As CIO, Ms. Evans is responsible for strategically aligning the Department’s Information Technology (IT) personnel resources and assets, including security, infrastructure, and delivery, to support core DHS missions and activities. Ms. Evans previously served as the first Assistant Secretary for Cybersecurity, Energy Security and Emergency Response for the U.S. Department of Energy (DOE). She was sworn in on August 28, 2018, and provided strategic direction, leadership and management to address emerging threats while improving energy infrastructure security and supporting the DOE national security mission. Prior to being named Assistant Secretary at DOE, Ms. Evans was the national director of the U.S. Cyber Challenge, a public-private partnership focused on building the cyber workforce. She served on the Trump Transition and Landing Teams to develop the management agenda addressing technology initiatives government wide. Ms. Evans served as the Administrator for the Office of Electronic Government and Information Technology at the Office of Management and Budget (OMB) during the George W. Bush administration. At OMB, she oversaw nearly $71 billion in annual IT funds, including implementation of IT throughout the federal government. Previously, she served as the CIO for DOE and at the director level with both the U.S. Department of Justice and the Farmers Home Administration. Ms. Evans holds a Master of Business Administration, a Master of Arts Public History certificate, and a Bachelor of Arts in chemistry from West Virginia University.
VASCAN members may also nominate a colleague for the 2020 VASCAN Founders Award. The award is given annually to an information security professional, manager or auditor in recognition of their special efforts to strengthen information security programs in the Commonwealth of Virginia. If you know someone who might qualify, please review details about the award and submit a nomination form.
Thursday October 1, 2020 9:45am - 10:15am EDT
Room A
This lecture provides an overview of Blockchain technology and how Cryptocurrencies work. The lecture will also highlight other applications of Blockchain beyond supporting financial systems. Finally, the lecture will review the general benefits and costs of integrating Blockchain technology into a system. This lecture does not require any prior technical, financial, or legal knowledge. Audience members are encouraged to ask questions throughout the lecture!
Thursday October 1, 2020 10:30am - 11:30am EDT
Room B
The teleworking arrangements for all but essential faculty and staff have separated the workforce from physical records for an extended period of time. The question of the necessity of maintaining physical public records rather than imaged digital versions becomes more important than ever. Yet with reduced resources, caution must be used in determining appropriate candidates for conversion into an electronic data format. Additional care must be exercised when the reformatting involves regulated data with significant security considerations. This presentation will examine how ODU intends to deal with those physical records which are no longer required for business purposes, and those which have active value in daily transactions, risk management and compliance. Following legislation, policy, standards and procedures has never been more important.
Thursday October 1, 2020 10:30am - 11:30am EDT
Room C
The purpose of this presentation is to discuss the process by which we got buy-in for our phishing education program from the university cabinet, changes in our click and reporting numbers, problems and conflicts that we ran into, and how it has affected our annual penetration test, including getting their domains delisted/blacklisted as per our standard phishing procedure.
Thursday October 1, 2020 11:45am - 12:45pm EDT
Room A
The rapid move to remote work brought to the surface several scenarios that were on the books to address "some day". This Birds of a Feather will feature some scenarios encountered at ODU -- from new Telehealth clinics, to printers being brought home, to secure internal file sharing, to an entire COVID back-to-campus project establishing testing and monitoring for faculty, staff and students, as well as provide ample dialogue and collaboration on how to tackle the challenging scenarios faced. Join this lively discussion, where the rubber meets the road, and you will not be disappointed.
Thursday October 1, 2020 11:45am - 12:45pm EDT
Room C
This is a two part briefing, with both sections heavily influenced by the lessons our teams have learned in the field. The first section is a synopsis of the Ransomware threat and how it is evolving. The second section dives into recommendations on how to best prepare your organization to defend itself.
Thursday October 1, 2020 2:00pm - 3:00pm EDT
Room A
During a recent penetration testing engagement I was running out of ideas when it came to getting into the target’s Active Directory. The usual stuff wasn’t working – traditional NTLM relaying with responder, privilege escalation within compromised devices, passing the hash, etc. That’s when I remembered working with an IPv6 DNS spoofing tool during a lab some time ago where I was able to chain a series of vulnerabilities together to get domain admin. I figured it was worth a shot. This proposal is an overview of that attack chain, why it is likely present in most environments, and what we as security practitioners can do to prevent it. What I will discuss:
• Starting with Windows Server 2008/Windows 7, Microsoft has IPv6 enabled by default. IPv6 is also the preferred protocol over IPv4, meaning all DNS queries go there first.
