Title: Where is Our Industry Headed, and Why do We Matter? (Subtitle: Hackers in Hoodies, InfoSec in Suits) Abstract:This presentation will begin with a brief history of Information Security and current trends (technical and programs) and changes, both recent and what’s coming. The goal is an upbeat presentation. The Hacker culture and the Information Security culture have continued to split, with a greater focus on risk management and privacy within organizations. Information Security professionals who can speak to the business and articulate risk will be the people who move the industry forward and gain a greater voice in the board room and budget directional decisions. Subjects addressed will include: • How is hacker culture changing? How is hacker culture different than information security culture? • Security vs Privacy. It isn’t just GDPR, with all the organizations I work with, privacy is getting a lot of focus. • How can an InfoSec professional make a difference? How can we get a voice in the boardroom? • What is our duty to the our employers, the industry, and users? • What is risk? How do we communicate qualitative risk, and how do we quantify risk? • Why does any of this matter? How can we drive change? • Why does it seem like no one is listening to us? (Actually, many organizations have come a long way) Biography: Alex Hamerstoneis the Practice Lead for Governance, Risk Management, and Compliance at TrustedSec, where he uses his consulting experience to partner with all sizes of organizations in all verticals, performing assessments, audits, and security program development. Alex has designed security programs for both large and small organizations, and has advised and performed security assessments for companies ranging from small businesses to Fortune 100 corporations. Screen reader support enabled.    

    Title: Mental Health in Infosec: Hackers, Hugs, & Drugs Abstract: The information security community is difficult to compare to any other. We are composed of intelligent, driven, passionate, opinionated individuals. When you combine the pressure and stress we put on ourselves in the form of research, learning, teaching, and creating it starts to build up. Not only do we put pressure on ourselves, but we also take it on from our bosses, co-workers, and family in many different forms. The majority of roles we fill cater to our drive and willingness to be behind a keyboard for hours on end. The end result is that many of us are broken. Broken in different ways, at different times, and for different reasons. We need to bring to light a topic that shouldn’t be as faux pas as it is. I’ll share my personal struggles, stories of friends and family, and hopefully help us come closer together as a community to help you or people around you. Biography: Amanda Berlin is a Sr. Security Analyst for a consulting firm in Southern Michigan. She is the author for a Blue Team best practices book called “Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. Amanda has been involved in implementing a secure Payment Card Industries (PCI) process and Health Insurance Portability and Accountability Act (HIPAA) compliance as well as building a comprehensive phishing and awards-based user education program. Amanda is an avid volunteer and has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, O’Reilly Security, GrrCon, and DEFCON. While she doesn’t have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quick to new technologies.    

    Title: Left of Boom Abstract: The term “Left of Boom” was made popular in 2007 in reference to the U.S. military combating improvised explosive devices (IEDs) used by insurgents in Afghanistan and Iraq. The U.S. military spent billions of dollars developing technology and tactics to prevent and detect IEDs before detonation, with a goal of disrupting the bomb chain. This is an analog to cybersecurity as we strive to increase our incident prevention capabilities before an attack. Do you know, empirically, what’s working, what’s not, how to fix it, how to verify the fix worked, and how to make sure it stays working across your security assets? This talk will cover automated methods for understanding and mitigating cyber risk. It will identify new and different approaches that you can apply to improve the effectiveness of your security tools, teams, and processes. Following, you’ll be able to develop your own strategy for getting left of boom. Biography: Christine Stevenson has over two decades of experience in Corporate IT and Security. She has held a variety of roles over the years with a primary focus on CSIRT and Digital Forensics. She is currently a Security Engineer at Verodin, a security instrumentation start-up out of Washington D.C.    

