We have created this blog to share presenter notes, slides, and links and to answer many of the questions we received during each talk. You can view all of the talks here.
Day 1
Stef Rand - Hacking Your Brain: Using Proven Psychology Techniques to Set and Smash Goals
Stef Rand, @techieStef, Associate Consultant at Mandiant
You can access Stef's presentation here.
Q: How long have you been in cybersecurity?
A: I started school for IT in 2017, and started studying cybersecurity in 2018. I got my first job in cybersecurity at the beginning of 2020.
Q: What method of studying works best for you?
A: I like reading physical paper books the best. When I can't do that, I try to get set up in a space that is comfortable and helps me pay attention to my online learning! For me, that means I try to clear away other distractions and focus on my computer, with breaks every hour or two.
Q: How do you decompress after a long workday?
A: I play with my dog or take her for walks! I cook a lot. I have regular video/phone calls with some of my friends. I do chores, I read, and I try to stay away from more screen time as much as I can (although I do love watching movies).
Q: What is the one thing you would tell your 18-year-old self?
A: I was in college for my first degree then, so I'd tell myself to go to class! Even if you don't take good notes or do the readings, just showing up for class helps you learn WAY more than you think, and you get to know your professors. I made the mistake of skipping classes when I didn't feel prepared, and it hurt my grades & I didn't get the most out of my first few years of college.
Q: Does your experience in psychology help you in cybersecurity?
A: Yes! So much. I talk to and work with other people all day (virtually, at the moment). And my clients are people. Being able to communicate with and understand the people I work with & for is incredibly helpful.
Q: When did you know that you wanted to do cybersecurity?
A: I was in school in 2018 and I took my first networking class, which had a security focus, and I absolutely fell in love with being able to see the actual packets on the internet and learning how it all worked. Once I learned there was a whole field devoted to protecting the devices and information on the internet I was hooked.
Q: Was there a particular ‘aha’ moment that got you interested in technology?
A: I grew up around tech, so if there was an 'aha' moment for tech in general it was early! My 'aha' moment for looking at getting a job in tech was as I was setting up a friend's router while I was between jobs, and he pointed out that I could get a good job in tech doing things like network setup or admin work. It had never occurred to me to get a job in IT, even though I did it all the time! I decided to go to school and see what branch of tech/IT was a good fit for me, and that is how I found cybersecurity.
Q: What school did you go to and what made you get started? I’m interested in DFIR but I don’t know where the best school is or how to get started?
A: I went to Augusta University because I was in Augusta at the time and they had a strong IT/cybersecurity program. The best DFIR resource I know of that is immediately accessible is DFIR Diva at freetraining.dfirdiva.com
Q: How long should breaks last considering school work and in between classes?
A: I recommend 10 minutes, if possible...that is long enough for your mind & body to kind of reset a little.
Q: How does a person focus on a subject, as it's human nature to jump towards the end?
A: Focus is hard, and in some ways, it is a skill that you can practice! Like any other skill, you have good & bad days, and you can focus less/shorter times at first. If you are having trouble focusing even after practice, or if you have a hard time focusing enough to practice, you may be neurodivergent & there may be more advanced tips & aids to help you! In that case, I'd talk to teachers or your folks about it.
Q: Do you have any tips for improving focus?
A: As I mentioned above, focusing can be hard, but if you think of it as a skill to improve you can get better at it by practicing, like any skill. Take breaks when you can, so you don't exhaust your brain, just like you do for physical exercise. Try to put aside stuff you know makes it harder to focus. Reward yourself for being able to focus and getting better at it, with things like good snacks or favorite games. If you can't focus well enough to practice, then talk to your teachers or your folks, you might need some different strategies to get you started.
Q: Are there any apps you would recommend for tracking your goals?
A: I don't have any specific apps for goal tracking! I do a lot of old-fashioned note-taking and I have a journal, and I also will make spreadsheets for myself. I'd have to google progress-tracking apps to make any suggestions.
Q: How do you suggest handling online distractions with learning being practically all online now?
A: It's a challenge, for sure, and hard for all of us both at school and at work. I keep social media off & closed while I'm working so I'm not tempted. I wait to check non-work online stuff until I take one of my breaks every hour or two.
Q: What sort of content should be included when utilizing the method of journaling? Is there a certain level of depth to include?