• To prevent traditional Windows Proxy Auto Detection (WPAD) abuse, Microsoft implemented a mitigation in MS16-077 that prevents any device other than the DNS server from providing the WPAD.dat file to clients. Microsoft also prevents clients from automatically authenticating against NTLM requests with this patch.
• HTTP response code 407 “Proxy Authentication” elicits an NTLM authentication response by most modern browsers.
• By spoofing ourselves as the IPv6 DNS Server, proxying traffic through the attacking device, and then serving a 407 “Proxy Authentication” response to the victim we can successfully relay NTLM credentials in an otherwise secure environment.
Beyond explaining the above attack I will explain how this can be leveraged with inherent Kerberos vulnerabilities to create the perfect storm – Domain Admin within 15 minutes. After explaining the attack I will explain root-causes and the mitigations for such attacks.
Thursday October 1, 2020 2:00pm - 3:00pm EDT
Room B
Close your basement door, grab some popcorn, and hear about real world security issues facing your institutions, faculty, and students especially in these intense work from home days but also the attack vectors causing the greatest harm. How quickly could your organization be breached? How could you help? Please join our special guest, David Balcar, a globally recognized security professional, as he will share with you real world experience in the world of cyber security and remember kids “Security never takes a holiday.” (Oh feel free to tweet!)
I. Funny Pics
II. Talk about what is really going on out there
III. Transforming from Legacy to modern security
IV. Talk about IoT, workload and sophisticated APT's attacks... I am looking at you Kim!
V. False Flags? This is not your average flag football game
VI. More funny pics
VII. End!
Thursday October 1, 2020 2:00pm - 3:00pm EDT
Room C
As institutions have shifted their faculty and staff to full-time remote work, IT teams have struggled to maintain a similar level of security controls on endpoints that no longer consistently connect to campus networks. Utilizing cloud-based management tools for endpoint security, VPN border control and device management, ODU has lowered the risks of an increasingly off-premises workforce and developed a strategy towards further assuring compliance in the future. This session will provide an overview of our approach and the direction we are heading using tools such as Microsoft Intune, JAMF, VPN, and CrowdStrike.
Thursday October 1, 2020 3:15pm - 4:15pm EDT
Room A
Configuration Management for Radford University started with Ansible playbooks written and deployed from a single employee's workstation. Playbooks to configure and harden server images, install agents like CrowdStrike and Splunk Universal Forwarder, configure SNMP monitoring, and more! This presentation will cover the challenges of maintaining and sharing these reusable playbooks across multiple teams and departments.
Thursday October 1, 2020 3:15pm - 4:15pm EDT
Room B
If you have been “voluntold” that you are responsible for protecting health data, it is important to understand how the enduring legacy of HIPAA has shaped dataspeak and created expectations that go beyond network security.
Thursday October 1, 2020 3:15pm - 4:15pm EDT
Room C
Security scanning as a black box doesn't always tell the whole story. With more infrastructure managed as code, and more software run in containers, we have more opportunities to scan, typically before we even start things up. This session will give a brief survey of some of the (free) tools that can make scanning easier, and then let's talk about what can be done with all of the new information we can collect.
Thursday October 1, 2020 4:30pm - 5:30pm EDT
Room A
As part of the Collaborative IT Security Partnership for Virginia Higher Education, we will continue our discussion from last year's workshop. The goals of this workshop are to: identify initial proposed services, determine how we can pilot one or more services, get additional buy-in, and determine how we can utilize VASCAN governance. We would also like to look at how shared security services may benefit us given our current environments (remote work due to COVID).
Thursday October 1, 2020 4:30pm - 5:30pm EDT
Room B
Join UVA’s InfoSec Compliance team in a guided forum discussion on the challenges of meeting compliance needs in research and operational objectives in this new, COVID world.
This free class will be about 4 hours long with hands-on labs. It's the first half of the first day of the training class normally taught at Wild West Hackin' Fest.
Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.
In this class, you will learn how to force an attacker to take more moves to attack your network. These moves may increase your ability to detect them. You will learn how to gain better attribution as to who is attacking you and why. You will also find out how to get access to a bad guy's system. And most importantly, you will find out how to do the above legally.
The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. Some of the things we talk about you may implement immediately, others may take you a while to implement. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, attribute who is attacking you and, finally, attack the attackers.
This class is based on the DARPA-funded Active Defense Harbinger Distribution live Linux environment. This VM is built from the ground up for defenders to quickly implement Active Defenses in their environments. This class is also very heavy with hands-on labs. We will not just talk about Active Defenses. We will be doing hands-on labs and working through them in a way that can be quickly and easily implemented in your environment.