NYMJCSC Workshop
NYMJCSC is offering a pre-conference workshop on Tuesday October 13th at the NYC Seminar and Conference Center's 23rd St. Chelsea Center (located on 71 West 23rd Street, New York)

The workshop features four (4) in-depth full-day hands-on classroom-style educational courses to expand your knowledge and foster security discussions.

The tracks to be covered are:
  1. PowerShell for Auditors
    Hand on Powershell for IT security and auditors ... requires BYOD
    Instructors: Guy Hermann (GSA Train)

    PowerShell is a remarkably powerful tool that can be used by administrators to automate many aspects of their environment. PowerShell really starts to shine when used to audit and secure a Microsoft Windows ecosystem. Starting with an introduction to PowerShell, this brief overview explores PowerShell and exposes how it can be used to help secure Windows. This one-day session covers PowerShell from beginning to end, exposing participants to the wide range of tools available through PowerShell.

    Starting with the basics of using the shell and cmdlets along with the included help system, we examine the command syntax, command discovery, and how to work with the PowerShell Pipeline. We then progress into some of the many things you can do with PowerShell right now to audit and secure your environment. We then delve into some of the more sophisticated aspects of PowerShell and how it can be best used by Windows Administrators. You will be exposed to the Desired State Configuration tool, as well as Best Practices and specialized techniques for auditing and securing your environment.

    This session is packed full of Hands-On-Labs to demonstrate just how easy to use and powerful PowerShell really is:
    • Configuring Windows PowerShell
    • Finding and Running Basic Commands
    • Using the Pipeline
    • Converting, Exporting, and Importing Objects
    • Filtering Objects
    • Enumerating Objects
    • Working with Pipeline Parameter Binding
    • Formatting Output
    • Working with WMI and CIM
    • Moving From Command to Script
    • Moving From Script to Function to Module
    • Implementing Basic Error Handling
    • Creating an Advanced Function
    • Using Basic Remoting
    • Using Remoting Sessions
    • Desired State Configuration
    • Documenting Servers and Workstations
    • Auditing User Passwords


  2. Wireless Shock and Awe
    Be worried about what exposed via Wireless
    Instructor: Tim Singletary, Technical Director, Cyber Security Services, Harris Inc.

    The ease of use, mobility, and convenience has made wireless technologies not only prevalent but the defacto standard for most individuals as well as corporate America. Wireless throughout the years has not become magically secure just because it is more often used than not. Both companies and individuals are at risk of many variants of wireless attacks, from basic war driving to rogue access points.

    From smartphones, tablets, wearables, to the IOT (Internet of Things), wireless technologies have taken over both consumers and corporate America. Knowing the types of attacks and inherent weaknesses and vulnerabilities of wireless networks is half the battle, in keeping both your personal and corporate information secure and away from prying eyes.

    In this presentation we will talk about issues within wireless technologies that every individual using wireless should know. We will see firsthand demonstrations of weaknesses in wireless and how to mitigate those risks and protect critical resources (personal and corporate).

    ALL WIRELESS SHOULD BE TURNED OFF DURING THIS PRESENTATION!!

  3. Privacy and the Dark Net
    "All your data belongs to us."
    Instructor: Chris Roberts

    This simple statement is becoming more of a reality as both technologies accelerate and we (the soggy human element) get left behind. The variety of means and methods for storing and transmitting data have increased exponentially over the past few years and the tidal wave that is the Internet of Things (or IofE) is set to continue that trend. We have found ever-inventive means for distributing our data and our very lives across the electronic spectrum that we no longer really understand the extent of the saturation. This trend is not constrained to our personal lives as those delineation marks between personal and "work" have significantly blurred with both society and technological shifts. It is these traits among others that make the art of human engineering and intelligence gathering so much more involved.
    • We have simply become walking attack vectors.
    • Digital footprints, what are they, why are we talking about feet and what use are they to us as we work through the masses of data?
    • We are going to take a look at the core of an organization.its data. We will strip away the misconceptions that the data still is in the control of the organization and begin to understand WHERE the data is, HOW it got there and how WE can access it, learn from it and ultimately use it against our intended targets.
    • Targeting and attack vectors, looking beyond the perimeter. Reviewing an organizations structure, it's VAR's, partners, suppliers and other entities that are either trusted or shared resource entities.
    • We all love the IT department, the developers and the resources they use without thinking.
    • When YOU and YOUR work bleeds into your personal life...and the reverse. Why your E-Mail is one of the best fingerprints you leave behind. Why your HOA or your kids soccer team should never have your company mail address.
    • Targeting it outside of the borders, how much easier it is to attack in certain territories.
    • What public tools are out there, how GoogleFu is good, but not always adequate.
    • CLEAR/LEXIS NEXIS, what data can you gather from there vs. other entities, what works and what needs supplemental sources. At this point we'll take a look at the other options open to individuals doing their own research.
    • The Darker side of the Internet, what it is, how to get to it and how useful it CAN be (if only the Feds would stop closing down sites!)
    • Making sure the DarkNet doesn't follow you home, HOW to search, what tools to use and when to throw the computer away. The art of the VM and how to anonymize yourself.
    • All this and we've yet to actually "touch" the company, no CFA violations, no laws bent and nothing that's going to show up on the radar.all this legally done, above board and simply piecing together the jigsaw. We now have our target, our attack vectors and our plans, what's next?
    • Reversing the mindset, how we can take ALL of this and use it in a defensive manner, how to actually be PROACTIVE in security and start to consider the preemptive capabilities of intelligence gathering in the commercial world.


  4. Application Security
    Part 1: Take a tour of the OWASP foundation:
    • Highlighting key projects that can help your organization improve it security posture.
    • This portion of the session will set the groundwork for developers and management alike.

    Part 2: Live hacking demonstration using OWASP ZAP and OWASP WebGoat to find vulnerabilities.
    Instructor: Ken Belva
    • The attendee will then learn how the results of ZAP tie into the OWASP Top 10, OWASP ASVS, and the resolutions/fixes on the developer solution guides.
    • The class will end with a live exploit demonstrations of various security issues beyond just ZAP and WebGoat and how these exploits and issues tie back into the OWASP Top 10.

    Part 3: Deep dive into specific application threat surfaces.
    Instructor: Vladislav Gostomelsky
    • Fun with harvesting error messages: Gleaning useful and exploitable information from well meaning error messages - some SQL Injection
    • Abusing authentication gateways: Learning organization's password policy and security posture through auth gateways. Passwords resets, cryptography and entropy
    • Input validation - we still haven't fixed it: Black listing was wrong, then whitelisting was not enough, expression matching doesn't completely solve things either. What's next and how do we abuse it?


Notes:
  • You will be required to bring your own laptop for the class PowerShell for Auditors.
  • Seating is limited to 30 attendees per track.


As part of our educational mission as a coalition of non-profit organizations, registration fees are only to cover the costs of the facility, food and refreshments.

Registration does not include the conference pass. The conference on Wednesday October 14th is a separate registration.

[ Home ]