Presentations

BSIdes Caymans. And the Clouds Break: Continuity in the 21st Century. The promise of cloud computing was a utility; always up, always on, just a click away. But we’ve seen many outages. It’s clearly time to blow the dust off the continuity handbook, and revisit recovery for the twenty-first century. This talk provides an overview of business impact analysis, business continuity, and disaster recovery. We then revisit these concepts in the day and age of utility computing and Cloud services. After all, the cloud breaks. (May 25, 2022. Cayman Islands)

CypherCon. Street Cred: Increasing Trust in Passwordless Authentication. Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. What holds us back from getting rid of passwords? Trust. In this session, we will propose a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor. We will share a path forward for increasing trust in passwordless authentication. (April 28, 2022. Milwaukee, WI)

CypherCon. Mistaken Identity: Protecting OAuth & OIDC. We’ve reached a tipping point with more apps being delivered from cloud services than from on-premises. OAuth 2.0 and OpenID Connect (OIDC) have become essential in federating access and handling strong authentication. But these are frameworks not standards, and these frameworks are based on dozens of RFCs. This has resulted in numerous approaches, confusing developers and security teams alike. In this presentation, participants will learn how to secure implementations. (April 28, 2022. Milwaukee, WI)

Security BSides San Francisco. Shall we play a game? Muscle memory, incident responders will tell you, is crucial to acting quickly in a crisis. Cyber Threat Intelligence informs what we do, but practice ensures we do it well—executing effectively to eliminate the threat and protect the organization. This session provides an approach to developing security exercises and running practice drills. MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) forms the basis of this approach. We will cover the fundamentals of an exercise: selecting the story, identifying the tactics, threat modeling, table top discussions, adversarial emulation, and scoring. The session concludes with advice on creating an overall exercise program, focusing on repetition, momentum, and building muscle. Turn intelligence into practiced action with security games. (March 2019. San Francisco, CA)

BSides Charleston. Follow the Rules (Keynote). As cyber security moves from hobby to profession, we have cemented fundamentals about security. We manage risk, not technology. We build security with defense-in-depth. We don’t do security through obscurity. And we definitely don’t just check the box. We hire people who look like hackers. We build systems that look like castles. We follow the rules. But, what if we’re wrong? What if we turn the rules on their head? What can we learn by challenging the fundamentals? (November 10, 2018. Charleston, SC)

SecureWorld Detroit. Nothing of Value. “We have nothing of value to a hacker,” the businessperson responds to the cybersecurity professional. “Why invest in security?” At the same time, money in cybercrime has exceeded the drug trade. Attacks are up, from ransomware to crypto mining. In this presentation, we will break out the different types of threats: from the curious to the criminal. The session explores the economics behind the tactics and presents ways to make our organizations less of a target. At the same time, we will cover making the business case for security improvements and maximizing the budget we win. (September 12-13, 2018. Dearborn, Michigan)

GrrCon. Bounty Hunters. Bounty hunters, those keyboard cowboys, bent on circumventing protections and leveraging mistakes in software. All for coin, swag, and glory. But bug bounty programs are the latest attempt to find and stamp out code-level weaknesses. We’ve tried education. We’ve tried coding guidelines. We’ve tried top tens and paid penetration testers. And now we turn to the lone hunter, hoping to find and close just one more vulnerability. This session will highlight some achievements in recent times by these bounty hunters. And stepping back, thinking about defensibility, a framework and approach for building stronger software will be shared. After all, anyone writing code today lives with a price on their head. (September 7, 2018. Grand Rapids, Michigan)

CircleCityCon. Classic Cons in Cryptocurrency. Cryptocurrency brings with it a slew of new security concerns: 51% attacks, forks, and encryption busting quantum computing. This talk will explore the latest while providing background information on Blockchain and the inherent security controls it brings. That said, any technology is only as secure as the implementation. Moreover, every new technology gets adapted on the street to fit old crimes. Stolen wallets. Pyramid schemes. Confidence tricks and more. We’ll compare and contrast the crimes that the news media hypes and the cons that criminals routinely run. (June 3, 2018. Indianapolis, Indiana. Co-presented with Zachary Sarakun.)

CircleCityCon. Securing without Slowing: DevOps. We turn to DevOps for speed. We turn to Cloud for flexibility. We adopt faster, leaner, more collaborative processes to drive change. And then? We turn to information security for protection. But can we secure the technology without slowing the pace? This session presents an entirely fictional development organization adopting DevOps. We will discuss which traditional software security processes work, and which ones fail entirely. Awareness training, muscle memory, culture shifts, all will be brought together. The presentation will conclude with take-aways for applying security to your DevOps team without slowing down. (June 3, 2018. Indianapolis, Indiana)

BlueRidgeCon. Roads Taken into InfoSec (Keynote). Those not in InfoSec want to get in. Those in InfoSec want to make it better. But with so many roads into our field, it is near impossible to draw lessons. And with many of those roads under construction, we can quickly find our progress slowed or stopped. We need more people. We need better people, people smarter than ourselves. It takes talent to find vulnerabilities, identify threats, respond to incidents, and avoid the press while drinking the taverns dry. In this session, Wolfgang Goerlich shares what he’s learned about developing talent from forty-two people he’s mentored during the past three years. This is a call for hackers and hunters to join a shared adventure, with a roadmap for getting there. (May 19, 2018. Asheville, NC)

