Last weekend, 240 people attended CircleCityCon, Indianapolis' first major security conference. It was an amazing time, offering a chance to learn from a wide range of professionals.
There were more than thirty talks recorded at the event, thanks to Adrian Crenshaw (@irongeek_adc) and his team of volunteers. Salted Hash has included some of the videos below, but all of them are worth a look. In fact, Irongeek has recorded hundreds of talks over the years, and his archive of security footage is impressive.
Today's post serves as an update to my coverage of CircleCityCon, but it's also the tale of how I learned an important lesson.
This post, and the future articles based on the talks from this year's CircleCityCon, almost didn't happen. On Monday morning, my mobile office (a ThinkPad T430s) fizzled out. At first, it was determined that the video card had died, but once that was fixed, the system was still hosed. Ultimately, it was a RAM issue.
The reason that hardware failure almost led to disaster is that I hadn't made backups of my notes. I had handwritten notes, and a few recorded interviews, but nothing that would really help develop a story. In fact, a majority of my working data was on the laptop.
Usually, when I connect my laptop to the home network, the backups kick off immediately and my notes are stored properly for later use. However, my failure is that on Sunday morning, just before I left my house to give a talk on dealing with the media, I assumed the backup was finished.
That assumption cost me dearly, because the backup wasn't done; it was corrupted. I learned this critical detail on Monday morning as I attempted to recover notes due to the busted video card. Making matters worse, my backups are sent off-site, and this worked as planned, but those backups were corrupted too. Oh, the joys of technology.
IDG Enterprise, my employer, pays extra to extend the warranty on my laptop, so it only required a series of phone calls to fix my problem. It slowed my workflow, but thankfully it didn't cause it to grind to a halt. However, the lesson for everyone is that backups are great, but they're only useful if they're tested and legitimate. Corrupted backups are just as valuable as having no backups at all.
My world has righted itself, but I have come to realize that my archive process could be better tuned, and obviously I failed when it came to verification and testing. Thanks to Irongeek though, I was able to re-edit my notes and finish them off.
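The verification step the post describes skipping is easy to automate. The shell script below is an added example and is not from the post or from the author's own backup setup: it builds a tar.gz archive of a notes directory, records a SHA-256 checksum next to it, and refuses to report the backup as finished until the checksum still matches and a full test extraction succeeds. The paths, the `notes` directory and its contents are all constructed for the demo.

```sh
# Added example (not from the post): a backup is only "done" once it has been
# verified. Two checks: the recorded checksum still matches the file, and the
# archive can be read back in full. The paths below are constructed for the demo.

# make_backup SRC_DIR ARCHIVE : create ARCHIVE (tar.gz of SRC_DIR) and ARCHIVE.sha256
make_backup() {
    src="$1"
    archive="$2"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # record the digest at creation time; every later copy is compared against it
    sha256sum "$archive" | cut -d' ' -f1 > "$archive.sha256"
}

# verify_backup ARCHIVE : print "ok" and return 0 only if both checks pass
verify_backup() {
    archive="$1"
    # check 1: integrity. A bit-flip or truncation in transit (for instance on the
    # off-site copy) changes the digest, so it no longer matches the recorded value.
    expected=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch"
        return 1
    fi
    # check 2: readability. A matching digest only proves the file is unchanged
    # since it was hashed, not that the archive itself is sound, so do a full
    # test extraction into a scratch directory and throw the result away.
    scratch=$(mktemp -d)
    if tar -xzf "$archive" -C "$scratch" >/dev/null 2>&1; then
        rm -rf "$scratch"
        echo "ok"
        return 0
    fi
    rm -rf "$scratch"
    echo "archive unreadable"
    return 1
}

# Stand-alone demo: back up a constructed notes directory, verify it, then damage
# the copy and show that verification now fails instead of reporting success.
demo() {
    work=$(mktemp -d)
    mkdir "$work/notes"
    printf 'CircleCityCon notes, day 1\n' > "$work/notes/day1.txt"
    make_backup "$work/notes" "$work/notes.tar.gz"
    echo "fresh backup: $(verify_backup "$work/notes.tar.gz")"
    # simulate a damaged off-site copy: keep only the first 40 bytes of the archive
    head -c 40 "$work/notes.tar.gz" > "$work/damaged" && mv "$work/damaged" "$work/notes.tar.gz"
    echo "damaged copy: $(verify_backup "$work/notes.tar.gz")"
    rm -rf "$work"
}

demo
```

The second check is the one that matters for the situation in the post: if the checksum is computed after the damage (or the damage happened before the archive was hashed), the digest looks fine and only the test extraction reveals that nothing can be restored. Running `verify_backup` against the off-site copy, not just the local one, catches the case where the transfer succeeded but the data did not.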
The following videos represent a small subset of the more interesting talks I was able to catch while at the conference. Fair warning: these talks were recorded live, so the language in some of them is not safe for work.
Proactive Defense – Eliminating the Low Hanging Fruit w/ Matt Kelly
Every year the pen testers (or bad guys) come in, they find that one missing 08_067 or default Tomcat password and own the network. This talk was inspired by the frustration of constantly running into the same exact issues on penetration tests, and the huge challenge IT has in securing their network. This talk will go over the top security failures we find and, more importantly, easy things blue teams can do to get rid of the low hanging fruit and make your pen testers work hard to escalate privileges.
OWASP Top 10 of 2013 – It’s Still a Thing and We’re Still Not Getting It w/ Barry Schatz
The top 10 web application vulnerabilities, as determined by OWASP in 2013, grouped by similarity of the items. Each item will be presented with practical prevention strategies to fix these web security issues.
How often should you perform a Penetration Test w/ Jason Samide
How often should your organization conduct a penetration test and what is in scope? I get this question quite often from customers and colleagues. There really is no one correct answer, but there are some guidelines I promote and adhere to... With the threat landscape changing daily I am not suggesting you perform a ‘pentest’ daily or weekly, but it is very necessary to complete one.
Seeing Purple – Hybrid Security Teams for the Enterprise w/ Mark Kikta
By combining both red and blue team operations in your organization, you can develop comprehensive security exercises that will not only help you identify holes in your existing procedures, but also help you develop new ones all while keeping your team at the top of their game. This talk will explore blueprints for creating such a team, how to integrate it into your existing hierarchy, and how to make it fun!
Moving the Industry Forward – The Purple Team w/ David Kennedy
Let’s start off with a strong statement – pentesting today isn’t working. The blue team today isn’t working. When a pentest occurs, even done by some of the industry’s leading folks and the quality is there – the pentesters go in, blow stuff up, write the report and leave a trail of destruction to be cleaned up until the next pentest... This talk goes into how to structure the best and most effective purple team within an organization as well as walk through a number of different attacks and how to defend against them.
Over the coming weeks, I'm going to do more in-depth articles on some of the topics presented at the show, but I felt it was worth sharing the talks here and offering a link to an amazing archive of security information.