    Title: Social Cybersecurity: Ideas for Nudging Secure Behaviors Through Social Influences Abstract: Among the underappreciated roles of a cybersecurity professional is that of “sales and marketing” for end-user security compliance. In this presentation, I will offer ideas drawn from social psychology for communication strategies and micro-interventions that could help the information security community to improve end-user compliance with mandated security tools and best practices. I will briefly describe our team’s work at Carnegie Mellon University’s Human-Computer Interaction Institute to develop playful security interventions that leverage social factors and to document and analyze workgroup resource sharing through questionnaires on Amazon Mechanical Turk and interviews with local IT professionals. We hope these ideas drawn from our research can help you to identify and lead to effective, low-cost methods to address pain points in end-user security support and head off social engineering attacks. Biography: Cori Faklaris is a doctoral student researcher at Carnegie Mellon University’s Human-Computer Interaction Institute. She studies information security and user behavior in social computing and is advised by Associate Professors Laura Dabbish and Jason Hong. Previously, she earned an M.S. degree in Human-Computer Interaction from the Indiana University School of Informatics and Computing (Thesis: The State of Digital ‘Fair Use’) and a B.S. degree in Journalism, News-Editorial sequence, from the University of Illinois at Urbana-Champaign College of Media. In between these degrees, Faklaris spent nearly 20 years in the U.S. news industry as a reporter, editor, designer, programmer, analyst, social media producer and general “Doer of Things No One Else Wants to Do.” She shares her home in Pittsburgh with her two cats, Dexter and Addie.    

    Title: Building an Effective Vulnerability Management Program Abstract: Every company’s approach to building a vulnerability management program can be quite unique with different processes, procedures, and tool sets under their belts. When considering the life cycle of vulnerability management (Discovery, Prioritize, Assess, Report, Remediation, Verify), there are key components which should be a main focus which we will review here. Inventory management, patch management, and risk assessment are a few of these key areas which will aide in building an effective program and ensure that full scope and coverage is achieved. In this presentation, we will discuss this lifecycle and its key components and how they interrelate. Pulling from experiences working with my company’s IT organization and business units and building our program from the ground up we will dive into prioritizations, approaches, challenges, and tips for building your program effectively. There is not a “one size fits” all solution, but there is a general set of items for consideration that can be applied across different industries that can be translated to a wider audience than that of IT organizations. Effectively communicating the output of this work is a key to success, and that is that will be sum total of the work put into your program. Biography: Damian Sopher is the Vulnerability Management Lead at Westinghouse Electric Company. Damian has been in IT for the last 14 years with a mixed background in both blue and red teaming.    

    Title: Reaching for Cloud 9: Key Enablers for Secure Cloud Computing Abstract: The rapid departure from traditional on-premises IT infrastructure to cloud based solutions requires information technology professionals to reconsider the traditional security models that have existed for years. Many organizations have taken the proverbial “leap off the cliff” into the array of commercial cloud service offerings without a solid understanding of the respective security implications associated with transitioning services and/or corporate sensitive information to a public or private cloud service. Organizations must first ensure that the appropriate level of security is implemented in a manner that protects critical data residing on the respective cloud based workloads. There are major cybersecurity challenges that organizations must consider during cloud adoption and/or transition to include: data ownership and accessibility, identity and access management, baseline security requirements, encryption key management, perimeter security, restrictions within the management plane and contractual considerations. This presentation will examine the aforementioned challenges to adopting public and private cloud services and recommend key enablers that support robust cybersecurity in a cloud based environment. Biography: Dave Odom is the Chief Information Security Officer (CISO) for the Naval Nuclear Laboratory where he is responsible for the management of the cybersecurity program. Dave spent 10 years in the U.S. Navy as an Information Warfare Officer and while on active duty, became known as one of the Department of Defense experts in the tactics of Computer Network Operations. Throughout his professional career, Dave has been involved in several freelance projects to include: technical editor for the book “Gray Hat Hacking – 1st Edition” security analyst for the IRS, technical curriculum developer for various cybersecurity courses of instruction, and director of the Cybersecurity Youth Boot Camp in the lower mon-valley area of Pittsburgh, PA.    

