Business – Adapting to Change

Cybersecurity Training for the Enterprise

Dennis M. Allen

Much as physical safety in the workplace must be everyone’s responsibility, so must good cyber safety become habit for everyone throughout an organization. Annual data record losses are now in the billions. Breaches and incidents result from stolen credentials, phishing, privilege abuse, malware, and numerous other methods. Protecting “the business” requires much more than simple, annual computer-based training done in order to check a compliance box. Indeed, everyone throughout the enterprise does require baseline training to support best practices; but also require a specialized plan to help them truly understand how their actions impact the success of the organization.


Dennis Allen is the Education & Training Technical Manager for the Software Engineering Institute’s CERT Cyber Workforce Development directorate, which has implemented several cutting edge training solutions for the DoD and Federal government. He received his B.S. degree in Computer Science from St. John Fisher College, and his M.S. in Information Assurance from Norwich University. Dennis has been with the Software Engineering Institute for 12 years and has more than 25 years of information technology and security experience with fortune 500 companies, government and military organizations, and many small businesses. He has delivered numerous professional training classes, presented at industry conferences, and taught both undergraduate and graduate-level courses. Dennis is continuously looking for innovative ways to improve education, training, and assessment for the next generation cyber warriors.

Implementing MFA (Massively Favored Authentication) at RIT

Laura O’Donnell, Clay Cooper

How do you implement Multi-Factor Authentication (MFA) for over 25,000 users, in 5 countries, using both university and personal devices, with a population ranging from computer security students through retirees, without having your support desk hate you?

In this presentation, we will discuss Rochester Institute of Technology’s implementation of MFA. We will discuss the roadmap, starting with the requirements, product selection, rollout, and ongoing support of MFA. This presentation will include the challenges, lessons learned, and success stories.

We look forward to explaining this implementation and discussing what lies ahead for RIT and MFA.


Laura O’Donnell is a Senior Project Manager who works at Rochester Institute of Technology where she is known as the project manager that takes on the “quirky” projects. She manages IT security, audit remediation and the compliance programs.

Projects she has enjoyed the most include: The implementation of multi-factor authentication, anti-virus software, RACF, and P2PE with PCI Compliant software/hardware. She has developed processes to locate and remediate sensitive data, managed business continuity projects, vendor relationships, and has implemented an Institute print management project. Laura has been fortunate to work with and learn from the incredible RIT staff and students. They are never boring and she is amazed by their talent and fortitude.

She holds a master’s degree in service innovation, a bachelor’s degree in business administration and a certificate in Project Management from RIT.

Clay Cooper is part of the team responsible for identity management at the Rochester Institute of Technology where he supports authentication-related services: LDAP, SAML, and Kerberos. He also provides security, authentication, and authorization consulting on departmental and university-wide projects and most recently he has been the technical lead for RIT’s campus-wide MFA implementation.

Clay’s primary motivators are to reduce the number of passwords people have to forget and reduce the number of times users are prompted for credentials while not compromising the security of sensitive data.

In addition to holding a BA in Computer Science from SUNY Geneseo, Clay is also a Red Hat Certified Engineer, amateur radio technician, and a licensed boater in New York state.

Making Sense of Multi Factor Authentication

John D. Flory III, Jeff Miller

Everyone should be doing multi-factor authentication. We all know this, so why, for example, are less than 10% of Gmail users not implementing it? It comes down to education. What problem is MFA solving? Using the answer as a springboard, we’ll discuss the impetus behind MFA, the different on-prem and cloud options, pricing models, best practices, and implementation “gotchas”.


John D. Flory III, recognized cyber security expert, will be sharing his insight and experience in the realm of physical, social and cybersecurity concepts. During John’s 22 year tenure in the security field he has spoken at numerous conferences including keynoting at the Symantec Global conference, New York State School Boards Association, New York Bankers conference, Entrepreneur Organizations, New York State Department of Homeland Security forum and several other diverse venues. John’s hands on security experience dealing with real time cybersecurity attacks and remediation make him a valuable resource for an organization’s cyber preparation process. John’s leading edge approach has allowed him to help create human firewalls as one of the key pillars of defense.

Jeff Miller is a unique blend of engineer, teacher, and evangelist of all things cybersecurity. His roots in cybersecurity stem from his engineering degree and tenure at the nation’s second largest law firm; where he regularly defended against ransomware, the hacktivist group Anonymous, distributed denial of service attacks, and various other threats. Jeff spends much of his time educating organizations on how to adhere to both security regulations and best practices around cybersecurity. Jeff lives, breathes, and bleeds cybersecurity. It’s not just what he does; it’s who he is.

The Evolution of Segmentation: How Network Segmentation and Micro-Segmentation Aid in Threat Isolation and a Secure Posture

Matt Ostrowski

Segmentation is a way to isolate devices and applications of similar type, function or requirements. Essentially, this sets the groundwork for a more secure and manageable environment. By grouping like systems together you are better able to isolate them, restrict access to them, and in the case of a breach, limit the impact. With an ever-increasing attack service, segmentation isolates critical, managed infrastructure from other more vulnerable devices. In addition, by taking it further into the data center, we can monitor east west traffic and prevent unauthorized lateral movement. In this session, learn how to plan, implement and manage a segmentation strategy.


