Talks

• Speaker: Amol Sarwate

• Title: SCADA Security: Why is it so hard?

• Abstract: This talk will present technical security challenges faced by organizations that have SCADA, critical infrastructure or control systems installations. It will provide examples of attacks and examples of security controls for the same. The talk will introduce an open-source tool to help identify and inventory SCADA systems.The presentation will begin by introducing SCADA systems under the hood including RTU, IED, PLC, FEP, PCS, DCS, HMI, sensors, data historians and other SCADA components. The presenter will categories these components into distinct groups based on the functionality that each component provides. The presenter will review the security implications on each of these groups and identify where most of the threats lie. The presentation will take a packet level dive into SCADA protocols like MODBUS and DNP3 and study their security implications. The presentation will give example of attacks that can be carried out against each group and component. The presenter will release an updated version of an open-source tool to identify and inventory SCADA systems using the protocols discussed in this presentation. The presenter will then focus on real world examples of successful and not-so-successful implementations of security controls with SCADA systems. This will include examples of what some large organizations have done, and a discussion about why SCADA security cannot be deciphered just by tools or technical solution. The presentation will conclude with guidance on how control system owners can start implementing additional measures to get to an acceptable security.Attendees who are in charge of control system infrastructure will get insight on what worked and what did not for other organizations. Engineers who are in-charge of security for control systems will get a better technical insight of SCADA protocols and components and can use the open source tool that is introduced. Attendees who are new to control systems will get an excellent overview of security complexities of control systems.

• Speaker: Spencer McIntyre

• Title: How I Learned To Stop Worrying and Love the Smart Meter

• Abstract: The "Power Grid" is a growing topic in the security industry and Advanced Metering Infrastructure (AMI) is a topic that hasn't been discussed to its full potential. This presentation will discuss the types of vulnerabilities that have been found in Smart Meters, and give examples from real world assessments we’ve conducted. Different methods of accessing the meter will be presented such as over the optical interface and the Zigbee wireless radio. In addition, we will discuss a testing methodology we’ve developed which covers Smart Meter testing.

• Speaker: Prutha Parikh

• Title: Attacking Apache Reverse Proxy

• Abstract: his talk will discuss the Apache Reverse Proxy vulnerability (CVE-2011-4317) that I discovered while developing vulnerability signatures for Apache. Depending on the reverse proxy configuration, the vulnerability allows access to internal systems from the Internet.

  The presentation will start with discussion on reverse proxies and look at some older reverse proxy vulnerabilities and patches. It will go into the thought process behind bypassing the latest patch to discover a new vulnerability to remotely gain access to the internal network. It will also describe the tools, techniques and ideas that went behind discovering the new variant of the vulnerability and constructing a proof of concept to exploit the issue. Along with exploring the root cause of the issue, it also talks about the issue from an attacker’s perspective and finally recommends protection mechanisms against the attack. The talk will also give the audience a peek into the process of vulnerability signature creation and discovering new vulnerabilities.

• Speaker: James Kegel

• Title: WiFi Security

• Abstract:

• Speaker: Matt Presson

• Title: Building a Database Security Program

• Abstract: In today's world of Information Security, we implement technical controls almost everywhere. As such, you would probably be hard pressed to find an up-to-date InfoSec department that didn't manage firewalls, IDS/IPS systems, Web Application Firewalls, HIDS/HIPS, AV for clients and servers, and full disk encryption for laptops. While these types of systems can be useful, in most cases they fail to prevent a company's IP and customer data from being stolen by attackers.

  This talk will present a model that can be used by companies to effectively detect and prevent such breaches by implementing a database security program focused on business integration, proactive security controls, and continuous monitoring and alerting. Examined will be the key focus areas of the program along with how each provides greater visibility to security and the business, and makes it possible to respond quicker to potential security incidents - potentially preventing a breach altogether.

• Speaker: James Ruffer

• Title: Attacking Corp America using Social Media

• Abstract:James F. Ruffer III is well-known ethical hacker with a special interest in social engineering and social media hacking. He is a regular presence on the USA weekly (Chicago NBC radio), Memphis NBC TV, and Memphis Clicks and Coffee, where he talks on security issues. Also, James has published widely on security topics, includingsocialmediasecurity.com, FBI Infragard, and connectedcops.net. James has spoken at several security events, including Phreaknic, Infosec Chicago, Memphis CyberExpo. Extending his expertise into the app world, James has publish apps for datalossdb.org,ihackcharities.org, and exoticliability. James is currently on the board of Memphis OWASP and Memphis ISSA, and he serves as VP of IT for a financial institute. His past experience also includes CTO social media/mobile development, Encryption Engineer for fortune 500, and forensics engineer for fortune 50 company.