Cybersecurity Days

Enterprise Security hosts Cybersecurity Days each fall to provide meaningful training and resources to the university IT community at no cost to attendees. When we come together as a group internally, it is a great opportunity to share tips that work well in Ohio State's technology environment and to share new, relevant cybersecurity knowledge. 

Enterprise Security organizes the event in a format that fulfills information security framework training requirements, while also establishing ways to collaborate, build relationships and educate each other.

For the first time, in fall 2017 Enterprise Security hosted Cybersecurity Days (CSDs) over multiple days, creating more opportunities for engagement than in previous years. Each event focused on a specific aspect of cybersecurity: Community Forum (September 21); Application Security Training (September 26); and System Security Training (October 9).

In the past we have hosted the events at the Fawcett Center and in the Ohio Union. Details about 2018 events will be posted as they are confirmed; check back regularly for updates.

Sample Agendas: From Fall 2017

Community Forum - Thursday, Sept. 21

Multiple Learning Tracks

This event day includes opening remarks, a keynote address and three security tracks: management; research and compliance; and technology. Each track features a workshop at 1 p.m.

UPDATE: The Security Awareness Team hosts a clinic to set up the required Virtual Machines needed for the September 26 and October 9 courses. Clinics are from 10 a.m.- noon, and again from 1-3 p.m. near the registration desk outside the Great Hall.

You must have VMWare Player installed on your machine before this clinic. We cannot help you install VMWare Player at the clinic, as installation requires administrative privileges. Please contact your local IT service to have VMWare Player installed.

8:30 am - Opening Remarks by Helen Patton (Performance Hall)

Opening remarks by Helen Patton, Chief Information Security Officer 

8:45 am - Keynote Address: Security For the Rest of Your Life by Wendy Nather (Performance Hall)

Wendy Nather is Principal Security Strategist at Duo Security. She was previously the Research Director at the Retail ISAC, as well as Research Director of the Information Security Practice at independent analyst firm 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), and served as CISO of the Texas Education Agency. She speaks regularly on topics ranging from threat intelligence to identity and access management, risk analysis, incident response, data security, and societal and privacy issues. Wendy is a co-author of The Cloud Security Rules, and was listed as one of SC Magazine's Women in IT Security "Power Players" in 2014. 

Presentation Materials: https://cybersecurity.osu.edu/files/keynoteaddress-securityfortherestofyourlifepdf

10 am - Why Risk Assessments Matter by David McCartney (Performance Hall)

Risk management is a vital part of a maturing information security program. Peek behind the Enterprise Security Risk Management curtain with data-driven examples of how information security risk is being reduced at OSU. Learn how to use scoring that leadership will respond to, how to capture meaningful metrics, and hear what happens when you don't. Results of our maturing processes will be shared, including upcoming program changes, a brief assessment example, sample reporting, and frank discussion of current shortcomings and challenges.

Presentation Materials: https://cybersecurity.osu.edu/files/whyriskassessmentsmatterpptx 

10 am - 800-171: Research Compliance and Solutions by Laurel Dean (Great Hall)

Export regulations govern the transfer of data to all foreign persons, regardless of location. These regulations are comprehensive and carry significant fines, yet many people never realize they are exporting data. This session will help users, IT professionals and support personnel understand the regulations, spot 'red flags' and identify when export controls might be triggered. We will also discuss the federal information security requirements around controlled data, cloud computing, travel, and other topics of interest to the IT community.

10 am - UNIX Isn't a Four Letter Word: How to run Linux safely, securely, and above all -- easily by Mick Douglas (US Bank Theater)

Attendees of this talk will learn how to easily set up and maintain a Linux system that is resilient to attackers. This preview talk provides a sampling of the topics covered in the day-long class on 10/9. A focus of this talk is how quickly and easily attackers can compromise a misconfigured Linux system.

11 am - Cybersecurity for You by Becky Mayse (Performance Hall)

This talk will feature practical tips and tricks every user can benefit from whether at home or work. Topics covered will include: recognizing phishing, the importance of protecting your data, password management and social engineering. 

An optional sign-in sheet will be available for this talk; anyone who attends will receive credit for having completed the IT 16.1.1 security awareness requirement.

Presentation Materials: https://cybersecurity.osu.edu/files/cybersecurityforyoupptx

11 am - Protecting Student Aid Information by Joanna Grama (Great Hall)

Joanna Lyn Grama, JD, CISSP, CIPT, CRISC, directs the EDUCAUSE Cybersecurity Initiative and the IT GRC (governance, risk, and compliance) program. Joanna has expertise in law, IT security policy, compliance, and governance activities, as well as data privacy.

Topics include: 

  • Higher Education Data Context
  • Language Level Setting
  • Controlled Unclassified Information
  • GLBA
  • NIST
  • The "To Do" List

11 am - Pen Test University by Matt Stvartak and Kyle Gordon (US Bank Theater)

Penetration testing is a direct assessment of the security controls of a complete software system. This presentation explores the motivations, tools and tactics of the pen testing ecosystem, as well as the unique challenges faced in a university environment. Are you worried about the security of critical systems? Concerned about the effectiveness of your security controls and procedures? Interested in whether malicious hackers could actually break in? Find out how pen testing can help you answer these questions and more!

Presentation Materials: https://cybersecurity.osu.edu/files/pentestuniversitypptx

12 pm - Cloud Platform Security by Matt Stvartak and Taylor Crane (US Bank Theater)

When implementing a cloud IaaS platform, what are the key security concerns that need to be addressed? What security concerns does the IaaS provider solve for you, and what problems do they create? Join this presentation for a quick deep dive into Cloud Platform security areas as they pertain to IaaS providers such as AWS, Microsoft Azure, and Google’s Compute Engine.

Presentation Materials: https://cybersecurity.osu.edu/files/cloudplatformsecuritypptx

1 pm - Workshop: Cyber Legal Review by Chris Ingram and Chris LaRocco (Performance Hall)

It's easier to comply with legal and regulatory requirements if you're aware they exist! In the Ohio State Information Security Standard, LEG1.1 (legal and regulatory review) requires that organizations periodically perform a cyber-legal review to ensure they keep up to date with applicable laws and regulations. To assist Ohio State organizations with that task, cyber-legal experts Chris Ingram and Chris LaRocco will explain the current regulatory environment and the changes everyone needs to be aware of. This presentation offers a high-level understanding of the current legal landscape as it relates to information security; attendees will have completed the legal awareness activity required by ISCR requirement LEG 1.1.

Topics include: 

  • State of Information Security Codification
  • Payment Card Industry
  • Health Insurance Portability and Accountability Act
  • Family Educational Rights and Privacy Act
  • Gramm-Leach-Bliley (GLBA)
  • Fair Credit Reporting Act (FCRA)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Telephone Consumer Protection Act (TCPA)
  • Federal Information Security Management Act (FISMA)
  • Export Control Laws
  • Executive Order 13556 - Controlled Unclassified Information
  • Questions and Answers

Presentation Materials: https://cybersecurity.osu.edu/files/cyberlegalreviewpptx

1 pm - Workshop: System Level Compliance Risk Assessment for PHI and HIPAA Governance by Jamie Nelson, Cole Webber, Kim Kambarami, Allen Tam, Rob Brumfield and Annie Kowaleski (Great Hall)

This hands-on session allows participants to conduct a system-level risk assessment for a system that contains PHI. It covers data and document collection, data analysis, preparing and writing the report, and governance. It provides the knowledge, along with the templates and SOP, needed to conduct an assessment for your department.

Presentation Materials:

https://cybersecurity.osu.edu/files/systemlevelcomplianceriskassessmentforphiandhipaagovernancepptx

https://cybersecurity.osu.edu/sites/default/files/2017/09/completed_assessment_example.pdf

1 pm - Workshop: Defending Industrial Control Systems, by Matthew Luallen (US Bank Theater)

Matt Luallen is a well-respected professional with a unique background encompassing several facets of information assurance and content delivery systems surrounding business logic. Mr. Luallen has provided strategic guidance for Argonne National Laboratory, U.S. Department of Energy, within the Information Architecture and Cyber Security Program Office. He has extensive consulting experience within the governmental and commercial sectors including a multi-client base of corporations, financial institutions and healthcare organizations.

A graduate of National Technological University with a Master's Degree in Computer Science, Mr. Luallen holds a Bachelor of Science degree in Industrial Engineering from the University of Illinois, Urbana. This unique coupling has provided an underlying framework to directly correlate core business functions and requirements with computer architectural solutions.

Important preparation for this workshop: a Virtual Machine (VM) will need to be set up before the day of the event.

Before you can run the VM on your machine, you will need to install VMWare Player (or an equivalent). You will also need at least 2 GB of free RAM, 40 GB of free disk space and an Intel Core i3 processor or equivalent to run the VM for the workshop. Consult your local IT service for help with setup. Download the VM here

Presentation Materials: https://cybersecurity.osu.edu/files/defendingindustrialcontrolsystemspdf

3 pm - FBI Travel Awareness Briefing (Performance Hall)

Espionage is an increasingly serious threat for international travelers. Perpetrators may be competitors, opportunists, or foreign intelligence officers. In many countries, domestic corporations collect competitive intelligence with the help and support of their government. To help mitigate risk to international travelers this talk outlines steps you should take before, during and after your travel to protect yourself and your data.

3 pm - HIPAA Privacy and Security Auditing by Jennifer Elliott and Tremayne Smith (Great Hall)

Privacy and Security Officers from OSUWMC and OSUP discuss and provide guidance for conducting a range of different HIPAA related auditing procedures including:

  • Accounting of Disclosure Audits
  • Notice of Privacy Practices Audits
  • Release of Information Audits
  • Department Walkthroughs

Presentation Materials: https://cybersecurity.osu.edu/files/hipaaprivacyandsecurityauditingpptx

3 pm - From Gossip to Grownup: Making Threat Intelligence Work by Wendy Nather (US Bank Theater)

"Call me as soon as you can." That's not a message anyone wants to get, but it's the most common way that successful threat intelligence sharing happens. In this talk, Wendy Nather shares her experiences helping to stand up the Retail Cyber Intelligence Sharing Center: how sharing can scale, when breach notifications come from unexpected sources, how there can be 50 Shades of Amber in threat intel classifications, and whether automated IOCs (Indicators of Compromise) are really just big honking signatures.

Presentation Materials: https://cybersecurity.osu.edu/files/makingthreatintelligenceworkpdf

4 pm - PCI Compliance: What it means to you and how to get there by Roland Kreml and PCI Committee Panel  (Performance Hall)

Does your department want to take credit card payments? Are you already taking payments, but want to change how you are doing it? The Payment Card Industry Data Security Standard (PCI DSS) can be a cumbersome regulation, but there are experts at Ohio State who can help you navigate the pitfalls and ensure you are taking credit and debit card payments in a secure manner that meets the requirements. Of interest to business and security professionals, including Merchant Managers, Finance Managers and Security Liaisons, this session, presented by members of the Ohio State PCI Committee, covers a broad range of topics related to the PCI DSS and Ohio State's Payment Card Policy to help get you moving in the right direction. There will also be a panel discussion to assist with your specific topics.

Presentation Materials: https://cybersecurity.osu.edu/system/files/2017/09/pci_compliance_-_what_it_means_to_you_and_how_to_get_there.pdf

4 pm - Getting your Computing Environment Compliant with Security Baselines by Brian Mitchell and Jim Ridolfo (Great Hall)

The IT Director from OSUP shares a successful process for becoming compliant. This session gives you the tools you need to mount your own effort to get all the PCs in your department compliant. Topics include:

  • Identifying and Cleaning Up
  • New Deployments
  • Maintaining Compliance
  • Reporting
  • Documenting Exceptions

Presentation Materials: https://cybersecurity.osu.edu/files/gettingyourcomputingenvironmentcompliantwithsecuritybaselinespptx

4 pm - An Abbreviated History, Present, and Near Future of Security Automation at OSU by Chris Hartley (US Bank Theater)

This talk covers Enterprise Security's automation tools and capabilities with respect to our past, current state, and near-term goals. It explores the merits of automation and its pitfalls, and how we can work as individuals, as units, and together as a University to identify and detect threats and anomalies, then respond to known bad activities and behaviors. It considers the use of Indicators of Compromise (IOCs) and subject matter expert knowledge about the ways systems, networks and users "ought to act" while applying policies granularly and most effectively.

Presentation Materials: https://cybersecurity.osu.edu/files/securityautomationpdf

Schedule at a glance

Time            | Track 1: Management (Performance Hall) | Track 2: Research and Compliance (Great Hall) | Track 3: Technology (US Bank Theater)
8 - 8:30 am     | Registration (coffee provided), all tracks
8:30 - 8:45 am  | Opening Remarks, all tracks
8:45 - 9:45 am  | Keynote: Security For the Rest of Your Life, all tracks
10 - 10:45 am   | Why Risk Assessments Matter | 800-171: Research Compliance and Solutions | UNIX Isn't a Four Letter Word
11 - 11:45 am   | Cybersecurity for You | Protecting Student Aid Information | Pen Test University
12 - 12:45 pm   | Lunch Break (on your own) | Lunch Break (on your own) | Cloud Platform Security
1 - 2:45 pm     | Workshop: Cyber Legal Review | Workshop: System Level Compliance Risk Assessments | Workshop: Defending Industrial Control Systems
3 - 3:45 pm     | FBI Travel Awareness Briefing | HIPAA Privacy and Security Auditing | Making Threat Intelligence Work
4 - 4:45 pm     | PCI Compliance | Getting your Computing Environment Compliant with Security Baselines | Security Automation at OSU

Application Security Training Course - Tuesday, Sept. 26

Code Security for Hackers and Developers 

There are four technical skills required by security researchers, software quality assurance and test engineers, and developers concerned about security: source code auditing, fuzzing, reverse engineering and exploitation. Each of these domains will be covered in detail. C/C++ code has long been plagued by security errors resulting from memory corruption; problematic code is discussed and searched for in lectures and labs. Fuzzing is a topic book author DeMott knows well: mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed), IDA Pro is the tool of choice, and deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component: you'll learn exploitation basics and will also use the latest techniques.

A Virtual Machine (VM) is required for this course. You must have VMWare Player installed on your machine, which requires administrative privileges. Please contact your local IT service to have VMWare Player installed.
Course schedule (for each session: time, title, topics, labs, lecture slides and the tools provided in the VM)

8 - 10 am: Source Code Auditing 1 and 2
  Topics: classic and newer mistakes in C and C++; review of real-world code
  Labs: audit various C code; audit JPEG code
  Lecture slides: C audit solutions; C++ lab guide provided
  Tools (in VM): text editor and SCI Understand. The VM is shared and set up as soon as students start arriving.

10:15 - Noon: Fuzzing 1 and 2
  Topics: fuzzing overview and basic file fuzzing; network-based mutation vs. fuzzing frameworks; Peach
  Labs: demos on file fuzzing; use Sulley to fuzz FTP; use Peach to fuzz Internet Explorer with GIF pictures
  Lecture slides: Fuzzing
  Tools (in VM): MacFuzz, GPF, VDA Fuzz, Sulley, Peach

Noon - 1 pm: Lunch Break (on your own)

1 - 3 pm: Reverse Engineering 1 and 2
  Topics: IDA usage, extending IDA, malware analysis and miscellaneous topics
  Labs: 1. crack a program; 2. C++ investigation; 3. binary patching; 4. scripting; 5. malware investigation; 6. FLAIR usage. Homework: plugins and emulation
  Lecture slides: Using IDA Pro; reversing lab guides
  Tools (in VM): IDA Pro and various other utilities and tools

3:15 - 5 pm: Exploitation 1 and 2
  Topics: buffer overflows, shellcode, debuggers and return-oriented programming
  Labs: function pointer overwrite; writing a stack buffer overflow exploit (lab guide); ROP exploit (lab guide)
  Lecture slides: exploit lab guides
  Tools (in VM): Python, WinDbg, Immunity Debugger, Metasploit, ROP generators
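The course description above ties source code auditing to memory corruption in C/C++, and the exploitation session lists a "function pointer overwrite" lab. As an added illustration of those two points (this is example code written for this page, not material from the course, from DeMott, or from Sulley, Peach or IDA Pro), the block below shows a struct whose fixed-size name field sits directly before a function pointer, the unbounded strcpy that lets an over-long name overwrite that pointer, the bounds-checked replacement an auditor would ask for, and a small deterministic mutation fuzzer that drives the fixed parser and confirms the pointer survives every mutant. The record layout, the input format and the xorshift PRNG are assumptions made for the example.

```c
/* Added example for this page: a classic C memory-corruption bug, its fix, and a
 * minimal mutation fuzzer. The record layout, input format and PRNG are assumptions
 * made for the example; none of this is course material or code from a named tool. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

typedef void (*handler_t)(void);

/* A caller-supplied name followed in memory by a callback pointer. If the name
 * field overflows, the pointer right after it is overwritten: the "function
 * pointer overwrite" pattern. */
struct record {
    char name[16];
    handler_t on_ready;
};

static int ready_calls;
static void on_ready_ok(void) { ready_calls++; }

/* VULNERABLE (the "before"): strcpy copies until the NUL with no regard for
 * sizeof(name). Input longer than 15 bytes overwrites r->on_ready and whatever
 * follows the struct. Kept only to show what an audit flags; never call it on
 * untrusted input. */
int record_set_name_vuln(struct record *r, const char *input)
{
    strcpy(r->name, input);            /* BUG: unbounded copy into a 16-byte field */
    return 0;
}

/* FIXED: measure with an upper bound first, reject anything that does not fit
 * together with its terminator, then copy exactly that many bytes.
 * Returns 0 on success, -1 if the input was rejected. */
int record_set_name_safe(struct record *r, const char *input)
{
    size_t n = 0;
    while (n < sizeof r->name && input[n] != '\0')
        n++;
    if (n >= sizeof r->name)           /* no room left for the NUL terminator */
        return -1;
    memcpy(r->name, input, n);
    r->name[n] = '\0';
    return 0;
}

/* Deterministic xorshift32 PRNG so fuzz runs are reproducible from a seed. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Tiny mutation fuzzer: generate `iterations` random printable inputs of random
 * length (0..62 bytes, so many exceed the 16-byte field), feed each to `parser`,
 * and count how many times the callback pointer survived intact. A result equal
 * to `iterations` means no overwrite was observed. */
int fuzz_record_parser(int (*parser)(struct record *, const char *),
                       unsigned iterations, uint32_t seed)
{
    char buf[64];
    int intact = 0;
    for (unsigned i = 0; i < iterations; i++) {
        struct record r;
        memset(&r, 0, sizeof r);
        r.on_ready = on_ready_ok;

        size_t len = xorshift32(&seed) % (sizeof buf - 1);
        for (size_t k = 0; k < len; k++)
            buf[k] = (char)('!' + xorshift32(&seed) % 94);   /* printable, non-NUL */
        buf[len] = '\0';

        parser(&r, buf);
        if (r.on_ready == on_ready_ok)
            intact++;
    }
    return intact;
}

int main(void)
{
    struct record r = { "", on_ready_ok };
    printf("safe, short name accepted (0): %d\n", record_set_name_safe(&r, "alice"));
    printf("safe, long name rejected (-1): %d\n",
           record_set_name_safe(&r, "this-name-is-far-too-long"));
    printf("fuzz of safe parser, callbacks intact: %d/1000\n",
           fuzz_record_parser(record_set_name_safe, 1000, 0x1234u));
    return 0;
}
```

Only the fixed parser is fuzzed here; pointing the harness at record_set_name_vuln is undefined behaviour by design, and that crash is exactly what a fuzzer run under a debugger such as WinDbg or Immunity Debugger would surface before the exploitation lab turns it into a controlled pointer overwrite.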

System Security Training Course - Monday, Oct. 9

Red Hat Linux System Hardening 

Getting a Linux server up and running is now fairly easy, but how do you keep it from being stolen by the bad guys? This class covers several easy and practical steps you can take to make your system significantly more resilient to attacks without making it a pain to manage or use.

8:00 - 8:15 am   Welcome Remarks
8:15 - 10:00 am  Part 1
10:15 - Noon     Part 2
Noon - 1:00 pm   Lunch Break (on your own)
1:00 - 3:00 pm   Part 3
3:15 - 5:00 pm   Part 4

UPDATE: A Virtual Machine (VM) is required for this course. You must have VMWare Player installed on your machine, which requires administrative privileges. Please contact your local IT service to have VMWare Player installed.

Those registered for this course will receive a separate email from cybersecurityday@osu.edu with a link to download the VM as well as step-by-step instructions to set up the VM for both Windows and Mac systems.  

Who should attend?

Sessions are free and open to all employees of The Ohio State University and The Ohio State University Wexner Medical Center. If you are not an Ohio State employee and would like to attend, you will also be able to register from this page. We will register as many professionals as we can accommodate within the available space and will send you an invitation within a week of the event.

Questions

Questions should be directed to cybersecurityday@osu.edu.