If you haven’t seen it yet, RISE and several of our members were in a Roanoke Times article about cyber security on Sunday, “Cyber security experts wage quiet war on hackers“. Shout out to Rob, Ted and Nate for fighting the good fight and promoting RISE.
Meeting info: May 12th, @6pm, at ECPI (directions below).
This meeting is a can’t miss opportunity for a hands on deep dive with Wireshark. David Raymond (@dnomyard, bio below) who has previously spoken at Black Hat USA, RSA and Scmoocon will be presenting.
Wireshark is a great tool for quick-and-dirty network traffic analysis and it is widely used for network troubleshooting and incident response. In this hands-on discussion, we will review the basics of Wireshark and discuss capture filters, display filters, and basic protocol analysis. We’ll then go beyond the basics to talk about more advanced features of Wireshark and touch on some of the command-line utilities that come with it, such as tshark, editcap, mergecap, and randcap.
ECPI (5234 Airport Rd NW #200, Roanoke, VA 24012 or Google Maps) will be hosting the meeting and there will be some lab machines available for use by those without a laptop available.
David Raymond currently serves as Deputy Director in the Virginia Tech IT Security Office and Lab. In this position he helps oversee the security of the VT network, advises graduate students and undergrads doing cybersecurity research, and teaches courses in computer networking and security in the Department of Electrical and Computer Engineering. David holds a Ph.D. in Computer Engineering from Virginia Tech, a Masters in Computer Science from Duke University, and a Bachelors in CS from West Point. He has published over 25 journal and conference publications on a variety of topics and has spoken at numerous industry and academic conferences to include Black Hat USA, RSA, Shmoocon, and the NATO Conference on Cyber Conflict.
Don’t miss another great local opportunity to network with area security professionals. The RBTC Cyber Security Form next month is all about vulnerability management. Prior RBTC events have been excellent, and the hors d’oeuvres are not to be missed! Details on the event can be found on the RBTC website: https://rbtc.tech/2016/04/cyber-security-forum-vulnerability-management-may/
It was awesome to see so many new faces and so many familiar ones at last Thursday’s meeting, thanks again to ECPI for hosting. We ended up running out of chairs!
I hope to see everyone again next month, where we will dive back down in to the weeds and take an in-depth look at Wireshark.
Get on the mailing list or check the site for more details once we get them finalized.
We meet every 2nd Thursday of the month at 5:30pm. The meeting location rotates between several local businesses and colleges. Please see below to find out how to get on the email list for the meeting announcements. The meeting locations will also be posted to this site.
We are a group of Roanoke and NRV Information Security Professionals. We get together the 2nd Thursday every month to discuss current security topics. Meetings are free, usually so is the beer, and they are open to anyone.
Please send an email to RoanokeInfoSec@gmail.com if you would like to be added to the email notification list.
Our next meeting is April 14th at ECPI in Roanoke (address is below) at 5:30pm. The speaker will be an FBI Special Agent who has been with the FBI for 12 years and is currently in the Richmond Division with a focus toward the Roanoke area. He is currently working national security matters and has agreed to come and share with us his experiences and his thoughts on how we can assist in protecting our companies, valley and country.
It’s always good to meet your local FBI liaison. If you have a serious breach at your company or discover illegal activity on your network, you need to know who to contact.
Special thanks to Michael for opening up the ECPI facility to us and to Stephan for lining up our speaker.
Meeting Location:
ECPI University
5234 Airport Rd NW #200
Roanoke, VA 24012
Our discussion subject for the month of March was Network Pen Tests.
Our guest speaker was Russel C. Van Tuyl (@Ne0nd0g). Russel is an experienced Network Pen Tester with Sword & Shield in Knoxville, TN and has agreed to walk us through his Network Pen Testing procedures.
Here is a quick write up about his presentation:
Attackers can take complete control of a Windows domain by establishing full administrative rights to networks resources. This access can then be used to steal your organizations crown jewels, the thing that makes your organization money. This talk will introduce common attack paths used to compromise a domain. Additionally, a brief introduction to the tools used to perform some of these common attacks will be covered. This presentation will conclude by providing information on mitigating or detecting these common attacks. The audience will be provided with an opportunity to ask any questions, even if they’re not related to the presentation.
Update: Russel did a fantastic job presenting. His presentation was entertaining and had a ton of great information. He not only covered some of the techniques he uses when pen testing, he also talked about ways to mitigate them. If you didn’t walk away with a “To Do” list of things to check on your network, or a list of fun new things to try, you weren’t paying attention.
Here are the slides from the presentation:
He demonstrated how PowerShell can be an admins best friend, or worst enemy, by showing us how easy it was to use PowerShell Empire to compromise a box.
Our own Grant Sims has since created step by step video showing how to use one of the PowerShell techniques Russel spoke about. He shows how to use PowerSploit to get a meterpreter shell:
In the Feb meeting we heard from Mark Cairns from Cisco about how Cisco fits the security niche. Here is what Tom Spitnale from SyCom had to say about Mark’s presentation:
“I was impressed with the presentation he delivered to a group in Richmond just before the holidays. A very granular view of the “life of a packet” as it intersects with security dependent on the circumstances…on premise user, on premise resource, hybrid or cloud resources in the mix, off-premise users, etc. etc. While the presentation is admittedly developed to deliver a “why Cisco meets this market uniquely” message (and spotlights the functionality that different elements of Cisco’s portfolio addresses, both as point solutions and as a collective/integrated umbrella strategy), the discussion points and path from one scenario into the next really painted the picture, for me, of what modern security professionals are tasked with addressing. So I feel like “the pitch” aspect is worth “the story” that he tells.”
