
You lived through it, might as well learn from it ...

@BSidesDE "Homomorphic Encryption" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Homomorphic Encryption
Rob Slade
How do you encrypt something, and still use it? Recently security operations has become very excited about homomorphic encryption. It seems to be the latest "magic" security technology that will solve all our problems, but I don't think we've really provided a good outline of what it is, and, particularly, what it can't do. This presentation will outline the basic concepts, note some specific forms and applications, and point out the various factors for use or consideration.
anyone
Rob Slade gets out to far too few conferences and tries to make up for it by
spending as much time as he can interacting with the fragmented and disparate
"communities" online. More info than anyone would want to know is at
http://en.wikipedia.org/wiki/Robert_Slade

https://twitter.com/rslade
http://catless.ncl.ac.uk/Risks/search?query=slade
https://www.youtube.com/channel/UCXkYtvTGyUGKDES8tiHUHxA
https://ca.linkedin.com/in/rslade?trk=author_mini-profile_title
How do you encrypt something, and still use it?

@BSidesDE "Security Engineering != (Admin || Analyst || Responder) " #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Security Engineering != (Admin || Analyst || Responder)
@reswob10 and @nfltr8
The field of Security Engineering has evolved as an essential function within the Information Security industry. Security Engineers are responsible for many aspects of protecting the enterprise; including designing of secure systems, supporting security operations, and protecting business platforms, data centers and now, the cloud. The nebulous role of Security Engineers is sometimes confused with system administrators, security analysts or even penetration testers. Yet the industry recognizes the need for Security Engineers with over 1000’s of opportunities in the DMV region alone. This talk will address questions such as “What is a security engineer?” and “Aren’t they the system administrators?” Reswob (reswob10) and Noog (nfltr8) will provide their experience as Security Engineers in Information Security (or Cyber) solving real problems for federal services and other industries. Heck, we will even throw in a framework that we created called the Security Engineering Triad. After all that fun, we want to inspire the next generation on what it takes to become security engineers in today's world to include experience, education and certifications needed.
Anyone
Craig Bowser is an Infosec professional with over 20 years of experience in the field. He has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer in DoD, DOJ and Dept of Energy areas and is currently a Director of Data Analytics at GuidePoint Security. He has some letters that mean something to HR departments. He is a Christian, Father, Husband, Geek, Scout Leader who enjoys woodworking, sci-fi fantasy, home networking, tinkering with electronics, reading, and hiking. And he has a to do list that is longer than the to do slots that are open.

