Oklahoma’s Premiere Information Security Conference
April 7-8, 2022
Training: April 7, 2022
Conference: April 8, 2022
BSides Oklahoma is a free information security conference focused on practical, hands-on training for improving security.
Registration is free and includes lunch and a t-shirt! Walk-ins are welcome, but lunch and shirts are reserved for registered attendees first.
BSidesOK is a community-run event. We depend on your support and sponsors to bring you this event each year. Be sure to check out these sponsors that helped bring 2021’s conference together!
Join us for Happy Hour Thursday night before BSIDES! Brought to you by Thales Digital Identity and Security and Fortinet.
Stay in the know on BSidesOK by following us on Twitter. Get updates on the event there such as CFP dates, speaker announcements, swag updates, and more!
Vendor and Contract Management for IT Management and Auditors
1-day training class on April 7 – $250
In this one-day session the class will cover the review process for contracts and service agreements. Students will learn how to perform a high-level review of contracts, and then do a deep dive into the IT-related items. This is a highly interactive, discussion-based class. We will be reviewing contracts and building a checklist for understanding the contract terms. This class will help you provide valuable input to your General Counsel and contract managers, while helping your IT department protect your data and systems.
Red Team Fundamentals for Active Directory
1-day training class on April 7 – $250
Focused on explaining the fundamentals of Active Directory and how different aspects can be exploited during penetration tests, this course covers different attacks and explains the details of why they work. We also explore how an environment can be made resilient to attacks or detect malicious activity. The course includes hands-on exercises exploring misconfigurations commonly seen in Active Directory. We then exploit these issues to pivot and escalate our access, ultimately gaining full control of an AD forest.
Threat Hunting Workshop with Cybereason
1/2 day training class on April 7 (Afternoon-only) – $20
Whether the process is called threat hunting, cyber hunting or cyber threat hunting, each term essentially means the same thing: security professionals look for threats that are already in their organization’s IT environment. This differs from penetration or pen testing, which looks for vulnerabilities that an attacker could use to get inside a network.
Threat hunting isn’t based on flashy technology that will become irrelevant in a few months. It’s a return to one of the basic tenets of information security: reviewing your IT environment for signs of malicious activity and operational deficiencies. With hunting, you can answer the question, “Am I under attack?”
Want to learn how to create an effective hypothesis for a threat hunt? This workshop will guide you through how to generate a hypothesis for a threat hunt, provide use cases you can take home to your current organization’s tools, and give you hands-on experience with the Cybereason platform.
We’re Toast: The History of Toasters is Judging your SOC
J. Wolfgang Goerlich
Wolfgang Goerlich is an Advisory CISO for Cisco Secure. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Goerlich has held VP positions at several consulting firms, leading advisory and assessment practices.
Using DeTTECT and the MITRE ATT&CK Framework to Assess Your Security Posture
Are you capturing the right logs? Are your logs complete? Would you be able to detect the next Solorigate attack? These questions may keep you awake at night. But using DeTT&CT and the MITRE ATT&CK Framework can help you understand where you need to shore up your logging. Let me show you how!
In this session, we’ll discuss why the ATT&CK Framework is important for threat detection. Then we’ll dig into how you can use DeTT&CT to identify the areas of your environment where your logging may not be comprehensive enough to catch the threats in ATT&CK. It’s a fun exercise and very visual. Best of all, I’ll walk you through the steps you’ll need to perform to set this up on your own.
A Hacker’s View of Your Vulnerabilities
In this talk Geoff Wilson will detail the hacker’s view of your vulnerabilities and how many of the targeted weaknesses are not on your radar. Geoff will detail associated exploits, best practices for thwarting these attacks, and how to manage vulnerabilities in 2022.
Geoff Wilson, CEO of Go Security Pro, will detail the hacker’s view of your vulnerabilities and how many of the targeted weaknesses are not on your radar. Geoff will detail GO’s most reliable Red Team exploits and the most effective strategies for thwarting these attacks in 2022. Geoff will also discuss incorporating the hacker’s view of your vulnerabilities into your vulnerability management program. This talk is appropriate for both security leadership and technical cybersecurity personnel.
The Untapped Potential of Today’s Youth
What if the answer to the cyber security gender and employment gaps lies in the potential of today’s youth? Most schools teach digital literacy; however, this isn’t enough to pique an interest in cyber for students, particularly young girls. Let’s end the disconnect between industry and education.
It is well known that the global demand for cyber security professionals outweighs the current supply. It is also known that a significant gender gap still exists as men outweigh women 3 to 1 in the field. What if the answer to both lies in K-12th graders, particularly young girls? This talk will discuss the untapped potential in today’s youth, the gender stereotypes in STEM and cyber education, and what you can do to better equip K-12 schools and educators for a cyber-oriented curriculum.