    Title: Insider threat exploits from the viewpoint of a hacker. Abstract: Often we hear in security about the inside or insider threat. This often leads to policies being created, awareness trainings being conducted, controls being reviewed or tools purchased to decrease the threat. While these are time proven strategies, they often come only from a defensive mindset of how we protect against the insider threat. Meanwhile the mindset of the hacker is almost exclusively an offensive approach. This insider threat talk will focus on the offensive approach and illustrate some of the attacks an inside malicious intruder may perform including reverse shells to gain access to another system, stealing credentials from a browser and creating additional local admin accounts. The talk will include a high level demonstration of the tools an insider can utilize unnoticed such as the Hak5 USB Rubber Ducky and Packet Squirrel. The talk will be geared for wide range of attendees by focusing on exploit demonstrations, suggestions to protect against the exploits, and an overview of control and policy best practices. Biography: David Kane is the founder of Ethical Intruder a local Pittsburgh based Cyber Security company founded in 2010. David is experienced as team lead on a wide variety of network, web and mobile penetration test engagements. In 2015 David developed a methodology to assist organizations to create cyber security and compliance roadmaps called the Cyber Liability Maturity Model (CLMM) which has been utilized extensively in Pittsburgh and led to a 2018 Tech 50 nomination for Innovative Technology.   Marc Hockenberry is a Penn State Student – Cyber Security.    

    Title: Managing Cyber Risk Surprises Abstract: Senior executives hate surprises — at least the painful kind, which is the type most often associated with cybersecurity. Unfortunately, many of the practices and beliefs that are prevalent in our profession today aren’t very effective in managing cybersecurity surprises. In fact, if you dug into the contributing factors behind almost any major breach event, you will almost undoubtedly find that one or more of the factors Jack will discuss in this session played a key role. In this session, Jack will discuss the factors that influence the likelihood of painful cybersecurity surprises, why current practices fall short, and what we need to do differently as professionals and as a profession. You should come to this session prepared to be provoked and challenged, as this will not be a “Kumbaya” feel-good message. Biography: Jack Jones has worked in technology, information security, and risk management for over thirty years. He has ten years of experience as a CISO with three different companies, including five years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the ISSA Excellence in the Field of Security Practices award at that year’s RSA conference. In 2012 Jack was honored with the CSO Compass award for leadership in risk management. Jack is an active member in ISACA, serving on the task force that created the RiskIT framework and leading the CRISC certification development. He is also the creator of the “Factor Analysis of Information Risk” (FAIR) framework adopted by the Open Group as an international standard. Currently, Jack is the EVP Research and Development of RiskLens, Inc.; Chairman of the FAIR Institute, a non-profit organization dedicated to evolving risk management practices; and an adjunct professor at Carnegie Mellon University, where he lectures on risk measurement and management. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.    

    Title: Cyber Intelligence Today: Best Practices and Biggest Challenges Abstract: Hear some initial results of an Office of Director of National Intelligence (ODNI)-sponsored unclassified study on the current state of practice of cyber intelligence. This talk showcases early study results on cyber intelligence best practices, key challenges, and technologies used by organizations across government, industry, and academia. Learn how some high-performing organizations perform cyber intelligence, and walk away with best practices you can start implementing today. This talk also speaks to cyber intelligence practices that have changed or remained the same in the last five years. This presentation updates the April 2018 RSA presentation “Taking the Pulse on Cyber Intelligence.” Biography: Jared Ettinger is a cyber Intelligence researcher at the Carnegie Mellon University Software Engineering Institute’s Emerging Technology Center. In this capacity, Mr. Ettinger provides cyber intelligence and other intelligence related emerging technical solutions and analytical best practices to industry, government, and academia. Mr. Ettinger is also an adjunct instructor at the Carnegie Mellon University, Information Networking Institute, where he teaches a graduate level course, Introduction to Cyber Intelligence. Mr. Ettinger has fourteen years of prior experience supporting the government across operational and intelligence disciplines including Cyber Operations, Human Intelligence (HUMINT), Counterintelligence (CI), Counterterrorism (CT), and Denial and Deception (D&D).    

