Cybersecurity Days

Cybersecurity Days 2020 - Welcome Video

The biggest cybersecurity learning opportunity of the year!

Hosted by Enterprise Security, this event is open to the entire Ohio State University community, including students, faculty, staff, researchers and the Wexner Medical Center. This annual event is free and offers diverse informational training and sessions.


Agenda:

Tuesday, October 6, 2020: Virtual Training

9 a.m. – Opening Session 

Security 2.0 – We Have Security Tools, But We Need a Thinking Tool 

Presented by:
Gary Clark

Director of Information Risk Management, Enterprise Security, The Ohio State University 

Session Description:

Organizations across the globe are increasing their security controls, but cybercriminals continue to steal data and hold organizations hostage with ransomware at an alarming rate. Security vendors offer additional security tools and services to “help”, but as a community, we need to pause and ask ourselves the following questions: 

  • Are the security controls in place working to protect critical assets? 
  • Are we holistically addressing our most critical threats? 

  • Are we continually updating our defenses against our adversary’s changing tactics? 

To answer these questions, we need to get inside the hacker’s head. If we can understand the cybercriminal’s playbook, we can use their own tactics against them. Applying a threat framework will help us understand what our adversaries do, evaluate our own controls against their techniques, and integrate these learnings into our current security programs to build threat-based defenses.

In this kickoff session, Gary Clark will introduce this concept, which will be built upon throughout the day.


9:30 a.m. – 11:30 a.m.

What You Don’t Know Can Hurt You, Badly. How to Make Your Environment Tamper-Evident. 

Presented by:
Mick Douglas

Blue Team Operations Specialist

Session Description:

The whole point of cybersecurity testing is to reveal how well your environment will stand up to attacks. Mick Douglas, Blue Team operations specialist and certified SANS instructor, will deliver tangible actions you can take to make your networks, perimeters and systems tamper-evident. This will improve your environment’s resiliency and allow you to better withstand and detect attacks.

Douglas will share real-world examples of how attackers subvert controls currently in place and teach you how to prevent those control attacks from occurring. Several demonstrations of subtle attacks will also be shown. Examples include lateral movement techniques, local privilege escalation, and account hijacking that would typically be difficult to detect. Learn how to increase visibility with these in-place security controls.

This session is a great primer for content delivered throughout our morning sessions. 


11:30 a.m. – 12:00 p.m.

MITRE ATT&CK: A Framework for Tamper Evidence 

Presented by:
Steve Romig
Director and Security Advisor, Enterprise Security, The Ohio State University

Session Description:

The MITRE ATT&CK Framework helps visualize and organize thinking about adversary tactics, techniques and procedures at a detailed level. You'll increasingly see references to MITRE ATT&CK in security conversations, so it's helpful to have a general understanding of what it is. But if you dig a little deeper, you'll find that it can help with a variety of tasks, including planning and evaluating your defenses, choosing security products and more.

In this talk, Steve Romig will review the framework and prepare you for how Ohio State plans to follow a similar path in making our environment more tamper-evident. 


Noon – 1 p.m. 

Purple Team Demonstration – Gain Visibility of the Attack 

Presented by:
Chris Hartley
Lead Security Engineer, Enterprise Security, The Ohio State University
Bob Pardee

Senior Security Engineer, Enterprise Security, The Ohio State University

Session Description:

Large organizations often segment portions of their security staff by Blue Team (those that defend) and Red Team (those that attack and test). When those teams work together to calibrate their defense, those efforts are often considered Purple Team exercises. 

Enterprise Security Blue and Red engineers collaborate to show you real attack and defend scenarios we see at Ohio State. 

During this session you will:

  • Learn how to configure your environment to provide greater visibility to known attacks 

  • Watch the red team attack the environment and see how the network reacts

  • Gain techniques you can use in your environment to make it more tamper-evident

  • Discover how Enterprise Security can help you test your visibility 

Begin a conversation with Enterprise Security about how we can help you build and execute the tamper evidence principles that we're discussing throughout Cybersecurity Days. 


1:30 p.m. – 3:30 p.m. 

Application Security from Tamper Evidence to Tamper Resistance – Build Rigor into Your SDLC Without Afflicting Velocity

Presented by:
Jason Montgomery
VP, Security, DataRobot

Session Description:

Many organizations overlook the application layer in their security practices, and visibility is often seen as a game for perimeters, networks and systems. However, in application security, visibility is only one piece of the puzzle.

In this talk, Jason Montgomery will go beyond the principles of tamper-evidence and show how to design tamper-resistant applications. Montgomery will review tools and techniques used by pros to integrate security in their SDLC and build rigor into your process without afflicting your velocity. This talk also provides the building blocks for the following application security session.


3:45 p.m. – 4:15 p.m.

From Test to Tamper-Resistant Applications 

Presented by:
Geoff Shoupp
Senior Security Engineer, Vulnerability Management Service Owner, Enterprise Security, The Ohio State University

Session Description:

Applications are built to serve and help the user. We don’t often build technology in a way that detects the human manipulating it. Therefore, tamper evidence isn’t always possible, which puts additional responsibility on testing your application to ensure vulnerabilities don’t exist in the first place.

The problem? We can’t fix what we can’t see or test. Fortunately, the university offers some tools and techniques that can help.