Matt Ostrowski, with 15 years of industry experience, focuses on building out IT infrastructures for a wide range of environments using a vast array of products and tools. Matt prides himself on evaluating the entire ecosystem to make suggestions that will ensure a secure and stable IT environment. When not designing networks, Matt enjoys riding his motorcycle both on the road and track.

Integrating Third Party Scoring Services into Your Enterprise KPIs

Joe Corsi, Tony Karakashian

As scoring services such as SecurityScorecard and BitSight continue to gain in popularity with clients and vendors, Paychex Inc. has taken steps to accept and socialize these scores internally and to incorporate these metrics into their current set of key performance indicators. With the inclusion of an “outside” scoring entity into their current portfolio of security metrics comes a myriad of challenges, as relates to socializing scores to key decisions makers, convincing development and operations resources of the validity of the scoring, and developing internal process improvements to ensure the SDLC remains uninterrupted, when critical findings may be found mid-delivery cycle.


Joe Corsi is currently serving as a Senior Security Manager for Paychex Inc.; a Payroll, Human Resource and Employee Benefits service provider. He is currently responsible for teams dedicated to Security Engineering and Architecture, Vulnerability Assessment and Management, Risk, Compliance and IT Audit, Security Projects, Metrics, and Reporting.

Joe has a bachelor’s degree in computer science from St. Bonaventure University and has a master’s of business administration degree (MBA) from the University of Rochester’s Simon School of Business.

Prior to joining Paychex in 2012, Joe served in the US Army as both an Infantry and a Military Intelligence Officer with a focus in Signal/Cyber operations.

Tony Karakashian is a mild-mannered father and the licensee for TEDxRochester, by day, and seasoned information technology professional, by night. Driven by a desire for peak operational efficiency, he has, in his 20+ years in the field, left a wake of astonished managers, satisfied customers and admiring colleagues behind him. In his spare time, he likes wreaking change on the unsuspecting city of Rochester as well as writing about himself in the third person.

Specialties: Windows 2003/2008, Active Directory, Citrix Xenapp Server, VMWare ESX Server, Visual Basic & VBScript, Linux

Bug Bounty at my Org? It’s More Likely Than You Think

Ashley Rider, Andrew Durgin

In the age of crowdsourcing, the gig-economy and what seems like daily breach disclosures, Bug Bounty programs offer an attractive supplement to your security program; allowing researchers world-wide to assess your virtual assets and be rewarded for their findings. However, many organizations are rightfully hesitant to allow strangers to hack their systems and to then trust them to securely disclose the findings. You may wonder if a Bug Bounty program is right for your organization and whether it can be as valuable as vendors may lead you to believe. The speakers will address these concerns by sharing real-world experience from two large financial organizations who strategically adapted their security programs to utilize Bug Bounty.


Ashley Rider has worked at Paychex, Inc since graduating from college in 2005 and has 14 years’ experience across multiple disciplines within Information Security, including Security Identity Management, Security Engineering, and Vulnerability Assessment and Management. She is currently responsible for managing the Security Assessment team. Ashley graduated from the Rochester Institute of Technology with a bachelor’s degree in Information Technology. Ashley works to build strong cross-functional partnerships and to continuously improve security across the entire organization, all within a complex and continuously changing threat landscape.

Andrew Durgin joined the USAA Information Security team in December 2017, to focus on Web Application security. Prior to this, Andrew worked for over a decade at Paychex, Inc., serving in various roles in Information Security, including Security Engineering, Security Assessment, and Security Operations Management. Andrew graduated from Rochester Institute of Technology in 2005 with a bachelor’s degree in information technology. Andrew finds satisfaction in providing realistic solutions that enable the organization, while at the same time strengthening their security posture.

Be a Hero with DMARC: Save Your Customers and Partners from Internet Villains!

Stephen Mitchell

HealthNow New York, Inc. adopted aDomain-based Message Authentication, Reporting and Conformance(DMARC) reject posture in September 2017, for all but one of their domains; and it only took five months! No problems!

But according to the November 2017 Agari DMARC report, DMARC adoption is still low. Why? We think it’s because DMARC is not an alluring topic at the top of everyone’s task list and there’s no easily digestible content available to help those looking to start down the path to DMARC reject.

In this presentation we’d like to share the options they have for implementing DMARC, and the strategy and tactics we all can use to become DMARC heroes.


Stephen Mitchell is a Senior Information Security Analyst at BlueCross BlueShield of Western New York. He loves helping people defend their enterprise’s data, streamlining business processes, and improving integrations between information risk controls. He has spent the majority of his career in the corporate information security field gaining experiences in cyber threat intelligence and incident response, easy administration of systems, and telling people why email is the worst thing ever. While delivering sustainable security solutions is his primary, every day job function, Stephen also enjoys sharing his knowledge with others and building long lasting relationships with his peers through the healing power of karaoke.

