BSides St. Pete 2023 Presentations

Join us for a day of brain-stretching and networking with local cyber security enthusiasts.

Registration will open at 8:30 am EST.

Presentations begin at 9 am and will end at 4 pm.

There will be food trucks available for lunch.

Presentations Schedule:

9:00 - 9:50 am: Opening Keynote

Location: Main Room

Between Two Palms: A Session on Burnout

Presenters:

Elvira "Velveeta" Reyes & Chris "MachoChrist" Machowski

Join Chris and Elvira for this much-needed discussion on the topic of burnout. They will do a deep dive and unravel the intricate web of burnout, casting light on its sinister signs, its underlying causes, and the devastating aftermath it leaves in its wake.

10:00 - 10:50 am

Location: Main Room

Presenter

Dan Holland

Complexity is the Enemy: How to start doing Cyber Risk Management

Adapted from well-received presentations by the speaker on this topic, most recently at Tampa BSides, the National Cybersecurity Alliance's "Convene" conference, and the Florida Hospital Association's Board Retreat, this presentation uses analogies and stories to simplify the broad and multi-dimensional concepts surrounding Cybersecurity Governance, Risk Management, and Compliance (GRC), and identifies the key activities, rooted in the NIST 800-series reference material, that every organization could implement.

Location: Pharm 1

Presenter

Allyn Stott

How I Learned to Stop Worrying and Build a Modern Detection & Response Program

You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep). Gone are the days of buying the ol’ EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight modern-day attackers. But there are a lot of challenges in the way: alert fatigue, expensive tools, hiring talent that is impossibly difficult, and a current team that is overworked from constant firefights. How do you successfully build a modern detection and response program, all while riding the rocket of never-ending incidents and unforgiving on-call schedules? This talk addresses the lack of a framework, which has led to ineffective, outdated, and afterthought detection and response programs. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have and a framework to build or improve your own.

Location: Pharm 2

Presenter

Pat Gelin

Exploring Threat Actor Strategies on Exploitation of Emerging TLDs

The recent deployment of Google's new Internet domain TLDs has provided threat actors with new grounds for executing phishing and malware attacks. Accompanying this development, eight novel top-level domains (TLDs) have been introduced. In this context, we will delve into a detailed analysis of emerging and observed tactics used by malicious actors in this field. The discussion will encompass a comprehensive examination of the known methods of attack, followed by a discussion of defensive strategies for organizations. Additionally, we will explore the significance of the evolving domain abuse landscape, and aim to equip attendees with the knowledge necessary to identify and mitigate these types of attacks.

Location: Pharm 3

Presenter

Carlos Rodriguez

Integrating Cybersecurity into Organizational Culture and Portfolio Management

Traditional project management has gone through a transformation over the last few years, driven by the impact that Digital Transformation has had on development teams that are under pressure to deliver high-quality products faster and in small increments. While speed of product delivery is good, we still must manage IT and cyber risk to acceptable levels. Thus, cybersecurity teams must transform into a more agile service organization that moves at the same speed on the digital transformation highway. Learn some techniques to integrate cybersecurity risk management practices across your project portfolio lifecycle.

Location: Pharm 4

Presenter

Ivan Marchany

How to Build a Cybersecurity Journey

In today's digital era, where cyber threats are becoming increasingly sophisticated, building a successful career in cybersecurity has never been more crucial. This presentation aims to provide valuable insights and practical guidance for individuals interested in pursuing a career in this dynamic and rapidly evolving field. The presentation will begin by highlighting the growing demand for cybersecurity professionals across industries and the numerous opportunities available in this domain. It will emphasize the key cybersecurity topics that will allow you to mature your knowledge and succeed in this journey. No matter what level you are currently at, this presentation is for all levels, as I’ll be covering a variety of topics. Topics include:
• Education
• Building Your Lab
• You Are Your Projects
• Practicing with Bounties
• Have a Presence
• On Certifications
• Making Contributions
• Networking With Others
• Conferences
• Responding to CFPs
• Landing Your First Job
• Mastering Professionalism
• Understanding the Business
• Having Passion
• Becoming a Guru
Furthermore, the presentation will shed light on the importance of gaining practical experience and building a strong professional network in cybersecurity. It will discuss internship opportunities, participation in capture-the-flag (CTF) competitions, open-source contributions, and joining professional organizations as effective ways to enhance practical skills, demonstrate expertise, and connect with industry experts. By the end of the presentation, participants will gain a comprehensive understanding of the cybersecurity career landscape, the essential skills and knowledge required, the educational and certification options available, strategies for gaining practical experience, and pathways for career progression. Armed with this knowledge, individuals will be better equipped to embark on a rewarding and impactful journey in the field of cybersecurity.

