Security Camp

Security Camp -- bringing together cybersecurity, privacy, and open source software. Saturday November 18, 9am to 5pm


We know about Open Camps--one of the largest mission-driven open source conferences, held annually in New York since 2012 and attended by technologists and technology decision makers from around the world. All come together for an annual, multi-week conversation about the state of open source technology and the future evolution of global infrastructure and interconnectedness.

Security Camp at Open Camps is now in its second year. Security is of critical importance given rampant threats, whether from profit-motivated thieves, nation-states, or others performing malicious actions that target individuals, corporations, digital infrastructure, and now the physical infrastructure that is connected to our digital systems.

Security Camp brings together some of the top experts in this field for a three-tiered learning approach to cybersecurity: (i) how potential victims, whether individuals, corporations, NGOs, or governments, can protect themselves; (ii) how inventors, entrepreneurs, and software developers can implement security and privacy by design, building security into the development life cycle and DevOps from the start; and (iii) how governments can better protect their citizens from what is becoming a crime of epidemic and largely unanswered proportions.

The event presents opportunities across the spectrum for security experts to meet decision makers in need, for stakeholders at all levels to attend sessions on the overall cyber threat landscape, and for security technologists and information security professionals to explore technical partnerships.

Security Camp features distinguished and exciting speakers, including Antoine Arlaud, Chris Frenz, Jessica Robinson, John Bandler, Ken Belva, Zoe Braiterman, Vitaliy Dubinskiy, Susan Malaika, and Nicole Becher.

Security Camp will be held on Saturday November 18.

Sponsors

Sponsorship opportunities are available. Please contact info@opencamps.org if you are interested in sponsoring Security Camp.

Presenters


John Bandler

Founder (Bandler Law Firm and Bandler Group)

Antoine Arlaud

Solutions Engineer (Snyk.io)

Jessica Robinson

CEO (PurePoint International)

Ken Belva

(OpCode 41 Security, Inc.)

Dylan Esworthy

Account Manager (Alltech Consulting)

Zoe Braiterman

Chair, Women in AppSec (WIA) Committee (OWASP Foundation)

Susan Malaika

Senior Technical Staff (IBM)

Vitaliy Dubinskiy

COO (CYBRI)

Nicole Becher

Cyber Security Fellow (New America)

Schedule

Security Camp will be one day only, on Saturday, November 18, 2017, from 9:00 a.m. to 5:00 p.m. It will be hosted at Convene, 730 3rd Ave (between 45th St. and 46th St.), 17th Floor, in "The SoHo Hub". Arrive at 9:00 a.m. and grab a complimentary beverage; the program begins at 9:15, and the first speaker starts at 9:30.

Presentations


Legal aspects of cybersecurity, privacy, security, and government

Cybercrime is a relatively new threat, considering the history of society and law. Today's technology brings considerable advances and benefits, but also brings a multitude of security and privacy threats. Cybercrime, encryption, and virtual currency are all evolving issues. Society--and the law--is struggling to keep up and balance innovation, advancement, cybersecurity, privacy, and government's role to protect the community from individuals and nations that wish to do harm. Government should protect us from crime and attack, but is not yet effective with regard to cybercrime. In some areas, government and the law should play a role to encourage corporations to be responsible, cybersecure, and protective of the privacy of their employees and customers. In some areas, the law is antiquated and based on conventions from long ago--consider the provision based on the assumption that emails older than six months must have been abandoned by the user. Technologists should be aware of the law, know how to follow it, and responsibly debate the issues and influence their government to make responsible choices for our future.

John Bandler

Founder (Bandler Law Firm and Bandler Group)

Social Impact, Security and Innovation

This talk will highlight the key themes of the top organizations making an impact in these areas. It will highlight World Pulse (www.worldpusle.com) and other organizations, and explain why, more than ever, we need a new and fresh approach to innovative social impact solutions focused on security.

Jessica Robinson

CEO (PurePoint International)

Introducing IoT Crusher (Open Source Version)

IoT Crusher Open Source is a scanner that checks IoT and legacy devices for malware credential vulnerabilities. Vulnerable devices are then reported. These malware attacks have been known to create some of the largest worms, such as Mirai, in recent cyber history. Check if your networks and devices are vulnerable to malware without risk of infection.

Ken Belva

(OpCode 41 Security, Inc.)

Stranger Danger: addressing the security risk in npm dependencies

Open source modules, and especially npm, are undoubtedly awesome. However, they also represent an undeniable and massive risk. You're introducing someone else's code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your users' data. The talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.