Time Is Not on Your Side – The Legal Risk of Ransomware

F. Paul Greene

A ransomware attack not only poses a security risk, it creates legal risks that can cripple an organization, even if, from a technical perspective, it is able to recover fully. This presentation outlines the legal risk arising from a cyber extortion attack, and provides an actionable outline of how to address legal considerations before, during, and after a you receive that first ransom note. Some of the questions addressed include: Has my organization appropriately planned for this event? Whom do we call first when we first see the ransom note? Are our communications concerning the attack privileged, or can they be used against us? Will our carrier pay for our forensic support, and how about the ransom? and Do we have to report this and when?


Paul Greene is Chair of the Privacy and Data Security Practice Group at Harter Secrest & Emery LLP. He is a seasoned breach coach with deep experience in ransomware and cyber extortion events. Before an event, he aids organizations in conducting appropriate pre-breach planning and incident response drills. During the event, F. Paul oversees all aspects of incident response, helping the organization properly position itself for quick recovery, managing regulatory and litigation risk, and preserving the attorney-client privilege and appropriate incident related documents and artifacts. F. Paul publishes and speaks internationally on cyber-security issues, is an adjunct professor at the Rochester Institute of Technology, teaching Information Security Policy and Law, and is a Distinguished Fellow of the Ponemon Institute.

Business – Agility via DevOps

Security and Chaos Engineering

Sean Atkinson

This presentation will review chaos engineering principles and the application of information security to an agile development process. In it, we will discuss the automated adversary emulation concept, as a way to introduce “chaos” and provide new capabilities, from an agile perspective.


Sean Atkinson is Chief Information Security Officer of CIS (The Center for Internet Security). Prior to CIS, Sean served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe. In addition to his work with CIS, Sean is also an adjunct professor of Computer Science at the College of Saint Rose.

Prior to GLOBALFOUNDRIES, Sean led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014 and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.

Sean was born in Brooklyn, N.Y. and lived in England for 18 years, graduating Sheffield Hallam University in 2000. After moving back to the United States, Sean has pursued multiple degrees and certification in the IT arena.

Beyond Prevention: Detection and Response in the Modern Enterprise

Mike Schladt

In this discussion Fishtech (CYDERES) will share its vision for the moving of organizations from traditional prevention based security models to a position from which they are capable of responding quickly to advanced threats, in near real time. This discussion will explore leveraging orchestration and automation along with DevOps technologies to augment human expertise, through automation, collection, enrichment, and the post-processing of telemetry and events across technology independent platforms.


Mike Schladt, CYDERES Detection Engineer, is an Information Security Engineer with over 10 years’ experience performing malware analysis, reverse engineering, digital forensics, and incident response. His previous roles include leading malware analysis at the USAF National Air and Space Intelligence Center as well as at General Electric where he performed multinational incident response investigations and researched innovative detection and response capabilities. Mike has presented research at public and private national cybersecurity conferences and taught Network Security Monitoring at the University of Cincinnati. Mike lives in Cincinnati Ohio with his wife, Jessica, and their dog, Seeley. Mike and Jess are both graduates of the University of Kentucky, School of Engineering (and by definition, avid UK Basketball fans).

Five Steps to a More Secure DevOps Environment

Bill Malik

Many organizations are adopting DevOps in order to seize market opportunities ahead of the competition. Building information security and risk management into this new development pattern is challenging. In this session, hear five recommended solutions for introducing information risk management into your systems development life cycle and three strategies for building the business case for management. Understand how to incorporate legacy ICS and contemporary IoT programs into DevOps securely, reliably, and safely. Learn valuable recommendations for improving DevOps by incorporating information security and risk management, all based on where your development organization is today.


William Malik is VP of Infrastructure Strategies at Trend Micro. As a founder of Gartner’s Information Security Strategies service in the mid-1990s, Bill has deep expertise in information security matters. He has spoken internationally on information security, identity management, privacy, business continuity, and enterprise architecture. During his IBM career he guided the mainframe operating system zOS (then MVS) through the process leading to a NIST/NSA B1-level security rating. He taught a graduate class on Information Security Policy at Georgia Tech.

Don’t Call Me a Firewall: A Formula for Creating Cybersecurity Superheroes

Brian Murphy

The data is present, visible and irrefutable – people are our biggest cybersecurity risk. And while security pundits evangelize the failures of security awareness and corporate budgets continue to be wasted on human security; the rest of us persevere, knowing that awareness is but one part of the security equation – the most difficult one. Firewalls are programmable, portable and predictable; people are none of that. And until we realize that security people aren’t good at solving psychology problems, we’ll continue to wallow in cyber-disappointment. Join GreyCastle Security as we dive into the human psyche and the tips, practices, and Jedi mind tricks we use to effectively transform corporate citizens into cybersuperheros.


