We measure so that we can improve and report. Reporting is for our bosses and job security. Improvement is for us. As an outnumbered security professional, you will never, ever have enough time, money and resources to add every layer of defence you wish you could, which means we need to work smarter. Learn about […]
Read moreWe have a smart new generation who understands how to get around computer systems — some are doing it just for fun, while others are doing it with a slightly more sinister intent! Let’s stop here and let that sink in for a moment. Cybercrime is a very lucrative business not just because of the […]
Read moreMonitoring events will always be a big challenge for defensive teams. Now, with the increasing adoption of cloud by enterprises, new data sources are needed to monitor these services and detect security incidents. In the AWS Cloud ecosystem, the primary source of visibility of the control plane activities is called CloudTrail. Leveraging CloudTrail allows you […]
Read moreNo, this is not a talk about the Beverly Hills Police Department. It is about a new tool that I built based on a methodology I developed for Destroying Active Directory Attack Paths found by BloodHound. This talk will cover the methodology and the various options that the script provides. All the features are aimed […]
Read moreRemote Desktop Protocol (RDP) is the de facto protocol to remotely access Windows systems. Two years ago, we released PyRDP, a free and open-source RDP Monster-In-The-Middle (MITM) tool to tangibly demonstrate some of RDP’s common misconfigurations and associated risks. Since then, more RDP servers are exposed online and Microsoft’s RDP implementation has been the target […]
Read moreStatistics are speaking loudly! There is a disconnection between defenders’ perceptions of the value of the security controls they implement, and the most common attack vectors leveraged by penetration testers acting as potential attackers. This presentation highlights the key results of a two-year-long research study aimed at understanding this disconnection. The perceptions and practices of […]
Read moreIntuition, acquired through years of experience, is what sets experts apart from novices. Intuition is the ability to look at a large amount of information, quickly spot interesting items, and dismiss the rest. In the case of security audits, intrusion testers typically face hundreds, or even thousands, of assets early in an engagement. Their ability […]
Read moreWhether you do Pentesting or Bug Bounty Hunting, Recon is an important phase for expanding your scope. However, not everyone does that as they are busy filling forms with random payloads. Effective Recon can often give you access to assets/boxes that are less commonly found by regular Pentesters or Bug Hunters. More assets mean more […]
Read moreAbuse Operations, theft of services, and violation of acceptable usage does not get the spotlight it deserves because ultimately, the systems in question are “working as designed”. It is within these “cracks” that the abusers, the malicious users, and outright criminals operate their tools, campaigns, and other questionable interests. We will highlight how they are […]
Read moreMost security experts would agree that password-based authentication is dead. The FIDO2 standard aims to replace passwords entirely and there is a good deal of chance that it will succeed. It has gained significant momentum in the past year, as key players like Microsoft, Apple, Google, and Mozilla started to jump on board. This talk […]
Read moreWhen we see the terms Natural Language Processing (NLP) or Machine Learning (ML), often, our guts are correct, and it is vendor marketing material, frequently containing FUD. After tinkering with various libraries in Python and R with the use of some OSINT and SOCMINT techniques, I have found a use for NLP and ML that […]
Read moreHow are passwords stored in Microsoft’s Active Directory and how can they be audited? What could an adversary do if they gained access to either a physical or a virtual hard drive of a domain controller? In what ways could one directly modify an Active Directory database file and how can such unauthorized changes be […]
Read moreRansomware attacks are prevalent. The actions taken by a company immediately after a ransomware attack can have major implications on their ability to restore operations. This talk will clearly explain which actions should be taken, and which actions might unintentionally cause an organization much more trouble. This talk will go through a series of Do’s […]
Read moreOne of the core purposes of cybersecurity is to protect data gathered by an organization. Numerous countries around the world have enacted statutes to force organizations to protect their users’ data. Although organizations are making efforts to comply with regulations and implementing revolutionary cybersecurity products into their operations, we continue to see breaches of businesses […]
Read moreThis talk showcases lessons learned from firsthand experience implementing everything from power transmission systems, smart meters, first responder radio systems, voting and election software to building automation (doors, HVAC, etc). We are increasingly asked to believe “that’s not IT” for a variety of reasons. This talk covers all the reasons, lies and how to deescalate […]
Read moreToronto has a vibrant and active security community. Join the founders and leaders of 6 of Toronto’s most active security communities for a “fireside chat”. Why do these communities exist? What are they up to these days? What are they working on next? How can you get involved? Join what will be a fun and […]
Read moreOrganizations adopting cloud-based delivery are often at a loss as to how to navigate the technological and organizational changes introduced by this movement. Are we ahead? Are we behind? Do we really need to deploy to production hourly? What about security? This presentation provides insights from 451 Research’s view of technology and security trends as […]
Read moreMost organizations conduct a vulnerability assessment or penetration test of their network as part of their security program. Testing may be conducted by employees, or by external specialists, and the results may be used to comply with regulations such as PCI DSS, or they may just satisfy your sense of “security’s being done right”. However, […]
Read morePenetration Tests and/or Red Team Engagements are usually aimed at getting the highest level of privileges in an organization’s Active Directory domain aka Domain Admin. However, what most teams miss or simply ignore is the fact that there are things that can be done even when you have obtained Domain Admin privilege. This talk’s primary […]
Read moreAttackers keep getting cleverer with their phishing attacks and if you’re a high value target or a large enterprise you’re probably also getting many targeted attempts every day. This session will cover the best practices for O365 for detecting, removing and investigating phishing attempts against an O365 tenant.