Cracking the Perimeter with OSINT
My favorite thing about video scoping calls is seeing the shocked look on a customer’s face when I start asking questions like: are you still running 2 on-prem Exchange servers? Did you upgrade your SolarWinds Serv-U? Is the default helpdesk password still Company123? All of this and more from OSINT!
How does an attacker fingerprint your organization for a targeted attack? What information can be gleaned from the internet? In this talk we will demonstrate how we use OSINT to assist in scoping an engagement and building a profile we can use on our assessments. We’ll use real-life examples and show the tools, techniques and procedures that enable you to identify your organization’s attack surface and how you can reduce it. You’ll learn what secrets your DNS records are giving up, how to use Google to find information, how to leverage Shodan to identify leaks like SMB or DNS, and how we find valid usernames and passwords to spray at your VPN!
Uncovering the Spies: Validating Vulnerabilities within Applications
This talk will walk attendees through the validation process during a penetration test using real world examples.
With the growing need for application security and the testing from security researchers, bug bounty programs, and penetration testers, organizations and their staff must understand how to take in vulnerability reports and quickly validate the finding. This validation includes not only determining the validity of the flaw but also the risk it exposes the organization to. In this demonstration, Kevin Johnson of Secure Ideas will walk attendees through these validation techniques and show attendees the techniques he and his team use in their daily workflow.
The Cyber Insurance Market: Pitfalls and Premium Hikes
Kevin A. Sesock
Rising premiums? Denied coverage? Told to buy “cyber insurance” and you’re completely lost? Unlike car insurance, Cyber is an immature, rapidly changing market, with skyrocketing rates and cancellations, and even war clauses being used to deny claims. Let’s discuss the pitfalls of cyber insurance.
Blue Teaming is all about risk, and we can’t talk about cyber risk management without talking about risk transfer: buying insurance. The cyber insurance market has been a roller coaster these past few years, with insurers exiting the market, premiums skyrocketing, claims being denied, and policies cancelled. Most companies just check the “cyber insurance” box without ever giving thought to what they’re buying, how it will protect them, and what it means in their cyber risk management toolkit. We’ll spend an hour thinking about how to make an informed decision, how to avoid last-minute cancellations, and what happens during a claim.
Three’s Not a Crowd: Why Account Tiering is Critical in Windows Environments
When it comes to Windows environments, effective account and device tiering is critical for protecting an organization’s systems and data. Three accounts isn’t too much; three’s (or more) company. I’ll be covering what tiering is and often overlooked areas that should be separated. And demos!
When it comes to security, the goal is to make an attacker’s job as difficult as possible. The more hurdles they must jump through, the easier it should be to detect and stop them. Unfortunately, common practices around how and where administrative accounts are used in Windows environments reduce the race down to only a couple of jumps (or maybe just a sprint). Through examples of what I have seen while testing multiple organizations and a demonstration or two, this session will show why device and account tiering is critically important for making a network a virtual obstacle course.
Third-Party Risk Management & Supply Chain Security
COVID disrupted supply chains critical to our society, exposing how vulnerable they are. Supply chains are more than logistics, more than risk assessments, SOC reports on a vendor’s cybersecurity, or due diligence. Supply chains need ongoing monitoring and third-party risk management. TPRM is key.
This presentation will give attendees the processes and procedures they will need to properly select a vendor, perform due diligence, determine inherent risk, calculate residual risk, manage contracts, establish ongoing monitoring, document and report to senior management and the board, maintain oversight & accountability and terminate vendors; all while protecting their supply chains.
An Insider Threat: What is Social Engineering?
As a now-retired criminal/behavioral profiler, I will engage the audience by outlining the psychological aspects of social engineering, data breaching, and the prevention of data loss, and by converting your everyday social and observational skills into profiling techniques.
Retired criminal profiler and hostage negotiator Crux Conception has taken his years of training, education, and experience to develop a method that will allow individuals within the tech community to use social, people, and observation skills to detect potential theft and acts of company espionage, by converting your ordinary social and observational skills into simple criminal/psychological profiling techniques.
When we hear the word “Ransomware,” is it so hard to believe that, before a cyberattack is initiated and hackers/cyberthieves penetrate your online security system, someone on the inside offered valuable information to the hackers, giving them the ability to hold your company for ransom?
Are we that naive to think that an individual or organization, worlds away, actually knows how much a company is willing to pay? Are we that unaware to think that someone on the inside supported the hackers/cyberthieves with valuable information regarding your company’s security system and protocols?
Why is it so hard to imagine that someone inside has specific information about how much a company is willing to pay and how much its product is considered a valuable resource to its vast customer base?
For example, what if AT&T had a disgruntled employee (with pertinent knowledge regarding AT&T’s security system and protocol)? To a social engineer, this is the perfect candidate to recruit, gather valuable data from, and then relay that information to a team of hackers/cyberthieves.