Converge Detroit. Prowling: Better Penetration Testing. “But we passed our penetration test,” the person handling the security breach groaned. “How come they missed this?” Since the late 1960s, penetration testing has been about two things: demonstrating that the system can be broken into and finding some vulnerabilities. But, by now? We all know systems can be broken into. The shock and surprise are gone. And we all know there are vulnerabilities. Scores of vulnerabilities. Too many vulnerabilities. In fact, arguably today’s penetration testing doesn’t even identify a fraction of the vulnerabilities. This session will review the state of testing strategies and present predictions on where penetration testing should go in the future. (May 11, 2018. Detroit, Michigan)

RSA Conference. Zero to Ninety in Securing DevOps. As DevOps continues to be adopted across industries, IT security and application security professionals are being asked to secure the workflow and products. And we get asked to evaluate, recommend, and implement security controls well after the DevOps team has been established. Sometimes, months or even years after the team has launched. This talk speaks to that audience, sharing practices on how to start off strong. Approaches for building relationships, creating intuition, and becoming a trusted partner will be discussed and demonstrated. It is imperative we add security without taking away speed and agility, and the first 90 days is a crucial period. (April 16, 2018. San Francisco, California)

Codemash. Securing without Slowing: DevOps. We turn to DevOps for speed. We turn to Cloud for flexibility. We adopt faster, leaner, more collaborative processes to drive change. And then? We turn to information security for protection. But can we secure the technology without slowing the pace? This session presents an entirely fictional development organization adopting DevOps. We will discuss which traditional software security processes work, and which ones fail entirely. Awareness training, muscle memory, culture shifts, all will be brought together. The presentation will conclude with take-aways for applying security to your DevOps team without slowing down. (January 12, 2018. Sandusky, Ohio)

MiSec. Prowling: Better Penetration Testing. “But we passed our penetration test,” the person handling the security breach groaned. “How come they missed this?” Since the late 1960s, penetration testing has been about two things: demonstrating that the system can be broken into and finding some vulnerabilities. But, by now? We all know systems can be broken into. The shock and surprise are gone. And we all know there are vulnerabilities. Scores of vulnerabilities. Too many vulnerabilities. In fact, arguably today’s penetration testing doesn’t even identify a fraction of the vulnerabilities. This session will review the state of testing strategies and present predictions on where penetration testing should go in the future. (December 13, 2017. Lansing, Michigan)

DefCamp. Securing without Slowing. Case studies of successful DevOps and Cloud security, leaning on Rugged and security culture, will be shared. The emphasis is on teams that secure the process and technology without sacrificing time. But can we secure the technology without slowing the pace? Absolutely. The session concludes with lessons on how to do just that. (November 9, 2017. Bucharest, Romania)

GrrCon. We Got It Wrong. This session is on all the things we all say all the time, about all the things we all know. Security through obscurity is bad. Defense in depth is good. Stop clicking things. Next generation is bad, or maybe, next generation is good. The list goes on and on. The resulting rules of thumb are sometimes contradictory and often misleading. With war stories and anecdotes, we’ll explore what happens when teams run security by tribal knowledge instead of research and reason. Spoiler alert: they get pwned. Turns out, we were wrong. (Friday, October 27, 2017. Grand Rapids, Michigan)

TAGITM. Security Culture (Keynote). People performing conscientiously and consistently is a lofty goal. Information Risk Management gives us the process to follow. Control frameworks give us the standards to set and meet. Yet it is the people who ultimately decide our security posture. In this presentation, we will introduce culture frameworks. Culture frameworks provide a means to accelerate building a cyber security program. For programs that are maturing, culture provides a means to communicate and drive behaviors. To illustrate this point, case studies will be shared that illustrate the challenges and successes of applying culture management. Let’s get street smart about cyber security. (October 5, 2017. Dallas, Texas)

SecureWorld Detroit. And the Clouds Break: Continuity in the 21st Century. (September 13, 2017. Dearborn, Michigan)

Duo Tech Talks. Encryption: Tarnished Silver Bullets. (June 22, 2017. Ann Arbor, Michigan)

CircleCityCon. And the Clouds Break: Continuity in the 21st Century. The promise of cloud computing was a utility; always up, always on, just a click away. But we’ve seen many outages. It’s clearly time to blow the dust off the continuity handbook, and revisit recovery for the twenty-first century. This talk provides an overview of business impact analysis, business continuity, and disaster recovery. We then revisit these concepts in the day and age of utility computing and Cloud services. After all, the cloud breaks. (June 9, 2017. Indianapolis, Indiana)

Converge Detroit. Tarnished Silver Bullets. They make it sound easy. Identify data assets. Assess threats. Protect it. Encrypt it. In theory, sure. In practice, not so much. Besides, what does a real attack look like? Encryption, as with any security tactic, quickly becomes complex and diffuse without a unifying strategy. The question of how it protects the organization’s mission must be answered. And what about threats and criminal activities? This session details how to identify and document the business processes, convert threat intelligence into actionable threat models, and strategically deploy encryption. (May 12, 2017. Detroit, Michigan)

Ann Arbor .Net Developers (AAND). Werewolves and Silver Bullets, Vampires and Holy Water, Hackers and Encryption. (May 10, 2017. Ann Arbor, Michigan)

Central Ohio InfoSec Summit. Game On. Beat the clock. Table-top. Tag. Scavenger hunts. All are forms of games. All four can be applied to strengthening a team’s incident response readiness. In this presentation, we detail building an incident response program around threat modeling, security exercises, and use cases for security operations. We’ll wrap up the session covering gamification of incident response. The result? Detecting faster. Recovering faster. (April 20, 2017. Columbus, Ohio)