Read moreThe IoT industry is often lambasted for lax security, however it does face unique challenges. This talk brings expertise from a veteran security engineer who has spent the last few months embedded (hah!) in an IoT manufacturer, working on security from the inside. We will explore some of the unique challenges in this space, and […]
Read moreAnonymity tools such as the tor network and cryptocurrencies are increasingly adopted by fraudsters to hide their tracks. They have enabled a darknet underground economy that centers around online illicit markets which has generated over USD$500 million in sales in the past year. Within online illicit markets, fraudsters create profiles and post ads for their […]
Read moreAll smart devices, from cars to IoT, are based around processors. Often these processors are not considered as part of the threat model when designing a product. Instead, there is an implicit trust that they just work and that the security features in the datasheet do what they say. This is especially problematic when the […]
Read moreThe intersections between IT, OT, and (I)IOT has continued to fuse multiple domains within the organization. And in a world where we need to fully understand our security posture and react to the world around us, visualization is key. During this presentation we will dive deep on the toolsets, tradecraft and methodologies to render (visualize) […]
Read moreIt’s safe to assume that many people reading this text have heard of using the Remote Desktop Protocol (RDP) to connect to other machines. But has anyone ever considered that merely using RDP can compromise their own computer? In this talk, we will not be covering a typical RDP vulnerability where a server is attacked […]
Read moreThe PowerShell bubble has burst. With offensive use going down and detections and defences rising, the need for an alternative means to operate offensively against Windows environments is well underway and a big part of that is due to C# and .NET. In this presentation, Lee will take the audience through the rise of weaponized […]
Read moreOur future is inseparable from technology and the choices we make will determine if we trust or fear the infrastructure our societies are built on. We as the people that dream, design, implement and talk about technology are seminal to determining which direction the world around us takes. What we do and say today really […]
Read moreFrom startups to large enterprise to academia, Canada has more influence on the global security market and innovation than one might expect. This panel will discuss Canadian businesses’ stance in IT security and take a forward look at what it will take to become a stronger competitor in world markets. Expect conversation from funding innovative startups to […]
Read moreThe Zero Trust security model assumes a hostile network with relentless external and internal threats. Authenticating and authorizing every device, user and network flow requires real-time algorithmic processing of telemetry from as many sources of data as possible. Applying mature machine learning data science to the Zero Trust problem provides a wholistic solution to multiple […]
Read moreCIPPIC is the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, Canada’s only public interest technology law clinic. CIPPIC is based at the University of Ottawa’s Centre for Law Technology and Society. In this session, CIPPIC staff will review the year’s legal developments in cybersecurity and provide a look ahead at what we might expect […]
Read moreCryptographers focus on provably secure cryptographic primitives. Standards bodies focus on syntax of messages. But there are many system issues that get ignored, leading to interesting security problems. Examples include trust models for PKI, misuse of web cookies, naming issues, and placing unreasonable demands on users. This session provides lessons on and mechanisms for avoiding […]
Read moreThere’s a torrent of unmanaged, un-agentable devices sweeping across businesses in every industry. From devices like smart TVs, MRI machines, patient infusion pumps, industrial device controllers, and manufacturing robotic arms, to printers, smartwatches, smart HVACs, and badge readers. These devices form an attack surface which is neither protected by nor monitored by traditional security products. […]
Read moreDuring a web application penetration test, a tester often encounters different technology stacks and security controls implementations that requires the use of different tools and testing approaches. While commercial tools are often available for these specific scenarios – these can be hard to get in a short time frame (and can be very costly if […]
Read moreThe purpose of this session is to explain the less well-known aspects of the Canadian Anti-Spam Legislation (CASL or the Act) and illustrate those in action through a series of case studies based on the actual enforcement activities of the Canadian Radio-television and Telecommunications Commission (CRTC). In so doing, we aim to position CASL as […]
Read moreLife is rough for a security leader! The security product landscape is increasingly complicated but seems to always lag behind malicious actor capabilities. Organizations need proven security programs that demonstrate visible ROI, but once-vaunted security concepts have been sacrificed upon the altars of speed and mobility. Organizational leadership-level involvement has never been greater, offering access […]
