Loading…
Welcome to Diana Initiative 2020 Virtual Conference.
For more information, please see our web site here :
https://www.dianainitiative.org

Log in to bookmark your favorites and sync them to your phone or calendar.

Friday, August 21
 

8:00am PDT

Empathy as a Service to Create a Culture of Security
So-called "soft skills" are greatly undervalued in the Information Security industry. The very core of security involves humans. Rather than tackle human problems with zeros and ones, try to approach security with a more people-minded focus. A former librarian turned Information Security professional will go through examples of how addressing humans can ultimately help security. Using a 7-step framework from the library science discipline, the speaker will help you improve interactions with both colleagues and end users. You will come away with new ideas and a different outlook on how to improve the security posture of your organization.

Speakers
avatar for Tracy Z. Maleeff

Tracy Z. Maleeff

Information Security Analyst at The New York Times Company, Opening Keynote Speaker
@InfoSecSherpa, is an Information Security Analyst for The New York Times Company. Prior to joining the Info Sec field, Tracy worked as a librarian in academic, corporate, and law firm libraries. She holds a Master of Library and Information Science degree from the University of Pittsburgh... Read More →


Friday August 21, 2020 8:00am - 9:00am PDT
Stage 1

9:00am PDT

Critical Infrastructure, Interconnected Risks, and Resiliency. Why Women Should Care?
This talk is specifically focused on increasing awareness about the interconnected of the internet not only in our day to day to lives but also into our critical civil infrastructure such as water treatment facilities, energy grids, hospitals, etc., she brings attention to the fact that just like essential workers are recognized as critical to continue BAU for our personal lives during the Covid-19 pandemic, these civic infrastructures are also essential services and that we must not wait for a serious incident like the pandemic to make us realize that but rather pay crucial attention to their safety and security and to the coupling impact they have on us proactively and work in strengthening their resilience. The talk highlights attention to the gender gap in cyber security and in this area and how women can help close this gap and gives an opportunity to discuss challenges and how to close them.


Speakers
avatar for Godha Bapuji

Godha Bapuji

Founder, Women in Crisis Response


Friday August 21, 2020 9:00am - 9:15am PDT
Red Team Village Booth

9:00am PDT

Security and storytelling: Strengthening behavioral habits and security culture at Robinhood
It’s unusual for companies to take a page from children’s books to train and educate their employees, but in this case, the Robinhood Security Engineering Team did just that. The information security industry frequently looks to experts on organizational behavior to help employees learn secure habits and create a strong security culture, but we may forget one of the best examples of shaping habits, lessons, and behaviors: children’s stories. Children’s stories help their young readers define, develop, and practice habits that contribute to greater societal norms. From introducing characters, explaining their motivations, and capturing their interactions with others and the surrounding environment, children’s books make it easy for readers of all ages to understand, learn, and aspire to certain behavioral frameworks. How can we, as security professionals, widen our perspectives on the human factor and help equip our employees with strong security habits?

Meet Crypto Cat. From inception to execution, we'll talk about how we bootstrapped, built, and launched Secure Sherwood Forest: a custom-built, interactive security game to educate employees on key security and privacy behaviors in a novel and engaging fashion. Through customized characters, a fantasy-based storyline, and a simple, internally-hosted, web-based game as our delivery mechanism, we’ll discuss the key security behaviors identified, how the game leveraged technology for hands-on decision-making and positive reinforcement of key habits, and the overall impact of the game on nurturing a collaborative and proactive culture of security at Robinhood.

We're looking forward to seeing you there! :)

Speakers
avatar for Jessica Chang

Jessica Chang

Sr. Technical Program Manager, Security at Robinhood, Speaker
Jess Chang is a Sr. Security Technical Program Manager at Robinhood Markets, Inc. As a speaker, she has presented talks and spoken on panels for global security industry conferences, peer companies, federally-funded research and development centers, and industry groups. Prior to joining... Read More →
avatar for Colin Seale

Colin Seale

Software Engineer at Robinhood, Speaker
Colin Seale is a Software Engineer at Robinhood Markets, Inc. At Robinhood, Colin works on access management, security products, and crypto custody. Prior to joining Robinhood, he has had roles as a Security Researcher at OpenDNS, Software Engineer at Cisco, and Blockchain Security... Read More →


Friday August 21, 2020 9:00am - 10:00am PDT
Stage 1

9:00am PDT

Application Security: OAuth 2.0 and OpenID Connect
OAuth and OpenID Connect are the two widely used protocols for authentication and authorization of delegated access to third party applications. Not only they provide a common framework that can be implemented across different platforms, but also allow a user to grant limited access to their resources without having to expose their credentials, thus making them inherently more secure. But OAuth can be exploited to steal the access tokens, which can then be used in lieu of user credentials. This presentation will discuss the key concepts related to OAuth and OpenID and the relevant security issues with them. The presentation will also give an insight into how we can mitigate the risks to OAuth and detect the abuse of access tokens

Speakers
avatar for Nitya Garg

Nitya Garg

LinkedIn, Speaker
Nitya works with LinkedIn Technology as Information Security Engineer – Threat Mitigation and Incident Response. She has about 7 years of experience in Information Security, most of which has been on Threat Detection, Intrusion Analysis, and Incident Response.She is passionate about... Read More →
avatar for Akanksha Chaturvedi

Akanksha Chaturvedi

LinkedIn, Speaker
Akanksha works with LinkedIn Technology as a Senior Identity & Access Management Engineer. She has been working in this domain since past 7 years. She has an expertise in SSO, Active Directory, Authentication, Azure AD fields. Prior to joining LinkedIn, she has worked for Microsoft... Read More →


Friday August 21, 2020 9:00am - 10:00am PDT
Stage 2

9:00am PDT

Virtual badge building with tinkercad
Come join me for a 1 hour session where we walk through building a virtual version of this year's “Off the Shelf” badge. Attendees will learn the basics of this easy to use virtual prototyping tool. Please go to TinkerCAD.com and sign up for a free account before the workshop begins.