A: The key is to talk about how you are feeling about things and not just what is happening like a news report. By writing about how you feel, you're able to process it in a different way that can help you see it from different perspectives.
Q: How should we balance our free time in this field, so we don't overwork ourselves but still have enough time to relax?
A: This is a struggle for cybersecurity and one that I think we should treat like an occupational hazard in some ways! I'd say to try and find someplace to work that does not treat exhaustion and overwork as part of the norm or something to be celebrated. If you can, set firm boundaries early about how much time you are available outside of work hours.
Q: How do you get through your obstacles if it is really frustrating? How do you help yourself get through it?
A: I try to be kind to myself, and supportive like I would my best friend. I try to make little steps in the right direction & cheer myself on a ton when there is any progress. Sometimes I just can't get much forward progress, but I do my best, and that is more than ok. If you are dealing with a lack of motivation & frustration constantly, it might be worth reaching out to parents/teachers/resources to see if you need more help or different strategies to help your mood and motivation.
Q: What if you have trouble trying to physically separate yourself from your work in order to take breaks? What tips can be offered to encourage yourself to step away?
A: A lot of my friends at work set timers with alarms. I use my attention-needy dog as a cue to step away from the computer! Or if I run out of water or coffee I get up to take a break. Some kind of external cue like that can be very helpful.
Q: A lot of concerns have been raised in the last couple of months regarding cybersecurity in Zoom's app, was that hype all correct?
A: "All that hype" is almost never correct since hype is not usually the same thing as accurate reporting! That said, I didn't personally dig into Zoom vulnerabilities, so I'd have to do some googling to find out more.
Q: Which is the best college for cybersecurity?
A: First thing is you don't NEED college to get into cybersecurity. Academia does not change quickly enough to keep up with changes in cybersecurity. That said, if you want to go to college, you will learn things like how to study, how to work hard, how to write papers/reports, how to work in groups, and you can get a knowledge base of essential IT and system administration topics. I went to Augusta University because it was local to me & had a strong cybersecurity program. Several of my coworkers went to Champlain College. The best college for you is one that is a) affordable and b) helps you learn the best!
Q: How does anyone start a career in Malware analyst as a beginner?
A: I am not a malware analyst, so I don't personally have great advice on the topic! I'd say read and learn as much as you can from free sources online. The book Practical Malware Analysis is a few years old but is still highly regarded as an amazing resource.
Q: What coding languages would you prefer in going in cybersecurity?
A: I personally learned Python, some PowerShell, and C# because that was taught in my degree program. I know a lot of new tools are being made with Go!
Rin Oliver - Cybersecurity Career Success for Neurodivergent Individuals
Rin Oliver, @kiran_oliver, Content Marketing Manager at Esper
You can access Rin's presentation here.
View Rin's talk here.
Tyrone Wilson - Mini Workshop: Attack & Defend
Tyrone Wilson, @tywilson21, Founder of Cover6 Solutions; Organizer of D.C. Cybersecurity Professionals
Home Lab Set-Up information can be found here.
View Tyrone's talk here.
Q: Will a Raspberry Pi be able to support a SecurityOnion instance?
A: It will take a bit of configuration but, yes, you can run Security Onion on a Raspberry Pi.
Q: How trustworthy is SecurityOnion?
A: Very trustworthy for what it's used for, to monitor network traffic and alert on malicious traffic based on the current IDS signatures.
Q: Can I use SecurityOnion to hack?
A: In short, no. It is a passive tool meaning all it does is listen to network traffic.
Q: Can we use SecurityOnion to supervise the activities of our younger siblings?
A: Yes, you can. You will just need to create filters to better view only their traffic.
Q: What do you think of Docker, in regards to how safe it is to use this specific application?
A: Not a Docker pro, but the application only monitors - it does not do anything malicious. Remember, it is a "passive" tool.
Q: What is Wireshark?
A: In short, Wireshark is a protocol analysis tool. It lets you see what the devices see. You can view all of the network communications to and from your devices and/or other devices on the same network. https://www.wireshark.org/download.html
Q: What is a good way to protect your PC from programs like Wireshark on the network you use?
A: If you are on the same network then there is no way around someone seeing it with Wireshark unless you connect to a switch or have a separate broadcast domain.
Q: You can use regex in Wireshark? Any regex examples for this workshop?
