BSidesDetroit: Facilitating the Security Conversation

Posted in SecConf

BSides Detroit brings the BSides community to a new level and to a place it has never been before: The Destination Conference.

Having a destination security conference in Detroit is about bringing people from all over the country to Detroit, to talk about technical and non-technical topics, to educate and advance the industry in a location that doesn’t get much in the way of security conferences, but has a relatively large number of IT and security professionals and students who call it home.

Participants. BSides Detroit brings the unconference style to information security meet-ups. BSides is about making a conference of, by, and for the participants. Above all, though, we aim to create community, and to facilitate networking.

Speakers. We like speakers, specifically new and local speakers, not necessarily the people who are all over every other conference. We like content, specifically new and emerging content, and not necessarily the stuff that is all over the media. BSides Detroit is about sharing material frankly, honestly, and directly, for the purpose of informing, educating, and continuing the conversation.

Sponsors. BSides Detroit’s structure creates a higher degree of engagement. Sponsoring takes your message beyond the vendor booths. BSides Detroit takes your engagement beyond passing out swag, goodies, and tchotchkes. Our sponsors send technical staff and thought leaders who discuss real world problems and offer practical solutions. Be prepared to be a part of the conference, sharing ideas, meeting people, and interacting with the local community. Be prepared to be blown away by BSides Detroit.


Information Security Reconciliation: The Scene and The Profession

Whether people want to admit it or not, there’s a strong, concerning segmentation that’s more obvious than ever within information security. Over my 15 years attending information security conferences around the Detroit area and beyond, I’ve seen a departure from the community I once knew and instead see a contentious, biased formation of “us vs. them” happening more than ever. On this 5th anniversary of Security B-Sides Detroit, I will provide an unapologetic perspective of what I’ve seen, what I am seeing, and what I hope to see in the future for the community as a whole. It’s tough to enjoy the big picture when most of us are living in 140-character arguments about topics not worth the middle of a tabloid magazine. So, let’s step back, take a breath, and be honest with ourselves about info sec so we can move on, better than we were before.

Mark Stanislav is a Senior Security Consultant on the Strategic Services team at Rapid7. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 100 events including RSA, DEF CON, ShmooCon, SOURCE Boston, Codegate, and THOTCON. Mark’s security research and initiatives have been featured by news outlets such as the Wall Street Journal, The Register, The Guardian, CSO Online, Security Ledger, and Slashdot. Mark is the co-founder of the Internet of Things security research initiative. He is also the author of a book titled “Two-Factor Authentication”. Mark earned his Bachelor of Science degree in Networking & IT Administration and his Master of Science degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.

Level One: How To Break Into The Security Field

I will be discussing tips on how to get employed in the InfoSec environment. I will also address candidate evaluation and team building. Here is a link to the blog I wrote on this topic.

I have over 15 years of experience within information technology as a systems and network administrator and IT manager. I have worked on network and software solutions for consulting firms, government agencies, and computer manufacturing companies. Outside of work, I’m a full-time student working towards an Information Assurance degree and actively attending InfoSec community events.

Hacker High – Why We Need To Teach Computer Hacking In Schools

The latest studies show that we need more people with cyber smart skills, but many aren’t educated on the underlying security and technologies. As a parent, educator, and coach, the speaker will talk about his experiences in coaching hundreds of high school and college students in information technology and security. You can be part of the solution in meeting the cybersecurity skills gap. Here, you will learn tips, tricks and techniques for teaching security for all levels of students and employees. This session explains why and how they need to learn these skills in a fun and ethical way, through hacking. Let’s work together to raise the next generation of cyber warriors.

Ron Woerner is the Director of Cybersecurity Studies at Bellevue University. He has over 25 years of corporate and military experience in IT and Security and has worked for HDR, TD Ameritrade, ConAgra Foods, Mutual of Omaha, CSG Systems, and the State of Nebraska. Ron earned a B.S. from Michigan State University and an M.S. from Syracuse University. He was awarded the CISSP in 2001, the CISM in 2014, Certified Ethical Hacker (CEH), and Toastmasters Advanced Communicator and Leader designations. He is the Air Force Association CyberPatriot 2013-2014 Mentor of the Year for his work with high school cybersecurity competitions. He loves to talk to others who are passionate about Security and Privacy.