Speakers

Friday August 21, 2020 9:00am - 10:00am PDT
Village Workshops

9:00am PDT

Introduction to Capture-the-Flag (CTF)
Speakers
avatar for Marcelle Lee

Marcelle Lee

Senior Security Researcher, Secureworks
Cyber competitions and Women's Society of Cyberjutsu! 
avatar for Jai

Jai

Owner, Hack3r Runway


Friday August 21, 2020 9:00am - 11:00am PDT
Stage 3

10:00am PDT

Moving left in the SDLC
Jas will talk about how moving security left in the SDLC benefits the organization, reduced risk and improved security. How security works TOGETHER, Not against, Developers.


Speakers
avatar for Jaswinder Kaur

Jaswinder Kaur

Senior cyber security engineer, T-Mobile
Jas is working with T-Mobile as a Senior cyber security engineer. Before that, she worked in the DC Government and Bank of America for many years. She is leading the blue team in her organization. For her, cyber security has never been more important, securing the important personal... Read More →


Friday August 21, 2020 10:00am - 10:45am PDT
Red Team Village Booth

10:00am PDT

Incident Communications 101 - Breaking the Bad News
Enabling better communications between geeks and management. As humans we have had 60,000 years to perfect communication, but those of us working in IT, regardless of which side (Blue or Red Team), still struggle with this challenge. We have done our best over the centuries to yell "FIRE!" in a manner befitting our surroundings, yet today we seem utterly incapable of providing that very basic communication capability inside organizations. This talk will endeavor to explain HOW we can yell "FIRE!" and other necessary things across the enterprise in a language both leadership, managers and end-users understand.

Speakers
avatar for Catherine Ullman

Catherine Ullman

University at Buffalo, Speaker
Dr. Catherine J. Ullman is a security researcher, speaker, and Senior Information Security Forensic Analyst at University at Buffalo with over 20 years of highly technical experience. In her current role, Cathy is a data forensics and incident response (DFIR) specialist, performing... Read More →


Friday August 21, 2020 10:00am - 11:00am PDT
Stage 1

10:00am PDT

Trust, No Trust or Zero Trust - Myth Demystifying
Cloud is the new cool thing, everyone wants to be in cloud but what about security and compliance standards. How do organizations manage safety as well as security in the era of cloud. The concept of everyone inside the network being good or trusted is blown out of the water with cloud deployments. Effectively everyone is a tenant on a big server farm when it comes to cloud.

The only way forward is to not trust anything or what can be called a zero trust model. This talk will explore the concept of zero trust and will try to demystify zero trust models. The talk will focus on implementation and deployment scenarios of zero trust for organizations. How should the business prepare for the transition, what are the architectural requirements and what policies are required to be implemented?

We will conclude the talk with some recommendations based on our own experience dealing with zero trust deployments across a broad spectrum of clients and market segments.



Speakers
avatar for Vandana Verma

Vandana Verma

Security Solutions Architect, IBM
Vandana is a seasoned security professional with experience ranging from application security to infrastructure and now dealing with DevSecOps. She has been Keynote speaker / Speaker / Trainer at various public events ranging from Global OWASP AppSec events to BlackHat events to regional... Read More →


Friday August 21, 2020 10:00am - 11:00am PDT
Stage 2

10:30am PDT

“Off the Shelf” Breadboard addition
In this 90 min workshop we will discuss the basics of building a prototype using a solderless breadboard and standard parts, as well as getting the project ready for code. Requires the parts listed here(link needed) as well a computer with the Arduino IDE installed (link) We’ll end the session with loading a test sketch to the Arduino.

Speakers

Friday August 21, 2020 10:30am - 12:00pm PDT
Village Workshops

11:00am PDT

Breaking Down Barriers to InfoSec for Neurodivergent Individuals
InfoSec is a daunting field for many. For people who are neurodivergent, this field can be even more challenging to get into. The goal of this lightning talk is to highlight some of the challenges and pain points that neurodivergent people may experience when contributing to open source InfoSec projects, when getting started in InfoSec as a new career, or when changing careers to InfoSec, and to provide implementable solutions to these challenges, that are designed to make a positive impact.

Speakers
avatar for Rin Oliver

Rin Oliver

Content Marketing Manager, Esper
Rin is the Content Marketing Manager at Esper. They enjoy discussing all things open source, with a particular focus on diversity in tech, improving hiring pipelines in OSS for those that are neurodivergent, and removing accessibility barriers to learning programming. Rin is also... Read More →



Friday August 21, 2020 11:00am - 11:30am PDT
Stage 1

11:00am PDT

No Mom, I’m not a Hacker
For years, red teamers had all the fun and garnered the notoriety. They broke in, stole everything, then left a report on the blue team’s desk with some vague recommendations. The blue team wasn’t cool, it wasn’t fun, and it wasn’t the destination. Well, as my dear friend Wonder Woman once said, “If no one else will defend the world, then I must.” Blue teaming is critical to our industry, and it is time that blue teamers get the credit and reputation they deserve. In this talk you will learn about the history of the hacker stereotypes, what blue teaming really is, and why you should be proud to be a blue teamer. You will walk away with tips to elevate the profile of your organization’s blue team while encouraging others to join the blue side.

Speakers
avatar for Danielle Knust

Danielle Knust

Security Risk Advisors, Speaker
Danielle has a broad technical background with focuses on network security and threat hunting. She has experience deploying security monitoring and remote access solutions to operation technology (OT), manufacturing, and lab environments. Additionally, she leverages industry accepted... Read More →


Friday August 21, 2020 11:00am - 11:30am PDT
Stage 2

11:00am PDT

Deploying discreet infrastructure for targeted phishing campaigns
Phishing attacks are an extremely common attack vector that has been used for many years, and the potential impact and risk involved are well known to most Internet users. However, it is still a highly relevant attack vector being used in the wild, affecting many victims. Phishing attacks exploits the vulnerable human factor.
The words easy and phishing never really seem to go together. Setting up a proper phishing infrastructure can be a real pain. This talk aims to walk you through the whole process of deploying an phishing campaign infrastructure from the perception of an attacker.