WHAT IS SOCIAL ENGINEERING:
Social engineering may appear to be innovative, technical experimentation, but its fundamentals are very straightforward to comprehend. Social engineering is the ability and talent to emotionally influence individuals to take a specific action or divulge data.
Social engineering can occur offline or online; however, online social engineering has become ubiquitous over recent years. Depending on the engineer’s expertise and what they seek to achieve, the social engineering con can motivate the potential target to take swift, imprudent actions, or earn the victim’s trust as the first move.
This can either be a swift and straightforward one-time occurrence or transpire in complex phases over a prolonged interval. Social engineering is a highly evolving form of confidence scheme.
This lecture will display individual methods used to infiltrate social media accounts with fake accounts and collect data from unknowing account holders (using altered photos that will appear original and pass a “Google photo search,” disseminating false or misleading information, and more).
The presentation will engage the audience: we will focus on their psychological motivations to identify the emotional precursors. We will combine open discussions, media, and PowerPoints to illustrate cultural adaptation, borderline personality disorder, psychological autopsy, and precursors to espionage, spying, and theft of data.
The presentation will give participants innovative insights to conduct psychological field profiles/assessments and verify potential risk factors. This presentation will outline the mental aspects of Data Breaching and possible prevention of Data Loss.
In today’s cyber-risk and cyber-security world, we sometimes forget about the individuals or suspects behind the breach, attack, or theft. We neglect these individuals until it is too late and the damage has been done.
Individuals such as:
Edward J. Snowden, the media hails him as a “whistleblower,” but Snowden stole data belonging to the NSA and disseminated said data to unauthorized individuals.
William Binney (NSA)
Jose Ignacio Lopez (GM) Chief of productions accused of corporate espionage.
Steven Louis Davis (Gillette) Pleaded guilty to theft of trade secrets.
Patricia Dunn (Hewlett-Packard) Involved in a spying scandal.
Ross Klein and Amar Lalvani (Starwood Hotels) downloaded confidential Starwood information to use later at Hilton.
Lessons Learned from Cultivating Open Source Projects and Communities
Over the last decade, I’ve had the privilege professionally of building and cultivating some Open Source projects and communities. To start off, this isn’t a tools talk; this is a talk about the soft skills you have to have to be able to succeed as a leader in an Open Source project. My journey started tending the frequently asked questions for a small Linux distribution called CRUX, and then years later professionally moved to the OpenStack-Chef project to build OpenStack clouds. Along the way I’ve grown other projects and helped build tooling and communities, some successful and still running today, others just flashes in the pan.
I’ve learned a ton on this journey (honestly, I still am), but I have some lessons that are hard learned, and hopefully I can warn of pitfalls that can cause wasted cycles and pain.
I’ll be going over:
– This isn’t a tools talk
– Scoping your project
– Empathy and audience is important
– Successful traits of Open Source projects
– Clear Vision
– Have a plan to move on if needed
– Honestly, is it even worth this hassle?
Digital Forensics: Reconstructing an Attack in Modern Web Apps
Application security struggles to keep up with modern development. Attacks against applications will only continue to grow. Web3? DevOps? Pipeline? Supply chain? With so many buzz words amidst a myriad of undiscovered vulnerabilities, where does your incident response team start after an incident?
With modern application development moving at a fever pitch, application security is struggling to catch up. Attacks against applications continue to grow in the wild west of new and untested development ideas. Web3? DevOps? Pipeline? Supply chain? With so many buzzwords and an untold number of zero days yet to find, where does digital forensics fit? Where does your incident response team even start after an incident?
Join us as we discuss the wild and wacky world of digital forensics in the modern era of application development and develop strategies to prepare your application security team for a breach.
Making the Right Call: Officiating Football and Infosec
Football refs and infosec practitioners have a lot in common! We deal with unpopular decisions, are expected to be perfect, and, of course, are always wrong. This talk will focus on my experiences both as an infosec professional and a TX HS football official.
In today’s world, we understand that analogies are an effective tool for communicating complex, technical topics to those with limited experience in them. The inverse is also true, in that we as infosec professionals can leverage the same process for learning from a ‘sportsball’ context. This talk will focus on my experiences both as an infosec professional and a Texas High School football official. Both offer striking similarities, and truisms from one can equally be applied to the other. We will discuss how we as infosec professionals can communicate unpopular decisions better, deal with irate coaches and customers, how other entities tabletop, and how other industries/avocations face many of the same battles that we face but have developed efficient philosophies and structures to respond effectively and positively to those challenges. Lastly, we will address dealing with mistakes and adversity. You will leave with a greater understanding of what a football official does, how officiating relates to infosec, and insight into the time and energy that go into being a quality official, and why you shouldn’t yell at referees.