RSA Conference. Encrypt: Protect the Business, Prevent the Threats. Encryption, as with any security tactic, quickly becomes complex and diffuse without a unifying strategy. The question of how it protects the organization’s mission must be answered. And what about threats and criminal activities? This session details how to identify and document the business processes, convert threat intelligence into actionable threat models, and strategically deploy encryption. (February 16, 2017. San Francisco, California)

CodeMash. Data-centric Encryption in Practice. They make it sound easy. Identify data assets. Assess threats. Protect it. Encrypt it. In theory, sure. In practice, not so much. Besides, what does a real attack look like? This session explores the problem, punch and counter-punch, by demonstrating attack techniques and encryption coding practices. We will start with common use cases, such as data warehousing, payment systems, Big Data analytics, and more. We will then discuss the threats and vulnerabilities, perform a basic threat modeling and risk assessment, and show how criminals punch through the security. Using secure development patterns and tools, we’ll demonstrate how to block and counter-punch the criminals. Heavy on the demos, light on the mathematics. (January 10, 2017. Sandusky, Ohio)

ISACA. More of Gravy than of Grave. “You may be an undigested bit of beef,” Scrooge once said. “A blot of mustard, a crumb of cheese, a fragment of an underdone potato. There’s more of gravy than of grave about you!” And next thing he knew Scrooge’s life was turned upside down. Turns out, we’re not that good at assessing risk. The question of how to protect the organization’s mission must be asked and answered. And what about threats and criminal activities? This session details how to identify and document the business processes and convert threat intelligence into actionable threat models. From there, we will cover how to strategically deploy encryption to protect the business, prevent the threats, and avoid the ghost of Christmas past. (December 13, 2016. Detroit, Michigan)

DetroitDevDay. Encryption, Silver Bullets, and Holy Water. Werewolves attack? We have silver bullets. Vampires attack? We have holy water. Criminal hackers attack? We have encryption. Or at least, that’s how we’d like it to play out. The villains come and the heroes beat them back. But too often, encryption is like water without the holy, bullets without the silver. The configuration is wrong, or the code is incomplete, or other simple flaws trip us up. This talk will cover how and where to code for encryption to get real protection. With demos and code samples, we’ll discover the patterns for success. (November 12, 2016. Detroit, Michigan)

Tactical Edge. New Ways to Steal. When asked why he robbed banks, Willie Sutton famously answered “because that’s where the money is.” It is no surprise that criminals followed the money to online payment systems and digital wallets. This talk will look at several such crimes, analyzing security failures at Starbucks, Apple, Google, WeChat, and more. Amid the encryption and tokenization and PCI DSS compliance, somehow, criminals still manage to eke out a living defrauding consumers. (And by eke, we mean the estimated $3 trillion dollar cybercrime industry.) This talk will review emerging payment systems and describe the fraud and the flaws. With that as a framework, we will propose first principles for securely designing new systems that avoid the pickpocketers. (October 25, 2016. Bogotá, Colombia)

North American International Cyber Summit. Food for Thought: Operational Technology Risks. We are only just barely beginning to secure information technology in organizations. Operational technology, such as industrial devices and production equipment, has received less attention. Yet much of what consumers demand, from medical to power to food production, relies upon integrated OT and IT. Using frameworks such as NIST and using threat intelligence, technical controls should be established and assessed. Using food production as an example, this session explores developing initial assessments to gain visibility into OT, integrating OT risks with established IT risk management practices, unifying security programs across IT and OT domains, and establishing a governance program. (October 17, 2016. Detroit, Michigan)

GrrCon. Lunch. Modern food production relies upon a collaboration of information technology and operational technology. Break one or the other, or both, and our food supply is jeopardized. Organizations lack visibility into the technologies and the associated vulnerabilities. Different teams are responsible for different aspects, further complicating the matter. We do not have a central source for inventory, for vulnerabilities, for controls, or even for ownership. This is at a time when new technologies, such as the Internet of Things, and new threats are entering production environments. In this session, we will survey the problem and propose an approach to developing, assessing, and managing toward a unified control framework that protects our food. (October 7, 2016. Grand Rapids, Michigan)

Project Management Institute. Life: Embedding Security into the Lifecycle of Projects. This session provides guidance on advancing our security posture, building our security culture, and increasing our influence with stakeholders. We will walk through the entire project lifecycle: building the business case, shaping the deployment project plan, executing, shifting into operations, and finally retiring the service. (September 26, 2016. Frankenmuth, Michigan)

Converge Detroit. Food Fight! (30 Minute Lightning Version). Modern food production relies upon a collaboration of information technology and operational technology. Break one or the other, or both, and our food supply is jeopardized. Organizations lack visibility into the technologies and the associated vulnerabilities. Different teams are responsible for different aspects, further complicating the matter. We do not have a central source for inventory, for vulnerabilities, for controls, or even for ownership. This is at a time when new technologies, such as the Internet of Things, and new threats are entering production environments. In this session, we will survey the problem and propose an approach to assessing the technology and gauging the risk to our food supply. (July 15, 2016. Detroit, Michigan)