See comments at end for second bio
Our talk on Security Engineering highlights the importance of this field & how it fits in the challenges all organizations face.
31
@BSidesDE "Cybersecurity is exactly like soccer" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Cybersecurity is exactly like soccer
John Stoner @1MrStoner
I propose that a lot of folks have trouble wrapping their head around all the problems in Cybersecurity, so I love bringing in some analogies. As a soccer fanatic, this talk seems natural to me. Are you a striker for Man City (A red teamer on a Fortune 25)? Or are you a youth academy product (intern) playing for Bradford City (a small start-up)? Are you a specialist (wide speedy winger – Adama Traoré) or an all-around generalist (James Milner)? Are you Man City, and spend any amount for the right talent, or do you rely on your youth academy and train up the junior folks? Let’s dive into the tackle and have some fun on the pitch, try not to get yellow carded!
Everyone (Novice through Expert)
Mr. Stoner is a CISSP certified professional with over 21 years of experience in the US Intelligence Community (USIC), defense sector, and national security industry with 11+ in cybersecurity. He is a cybersecurity specialist looking for an impactful role across verticals, or serving multiple clients. Experienced in Cyber Threat Intelligence (CTI), cyber counterintelligence (CI), SIGINT, Defense Industrial Base (DIB) cyber engagements, NIST 800-171 & 800-53, Advanced Persistent Threat (APT) analysis, Risk Management Framework (RMF) and Governance, Risk and Compliance (GRC). He is a US Soccer D level licensed coach and has been involved with soccer since the age of 5.
Cyber Personnel explained through soccer analogies! No VAR!
32
@BSidesDE "Can Cryptocurrency Replace the US Dollar?" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Can Cryptocurrency Replace the US Dollar?
Kenneth Geers
Cryptocurrency has the potential to revolutionize world finance and world politics. As a currency, however, crypto still has a lot to prove. Good money has three requirements: reliable medium of exchange, meaningful unit of account, and stable store of value. Computer coders and digital revolutionaries have only just begun. A key milestone will be whether cryptocurrency can replace the US Dollar as the world’s reserve currency - a pillar of international relations since World War II. That is unlikely in the near term, but over the horizon, anything is possible. This talk offers a framework for understanding cryptocurrency’s past, present, and future. It details the security challenges associated with cryptocurrency investment, dissecting numerous vulnerabilities and mitigations. It examines why the economic potential of cryptocurrency is intimately tied to its political impact. Investors, from citizen to nation-state, must weigh the benefits and risks of cryptocurrency on tactical and strategic scales.
Everyone.
Dr. Kenneth Geers is an External Communications Analyst at Very Good Security. He is an Atlantic Council Cyber Statecraft Initiative Senior Fellow, a NATO Cooperative Cyber Defence Centre of Excellence Ambassador, and a Digital Society Institute-Berlin Affiliate. Kenneth served for twenty years in the US Government: in the Army, National Security Agency (NSA), Naval Criminal Investigative Service (NCIS), and NATO. He is the author of “Strategic Cyber Security”, editor of “Cyber War in Perspective” and “The Virtual Battlefield”, and technical expert to the “Tallinn Manual”.
I evaluate three key goals of cryptocurrency: reliable medium of exchange, meaningful unit of account, stable store of value.
33
@BSidesDE "EDR is Dead; Long Live Threat Hunting" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
EDR is Dead; Long Live Threat Hunting
@niryoo
The end is near for standalone EDR. EDR has made us into hunters. But before that, you have to get the foundations out of the way to be able to leverage dynamic, behavior-based hunting. How to help prevent in-memory attacks or fileless malware?
Fileless attacks, exploits, supply chain, and other living off the land attacks that regularly bypass EDR should be part of your capabilities now.
When an attacker is smart enough to evade detection what places should you look at? Few old (and some new) tricks to understand what was done and how to best eradicate the threat.
Information Security Practitioners
Nir started his career as a squad leader in the Israeli Intelligence Corps. He helped with gathering intelligence tracking the growth of terrorist organizations.
Nir has over 20 years of experience in threat intelligence, insider threat analysis, and endpoint security. Currently, Nir is a technical solutions engineer with Tanium.
Nir speaks occasionally at security conferences.
Get another view on what hunting smart using endpoint security looks like. Cyber hygiene translated to real life actions!
34
@BSidesDE "Hunt the Stank" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
Hunt the Stank
@securitysphynx
To be “secure” is more than “stopping bad behavior” or “keeping people out”. Being secure today is about knowing bad behavior when you see it, stop missing false negatives, be prepared when a supply chain attack impacts you, understand the limitations of modern EDR – they miss human attackers because humans look like humans, not malware signatures and realize that tool saturation, shadow IT, burnout, overworked admins… all of the above have created gaps. Your first and last defenses involve understanding BEHAVIOR and correlation.
I’ve divided this up into two sections – part one I call the “boring basics” because that’s generally how people in security feel when you say things like “map network flow” and “where’s your CMDB”. But those boring basics are essential, you’ll never get to the “fun” parts of security if you skip them.
The second half is a very quick – because this is only half an hour – run through of the attack lifecycle and some of your opportunities to detect dumb, different, and dangerous behavior that your signature-based detections may be less likely to pick up.
E5
Melissa Bischoping (@securitysphynx) is a passionate security evangelist whose academic & professional background in human psychology and technology align to educate, advocate, and remediate the difficult security problems faced by businesses and individuals.
She currently works as an Endpoint Security Research Specialist at Tanium where she analyzes emerging threats, zero-days, and CVEs to provide subject matter expertise for internal and external customers. Prior to Tanium, she held positions in operations and security across the hospitality, casino gaming, and industrial/manufacturing industries.
Outside of work, Melissa pursues a Master of Science in Information Security Engineering at SANS, where she also competes as part of the Capture-The-Flag team. She supports Pros Vs Joes as a Blue Pro staff member, and is an active member of multiple industry nonprofits to support other women in security. She lives in Northern Virginia with her spouse, son, 3 sphynx cats, and a min-pin.
This talk will help you tackle the low hanging fruit, clean up your dirty laundry, and then go for the big threats!
35
@BSidesDE "SBOM’s and CBOM’s - why bills of materials matter to hackers?" #BSidesDE #Vote http://bit.ly/BSidesDelCFP
SBOM’s and CBOM’s - why bills of materials matter to hackers?
Joshua Marpet
Bills of materials are fascinating, in that they can provide vulnerability information, component information, and compliance information. For red teams, it gives them ways to get in. For blue teams, it gives them a punch list of what to protect. What about for forensics, or compliance, or incident response? What do they get?
Anyone interested in bills of materials and learning new reconnaissance methods
Executive director of the RM-ISAO, founder of MJM Growth, and SPDX podcast host. I’ve been there and done that.
Want to learn the newest red team recon method, the best blue team tool, and the sexiest incident response resource ever?