Practical Open Source Intelligence
Alex Slotnick ‘BOsintBlanc’
Open source intelligence is a rich source of data for blue teams. However, how and why to make use of it can often elude us. This talk aims to equip defenders with the tools to make use of publicly available information and enrich their defense.
In this talk BOsintBlanc walks defenders through 7 fundamentals of Open Source Intelligence while detailing their best uses and practical applications. Through a case study conducted and investigated prior to the event, he will showcase how and WHY your team should be utilizing this rich data source.
Cameras, CACs & Clocks: Enterprise IoT Security Sucks – A Story of Two Million Interrogated Devices
Working with Fortune 500s & government agencies we’ve interrogated over two million production IoT devices. We’ve identified threats & trends, compiled statistics, summarized cases, & evaluated common offenders. We’ve assembled tactics that organizations can employ to mitigate risks.
Enterprise Internet of Things (IoT) security today is analogous to IT security in the mid 1990s. It was a time when security awareness was limited, countermeasures and best practices weren’t broadly applied, and attackers explored, compromised, controlled, and exfiltrated data from systems with minimal resistance. In short, enterprise IoT security sucks as bad today as that unpatched Windows NT 3.51 server with an RS-232 connected modem that IT forgot about.
Working globally with Fortune 500 enterprises and government agencies we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow.
Security issues are compounded by the quantity of IoT devices. Our analysis indicates that most organizations have about five IoT devices per employee. The global IoT market has grown from $100 billion in 2017 to over $1 trillion in 2022. There are over 46 billion connected devices today and 30 billion (65%) of those devices are IoT. We are increasingly dependent on consumer, enterprise, industrial, and military IoT devices for cost reduction, supply chain logistics, productivity gains, security, and everything in between. Despite the criticality of IoT, our security hasn’t kept pace. In the enterprise, we’ve identified that we simply don’t know:
● What IoT devices we have – guesses based on legacy asset discovery solutions are consistently off by at least 50%
● When our firmware was last updated – in many cases the firmware is end of life and the average IoT firmware age is six years
● If our credentials follow organizational policies – passwords that are default, low-quality, don’t have scheduled rotations, and lack centralized management are the norm
● How vulnerable our IoT devices are – at least half of the IoT devices we’ve interrogated have known, high to critical level CVEs
While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security.
● Discover your IoT devices, diagnose their security, and define their limitations
● Employ tactics to improve your IoT security and communicate their status to stakeholders
● Restate key findings derived from the interrogation of two million production IoT devices
Cryptography: 500 BC to HTTPS
Have you always wanted to learn more about cryptography? This high-level survey of centuries of crypto takes the audience all the way from “simple” Caesar ciphers in ancient Greece to Enigma in World War II to HTTPS, concluding with practical advice for how the audience can maximize HTTPS security.
Many developers have a just-keep-HTTPS-working understanding of cryptography, and would like to learn more.
This talk starts with the simplest (and oldest) forms of secret communication: from the first invisible ink, to the ancient “scytale” anagram tool, to Caesar ciphers used in ancient Greece and Rome. These simple techniques give an accessible introduction to fundamental aspects of all cryptographic systems throughout history. In particular, they introduce the establishment of a secure “key exchange”, which will be shown throughout the talk to be the most important and practical knowledge for developers.
From those ancient foundations, it explores the evolution of cryptography over centuries of “battle” between code-makers and code-breakers: from frequency cryptanalysis of the Islamic Golden Age, to the Alberti Cipher Disk and the Vigenère Square used in Renaissance and pre-Industrial Europe, to the World War II stories of making and breaking the Enigma machine – the first popular use of electromechanical cryptography, and the precursors to modern computers.
Coming into contemporary times, it covers the development of computer cryptography: from the “Lucifer” cipher that would become the Data Encryption Standard (DES), to the Advanced Encryption Standard (AES) used today in protocols like TLS/HTTPS, along with modern key-exchange protocols like RSA, Diffie-Hellman, and Elliptic Curve.
The talk concludes with practical advice for developers to maximize the security of HTTPS and TLS in their applications.
Closing Remarks and Raffle Prizes
Located at the Glenpool Conference Center in Glenpool, OK – just southwest of Tulsa.
Glenpool Conference Center
12205 S Yukon Avenue
Glenpool, OK 74033
Watch the 2021 talks
See you soon!
Code of Conduct
Everyone deserves to attend a learning event, community or professional, with a reasonable expectation of good behavior. The BSidesOK Team expects that while attending this conference you treat everyone with the love and respect you wish to receive. This applies to all attendees, speakers, volunteers, vendors, and anyone in between. We feel that if you do that, then this conference will once again run smoothly and we will all have a good time.
Don’t be an ass!