    Title: Hacking Identity: A Pen Tester’s Guide to IAM Abstract: Know your opponent and know yourself. It held true for Sun Tzu 2500 years ago, and it holds true for pen testers today. A pen tester who has worked in sec ops role has a distinct advantage, especially if that pen tester has a solid grasp of the good, the bad, and the ugly of identity and access management (IAM) in an enterprise setting. For red teams, this presentation will cover pen testing tips and tricks to circumvent weak or missing IAM controls. For blue teams, we’ll also cover the steps you can take to shore up your IAM controls and catch pen testers in the act. Purple teaming, FTW! Biography: Jerod Brennen is a Security Solutions Architect with One Identity, by day. By night, he’s a husband, father, writer, filmmaker, martial artist, musician, and gamer. I think it’s fair to say that he’s earned every gray hair in his beard, having spent his career fulfilling infosec roles in consulting, higher education, retail, and public utilities. Jerod likes to share what he’s learned over the years with local and regional information security professional organizations, at larger information security conferences, and online via blogs and podcasts. He also teaches information security courses, both domestically and internationally. At the end of the day, Jerod just wants to help folks get one step closer to doing what they want to do securely.    

    Title: Implementing NextGen AV at Scale in Enterprise Healthcare Abstract:  Verizon’s annual Data Breach Investigations Report indicates that the scope and frequency of data breaches is not slowing down. Based on the statistics reported to Verizon by security vendors, the healthcare sector was the target of 24% of all attacks, a third of which involved some form of malware. Almost 40% of that malware involved a unique hash, indicating that the attack was targeted at that organization. To keep up with this persistent threat, our endpoint protection platforms must evolve to tackle previously unknown threats and actors that leverage our own system administration tools against us. In 2017 and 2018, UPMC conducted a thorough evaluation of our endpoint security stack that involved a rigorous testing process involving many of the top solutions in the endpoint space. In addition to proving itself against modern threats, our chosen solution needed to be able to dramatically scale at the rate of UPMC’s hospital acquisitions. Also, and perhaps most importantly, it needed to be deployed and deliver its services with no impact to patient care. In our presentation, we would like to share our internally developed testing methodology and implementation strategy that led to the successful deployment of over 100,000 endpoints in approximately 3 months. The lessons learned from our project are applicable to any medium to large company looking to make their move to NGAV or transition to a different NGAV provider. While we do plan to mention the product ultimately selected, the focus of our presentation will be on our testing process, deployment plan and continuous operational improvements. Biography:  Kris Daugherty is a recognized leader in UPMC’s Information Security Group for his broad knowledge and depth of capabilities. He has specialized in the areas of vulnerability remediation, security tool automation and implementation, and Splunk integration. In addition to Information Security, he has served in systems engineering and desktop support roles during his 8 year tenure in Healthcare IT. UPMC recognized his leadership in 2012 by choosing him for the Award for Commitment and Excellence in Service (ACES). He holds several certifications including the SSCP and CompTIA’s Security+ and Healthcare IT Technician. Kris is a member of the Remediation Services team at UPMC which provides technical guidance and solutions for enterprise-wide security challenges. Dan Denne is a seasoned IT professional with over 28 years of experience. Throughout his career, he has managed many aspects of information technology for small, medium and large organizations. In 2004, Dan participated in a pilot course developed by CMU’s Software Engineering Institute on “Survivability and Information Assurance”, and systems security has been a primary focus ever since. Dan is a Certified Information Systems Security Professional and is currently the secretary of the (ISC)2 Pittsburgh Chapter. Dan is a member of the Remediation Services team at UPMC which provides technical guidance throughout the enterprise to improve UPMC’s overall security posture. Mike Dolan is a Senior Information Security Analyst within UPMC’s Security Operations Center. In this role, he monitors various log sources for signs of malicious activity, assists in product evaluations, ensures security tools are implemented to their fullest, provides training to his peers, and applies current industry best practices to prevent, detect, and respond to threats. In 2015, Mike received his Masters of Science in Information Science from the University of Pittsburgh. Prior to working in healthcare, Mike spent time in the manufacturing and defense industries where he worked as a Systems Administrator, a Network Technician, and a Network Administrator.    

