BSides Cleveland 2016

There are a lot of different talks that are on specific topics, but it's not possible to cover everything in depth. This will be an actual discussion on security, focusing on YOUR questions.

This talk shows how to use one line of PowerShell in different ways to get meterpreter on a system. Beginning with the creation of a malicious ps1 file using msfvenom, starting a handler, and hosting the malicious ps1 for targets to download. Once the target runs the one liner, it'll download and execute the malicious ps1 file giving you a meterpreter session. I then go over different ways to get targets to run the one liner using a Teensy, a shortcut on a network share, a macro enabled spreadsheet, a misconfigured mssql server (blank SA), and using ysoserial to exploit vulnerable java deserialization functionality.

Models play a major role in our lives - we start using them as an infant to understand everything from motor skills to social constructs, and continue using them throughout our lives as we develop. We will look at the impact models can have on skills development, security program development, and even dealing with/planning for/analyzing specific threat scenarios. To do this we'll dive into the good and bad of various models at work in the industry today, have a few laughs, and discuss the characteristics that make said models valuable from different angles.

Developers use unit tests and acceptances tests in continuous integration (CI) to find bugs early and often in a repeatable way. Security is an important part of any software development life cycle. So why not add security analysis tools to this pipeline? This talk will cover adding and using OWASP/pipeline, a framework made for running security analysis tools in CI.

A 20 minute crash course on the basics of: Using the WiX Toolset to create your own MSIs. Debugging your MSIs. Creating a UI for your MSIs. Making MSI creation flexible enough for automation.

This talk will focus on the tool Responder and how it can be used by both attackers as well as defenders. We'll review the current feature set, other tools that work in conjunction with it, and demonstrate a few real-world testing scenarios that can be used by penetration testers and blue teamers alike.

The relationship between security professional, and developers often seems adversarial. In this presentation I will be discussing the problems, work-flows and end-goals from the developer and security professional's viewpoint.

I will discuss in depth, the pressures and business needs that often drives development cycles. We'll also be talking about the mind-set of the successful developers you can easily win over, how to do it, and how to expand this to all development teams.

We Security Professionals are also not without fault. Our approach of tracking issues, and throwing tools at the problem just isn't working. I'll be talking about my experiences within different organizations, and how minor adjustments can gain wider acceptance and appreciation for security teams within the organization.

It is hoped by spreading understanding what drives a developer's mindset, as well as the development process, we as security professionals can help them, and ourselves. In outlining the problem, as well as filling in the gaps for those who lack development experience, we can bring security and development onto one team.

We call it security awareness training, but all we ever give our employees is regurgitated knowledge. Their passwords suck, public wifi is bad, and email is deceiving. Mix in some yearly reviews of policies and procedures and you have the perfect recipe for an employee who stopped listening hours ago. You don't truly learn something until you understand "why" and that comes when employees are engaged and motivated. This is my take on how to engage through gaming and why it works

When there is a natural disaster or catastrophic event... who ensures responsibility for recovery or who should? The City, State or Local government, the National Guard, FEMA, non-profits, private businesses, the people, etc., or maybe all of the above. Government emergency operations and disaster relief has been a long standing practice, but what about for "Cyber" Attack or "Cyber" disaster? With Hollywood movies and TV Shows like Mr. Robot, more people are starting to wonder, what would happen... or hopefully what is in place if "something" would happen? In this talk we will go into the history of Local and State Government involvement in Emergency Operations of a catastrophic Cyber Attack. We will also touch on the deep depths of "Cyber" Martial Law.

Food and open bar for attendees. Chill and chat about the talks earlier in the day.