Getting Started – Help Me Help You

You’re pwnt. It’s a Friday afternoon and you just got some sketchy email, some reporter just called your PR person, or the Feds somehow sent you a fax (even though you don’t own a fax machine) and some dudes whose first names start with Special Agent darken your door. They don’t tell you much, so now you’re wondering: WTF should I do? Before you call high-priced consultants (like me), help me help you. Let’s be honest, if you screw things up right at the beginning, I’m going to be there a lot longer than you want me; I’ll be unhappy and you’ll be unhappy with the results. During this talk, I’ll tell you what to do, and what not to do; where to look, and where not to look; what to say, and what not to say when badness happens to you. Also, I’ll walk through a quick scenario and together we’ll stumble our way through a series of free (as in beer) tools to help you collect and store only the valuable, volatile data so you can safely shut down your system, unplug the interwebz, and go out for that well-deserved drink.

Dave has been doing IT and IT Security for nearly 14 years. Prior to its recent acquisition, Dave was the Director of Incident Response for Resolution1 Security. Dave directed security teams and operations for the vaunted General Electric CIRT (GE-CIRT). As a US Air Force Cyber Defense Officer, Dave led Incident Response operations for the groundbreaking AFCERT, helping to develop the “fight-through” cyber defense concept. He also oversaw a joint cyber operations team for the forerunner unit of US Cyber Command at Ft. Meade, MD. In his career, Dave has led Incident Response operations for everything from epic 1000+ system APT intrusions to the latest, lamest, and most painful CryptoWall infections. Dave has previously presented talks on Incident Response operations and Cyber Threat Intelligence at BSidesSF, the Detroit CISO Roundtable, the Defense Cyber Crime Conference (DC3), and Air University. His most recent blogs on cyber security and incident response can be found at [link missing]. A Detroit-area native, Dave is a military and academic honors graduate of the US Air Force Academy and Central Michigan University.

From Blue To Red – What Matters and What (Really) Doesn’t

Attention Blue Team! Have you ever been curious about making the jump to penetration testing? Wonder if you have what it takes to do so? Come hear tales of hilarity and woe from an enterprise defender recently turned to the dark side (professionally :-). You will not only learn critical steps to take and pitfalls to avoid, but also what enterprise controls are a must, and which ones really don’t matter... at all.

Jason Lang has worked in enterprise security for over 10 years in both offensive and defensive roles. He has a passion for helping enterprise defenders who work tirelessly to protect their organizations, writing bug-free code (never happens), woodworking, and telling a good story.

Clear as F.U.D.: How fear, uncertainty, and doubt are affecting users, our laws, and technologies

Our technology is becoming easier to use and friendlier towards users who would struggle to use a PC. This is a wonderful change that has opened up new possibilities for them to learn, connect, and explore by making it simpler for them to browse the web and use email and social media. The downside is they don’t fully understand the technology, and this makes them easy marks for scammers. They see only half of the picture, gathered from news reports and bite-sized explanations they’ve read or heard. This affects not only regular people, but our lawmakers and politicians, too. This lack of understanding has the potential to cause lasting harm by creating misinformation, negative views of those who identify as hackers, and a fear of the internet. We can help by doing what we do every day: talking about it. We’ll discuss examples of how a lack of understanding has hurt different people and groups, how we got to this point, and how we can do some little things that will make a big difference.

As a native resident of Michigan, I’m a hunter, hiker, and camper. I don’t even mind the snow. I take my coffee too seriously, love good scotch, and spend a lot of time studying how infosec and new technologies are impacting our everyday lives. I have been working in IT for the past 10 years. For the past five, I’ve been a consultant and manager. I wear many different hats, but I’m always looking for something new to try or learn. If I’m not reading, scripting, or building something, I’m probably looking for my next project.

Data Breaches: Simply The Cost Of Doing Business

We’ve seen some pretty hefty data breaches since 2012, hundreds of millions of records from Fortune 500 companies. The problem with this problem is that companies are treating these breaches as just another cost of doing business. Actual work to prevent or stop data loss is being viewed as more expensive than the effort to clean up after the breach. So what can you do? Pivot, and make this an ROI discussion. I’ll show you some ways you can have the conversation in these terms, and some ways to help build a case for fixing a problem before it becomes a problem.

Joel Cardella has been an “IT guy” since the early 1990s. He’s been involved in network operations, data center ops, service and security in telecommunications, health care and manufacturing. Currently he is the Director of Information Security for North America for the largest cement company in the world you’ve never heard of. He seeks to educate infosec persons at every level by showing the lessons learned, right and wrong, throughout his career.