Brian Murphy brings his expertise in Governance, Risk and Compliance in Banking and Manufacturing and has over 10 years of experience, specifically in Identity and Access Management, Policy and Procedure Review, and Control Gap Analysis. Brian maintains Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC). As part of the GreyCastle team, Brian is a member of the Business Services, focusing on delivering Awareness programs and client training sessions.

Small Business Privacy and the GDPR: How Did We Get Here?

Chaim Sanders

Over the past year we have seen organizations frantically attempt to prepare for the European Union’s General Data Protection Regulation, or the GDPR, as it’s more commonly known. Large organizations were hiring lawyers, sending out new privacy policies, and positioning their products to market “GDPR compliance”. While these organizations have the budgets to prepare for this large and nebulous piece of legislation, smaller organizations continue to struggle with understanding GDPR and the steps they need to take. In this talk we will investigate the minimum requirements outlined in GDPR and the multinational history of how we ended up with the GDPR.


Chaim Sanders is the Security Lead at ZeroFOX, an organization devoted to social media security. He is also the project lead for the OWASP Core Rule Set (CRS) and a co-lead for OWASP Baltimore. Currently Chaim’s specialization centers around web application security. Chaim frequently shares his research at many conferences nationwide, as well as on various blogs. Prior to his current employer, Chaim has worked for several governmental contractors, security research organizations, universities, and commercial contractors providing security driven consulting and development expertise. Chaim holds a bachelor’s and a master’s degree in information security from the Rochester Institute of Technology (RIT), where he still lectures.

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

Michael Melore, CISSP

New methods are required to address threats that are increasing in frequency, sophistication, and impact; all in a climate of increasing cost restraints and shortages of resources and skills. Traditional security controls and response can’t possibly keep pace.

Private and State sponsored dark web actors are well orchestrated, use innovative AI technologies, are able to leverage Digital Currencies; and their R&D produce wares, designed to circumvent traditional security practices, have changed the game. New and innovative security approaches are now required.


Michael Melore is an IBM CyberSecurity Advisor, Certified Information Systems Security Professional, and recognized subject matter expert in Security Intelligence, Data Protection, Identity Access Governance, and Authorization. His unique security perspective is frequently reflected in his published articles. Consulting roles include: Lead architect for many of the largest secured authentication and billion-user authorization infrastructures.

Speaking engagements include passionate discussions correlating blended threats across physical and logical infrastructure boundaries, Cognitive Security, Threat Hunting, Security Intelligence and Response, Identity Access Management and Governance, Defense in Depth, Security Immune System, Cloud Security, and Billion User Identity Crisis.

Sex, Lies and Mobile Devices: The Seedy Underworld of Mobile [In]security

Daniel Gibson

The smartphone in your pocket has, quite literally, transformed every facet of your life. From commerce and communications, to entertainment and awareness; mobile devices have become our most prized possessions, almost overnight. But along with these amazing advances in technology have come very serious security and privacy risks, many of which go unnoticed, unmanaged or even unknown. The device in your pocket has become the Big Brother we always feared, and the worst part is this – you agreed to it. Join GreyCastle Security as we demystify the security and privacy risks of your smartphone and provide practical tips for dealing with this new phenomena.


Daniel Gibson (CISA, CISSP, MBA, M.S. Cybersecurity) is a Senior Security Specialist at GreyCastle Security. Prior to joining GreyCastle, Daniel served as the Director of Information Security for the Ayco Company (a Goldman Sachs Company), and in IT Advisory Services at Ernst & Young. Additionally, he has held roles managing information technology and security initiatives in various industries; including healthcare, finance and technology marketing.

His 10+ years’ experience in IT and cybersecurity includes extensive experience in risk assessment and management, incident response, HIPAA, ISO 27001/2, NIST 800-53, SOX, GLBA, vendor risk management, contracts, security awareness training, and leading comprehensive enterprise security programs.

Time Is Not on Your Side – The Legal Risk of Ransomware

F. Paul Greene

A ransomware attack not only poses a security risk, it creates legal risks that can cripple an organization, even if, from a technical perspective, it is able to recover fully. This presentation outlines the legal risk arising from a cyber extortion attack, and provides an actionable outline of how to address legal considerations before, during, and after a you receive that first ransom note. Some of the questions addressed include: Has my organization appropriately planned for this event? Whom do we call first when we first see the ransom note? Are our communications concerning the attack privileged, or can they be used against us? Will our carrier pay for our forensic support, and how about the ransom? and Do we have to report this and when?


Paul Greene is Chair of the Privacy and Data Security Practice Group at Harter Secrest & Emery LLP. He is a seasoned breach coach with deep experience in ransomware and cyber extortion events. Before an event, he aids organizations in conducting appropriate pre-breach planning and incident response drills. During the event, F. Paul oversees all aspects of incident response, helping the organization properly position itself for quick recovery, managing regulatory and litigation risk, and preserving the attorney-client privilege and appropriate incident related documents and artifacts. F. Paul publishes and speaks internationally on cyber-security issues, is an adjunct professor at the Rochester Institute of Technology, teaching Information Security Policy and Law, and is a Distinguished Fellow of the Ponemon Institute.