A: They do a good job documenting this on the Wireshark website. https://www.wireshark.org/docs/man-pages/wireshark-filter.html
Q: Are you able to track your activity using this?
A: Yes, it tracks all network activity.
Q: Do we have any software to clone Kali Linux entirely in Windows and then interact?
A: Kali Linux has been in the Microsoft Store for over two years. You can find a tutorial by Offensive Security here.
Q: How do you know what commands to use in Kali?
A: Kali has over 300 different tools. Knowing the commands takes a lot of practice.
Q: Linux noob here: what sets Kali apart for these uses? What stops me from using damnsmalllinux?
A: Technically any Linux distro can have these tools. The Kali Linux OS comes with most of the tools already installed.
Q: What was the command for finding the open ports?
A: nmap -v -T4 -sS -Pn -p- [ip address] --open
Q: Is virtualbox similar to vmware?
A: Yes, very similar. They are both Type II hypervisors.
Q: Will it be possible to install the phase 2 hypervisor on my mac?
A: Yes, Virtualbox, VMware Workstation Player, or VMware Fusion are all great options.
Q: In what instances would you use "replay" instead of "import" (and vice versa) in SecurityOnion?
A: Use import if you want the date of the alerts to be the same date as the original day of the traffic. Using replay will use the timestamps of the time you executed the command.
Q: What's the purpose of Command Prompt in Windows? After all, it's just a technical mess with all black screen.
A: The command prompt allows you to control your message. Most of the things you can do with a mouse you can do at the command prompt.
Q: How do you get the Linux if you're not on Linux?
A: You can download the .iso file, which you can use to create a virtual machine, here.
Q: Why do you ping IPs? In other words, what does it do?
A: A ping is a test to see if another device is "up/alive." Some ping commands may get blocked.
Q: How do you recognize a malicious IP over a normal IP that may be communicating?
A: You will have to cross-reference the IP address with websites or tools that track known malicious IPs and their activity. I would check out the GreyNoise Visualizer https://viz.greynoise.io/
Q: Are there any websites or applications that will teach you step-by-step how to simulate the “attacks and defenses”?
A: Yes, plenty. Although a bit advanced, my favorite is https://ippsec.rocks/?#.
Q: What is privilege escalation?
A: The process of moving from a low privileged account like user to a high privilege account like Administrator or Root.
Q: How do you maintain good opsec while you're learning?
A: You don't have to use your name on the account. Use thispersondoesnotexist.com to get a profile photo and a password manager to help keep track of usernames and passwords.
Q: Could hacking yourself make a vulnerability for other hackers to get in while you do it?
A: Yes, having a vulnerable machine on your network can be very dangerous should an attacker gain control of it.
Q: How could you apply this to game programming? Is there any way I could make anti-cheat software through knowing cybersecurity?
A: I'm sure you could add a series of checks to your code that look for specific sequences/controls that relate to cheat commands. There are tons of cheat sites on the net. Keep in mind that these checks may slow the game down.
Q: Would you recommend eJPT or PenTest+ certification?
A: I would recommend both but take the Pentest+ first. :-)
Q: Favourite CLI text editor?
A: Nano.
Q: Which cloud service do you recommend as the best (and cheapest) on which to learn?
A: The main favorites are Digital Ocean, AWS, Google Compute, and Microsoft Azure.
Q: Do you have any good resources on these commands (msfvenom, metasploit, nmap, etc.)?
A: Metasploit unleashed - https://www.offensive-security.com/metasploit-unleashed/.
Q: Is MSF Venom a way of creating simulated viruses, or is it a sort of provider for malware to set up fake attacks on a system using Kali Linux?
A: Msfvenom allows you to create real payloads that can help you control a device.
Q: Is Exploit Database trustworthy and might not have a virus in it?
A: It is trusted by a lot of people, as it houses over 40,000 available exploits.
Q: How do I get authorization for monitoring & exploit vulnerable devices? What steps should I take to keep them safe?
A: You don't need authorization to monitor your own network. Keep your software updated and be careful of what links you click on. Also, use a different, strong username and password for every account you have.
Chazz Scott - Cybersecurity is Like Ice Cream. There Are a Whole Lot of Flavors
Chazz Scott, @Mr_CaViar, Incident Response Team Lead at National Geospatial-Intelligence Agency (NGA)
You can access Chazz's presentation here.
