AtlSecCon 2022 has ended
Summit Suite - 608/609
Thursday, April 7
 

10:45 ADT

Responsible Disclosures - The Good, The Bad, and The Beg Bounties
Responsible disclosure programs are a key part of any company's information security program; they allow safe harbour for researchers, hackers, and the general public to contact you without fear of reprisal. They can be a wealth of free information on the security of your company and its products, but also an endless pit of false information, low-level vulnerabilities, and people begging for money.

In 2018 I helped my company (a Fortune 1000 medical device and informatics company) start their first responsible disclosure program. In the 4 years since then, we have learned a wealth of information about how to run, and how not to run, a program like this. Today I would like to talk to you about this very process and how you can start or grow a program at your company. We are going to discuss what a program is and why to have one, the concept of rewards, how to advertise your program and how to manage incoming vulnerabilities, as well as what to look out for along the way.

Speakers

Hayden Stephenson

Security Engineer, ResMed
Hayden is a Security Engineer working with the largest network of connected medical devices in the world. In this role Hayden focuses on establishing  solutions that ensure globally distributed teams can easily achieve security fundamentals and best practices.

Jeff Hann

Engineering Lead, ResMed
Jeff has more than five years of experience in Information Security as an Application Security Engineer. Currently, he serves as the Engineering Lead of a Security Engagement program for a Fortune 1000 medical device manufacturer. Prior to his entry into security, Jeff worked as a...


Thursday April 7, 2022 10:45 - 11:30 ADT
Track 3 - Summit Suite - Room 608/609

13:00 ADT

Enforcing access control in depth with AWS
Infrastructure Security services are seen as the traditional mechanisms for enforcing protection of data. But now Identity and Access Management has to be considered too, to prevent illegitimate access to information, unauthorized usage of services, and tampering of data. This is why, at AWS, Identity and Access Management-oriented services are global services in our portfolio. Implementing a least-privilege model for your workload requires that you consider what permissions each component must have. For example: is it better to assign an IAM role to your Compute instance or to impersonate the initial requestor with their roles and permissions? Are the attributes of the requestor important for your access control logic? Can the context of the request influence how the resource should be disclosed?

Answering those questions will allow you to design and implement access control thanks to a composition of multiple mechanisms. Through this session, we will describe how a very simple web store application will benefit from implementing: identity federation, attribute-based access control, and security token exchange through the usage of the appropriate AWS services.

Speakers

Jeff Lombardo

Senior Solution Architect, Amazon
Jeff is a Senior Solution Architect with strong expertise in Identity and Access Management, Application Security, and Data Protection with Privacy conformance. Thanks to his 17 years as a security consultant for enterprises of all sizes and from all business verticals, he delivered...


Thursday April 7, 2022 13:00 - 13:45 ADT
Track 3 - Summit Suite - Room 608/609

14:00 ADT

Three ways to make your ZT strategy effective
Zero Trust is an architectural approach to improving the security of IT environments. But it can go much further: it can help with industrial control systems and even physical security. We will discuss how zero trust has implications and impact in all three domains, and give attendees a tactical plan for improving resilience and mitigating risk. First, we will define zero trust in a vendor-neutral way. Then, we will see how it applies to cloud and the software supply chain. Next, we turn to the OT domain, and look at Zero Trust in the real world. We close with practical steps to make your enterprise more secure.

Speakers

William Malik

VP of Infrastructure Strategies, Trend Micro
William Malik is VP of Infrastructure Strategies at Trend Micro. As a founder of Gartner’s Information Security Strategies service in the mid-1990s, Bill has deep expertise in information security matters. He has spoken internationally on information security, identity management...


Thursday April 7, 2022 14:00 - 14:45 ADT
Track 3 - Summit Suite - Room 608/609

15:00 ADT

Being A Better Defender By Channeling Your Worst Adversary: Lessons Learned Over the Past Five Years Building Adversary Emulations
My background is on the defensive side, but I always had an interest in the red team side of things. After taking SANS Incident Handling 504 back in 2006, who wouldn’t?

Over the past five years, I have built or assisted with building adversary emulations using techniques that adversary groups from around the world utilize. Why? To help blue teamers identify threats and use their tool sets more effectively, as well as demonstrate the value of certain data sets and techniques that can be applied every day. I’ve been the adversary, and I will share with you my experiences, lessons learned, and pitfalls that I have encountered, and offer guidance that may help you.

Attendees will come away with a better understanding of where scenario-based adversary emulation fits, how to focus your efforts to ensure that everyone is getting something out of it, guidance on data sets, and ideas around where to start when building your scenarios.