Technical Track

Advanced Penetration Testing Techniques

Joe Testa

This presentation will cover three advanced penetration testing techniques: 1.) SSH man-in-the-middle attacks, 2.) Remote Desktop man-in-the-middle attacks, and 3.) using a reverse-engineered version of the Sysinternals PsExec tool to evade detection while using the pass-the-hash technique against Windows systems. These techniques have been field-tested to be highly effective at catching IT admins off-guard and silently widening access to an internal network.

The design and internal construction of each tool will be analyzed, followed by a demonstration of each. Because the presenter authored tools #1 and #3, above, the analysis will be in-depth and quite technical.


As a seasoned security consultant, Joe Testa has over 15 years of experience in the information security industry. He specializes in penetration testing, server & network hardening, source code auditing, and social engineering. In his spare time, he volunteers as a board member and the treasurer of BSides Rochester, a 501(c)(3) charity responsible for hosting an annual information security conference.

Prior to founding Positron Security, Testa excelled as a security researcher and vulnerability test programmer for Rapid7. He holds a Master of Science degree in computer security and information assurance from the Rochester Institute of Technology, along with a Bachelor of Science degree in psychology and computer science from the University of Maryland at College Park.

Staying Sharp and Keeping Your Edge (Practical Tips for Keeping Up to Date)

Eric Anderson

Change is constant, and in the world of cybersecurity, it is incredibly fast and frequent. Keeping up with it all can be daunting, but there are ways that everyone can keep their knowledge, skills and experience up to date – without breaking the bank! Join us for a discussion and demonstration of several simple, practical methods to help you stay on top of your game. We’ll discuss various resources for self-research and education, weigh the merits and methods of formal training, and explore how to facilitate learning while doing. We’ll spend most of our time watching live examples of how to learn through exploration and experimentation in your own easy-to-create lab environment.


Eric Anderson has been “engineering” in the cybersecurity business for over 20 years and has been in IT longer than he cares to recall. For the last 18 years his responsibilities have included making occasional presentations, speaking, and formal training. He’s worked closely with leading developers of product training, to help improve their courseware with a focus on making hands-on lab work more realistic, engaging, and dynamic. He’s found particular interest in finding ways to simulate real world scenarios in safe and simple simulated environments.

Security Automation: Blessing or Curse?

Jonathan Borgesen

Over the past five years the Cyber Security landscape has changed drastically. Since 2013 there has been 9,727,967,988 records lost or stolen. There are currently around 7.6 billion people on the planet. 2 billion more breaches than there are people in the world!

Based on this explosion of malicious activity explosion of malicious activity, organizations are looking for ways to decrease the amount of time that bad processes are running on a network. Typically, this is attempted by sharing information between tools while leveraging automation through API’s. However, this tends to be a very time extensive and complex method which can leave organizations unable to take full advantage of the investment they made.

There is a better way. Robotic Process Automation (RPA). With RPA, organizations can create an agnostic approach to automation that doesn’t require days of coding or scripting (as API’s tend to require). Instead, an integration can be programmed within hours. Depending on the integration, an organization can shorten their threat window from years, months, or weeks – to minutes. This inevitably provides greater value to current legacy tools. Additionally, it allows understaffed security teams to focus on strategy rather than spending cycles reviewing logs and manual investigations.


Jonathan Borgesen is the Principal Security Consultant for SMP. Jonathan has a decade of experience in the Cyber Security Industry. During that time Jonathan has focused on educating organizations on modern threats as well as the best course of action to protect against those threats. Through this methodology, Jonathan has assisted many organizations in meeting their security goals, whether it be on the Endpoint, Network, or Cloud. Jonathan is passionate about leveraging automation to assist organizations ability to address skills shortages and an increasing threat landscape.

Machine Learning in Information Security

Dain Perkins

This presentation will discuss machine learning topics as they relate to information security (MLIS). Topics will begin with some important taxonomy and nomenclature, then move through basic models and types of learning. We will discuss some techniques that have proven useful in the real world and finish up with some thoughts on where MLIS might be headed. Today’s session will be delivered from the perspective of a security guy who has realized that paying better attention in Calc. 3 would have been really helpful.

This presentation will boil down some of the ocean of information gathered in recent months to focus on understanding the point of AI in security, some of the models used for anomaly detection & threat hunting, effectively putting AI to work in the infosec space, and how these techniques can help address real world challenges.


Dain Perkins has been working in the Information Security / Information Technology space for just over 25 years. He is currently employed at PatternEx as Director of Sales Engineering; working with clients, data scientists, programmers, and product managers to develop new and better ways to employ advanced machine learning techniques that address the problems of threat detection. Dain holds a BSc in IT/IS and is a CISSP.