Susan Fowler - Social Engineering: What It Is, Why It Matters, and What You Can Do
Susan Fowler, Forensic Examiner II at Walmart Technology
You can access Susan's presentation here.
View Susan's talk here.
Robert M. Lee - Defending Critical Infrastructure
Robert M. Lee, @RobertMLee, CEO of Dragos, Inc.
You can access Robert's presentation here.
View Robert's talk here.
Domenica Crognale - Move Along; Nothing to See Here...Or Is There?
Domenica Crognale, @domenicacrognal, @Cybersecurity at ManTech; Instructor & Author at SANS Institute
You can access Domenica's presentation here.
View Domenica's talk here.
Q: What are some of the legal issues involved in mobile forensics that you have to deal with?
A: Cloud data is often a very important aspect of mobile device forensics and many applications are moving towards only storing data in the cloud and not on the device, so it will require authority or consent from the data owner (Apple, Google, Facebook) to gain access to the data. This can be an extremely time-consuming process. Make sure warrants are worded so that as much data as you think you need is covered.
Q: Would factory resetting your device delete the files recording the data?
A: Yes, the nature of a factory reset is to delete all files from the device. Different device hardware manufacturer/model/version/firmware/operating systems achieve this differently. For example, in older devices that do not utilize encryption, a factory reset may destroy pointers/references to pre-existing (allocated) data but leave the data itself untouched in unallocated space, where it can be recovered using file carving, but a device wipe (factory reset) for iOS involves the wiping of the master key which makes all other files on the device encrypted and unrecoverable.
Q: Are there any advantages from using the executable iTunes vs the windows store version?
A: They both operate in the same manner, but the storage locations on your host machine as well as the timestamps associated with backups will differ between the two applications. As a best practice, I prefer to use the true iTunes download available from Apple.
Q: If I want to practice with some of my old phones, do I need the SIM card installed because I took all the SIM cards out from the phones that I no longer used?
A: Yes, most phones will function just fine without a SIM card as long as you can connect to Wi-Fi if you want to utilize these old devices for data generation and test purposes.
Q: When you are connecting the device do you use a cord or something?
A: Yes, you should usually only need the cord that came with the device to facilitate data extraction. Thankfully, we have progressed since the days of needing a unique cord for every different version of phone that was out on the market. If you have a few spare iOS lightning cables for iOS and some mini, micro and USB-C cables for Android, you should be able to acquire the majority of devices you will encounter.
Q: If the data within a mobile device is backed up and encrypted, does that mean it would theoretically survive cyber breaches that would delete files, hold them for ransom, or steal them?
A: If you are talking about some kind of ransomware that claims to lock your device and make your files inaccessible, most likely, yes. Most of these ransomware attacks will not persist after a device reboot. If you have a backup of your data (iOS) you can wipe your device and push an existing backup to the phone (assuming you make backups on a regular basis). If you are an Android user, you could wipe your device and then start fresh on your device after logging in with your Gmail password.
Q: Are 3rd party apps bad?
A: Not at all. There are many great third-party applications, and fortunately, they go through a pretty stringent vetting process if you are getting them from legitimate app stores like Google’s Playstore or Apple’s app store. I would steer clear of any third-party applications that you can install via side-loading (circumventing the official app stores for your operating system).
Q: Is it possible for a root or a jailbreak to be implemented remotely from a third party device such as a hacker so they may have full access to the device? Or are such actions only possible via physical handling of the mobile device?
A: There are over the air exploits that have been reported for these operating systems, some of them even provide remote code execution on the device. The good news is that once they are reported, a patch/update is provided relatively soon after. This is why it’s so important to keep your mobile operating system as up-to-date as possible.
Q: Do you have any thoughts on 3rd party Android ROMs such as Graphene/Lineage OS?
A: I haven’t taken a look specifically at either of the ROMs you mentioned, although there are many legitimate reasons for Android users to prefer a cleaner version of the OS that doesn’t come baked in with Manufacturer or Carrier applications and other noise. Some do not support Google Play Services though, so there may be applications that you want but can’t seem to find a good alternative for.
Q: In order for this process to be successful, must the mobile device be connected to a larger device like a laptop or a home computer in order to view the phone's apps for analysis? Or can the apps be analyzed without display or basic input/output with larger devices?