Antoine Arlaud

Solutions Engineer (Snyk.io)

Mitigating Malware Attacks with a Zero Trust Network

With estimates placing ransomware as a $1 billion industry in 2016, and with 2017 consisting of pandemic outbreaks of ransomware in the form of WannaCry and NotPetya, organizations need to be prepared for the eventuality that a malware threat may find its way past their perimeter and endpoint defenses. A robust anti-malware strategy should involve a defense-in-depth approach to securing your organization, such as the one laid out in the OWASP Anti-Ransomware Guide (https://www.owasp.org/images/c/ca/Anti-RansomwareGuidev1-6.pdf). In this talk, the security control of network segmentation will be looked at in depth, with an emphasis on how organizations can begin to make a push towards zero trust. Zero-trust environments, and the high level of network segmentation they require, are an ideal way to help mitigate the spread of malware and other security threats, because communication between systems on the same network will likely not even be possible unless a legitimate use case was already defined in the firewall policies that control the communication between those systems. While the occasional malware infection is likely always going to be a reality, despite AV software, application blacklisting, web filtering, and the many other controls that can be implemented, a heavily segmented network will ensure that such infections remain isolated to their own network segment and cannot spread to systems in other segments, since that communication will not be permitted.

Open Source Tech for Data Governance & Compliance

Data governance is a critical topic for many institutions. Regulatory bodies are introducing compliance directives for many industries that constitute prerequisites for doing business. This session introduces an initiative and a call to action to make it possible for metadata tools and catalogs to plug and play, and to drive data governance via metadata automation. The initiative, recently kicked off at the ODPi consortium, is based on open source tech such as Apache Atlas along with pluggable industry-specific open source components.

1.5 million unfilled cyber security positions in a few years?

The cyber threat is constantly growing, making the shortage of qualified talent more noticeable than ever. All major universities have started offering degrees and courses in cybersecurity; however, this may not be enough to close the gap, due to the lack of hands-on experience among freshly graduated candidates. Some predict that this shortage will only continue to grow, since the number of attacks on SMEs has grown over 200% within this year alone. So what does the future look like for cyber talent?

Vitaliy Dubinskiy

COO (CYBRI)

Cybersecurity, Erlang, & Opensource Combine in OpenC2

This presentation will be about the intersection of three topics I care deeply about: Erlang, cybersecurity, and open source; and how those topics are combined in OpenC2, a new standard being developed for Command and Control (C2) for cyber security technologies. Cyber-attacks are increasing in terms of sophistication, speed, and dynamics. Advanced cyber actors (and even script kiddies) are utilizing automation with adaptive tradecraft, and these trends are likely to continue. A key enabler for the realization of more flexible and interoperable cyber defense components is standardizing interfaces and protocols to facilitate interoperability and integration. The OpenC2 Technical Committee in OASIS was founded to standardize machine-to-machine command and control (openC2) to enable cyber defense system interoperability at machine speeds.

Ocas is an open source openC2 simulator developed in Erlang by the author for:

- Validating the openC2 language specification
- Simulating openC2 interfaces for the purpose of testing a product which produces openC2
- Simulating an entire network of security devices from an openC2 perspective for the purposes of evaluating a playbook (automated response to a particular trigger) from either the blue-team or red-team perspective
- Code reuse by other open source security projects (e.g. an openC2 interface to your favorite security technology)

The talk will begin with the problem openC2 is trying to solve and a review of openC2, its use cases, and current status. Then a case will be made for why Erlang is the right language for developing security applications. Ocas will be described, including use cases, the design choices made in ocas development, the software architecture and code base, and next steps, and the talk will end with a live demo.

Duncan Sparrell

Chief Cyber Curmudgeon (SFractal Consulting)

News

Security Camp will be on Saturday November 18, 9am to 5pm at Convene, 730 3rd Ave (between 45th St. and 46th St.), 17th Floor, in "The SoHo Hub."

Location

Security Camp will be hosted at Convene, 730 3rd Ave (between 45th St. and 46th St.), 17th Floor, in "The SoHo Hub", on Saturday November 18, 9am to 5pm. Convene is a great conference facility: www.convene.com

Team

Security Camp is run by a team of volunteers, like the rest of Open Camps. This conference is not run for profit, but to foster education about open source and security.

John Bandler

Founder (Bandler Law Firm and Bandler Group)

Bev Corwin

Director of Technology (DDC)