VASCAN

Presenter: Doug Streit

Vulnerability management is a notable challenge in the enterprise. It is arguably a lower priority than other operational security practices, such as a robust patching cycle. It is often considered a compliance checkbox. It is complicated by the operating system and application interdependency and ownership. It can be confused as a "Security Operation" or a "Risk-Compliance" responsibility. There are many moving parts and dependencies. Support teams are strapped for time. It requires cohesive collaboration between all of the core support teams - DBAs, System Admins, Application Owners, and System Owners that include networks, identity, web development, administrative systems, and infrastructure systems. This presentation describes one successful journey to actively managing vulnerabilities across hundreds of critical hosts, overcoming numerous challenges to get to a satisfying conclusion.

Presenter: Tyler Hudak

Computer forensic cases of the past can teach us a lot. This talk will discuss three public cases in which computer forensics played a key part, how forensics helped or hindered the case, mistakes that were made, and what we can learn from them.

Presenter: JD Sayle and Jose G. Siles-Gonzales

The GMU IT Security Office has been working on an internal documentation SharePoint site for storing, organizing, and reviewing standard processes and procedures. Our structure follows the NIST Cybersecurity Framework while also being operationally efficient for daily use, onboarding new members, and enumerating our use cases across our security program. We will show our use cases and documentation for utilizing both Defender for 0365 and Crowdstrike Falcon EDR.

Presenter: Lori Kressin

The most recent version of the HECVAT now includes questions regarding accessibility in both the Lite and Full versions. This session will provide background and help you understand your role when reviewing the answers provided by the vendors.

Presenters: Jesse Castellani and Jordan Burenette

In this presentation, we will provide one method to make macOS baseline configurations easy using the macOS Security Compliance Project (mSCP). We will provide an overview of mSCP, the benefits of using mSCP, how you can customize mSCP, and discuss how we’ve implemented it in our organization.

Presenter: Michael Talley

Annual reviews of access can seem like traveling through the seven levels of the candy cane forest, past the sea of swirly twirly gumdrops, bringing everyone down a whole octave...in a good way! The process often involves gathering data from multiple systems, lots of printouts, and marked-up notes, which is tedious and confusing for managers, sysadmins, and auditors alike. The School of Dentistry built an electronic tool to ingest systems, users, roles, and access levels so that managers can review their employees' access online and take action. The Virginia Commonwealth University School of Dentistry - the only dental school in the Commonwealth of Virginia - educates students in the traditional classroom environment while also treating patients on a mini-hospital infrastructure, all while operating like a private practice corporation. Protecting patient and student privacy and security is our passion as IT professionals. This presentation will provide an overview of the School of Dentistry's uniquely hybrid clinical and academic environment, discuss challenges auditing physical and logical access (especially within a hub-spoke IT model), and present the automation architecture (utilizing HR system data feeds, Active Directory, linked database servers, Google Groups, Network-based locks, and ETL processes) and demo the solution built by the School of Dentistry, along with lessons learned, future improvements, and continual obstacles (and opportunities) with reviewing access.

Presenter: Kate Rhodes

Over the last year, we at ODU have overhauled our Risk Assessment process in an effort to modernize our processes and keep up with changing requirements. Our overhaul includes itemizing our Business Critical Systems and identifying at the system level vs. service level, updating our Risk Assessment template to align more with cyber insurance expectations with a strategy to move to NIST 800-171 level assessments, and how we plan on leveraging a new GRC Tool for system level and unit level assessments. This includes how we plan on identifying units that will not fall under University Security Program thus they will not be covered by cyber insurance, and how we will obtain acknowledgment and acceptance from business unit leaders.

 Presenter: Sanjit Ganguli

How to provide secure access to critical data and applications in the new world where users (faculty/staff and students) are both on and off campus and applications and data are both on-premise and in the cloud. We must balance a good user experience and access to data/apps while securing access and protecting confidential data.

Presenter: Phil Fenstermacher and Pete Kellogg

Launching a container program can be intimidating. The rapidly evolving space makes it feel like you're always trying to catch up and makes it impossible to declare it ready for production. In this presentation, we'll show how we built, secured, and rebuilt (overnight) William & Mary's container platform that runs everything from student code to Banner. We'll discuss the different security tools we use, sharing our experiences with each. We'll close by discussing our experiences with the CIS benchmarks, how Kubernetes fit in our most recent audit, and what we're planning on doing next.

Presenter: Bob Turner

The digital transformation in education continues to expose technical and procedural challenges to ensure consistent security through the transition to cloud technologies and services. Organizations seeking to adopt multi-cloud strategies, gain economic and operational advantages, and support teaching and research are becoming more dependent on cloud applications and environments. Security architectures are not keeping pace with cloud-based networking innovations and the continuation of remote work only increases the attack surface. This presentation will show pathways to engage security at the service edge, allowing organizations to shift away from purchasing numerous point products to secure different parts of their networks and adopt a more cost-effective operational service model.