A: You can install a file browser on a rooted Android device or a jailbroken iOS device which will allow you to dig into the individual folders of interest. Although I sometimes use this for a quick sanity check, it's nice to be able to analyze the data using a computer. I like Root File Manager (by MobilDev) for Android and the Filza File Manager app for iOS, but there are many out there to choose from.
Q: If you were to delete your history, would searches done before the history was deleted, still show?
A: It depends on a few factors. If you are using an app with private browser capabilities (think private or incognito mode), those searches and visits are never saved. If you are browsing in regular mode, and only choose to delete individual searches (like searches for the month of December), then everything else that you didn't delete is still there. There are a TON of mobile browsers and they all give you slightly different options for deleting/clearing data.
Q: What advice do you give about protecting the physical security of a phone or clearing data that is no longer needed from a phone?
A: As someone that doesn’t like to delete stuff (because I may need it someday), this is a tough pill to swallow, but if you no longer need something that contains sensitive data, destroy it! Always protect your device with a strong passcode and don’t alter the default settings on your device that increase security protections (i.e. USB Accessories should be turned OFF by default in your iOS Settings > Face ID & Passcode and USB Debugging should be turned OFF for your Android device under Settings > About Device/Phone > Developer Options).
Q: What if data is in a secure enclave such as MobileIron?
A: Using Mobile Device Management applications like MobileIron to protect sensitive data is a great idea. By default, data protected by these applications should not be included in a backup. Also, rooting/jailbreaking may encourage the removal of these MDMs in order to offer that full file system access to the phone, and removing the MDM should result in the removal of any data that it was protecting.
Q: Can we safely simulate these tools' effects using virtual machines, correct?
A: Yes, there are many emulators available for Android and some for iOS that you can use to test out applications, which in turn will generate artifacts. The development platforms for both operating systems (Android Studio and Xcode respectively) also allow some simulation capabilities that you can utilize.
Q: What can hackers do with your safari searches?
A: Any and everything they can dream up! I would imagine that some people’s searches could be used to blackmail them into providing money or even sensitive information should it get into the wrong hands.
Q: What is the worst piece of information to give out online?
A: Treat any of your personally identifiable information with the utmost care. I never give out things like my social security #, bank accounts, passport info, etc. unless I can confirm the receiving entity is legitimate and properly protecting my information. Fortunately, there are laws that govern how companies must protect sensitive information; an example is the Payment Card Industry Data Security Standard (PCI-DSS), which regulates how businesses that process and store credit card information must operate.
Q: My friend jailbroke her phone to install Kali, what are the benefits of this?
A: Some people like having full control of their device and not being locked down to Apple’s security models which is why they jailbreak. There are also applications in alternative stores that are either free or not available from Apple’s app store.
Q: How do you unlock an iCloud-locked iOS device?
A: You will need credentials to unlock any iOS device: username and password for cloud, biometrics or passcode for the physical device.
Q: Is it true that iOS 14 can't be forensically imaged? Can FTK Imager take an image of the data? Can you image the phone with Autopsy?
A: Your commercial tools will utilize iTunes and the AFC service to pull data from iOS devices, so regardless of the firmware version running on the iOS device, even if it's the latest greatest, it can be imaged. Get a FREE copy of iTunes. Most often, the tool that was designed to "backup" your data is still the best tool for acquiring it for analysis.
Q: How do you deal with obfuscated binaries on devices?
A: A lot of patience; obfuscated binaries will mask the true names of functions and methods that comprise your application, so there isn't a real quick way to make sense of it using a Java decompiler like JADX. If your application was developed with Kotlin, you might stumble upon a metadata file where those functions/methods are not obfuscated, and you can use that to work through making sense of the source code.
Q: What are the impacts of downgrading devices to allow an exploit to work?
A: Sometimes this is the only method to get access to the particular user data that you are after. It WILL and DOES make some changes to data on the devices. It may also remove certain data, so it should always be done as your very last acquisition method after you have tried everything else.
Q: Can you access your phone's data and back up your phone using Linux?
A: Yes, you can run ADB commands in Linux and for iOS devices, you may need to install libimobiledevice and iFuse.
Q: Will these tools work for really old BlackBerry devices?