Exploring How Memory-Mapped Files Hide From Antivirus and Execute Malicious Code

Ben Holder

Did you know, that not only can well-known exploit code be dumped into memory-mapped files (MMF) and remain undetected, but that attackers can use to C# to execute that code directly out of MMF.

Join Sirius penetration tester, Ben Holder to find out how shell dumped into non file-backed MMF can remain undetected while in-depth scans are run, and learn techniques that will allow a memory address to be repeatedly identified and utilized for code execution.


Ben Holder has over two decades of IT security experience working as a penetration tester, security researcher, and all-around “breaker of things”. He spent 10 years in the U.S. Navy, and led the CCNA/MCSE education courses that submariners went through prior to assuming IT leadership positions within the fleet. He subsequently worked in submarine weapon system R&D for General Dynamics as the security implementation and design lead. For the last six years, he has focused on penetration testing, gap and regulatory assessments (GRC), and security team development. He currently helps manage and develop Sirius’ Threat Assessment Program.

Adopting AWS – Learn How to Deploy AWS Services Securely

Jeremiah Sahlberg

Implementing new technologies without fully understanding their capabilities can lead to disaster for your organization and your customers. Amazon Web Services (AWS) offers a plethora of services that provide large computing capacity to companies and individuals, quickly and easily. Unfortunately, we’ve recently seen major corporations sustain large breaches as a result of this practice. How and why are S3 buckets getting compromised? How secure are serverless websites? In this presentation we will take a deep dive into AWS and the shared responsibility you and Amazon have to protect your cloud assets. You’ll walk away with the necessary tools to safely and securely deploy solutions into AWS.


Jeremiah Sahlberg is the Director of Information Security at Tevora and has over 20 years of security experience. He holds CISSP, CISM, PCI QSA certifications. Mr. Sahlberg is an executive security consultant and advises clients on establishing security programs and compliance management.

Previously, Mr. Sahlberg held the Senior Director of Protect Operations at NBCUniversal and was the CISO for Tekmark Global Solutions.

Mr. Sahlberg has presented at NCUA-ISAO (2018), NCTA (2017), SINET (2016), New York State Cyber Security Conference (2014 & 2012), and Nevada Digital Government Summit (2010). He guest lectures at NPower and sits on the BoA for Liberty University’s School of Engineering.

Building the Panopticon: Logging and Alerting With Free Tools

Matthew Gracie

The goal in Jeremy Bentham’sPanopticon was to allow for the complete observation of a large building by a single watchman. This is similar to what threat hunters and blue teamers want – a single point from which to observe all potentially malicious activity happening on a network. This talk presents a toolset that can provide this visibility using a mixture of no-cost and open source tools, deployed on commodity hardware. Learn how to set up alerts for software installations, service restarts, honeytokens, or any other indicator, for zero additional dollars in security spend.


Matthew Gracie has over a decade of experience in information security, working to defend networks in higher education, manufacturing, and financial services. He is currently an Information Security Engineer with Blue Cross and Blue Shield of Western New York. Matt enjoys good beer, mountain bikes, Debian-based Linux distributions, and college hockey, and can be found on Twitter as @InfosecGoon.

Data Hoarders: Finding Needles in Stacks of Needles

James Pleger

Over the last 10 years, security has gone from “We need more data!” to “Please don’t send us anymore”. This talk will review techniques and strategies designed to help analysts, hunters and engineers take a more successful approach towards analyzing large (TB+) amounts of data. By the end of the talk, participants should have some new ideas and approaches on how to tackle finding needles in a mountain of needles without getting overwhelmed.


James Pleger, CYDERES Director of Threat Intelligence, has been working on security problems for over 12 years, focusing primarily on the defensive side. He has held a wide range of positions; from reverse engineering software in assembly to building high performing threat intel teams. Over his career, James has worked on many interesting projects; including large scale malware analysis platforms and automated exploitation tools.

OWASP AppSec Track

What is the Android Colluded Applications Attack and How to Detect It

Igor Khokhlov & Leon Reznik

We present our study on the colluded applications attack in Android OS; its definition, possible scenarios of its exploitation, and developed methods of detection. We analyzed and classified existing techniques of detection and mitigation in relation this attack. Our analysis allows us to formally define the colluded application attack and to develop an attack model. We will present numerous scenarios of the colluded applications attack exploitation and discuss the results of their simulation. Regarding attack detection, three classifiers are developed and examined. Developed classifiers are based on various machine learning techniques. We will present results from each classifier’s performance in detecting attacks and analyze their recognition accuracy.


Igor Khokhlov is a Ph.D. candidate. He conducts research on data quality and value evaluation for sensor-originated data. Igor’s fields of interest include Android OS, cyberssecurity, and AI.

Leon Reznik is a Professor of Computer Science (primary affiliation) and Computing Security (secondary affiliation). His current research concentrates on data quality and security evaluation and assurance, cognitive sensor networks and systems, intelligent intrusion detection, and big data analytics.

