The Current State of Cyber Security
It’s almost a given that you or your company will be hacked one day. How fast and how well you react is what makes the difference. Eleanor Saitta explains the ins and outs of an attack and what you should have in place to get through it successfully.
Securing the JVM
Consider a Java application in a private banking system. A new network administrator is hired, and while looking around, he notices that the app is making network calls to an unknown external endpoint. After some investigation, it’s found that this app has been sending confidential data to a competitor (or a state, or hackers, whatever) for years. This is awkward. Especially since it could have been avoided. Code reviews are good for improving the hardening of an application, but what if the malicious code was planted on purpose? Some code buried in a commit could extract code from binary content, compile it on the fly, and then execute it in the same JVM run… By default, the JVM is not secured! Securing the JVM for a non-trivial application is complex and time-consuming, but the risks of not securing it could be disastrous. In this talk, I’ll show some of the things you could do in an unsecured JVM. I’ll also explain the basics of securing it, and finally demo a working process for how to do it. **What will the audience learn from this talk?** I'll show what a malicious attacker can do on an unsecured JVM, and then demo what mitigations can do to cope with that. **Does it feature code examples and/or live coding?** Sure! **Prerequisite attendee experience level:** Level (https://gotocph.com/2019/pages/experience-level)
Does Agile Make Us Less Secure?
Organisations adopting agile practices tend to throw out the old practices of requirements gathering, up-front system design and careful analysis in favour of writing code just in time and pushing to production multiple times per day. Doesn’t this make us far less secure? Michael will address this question and talk about the tension between agile and security - and offer ways that you can resolve this tension.
Advanced Cloud Cyber Security with Kubernetes
Looking at the ongoing risks to any company today, no matter how much time and money you invest in cyber security as a CISO or any other security practitioner, you always arrive at the same conclusion: it's not enough to achieve a high standard of security once; you have to do it 24/7, keeping pace with the changing cyber threats. In the talk we'll give a brief overview of different aspects of cyber security in the modern world, talking about cloud and other external services that companies of any size use nowadays. We'll show from experience that the best and most fitting approach is ongoing monitoring of your security posture. As for the "why": the only thing that is 100% sure is that the attack surface of every company is changing constantly, so we should keep validating our security posture accordingly. And now the "how": we'll share how to build an infrastructure for security researchers that lets them concentrate on business logic and on writing hacker "tasks". Using Docker and Kubernetes on Google Cloud, these tasks can then be run in parallel and without a lot of DevOps hassle. Our technique removes two common barriers: first, long and risky deployment processes, and second, low transparency within the production system. Lessons learned are promised, along with a glimpse of the hacker's view, because it's always interesting to see how you look from the outside. **What will the audience learn from this talk?** We'll share how we achieved the following three goals: 1. Remove the need for security researchers to write infrastructure code. 2. Increase efficiency by running security activities in parallel. 3. Generate more accurate risk modeling results through automation. **Does it feature code examples and/or live coding?** The talk will feature code examples from the implementation of the workflow manager that we've written in Python. But it will be a high-level overview of the classes, because we can't expose the real code.
**Prerequisite attendee experience level:** (https://gotocph.com/2019/pages/experience-level)
A Practical Guide to Cybercrime
Cybercriminals are often perceived as having superpowers to get into your systems and steal your money and data. The vast majority are just following simple cookbook recipes to take advantage of laziness, sloppiness and a failure to understand what might be risky behaviour. Defences against cybercrime do not have to be hi-tech or even very complex. This talk discusses various types of cybercrime and gives some practical advice on how to make yourself a little safer.
OAuth Tokens As Your Identity API
You have an OAuth server, now what? In this talk, Jacob will illustrate how OAuth and OpenID Connect can be leveraged to deliver agility and scalability while also ensuring security. Distributed systems bring with them complexities surrounding identity. How should end-user identities be traced and delegated? How can we manage user permissions across groups and in large organizations? Jacob will explore a standards-based approach using protocols like OAuth and OpenID Connect, highlighting patterns for large scale deployments while keeping things simple. We’ll also see how identity is preserved and utilized within complex software delivery networks like Kubernetes.
