Regent CyberSecurity Summit | 2.15.18

This morning I attended the Cyber Security Summit ’18 at Regent University.
It included Kevin Mitnick, Ian Green, Roy Zur, Steve Abrahamson, Brian DeMuth & Ryan Leirvik, and others.

It was a pretty awesome experience.

I have attached my notes for this summit below.

Agenda:

Session 1
8:30a.m. – 11:30a.m | Regent Theatre

8:30am – Dr. Gerson Moreno-Riano | Vice President for Academic Affairs | Regent

8:35am – Ian Green | Engineering Manager, Security & Privacy, Detection & Response | Google
Cyber Security Summit Keynote and Q&A

9:15am – Roy Zur | Founder & Chief Executive Officer | Cybint
Cyber Safe City of the Future
Keynote Address

Panelists:
Jon Green | VP & Chief Tech for Security | Aruba | Hewlett Packard Enterprise
Robert R. Cochran | Supervisory Special Agent | FBI

10:10am – Steve Abrahamson | Senior Director, Product Security | GE Healthcare
Cybersecurity and Healthcare Technologies
Keynote Address

Panelists:
Dr. Richard V Homan | President & Provost | Eastern Virginia Medical School
Dr. Deva Henry | Assistant Professor, Engineering & Computer Science | Regent

10:50am – Brian DeMuth & Ryan Leirvik | Chief Executive Officer & Chief Operating Officer | GRIMM
The Cybersecurity Leaders & Workforce of Tomorrow
Co-Keynote Address

Panelist:
Dr. Mary Manjikian | Professor, Government | Regent

Session 2

12:00pm – Kevin Mitnick | Chief Executive Officer of Mitnick Security Consulting
& Chief Hacking Officer of KnowBe4
Hacking Live with Kevin Mitnick
Keynote Address


Ian Green

Cybersecurity Summit Keynote

  • Keys to SRE
  • Modern SOC Roles
    • Tier 3: SME/Hunters
    • Tier 2: Incident Hunters
    • Tier 1:
  • Common Staffing Pool
  • Hiring only coders
  • Cap operational load at 50%
  • Blameless Postmortems
  • Risk based Approach
  • Hires requirements:
  • Coder:
  • Deliberately Vague,
  • Language Agnostic,
  • Reasoning ability
  • All leadership needs to be informed about security.
  • Types of classes recommended:
  • Online training
  • A programming language
    • Python
    • Go
  • Task forces:
  • Digital Forensics
  • Collaboration
  • Code Reviews
  • Feedback
  • Hope for AI for third parties
  • At his company, encourages Security Engineers to attend:
  • Conferences – Pays for 1 per year
  • Certifications – Pays for 1 per year
  • Automated Scalability
  • Any scale
  • Early investing
  • SEM development
  • Partner teams of software engineers
  • AI Automation
  • Science Engineers building and maintaining
  • Machine learning models
    • Training the AI models
  • Hiring:
  • Smart
  • Passionate
  • Reasoning

Roy Zur

The Cyber Safe City of the Future

  • Petya Wipe (Ransomware)
  • When paid; wiped data
  • Ukraine: main target
    • Russian Government-led attackers
      • Fancy Bear
      • Using Ukraine as a playing ground
      • Chaos and testing tools for cyber warfare
    • Cyberwarfare
    • #1 Threat is our security
    • Smart Cities
      • Age of Cyberwarfare
      • By 2050, 75% of the population will live in cities
      • Air, Trash, Vehicles, Traffic, Lighting, Roads, all online
      • IOT – Web 3.0
      • More access points
      • More threats
      • More aggregated data.
    • Minimize threats
      • Cyber Resilience Plan
        • Prevention
        • Detection – Backup/Recovery
      • City SIEM – SOC-CERT
        • Monitoring/Detection
      • IOT Policy
        • Security First
        • Benefits second
      • Security Standards
        • Avoid weak links
      • Secured by design
        • Strong Cryptography
        • Authentication Capabilities
        • Authorization Capabilities
        • No Back Door
      • Pen testing
      • Data Privacy
      • Avoid unnecessary sharing
        • Not every person and agency needs access
      • Threat intelligence
        • Physical and Cyber
      • Training and awareness
        • From awareness to experts
      • Collaboration and Sharing
        • Between agencies, entities, companies.

Panelists Jon Green and Robert Cochran

  • Mentioned Resources: Slashdot
  • Robert:
    • “Some things are better left mechanical”;
    • “Not everything needs to be interconnected”;
    • “People are the answer”
  • Jon:
    • “Home Networks are a microcosm of smart cities”
    • “So hyperconnected now”
    • “Never ending problems rushed by people’s rush to embrace technology”
  • Roy:
    • “This train is only accelerating”
    • “What we can do to make it safer”
    • “Companies prioritize efficiency over security”
    • “Security should be a fundamental part of building any hardware or software”
  • Jon:
    • “Security should absolutely be a fundamental when developing a hardware or software”
  • Robert:
    • “Hacker to me is Good”
    • “Engineers don’t think that way”
    • “What happens if someone misuses that [device].”
    • “Be in that mindset, what happens if . . .”
  • Roy:
    • “[Security] has to be a part of the development processes”
  • Unknown Quotes:
    • “Always be risks”
    • “Responsible Disclosure”
    • If a company doesn’t respond appropriately to a bug hunter/reporter; then do full-disclosure.
  • Suggestions:
    • Disable Universal Plug-n-Play (UPnP) on your router
      • With UPnP on, devices automatically open inbound ports.
      • When off, traffic is limited to outbound only.