BSides Cleveland. Playing Doctor: Lessons the Blue Team Can Learn from Patient Engagement. At CircleCityCon 2015 in the presentation “Turn Your Head and Cough”, Nathaniel “Dr. Whom” Husted compared security architecture assessments to being a physician. The similarities run deep. Doctors struggle with patient compliance, complex and unclear problems, time and resource pressures, and succeed only when others carry out their recommendations. Doctors struggle all the time. In this session, we explore the field of patient engagement and discuss how doctors are trained to drive patient behavior. We will cover the metrics and reporting used to determine patient engagement. And at each step along the way, lessons will be shared for applying these ideas to information security. So the next time you present an IT compliance report, the next time you share your findings from a penetration test, or the next time you tell developers their code is weak, you’ll be ready to drive behavior and get results by playing doctor. (Saturday, June 25, 2016. Cleveland, Ohio. Co-presented with Stefani Shaffer-Pond)

BSides Cleveland. Food Fight. From farm to fork, food production in America is a complex and interwoven system of technologies. This session explores a slice of that system and relies upon food production as an example of multifaceted penetration testing. With a combination of stories and lessons learned, we will discuss and learn from the challenges of scaling up penetration testing and adapting it to unique technologies. This provides us an opportunity to sharpen up on the basics while learning advanced techniques. Moreover, given food production’s reliance upon SCADA and ICS systems, the session will describe how these non-traditional systems can be assessed. All in all, for the defenders, what we learn from a good food fight can be directly applied to securing our own complex networks. (Saturday, June 25, 2016. Cleveland, Ohio.)

CircleCityCon. Playing Doctor: Lessons the Blue Team Can Learn from Patient Engagement. At CircleCityCon 2015 in the presentation “Turn Your Head and Cough”, Nathaniel “Dr. Whom” Husted compared security architecture assessments to being a physician. The similarities run deep. Doctors struggle with patient compliance, complex and unclear problems, time and resource pressures, and succeed only when others carry out their recommendations. Doctors struggle all the time. In this session, we explore the field of patient engagement and discuss how doctors are trained to drive patient behavior. We will cover the metrics and reporting used to determine patient engagement. And at each step along the way, lessons will be shared for applying these ideas to information security. So the next time you present an IT compliance report, the next time you share your findings from a penetration test, or the next time you tell developers their code is weak, you’ll be ready to drive behavior and get results by playing doctor. (June 11, 2016. Indianapolis, Indiana. Co-presented with Stefani Shaffer-Pond)

CircleCityCon. Food Fight. From farm to fork, food production in America is a complex and interwoven system of technologies. This session explores a slice of that system and relies upon food production as an example of multifaceted penetration testing. With a combination of stories and lessons learned, we will discuss and learn from the challenges of scaling up penetration testing and adapting it to unique technologies. This provides us an opportunity to sharpen up on the basics while learning advanced techniques. Moreover, given food production’s reliance upon SCADA and ICS systems, the session will describe how these non-traditional systems can be assessed. All in all, for the defenders, what we learn from a good food fight can be directly applied to securing our own complex networks. (June 10, 2016. Indianapolis, Indiana)

Great Lakes InfraGard Conference. Demonstrations of Risk (Keynote). A live fire demonstration showing the need for proactive cybersecurity measures in our lives and in our organizations. (May 15, 2016. Grand Rapids, MI)

MCRCon. Defensible Architectures (Keynote). Security architectures can be lofty goals and theoretical models. Yet when the architectures meet the real world, not everything goes according to plan. This reality will be explored in this session through a series of case studies on organizations. Organizations that developed architectures and roadmaps. Organizations that migrated to the new architecture and dealt with technical debt. And perhaps most importantly, organizations that responded to incidents and contained security breaches within their new architecture. From this vantage point, we will share lessons learned and key take-aways for making the most from security design. (May 10, 2016. Ypsilanti, Michigan)

MCRCon. Guarding Dinner. A look at the food production industry and its role as critical infrastructure. (May 10, 2016. Ypsilanti, Michigan)

BSides Chicago. Food Fight. From farm to fork, food production in America is a complex and interwoven system of technologies. This session explores a slice of that system and relies upon food production as an example of multifaceted penetration testing. With a combination of stories and lessons learned, we will discuss and learn from the challenges of scaling up penetration testing and adapting it to unique technologies. This provides us an opportunity to sharpen up on the basics while learning advanced techniques. Moreover, given food production’s reliance upon SCADA and ICS systems, the session will describe how these non-traditional systems can be assessed. All in all, for the defenders, what we learn from a good food fight can be directly applied to securing our own complex networks. (Saturday, May 7, 2016. Chicago, Illinois)

Central Ohio InfoSec Summit. Food for Thought: Shining Light on Operational Technology Risks. We are only just barely beginning to secure information technology in organizations. Operational technology, such as industrial devices and production equipment, has received even less attention. Yet much of what consumers demand, from medical to power to food production, relies upon integrated OT and IT. Using frameworks such as NIST and using threat intelligence, technical controls should be established and assessed. The session presents a case study on finding common ground for such controls. (March 30, 2016. Columbus, Ohio)

Cyber Summit. Threats Panel. Panelists include Rodney Davenport, Phil Bertolini, Wolfgang Goerlich, Finhas Hasan, Sandy Jurek, and Titus Melnyk. The discussion will focus on recent cyber threats to infrastructures and ways to resolve vulnerabilities by examining areas such as proactive management, mobile and Internet of Things security, and “the weakest link.” Attacks Panel. We now look at reactive measures taken due to cyber attacks against infrastructures. In a field where attacks and strategies change by the hour, panelists will discuss best practices for staying ahead and how to recover from loss. (March 18, 2016. Oakland University, Michigan)