The Future of Security
Ever wonder why technology seems to be more fail-by-design than security- and privacy-based? Also, how is it that we can have so many training programmes and awareness budgets, yet people keep clicking the links and opening the attachments? In this talk, I will highlight the way we approach security today, and how we can adjust this to be effective. We will look at why technology often isn't built with security or privacy as the default, and how we can be a part of the shift to embedding security. **What will the audience learn from this talk?** The takeaways from this talk are an understanding of what the current landscape looks like, and how we got here:
* An understanding of how, as individuals, we can start to change the culture and understanding of security and privacy
* How organisations can make a difference to their consumers
* What part regulations and directives play in protecting consumers, and how to leverage these to make a difference
* Practical steps everyone can take to make a difference (from the non-technical, personal consumer, professional consumer, programmer/coder, and organisation)
**Does it feature code examples and/or live coding?** This will not include live coding; however, I will discuss an autopsy view of breaches that have happened. For this to include a live demo, please respond with any suggestions you may be interested in - I could always bring a rubber ducky, or cover something small to include for sure. **Prerequisite attendee experience level:** [Level 200](https://gotocph.com/2019/pages/experience-level)
Lessons From Billions of Breached Records [Live Streamed]
Security flaws, hackers and data breaches are the new normal. It’s not just those of us in the industry facing these foes every single day; it’s everyone. Whether you’re online or offline, you simply cannot exist today without your personal information being digitized in systems which are often left vulnerable and exploited at the whim of attackers. But who are these people — the ones who seek to break through our defenses and exploit our data? And how are they continually so effective at doing so, despite our best efforts? In this talk, you’ll hear from the creator of “Have I Been Pwned” about the lessons he’s learned after processing more than 11B records of breached data. You’ll get a glimpse behind the scenes of what caused some of these devastating incidents and how they continue to wreak havoc today, despite how much more aware the industry is becoming. It’s a frightening, eye-opening and entertaining look at infosec and data breaches.
Concurrency abstractions for application security
Automatic memory management all but eliminated entire classes of security vulnerabilities through high-level abstractions for application developers. Statically typed languages aim to reduce exploitable bugs even further. Can additional abstractions around concurrency, isolation and fault tolerance provide similar benefits? In this talk we explore ideas from the Erlang virtual machine and how they compare to other languages and runtimes in meeting the security requirements of modern networked applications. Do the benefits outweigh the lack of static type checking? And what challenges remain?
Protect Your Code with GitHub Security Features
Creating modern software has a lot of moving parts. We all build on the shoulders of giants by leveraging closed/open source packages or containers that other people have shared. That makes securing our software a lot more complex as well! In this session you'll learn what possible attack vectors you need to look for, how to protect yourself against them and how to leverage GitHub's features to make your life easier! Topics:
* Signed Commits
* Dependabot updates
* Dependency scanning for known vulnerabilities
* Secret scanning (and revoking) out of the box
* Using CodeQL
Competence Development Through Capture the Flag and Virtual Hacker Labs
Capture The Flag is a well-known concept in the cyber security community, which is fun and motivating due to the high degree of gamification. On the other hand, the first steps into the CTF world can appear steep. In this talk, Jens Myrup Pedersen will share his experiences in using CTF for education, where he has had good experiences with ordinary education, part-time/continuing education, and company-specific trainings alike - for example by combining mini-lectures with hands-on challenges, and by carefully selecting challenges to support learning objectives. The aim of the talk is to inspire you to improve competence development in your organization using CTF as a motivating and inspiring tool.
Has My IoT Device Been Hacked? Establishing Trust with Remote Attestation
IoT devices are becoming more prevalent in our daily lives, with applications ranging from smart homes to industrial automation systems. These devices are often connected to sensitive information and resources and are vulnerable to a wide range of security threats. For example, an adversary can use compromised IoT devices to disrupt their operation, steal sensitive information, or gain unauthorized access to resources, and the consequences could be fatal. Aimed at providing integrity guarantees, Remote Attestation (RA) has been proposed as a security technique that allows a remote entity to verify the trustworthiness of a potentially compromised device. RA checks the software integrity and detects unexpected modifications in device configuration. In particular, RA allows an untrusted device to generate reliable evidence about its current state and convince a remote Verifier that the device is running legitimate software. RA can be used to respond to security threats, to minimize the impact of security breaches and to ensure that devices are operating securely. The RA protocols proposed in the literature make different assumptions regarding device architectures, attack scenarios, and security requirements. This talk first gives a brief introduction to IoT security and Remote Attestation. Then, it presents the most significant RA schemes in the IoT domain through a three-fold discussion: (1) reviewing the working mechanisms of the state-of-the-art RA techniques in the IoT domain, (2) discussing the attestation mechanisms for IoT swarms, and (3) presenting future challenges and promising research directions.
Shaping Language in Cybersecurity For People
Our words often have more power than we realise. Cybersecurity uses words in ways that can often confuse people who are looking for support. It is often said that cybersecurity needs more people to be focused. But again, these are just words; what does that actually mean? The talk will start by addressing how language influences people within the security field, before moving on to focus on how positive language can be used to build confidence and capability in people so they can feel safe online.
Principles For Secure and Reliable Systems
Whether you're building a new system with an established team, trying to tame a legacy ecosystem, or starting from scratch, how you think about security and reliability has a big impact on how hard they are for you to achieve. In this session I'll give you some tools for reframing the way you think about these problems, and explore how they're linked, too. Specifically, we'll look at security and reliability from the perspective of design principles, both in terms of the technical design of your system architecture and security and operations tooling, and in terms of the design of the organization that's doing the work, especially how it communicates and makes decisions. By the end of this talk, you should understand some of the structures you need in place to achieve good and sustainable outcomes for your team.