    Title: Stealing Data With CSS: Attack and Defense Abstract: Client-side code injection attacks continue to be one of the most common attack vectors across the web. According to OWASP, Cross Site Scripting (XSS) and similar injection attacks are the “second most prevalent issue” on their Top 10 list of the “Most Critical Web Application Security Risks,” and “found in around two thirds of applications.” While many developers and security professionals are aware of the risks of unchecked JavaScript injection, Cascading Style Sheets (CSS) are often overlooked. A method is presented that can be used to steal targeted data, using CSS as an attack vector. Due to the modern web’s heavy reliance on CSS, a wide variety of data is potentially at risk, including usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers. The technique can also be used to de-anonymize users on dark nets like Tor. Previous work in this space as well as open problems are discussed; and several proof of concept examples are presented which demonstrate how CSS can be utilized to steal various types of client-side data without the need of JavaScript or iframes. Defense methods are presented for both website operators and web users. Biography: Mike Gualtieri is a Pittsburgh-based technologist and entrepreneur who is passionate about Linux, Free/Open Source Software, internet privacy, and cybersecurity. He has two decades of business and technical experience in software and security, and currently leads the consulting firm Eris Interactive Group. A graduate of University of Pittsburgh (2004 M.S. Computer Science, 2006 M.B.A), Mike founded the software startup Kiddix Computing in 2006, which sought to provide a safe and secure computing environment for children. In 2011, Mike founded M. L. Gualtieri Group (Eris Interactive Group), a software design & development firm, and has architected dozens of successful software products for organizations both in and outside of the Pittsburgh region. Mike lends his security expertise to small-to-mid-sized organizations across many industries, to help strengthen their security posture. He strives to educate the public about modern security threats, challenging de facto mitigation strategies, and advocates an offensive approach to security. Mike’s enthusiasm for security was also apparent at a young age, as he decided to write a program to (weakly) password protect some of his 5.25″ floppy disks, only to discover that 20 years later he had to hack into his own files to discover that the secret password was ‘ninja’.    

    Title: Securing Your Cloud Estate Abstract: Learn to implement the Center for Internet Security (CIS) critical controls for cloud workloads. Increasingly, cybercriminals are targeting cloud-hosted workloads, looking for high-value assets and free compute. In this session, Jonathan Trull will provide explicit guidance on how to leverage the controls in cloud environments to prevent data theft and unauthorized cloud resource consumption. Learning Objectives: 1: Understand the most common types of attacks against cloud users in 2017. 2: Learn actionable guidance for implementing key controls within your cloud estate. 3: Learn how to apply key controls within public clouds. Biography: Sean Sweeney is the Americas Director – Chief Security Advisors in Microsoft’s Cybersecurity Solutions Group. In this role, he is primarily responsible for aligning and mobilizing the Americas team to deliver thought leadership and deep customer engagement in region. He is also responsible for regularly engaging with the security industry through public speaking, standards development, and advanced research, as well as providing strategic direction on products and services, and advising customer CXOs on security and compliance issues. Sean joined Microsoft from the University of Pittsburgh where he was the Chief Information Security Officer. At Pitt, Sean was responsible for the strategic leadership of the information security and privacy protection programs for the University’s 5 campuses and 120,000 users. Sean is a previous principal and co-founder of a Pittsburgh-based eDiscovery startup. He was the Chief Information Officer for a national law firm based in Pittsburgh, and Applications Manager for the U.S. Department of Justice in Washington, D.C. He received a BA from George Mason University in Fairfax, VA, attended Virginia Commonwealth University’s Graduate School of Education in Richmond, VA, and is both a Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP). A frequent author and speaker on cybersecurity and compliance, Sean is also a steadfast champion of cybersecurity workforce development. Originally from Northern Virginia, and an avid boater; Sean has resided in Pittsburgh, PA for the last 13 years.    