BSides Indy. Food Fight. Modern food production relies upon a collaboration of information technology and operational technology. Break one or the other, or both, and our food supply is jeopardized. Organizations lack visibility into the technologies and the associated vulnerabilities. Different teams are responsible for different aspects, further complicating the matter. We do not have a central source for inventory, for vulnerabilities, for controls, or even for ownership. This is at a time when new technologies, such as the Internet of Things, and new threats are entering production environments. In this session, we will survey the problem and propose an approach to developing, assessing, and managing toward a unified control framework that protects our food. (March 5, 2016. Indianapolis, Indiana)

RSA Conference. DevOps Connect: Rugged DevOps (Panel). DevOps and Security practitioners combine to talk about real world, enterprise level experience on implementing automation into the Software Supply Chain. Rugged DevOps is the best shot we have at rising to the challenge of software security through the creation of an automated Software Supply Chain. If you and your company are ready to investigate the advantages of Rugged DevOps and explore the benefits of an automated Software Supply Chain, but are not quite sure on where to get started or why, this day is for you. (February 29, 2016. San Francisco, California)

Codemash. Security Culture in Development. The majority of security vulnerabilities come from flaws in software code. While the rate at which these flaws occur remains constant, we are now developing more code than ever before as well as deploying software to many more devices. We must address the software development process, and it can only be done by creating a culture of security. This session presents the Security Culture Framework (SCF) and applies it to an entirely fictional development organization. We will discuss awareness training and tying the training to tangible improvements in code. By using the SCF Topics/Planner/Metrics approach, we will move the organization toward developing ever more secure code. The presentation will conclude with take-aways for applying the SCF to your software development team. (January 7, 2016. Sandusky, Ohio)

DetroitDevDay. Pickpocketing: Lessons Learned From Payment Apps and Wallets (Developer Edition). When asked why he robbed banks, Willie Sutton famously answered “because that’s where the money is.” It is no surprise that criminals followed the money to online payment systems and digital wallets. This talk will look at several such crimes, analyzing application security failures at Starbucks, Apple, Google, and more. After each one, security architectural practices will be proposed. Your app may not be where the money is, but we can be sure that someone somewhere will try to break it. This talk will give you the street smarts to avoid the pickpocketers. (November 14, 2015. Detroit, MI)

BSides DFW. New Ways to Steal, New Ways to Protect. Emerging payment systems mean new opportunities to make old mistakes. Apple Pay and Google Wallet have taken us cardless and wireless. Starbucks invented its own espresso-driven gift cards. Bluetooth payment beacons are taking us cashierless. Yet amid the encryption and tokenization and PCI DSS compliance, somehow, criminals still manage to eke out a living defrauding consumers. (And by eke, we mean the estimated $3 trillion dollar cybercrime industry.) This talk will review several emerging payment systems and describe the fraud and the flaws. With that as a framework, we will propose first principles for securely designing new systems and sidestepping the same old mistakes. (November 7, 2015. Richardson, TX)

Motor City ISSA. Pickpocketing: Lessons Learned From Payment Apps and Wallets (Business Edition). When asked why he robbed banks, Willie Sutton famously answered “because that’s where the money is.” It is no surprise that criminals followed the money to online payment systems and digital wallets. This talk will look at several such crimes, analyzing security failures at Starbucks, Apple, Google, WeChat, and more. Amid the encryption and tokenization and PCI DSS compliance, somehow, criminals still manage to eke out a living defrauding consumers. (And by eke, we mean the estimated $3 trillion dollar cybercrime industry.) This talk will review emerging payment systems and describe the fraud and the flaws. With that as a framework, we will propose first principles for securely designing new systems that avoid the pickpocketers. (October 15, 2015. Livonia, MI)

GrrCon. Punch and Counter-punch Part Deux: Web Applications. Applications today account for 75% of all attacks on corporate resources. Whether injection, XSS, poor crypto or the general ignorance of secure coding techniques, applications need our help! In “Punch and Counter-punch Part Deux”, Wolfgang and NerdyBeardo present a poorly secured application and how to properly utilize secure coding techniques to defend it. Our attacker demonstrates active attacks against the application including using SQL Injection, Cross Site Scripting, CSRF, and Broken Crypto. Demonstrations will be written in C#; however, the concepts will work with any programming language. All code will be made available on github. (October 9, 2015. Grand Rapids, MI. Co-presented with Nerdy Beardo)

SiraCon. Change Culture, Change Risk. People performing conscientiously and consistently is a lofty goal. Information Risk Management gives us the process to follow. Controls frameworks give us the standards to set and meet. Yet it is the people who ultimately decide our security posture. In this presentation, we will introduce culture frameworks. Culture frameworks provide a means to accelerate building a risk management program. For programs that are maturing, culture provides a means to communicate and drive behaviors. To illustrate this point, case studies will be shared that illustrate the challenges and successes of applying culture management to a risk program. Attendees will leave with new insights into how to leverage the people aspect of Information Risk Management. (October 8, 2015. Detroit, MI)

Security Culture Conference. Security Culture in Development. The majority of security vulnerabilities come from flaws in software code. While the rate at which these flaws occur remains constant, we are now developing more code than ever before as well as deploying software to many more devices. We must address the software development process, and it can only be done by creating a culture of security. This session presents the Security Culture Framework (SCF) and applies it to an entirely fictional development organization. We will discuss awareness training and tying the training to tangible improvements in code. By using the SCF Topics/Planner/Metrics approach, we will move the organization toward developing ever more secure code. The presentation will conclude with take-aways for applying the SCF to your software development team. (June 18, 2015. Oslo, Norway)