During this session you will:

  • Learn how to scan your code with pipelines and runners 

  • Understand scanning: SAST, DAST, dependency and container

  • Customize your testing for your own environment 

  • Securely manage your code 

 

Wednesday, October 14, 2020: Virtual Community Forum 

9 a.m. – Morning Keynote

Inside the Mind of a Hacker 

Presented by:
David J. Kennedy, OSCE, OSCP, CISSP, GSEC, MCSE, ISO 27001
Founder, TrustedSec and Binary Defense

Session Description: 

We frequently hear about organizations being compromised by hackers on the news. But how do these incidents happen and who are the hackers? This talk will go into real-world examples of how hackers target organizations. David Kennedy will discuss how cybercriminals decide which individuals and organizations to attack. You will learn how to protect yourself against the threats we face today and the threats that may come tomorrow. Attackers are continuously creating new methods of attack; how can you protect yourself and The Ohio State University?

Kennedy is a regular contributor and subject matter expert on cybersecurity for high-profile media outlets. His tools have also been featured in a number of TV shows and movies, and he famously served as Technical Consultant for the critically acclaimed show Mr. Robot.

As a forward thinker in the security field, Kennedy's had the distinction of speaking at some of the nation’s largest conferences, including Microsoft’s BlueHat, DEF CON and Black Hat. He's even testified before Congress on issues of national security.

Hailing from Bedford High School, of Southeast Cleveland, Kennedy donates his time by speaking with civic leaders and students about the importance of security.


10:30 a.m.

Take Ownership of Your Digital Identity

Presented by:
Jerod Brennen

Identity Strategy and Solutions Advisor

Session Description: 

Jerod Brennen returns this year with another applicable presentation for everyday life. You may remember his previous talk regarding the dark web and how to protect your smartphone as an extension of your digital life. This year, he takes a broader look at what a digital identity is and ways that you can safely navigate the internet without exposing yourself to unnecessary risks.

Brennen will also share information about the current and future state of digital identities, along with actionable steps that you can take to protect your life online. Don’t miss out on the digital identity checklist that comes with this presentation; you can also share it with your friends and family!


Noon Keynote

Digital Citizenship and Cybersecurity

Presented by:
Rob Duhart

Head of Federated Security, Google

Session Description: 

In this conference we talk about digital lives. What do we call a collection of digital lives that interact with one another? A digital community. What type of people do we hope live in our communities? Good citizens, people who are conscientious of how their actions affect others. A good digital citizen recognizes their actions as part of a larger effort to protect their community from bad actors. 

Columbus expat and Head of Federated Security at Google, Rob Duhart, is driven by serving people, building dynamic, world-class cybersecurity programs and teams while bringing trust and security to our digital world. In this session he will share how good digital citizenship helps secure communities like Ohio State, and what the future of leadership and culture in cybersecurity looks like.


1:30 p.m.

Threats Built-In: Embedded Systems and Consumer Electronics

Presented by:
Aaron McCanty

Cyber Computer Scientist, Battelle

Session Description: 

Consumer technology relies on embedded systems, or the coordination of a device’s computer hardware and software. Embedded systems appear in all of our technology: laptops, tablets and smartphones. But embedded systems can also be contained in anything from a simple vending machine to an intricate airplane with millions of parts.

We seldom have a need to interact with embedded systems because these coordinations are often implemented at the factory during the manufacturing process. However, embedded systems can be manipulated to operate outside the engineer’s original intent. A smart television can be trained to spy. The slot machine can be trained to rain money. A pacemaker can be trained to kill. 

Embedded system security is a dynamic and ever-changing field. Adversaries are constantly looking for flaws in consumer electronics in order to do bad things like install malicious software or steal information. Discover what security researchers at Battelle learned as they analyzed how systems are exploited in the real world. Apply this knowledge to better protect the systems you create.

Aaron McCanty is a cyber security researcher in the Cyber and Electronic Warfare division within the Battelle Memorial Institute’s National Security business unit. He specializes as a reverse engineer and embedded software developer. McCanty spends most of his time researching ways to automate the reverse engineering lifecycle and lowering the barrier to entry in this advanced field.


3 p.m.

Cybersecurity: Oh the humanity!

Presented by:
Dr. Duane Wegener

Professor, Department of Psychology, The Ohio State University

Session Description: 

Cybersecurity involves a host of technological components, but many of the primary risks have, at their heart, human behavior. Therefore, much of the effort to improve cybersecurity involves changes in problematic human behavior, or the establishment and maintenance of adaptive cybersecurity behavior. In short, many cybersecurity problems are behavior problems.

How can users of technology be engaged to undertake the necessary steps to protect their data (or company data), or to learn more about available tools? To accomplish this most effectively, one would have to consider the goals and motives that drive safe or unsafe cybersecurity actions (or inactions) and engage end users with communications that serve their goals.

The Ohio State Cybersecurity for You (C4U.osu.edu) platform provides initial steps in this direction by attempting to connect with the “pain points” involved in cybersecurity breaches while providing brief activities aimed at addressing them. This talk will use the C4U platform as a jumping off point to discuss the different ways that users can utilize this cybersecurity platform and its training in the real world. 


4 p.m.

Closing Remarks

Presented by:
Helen Patton

Chief Information Security Officer, Enterprise Security, The Ohio State University


Post-Event Resources:

VIRTUAL TRAINING RECORDED PRESENTATIONS
VIRTUAL TRAINING SLIDES

VIRTUAL COMMUNITY FORUM PRESENTATIONS
VIRTUAL COMMUNITY FORUM SLIDES

*Please note: David Kennedy's slides will be added at a later date, but his recording is on the YouTube playlist, linked above. We will also be adding unanswered questions and answers from speakers on this web page in the coming week.