Here are some points that I picked up during my attendance:
Bryce talked about a well known issue of developers posting secrets to code repositories such as GitHub or BitBucket. The funniest part of this is that these developers realize their mistake and commit a revision to remove. What happens to the previous commit? Exactly! This same mistake is made by even more developers when you include other cloud technologies like S3 storage. That Wordpress vulnerability that allows file injection can lead to a complete meltdown when the attacker accesses all of your data that is stored inside S3 or other systems. Keep your secrets secret.
Bri explained the challenges in compromising Industrial Control System (ICS) devices. Getting the highest level of privilege on a system doesn’t automatically mean the compromise of the connected devices. There is a secondary payload required to further infiltrate and that secondary payload requires expert knowledge of the ICS being targeted. We aren’t yet at the point of having commoditized malware for ICS.
JC walked us through how he operates tabletop exercises for his clients. There wasn’t anything new for me in this one, but it was a great reassurance that I have been facilitating a quality exercise for all of my clients. I think the attendees should takeaway that there really needs to be a externally hired facilitator to run some of their exercises to work around any of the internal politics or bias. Mr. ‘Junior Infosec' may not feel comfortable calling out the CEO for a wrong answer, but I am happy to do it.
Chad gave us an earful of all the various ways that Windows credentials can be picked and harvested by attackers, both on the wire and on the disk. He even provided a handout with all the additional notes he talked about. This is a very important topic to be aware of because the DBIR has consistently shown that credentials are the most targeted in incidents and breaches. Defenders need to be aware of every possibility of credential compromise in order to put safeguards in place.
Lastly, Lesley gave an inspiring talk about how we as industry have a collective skill to land a plane while not being professional pilots (at least most of us). She went through a great demonstration showing how every person (not an exaggeration) can contribute in some way to improving the security field. We just have to look at ourselves and identify the skills we have and offer the help to others that are trying to learn. No one in this field is an expert at everything, even though its hard to believe with the reputation following many people. We all have skills, and we all have something we want to learn.
My Offer to Help
I consistently see advice given to new folks in the field, or those trying to get into the field, that blogging is one of the best ways. This allows you to demonstrate the skills you have and gives you a reference on your resume. You don’t have to post about the latest research on the newest malware. Focus on the skills you have that you can share with others, or document your journey of learning a new skill. Communication is a critical skill in this industry and I challenge you to find a job listing that doesn’t ask for someone with ‘good communication skills’ or the ‘ability to explain technical concepts’. Blogging is pure demonstration of that ability.
I want to put the offer out there to anyone who wants to get into blogging but is too shy to get it rolling. If you enjoy my style and reading my posts, then reach out to me so that I can help you. I can help you to organize your thoughts into a post that flows. I can help you come up with topics. I can help you improve on your writing skills. I am even happy to have you post on this blog.
My DMs are open on twitter, and my email is email@example.com. Your move.