CSA Nordic Summit. Life: Lifecycle management of cloud technology. The adoption of Cloud technologies elevates the role of security leadership while also raising the threat to our technology. Cloud allowed us to step away from infrastructure tasks and freed us to focus on strategic activities, applying security controls to the lifecycle rather than to the individual equipment. Using Cloud services as an example, this session provides guidance on advancing our security posture, building our security culture, and increasing our influence with stakeholders. We will walk through the entire lifecycle: building the business case, shaping the deployment project plan, executing, shifting into operations, and finally retiring the Cloud service. At each stage, we will share guidance on incorporating security activities and integrating the new service with existing security programs. The resulting lifecycle will take advantage of our new role to better protect our technology. (June 15, 2015. Oslo, Norway)

CircleCityCon. Security Culture in Development. The majority of security vulnerabilities come from flaws in software code. While the rate at which these flaws occur remains constant, we are now developing more code than ever before as well as deploying software to many more devices. We must address the software development process, and it can only be done by creating a culture of security. This session presents the Security Culture Framework (SCF) and applies it to an entirely fictional development organization. We will discuss awareness training and tying the training to tangible improvements in code. By using the SCF Topics/Planner/Metrics approach, we will move the organization toward developing ever more secure code. The presentation will conclude with take-aways for applying the SCF to your software development team. (June 12, 2015. Indianapolis, IN.)

Source Boston: Aligning Threats and Allies through Stories. (May 2014. Boston, MA)

BSides Chicago: Aligning Threats and Allies through Stories. Successful defense occurs when the interests of a security team’s stakeholders intersect with the attacker's actions. This session provides a three-part management methodology to enable defense-in-depth through effective stakeholder and threat management. Internally, the method models the political power of our target audience, the audience coverage of our message, the timing, and the benefits used to influence our audience. Externally, the method models the attacker’s objectives, tactics, techniques, and mitigating controls. Using this story-driven security methodology, we can identify what our allies need, identify what our attackers want, and build business cases to satisfy one while thwarting the other. (April 2014. Chicago, IL)

Ohio Information Security Conference. Threat Models that Exercise your SIEM and Incident Response. This talk presents a case study on taking actual security incidents, creating threat models, and using the models to create red team exercises. The resulting red team exercises are then used to evaluate our technical controls (SIEM, vulnerability management) and incident response. Quarter by quarter, this drives up the security posture. (March 12, 2014. Dayton, OH. Co-presented with Nick Jacob)

ConFoo: SDLC in Hostile Environments. What happens when end-users have the motive, opportunity, and skillset to attack our software? When two hacker conferences hosted a six week capture-the-flag contest, organizers learned first-hand how this impacts the software development life cycle (SDLC). We will discuss wins and losses, successes and failures, and hard lessons learned. (February 24 – February 28, 2014. Montreal, Canada)

BSides Columbus: Rapid Fire Threat Modeling. Everyone is talking about threat modeling. But when you get down to it, few are doing threat modeling. The reasons are simple: modeling can be complicated, there is conflicting information, and it is not clear what to do with the finished model. This session presents a pragmatic threat modeling exercise that can be accomplished in an afternoon. We will review how to find sources for threat models, how to communicate the findings, how to audit and assess the available controls, and how to drive change within the organization. In sum, this talk presents a practical approach to rapidly getting the most from threat modeling. (January 20, 2014. Columbus, OH. Co-presented with Mark Kikta)

North Oakland ISSA: Practical Threat Modeling. (December 11, 2013. Auburn Hills, MI)

Eastern Michigan University: Information Assurance: Practical Risk Management. (December 3, 2013. Ypsilanti, MI)

Oakland University’s Cyber Security Club: Surviving the Robot Apocalypse. (November 21, 2013. Auburn Hills, MI)

Siouxland IT Symposium: Bring Your Own Cloud. (November 7, 2013. Sioux Falls, South Dakota)

SecureWorld Detroit: Game Time: Disaster Recovery and Incident Response. (October 17, 2013. Dearborn, MI)

ISACA: Attack Paths and Mitigations. Threats are the missing ingredient in many security programs. Defense-in-depth is dead. When defense is performed without an eye on the offense, the result is over-spending and under-performing. Risk management, too, is struggling. Executed without an eye on threats, a risk-based approach still results in a security breach. To successfully secure and defend networks, we must understand threats at the same level we understand our assets and vulnerabilities. This session presents a method for modelling threats and the path attackers take through our networks. Using these models, defensive strategies can then be defined and exercised. Organizations can then employ targeted defenses to mitigate the impact of security breaches. At the end of this talk, participants will leave with insights into developing a threat-driven security program. (October 16, 2013. Dearborn, MI)

Greater Detroit ISC2: Game Time: Disaster Recovery and Incident Response. Beat the clock. Table-top. Tag. Scavenger hunts. All are forms of games. All four can be applied to strengthening a team’s readiness. Take two of the ISC2 domains: Business Continuity and Operations Security. Both domains include disciplines for reacting to emergencies. Disaster Recovery, for example, is a planned reaction to an outage. Incident Response is a planned reaction to a security breach. With policies and plans in place, organizations must routinely practice in order to be ready for unplanned events. This session will present and discuss several games that organizations can play to improve DR and IR readiness. (September 24, 2013. Southfield, MI)