A: The tools we used during the Cyber Camp will not work specifically for BlackBerry, since they were specific to Android and iOS, but there are FREE backup utilities for older BlackBerry devices. If you have a REALLY old BlackBerry, you will want to back up using BlackBerry Desktop, which will create a .ipd (Windows host) or a .bbb file (Mac OS host) that contains all of your device information. If you have a BlackBerry running OS10, the BlackBerry Link software can be used to create a backup, which is in .bbb format regardless of which platform it was created on.
Craig Bowser - DNS: What It Is, What It Does, and How to Defend It
Craig Bowser, @reswob10, Federal Director - Data Analytics at GuidePointSecurity
You can access Craig's presentation here.
You can view Craig's talk here.
Day 2
Rob Lee - Cybersecurity Careers: Where Do You Fit?
Rob Lee, @robtlee, Chief Curriculum Director and Faculty Lead at SANS Institute
Rushmi Hasham - Now What? Pursuing Cybersecurity After Graduation
Rushmi Hasham, Director of Training and Certification, Rogers Cybersecure Catalyst at Ryerson University
You can view Rushmi's talk here.
Simbiat Ozioma Sadiq - Protecting Your Digital Identity
Simbiat Ozioma Sadiq, @Xymbiz, Information Security Analyst at CEH
You can access Simbiat's presentation here.
You can view Simbiat's talk here.
Q: How about private messages we send between friends? Are these messages really private or can they be used against us too?
A: To be honest, I suggest that if it’s typed, saved, or sent, it can be discovered by someone with enough DFIR skills and time. “Private” is very often far from the truth.
Q: If you delete your Facebook account can people still find it and open it again? Or can they create an account in your name, if you don't have one?
A: Copycat accounts are common and unfortunately quite easy for someone to set up. If you follow Facebook's guidance to close an account, it's not likely that someone can open your account again, but they could still set up a copycat that looks like you. Same for opening an account that looks like you even if you don't have one.
Phillip Wylie - Starting a Career as an Ethical Hacker
Phillip Wylie, @PhillipWylie, Co-Author of The Pentester Blueprint: Starting a Career as an Ethical Hacker
You can access Phillip's presentation here.
You can view Phillip's talk here.
Q: How can I get started as a System Administrator?
A: CompTIA A+ and Network+ will give you the base knowledge needed to start.
Q: Is it better to go into IT first with the goal of going into cybersecurity afterwards?
A: It is a good way to get into cybersecurity but not required. You can get IT skills from courses and go directly into cyber security. Any experience you get in IT would help in some way in cybersecurity.
Q: How do you become a red teamer? What should we learn for it? And how are web pen testing and red teaming related?
A: You need to learn how to pentest to be a red teamer. Red teaming is a more advanced form of pen testing where you try to emulate a malicious hacker and try to go undetected. Once you have the pentesting skills you will work on learning how to obfuscate your exploits and use techniques to go undetected.
Q: What is forensics?
A: Digital forensics is the practice of evaluating artifacts like logs, files and their contents, and other electronic data to determine what actions a user or attacker conducted on a system or network. Think of it as a digital detective.
Q: What is binary code and can it be converted to python?
A: Binary code is a compiled form of programming language that creates an executable file. It is not convertible to Python but you can use Py2Exe to create an executable file or binary out of Python programs.
Q: Does red teaming have a separate roadmap? Or can we be a red teamer just by getting advanced in pentesting?
A: They are very similar - I’d say red teaming typically requires a bit more experience but that’s not a 100% rule. Pentesting skills contribute to red teaming capabilities, but red teaming incorporates a LOT more.
Q: What is your recommended site to learn to hack?
A: The Cyber Mentor, Hack The Box, and Try Hack Me.
Q: What would you say is the right amount of money to spend on a cybersecurity course?
A: It is going to depend on your budget. Starting out you don't have to spend much. You can take courses by The Cyber Mentor, or Pentester Academy, and use Hack The Box, or Try Hack Me for the hacking skills.
Q: What are the best value for money cybersecurity courses and certifications out there?
A: The Cyber Mentor and Pentester Academy courses. PenTest+ for pentesting certifications.
Gabriel Agboruche - Can People Hack Nuclear Plants?
Gabriel Agboruche, @ICS_Gabe, Senior Consultant - ICS|OT at Mandiant
You can access Gabriel's presentation here.
Alyssa Miller - Next-Level App Hacking: Threat Modeling for Better Attacks
Alyssa Miller, @AlyssaM_Infosec, Hacker & Security Researcher
You can access Alyssa's presentation here.