Speakers
avatar for Sreehari Haridas (invisible)

Sreehari Haridas (invisible)

Cyber Security Engineer, UST Global
Sreehari is an experienced Security Researcher, who has 3 years of professional experience. He is a Web application Penetration tester and a renowned Bug Bounty Hunter.Currently Sreehari is working as a Cyber Security Engineer at UST Global, formerly a security consultant with EY... Read More →


Friday August 21, 2020 11:00am - 11:45am PDT
Red Team Village Booth

11:00am PDT

Carnegie Mellon University's (CMU) Information Networking Institute (INI) Information Session
Thinking about going to graduate school for computer science, electrical and computer engineering or information technology?

Carnegie Mellon University's (CMU) Information Networking Institute (INI) is attending the The Diana Initiative Virtual Conference on Aug 21-22, 2020 and we want to meet you!

Connect live and hear about our programs, career outcomes and admission criteria:
  • Information Sessions -
        Aug 21 and 22 at 2 p.m. EDT
  • INI Admissions will be on hand for LIVE Q&A
        Aug 21-22 at 4:00 p.m. and  6:00 p.m. EDT
  • Available to chat during the duration of the conference

Visit our virtual booth to learn more about the INI's four master's degrees in information networking, security and mobile and IoT engineering.

We are a department within CMU's highly-ranked College of Engineering. At the INI, you can customize a technical computer science and engineering curriculum to explore your interests, such as human-computer interaction, cybersecurity, operating systems, embedded systems, cloud computing, big data analytics, smart cars and more.

Friday August 21, 2020 11:00am - 12:00pm PDT
Expo Hall - CMU Booth

11:30am PDT

Low Tech & Insecure: Building Better Boundaries at Work and in Life
Guidelines to developing your own, and respecting others’, physical, verbal, emotional and sexual boundaries. Tech folks don't go to HR conferences; even if they did, HR conferences won't provide this common framework for discussing boundaries and sexuality. All genders and orientations are welcome; you should leave this armed with information to help you navigate personal interactions with more confidence in your careers, at conferences and in your personal lives.

Speakers
avatar for Carlota Sage

Carlota Sage

Self, Speaker
Raised in the wilds of Alabama by angry chickens and crazy people, Wolfpack-educated in the Tar Heel/Blue Devil state, and indoctrinated into Security by Silicon Valley appliance vendors (which are either wolves or angry chickens…maybe both), Carlota has returned to the east coast... Read More →


Friday August 21, 2020 11:30am - 12:00pm PDT
Stage 1

11:30am PDT

CTI Mindset as a Technique for Blue Teamers
What if I told you that it is possible for blue teamers to practice CTI everyday?! With minimal guidance and insight, blue teamers can learn how to see things through the eyes of a cyber threat intel analyst. We’ll step through multiple examples of how a CTI analyst would view data, intel, analysis, and situations so you can gain helpful perspectives when performing analysis for your organization. Learn about the cognitive biases and logical fallacies that are killing your analysis and what to do about it. Take away CTI strategies that you can use in your org.

Speakers
avatar for Xena Olsen

Xena Olsen

CTI Analyst, Finance
Xena Olsen works for a Financial Services Fortune 500 Company. She is a graduate of the SANS 2017 Women’s Academy, has an MBA in IT Management, and currently holds the GSEC, GCIH, GCFE, GMON, GDAT, GPEN and GCTI certifications. She is a member of the Financial Services Information... Read More →


Friday August 21, 2020 11:30am - 12:00pm PDT
Stage 2

11:30am PDT

Lessons Learned from Playing with String
The speaker is an avid craftsperson, with years of experience knitting shawls, crocheting stuffies, and, more recently, sewing cloth face coverings. Some of the lessons learned from these crafts include: the importance of planning, batch processing, when to automate a task, and how everyone, regardless of skill level, has something to contribute.


Speakers
avatar for Amanda Draeger

Amanda Draeger

US Army, Speaker
Amanda makes magic by using sticks to turn fluff into stuff. She listens to the complaints of computers to pay the bills.


Friday August 21, 2020 11:30am - 12:00pm PDT
Stage 3

11:30am PDT

Security at Coinbase
Speakers: 
- Adrienne Allen, Director, Security GRC & Privacy at Coinbase
- Sasha Levy, Security Analyst, CSIRT at Coinbase
- Zassmin Montes de Oca, Product Security Manager at Coinbase
Moderators:
- Katie Wilson, Analyst, Third Party Risk at Coinbase
- Chitra Balu, Senior Security Architect

Speakers
avatar for Zassmin Montes De Oca

Zassmin Montes De Oca

Product Security Manager at Coinbase, Coinbase
Zassmin is passionate about application security and promoting women in technology. She started her career as a software engineer before co-founding Women Who Code, serving as their CTO and Board Vice Chair. Zassmin's interest in security propelled her into her current role as a Product... Read More →
KW

Katie Wilson

Third Party Security Analyst, Coinbase


Friday August 21, 2020 11:30am - 12:30pm PDT
Stage 4 - Village Talks

12:00pm PDT

Offensive GraphQL API Exploitation
Nowadays, the GraphQL technology is used by some of the big tech giants like Facebook, GitHub, Pinterest, Twitter, HackerOne. The main reason behind that is that GraphQL gives enormous power to clients.
But, with great power come great responsibilities. Since developers are in charge of implementing access control and other security measures, applications are prone to classical web application vulnerabilities like Broken Access Controls, Insecure Direct Object References, Cross Site Scripting (XSS) and Classic Injection Bugs. This talk will be explaining the common security impacts faced while using the Graphql APIs and how an attacker makes use of it to attack the underlying infrastructure and ex-filtrate sensitive data from an organisation.


Speakers
avatar for Arun S

Arun S

Senior Security Consultant, IBM India Software Labs
Arun works as a Senior Security Consultant @ IBM India Software Labs, with more than 6 years of experience. He is a chapter leader for the null open source security community in Bangalore,  also conducted training and workshops at c0c0n and BSides Delhi security conferences.Arun... Read More →


Friday August 21, 2020 12:00pm - 12:45pm PDT
Red Team Village Booth

12:00pm PDT

Broken Arrow
Friends and family ask for assistance installing WiFi or configuring smart devices in the house. They are now asking members of the InfoSec community for help ‘fixing my situation' to digitally detach domestic disputes.
The attendees will leave with the fundamentals to assist their community with the same fundamentals which are applied with Operation Safe Escape clients,  NATO special forces training, and corporate Digital Forensic/Insider Threat centers.