Mark spoke about some unique ways Cisco can leverage an end to end solution to provide visibility into the network and how it compares to open source solutions.
We will be kicking off the New Year with the first part of a two part series. (Open Source Security vs Commercial Products).
This month we will be discussing open source security and how our own Nate Sykes and Grant Sims (bios below) are using open source products to secure their network. Next month we will have Cisco come in and give us an overview of what they can offer from a commercial software standpoint.
Nate and Grant have been working to transition their security posture from a purely prevention based model to a prevent, detect and respond model. Nate and Grant put it this way “Prevention WILL fail. As a defender you have to consider/protect EVERYTHING. An attacker only has to find ONE flaw overlooked, unknown, unpatched or misconfigured.” To that end Nate and Grant will give us an overview of how they use open source security sensors to defend their network.
They will discuss:
Here are the slides from the first part of the presentation:
For the second part of the presentation, Grant demoed how to use Security Onion to investigate an AnglerEK incident:
Brief bios:
Nate Sykes (@n8sec) is the IT Manager at R&K Solutions, he has been working in IT for 19yrs. Nate has worked in all areas of system and network administration. He has been involved in different aspects of security for the last 6yrs, mostly involving blue team work. He holds GSEC, GMON and Security+ certifications.
Grant Sims (@ChiefRiverSims) is the Sr Security Analyst at R&K Solutions, he has been working in IT for 9yrs. He has a networking background, developed while working in a major DoD data center. He holds CCNA-Voice, CCDP, CCNP, Security+ and GPEN certifications.
At our Dec. meeting our guest speaker was Randy Marchany (bio below). @randymarchany is the University Information Security Officer for Virginia Tech. He is also the director of the VA Tech IT Security Lab, a component of the university’s Information Technology Security Office. Randy did a great presentation about Continuous Monitoring and how they are implementing it at Virginia Tech. He also talked about how security is changing with “borderless” computing. They have to blend corporate security with ISP model security. He also talked about as much as things change, some seem to stay the same. One of my favorite slides from the presentation was a quote Randy said back in 2002, that still holds very true today:
Here is the “Continuous Security Monitoring: A Big Data Challenge” presentation:
Here is the “What is Old is New Again” presentation:
Randy’s bio:
Randy Marchany is the University Information Security Officer for Virginia Tech. He is also the director of the VA Tech IT Security Lab, a component of the university’s Information Technology Security Office.
He is the author of VA Tech’s Acceptable Use Statement and a co-author of the original FBI/SANS Institute’s “Top 10/20 Internet Security Vulnerabilities” document. He is the co-author of the SANS Institute’s “Responding to Distributed Denial of Service Attacks” document that was prepared at the request of the White House in response to the DDOS attacks of 2000. He was part of the SANS Institute’s Secure Code project that developed a set of exams to test programmers’ knowledge of secure coding techniques. He has been a member of the SANS Institute’s faculty since 1992.
He is a co-author of the EDUCAUSE “Computer and Network Security in Higher Education” booklet. He is a member of the EDUCAUSE security task force focusing on risk assessment and security metrics. He was a coauthor of the original Center for Internet Security’s series of Security Benchmark documents for Solaris, AIX and Windows2000.
He is one of the original members of the US Cyber Challenge (USCC) Project. The USCC mission is to significantly reduce the shortage in the cyber workforce by serving as the premier program to identify, attract, recruit and place the next generation of cybersecurity professionals. He designed the curriculum for the USCC summer camps.
He is one of the founders of the Virginia Alliance for Secure Computing and Networking (www.vascan.org), a consortium of security practitioners and researchers from VA Tech, U of Virginia, James Madison Univ., George Mason Univ.
He has been a frequent speaker at national and international conferences such as Educause, SANS, IIA, ISACA, ACUA, International CISO symposium, IEEE, NIST, NY State OIT Security conference, FBI-Infraguard chapters, US Forest & Wildlife Service, Computer Security Conference, Air Force Material Command. He’s been the subject of articles in the Chronicle of Higher Education on security issues at university campuses.
He was a recipient of the SANS Institute’s Security Technology Leadership Award for 2000. He was a recipient of the VA Governor’s Technology Silver Award in 2003. He was part of the team that won the EDUCAUSE Excellence in Information Technology Solutions Award in 2005. He is a co-holder of two cybersecurity patents.
He is acknowledged as one of the North American masters of the hammer dulcimer. He is the author of the original theme song of National Public Radio’s nationally syndicated radio program, “World Cafe”. His band, “No Strings Attached” was nominated for or won “Indie” awards (independent record label’s version of the Grammy) for Best Album (String Music) category in 1984, 1985, 1986, 1988, 1990.
RISE - Roanoke InfoSec Exchange 