Eating the SMB Security Elephant – An ITSEC framework for small IT shops

Small or one person IT shops don’t have a large amount of resources to put towards security. We’re responsible for far more than just security and there are many competing demands for our time and attention. How do we make decisions on security projects in a sea of acronyms and products? This is one man’s framework to eat the elephant.

Austen has led an IT department for over 15 years. He specializes in custom development and project management. Many years of fixing and implementing processes have taught him that the process, not the people, is usually the problem. He doesn’t like people anyways. Austen holds a PMP and CQE.

Enterprise Class Vulnerability Management Like A Boss

A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management, in an attempt to make a clearly complicated yet necessary part of your organization’s ESA much more manageable, effective and efficient, with feasible recommendations based on your business’ needs.

Rockie Brockway is the Information Security and Business Risk Director at Black Box Network Services and BSidesCleveland organizer. With over two decades in InfoSec/Risk, Rockie teams with clients to understand the value and location of business critical data in an effort to further enable organizational innovation and to protect the brand.

Funny Money: What Payment Systems Teach us about Security

Emerging payment systems mean new opportunities to make old mistakes. Apple Pay and Google Wallet have taken us cardless and wireless. Starbucks invented its own espresso-driven gift cards. Bluetooth payment beacons are taking us cashierless. Yet amid the encryption and tokenization and PCI DSS compliance, somehow, criminals still manage to eke out a living defrauding consumers. (And by eke, we mean the estimated $3 trillion cybercrime industry.) This talk will review several emerging payment systems and describe the fraud and the flaws. With that as a framework, we will propose first principles for securely designing new systems and sidestepping the same old mistakes.

Drew Sutter recently graduated from Eastern Michigan University with a Bachelor of Science degree in Information Assurance. A select number of schools in the country are designated by the NSA as Centers of Academic Excellence in Information Assurance. EMU meets the NSA standards and is lucky to be one of these schools. After graduation Drew started working for Creative Breakthroughs Inc. (CBI), an IT risk management firm based in Ferndale, Michigan. At CBI, Drew is part of a program called the CBI Academy. As part of the CBI Academy, he is employed as a Security Apprentice and gets to work hands-on with many different technologies. Drew’s areas of interest are forensics, malware analysis, and penetration testing. In his free time, he enjoys hiking, biking, and other outdoor activities. Drew considers himself a technical person. He likes to solve problems and figure out how things work, but also enjoys research and writing. This is Drew’s second year at Converge / B-Sides Detroit.

Moving past Metasploit: Writing your first exploit

So you want to be more than a script kiddie? Metasploit is useful, but it’s important to understand the _why_ and _how_ of exploiting software. A simple buffer overflow exploit provides a great opportunity to explore the process of writing exploits. With just a touch of coding, you can break things for yourself!

I’m a hacker, a speedskater, and I’m always looking for new things to learn. You can usually find me in the nearest ice rink.

Wielding BurpSuite: quick-start your extensions and automation rules

This presentation is aimed at anyone who has used BurpSuite and knows the basics of Python. Its purpose is to demonstrate how to make use of Burp’s automation features as well as start crafting extensions for BurpSuite (using Jython) while delivering tips, caveats and resources so that participants can avoid making common mistakes in order to apply these practices as quickly as possible.

Marius Nepomuceno is a security engineer at Hyland Software, where he creates and delivers educational sessions, creates internal testing tools and frameworks, organizes corporate events surrounding information security, and works closely with the development and quality assurance staff on improving their secure coding and testing skills. Marius has given several presentations and classes to audiences of varying sizes on the topic of security concepts and the Secure Development Lifecycle. He headed up the project to re-fit Microsoft’s SDL processes to work within Hyland, adapting it to different waterfall-based and agile processes.

Browser and Windows Environment Hardening

In today’s threat landscape, many users are being compromised by exploit kits and phishing campaigns. These offensive techniques are successful because they target vulnerable, outdated software and unsuspecting users. There are free tools and configuration options to help prevent the execution of malicious binaries, the exploitation of web browsers, and the exploitation of third-party applications that are utilized by the browser. This presentation will introduce four methods to strengthen your host environment by using third-party tools and customized configurations.

Kurtis Armour is a security professional who has been working in the industry for 4 years. He enjoys working on research projects and increasing his security knowledge. Pastime activities include mountain biking, golfing, squash, skydiving and lots more.

Source: BSidesDetroit