The very same Internet of Things which are installed for convenience can form agilded, velvet lined cage with an Alexa or Siri voice.


I will discuss how our community can apply InfoSec principles and forensic principles to assist domestic abuse victims cutting the electronic cord to their abuser.



The counterintelligence mindset should be applied to the domestic situation what can be gathered, what sources and methods can be used against a person in their own house and how to detect the threat.



The talk will discuss the use of social media to detect physical surveillance, technical countermeasures for surveillance devices, lessons learned with forensics...and the ways to protect oneself against leaving data behind.


Speakers
avatar for Will Baggett

Will Baggett

Revolutionary Security, Speaker
Prior to joining Revolutionary Security as a Senior Cybersecurity Consultant, Will has a solid foundation of applying innovative cyber solutions to the public and private sector. During his time in public service, he identified new cyber methods and capabilities to mitigate risk to... Read More →


Friday August 21, 2020 12:00pm - 1:00pm PDT
Stage 1

12:00pm PDT

What if we had TLS for Phone Numbers? An introduction to SHAKEN/STIR
If you've noticed a surge in unwanted robocalls from your own area code in the last few years, you're not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it's time to address the problem.



This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

Speakers
avatar for Kelley Robinson

Kelley Robinson

Twilio, Speaker
Kelley works on the Account Security team at Twilio. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience and design trade-offs for different risk profiles and 2FA channels. Kelley lives in... Read More →


Friday August 21, 2020 12:00pm - 1:00pm PDT
Stage 2

12:00pm PDT

Products People Trust: Privacy, Consent, & Security
ABSTRACT
Most software today collects and tracks as much data as possible with no concern for privacy or user consent. Consumers and regulations are starting to demand change. It's time to focus on building trust with our users. Our products should collect only what data is necessary, should always receive consent before collecting data, and should have proper security in place to protect collected  data.

AUDIENCE
This talk is intended for creators of digital products. Anyone who involved in the design, development, and launch of web and mobile applications and services. The concepts in this talk are simple, but their impact and intricacies when implemented in products are complex and nuanced. Attendees at all levels of experience and career tenure will find value in the concepts of this talk.

INTRODUCTION
Technology companies are developing a bad reputation for abusing data collection policies and for failing to secure sensitive data they collect from their customers. Silicon Valley values companies that grow fast and have lots of users. In pursuit of these goals and ideal metrics, technology companies make seemingly innocuous decisions to get features out with as much adoption as possible. Unfortunately, this usually means turning on features on by default, automatically opting users in: all without any care around consent of that choice and the data collection and privacy implications that may be associated with a particular feature. 

It’s not that anyone intentionally made these decisions with ill intent, it’s instead a lack of understanding the indirect implication to privacy, consent, and security of data that these features then introduce to a product or service.

This talk will reference real world examples of seemingly simple product and software decisions that lead to loss oftrust, lack of data collection consent, and failure to secure
 data that was collected. We will also analyze the impact these problems introduce to a business. We will look at practical tips to build trust in your software while designing features for consent with privacy and security in mind.

OUTCOMES/CONCLUSION
At the end of this talk attendees will have practical advice on building trust into software products. Attendees will leave with a new understanding of the concepts of trust, privacy, consent, and security as it relates to data collection, analysis, and storage within digital applications and services. Attendees will also leave with real world examples to reference and share this knowledge as they build new digital products and services at their companies.

Speakers
avatar for Taylor McCaslin 🏳️‍🌈

Taylor McCaslin 🏳️‍🌈

GitLab, Speaker | Career Village Volunteer
Taylor McCaslin (he/him) is a multi-disciplinary Investor, Product Manager, and Technologist living in Austin, Texas. He currently works as a Senior Product Manager at GitLab focused on Security. Taylor also runs a small angel investing fund focused on impact investing with companies... Read More →



Friday August 21, 2020 12:00pm - 1:00pm PDT
Stage 3

12:30pm PDT

How an SRE became an application security engineer (and you can too!)
I made the leap from site reliability engineer to application security engineer late last year. What made it possible to move from security as a hobby to security as a job? A mix of research, workshops, meeting people, and focusing on the security-related parts of the job I already had. I’ll tell you what I studied, what I realized I already knew, and what was actually useful in the interview process (including links, a reading list, and other specifics).
Slides with notes here: https://docs.google.com/presentation/d/15-KXy1vYknYNdNN3vKLQNiwSGHsysg9AWhhOiaiAmY4/edit?usp=sharingBlog post version with links here: https://breanneboland.com/blog/2020/01/27/how-an-sre-became-an-application-security-engineer-and-you-can-too/

Speakers
avatar for Breanne Boland

Breanne Boland

Application security engineer, Salesforce
Talk to me about: Chrome extensions in a security context. Switching professions and specialties multiple times in five years. Your favorite quarantine snacks. Doing security in a very large company. Doing ops in very small companies. Your pets (though I will need pictures). What... Read More →


Friday August 21, 2020 12:30pm - 1:00pm PDT
Stage 4 - Village Talks

1:00pm PDT

Internal Red Team Operations Framework - Building your practical internal Red Team
This talk is about building a practical internal red team. This is not an easy task. For organizations, it is essential to have an internal offensive team to continuously perform adversarial simulation to strengthen the security posture and enhance blue team capabilities. Many variables needs to be taken care of before going forward with such an initiative. Most important thing would be assessing the progress and maturity of the red team building process.

Explains various steps to create an internal offensive team/red team from scratch and increasing the capabilities gradually on different phases. This talk introduces a proven way of building internal offensive teams, Internal Red Team Operations Framework. (IRTOF)



Friday August 21, 2020 1:00pm - 1:45pm PDT
Red Team Village Booth

1:00pm PDT

Carnegie Mellon University's (CMU) Information Networking Institute (INI) LIVE Q&A
Thinking about going to graduate school for computer science, electrical and computer engineering or information technology?

Carnegie Mellon University's (CMU) Information Networking Institute (INI) is attending the The Diana Initiative Virtual Conference on Aug 21-22, 2020 and we want to meet you!