Pentesting DevOps: Attacking Containers and Container Orchestration

Mark Manning

Monolithic applications are a thing of the past but our job as security professionals is to review them from a security perspective. This talk will review container technologies (e.g. Docker), as well as container orchestration technologies (e.g. Kubernetes, Marathon). We will cover new container-centric OS’s like CoreOS and what security implications exist for each. What is their threat model? What does a “pen test” against these technologies really mean? We’ll include real-world exploit scenarios we’ve seen in client environments.


Mark Manning is a Principal Security Consultant with NCC Group with a focus on enterprise devops and container technologies. He has worked with numerous clients on Docker, Mesos, Rancher, CoreOS, Kubernetes, and other container-related technologies. He’s performed penetration tests to breakout from container to host, architecture review of devops and container orchestration systems, and research on container technologies. Mark also works on mobile applications, general application security, and security reviews of privacy and pseudonymity technologies like Tor. He also is a BSidesROC and Rochester 2600 organizer.

Rocking The (Vox)Vote

Jason Ross

VoxVote is a nifty little live voting app that turns out to have terrible security. Messing with it gives us a great opportunity to learn common flaws in REST API design, and the process an attacker uses to target these common resources.


Jason Ross is a Senior Consultant with NCC Group, a global information assurance specialist providing organizations with expert security consulting services. Jason began working with NCC Group in 2010, based out of the New York City office. Jason has performed security research in the following areas: web applications, devops security, mobile device & application security, and malware analysis. Jason has given talks at at Blackhat DC, BSides Las Vegas, DerbyCon, and DEF CON Skytalks; as well having spoken at many regional conferences across the United States. Jason has developed and delivered training tools and programs on topics such as advanced mobile penetration testing, android forensics techniques, and enterprise-level malware analysis. Jason is also FEDRAMP certified and is an active part of the NCC Group 3PAO service offering.

Your Apps Have Gone Serverless. Has Your Security?

Tal Melamed

The revolution came and went. No shots were fired, but lots of chaos ensued. You finally got your head around containers and Docker, and your teams have moved on to serverless. There are many benefits to moving to a serverless architecture.

Does that mean that our applications are now safer, or are they vulnerable to the same attacks that we are used to in the monolithic architecture? Along with its advantages, serverless architecture presents new security challenges. Some of these security threats are equal to those we know from traditional application development, but some take a new form.


Tal Malamed has 15 years’ experience in the information security field, specializing in security research and vulnerability assessment. Prior to being the Head of Security Research at Protego, Tal was a tech leader at AppSec Labs, leading and executing a variety of security projects for serverless, IoT, mobile, web, and client applications, as well as working for leading security organizations, such as Synack, CheckPoint, and RSA.

Techniques Criminals Use to Break Authentication and How to Defend Against These Attacks

Danny Harris

Providing access to systems should be done in proportion to risk. Higher value systems with sensitive or confidential data require greater protection. Traditionally, passwords have been used as the way to gain access to systems, yet often they can’t provide sufficient protection because they may be weak or rely on poorly implemented password authentication services.

In this presentation, you will learn:

  • Some common attacks against passwords and authentication services, to help you understand how to better design and protect applications against criminal attackers
  • Password and authentication-related security patterns
  • Techniques to improve the security of your passwords and authentication processes


Danny Harris has been an information and application security practitioner for over 20 years. He is knowledgeable in all phases of the secure software development life cycle (SDLC) and is responsible for the creation and delivery of application security training and SDLC assessment programs at Security Innovation. Previous teaching experience includes seven years as an adjunct professor for the Computer Security and Forensic Investigation program at Wilbur Wright College and as a security instructor for the SANS Institute.

Did You Just Break My Auth

Aditya Balapure

Authentication has been a major pillar underlying the security health of the public web. As privacy and security have evolved to make the web more secure, so have bad guys evolved better tactics. This talk will cover how bad guys have targeted web authentication.


Adi Balapure is an Information Security Team Lead at Grubhub Inc., and a builder, breaker, and cyber defender at heart. He likes to evangelize Information Security, go after bad guys in video games; loves security in general, speaking at conferences and is an avid fan of pop rock music. With multiple years of experience in all forms of security, some of his core interests are in the field of Application, Cloud Security and Malware Research. Hit him up on twitter @adityabalapure

Understanding Web Application Firewalls with Open Source ModSecurity and OWASP Core Rule Set

Tin Zaw

Everyone who has ever used, or attempted to use, OWASP ModSecurity Web Application Firewall, knows something about fine-tuning rules. ModSecurity Core Rule Set (CRS) was designed to catch more, show more and to let you decide what to do with security alerts. It is a time consuming, and often frustrating, exercise to analyze alerts – to separate the wheat from the chaff and then determine which are candidates for blocking. With thousands of servers at more than 100 locations, Verizon Edgecast CDN is one of the world’s largest deployments of OWASP Core Rule Set. We will share our experience in fine-tuning the CRS for a large number of customers, adjusting for their tastes regarding risk and their attitudes toward false positives.