You can view Alyssa's talk here.
Q: Is there a universal set of tools all ethical hackers use in order to carry out operations, like do blue team and red team use separate tools from one another? Or do all ethical hackers need to create their own programs for their specific targets?
A: In general blue teamers tend to have a different set of tools than red-teamers. Blue teams are trying to build defenses and remove vulnerabilities that have already been discovered. Red teamers are trying to craft attacks, avoid defenses, and discover vulnerabilities in the systems that they can attack.
Q: How often do you focus on DevSecOps when you speak to developers about threat modelling and incorporating security into their mindsets?
A: This is an area I have been focusing on a lot lately. People don't fully understand DevSecOps as a concept and when it comes to Threat Modeling they have a difficult time fitting it into the fast-paced processes of a DevSecOps culture. So I have been very focused in the last two years on finding ways to do it better and educating people on those ideas.
Q: Could you explain more about what app phishing is? How do we protect against it?
A: I've not seen/heard "App Phishing" used as a term before. Phishing refers to the use of specifically crafted emails that attempt to fool a user into taking some action that could compromise their personal information or the security of their systems. For instance, they might try to trick the user into clicking a link that takes them to a website that steals their information or get them to open an attachment that contains dangerous malware or ransomware.
Q: How do I harness the art of threat modeling?
A: There are different ways to think about it: 1. Attacker perspective: what would I want to go after, what would I gain the most? 2. What if I were this company, what would I want to defend the most? 3. User mindset: what should I do or not do?
Q: How often do websites have in house security auditors?
A: Let's clarify some language here. Auditors would refer to people who ensure that the application teams follow standards that the company has documented for how to manage the security of the applications. Penetration testers/ethical hackers would be the ones that perform technical assessments of the systems. Most mid-sized or larger companies (1,000 employees or more) will have some form of internal auditors. However, it's usually not until they get larger that they build internal teams of penetration testers. Additionally, it very much depends on what kind of business they are. Banks, technology companies, and insurance companies are more likely to have internal teams than manufacturing, retail, or health care.
Q: How do you value a threat to the organization?
A: There is no one way to do it. But in general, it's a combination of the value that the affected asset has (personal information, company secrets, etc.), the likelihood of the threat launching an attack, and the amount/type of impact it could have on that asset.
Q: Are you allowed to do bug bounties if you are under 18?
A: In most cases, you do have to be an adult because bug bounty programs require you to agree to specific legal terms and conditions and in general the law does not allow for minors to provide such consent. However, you'd have to consult the individual terms of each bounty program to find out for sure.
Q: Would coding affect the speed of the Internet and fps(frames per second) of games?
A: It certainly can, yes. There are a lot of factors in how games are written that can impact their performance, including bandwidth required and the video quality (which even goes beyond fps).
Q: If a hacker were to get a hold of the information from several credit cards, then wouldn't the original owners of the cards be alerted to false use of that information?
A: Potentially, yes. However, it's not a perfect science. It would require either that the company that the attackers stole the information from noticed it (which in general doesn't happen right away) or the credit card company notices that charges being made on the card are suspicious.
Rajvi Khanjan Shroff - Cracking the Mystery: Quantum Cryptography and the Future of Cybersecurity
Rajvi Khanjan Shroff, Founder of Project Cyber
You can access Rajvi's presentation here.
Resources from her slides:
Project Cyber Instagram
Q: You keep saying "we" when referring to Project Cyber, are there more people involved in this?
A: Yes, there are! :) If you head to our website, we have quite a few official members, as well as members who have joined us recently after watching SANS Cyber Camp and are now working on their first draft and meeting our other members!
Q: Are quantum computers available to the public? If not, will they ever be?
A: Quantum computers can be simulated, and one way to "interact" with a quantum computer is through the IBM Quantum Experience. It's a platform that enables anyone to access quantum processors. It's pretty cool in that it allows you to program a real quantum computer right at home. I've played around with it before and found it a pretty cool resource, so I've added a link to it with the other resources!
Q: Is quantum cryptography related to quantum physics?
A: Yep, so think of it like this: Quantum physics is the branch of science that deals with the world on a microscopic level. Properties of quantum physics enable us to build quantum computers, which in turn create a need for a new kind of cryptography, quantum cryptography, as our cryptography today can be broken by the quantum computers of the future.