Connect live and hear about our programs, career outcomes and admission criteria:
  • Information Sessions -
        Aug 21 and 22 at 2 p.m. EDT
  • INI Admissions will be on hand for LIVE Q&A
        Aug 21-22 at 4:00 p.m. and  6:00 p.m. EDT
  • Available to chat during the duration of the conference

Visit our virtual booth to learn more about the INI's four master's degrees in information networking, security and mobile and IoT engineering.

We are a department within CMU's highly-ranked College of Engineering. At the INI, you can customize a technical computer science and engineering curriculum to explore your interests, such as human-computer interaction, cybersecurity, operating systems, embedded systems, cloud computing, big data analytics, smart cars and more.

Friday August 21, 2020 1:00pm - 2:00pm PDT
Expo Hall - CMU Booth

1:00pm PDT

Cyber Harassment: Things I wish I knew when sh1t went sideways
Cyber harassment is a grey area in both legal and forensic capability. Protecting one’s self can feel impossible, however it is not!

Are words on the internet/emails/private messages considered harassment, seen as threatening, or just freedom of speech?

I will share the first-hand extensive knowledge on options. Life tossed me a curveball, which resulted in a life experience which lets me share how to help individuals through a series of options to be protected and for additional help.

Do not feel helpless, evidence can be gathered. Protective orders can be obtained. Individuals who have been harassed causing mental trauma have the right to file for FMLA (NOT just for babies folks!). This allows them to take the necessary time off work without having a fear of losing employment.

The options provided will include tips on how to document and obtain evidence, tips for interviewing lawyers to find an attorney that meets specialized standards for cyber, and how to reach out to get help that can protect an individual in their career.

I truly wish I knew during my experiences these options and by sharing my experiences, as long as one person is helped, then it makes my adventure worth it.

Speakers
avatar for Laura Johnson

Laura Johnson

Speaker
Laura Johnson is a Senior Security Engineer, who started her career by joining the military unaware of how much she would fall in love with "security and things". Earlier in her career, Laura held roles such as Maintenance/Integrator, Network Engineer, Consultant, and Managing Security... Read More →


Friday August 21, 2020 1:00pm - 2:00pm PDT
Stage 1

1:00pm PDT

More than just pipelines: DevSecOps
Although DevSecOps is currently a favourite industry buzzword many of us have limited knowledge on how to “do” it. Most vendors are selling mini versions of their tools meant to squish into your already crowded pipeline and calling it a day. This talk will define DevSecOps then discuss several strategies (high level ideas) and tactics (hands on keyboard) for fast and effective application security practices in a DevOps environment, all of which will take place OUTSIDE your pipeline.

When AppSec professionals operate in a DevOps environment they need to respect ‘the 3 ways’ (efficiency of the entire system, fast feedback and continuous learning), while ensuring they consistently release secure software. The current trend in this area is to add mini or partial versions of traditional security tools into your pipeline, breaking builds and/or slowing developers down immensely. For a change of perspective, this talk will detail how to implement a complete application security program without heavy reliance on pipelines.

Speakers
avatar for Tanya Janca

Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and... Read More →


Friday August 21, 2020 1:00pm - 2:00pm PDT
Stage 2

1:00pm PDT

I’m a hunter! Cyber Intelligence the new(ish) frontier.
Threat hunting and cyber intelligence is not new but interest in it is growing, and with good reason. Cyber intelligence helps fill in gapsand hunting helps find hidden threats. It's an important area that doesn't get enough attention. Companies and organizations should understand why knowing their threat space could help them prevent attacks, infections, breaches and other issues. I also hope to show another field in infosec, that might be of interest to those looking for a new area to learn.

Speakers
avatar for Yasmine ‘amira Johnston-Ison

Yasmine ‘amira Johnston-Ison

Senior Threat Researcher at Fidelis, Speaker
Army SIGINT vet who grew up in the intelligence world with a passion for cyber threat intelligence and malware."A target is a target and a network is a network - human or digital. In the shadows, it’s one in the same." - Yaz


Friday August 21, 2020 1:00pm - 2:00pm PDT
Stage 3

1:00pm PDT

Ten Things Every Cyber Security Job Seeker Should Know
Maximize your job search efforts and turn them into successes with recommendations to evaluate, refine, and improve your strategy. This presentation offers women in cyber security the tools they require to take expert control of their job search and achieve their career goals through ten essential tips.
 
Job seekers will benefit from insights into understanding the different types of recruiters, deciphering the importance of certifications, and leveraging the right avenues for self-promotion and networking. We’ll also dive into developing career search products like your resume and social media content, as well as methods to obtain experience including home labs, competitions, internships, and more.
 
This session will thoroughly explore ten crucial job search tips while also sharing findings from an industry survey, which examines the impact of volunteering in your professional community. By actively engaging in the community, cyber professionals can network, gain experience, and create opportunities for continued learning in order to progress their careers. By applying these guidelines and taking necessary responsibility for one’s job search, individuals will embark on the road to success in the cyber security job market.

Speakers
avatar for Courtney Schwarten

Courtney Schwarten

Outreach Advocate, ClearedJobs.Net / CyberSecJobs.com
Courtney Schwarten, Outreach Advocate for CyberSecJobs.com and ClearedJobs.Net, gives job seekers the resources they need to be successful in their next careers. In this role, she advises and coaches cleared professionals, transitioning military, and cyber security professionals and... Read More →


Friday August 21, 2020 1:00pm - 2:00pm PDT
Stage 4 - Village Talks

1:00pm PDT

“Off the Shelf” Soldering addition
In this 90 min workshop we’ll build step by step  the “Off the Shelf” badge. TOOLS REQUIRED — SOLDERING IRON, WIRE STRIPPER AND A SMALL WIRE CLIPPER you will also need solder, flux and possibility some solder braid or a solder sucker . Requires the parts listed here(link needed) as well a computer with the Arduino IDE installed (link) We’ll end the session with loading a test sketch to the Arduino

Speakers

Friday August 21, 2020 1:00pm - 2:30pm PDT
Village Workshops

2:00pm PDT

Into the unknown: From a stay-at-home parent to an InfoSec career
The problem: stepping into an industry that is constantly growing, changing, and impossibly complex. How do you know where to start? How can you even dare to catch up or at least come close? Everyday, the cybersecurity industry grows. These are not shallow topics to be understood in a weekend seminar. Even one area is enough to spend a lifetime of research on. So, from the outside, what hope do you have to join this industry, especially if you didn't choose this path initially?
A real life story about stepping into the unknown. From a stay-at-home parent to an InfoSec career. Without a college degree, after 10 years of being a stay at home mom, and now a single mother, I want to share with the audience how I stepped into the cybersecurity field. How I went from knowing almost nothing about IT security (spoiler, I had the same 6 character password everywhere!) to being a social engineer and participating on security research projects at an international IT security company.
This talk can encourage the audience to push themselves towards their life goals, regardless of how they start. I will share tips and tricks that helped me transition into a fulfilling career that I love, in a more unconventional method.