GrrCon. Beautiful models. We need beautiful models. Models attract and hold your attention. They excite you. They prompt action. And action, excitement, and focus are exactly what is needed to defend IT. By models, of course, we mean threat models. Intricate and beautiful, a good threat model tells a story. It indicates what we are protecting and where the attacks may come from. Done right, modelling highlights both the strengths and weaknesses of our IT. It becomes a means for strengthening and focusing our efforts. We need beautiful models to see what is and what could be. This session will explore threat modeling as part of the secure development lifecycle. A case study will be presented. The stories are real and only the names have been changed to protect the innocent. Beautiful Models answers the question: what is it that makes a threat model beautiful and actionable? (September 12-13, 2013. Grand Rapids, MI)

Grand Rapids IT Symposium: Bring Your Own Cloud. This session presents a pragmatic overview of cloud computing and bring your own device. Depending on who you speak with, cloud is either poised to lower IT costs world-wide or a security disaster and a compliance nightmare. People advocating to keep IT services in-house get labeled server huggers. People suggesting leveraging public cloud computing get tarred as outsourcers looking to cut jobs. And while the hype is that cloud is cheaper and that cloud is killing the data center, the reality is more nuanced. We need a middle ground. How can companies realize the dream of public utility cloud computing, while retaining the service and security they have come to expect from in-house IT? The answer is hybrid cloud computing. That is, combining the benefits of public utilities with the reliability of in-house IT departments. We will present how a Midwest investment firm evolved its in-house computing through two generations of private cloud, and is now building a third generation for launch later this year. The session is a case study in adopting consumer IT and adapting to IT trends. Lessons learned will be shared, along with a vision for how agile IT departments can succeed now and into the future. (June 19, 2013. Grand Rapids, MI)

Great Lakes InfraGard Conference: Securing Financial Services Data Across The Cloud. We came from stock tickers, paper orders, armored vehicles, and guarded vaults. We moved to data bursts, virtual private networks, and protocols like Financial Information eXchange (FIX). While our objective remains the same, protect the organization and protect the financial transactions, our methods and technologies have radically shifted. Looking back is not going to protect us. This session presents a case study on a financial services firm that modernized its secure data exchange. The story begins with the environment that was developed in the previous decade. We will then look at high-level threat modelling and architectural decisions. A security-focused architecture works at several layers and this talk will explore them in depth; including Internet connections, firewalls, perimeters, hardened operating systems, encryption, data integration, and data warehousing. The case study concludes with how the firm transformed the infrastructure, layer by layer, protocol by protocol, until we were left with a modern, efficient, and security-focused architecture. After all, nostalgia has no place in financial services data security. (May 16, 2013. Ypsilanti, MI)

BSides Chicago: Surviving the Robot Apocalypse. (Note: the video recording is only of the last half of the talk.) The robots are coming to kill us all. That, or the zombies. One way or the other, humanity stands on the brink. While many talks have focused on surviving the zombie apocalypse, few have given us insights into how to handle the killer robots. This talk seeks to fill that void. By exploring software security flaws and vulnerabilities, we will learn ways to bypass access controls, extract valuable information, and cheat death. Should the unthinkable happen and the apocalypse not come, the information learned in this session can also be applied to protecting less-than-lethal software. At the end of the day, survival is all about the software. (April 27, 2013. Chicago, IL)

Henry Ford: Surviving the Robot Apocalypse. (April 25, 2013. Dearborn, MI)

Source Boston: Punch and Counter-punch: Covert Channels in PowerShell. Alice wants to send a message to Bob. Not on our network, she won’t! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk through communications channels that defenders use and attackers abuse. The session will highlight three common covert channels, explore what makes covert channels hard to detect, and explain potential controls. Demonstrations will feature a PowerShell toolset. The software will be made available for creating your own Alice and Bob stories, and assessing your organization’s security posture when it comes to covert channels. (April 17, 2013. Boston, MA)

Eastern Michigan University: Information Assurance: Whispering on the Wires workshop. (April 5, 2013. Ypsilanti, MI)

Motor City ISSA: Panel Discussion: Current Trends in the Cybersecurity Threat Landscape. In light of last week’s Islamic Cyber Fighter’s DDoS attacks on America’s financial institutions and the implication of nation-state sponsored cyberattacks this is a very timely topic to discuss. (March 21, 2013. Livonia, MI)

Motor City ISSA: Incident Management with PowerShell. Have you seen the latest scare? The Java 0-day exploit that allows attackers to execute code on your computer? Now scares come and scares go. But let’s suppose for a moment your servers were infected using this exploit. How could your administrators detect the attack? How would you recover? Even better, what could have been done beforehand and how could you prevent this from happening again? Incident Management, of course, is the security practice that seeks to answer these questions. In Windows server environments, PowerShell is the way Incident Management gets put into practice. This session will introduce InfoSec professionals and systems administrators to PowerShell’s security features. We will provide an overview of Incident Management and PowerShell. Then, using the Java 0-day exploit as a driver, we will walk through the lifecycle of an incident. The audience will leave with information on the policy and practice of managing security incidents in Windows with PowerShell. (February 21, 2013. Livonia, MI)

GrrCon: Punch and Counter-punch with .Net Apps. Alice wants to send a message to Bob. Not on our network, she won’t! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk through sample .Net apps and Windows configurations that defenders use and attackers abuse. Short on slides and long on demo, this presentation will step through the latest in .Net application security. .Net tools that demonstrate the attacks and defenses will be released following the talk. (September 27, 2012. Grand Rapids, MI)