Steve Abrahamson | GE

  • Health Care
  • Risks include intentional misuse of medical privacy
  • Availability is vital
  • “Possible to hack into anything connected to the internet”
  • Hospira Infusion Pump Security Flaw
  • Why steal medical details?
    • Insurance fraud.
  • Ransomware
    • Hollywood Hospital
      • Paid $17,000 in bitcoin
    • “Don’t pay Ransom”
    • If you pay ransom, you will be a reoccurring target.
  • Regulatory Response
  • Collaboration is KEY
  • Panel:
    • Pacemaker
      • Encryption causing battery to deplete quicker.

Brian DeMuth; Ryan Leirvik

Cybersecurity Leaders and Workforce of Tomorrow

  • Risk
    • Understanding
      • Identify, Categorize
    • Managing
      • Apply framework, structure, response
    • Measuring
      • Metrics, apply resources
    • “No one particular framework that fits all organizations”
    • “If you can’t measure it, you can’t manage it.”
    • Metrics: Good KRIs and KPIs
    • Expedite Experience:
      • Exercises
      • Cyber Ranges
      • Bridge Gap in Knowledge
    • Dr Mary Manjikian
      • Intro to Cyber Ethics
    • Insider Threat
      • Tough Issue
      • Element of Trust
      • Reporting Mechanisms
        • “Allow for safe place to talk about bad actor”
      • Pessimistic
        • Things are improving in some areas
        • We don’t know what we don’t know
        • New risk with devices
        • We need more people to do more research
        • Positive: Bug bounties
      • Automation
        • Drives fear of unknown
        • Needs tools to be better and faster – CyberSec
        • Doesn’t threaten jobs
        • Humans always win
        • Easier to focus on what is more important
      • Open source tools
        • They made broad # of attack vectors are using easier methods
          • Easier fix, quicker threat.
        • Harder methods
          • More time, but more of a threat
          • More damage
        • Look up “Reasons not to use encryption”
        • End of the day, it comes to management.

Kevin Mitnick

  • Steve and Steve (Apple): Phone phreaking too
    • Little secrets of the blue box
  • Fun Hack: McDonalds
    • Remotely take over drive thru window microphone
    • Joking
      • Telling people to get the salad due to weight of vehicle and passengers
      • If police, yelling “hide the drugs”
  • Wire Tap the wire tappers
    • Got into a government agency while testing his phone phreaking.
  • 23 years ago today (2.15.18), he was arrested by the FBI.
  • Social Engineering
    • Hacker uses influencing
    • Hillary Clinton Campaign
      • The IT guy got an email with a PDF from one of the leaders of the campaign, accidentally told them it was legit, but meant illegit.
    • Break into law firm
      • Call with a case acting like a lawyer
      • Provide email address
      • Send document via email
      • Send malware-loaded PDF.
  • Live Hack:
    • Con
    • Exploit
    • Remote Access Trojan
      • Key Log
      • Saved Creds
    • Any attacker can bypass any antivirus
    • MITM
    • Prox card stealing
      • Using expensive device, steal creds, create new one
      • Bathroom walk by, at urinal, have prox card information
      • Did live demonstration on a random person from the audience.
    • Access RAM through firmware to get password hashes on Mac
      • Access RAM with PCI Slot
      • Mac – Thunderbolt acts as PCI port
        • His folder name: pcileech_files
      • How to stop:
        • Using latest tech
        • SEOS
    • Hacking Identity
      • Volunteer
      • Use of credit database, 30 seconds
      • SSN, Phone, Address, DOB
      • Using this information, steal identity
        • Credit Report
        • Account #s
        • Reset account password using stolen information
        • Can’t stop this; put up notifications when actions happen on bank accounts.
      • Recommendation:
        • Difficult to compromise Google Chromebook.
        • Use this for all financial uses ONLY
    • Email spoof and ransomware
      • Used “Sappo”?
      • Zero-day exploit
        • See flaw exploited
      • Phishing:
        • Attachment
        • Deploy ransomware
        • Network shares with write access
      • Ransomware in the cloud
        • Office 365 email
        • Ask for permission for using account, reading all information, for “security upgrade”
        • Scramble emails with AES256
  • Better secure:
    • Use password manager with random passwords
    • Two-factor authentication
    • Secure VPN when on public networks
    • HTTPS Everywhere add-on