Speakers
avatar for Michel Quiroz

Michel Quiroz

insighti, Speaker
Michel currently works for insighti, an IT security company, as the head of business development during the week and dresses-up as kid's characters for parties and events on the weekend, you know, like Elsa or Wonder Woman. You could say that she does social engineering for a living... Read More →


Friday August 21, 2020 2:00pm - 2:30pm PDT
Stage 1

2:00pm PDT

My AWS Access Key Nightmares... and Solutions
As a Security Engineer, a lot of things worry me. Between S3 buckets possibly being open to the public, firewall rules exposing endpoints accidentally, and insecure coding practices, I need to stay on my toes. But those are possible to audit for and address. No, the thing that keeps me up at night is the possibility of someone leaving the keys to our kingdom sitting around somewhere: AWS Access Keys. Journey with me into my nightmare scenarios, and hear me talk about the solutions that allow me to get back to sleep afterwards.

Speakers
avatar for Emily Gladstone Cole

Emily Gladstone Cole

Speaker
Emily is currently a Staff Security Engineer for Agari Data, Inc., and spends a lot of time thinking about the ways that DevOps and Security intersect. Emily has performed critical organizational roles of security research, incident response, product security, devops engineer, system... Read More →



Friday August 21, 2020 2:00pm - 2:30pm PDT
Stage 2

2:00pm PDT

How to sink the ducky and other tricks
Unified logs contain a wealth of information that can be used to detect malicious USB devices like rubber ducky and bash bunny. Unified logs can also help find lateral movement and other malicious activity . . . once you know where to look. This presentation will cover some tips for detection using unified logs, and some gotchas for searching unified logs.

Speakers
avatar for Megan Carney

Megan Carney

Target, Speaker
Megan Carney has been an analyst/bad news giver in several different environments over the past ten years or so. She spends most of her time searching for all the places badness might hide. Can often be found staring into the abyss. It’s true the abyss stares back.


Friday August 21, 2020 2:00pm - 3:00pm PDT
Stage 3

2:00pm PDT

Ch-ch-changes!
Don Donzal from eLearnSecurity, sponsor of this year's Career Village, interviews three industry veterans about the many various paths into cybersecurity. Ping Look will bring her experiences as a technical hiring manager for defense and response, Sara Pickering as a human resources consultant and recruiter, and Carlota Sage as an IT leader turned vCISO, to paint a picture for the audience of the many twisty-turny paths you can take to get into Cybersecurity, and especially what hiring managers look for when hiring candidates without a security background.

Speakers
avatar for Carlota Sage

Carlota Sage

Self, Speaker
Raised in the wilds of Alabama by angry chickens and crazy people, Wolfpack-educated in the Tar Heel/Blue Devil state, and indoctrinated into Security by Silicon Valley appliance vendors (which are either wolves or angry chickens…maybe both), Carlota has returned to the east coast... Read More →
avatar for Don Donzal

Don Donzal

Community Director, eLearnSecurity
whoami - I’m a Dad, a Community Director & an Editor-in-Chief.Don Donzal is the founder of The Ethical Hacker Network (EH-Net), a free online magazine and community for security professionals. EH-Net was acquired by eLearnSecurity (eLS) in 2017 to bolster their free educational... Read More →
avatar for Sara Pickering

Sara Pickering

Director of Talent Development, ISE
Sara Pickering is the Director of Talent Development at Independent Security Evaluators (ISE). Self-proclaimed HR Nerd, she works with business leaders to ensure that people strategy aligns with company values and culture. Sara strives to build trust and high levels of employee engagement... Read More →
avatar for Ping Look

Ping Look

Senior Director, Detection & Response Team, Microsoft
Ping Look is passionate about bringing people together to solve problems and currently at the helm of Microsoft’s Detection & Response Team. Prior to joining Microsoft, Ping was engaged at Optiv, formerly known as Accuvant LABS, where she managed one of the most technically proficient... Read More →


Friday August 21, 2020 2:00pm - 3:00pm PDT
Stage 4 - Village Talks

2:30pm PDT

Conference Submissions for the Faint of Heart
Submitting a talk to a conference is quite overwhelming, even for seasoned speakers and presenters. The CFP process, while often documented, still results in submissions that may make a good idea tough to evaluate by the review team, and eventually they may be rejected. How could a first time submitter to a seasoned pro go about ensuring they share their ideas to the right audience and past muster with the review committee. In this talk we plan to present a general primer on how to make the submission the best it can be, reduce your stress, and ensure that you will have the tools required to confidently present your ideas to the target audience.


Speakers
avatar for Amélie Erin Koran

Amélie Erin Koran

Splunk, Inc., Speaker
Amélie is a Senior Technology Advocate at Splunk, focused on helping organizations transform, grow and secure themselves in the ever evolving world of technologies and their accompanying challenges. She arrives at Splunk after nearly 25 years as a technologist, from systems administration... Read More →
avatar for Nicole Schwartz

Nicole Schwartz

Product Manager, Secure Composition Analysis - GitLab, Speaker
Nicole Schwartz (@CircuitSwan) is a Product Manager for the GitLab Secure team. In her career, she has been in Product, System Administration, and Agile coaching. Before her career ever started she was a Hacker. When she isn’t working, she volunteers at and attends conventions (you... Read More →


Friday August 21, 2020 2:30pm - 3:00pm PDT
Stage 1

2:30pm PDT

Guardians of the cloud: the sysadmin's guide to cloud security
Organisations are rapidly moving applications to the cloud to support remote work in the COVID-19 era, leaving sysadmins and security teams to secure a sprawling mass of cloud-based infrastructure. It's easy to "lift and shift" on-premises administrative practices to cloud environments. However, cloud systems are prime targets for attackers and require a new approach to administration. So what is the most secure way to manage your Tier 1 servers running in AWS, application development in GitHub and business collaboration in Slack?