Presenter: Thomas "Tweeks" Weeks

Want to learn how to do actual hands-on WiFi sniffing and encryption cracking? Come to our sniffing and cracking workshops to either watch and follow along (howto notes included), or borrow one of our USB "Monitoring" NICs to do it using our play-target WiFi access points. In our first lab, sniff and intercept sensitive information using aircrack and Wireshark. Then in our second lab, learn how to crack WEP WiFi encryption keys, with discussions about WPA2 weaknesses to avoid on your network! Come, watch and learn, or learn by doing!*

Goals:

Give hands-on experience with setting up WiFi hardware for sniffing With examples for aircrack-ng (for capture) and Wireshark (for inspection)

Requirements:

• Laptop with Kali Linux (preferred), Windows, Mac (untested) (For Win/Mac, recommend using Kali VM images)
• Special WiFi Adapter (ALFA USB a/c/n for “monitoring”/sniffing) (borrow one from Instructor (limited quantity))
• Software Aircrack-ng - https://www.aircrack-ng.org/ (incl. in Kali)
• Software Wireshark - https://www.wireshark.org/ (incl. in Kali)

Presenter: Daniel Terceros

Phishing continues to be a popular attack vector used by attackers with all sorts of motivations, from political to financial ones. About 82% of all breaches recorded last year involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time. Most organizations deal with this threat almost daily, which makes automating the triage for these events an important part of maturing a security program.

Presenter: Michael Richardson

Network-based vulnerability scanning can provide an assessment of the vulnerabilities that a system presents to the network. But what happens if the firewall rules disappear? What other potential problems are being shielded by the host-based and/or institutional firewall? What local exploits lie in waiting for your unprivileged users to leverage? What out-of-date, dormant libraries might be turned on through the next application update? How might one assess issues that might not be presented to the network, like processor, driver, and firmware vulnerabilities? Adding an agent-based vulnerability assessment program to your tool belt can expose these hidden issues in your environment, and in some cases automate other tasks required for annual audits, inventory, etc. We'll be discussing the results of a recent project at GMU to further enhance our vulnerability scanning program through the integration of Tenable Agents into our Network Vulnerability Scanning program and our Governance, Risk, and Compliance program in Archer.

Presenter: Jon Ford

The modern threat landscape is vast. Cyber attacks related to the conflict in Ukraine are surging. Critical and pervasive vulnerabilities such as “Log4Shell” have led to massive risk due to the complexity of patching. Cybercriminals are conducting sophisticated ransomware and extortion operations at a rising tempo targeting commercial and government organizations alike.

Please join Jon Ford, Managing Director at Mandiant, and retired FBI Senior Executive, for a discussion about how these threats might evolve in the near future and how organizations can harden their infrastructure against destructive attacks and difficult-to-detect threats. In particular this briefing covers: 

• Deep dive into state-sponsored and other threat actors, including where they are increasing threat activity, and where they are focused
• The targeting and TTPs to watch for from some of the notable threat clusters, such as Sandworm Team
• Supply chain risk landscape – how to prepare for attackers’ innovative thinking
• How do government and private sector entities work together to combat these threats?
• A close look at aggressive cyberattacks and information operations which have increased with the Ukraine crisis
• Steps organizations can proactively take to harden their environment against destructive attacks

Presenter: Mark Day, Chief Scientist, Netskope

Security service edge (SSE) is the next evolution of cloud security and is critical to any zero trust strategy. SSE converges legacy point security capabilities into a unified cloud platform that provides secure access to applications and data everywhere, consistently for every location and delivery model. A modern security program aligned to zero trust principles must move beyond simplistic allow/block decisions and instead evaluate and re-evaluate the context surrounding every interaction, offering and adapting just the right access at just the right time. SSE is the security stack that helps deliver the promise of cloud and digital transformation.

Join this session to learn about:

• The critical components of a modern zero-trust program
• Learn how Security Service Edge can help to deliver zero trust principles

Presenter: Joshua Cole

This talk describes the lessons learned through 2 1/2 years of work-from-anywhere from a cybersecurity company that decided to shed its offices and move to an all-virtual model. The talk will discuss how the company made the switch from the standpoints of GRC and technology to ensure the protection of sensitive data that are equally applicable to academic environments.

Presenter: Dan Rocker

Cut through the hype with CAS Severn and Z-Scaler by learning the truths about Zero Trust architectures. This session will cover the definitions of zero trust, components of a zero trust strategy by reviewing CAS's Zero Trust Roadmap, and how Z-Scaler plays a key part in a customer's journey to Zero Trust enforcement across the organization.