Tin Zaw has served as Verizon Digital Media Services’ director of global security solutions since 2015. He and his team provide managed and professional security services, protecting their clients’ web properties from external threats. He launched the services during his first year at Verizon and continues to grow the business each year.

Prior to joining Verizon, Tin led web and product security teams at AT&T and Intuit. He previously designed and implemented security products at Symantec and participated in the early days of the web infrastructure at Inktomi, which later became part of Yahoo! and now Verizon. He started his career by programming network protocols at QUALCOMM and Cerner.

Tin graduated with a bachelor’s degree in computer science from Pittsburg State University, Kansas. He earned a master’s degree in computer Science from the University of Southern California and an MBA from the USC Marshall School of Business.

The Industrialization of Red and Blue Teaming

Karlo Arozqueta

The industrial revolution was brought on by purpose-built machinery and automation. A similar revolution has occurred in security and has led to the industrialization of red and blue teaming. In large part, this industrialization has been realized through security instrumentation platforms. We need to readjust, so that we are focusing on security effectiveness and the efficacy of security controls. We need to industrialize our approach to red and blue teaming with security instrumentation through automation, environmental drift detection, prescriptive actions, and analytics that will enable us to finally and empirically manage, measure, and improve security effectiveness.


Karlo Arozqueta has not known life without a keyboard since 1985 when he got his first computer, a Commodore 64. Since that time, he’s watched the age of computers, networking, the Internet and Computer Security turn from hobbies to careers. He’s run his own computer consulting company (a hard drive data recovery company), spent 7 years running the Incident Response team for a major US Federal Agency, and is currently the Director of Engineering covering the US Federal market, for Verodin.

In addition to volunteering as staff at several conferences (ShmooCon, DerbyCon, SkyDogCon), he has spoken at conferences both large and small (GFIRST, ISACA, IR 2017, BSides Springfield, and Outerz0ne to name a few). He enjoys combining comedy and his technical expertise into dynamic “edutainment” that keeps audiences engaged.

Hands-on Training

Ohhhh-Sint: Look What We Found…

Dan Astor & Evan Perotti

The pre-exploitation phase is often considered one of the most important steps of an offensive engagement. Information gained during this phase can be used to better understand the target network and its public-facing resources. However, with their being such an enormous volume of data available and wide number of services in use, obtaining a manageable amount of quality results can be troublesome.

In this lab session, we’ll present several ideas and methodologies that we have used in offensive engagements, to perform effective open-source intelligence (OSINT) and reconnaissance. We will provide resources on how to leverage these techniques, in addition to presenting scripts to help automate these processes.

Participants will Learn:

  • Different forms of passive OSINT activities
  • How to identify target network ranges and domains to develop a footprint
  • How to identify employees of the target to develop a faceprint
  • How to use public information aggregation services to support their faceprinting and footprinting activities
  • How to extract useful reconnaissance information from public datasets (Project Sonar, breach dumps, etc.)
  • How to perform targeted searches to identify potential vulnerabilities and misconfiguration
  • Ways to automate information gathering activities
  • Methods of using gathered information to support offensive operations


Attendees should:

  • Be familiar the Linux (or other *nix) command line
  • Have Docker installed (VM or host) with the ability to run Debian-based containers
  • (optionally) Make accounts for the following services (all are free):, LinkedIn, Google,, SecurityTrails, Censys
    • While not strictly required, some of the activities utilize tools that require an account
  • Note: Necessary course materials will be made available at the start of the training

Please let us know if you would like any additional information about the training.


Dan Astor is a senior operator for Security Risk Advisors’ Technical Assessment team. His focus is in red team operations, network penetration testing, password cracking, and spear phishing. He has been a speaker at BSides PGH, NOLA, and Philly.

Evan Perotti is an operator for Security Risk Advisors’ Technical Assessment team. His focus is in red team operations, network penetration testing, reconnaissance activities, and spear phishing. He has developed a number of open source and private tools to automate common offensive activities.

OWASP Capture the Flag

Jim Keeler

Vulnerabilities in web applications are a prolific attack vector and the developers that create and maintain these network accessible resources are in an opportune position to harden them; but many are unaware of the attack surfaces they are introducing.

What better way to learn how to defend a web application than to role play the attacker? Attendees will be given a vulnerable web application to attack for “flags” that can be redeemed for points on our live scoreboard. Self-organized teams of two to four are encouraged but attendees can be placed into a team at the event; or they can try it solo. There will be help available for those still developing their skills.


Attendees must bring a Wi-Fi enabled laptop capable of running and pre-installed with Docker.


Jim Keeler is a senior software engineer at Calero Software. After 13 years in development he jumped at the opportunity to specialize in security. He currently serves as a member of Calero’s Security Center of Excellence; an internal team that heads security initiatives and promotes security culture. Jim holds a BS in Computer Science from SUNY Fredonia and will be pursuing a GSSP-.NET certification this fall.