In her talk, Bronwyn will compare the threat models of cloud and on-premises systems. We will learn about best practices for secure cloud administration, including the importance of Identity and Access Management for effective cloud security. Bronwyn will share real-life lessons learned from working on cloud migrations, illustrating the challenges faced when on-premises administration concepts are applied to cloud environments.

Friday August 21, 2020 2:30pm - 3:00pm PDT
Stage 2

3:00pm PDT

Carnegie Mellon University's (CMU) Information Networking Institute (INI) LIVE Q&A
Thinking about going to graduate school for computer science, electrical and computer engineering or information technology?

Carnegie Mellon University's (CMU) Information Networking Institute (INI) is attending the The Diana Initiative Virtual Conference on Aug 21-22, 2020 and we want to meet you!

Connect live and hear about our programs, career outcomes and admission criteria:
  • Information Sessions -
        Aug 21 and 22 at 2 p.m. EDT
  • INI Admissions will be on hand for LIVE Q&A
        Aug 21-22 at 4:00 p.m. and  6:00 p.m. EDT
  • Available to chat during the duration of the conference
Visit our virtual booth to learn more about the INI's four master's degrees in information networking, security and mobile and IoT engineering.

We are a department within CMU's highly-ranked College of Engineering. At the INI, you can customize a technical computer science and engineering curriculum to explore your interests, such as human-computer interaction, cybersecurity, operating systems, embedded systems, cloud computing, big data analytics, smart cars and more.

Friday August 21, 2020 3:00pm - 4:00pm PDT
Expo Hall - CMU Booth

3:00pm PDT

College Students “Driving” Digital Crash Reconstruction
In order to address the massive growth of digital evidence available in criminal investigations, the St. Joseph County (IN) Cyber Crimes Unit began a partnership with the University of Notre Dame in 2015. Unlike any other cyber crimes unit in the country, they took a leap of faith and began employing students as sworn law enforcement personnel and digital forensics examiners. We are two of those investigators. In this role, we conduct digital forensics examinations on real cases, write and execute search warrants, and testify in court. When we are not actively working on a case, we conduct research and testing, looking for novel ways to apply technology and digital forensics to existing real-world problems.

Since the inception of traffic crash reconstruction in 1985, its methods and formulas have remained relatively unchanged. So, we asked: can technology revolutionize traffic crash reconstruction? In this talk, we will discuss research that we have done related to the feasibility of using data automatically collected by a smartphone to reconstruct traffic crashes. We have found that depending on user interaction with the phone, it may be possible to build a detailed timeline of events leading up to, during, and after a crash. This timeline can include not only user interaction with the phone, but also detailed GPS information and vehicle speeds. Finally, we will talk about how our research can address the limitations of existing crash reconstruction methods and show case examples of where we have applied this research to local cases.

Speakers
avatar for Brianna Drummond

Brianna Drummond

St. Joseph County Cyber Crimes Unit, Speaker
Brianna Drummond is a senior undergrad at the University of Notre Dame studying Political Science and Russian with a minor in Cyber Safety and Security. In addition to being a student, Brianna is a Senior Investigator for the St. Joseph County Cyber Crimes Unit. She also holds the... Read More →
avatar for Laura Hernandez

Laura Hernandez

St. Joseph County Cyber Crimes Unit, Speaker
Laura is a senior undergrad at the University of Notre Dame studying Sociology with a minor in Cyber Safety and Security. She is currently a Senior Investigator in the St. Joseph County Cyber Crimes Unit in Indiana, where she works as a digital forensic examiner. She is also certified... Read More →


Friday August 21, 2020 3:00pm - 4:00pm PDT
Stage 1

3:00pm PDT

Secrets of the Second Factor
Bored by talks convincing you to setup 2FA, as if you haven’t already had it on your MMORPG account for a decade?

There's more to MFA than protecting an account from a bad, reused, or dumped password. Let's go discover all the dirty little secrets in $company using the MFA logs!

Break the barrier of complacency that comes with a multi factor system! Explore all the obvious security violations of risky login habits. I’ll step through why you should be logging every authentication attempt and read the logs to discover all the hidden secrets that could have been unnoticed for years. Things slip by other data sources and behavior analysis tools but become clear when you know how to spot the secrets in the second factor.

Speakers
avatar for Bace 16

Bace 16

DC919, Speaker
BACE16 was bored as a firewall engineer so she started a Def Con Group in RTP, NC, DC919, to re-discover the joys of hacking with a community. Building on this, she also volunteers for BSides RDU and is a founding member of Cackalacky Con. She eventually found her calling as an incident... Read More →


Friday August 21, 2020 3:00pm - 4:00pm PDT
Stage 2

3:00pm PDT

A case against “Google it”: A cognitive science approach
"Google it" is a great one-liner, but it doesn't follow how people learn. People new to the infosec field have a lot to navigate during their learning. Mentors and education programs should develop a model of learning based on human cognition. There is an overwhelming amount of information and even more opinions on how to begin learning cybersecurity. Not to mention, not everyone is an excellent technical writer or writes content without considering their audience. Accordingly, telling a new learner to just "Google it" can be cognitively overwhelming, disrupts learning, and may cause people to not pursue infosec as a career or hobby.

In this presentation, mentors and those that create educational content for infosec professionals will learn the cognitive apprenticeship (Collins et al., 1987) model of learning and cognitive load theory (Sweller, 1994; Sweller, 2006; Sweller et al., 2011). Cognitive apprenticeships are the same as a traditional mentor-mentee relationship, except it provides a cognitive framework of how to learn. The four phases of modeling, scaffolding, fading, and coaching will be discussed in context to a Windows system administrator who wants to transition into a cybersecurity professional. The presentation will discuss how to train a Windows System Administration to apply the CSC Security Controls to Windows and Linux using a cognitive apprenticeship approach. Cognitive load theory is one way of explaining how instructional design helps or hinders transferring information from short-term memory, which has a small storage capacity, to long-term memory, which has a much larger storage capacity. When cognitive apprenticeships are practiced in context to how people learn, it will reduce the mentor and mentee's cognitive load and create a more engaging learning experience to facilitate long-term retention of what is learned.

