Keynotes

I am a professional thief and I’M BACK! When you walk down city streets, through the hallways of office buildings, or ride an elevator up to your hotel room... what do you see? Most of us simply see the world as we’re expected to: Stores that are open or closed. Institutions that have a main entrance we’re expected to use. Doors and floors that are only accessible to us if we are credentialed and authorized to be there.

That is not the world that I see.

My name is Deviant and I run covert entry operations with a team of similarly-trained experts. We break into buildings — picking locks, bypassing alarms, attacking the access control systems — and report our findings to clients around the world!

Breakout Sessions

Organizations are barraged constantly with phishing campaign attacks, and one organization suffers a breach every fourteen seconds. According to the 2021 Verizon data breach report, over 85% of data breaches are due to human error. It is worth noting how the criminals get into an organization’s systems and infrastructure: it comes down to phishing attacks or misconfigured and unpatched systems.

One solution is a robust security awareness and training program. However, how many employees take it, retain it, or use it? If the program is useful, why do breaches continue to occur? Organizations have training programs; employees complete them and move on. Unfortunately, most of the time, they don’t remember the material. Thus, the next evolution of security awareness needs to be an influential security culture. A security culture instills a security mindset in every employee and can significantly reduce the risk of a data breach caused through employees.

How to best defend your company from regulator enforcement actions and related lawsuits.

We will discuss new data breach notification timelines and requirements, the legal aspects of successfully handling ransomware and related payments, and the emerging enforcement actions and case law your organization needs to know.

Burnout Prevention
– Karen Worstell

Karen Worstell has a wealth of experience and strategies to share to flameproof your career so that you can stay in the game and thrive in spite of the stressors that come with cyber professions. Join her on Thursday and come away with actionable strategies you can use for yourself, your loved ones, and your teams at work.

Special Sessions

CMD+CTRL Shadow Bank Cyber Range

Take a hands-on approach to learning about cyber security! This CMD+CTRL Shadow Bank Cyber Range session will train participants of all skill levels about common web exploits and techniques. Learn how to improve your practical cybersecurity skills and knowledge remotely! Security Innovation invites ISSA members to crack passwords, steal money and manipulate databases in CMD+CTRL Shadow Bank. Throughout the event, proctors will provide guidance, hints and tutorials in an intentionally vulnerable website while teaching players to think like an attacker! Participants will learn a variety of concepts and practical skills while having fun exploiting their way through dozens of vulnerabilities. No prior cybersecurity experience is necessary to learn and participate in this event.

Participation for all skill levels is easy – join the webinar, fire up a web browser on your computer (no tablets) and get ready to hack! The latest version of Chrome is recommended for the best experience, but the latest version of any major browser will work.

Pre-Req Knowledge: An interest in cyber security and a desire to learn more. A security testing background is not required and most information provided by the proctor will focus on new learners. Advanced participants will find the free play and dozens of challenges engaging and fun.

Training

‘Stop Ransomware in its Tracks!’

No product will make us secure. Estimates are that since 2019 more than $100 Billion a year has been spent on cyber security products, yet we have had many data breaches. We are losing the battle, so it is time for another approach. Organizations need to start with the foundations of defense in preparation for deploying deception and taking control of their networks.

The recent wave of ransomware attacks against pipeline companies and others shows that we have to look at the fundamentals. There is no reason in a modern network for a ransomware attack to take out the entire enterprise network. At most it can take out a machine, or even an entire network segment, but it should never take out the enterprise; the only way this can happen is poor network design! We have to rethink how we do security, and this will take a concentrated effort at using the proven methods of segmentation and isolation. No matter how much “security” is put in place, the reality is that we are running our data on protocols that were developed many years ago, when the Internet was small, and as a result these protocols are based on the principle of trust. Therefore, to truly defend, we need to modify these protocols. The concept is that if the protocols can be changed, the result will be frustration and confusion for the adversary.

In this webinar, defensive concepts will be explored, along with an introduction to the power of using deception at different layers of the network. The attacker depends on information gathered during their surveillance. With deception we change the network at layers 2-4, so the attacker’s collected data is no longer valid and is useless to them; this forces the attacker to start the information gathering process over again. These concepts change the game and put the defender in control! The concepts have been deployed at Capture the Flag events and frustrated and confused the hackers for hours!

Forever you have heard that the hackers are in control and that they only need to find one way in. This webinar will show you how to flip that model: we only need one packet to identify the attacker and prepare our response strategy. We are in control of our networks because we have designed them, and this webinar will show you how to take advantage of that.