An interactive look at what security research means today and how we got to zero days, bug bounties, and hoodie hackers in the news. Which particular skills or talents are most essential to being effective as a security researcher, and how much can we learn from the new digital anthropologist in waiting?
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit... (EnergySec)
In our modern world, we have learned to take for granted the universal availability of things like running water and electricity, and more recently, the Internet. As technology progresses, we are rapidly approaching a future in which nearly everything is digitally connected to nearly everything else. At the same time, we are learning to accept that all digital devices are broken from a security perspective. How we respond and adapt to this reality could well determine whether our future is utopian or dystopian. In this interactive session, we will explore novel avenues of attack using digital "soft targets", and discuss how we might hold things together in the face of persistent vulnerability.
Slide Griffin - Practical Attacks and Mitigations (EnergySec)
Over the past few years, penetration testing has gotten easier. What used to take a week of scanning, analysis, and exploit research now happens in one day on average in a common IT environment. The efficiency of compromise has increased for several reasons, including increased knowledge sharing, more powerful computing, and automated exploitation tools. OT environments often use the same operating systems and are prone to many of the same attacks. The main differences are the presence of custom protocols, embedded systems, and the lack of formal security programs to address the gaps created by two-way data communication networks.
This talk will show the most common attacks which our team currently uses to gain access and control over the networks and systems we test. More importantly, we will discuss the “top 10” things an organization can do to mitigate, remediate, and have active visibility into critical systems.
Almost 70 years since the first computer bug was discovered, there have been decades of research on information security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We are likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we have managed to box ourselves into metaphors and first principles that may be inappropriately constraining how we think about "Information Security Risk". In fact, it is worth noting that we cannot even agree whether there is a space between "Cyber" and "Security" when it is written out. This talk will take an anecdotal look at "Information Security Risk" and "What IS Cyber Security?", and use that perspective to suggest areas of research that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of the empty space might be helpful.
Device discovery for vulnerability assessment: Automating the Handoff (nathan-axonius)
While vulnerability assessment tools are widely believed to be very mature and approaching commodity status, they are only able to scan and analyze those assets they know about.
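The "handoff" the abstract refers to is the gap between what the organization knows it owns and what the scanner is configured to scan. The block below is an added example, not code from the Axonius talk: it merges two constructed inventory sources (a DHCP lease export and a cloud instance list) and subtracts the scanner's configured targets, leaving the known assets the scanner will never touch. All addresses, hostnames, instance ids and the line format of the lease export are assumptions made for this example.

```python
"""Reconcile asset inventories against a vulnerability scanner's target list."""
import ipaddress
from typing import Iterable

# Constructed sample data; addresses are private/documentation ranges, not real hosts.
DHCP_LEASES = """\
10.10.1.15 ws-0141.corp.example
10.10.1.16 ws-0142.corp.example
10.10.2.200 printer-2f.corp.example
10.10.5.9 plc-line3.ot.example
"""

CLOUD_INVENTORY = [
    {"id": "i-0a1b2c", "private_ip": "10.20.0.4", "name": "web-1"},
    {"id": "i-0d3e4f", "private_ip": "10.20.0.5", "name": "web-2"},
    {"id": "i-0g5h6i", "private_ip": "10.21.7.33", "name": "batch-worker"},
]

# Scanner targets as an operator would configure them: a mix of CIDRs and single hosts.
SCANNER_TARGETS = ["10.10.1.0/24", "10.20.0.0/24", "10.10.2.200"]


def parse_dhcp_leases(text: str) -> dict[str, str]:
    """Return {ip: hostname} from an 'ip hostname' per-line export, skipping blank lines."""
    assets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            assets[parts[0]] = parts[1]
    return assets


def parse_cloud_inventory(items: Iterable[dict]) -> dict[str, str]:
    """Return {private_ip: name} from the constructed cloud inventory records."""
    return {item["private_ip"]: item["name"] for item in items}


def compile_targets(targets: Iterable[str]) -> list[ipaddress.IPv4Network]:
    # strict=False turns a bare host such as 10.10.2.200 into a /32 network.
    return [ipaddress.ip_network(t, strict=False) for t in targets]


def is_covered(ip: str, networks: list[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def unscanned_assets(inventories: list[dict[str, str]], targets: Iterable[str]) -> dict[str, str]:
    """Known assets (union of all inventories) that fall outside every scanner target."""
    networks = compile_targets(targets)
    merged: dict[str, str] = {}
    for inv in inventories:
        merged.update(inv)
    return {ip: name for ip, name in merged.items() if not is_covered(ip, networks)}


if __name__ == "__main__":
    gaps = unscanned_assets(
        [parse_dhcp_leases(DHCP_LEASES), parse_cloud_inventory(CLOUD_INVENTORY)],
        SCANNER_TARGETS,
    )
    for ip, name in sorted(gaps.items()):
        print(f"NOT SCANNED: {ip:<14} {name}")
```

With the constructed data the PLC on 10.10.5.9 and the cloud worker on 10.21.7.33 are both known assets that no scan will ever reach, while the printer is covered only because someone added it as a one-off /32. In practice the inventory side grows to CMDB, EDR, cloud APIs and switch MAC tables, but the logic stays a set difference; the hard part is normalising identifiers across sources.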
How Aetna Mitigated 701 Malware Infections on Mobile Devices (Skycure)
View webinar recording - http://hubs.ly/H06134H0
Learn how Aetna protects its corporate data from mobile threats while providing a better user experience and complying with strict industry regulations.
Are you ready for the next attack? Reviewing the SP Security Checklist (APNIC)
Are you ready for the next attack? Reviewing the SP Security Checklist, by Barry Greene.
A presentation given at the APNIC 40 Opening Ceremony and Keynotes session on Tue, 8 Sep 2015.
Cybersecurity for Energy: Moving Beyond Compliance (EnergySec)
Presented by: Gib Sorebo, SAIC
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
Webinar: Ivanti Neurons for Patch Intelligence (Ivanti)
In today's world we see continuous change. The number of cyber threats is rising, end users expect more and are only one click away from ransomware. After a vendor releases a patch, an exploit is developed and used in cyberattacks within 22 days.
Join us in this webinar to see how you gain visibility into the patch status of your environment and how we can help you set priorities, so that you too achieve a time-to-patch of less than 22 days.
We look at what a Capture the Flag event is and how it can provide a great training opportunity for anyone interested or working in cyber security... for free! We also look at some examples of think-outside-the-box challenges.
This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.
An overview of why knowing programming can make you a better cyber security professional, a look at the most popular languages and some pitfalls to avoid
IDS are great tools for blue teams and a resource for network forensics; however, they can also be a great resource for red teams and as part of a penetration testing exercise.
Integrating Cyber Security Alerts into the Operator Display (EnergySec)
Presented by: Michael Toecker, Digital Bond
Abstract: Control Systems are responsible for the safe and reliable governing of physical processes, and are designed to report conditions that could affect reliable operations to operators for action. These conditions may vary in their severity, from minor inconveniences to those that can bring the process to a full halt. While engineers have predicted certain events and consequences, others are “unknown unknowns”, and may only be detected due to variances from normal function.
Cyber security conditions are similar in nature: they vary in severity, and cyber security professionals can classify and alert on some, but not all, cyber security events. In this presentation, Michael Toecker will discuss cyber security conditions that are known, and that could be integrated into the operational display.
Treating cyber security events as analogous to control system events has many benefits and drawbacks, and Toecker will expand on criteria for determining what is appropriate for an operator display, and what is not. The purpose of this presentation is to demonstrate that cyber security can have a place in operational decisions, so long as conditions are carefully analyzed and response actions developed beforehand.
Tools for Evaluating Mobile Threat Defense Solutions (Skycure)
View recorded webinar - http://get.skycure.com/evaluating-mobile-threat-defense-solution
Get the tools and information you need to make the evaluation process of Mobile Threat Defense solutions easier and ensure your success.
Complete network security protection for SMEs within limited resources (IJNSA Journal)
The purpose of this paper is to present a comprehensive, budget-conscious security plan for smaller enterprises that lack security guidelines. The authors believe this paper will assist users in writing an individualized security plan. In addition to providing the top ten free or affordable tools to get some semblance of security implemented, the paper also provides best practices on the topics of Authentication, Authorization, Auditing, Firewall, Intrusion Detection & Monitoring, and Prevention. The methods employed have been implemented at Company XYZ, referenced throughout.
Learn about current cybersecurity threats, what new threats are on the rise, and how to train the next generation of cyberprofessionals to help keep us secure.
2018 Year in Review - ICS Threat Activity Groups (Dragos, Inc.)
Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich overview the 2018 Year in Review report detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.
How would you handle and prevent fires from IoT forests?
We are living in an Internet of Things era. Every day more and more products are being connected to the Internet, and this affects our lives significantly. Therefore, the importance of IT security is increasing every minute. Many top global IT companies make the news with security incidents, and the consequences of mishandling those incidents have been huge. Handling incidents at global IT companies is very difficult because they make many different types of products and services in many different locations on very fast-paced development schedules. Responding to security incidents in consumer-grade hardware products such as smartphones and IoT devices is especially difficult because of the complexity of the patching process.
This talk will provide an explicit methodology for building and managing a good PSIRT (Product Security Incident Response Team) at top global IT companies that make consumer-grade hardware products.
Security for AWS: Journey to Least Privilege (update) (dhubbard858)
I created the baker's dozen of things to think about when migrating or deploying in AWS. Use comments to add your input. Read time approx. 15-20 minutes max.
There is also a long form written version of this on https://blog.lacework.com.
Using big data and implementing Hadoop is a trend that people jump to all too quickly. Instead, understanding the run-time complexity of one's algorithms, reducing that complexity, and managing the process from start to finish in a lean and agile way can yield massive cost savings, or save your organization.
Every paper tells you exactly what SDN is. But what is its current status, and what are the practical applications? This paper dives into matters beyond the obvious ones.
Why isn't infosec working? Did you turn it off and back on again? (Rob Fuller)
BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.
Are you ready for the next attack? Reviewing the SP Security Checklist (apnic... (Barry Greene)
Rethinking Security and how you can Act on Meaningful Change
What the industry recommends to protect your network is NOT working! The industry is stuck in a dysfunctional ecosystem that encourages cyber-criminal innovation at the cost of business and individual losses throughout the world. We do not need a "Manhattan Project" for the security of the Internet. What we need are tools that help operators throughout the world ask the right questions, questions that lead them to meaningful action. Security empowerment must empower the grassroots and provide the tools to push back on the root cause. This talk will explore these issues, highlight the dysfunction in our "security" economy, and present "take home" tools that facilitate immediate action.
Slides from my DevOpsExpo London talk "From oops to NoOps".
They tell you in these conferences that DevOps is not about tools, but about culture. And they are partially right. I am going to tell you that it’s not only about culture or tools but also abstractions.
It is a lot about how you see software and its value. About our mental model of what software is: how it runs, evolves, and interacts with the other facets of an enterprise.
We used to view software as code. As a state of code. Now we think about software as change, as a flow. A dynamic system where people, machines, and processes interact continuously.
At Platform.sh we spend a bunch of time asking ourselves not “How do you build?” - or even “How do you build consistently?” - but rather “What does it mean to consistently build in a world where change is good?” A world that lets you push security fixes into production as soon as they’re available because you don’t want to be an Equifax but you do want stability.
In this presentation, I will go over what we think software is and why having the right ideas about software will help you get your culture right and your tooling aligned, as well as gain in productivity, and general happiness and well-being.
Securing Systems - Still Crazy After All These Years (Adrian Sanabria)
It's 2019 and we still don't know if we have a complete inventory of our assets. It is impossible to guarantee that they are all safe. The last penetration test resulted in a bloodbath. Every day we worry about whether today is the day they hack us. This cycle of stress and worry MAY break, but each stage of securing systems has its complexities and challenges. We will analyze these challenges and difficulties, and provide strategies to address them.
From asset discovery to system tightening to vulnerability management - this presentation will show you how to build lasting trust in the security we provide to our organizations.
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense (EnergySec)
When we talk about cyber security, we recognize that it is part of a holistic approach to security and critical infrastructure protection. Tools and technology are not enough to ensure that mission-critical systems provide the capabilities needed for the military, continuity of government and commercial enterprises to continue operations in the face of emerging threats. Recognizing the unique nature of our location on the Hawaiian Islands in the middle of the Pacific, we also understand the importance of collaboration and alignment of critical infrastructure protection among military, state government, commercial and public stakeholders. A comprehensive approach needs to include innovative capabilities, a thorough analysis of operational dependencies, and the organizational collaboration required to protect critical capabilities. In this session, we will discuss our innovative approach to developing a holistic cyber security approach for critical infrastructure and share a case study to help you think differently about your own approaches to security.
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real... (EnergySec)
Innovative and disruptive technologies are enhancing and invading our traditional industrial business model. Future organizations will need more data to operate efficiently and succeed in the brave new interconnected world. The diversity of new technologies and data will fuel more diversity in business opportunity. Everyone expects more OT, more IoT, and more IT – and all of it is supposed to be highly reliable and secure. These factors (and more) lead to a landscape shift for the mission-critical cybersecurity risk profile.
In this session, hear ways to recognize the problems and gain some clarity on possible solutions through historic lessons, made up words, and practical front-line experience.
Lessons Learned for NERC CIPv5 Compliance & Configuration Change Management (EnergySec)
The NERC CIPv5 deadline is fast approaching, and it’s not too late to be prepared. Join Mark Prince, Manager Operational Technology Fossil, from Entergy, Karl Perman, VP Member Services from EnergySec and Tim Erlin, Director from Tripwire to discuss achieving and maintaining NERC CIPv5 compliance in a fossil generation plant. We’ll cover some of the challenges that Entergy has experienced in their NERC CIPv5 compliance journey. Specifically, we will discuss configuration change management and how to leverage technologies for these requirements and consider what life would be without them.
Explore the Implicit Requirements of the NERC CIP RSAWs (EnergySec)
Regulated entities should consider the RSAW templates when preparing evidence of compliance with the NERC CIP Standards. There are a number of implicit requirements in CIP v5 which an entity needs to fulfill to be compliant, which are not specifically identified in the actual requirements.
In this webinar, our experts will discuss such implicit requirements. Key learnings from this session:
RSAW format
Implicit requirements of CIP RSAWs
Leveraging technology for RSAW management
Wireless Sensor Networks: Nothing is Out of Reach (EnergySec)
Presenter: Daniel Lance, Layered Integration
After years of installing wireless sensor networks in homes and businesses, we are now faced with a question: "How is this all secure? Or is it?" This is a look into WSN (Wireless Sensor Network) history and the original design concepts that paved the road to our using these in everyday life.
This presentation will be a deep dive into wireless and will reveal the new challenges we face in protecting our perimeter when all of our core monitoring devices are riding a wave into the public space, as most industrial control providers look to capitalize on fast installation times and inexpensive adaptive solutions. This research shows, start to finish, how anyone with a laptop and an SDR (Software Defined Radio) can hack into and take control of WSNs from outside the front gate.
The presentation will demonstrate how a device inside your facility might reveal itself through spectrum analysis, then how a hacker might flank the security of the device and own the network with very simple replay attacks that can grant them physical access, and how social engineering before and after installation will cause you to disregard warning signs that someone is tampering with the network. A high-level understanding of radio is no longer needed for packet analysis with open source tools, and proper implementation has never been more important, as even an encrypted device can be compromised in the last mile before installation. We will talk about the tools security professionals are lacking from the manufacturers of these devices to scan for a compromised device, and what can be done in the future to protect WSNs.
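The replay attacks the abstract describes work because a sensor frame that carries no freshness and no authentication is accepted however many times it is heard. The block below is an added example, not part of the talk or of any vendor's firmware: it contrasts a receiver that accepts any well-formed frame (a captured "unlock" replays cleanly) with one that binds each frame to a per-device key and a strictly increasing counter under an HMAC, so the same bytes are rejected the second time and a forged frame is rejected outright. The frame layouts, the device id, the command byte and the key are assumptions made for the example.

```python
"""Replay protection for a wireless sensor frame: naive receiver vs. authenticated receiver."""
import hashlib
import hmac
import struct

# Constructed per-device key; in a real deployment it is provisioned at install time.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CMD_UNLOCK = 0x01          # assumed command byte for this example
TAG_LEN = 16               # HMAC-SHA256 truncated to 128 bits
BODY_LEN = 7               # 2-byte device id + 1-byte command + 4-byte counter


def build_naive_frame(device_id: int, command: int) -> bytes:
    """Assumed legacy layout: device id, command, and nothing that proves freshness."""
    return struct.pack(">HB", device_id, command)


class NaiveReceiver:
    """Accepts any syntactically valid frame, so a replayed capture is indistinguishable."""

    def handle(self, frame: bytes) -> bool:
        _device_id, command = struct.unpack(">HB", frame)
        return command == CMD_UNLOCK


def build_auth_frame(device_id: int, command: int, counter: int, key: bytes) -> bytes:
    """Assumed hardened layout: id, command, 4-byte monotonic counter, then a MAC over all of it."""
    body = struct.pack(">HBI", device_id, command, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthReceiver:
    """Verifies the MAC, then enforces a strictly increasing counter per device."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys
        self.last_counter: dict[int, int] = {}   # would be persisted across reboots in practice

    def handle(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        device_id, command, counter = struct.unpack(">HBI", body)
        key = self.keys.get(device_id)
        if key is None:
            return False                              # unknown device
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False                              # forged or corrupted
        if counter <= self.last_counter.get(device_id, -1):
            return False                              # replayed or stale frame
        self.last_counter[device_id] = counter        # only advance after the MAC checks out
        return command == CMD_UNLOCK


if __name__ == "__main__":
    captured = build_naive_frame(0x1234, CMD_UNLOCK)
    naive = NaiveReceiver()
    print("naive: first", naive.handle(captured), "replay", naive.handle(captured))

    rx = AuthReceiver({0x1234: DEVICE_KEY})
    frame = build_auth_frame(0x1234, CMD_UNLOCK, 1, DEVICE_KEY)
    print("auth: first", rx.handle(frame), "replay", rx.handle(frame))
```

Two caveats follow directly from the abstract. The counter check only helps if the receiver remembers the last value across power cycles; a receiver that resets to zero reopens the replay window. And the MAC is only as good as the key, which is exactly the "last mile before installation" the talk warns about: a device whose key was read or substituted in the van on the way to site passes every check here.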
Presenter: Mikael Vingaard, EnergiNet.dk
The goal of having a honeypot (a fake "vulnerable" IT system or service) is to learn more about your attackers and the methods they will use to breach your ICS/SCADA systems. But how can the energy sector actually benefit from using a honeypot?
Danish information security researcher Mikael Vingaard has used various free open source software packages to deploy ICS/SCADA honeypot systems, and will share his experiences from the research and present interesting findings from the collected information.
The talk will discuss the pros and cons of honeypots, how to use honeypots as an early-warning system, and add some interesting points on using honeypot systems as seen from the energy sector.
The presentation will showcase that gaining access to actual ICS threat intelligence can be done – even in budget constrained organizations.
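The early-warning value of an ICS honeypot comes from one observation: nothing should ever write to a decoy, so the function code of each request is already most of the triage. The block below is an added example, not Mikael Vingaard's tooling or any of the open source honeypots he used: it parses Modbus/TCP requests (framing per the public protocol specification) and assigns a severity, with reads as noise, identification queries as reconnaissance and writes as the signal worth paging on. The severity mapping, the sample frames and the source addresses are constructed for this example; a real honeypot would feed the bytes in from a listening socket.

```python
"""Minimal Modbus/TCP honeypot triage: parse requests and flag the ones that matter."""
import struct
from typing import Optional

# Public Modbus function codes. Writes change device state; on a decoy no one legitimately writes.
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
RECON_FUNCS = {17: "Report Slave ID", 43: "Read Device Identification"}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(frame: bytes) -> Optional[dict]:
    """Return the parsed request, or None if the bytes are not a well-formed Modbus/TCP ADU."""
    if len(frame) < MBAP_LEN + 1:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    # Protocol id is always 0 for Modbus; 'length' counts unit id + PDU, so it must match the tail.
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}


def classify(req: dict) -> tuple:
    """Map a parsed request to (severity, description); the mapping is this example's assumption."""
    func = req["func"]
    if func in WRITE_FUNCS:
        return "high", WRITE_FUNCS[func]
    if func in RECON_FUNCS:
        return "medium", RECON_FUNCS[func]
    if func in READ_FUNCS:
        return "low", READ_FUNCS[func]
    return "medium", f"unknown/vendor function 0x{func:02x}"


def triage(events: list) -> list:
    """events: list of (source ip, raw frame). Returns one alert record per event."""
    alerts = []
    for src, frame in events:
        req = parse_modbus_tcp(frame)
        if req is None:
            # Malformed traffic against a decoy is usually a scanner or a fuzzer; still worth a record.
            alerts.append({"src": src, "severity": "medium", "what": "malformed frame", "func": None})
            continue
        sev, what = classify(req)
        alerts.append({"src": src, "severity": sev, "what": what, "func": req["func"]})
    return alerts


def build_request(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic as a honeypot might capture it (documentation-range source addresses).
SAMPLE_EVENTS = [
    ("198.51.100.7", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),           # read 10 holding registers
    ("198.51.100.7", build_request(2, 1, 43, bytes([0x0E, 0x01, 0x00]))),          # device identification
    ("203.0.113.9", build_request(3, 1, 6, struct.pack(">HH", 0x0010, 0xFFFF))),   # write a register
    ("203.0.113.9", b"\x00\x04\x00\x01\x00\x02\x01\x03"),                           # protocol id 1: malformed
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f'{alert["severity"]:<6} {alert["src"]:<14} {alert["what"]}')
```

The point the example makes in code is that a budget-constrained honeypot does not need signatures to be useful: the protocol's own semantics tell you which visitor merely looked and which one tried to change a setpoint, and the second source address in the sample is the one to correlate against your real network.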
Presenter: Mike Firstenberg, Waterfall Security Solutions
NIST, NERC CIP, the ISA/IEC and other authorities are adjusting their advice for secure industrial networks to include at least one layer of hardware-enforced unidirectional communications. Many security practitioners are familiar with specific applications of Unidirectional Security Gateway technology, but fewer have seen how widely the technology is being deployed throughout the electric sector.
Join us to review comprehensive unidirectional network architectures for generation, transmission, distribution, high-voltage substations, and control centers/TSO’s/balancing authorities. In each vertical we review use cases, examine NERC CIP compliance implications and cost savings, and compare the strength of each architecture with legacy firewall-based designs.
NERC CIP Version 5 and Beyond – Compliance and the Vendor's Role (EnergySec)
Presenter: Joseph Loomis, Southwest Research Institute (SwRI)
Asset owners face challenges as they strive to implement the NERC CIP v5 requirements. Meeting the requirements often requires documentation and technical knowledge of how an asset operates that can only be provided by a vendor. Vendors, likewise, may be unclear about how the NERC CIP requirements affect them, and are unsure how to meet the technical requirements. In this presentation we detail the lessons learned from a recent project in which SwRI worked with a vendor to determine how the requirements apply to them and what the vendor needs to have in order to support an asset owner in an audit.
Industrial Technology Trajectory: Running With Scissors (EnergySec)
Presenter: Patrick Miller, EnergySec (President Emeritus)
Innovative and disruptive technologies are enhancing and invading our traditional industrial business model. Future infrastructure organizations will need more data to operate efficiently and succeed in the brave new interconnected world. The diversity of new technologies and data will fuel more diversity in business opportunity. Everyone expects more OT, more IoT, and more IT – and all of it is supposed to be highly reliable and secure. These factors (and more) lead to a landscape shift for the industrial cybersecurity risk profile. In this session, hear ways to recognize the problems and gain some clarity on possible solutions through historic lessons, made-up words, and practical front-line experience.
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A... (EnergySec)
Presenters: Robert Landavazo, PNM Resources and Katherine Brocklehurst, Tripwire
With countless hours of work to go, PNM was far from ready for its coming audit in just 18 months. Confidence in its existing manual and incomplete security controls was at an all-time low, and it had no visibility into control center environments with which to quantify its status and progress towards compliance.
With Tripwire, PNM’s preparation of the looming CIPv3 audit noticeably improved. With efficient reporting and automation, PNM’s now positioned to hold itself accountable for CIP auditable compliance of more than 3,500 explicit and supporting control points, satisfying CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3 and CIP-009-3. In addition, enhanced visibility and better control gave PNM the ability to effectively communicate meaningful and measurable initiatives to executive teams – resulting in increased support for their funding needs.
In this session, PNM – New Mexico’s largest electricity provider – will share a case study on its journey towards achieving continuous NERC CIP compliance despite a highly limited headcount, how it saved countless hours of labor-intensive manual effort, and the essential role that automation played in its success.
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C... (EnergySec)
Presenter: David Zahn, PAS
Industrial control systems represent the brass ring for hackers who want to disrupt plant operations and negatively impact safety and productivity. The problem for cybersecurity professionals is that plants have highly vulnerable proprietary control systems where configuration data is not visible via standard WMI or SNMP calls. Yet, it is this same configuration data, such as I/O cards, firmware, installed software, and more, that hackers work hard to attain as it aids them in gaining control over industrial systems within plants.
As the saying goes, “you can’t manage what you can’t measure.” Taking inventory of this hidden configuration data and doing so for all control assets is difficult. Plants as a result fall short of achieving centralized, automated inventory – a cybersecurity best practice and a necessary precursor to effective change management. So how do you address change management when important security data is kept locked within each vendor’s distributed control systems, programmable logic controllers, and remote terminal units?
In this session, we’ll explore the types of inventory data that comprise a best practices cyber security plan. Next, we will dive into cost effective, accurate automation opportunities for inventory discovery and maintenance of heterogeneous proprietary and non-proprietary control assets. Finally, we’ll present a case study for implementing best practices for hardening ICS cyber security and automating management of change.
Agenda:
Building and Maintaining an Accurate ICS Inventory
Best Practices in Inventory Automation
Case Study
Where Cyber Security Meets Operational Value (EnergySec)
Presenter: Damiano Bolzoni, SecurityMatters
What if cyber attacks were not the most prominent threat to industrial networks and systems? Although malware is still a major point of interest, the sword of Damocles for industrial networks is represented by insider threats such as system misuse performed by disgruntled employees, contractors and vendors, unintentional operator mistakes, as well as network and system misconfiguration and uncontrolled configuration changes; all this could lead to the divergence or failure of critical processes.
In this talk we reshape the concept of ICS security and demonstrate through case studies in different critical infrastructure sectors that the real value of industrial network monitoring goes beyond the detection of cyber attacks: above all it includes the need to maintain awareness of network and process operations and to obtain actionable intelligence that allows operators to preserve their overall health. We will show how the use of innovative network monitoring approaches can support security, operations, and network managers to:
Gain IT visibility of OT networks and full situational awareness of the network and process
Detect complex and advanced cyber attacks against industrial networks
Mitigate operational mistakes and misconfiguration
Presenter: Chris Sistrunk
Why haven’t we seen more ICS-focused attacks? Perhaps it’s because we’re not looking for them. The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available.
In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation looks at using NSM as part of an incident response strategy in ICS, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS cyber security program.
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ... (EnergySec)
After a brief introduction by Mr. Humphreys, Henry Bailey will talk a few minutes about SAP’s roadmap for utilities. This will be followed by a discussion led by Chris Humphreys about the evolutionary transition from disparate point solutions to enterprise-wide, end-to-end, Regulation Management where controls are consolidated and leveraged such that compliance is a byproduct of industry best practices. Finally, Mr. Rice and Chris Humphreys will end the hour with a presentation expanding on the concept of controls consolidation and compliance as a byproduct focused on NERC CIP Ver 3-5 and NIST transitional capabilities of Regulation Management.
Industry Reliability and Security Standards Working Together (EnergySec)
It’s never too early to start thinking about where the standards are going and where your program should be heading. This presentation will discuss how energy organizations should consider furthering alignment to NIST 800-53 Rev 4; focusing on security maturity opportunities such as threat management; addressing third parties and vendors and developing processes to help satisfy control-based security objectives.
What the Department of Defense and Energy Sector Can Learn from Each Other (EnergySec)
This presentation will discuss how the Department of Defense executes its critical infrastructure protection program, where it intersects with energy sector CIP efforts and what we can learn from each other.
Third Party Security Testing for Advanced Metering Infrastructure Program (EnergySec)
In July 2010, BC Hydro, the electric utility and grid operator of British Columbia began implementation of its AMI program, formally known as the Smart Meter & Infrastructure (SMI) program. The SMI program transformed BC Hydro from a traditional metering utility to a smart metering utility by implementing smart meters on the customer service points. It was the first step in the smart grid transformation.
The SMI program required the introduction of many new devices and applications into BC Hydro’s infrastructure. Some of these had never been deployed before anywhere in the world. Many were field deployed, outside of BC Hydro’s physical security perimeter.
The SMI Security Delivery Team was formed to deliver on these commitments and to take responsibility for the end to end security of the SMI program. The Team implemented a multi-pronged approach to securing SMI including security risk assessments, security penetration testing by the team, design reviews, whole project risk assessments and third party security penetration testing.
A standards based approach was required to ground the test plan both in best practice and in a common set of principles that BC Hydro and its vendors could accept. The Advanced Metering Infrastructure (AMI) Risk Assessment document prepared by the Advanced Metering Infrastructure Security (AMI-SEC) Task Force was used as a basis for the test plan. This document has since been passed to the National Institute of Standards and Technology (NIST) Cyber Security Working Group and was integrated into NIST IR 7628. NIST IR 7628 contains a comprehensive list of possible threats to AMI systems.
The program was highly successful. Test results informed BC Hydro’s deployment decisions and allowed the manufacturers to improve their products. Lessons were learned about how best to conduct third party security testing. A full lessons learned section is included in the presentation.
Beyond Public Private Partnerships: Collaboration, Coordination and Commitmen... (EnergySec)
The industrial cybersecurity landscape is complex and formed by very different actors (industrial organizations, critical infrastructures, EPC companies, industrial and cybersecurity vendors, consultancy companies, integrators, academia, public bodies and governments), with very different interests, objectives and maturity levels, even internally within each organization, so there is no way to go it alone in protecting these industrial and critical infrastructures adequately. Interdependencies, multidisciplinarity, multiple supply chains and the lack of a common reference make the task of advancing in the right way even more complex.
Public Private Partnerships (PPP) are recognized as a key aspect of improving Industrial Cybersecurity and Critical Infrastructure Protection, but a PPP is usually a formal and structured way of communication and collaboration between organizations that is not necessarily followed by the persons in charge of, or part of, those organizations.
In this presentation, we are proposing a new concept: C3R, “Collaboration, Coordination and Commitment based Relationships”, as the base for building a global community for protecting our Industrial and Critical Infrastructures and explaining the keys of the success of such an approach.
Mr. Feldman will lead us on a path to help us think about the “Sea Changes” happening in the energy sector from a strategic perspective, including the implications for energy companies and for cybersecurity from a Board of Directors governance viewpoint. This will include a future-direction concept addressing suggestions on where regulators such as NERC should be heading with regard to security and other associated issues, to feed your thoughts.
The informative and entertaining discussion is presented by a 26 year military and law enforcement veteran and former federal counterterrorism operative (now working as a state law enforcement agent responsible for critical energy infrastructure protection), and details the emergence of Red Cell activities and Red Teaming as a valuable form of alternative assessment for use in securing the American energy grid. A widely accepted and established practice in military and intelligence circles, Red Teaming is slowly moving into law enforcement and the private sector, and is now being utilized as a key vulnerability and threat assessment tool by state law enforcement agencies, Fortune 500 companies, and national laboratories.
The presentation features actual case studies and explains the key reasons energy producing organizations should utilize Red Teaming, including the avoidance of groupthink, complacency reduction, eliminating information silos, collective sense-making, addressing the correctly balanced approach to high impact/low frequency (5 sigma) events, and the integration of CIP compliance into a realistic physical security posture.
The brief outline details the key questions answered by Red Cell exercises: What do our adversaries want, how will they try to meet their goals, and how do we most effectively stop them? Attendees will become familiar with the basic techniques utilized in Red Teaming, including interdisciplinary teams, structured analysis, and physical exercises/penetration testing. Finally, the presentation provides a brief after-action report detailing the Red Cell Exercise conducted by the SC Public Service Authority in November 2013. That exercise addressed dam/dike sabotage, criminal targeting, executive safety, terrorism (domestic and transnational), insider threats, physical attacks on energy grid infrastructure, and workplace violence.
5.
WHAT IS A “ZERO-DAY”

FEBRUARY
Su Mo Tu We Th Fr Sa
01 02 03 04 05 06 07
08 09 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 01 02 03 04 05

It’s easier than you might think, but you might be looking in the wrong places, the wrong way, and if you blink you could miss it in some special instances.
Can you find one?
Not the 29th
Too busy, 5th
9th Monday ehh
21st seems good

”Who cares, that’s just a DEF CON term”
”Think the news was using it”
”Was part of Stuxnet and we’ve scanned for it”
”Why did all of the PLCs go offline then back?”
Above is the list of reasons why anyone might not be familiar with a cyber security researcher: there are few of us, and we don’t get introduced until people put on sad faces.
7.
@DanielCLance
Twitter
I wasn’t looking but found something
The Tech
Start to notice a trend in the technologies developers are using to promote new products.
8.
I wasn’t looking but found something
Funny feeling
Event horizon: the go/no-go point for any good guy or bad guy, the moment you can’t pass something up that you know, or have a great feeling, about.
9.
Approach Tactic
Analogous path completion:
Company who uses
Company who adds to
Company who works on
Customer (end user)
Service provider
Company who develops
Weighing analysis: there isn’t a right answer or a wrong one, but picking the lesser-evil path if possible is advised and more often easier.
10.
Planning: Is there a way of telling all parties involved what the issue is and what milestones will escalate this effort?
Promotion: Is this going to be something loud? What is the current reputation of the target, and how will a vulnerability force change?
Research: Who are we really looking at, and why? You can waste a ton of time contemplating who and what to peek into.
Review: Bounce ideas off other people in the industry. Use the kind of detail that protects the idea from harming the public.
11.
Size: Knowing the target’s “size” can tell you a little about possible reactions to your findings. They might not be a good target.
Relationships: Is there a win-win that can be found in working with one target over another? Customers demanding change works.
Industry Target: Is this issue going to affect only one major player, or will it affect all of them, and in what way?
12.
Strategic: Is this really the best use of time? How mission critical is the issue? Ask this throughout the research.
Loyal: Do we have a way to see the issue through to the end? Is the body of work going to require any long-term funding?
Honest: Can the data collected about the target be a risk to the researcher, and when do you stop?
Respectful: Are there relationships at play that might affect the company you work for and the target?
Accomplishment: What do we show to the public when we show the capability of working on a particular set of equipment?
Energetic: What is the speed of approach, based on any possible past experiences with the target?
14.
Reporting Method
CERT use
Public disclosure
Personal risk
Mitigation with affected parties
Private disclosure
Weighing analysis: there isn’t a right answer or a wrong one, but picking the lesser-evil path if possible is advised and more often easier.
15.
Approach Tactic
The two forks are optional, but the center is the integrity of approach and must always be done.
Optional | Required | Optional
16.
INVESTIGATE
This can all be very useful later if you have to write a vulnerability report.
Websites: What all are they showing on their website? Are they talking about the technology as a new innovation?
Way-back Machine: What did they show the public in the past? Can this be used against them?
Shodan: See how people are using the technology and whether it already shows up in the public space.
YouTube: Many companies use video as a training tool. How can this be used against them?
17.
FISHING IN THE DARK
This is a very light assessment of the public perception of the company and isn’t always needed at this point in the process. This information can be used to help the vulnerability report.
Service Process: What tools are used to service the technology itself? What service do they do?
RMA Process: How do they handle returned product? Can I get an exploit in to them that way?
Career Center: How do I stack up against what they are looking for? Build an account, apply.
Photos of Controls: Everyone wants to show off. Show me your network operations center (NOC).
18.
READ THE MANUAL
When an engineer writes the manual they tend to over-inform you for the task at hand. Use this to your advantage.
You would be shocked how much you will find: hardcoded passwords left in, default passwords left in with no way to change them in the manual.
19.
WEBSITE
Downloading / Looking
Why wait so long?
There wasn’t a password to download manuals and firmware; the manuals had directions to all of the tools needed to service and break the device. They even had directions on how to build the parser they use, and that happened to be a stock parser. Then they showed you how to upload new calibration files, and even gave me fake telemetry to test with.
20.
CLARIFY
Collect all of your findings and package them up so they are easy to understand for anyone reading. Then encrypt the hell out of it; at this point it should be clear you have something that could be critical to humans on the other end of the technology.
SUGGESTIONS
Basic security practices: This attack was done without having the physical device. If they had protected some of the things we covered, this wouldn’t have been possible to uncover.
Full network segmentation: This is really more of a mitigation and not a long-term fix.
Recall any devices that are used for mission critical: Rarely done in the real world, but serves as a way of saying this is a major issue.
VULNERABILITY
Unauthenticated command and control: The sweetest words. You could remotely blow away the firmware on the device and even install applications of your own.
Network level command and control: Not a worst-case scenario; most of the time this is a quick fix. But in this case the device could be spoofed on the network, so it was a big issue.
21.
SEND TO THE CORRECT PARTIES
This is the easiest part to mess up. You want your work to be taken seriously, so write it up professionally: say what you mean and mean what you say, or the report won’t be taken seriously by any developer.
Submit: ICS-CERT and US-CERT both lack a formatting rule for submitting new reports.
Format: Start with company background and the industries affected. Then a narrative explaining the issue at a high level. Close with technical detail. Proof-of-concept is always good to include; this is where that pre-research will come in.

I am contacting you both as this product is used in both consumer products and ICS, the vendor claims.
Velodyne LiDAR, Inc.
Velodyne’s three flagship products, the HDL-64E, HDL-32E, and the PUCK, suggest they are used for:
Automotive
UAV
Mapping
Automation (ICS)
Robotics
Security (Ironic)
Urban Planning
Agriculture
Mining
R&D
Topography
Geology
HDL-64E, HDL-32E, and the PUCK (AKA VLP-16) all make use of packet captures to relay telemetry in plain text from the sensor to the server. The server will make a logical determination based on the telemetry; this could be leveraged to, in the case of an automobile, tell the server (CPU) in the system that the sensor or vehicle has a wall in front of it. They’ve employed an embedded web server that doesn’t require authentication to access and update both firmware and calibration files for the lasers. If an attacker can gain network level access at any point they can modify the firmware and calibration files and remove any forensic evidence in the process. With very little effort an attacker could access the GPS data also collected in some configurations of the sensor and launch a replay attack, replaying telemetry from the sensor itself at plus or minus a given latitude and longitude. Sample .pcap files can be found at http://midas3.kitware.com/midas/community/29 for testing. Some of the documentation that is public also shows you how they parse the data.
Additionally, if an attacker is on the network, all they need to do is launch an attack at a given telemetry and control what the vehicle (for our example) can see live, thus allowing them to steer the vehicle if an attacker has command and control of a network enabled device.
The official vulnerability of this system:
Unauthenticated command and control with network level command and control lacking basic security practices.
Suggestions:
Full network segmentation. Recall any devices that are used for mission critical, or could present a health and welfare risk to users and/or bystanders, until basic security practices can be implemented.
http://velodynelidar.com
http://velodynelidar.com/downloads.html
Firmware, manuals, and software are all free to download. Suggest user authentication here.
P.S. https://www.youtube.com/watch?v=wUfHadExvs8 (Proves a good deal of the claims above in the promo video)
You can give them my name; our goal at Archer is to strengthen critical infrastructure through a collaborative effort with affected vendors. Please keep me updated so I may be of service when needed.
Thank you,
Daniel Lance
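The report above describes two defects on the telemetry path: frames are accepted in plain text, and a captured frame can be replayed. As an added example (not Velodyne’s or Archer’s code), the following shows the "basic security practices" fix that the report's suggestions point at: a constructed frame layout, the receiver that trusts every well-formed frame, and a receiver that authenticates each frame with an HMAC and rejects replays using a monotonic sequence counter. The frame format, key and sample values are all assumptions made for the demonstration; key provisioning is out of scope.

```python
"""Replay-resistant sensor telemetry: added example, not the vendor's code."""
import hashlib
import hmac
import struct

# Constructed frame layout (assumption, not the real sensor wire format):
#   uint32 sequence counter, float32 range in metres, float32 azimuth in degrees.
FRAME_FMT = "<Iff"
FRAME_LEN = struct.calcsize(FRAME_FMT)
TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag appended to each frame


def pack_plain(seq: int, range_m: float, azimuth_deg: float) -> bytes:
    """Plain-text frame as the report describes it: no integrity protection."""
    return struct.pack(FRAME_FMT, seq, range_m, azimuth_deg)


def plain_receiver(frame: bytes) -> dict:
    """Vulnerable receiver: any well-formed frame, old or forged, is believed."""
    seq, range_m, azimuth_deg = struct.unpack(FRAME_FMT, frame)
    return {"seq": seq, "range_m": range_m, "azimuth_deg": azimuth_deg}


def pack_authenticated(key: bytes, seq: int, range_m: float, azimuth_deg: float) -> bytes:
    """Frame followed by HMAC-SHA256(key, frame); the counter is inside the MAC."""
    body = pack_plain(seq, range_m, azimuth_deg)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Hardened receiver: verifies the tag, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1          # highest sequence number accepted so far
        self.rejected: list[str] = []  # audit trail of why frames were dropped

    def accept(self, msg: bytes):
        if len(msg) != FRAME_LEN + TAG_LEN:
            self.rejected.append("length")
            return None
        body, tag = msg[:FRAME_LEN], msg[FRAME_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(tag, expected):
            self.rejected.append("bad_tag")
            return None
        seq, range_m, azimuth_deg = struct.unpack(FRAME_FMT, body)
        # A replayed capture carries an old counter and is dropped here.
        if seq <= self.last_seq:
            self.rejected.append("replay")
            return None
        self.last_seq = seq
        return {"seq": seq, "range_m": range_m, "azimuth_deg": azimuth_deg}


def demo():
    """Constructed scenario: three live frames, one replay, one tampered frame."""
    key = b"constructed-demo-key-not-for-production"
    rx = AuthenticatedReceiver(key)
    # Live frames: an obstacle closing in, 11.5 m, 10.5 m, 9.5 m (exact in float32).
    frames = [pack_authenticated(key, i, 12.5 - i, 90.0) for i in range(1, 4)]
    accepted = [rx.accept(f) for f in frames]
    # Replaying the first capture (the "wall ahead" reading) is rejected: stale counter.
    replay = rx.accept(frames[0])
    # Rewriting the range in frame 3 while keeping its old tag is rejected: bad tag.
    tampered = bytearray(frames[2])
    tampered[4:8] = struct.pack("<f", 0.1)
    forged = rx.accept(bytes(tampered))
    return accepted, replay, forged, rx.rejected


if __name__ == "__main__":
    acc, rep, forg, why = demo()
    print("accepted seqs:", [a["seq"] for a in acc])
    print("replay:", rep, "forged:", forg, "rejections:", why)
```

The plain receiver has no state and no tag, so the same replay and the same edited frame both pass through it unchanged; that contrast is the whole point of the counter-plus-MAC framing.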
22.
VULNERABILITY DISCLOSURE POLICY
Identifying a vulnerability is easy; taking care of the vulnerability so your work betters the overall health of an industry is often the hard part. And reading vulnerability disclosure policies around the industry proves how most aren’t cut out for the job of security research.
OTHERS: “As of 1 Sept 2011 the other elements of our disclosure policy, see below, are no longer in effect. We will decide what we want to do with any vulnerability. We may disclose it to the vendor; we may disclose some or part of it publicly; we may disclose only to our affected customers; we may keep it to ourselves for future use; or we may do something else.”
ARCHER LABS: “Our goal at Archer is to strengthen critical infrastructure through a collaborative effort with affected vendors. Please keep us updated so we may be of service when needed.”
23.
MALWARE IN A NUTSHELL
Malicious Software: “Generally, software is considered malware based on the intent of the creator rather than its actual features.” -pctools.com-
Dynamic Attack Surface: “Code should be classified from its behavior alone.” -Daniel Lance-
24.
Where do these people come from?
Becoming a security researcher?
Former coder, a hacker, a programmer, a developer, and a computer scientist.
26.
Hat Trick
White, Black, Gray, and everything between?
BAD GUYS: Typically use their skill for some type of personal gain or agenda.
GOOD GUYS: Use their skill for penetration testing and implementation.
GRAY GUYS: They are everywhere you want to be, and typically where you need them.
28.
1903: Nevil Maskelyne disrupts John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector.
1932: The Enigma cipher machine, a family of portable cipher machines with rotor scramblers, broken by Polish cryptologists Marian Rejewski, Henryk Zygalski and Jerzy Różycki.
1943: IBM punchcard. French computer expert René Carmille hacked the punched cards used by the Nazis to locate Jews.
1957: Joe Engressia finds that a frequency of 2600 Hz would interact with AT&T's implementation of fully automatic switches.
1960s: Phreaking boxes, used to interact with automated telephone systems.
1980: National CSS employee revealed the existence of his password cracker.
29.
MORAL HAZARD
You have to wonder if we are mature enough for the technology we choose to use.
1981: The New York Times describes hackers for the first time as we all have come to know them.
1995: Pop culture. The movies The Net and Hackers are released.
1999: Windows 98. Hundreds of advisories and patches are released.
2010: Malware. Stuxnet; the first malware conference, MALCON; intellectual property theft from Google.
2016: $17,000 ransom. A hospital pays a ransom to get its computers back.
31. Is there an obvious difference?
"From the time you get in your car for your morning commute, to the time you walk through your door at the end of the day, you make decisions about your security"
-Daniel Lance (Ripely Stole This)-
Forensic vs Clinical
32.
The Best We've Got In ICS
Working with ICS-CERT
Report
The complete report gets sent in via encrypted email; sometimes other encrypted files get sent as well. Weighing analysis done, report is done. Everything in the report is now TLP RED to us.
33.
Report Reviewed
The good folks at ICS-CERT review and send any comments back with a ticket number. This next part takes forever; you wait for a whole Siberian winter to pass before getting another email.
Vendor
ICS-CERT will let you know your report is in the hands of the vendor.
34.
Learn To Play Darts
Then you get another email saying they are "still working to verify claims", or maybe you get a question or two [but still learn darts].
35.
Disclosure
Zero-days matter because we are all affected in some way. Picking the appropriate timing can be key to an effective disclosure.
Patch or quit time. After an appropriate time period you'll know the kind of action the vendor will take.
36.
patch or quit
Timeline For Disclosure (chart axis: Nov through Oct, 2015)
Disclosure Requires Vendor
To follow a proper disclosure path the vendor must take the time to work with research and want to fix the issues. If they don't want to play kickball, we play dodgeball.
Milestones: Report Sent; Assigned Ticket; Vendor Verification; Drop Dead Date 100%; Full Disclosure; Public with customer outreach.
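The ICS-CERT path and the "patch or quit" timeline above, modelled as a small tracker. This is an added example, not code from the talk or from Archer Labs; the 90-day drop-dead window, the 30-day "Siberian winter" nudge, and the report label are assumed values, since the slides give no numbers.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Milestones from the disclosure timeline slide, in order. "patch_released" is the
# "patch" branch of "patch or quit"; reaching the drop-dead date is the "quit" branch.
MILESTONES = ("ticket_assigned", "vendor_verification", "patch_released", "full_disclosure")


@dataclass
class Disclosure:
    """Tracks one report through the ICS-CERT coordinated-disclosure path."""
    report_id: str                 # constructed label, not a real ticket or CVE number
    report_sent: date              # day the encrypted report went to ICS-CERT
    deadline_days: int = 90        # assumed drop-dead window; the slides give no number
    events: dict = field(default_factory=dict)

    def record(self, milestone: str, when: date) -> None:
        """Log a milestone; rejects unknown milestones and dates before the report."""
        if milestone not in MILESTONES:
            raise ValueError(f"unknown milestone: {milestone}")
        if when < self.report_sent:
            raise ValueError("milestone cannot precede the report")
        self.events[milestone] = when

    def drop_dead_date(self) -> date:
        return self.report_sent + timedelta(days=self.deadline_days)

    def days_remaining(self, today: date) -> int:
        return (self.drop_dead_date() - today).days

    def last_activity(self) -> date:
        return max(self.events.values(), default=self.report_sent)

    def needs_follow_up(self, today: date, stale_days: int = 30) -> bool:
        """True when the case is still open and nothing has happened for stale_days."""
        if self.status(today) in ("patched", "disclosed"):
            return False
        return (today - self.last_activity()).days >= stale_days

    def status(self, today: date) -> str:
        """Current stage; past the drop-dead date with no patch means full disclosure."""
        if "full_disclosure" in self.events:
            return "disclosed"
        if "patch_released" in self.events:
            return "patched"
        if today >= self.drop_dead_date():
            return "drop-dead: full disclosure with customer outreach"
        if "vendor_verification" in self.events:
            return "vendor verifying claims"
        if "ticket_assigned" in self.events:
            return "waiting on vendor"
        return "waiting on ticket"
```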
37. Vendor, Customer, Public and I
Disclosure role play
Right side of the room: How would you handle escalating the process, or would you?
Left side of the room: Would you want to know about the issue from the vendor or from me, the researcher?
Public: Everyone who has an opinion.
39.
Hacker Motivations
White Hat Hackers
State Sponsored Hackers
Spy Hackers
Security Researcher
Black Hat Hackers
Script Kiddies
Hacktivists
Cyber Terrorists
40.
DEGREES OF HACKING
State Sponsored Malware
Militarized code
Think OS-level attack code. This is the stuff most real "Zero-Days" are made of.
Custom attack
They've installed something and left the default passcode in or a port open.
Implementation
Tools are already made; they are just making use of what's around.
Penetration
41.
ARCHER'S CONTRIBUTION
Free research given to critical infrastructure. All will publish before the end of the year.
Could represent 21% of all advisories for ICS-CERT in 2016. In 2015 the number of reported vulnerabilities was 142*.
Chart (counts by category, as extracted): 29+, 3, 6, 13 across Applications, Sensors, PLC's, Industries.
*Based on Advisories By Vendor coded as a "15"
42.
CLOSING PATH
Build an Ark: Go medieval on malicious code.
You'll be hacked: Accept that and move on.
Hire blue team: Start using firewalls how they were meant to be used.
Hire a researcher: Find problems, not solutions.
Use carrier pigeons: Stop using email.
Isn't everything owned: Go with the masses, pay bounties.
Hold BEER-ISAC: Have a beer and talk about those damn hackers.
Baseline everything: Blow away everything and always start from scratch.
Where do we go from here?