11:00 - 11:50 am

Location: Main Room

Presenter

Stacey Oneal

Getting into Cybersecurity

In recent years, cybersecurity has gained additional attention due to the escalating threats and vulnerabilities in the cyber landscape. As organizations endeavor to protect their critical assets from cyber-attacks, the demand for skilled cybersecurity professionals has continued to grow. This presentation aims to provide attendees with an understanding of the cybersecurity career landscape, essential skills and qualifications, career pathways, and strategies for professional growth and advancement, with real-world examples.

Location: Pharm 1

Presenters

Daniel Lopez &

Ashwini Machlanski

A Urinal Story: Human Behavior & Security

74% of all breaches involve the human element (2023 Verizon DBIR report). This fact clearly shows that individuals play a major role in securing an organization. Yet the majority of companies invest in technology and tools. In this presentation, you'll learn the importance of managing human risk and how to leverage the field of behavioral science to help modify human behavior and secure the human. Oh! Wondering about that urinal story? Well, join us to find out.

Location: Pharm 2

Presenter

Terri Khalil

Navigating New Cybersecurity Regulations: Charting a Course for Success

We'll dive into the surf of dealing with new cybersecurity regulations, just like a seasoned beachcomber navigating the ever-changing tides and shifting sands. Many companies find themselves new to the sea of cybersecurity regulations. We'll explore how these regulations may impact both IT and industrial control systems. The beach offers us valuable lessons on resilience, and as we build sandcastles of compliance, we'll uncover strategies to leverage these regulations to not only meet requirements but to strengthen our security posture like fortified sand walls against the tide. We'll discover that, like every seashell along the shore, the regulations can hold the secrets of enhancing our cybersecurity resilience.
Cyber beach takeaways: Attendees will leave the seashore equipped with a treasure trove of planning considerations for crafting an effective cybersecurity-related compliance program.
• With our beach chairs set up for this cybersecurity adventure, we'll establish governance structures, key stakeholders, and communication channels to ensure everyone charts the course together.
• We'll then hoist our compliance sails, catching the wind of interpretation and scoping to set a clear direction for our journey.
• Along the way, we'll learn to manage the evidence like beachgoers collecting seashells, making sure we have everything we need to stay on course.
• The tides of compliance ebb and flow, but we'll prepare for the day-to-day operations.
• We’ll learn to surf the waves of audits and ensure our sandcastles of compliance remain resilient.
• And if we happen to encounter non-compliance, we'll report it like a diligent beach patrol, ensuring the safety of our digital shore.
• Our final destination will be sustainability, where we'll anchor our compliance efforts for long-term success.
So, whether you're a seasoned beachcomber of cybersecurity compliance or a new adventurer, join us as we embrace the shoreline of success, discovering valuable insights and charting a course towards cybersecurity resilience.

Location: Pharm 3

Presenter

Michael-Angelo Zummo

Going Undercover in the Underground - A Practical Guide on How to Safely Infiltrate and Engage

The dark web is filled with threat actors planning nefarious crimes. Cybersecurity professionals know that threat hunting in these underground environments is necessary, but they don’t know the most crucial step to beginning the process. ‘How do you access the deep and dark web?’ and ‘How do you gain a threat actor’s trust?’ These are the most commonly asked questions of cybersecurity professionals preparing a proactive threat hunt. Navigating the underground requires dedication to persona management and setting up a safe and secure environment to ensure one does not expose oneself to malicious actors. Senior Threat Intel Specialist at Cybersixgill, Michael-Angelo Zummo, will demonstrate how to set up a secure environment (dirty machine) using Tails, how to find sources on the dark web, best practices when creating your first persona, how to communicate with threat actors, and of course, how to seek out threats once you gain access to the sources where threat actors plan, play, and profit. All while using real examples that attendees can try for themselves.

