RVAsec 2023

Passwords have long been the bane of user, IT support staff & security professional.  Compromised passwords are the leading source of account takeover and system breach, attackers are simply logging in and no longer breaking in!  Solutions in the past have always come with caveats, but with the inclusion of Passkeys into most major operating systems and platforms a true light may be at the end of the tunnel.  Join this panel to learn about the sorted history of passwords, current and developing trends with passwordless authentication, and what the best practice for Passkeys looks like!

Awareness of the benefits of behavior-focused defense is growing, and more intelligence around adversary tactics, techniques, and procedures ("TTPs") is available now than ever. However, as major adversaries increasingly modify their TTPs, teams struggle to track and manage the rising volume of TTP intel. We’ll review recent examples of adversary TTP evolution, including ransomware and commodity loader case studies, a summary of the TTP intelligence landscape, and guidance on effective intelligence collection, processing, and application for defenders.

This talk is a summation of stories from my recent penetration tests inside Active Directory networks. I will use this time to discuss common methods I have used to obtain initial access inside Active Directory environments, the features that paved the way to lateral movement, and vulnerabilities that escalated me to Domain Admin. This talk is laid out in a way that benefits both entry-level and experienced penetration testers. The content is for both blue and red teamers looking to better understand common Active Directory configurations that can lead to compromise. It has everything from memes to kerberoasting, with a pinch of humor (no dad jokes, I promise).

Taking the Network 101 presentation at RVAsec 2019 a bit further, this talk will dive into network security aka technical security controls that should be considered with respect to risk management in common environment, including private/public cloud and the recent industry buzz words around ZTNA - Zero Trust Network Access.
If you have ever wondered how you might use a VRF to segment authenticated user traffic, this is a talk for you. If you are trying to cut through buzzwords that a sales guy is throwing your way about how to protect your remote workers, this is a talk for you.

The peculiar story of the history of cryptography - featuring a code-breaking Quaker poet

Get a 2023 update on NIST security framework and CMMC compliance. Business with the government is Virginia's #1 industry. The government is sick of spending billions on projects only to find the data leaked onto the Internet. Due to this many government contracts require security compliance to the National Institute of Standards and Technology (NIST) 800-171 standard. For years businesspeople didn't take the 110 security controls seriously. Now we are seeing deals being lost to the Supplier Performance Risk System score. Ian has helped dozens of organizations implement compliance programs since 2017 in his role of vCSO.

 The advent of quantum computers promises to have profound economic impact because they solve lucrative industry problems that are otherwise impossible. The dark side is the consequences to global cybersecurity and the encryption systems fundamental to almost every aspect of our digital lives, including the cyber tools needed to protect them. Although 1970s-era PKI infrastructure has served us well for decades, it provides no assurance against the threat of “harvest now, decrypt later”. The transition to post quantum cryptography standards must be accompanied by more advanced techniques to ensure durable privacy, which is now a national economic security imperative. Fortunately, new redundant hardware and software solutions eliminate the single point of attack and failure in our business critical systems. 

AI, it's all the buzz. We have seen marketing fraudsters at Black Hat called out. Heard sales people use every buzzword they can to try and close. So is it all smoke and mirrors? Or maybe there is pragmatic use for this upcoming technology. I have taken ChatGPT and treated it like an offensive security lab. I trialed many different approaches to using it. In this talk I will show where it can add value in a technical, business and sales role. I will also show how it can fail miserably, it's security concerns and how its influenced. Will this take your job or add to it? Find out in my talk.