Read moreIn order to save the security industry, someone had to quit or be fired. Is this the ultimate fail or the only way to beat Thanos? This year’s panel includes all the best viewpoints: a vendor, an academic, a startup, and a quitter. Half the panel does more operations work than security work and has […]
Read moreThis talk focuses on real-life exploitation techniques in AWS cloud and the tools used to perform them. We will focus on these steps: Identify a server-side request forgery Gain access to instance meta-data credentials Enumerate IAM permissions Privilege escalation Connecting to internal VPC services via VPN Multiple tools, such as nimbostratus, enumerate-iam, Pacu and vpc-vpn-pivot […]
Read moreThreat hunting in the cloud is something that is not often talked about from a security strategy perspective. This talk will specifically cover techniques that can be used to support hunting within cloud environments. Recently, we have seen both Amazon and Microsoft release traffic mirroring capabilities within cloud environments which has allowed traditional network security solutions […]
Read moreBehavioral analytics helps IT professionals predict and understand consumer trends, but it can also assist CISOs in understanding potential threats—and unearthing them before they wreak major havoc. Additionally, automation helps to respond rapidly, thus reducing your mean time to resolve (MTTR) and improve SOC efficiency. Join this session to discuss: Using behavior analytics as a […]
Read moreThe evolution to a mobile and cloud-first approach to IT has made the old perimeter-centric view of security obsolete. We are opening our systems, information, and businesses to access from anywhere at any time. In this new reality we need to securely enable, manage, and govern access for all users, from employees to partners, customers, […]
Read moreIt was the best of times, it was the worst of times… that pretty much sums up infosec today. We can’t figure out how to align to our businesses effectively, we love our silos, and constantly hire the wrong people. This presentation will address common issues in information security and people leadership areas, giving you […]
Read moreCars are no longer simply mechanical. While they may be getting more advanced that doesn’t mean they are immune to hacks. One particularly sensitive entry point for hacking a car is the legally required OBD II port, which is basically “the Ethernet jack for your car”. This port works on a signaling protocol called CAN […]
Read moreThis presentation focuses on the malicious actors’ efforts to introduce and spread malicious apps through the Google Play app store, and how various players (consumers, internet providers, security firms, etc.) can help to thwart these efforts. One of the most common ways of conducting cyber security attacks (beside phishing) is through trojenized applications that end […]
Read moreModern software applications are complex, highly integrated collections of components, authored by dozens or even hundreds of individuals, and the rise of open source has taken this complexity to the next level. As an end-user, how well do you understand what a piece of software is *actually* doing, under the hood? Is your favorite string […]
Read moreThe CIS Critical Controls are recognized as a good start in setting up a defensible infrastructure. They are platform / OS agnostic, aren’t driven by vendor agendas, and are very much community and volunteer driven. In this talk, we’ll discuss a typical organization, one that we’d see in many security engagements. We’ll discuss the various […]
Read moreWhile we continue to support the concepts of compliance, defense, governance, and prevention, it’s time to shift our focus beyond those measures with more emphasis on strategic response to incidents. This talk offers real stories of failure and practical, quick-win lessons on how to be prepared to respond quickly, accurately, and confidently when incidents occur. […]
Read moreThe Web application development lifecycle has numerous security activities. For developers, code review is a familiar recurring activity. To support Java developers, a project was started in 2012 called, “Find Security Bugs” (FSB). It is an extension of the SpotBugs project, formerly known as FindBugs. FSB is a community static analysis tool which targets specific vulnerabilities. Over the years FSB has evolved from a limited tool to a solid coverage of bug […]
Read moreI will recap traditional cracking techniques before utilising combinator attacks to challenge recent password guidance of passphrases over passwords. I will then focus on more advanced methods, leveraging additional tools to launch attacks such as Fingerprint, PRINCE and Purple Rain. Non-deterministic techniques will be shown that are designed for infinite runtime, resulting in candidate generation […]
Read moreIn recent years, the threat to the public key infrastructure posed by quantum computers has gained some attention. Standards agencies such as NIST and ETSI have begun efforts to standardize encryption and signature algorithms that are quantum resistant. This talk will introduce attendees to the threat posed by quantum computing and explain which parts of […]
Read moreThe goal of the talk is to answer a few questions we often see or hear : “ATT&CK is nice and all, but how do I (we) get started?”, “How can I (we) detect those TTP?”, “Why use the ATT&CK Framework?”, etc. The ATT&CK Framework from Mitre is the new honest in the InfoSec world. […]
Read more