Location: Pharm 4

Presenter

Michael Magyar

Everything I Needed to Know About Practical Cybersecurity, I Learned from my Mom

Do you often try to simplify your cybersecurity program by buying new products and services with names like EDR/XDR/PAM/PIM/AI/crypto/blockchain, only to have them fail to live up to their marketing hype and ultimately become shelfware? Do you wish there was a better way? While those products have their place, this talk will show you how to implement basic operational security hygiene using the lessons we all (hopefully) learned growing up. "New" cybersecurity trends and techniques, such as Zero Trust, will be deconstructed to show how they directly map to these childhood lessons and will then be rebuilt in a more practical way. They will then be applied to a fictitious organization as a way to anonymize examples of real-world security wins. The takeaways from this talk will help you build a stronger organizational culture that will not only result in easy security wins, but will also allow your organization to realize cost savings and operational efficiencies along the way.

12:00 - 12:50 pm: Mid-day Keynote

Location: Main Room

Presenter:

Mid-day Keynote Speech

1:00 - 1:50 pm

Location: Main Room

Presenter

Michael Brown

Creating your Security & Compliance Audit Framework

In security & compliance, we need to ensure that IT controls are operating correctly AND we need to be doing things on a regular basis. Should we be assessed or audited against various regulations, frameworks or standards such as HIPAA/HITECH, HITRUST, PCI-DSS, ISO/IEC 27001, SOC 1 & 2, CMMC, etc., we will be expected to provide a year's worth of data/evidence. And if your organization is not doing these activities, there can be serious repercussions. As someone who has consulted with clients who were being assessed, as well as being part of a company that deals with annual HITRUST & SOC 1, 2 assessments, I know that ensuring these regular activities are performed is critical to our success. We will go over the process of creating your own framework that will work for your organization. This is the second of a series of related presentations in the area of security & compliance.

Location: Pharm 1

Presenter

Wilson Bautista

Building a Comprehensive Framework for AI Systems Security: Methodology and Grading

As the use of artificial intelligence (AI) expands across various sectors, ensuring the security of these systems becomes increasingly critical. This presentation proposes a robust, multi-faceted framework aimed at protecting AI systems from potential risks and vulnerabilities, from data breaches to adversarial attacks. The proposed framework includes ten key components: continuous risk assessment, stringent data security measures, enhancing the robustness of AI models, privacy preservation, ethical use of AI, reliability and safety assurance, regulatory compliance, systematic auditing and monitoring, user education, and a proactive incident response plan. In addition to discussing the methodology, the presentation also introduces a novel grading system for AI security. This grading system evaluates the performance of AI systems across the ten key components of our framework, providing a comprehensive and nuanced understanding of the AI system's overall security level. By exploring the complex landscape of AI security, the presentation aims to provide valuable insights for both practitioners and researchers. It also calls for ongoing work to continually refine and evolve the security framework in response to new challenges and advancements in the field.

Location: Pharm 2

Presenter

Jarrad "Raydar" Pemberton

IAM Security and So Can You: An Intro to Identity Access Management and How to Beat It to a Pulp

Join Uncle Raydar for a wonderful 45 minutes of learning how companies secure their enterprise environments with things like Okta, how those tools are implemented in environments, and how IAM engineers secretly lurk in conference calls when you get laid off. Hear from the engineer responsible for making IAM do IAM things on how it works, how IAM is installed and configured, and how to manipulate and hack IAM in an enterprise environment. SSO out of scope? Yeah right!

Location: Pharm 3

Presenter

Sam "Furio" Decker

Adversarial Prompting: Exploiting Large Language Models

Large Language Models (LLMs) like ChatGPT are everywhere. Come learn about how LLMs work at a functional level, and then how to exploit the vulnerabilities present in these models! Attendees will get to see first hand how to perform various types of prompt injections, prompt leaks, and jailbreaks. You will leave with a fundamental understanding of how these models work, their vulnerabilities, and how to exploit them.

Location: Pharm 4

Presenter

Richard MacCammon

Chairs! Chairs? Chairs! How your office ergonomics makes you a better hacker

Your body is your best friend and your best asset to building a long-standing and lucrative career in cyber. Whether you’re in the board room talking DFIR or climbing down the chimney as you pen test like Santa Claus, eventually you’ll be back at your desk writing a report. Will your office furniture enable you to do your best work or will your paycheck be used for the chiropractor?

