GLSEC 2018 Program & Schedule
April 30th, 2018
The Eberhard Center
7:30 AM Check in
8:00 AM Coffee and Light Breakfast
8:45 AM Opening Remarks
Matt Fletcher: Conference Chair
9:00 AM - 10:00 AM | Featured Speaker
Aaron Bedra: It Starts and Ends with You
Security starts and ends with you. Developers of systems have the responsibility to ensure that security is built in. Join Aaron as he walks you through the security skills you need as a developer, identifying common gaps and misconceptions and sharing resources to help you improve your security knowledge. Aaron will identify critical areas of security knowledge and describe the most important security skill you need as a developer.
10:00 AM - 10:15 AM | Short Break
10:15 AM - 11:00 AM | Session Talks
Brittany Postnikoff: Defending Against Robot Attacks
Many people have a plan to make it through the robopocalypse (robot apocalypse), but in this talk we put these plans to the test. We start our discussion with a quick overview of the physical and social abilities of current robots, mainly as a way to inform the people who haven’t taken the time to think about what their life might be like if robots were to take over. We follow this by doing live demos of robot physical and social engineering attacks, and some of the defenses that we have employed to protect ourselves from these risks. By the end of this talk you can walk away with effective and practical defenses that you can use in your workspace and home today.
Gary Coburn: Defense in Depth, Google's Methodology for Security
Ever consider what Google does to meet scale and security requirements? How about if that methodology could be used for your business?
In this session we will dive into the security and privacy focus that Google uses to secure the entire world. You'll get an understanding of just how paranoid Google is when it protects user and corporate data. You'll get a chance to understand everything that goes into a secure yet scalable solution at Google. Leaving this session you will understand the background and the scale at which Google continues to learn from each consumer product and how they continue to be applied to the new computing solutions and offerings that Google brings to the market. You will get to see how hardware, encryption, and policy are enforced throughout the Google infrastructure and applications.
11:00 AM - 11:15 AM | Short Break
11:15 AM - 12:00 PM | Session Talks
Brian McKeiver: Doom, Gloom and the New GDPR, What's a Web Developer To Do?
The new General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. If you haven't heard of GDPR, the summary is that organizations must respect and protect their subjects' data at all costs. While this new data privacy regulation originates from Europe, US-based companies should reconsider neglecting this on the simple basis of unfamiliarity/geography. Join Brian McKeiver as he explains how this regulation came to be, how it compares to other regulations like HIPAA and PCI in the web world, and why GDPR matters to developers and organizations that run enterprise websites. Attendees can expect to learn all of the above plus receive tactics and strategies that help deal with data consent, data portability, the right to be forgotten, and how much responsibility you might have as an agency, or developer, of your customer’s data.
Aunshul Rege: A Temporal Assessment of Adversarial Intrusion Chains, Adaptation and Group Dynamics Using a Real-time Cybersecurity Exercise Case Study
Conventional cyberattack management is response-driven, which is now considered inadequate, especially in managing adaptive adversaries. Furthermore, the human aspect of adversaries is often downplayed in the technical cybersecurity domain. How do they behave, adapt, and manage defender threats? How do they engage in group dynamics and decision-making? How can these aspects be measured?
Using a Criminological framework and empirical evidence of observations and interviews done at a force on force ("paintball") exercise held at the 2015 North American International Cyber Summit (NAICS), this talk focuses on human behavior in cyberattacks. Specifically, this talk covers how adversaries might engage in research and planning, offer team support, manage conflict between group members, structure attack paths (intrusion chains), manage disruptions to their attack paths, and how limited knowledge bases and self-induced mistakes can possibly impact adversaries. Also discussed are issues in measurement and metrics in capturing human behavior effectively. Finally, the talk discusses how observations from a cybersecurity exercise can be further assessed using various data science techniques to delve further into adversarial behavior.
12:00 PM - 1:15 PM | Lunch and Community Discussion
Tech Talks | Meetups and Beyond
Moderator: Danielle Cimek
Midwest Tech - Jonathan Jelks
MI3d.co - Christopher Kaminsky
BitCamp - Beth VanSlyke
CyberPatriot - Tamara Shoemaker
1:30 PM - 2:30 PM | Session Talks
Kelley Goldblatt: Cyber Threats in Michigan
This talk will explore what the Michigan Cyber Command Center (MC3) is and how it benefits Michigan organizations and residents. It will explore State and Federal cyber security resources. Real-world examples will also be used to help explain some of the cyber threats currently impacting Michigan organizations and residents.
Michael Swieton: The Art & Craft of Secrets: Using the Cryptographic Toolbox
Picking an encryption algorithm is like choosing a lock for your door. Some are better than others - but there's more to keeping burglars out of your house (or web site) than just the door lock. This talk will review what the crypto tools are and how they fit together with our frameworks to provide trust and privacy for our applications. We'll look under the hood of websites like Twitter, at game-changing exploits like Firesheep, and at how tools from our application layer (Rails), our protocol layer (HTTP), and our transport layer (TLS) combine to build user-visible features like single sign-on.
2:30 PM - 2:45 PM | Short Break
2:45 PM - 3:30 PM | Session Talks
Chris Winczewski: Identity Access Management & Privacy by Design: A Win-Win Opportunity?
Three market forces are changing the internet's status quo that we are all so familiar with. You know, the one which requires us to remember hundreds of username/password pairs while also placing a major security burden on the companies storing our personal information. The first is regulation. General Data Protection Regulations (GDPR) go into effect 25 May 2018. Companies can be fined 4% of annual revenue for GDPR violations. The second is the trend to fire individuals who handle personally-identifiable-information (PII) and their executives after data breaches. The third comes from individuals themselves who are requesting more control over their personal information. Is there a solution which solves these issues while preserving individual privacy? This talk will present a number of technology components that are coming together in ways that will either empower individuals to control their digital identity or completely strip them of all privacy. As technology implementers, the choice is ours.
Kimberly Wolting: Welcome to the Dark Side: Anticipating Threats with Dark Personas
You may be familiar with traditional user personas that help us understand who will be using our products and why in positive and expected ways. But what about users who have malicious or harmful intentions? This talk will examine case studies where use of “dark personas” has come in handy. Then learn how you can use this method to identify patterns, plan for securing your work, and build products that contribute to a safer, healthier software space.
3:30 PM - 4:00 PM | Afternoon Ice Cream Break
Come and get it! Love's Ice Cream
4:00 PM - 4:45 PM | Session Talks
Dave Poortvliet: Tracking Low Energy Bluetooth Devices
How secure is your location while using a fitness tracker? One overlooked security issue is how wearables emit a persistent low energy Bluetooth signal, exposing the device’s MAC address and allowing anyone with an Android phone to track their location. Watch in horror or amusement how I easily set up a device to track the breakroom usage of my co-workers by tracking their Bluetooth devices.
Sara-Jayne Terp: Social Engineering at Scale
Social engineering at scale explores the online misinformation crisis, how psychology is being used to spread misinformation, how organizations are using data to combat the issue, and how misinformation might reshape the use and economics of the internet. It looks at the wider structure of online misinformation and the long-term structural problems it's likely to cause across society and the internet (with potential mitigations), beyond the misinformation itself (detection, tracking, etc) and individual perspectives (journalism, political science, etc).
4:50 PM | Wrap up and Closing Discussion
5:00 PM Let's get the party started!
Post Conference Mixer
Grand Rapids Public Museum.
The Grand Rapids Public Museum is a very short walk from the Eberhard Center. There will be food and beverages. Most importantly, interesting people and conversations.