Finally, links to existing data sets that we have created will be provided so if you want to see what we produced and use them to improve your own hunting and detection, you can!

Speakers

John Stoner

Principal Security Strategist, Splunk
John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that...


Thursday April 7, 2022 15:00 - 15:45 ADT
Track 3 - Summit Suite - Room 608/609
 
Friday, April 8
 

10:15 ADT

How To Maximize ROI With Frictionless Zero Trust
Security used to be easier when everything could be put into a datacenter and always protected. In today's modern digital transformation, people can work anywhere, and apps live everywhere - on-prem, in the cloud, and multi-cloud, complex environments. This has forced security to go through its own transformation.

As security deployment gets more complicated, it increases costs and breaches. More technology to update and manage, and more expertise required to run and chase down detections, means more breaches. If we look at a typical Zero Trust architecture as shown here, we can see that to deploy each of the key Zero Trust pieces, there is a lot of work and too much complexity.

So, what is the answer? Frictionless Zero Trust. In this session, we will cover how Crowdstrike approaches Zero Trust in a completely different way. How it leverages the platform to automate the decision process as much as possible and how your Security experts can benefit from automation, all while keeping you secure.

Speakers

Stephane Asselin

Country Manager, Sales Engineering, Canada, CrowdStrike
Stephane Asselin, with his 29 years of experience in IT, is a Senior Manager for the entire CrowdStrike Canada Technical Team. He has national responsibility for Canada for a team that works with customers on planning, designing, and implementing security solutions and all processes...


Friday April 8, 2022 10:15 - 11:00 ADT
Track 3 - Summit Suite - Room 608/609

11:15 ADT

A Backdoor Lockpick: Analysing the Loopholes in Phicomm's Backdoor Protocol
The recently bankrupt Chinese tech giant Phicomm installed a cryptographically locked backdoor on each and every one of the routers they released over the past several years. In this talk, I will show how I reverse engineered the backdoor protocol and discovered a series of zero day vulnerabilities in that protocol's implementation. I will also demonstrate a tool I developed to exploit these vulnerabilities and gain a backdoor on any Phicomm router released since 2017, including models released on the international market, and which can still be found for sale on Amazon. Since Phicomm is no longer in business, it's safe to assume that there will never be an official patch for these routers, which means that the surest path for securing these devices passes through this very backdoor.

Speakers

Olivia Lucca Fraser

Reverse Engineer, Tenable
Olivia Lucca Fraser is a reverse engineer on Tenable's Zero Day Research team. She holds a Masters in Computer Science from Dalhousie University and first presented at AtlSecCon back in 2017.


Friday April 8, 2022 11:15 - 12:00 ADT
Track 3 - Summit Suite - Room 608/609

14:00 ADT

Thanks for Leaving the Lights On
This talk focuses on the often forgotten, unpatched, and ignored low-level remote management interfaces that exist in our networks. All the security tools in the world won't save you if a TA can re-initialize your VM storage array.

Speakers

Adam Doherty

Senior Consultant, Strategic Advisory, CrowdStrike
Automator of things, mechanical keyboard enthusiast, and most likely to keep the coffee industry afloat; Adam has been working in IT for over 20 years in various sectors. He is very passionate about making security accessible to anyone old enough to have used VHS tapes, and payphones...


Friday April 8, 2022 14:00 - 14:45 ADT
Track 3 - Summit Suite - Room 608/609

15:00 ADT

The Dirty Dozen - A proven model of human error that can help you reduce cyber risk
The Dirty Dozen refers to twelve of the most common human error preconditions, or conditions that can act as precursors to accidents or incidents, in the aviation industry. Developed by Canadian Gordon Dupont, it became the cornerstone of the aviation industry's Human Factors safety program in the 1990s. That program was a major part of reducing incidents per million departures from 4.0 to less than 0.5 over the past 30 years, a nearly 90% reduction.

In this talk, David will discuss the Dirty Dozen and how they can be applied to cybersecurity to significantly improve awareness programs and reduce cyber risk.

Speakers

David Shipley

Co-Founder and CEO, Beauceron Security
David Shipley is the CEO and co-founder of Beauceron Security. A security professional for more than a decade, David got his start in cybersecurity at the University of New Brunswick in 2012, and the Atlantic Security Conference was his first-ever security conference. Since 2017...


Friday April 8, 2022 15:00 - 15:45 ADT
Track 3 - Summit Suite - Room 608/609