    Title: Perspectives on Establishing “Cyber Confidence” Abstract: Building, maintaining, and leading a cyber security team capable of engaging in successful defensive cyber operations is a difficult challenge. Many technical and non-technical aspects must be considered. Both the leaders and members of these teams must strive to be able to establish and maintain “cyber confidence” across the group. Establishing “Cyber Confidence” is essential for successful long term defensive cyber operations along with longevity of the team and the investments in it. This presentation will discuss what is meant by “cyber confidence” and why it is so critical for success. Additionally, we will walk through several real-world examples and associated challenges of achieving “cyber confidence” within a team. Technical and non-technical topics of discussion will include: -Leading, and building technical trust and confidence among your team members. -Importance of having team members with varied perspectives (specialist vs. big picture). -Team leaders knowing the right technical questions to ask team members and when to ask them. -Discerning that some problems can be very complicated and require a significant time investment. -Ability to discern technical problem classification or over-simplification or over-complication. -Knowing your infrastructure – cyber infrastructure configuration, management and vendor support. -Benefits and criticality of hands-on technical troubleshooting skills. -Collecting the right data, and knowing how to analyze, and when to trust the data. -Listening to your log files, baselines, and change management documentation. Biography: Tom Podnar currently is a Cyber Security Engineer at the CERT division of SEI at Carnegie Mellon. He works with the United States Army researching, architecting, implementing and delivering elite cyber warfare exercises. He also is an adjunct professor at La Roche College, where he teaches Computer Security. He previously was the Systems Architecture team manager at the University of Pittsburgh, where his team was responsible for architecting and implementing all Enterprise systems.    

    2018 TRISS CISO Panel The CISO Discussion Panel will bring together several CISO’s from the regions top companies. We will discuss several of today’s top issues and to take questions from the audience. Join Dawn Cappelli, VP Global Security and Chief Information Security Officer, Rockwell Automation, Tom Dugas, CISO, Duquesne University CTS, Dr. Trebor Z. Evans, Senior VP and CISO, Dollar Bank, Omar Khawaja, VP & CISO, Security & Risk Mgmt., Highmark Inc., and James Ringold, Chief Information Security Officer, Westinghouse Electric for an informative and engaging discussion. Doug Salah – Moderator Dawn Cappelli – Panelist Tom Dugas – Panelist Dr. Trebor Z. Evans – Panelist Omar Khawaja – Panelist James Ringold – Panelist    

    2018 TRISS Women in Technology Panel The Three Rivers region has had a transition of workforce over the last 30 years. As a result we are seeing workforce changes in information security. With the region’s transition from industrial to one based in technology, the role of women has greatly evolved. A report compiled on economic trends in Allegheny County by the University of Pittsburgh Center for Social and Urban Research indicated one of the most significant transformations in the regional and county workforce has been the increase in female labor force participation over the last 30 years. As the presence of women in the technological landscape continues to grow and evolve within the region, the goal of TRISS is to empower women to become a valuable part of the economy as employees and leaders of the region. This panel will focus on women leaders in the workplace who will network with emerging leaders. Deidre Diamond – Moderator Annia Aleman – Panelist Kellie Morrow – Panelist Bonnie Mitchell – Panelist Soo Yi – Panelist Dawn Cappelli – Panelist    

    Career Village by CyberSN in partnership with TRISS Stop by the CyberSN Career Center while you are at TRISS and speak with the cyber career experts about job searching, who’s hiring in Pittsburgh, resume tips, interview advice, or to get your career questions answered. We will also be offering JobBuilder sessions at no-cost so you can see what happens when you build a truly tailored cybersecurity job description. Our team comprises over 20 years of recruiting experience and we know what’s going on in cybersecurity. Job searching is broken, CyberSN can help.   Job Searching and Hiring is Broken What is going on with searching and hiring in cybersecurity and how can you have a more successful experience?   Rock Your Job Search Building a resume and LinkedIn profile that can help you land the job you want and tips for interviewing.   Hack Your EQ, Grow Your Career What is EQ and why does it matter to your career development? Come hear about the workforce skills that correlate to your career success.   Headshot Studio Free professional headshot ]]>