2:00 - 2:50 pm

Location: Main Room

Presenter

Joshua Weathers

Cyber Supply Chain Risk Management and Evolving Governance

This presentation examines the dynamic landscape of supply chain risk management in the context of current governance policies, including Executive Order 14028, Memorandum M-22-18, and Memorandum M-23-16. As organizations face increasing uncertainties and disruptions in their supply chains, it is crucial for managers to understand the evolving nature of these programs and the implications they have on supply chain operations.
The presentation begins by providing an overview of the prevailing governance framework, highlighting the significant role of EO 14028, which outlines the strategies for strengthening supply chain resilience and reducing vulnerabilities. Subsequently, Memorandum M-22-18 and M-23-16 are explored in detail, shedding light on the specific considerations and requirements they introduce to enhance supply chain risk management practices.
One key aspect of the evolving program is the Paperwork Reduction Act (PRA), which necessitates a thorough evaluation of the administrative burden associated with implementing these policies. The presentation emphasizes the importance of managers addressing their supply chain issues by striking a balance between compliance with the regulations and minimizing paperwork.
Furthermore, the presentation underscores the imperative for managers to proactively identify and assess risks across their supply chains, including vulnerabilities stemming from geopolitical shifts, natural disasters, cyber threats, and other emerging challenges. It emphasizes the need for comprehensive risk mitigation strategies and the adoption of innovative technologies, such as data analytics and artificial intelligence, to enhance supply chain resilience.
Ultimately, this presentation aims to equip supply chain managers with a comprehensive understanding of the evolving governance landscape and the necessary considerations to effectively manage supply chain risks. By embracing these changes and leveraging the available tools and frameworks, organizations can navigate uncertainties and build robust supply chain programs that are adaptable to future disruptions.

Location: Pharm 1

Presenter

Jon "Cochise" Buzin

How to Wage War and Bypass Congress: a Primer on Gray Zone Warfare

Cochise talked at B-Sides Tampa about cyber warfare and he wants to continue down the rabbit hole at B-Sides St. Pete! The key to gray zone warfare is to wage war without being caught or even looking like the aggressor if you do get caught. The concept of cyber warfare and gray zone warfare is already upon us as countries try to disrupt each other by manipulating their computers. Come spend an afternoon with Cochise as he goes more in-depth about how gray zone warfare affects red and blue teams alike and how gray zone warfare is committed via the economy, political values, and what that means for cyber professionals.

Location: Pharm 2

Presenter

Arpan Sarkar

Getting MAAD-AF to Attack Microsoft 365 & Azure AD

In this session, we will take a hands-on approach to emulating attacker tactics, techniques & procedures in the cloud using the MAAD Attack Framework. Cloud attacks progress with a significantly different set of techniques than network attacks, focusing not on payloads and malware but on abusing the permissions and privileges of compromised identities to access and abuse native applications. Attendees will be guided through the MAAD attack framework, a tool designed to replicate the techniques Vectra has observed attackers using in the wild. Attendees will learn about the threats in the cloud, how they can effectively emulate those threats to test their security, and how they can best defend against them. By exploring the techniques used by attackers, defenders can be better positioned to stop attackers in their own environment.

Location: Pharm 3

Presenter

Dan Fernandez

The Boring Parts of AI: Risks and Governance of Large Language Models

In this presentation, we will discuss the governance and risks of Large Language Models (LLMs), highly advanced AI models capable of generating human-like language. With the widespread adoption of LLMs in businesses and the rush to develop custom applications, it is important to consider data security and ensure the success of these projects. We will begin by providing an overview of LLMs and their revolutionary impact on various industries. Following that, we will examine the governance and security concerns often overlooked in the development and deployment of LLMs. This will include challenges such as custom model training, data privacy, and securing LLM applications. Our talk will highlight important considerations for anyone using or building a Generative AI application. Additionally, we will provide specific examples and case studies of the risks associated with using or integrating Generative AI into existing products.

Location: Pharm 3

Click, Clack, Thock: A Badger’s Guide to Keyboard Hacking, DIY Keyboards, and Coworker Disrespect

3:00 - 3:45 pm

Location: Main Room

Presenter

Wilson Bautista

Closing Remarks & Awards

Join us for the closing remarks for the 2023 BSides St. Pete conference, in addition to the handing out of awards for the Capture The Flag event.

Be sure to ask a volunteer about post-event networking!