Motor City ISSA: Whispering on the Wires. The Internet opened communications and enabled this flat world where everything is but one click away. These complex networks make possible rich exchanges of thoughts and ideas, goods and services. But there is, of course, a dark side. Not all communications are productive. Not all communications are visible. Some are destructive, hidden, invisible. Some messages are whispered in secret. In this session, we will delve into ways attackers can hide their traffic using steganography and covert channels. Examples will be demonstrated and potential controls will be discussed. (September 20, 2012. Livonia, MI)

OWASP Detroit: Covert Channels and Controls in the .Net Framework. As the OWASP Detroit founder put it, “come watch Wolf talk about .NET and hiding stuff…” (September 12, 2012. Royal Oak, MI)

North Oakland ISSA: Turtles all the way Down — .Net Software Security. Peel back the layers of abstraction, what do you find? Software. Feel through the fog of cloud computing and what is there? Software. What powers our devices? Handles our protocols? Drives our cars? What ties us all together? Software. Every layer of our technology stack is software. It is turtles all the way down. Few things are as germane to security as software security. We will delve into software security in this session. Using C# as an example, we will see how software in general breaks and how to protect Microsoft .Net in particular. So how do we protect software? Come find out. (September 12, 2012. Auburn Hills, MI.)

Lunch and Learn. Bring Your Own Cloud. How can companies realize the dream of public utility cloud computing, while retaining the service and security they have come to expect from in-house IT? The answer is private cloud computing. That is, combining the benefits of public utilities with the reliability of in-house IT departments. In this session, we will present how a Midwest investment firm implemented DevOps on a cloud computing model. (August 22, 2012. Livonia, MI)

BSidesCleveland: Naked Boulder Rolling. Applying risk management and the security development life cycle to make security manageable. (July 13, 2012. Cleveland, OH)

BSidesDetroit: Naked Boulder Rolling. Every day we roll the boulder up the hill. Every morning we find the boulder back down in the valley. Like Sisyphus, defenders face the daily challenge of getting all the systems secure and the morning realization that new vulnerabilities have crept in. It is so bad we say it is not if we will get breached but when we will get breached. Worse, defenders say most breaches are career-ending events. Ouch. There has to be a better way. In this talk, we will cover using business impact and risk management as a driving force for prioritizing security efforts. This reduces the likelihood of a breach and prevents any breach from being a career-ending event. We’ll round out the hour with a case study showing these principles applied to securing a million dollar website. Guaranteed, you will leave this talk a smarter boulder roller. (June 2, 2012. Detroit, MI)

Stir Trek: Running DevOps on a Microsoft Cloud. You have heard the rumors. DevOps is this touchy-feely culture thing where the developers run cowboy over the infrastructure using open source tools. But what if you are running a Microsoft infrastructure? What if you are in a highly regulated industry, say like finance? And what if you need to show hard dollar savings to support culture changes? Forget the rumors. We have the facts. In this session, we will present how a Midwest investment firm implemented DevOps on a cloud computing model. The tool stack is SharePoint, SQL Server Business Intelligence, and System Center. Let’s get past the rumors and see how existing organizations are getting the most from DevOps and the cloud. (May 4, 2012. Columbus, OH).

GrrCon: How asteroids falling from the sky improve security. An asteroid fell from the sky and the data center is now a smoking crater. At least, that’s the scenario that launches your business continuity planning. BCP asks the questions: what do we have, what does it do, what is the risk and what is the value? The answers to these questions are also essential building blocks of a risk management program. This presents an opportunity for the savvy information security professional. In this session, we will look at ways to co-opt business continuity to advance an organization’s information security. (September 16, 2011. Grand Rapids, MI)

MiSec: How asteroids falling from the sky improve security. (August 18, 2011. Royal Oak, MI)

Storage Network World: Disaster Recovery Metrics: Beyond RTO and RPO. Many people consider only the recovery time and recovery point, RTO and RPO, when developing their strategies. This is a problem. Left unattended, certain characteristics of a recovery strategy will cause us to miss our recovery time. So it is important to look beyond the surface. To meet RTO, we must have sufficient time metrics. To meet RPO, we must have sufficient data metrics. And to balance the ongoing operational costs with the per incident costs, we must have supporting scalability metrics. This talk reviews the necessary metrics and considerations. (April 6, 2011. San Jose, CA)

Motor City ISSA: Practical Risk Management. The Motor City Chapter of the Information Systems Security Association (ISSA) will be hosting their September meeting with a presentation on Practical Risk Management. Their speaker, J. Wolfgang Goerlich, CISSP, CISA, is an information security professional with over a decade of experience in IT. Currently Mr. Goerlich is the Network Operations and Security Manager for a large financial institution in Michigan. In this presentation, Mr. Goerlich will describe some of the challenges he faced while developing an enterprise risk management program and explain how he ultimately solved them with a leading governance risk and compliance (GRC) technology. This presentation will discuss the practical implementation of GRC technology, discuss its uses, and review lessons learned. (September 18, 2008. Southfield, MI)

Lunch and Learn. Simplifying BCP Using OS and Storage Virtualization. (August 21, 2008. Livonia, MI)

Storage Network World: Simplifying BCP Using OS and Storage Virtualization. This session presents the evolution of disaster recovery. An institution responsible for billions in assets, Munder Capital Management’s information systems must be always available. Munder has been through several BCP cycles as it went from tape to standby systems, from cold to hot sites. This session delves into the lessons learned from these DR strategies as well as presenting their latest: using OS and storage virtualization to completely automate recovery. (April 7, 2008. Orlando, FL)