Speakers
avatar for Duane Dunston

Duane Dunston

Northeastern University and Champlain College, Speaker
Duane Dunston is an Associate Professor of Cybersecurity at Champlain College. He's been in Information Security since 1997. He graduated from Pfeiffer University with a BS in Sociology and a Master's in Organizational Management. Duane is also a mentor for the Vermont Cyberpatriots... Read More →


Friday August 21, 2020 3:00pm - 4:00pm PDT
Stage 3

4:00pm PDT

Reclaiming Your Space in Cyber Security: Speak Out, Speak Up, Speak Often
There is a great global discussion happening about the ways in which systemic racism and gender bias reveal themselves across various aspects of our society. From #BlackLivesMatter to #Me too to #Timesup, there is a massive movement on the part of large swaths of American citizens that incremental progress is no longer enough. Americans seems ready for a sweeping change in the very definition of what America is, what we truly value and who the beneficiaries should be of a long-broken system. 
This public discourse is visceral, its uncomfortable and its disruptive. But it is necessary. It was unavoidable. Women, minorities, and other marginalized groups now have growing public support to transform discourse into action, draft new policies, and advance new ways for our society continues tovalue difference – across the board. More of them today are choosing to “Speak Out, Speak Up and Speak Often” in advocacy for more control over their lives. 
The Cybersecurity industry acts as a microcosm of the broader society in which it sits. Therefore, it is not exempt from the same demand for a revolution – a change in the way women are treated, minorities are kept out, and the responsibility for diversity and inclusion is placed on the victims of the treatment over and over again. The first black or female employee in any security team is the one who “breaks the boundaries”, therefore innately a change agent. But we all as an industry have to make space for those who are different. We must allow them to use their unique voice and value them as equals. It now the time for action. 
The purpose of this talk will be to discuss the responsibility of the cyber security industry to move over, open doors and make space for more women and minorities to “Speak Up, Speak Out and Speak Often”.

Speakers
avatar for Jules Okafor

Jules Okafor

CEO, RevolutionCyber
​Juliet Okafor, J.D., is a cybersecurity professional who has combined her knowledge of the legal system and cybersecurity solution models into success stories across fortune 500industries throughout the USA. Her ability to scope, plan and design the creation of an OT Cybersecurity... Read More →


Friday August 21, 2020 4:00pm - 5:00pm PDT
Stage 1

4:00pm PDT

Entrepreneurial Adventures: Starting Your Own Company
So you’re not crazy, you just want to start your own company. Which kinda takes a level of crazy to pull it off. We’ll talk through what it takes to be an entrepreneur, ideation and the phases of startup, different kinds of companies (service, product, non-profit), how and why (or why not) to raise capital, types of investors, legal requirements, working (or not) with friends, challenges, building total/service addressable market size, back-office administration, employee benefits, equity (what is an RSU?), pricing, Intellectual Property Rights, economics, and resources for more information and networking. Will include anecdotes and insights my experiences starting several companies and from multiple Founders across the spectrum.

Speakers
avatar for Bryson Bort

Bryson Bort

Founder and CEO, Scythe
Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow for Cybersecurity... Read More →
avatar for Keenan Skelly

Keenan Skelly

CEO, ShyftED, Inc.
As the CEO of ShyftED, Inc., a Security Awareness company for all humans, Keenan Skelly provides engaging awareness software and strategic business insights for cybersecurity. Skelly, a former Army Explosive Ordnance Disposal Technician, and Chief, Comprehensive Reviews for DHS, has... Read More →



Friday August 21, 2020 4:00pm - 5:00pm PDT
Stage 4 - Village Talks

5:00pm PDT

Social Hour
Come on in to the "Networking" area and you will get randomly paired with another person for a chat.

We recommend bringing a drink, a snack, and recreating hallwaycon / quiet party!

Friday August 21, 2020 5:00pm - 6:00pm PDT
Networking Area
 
Saturday, August 22
 

8:00am PDT

What Does it Mean to Be a Barrier Breaker?
We often assume 'Barrier Breaker' means that someone was 'the first' or 'the only' to do something and what happens after that is almost a foregone conclusion . That's not how barriers get broken. It's kind of like saying, "a single drop of water breaks the dam", when we know that it takes a critical mass of water, a flood, before the dam will break. In security, especially, we reward the 'lone hacker' who discovers a zero-day and tend to dismiss those that come behind who identify similar classes of vulnerabilities or the same vulnerability presented in different ways--as if those discoveries aren't equally remarkable. Barrier breaking isn't a one-person phenomenon, it is a movement of people committed to change. Using a handful of examples, I will highlight some barrier breakers in our industry and provide actionable methods that each of us, day by day, and byte by byte, can use to become better barrier breakers.

Speakers
avatar for Yolonda Smith

Yolonda Smith

Head of Cybersecurity at Sweetgreen, Opening Keynote Speaker
Yolonda Smith is the Head of Cybersecurity for sweetgreen, a fast-casual salad restaurant chain with over 100 locations across North America whose mission is inspire healthier communities by connecting people to real food. In this role, she is responsible for the development and operationalization... Read More →


Saturday August 22, 2020 8:00am - 9:00am PDT
Stage 1

9:00am PDT

Critical Infrastructure, Interconnected Risks, and Resiliency. Why Women Should Care?
This talk is specifically focused on increasing awareness about the interconnected of the internet not only in our day to day to lives but also into our critical civil infrastructure such as water treatment facilities, energy grids, hospitals, etc., she brings attention to the fact that just like essential workers are recognized as critical to continue BAU for our personal lives during the Covid-19 pandemic, these civic infrastructures are also essential services and that we must not wait for a serious incident like the pandemic to make us realize that but rather pay crucial attention to their safety and security and to the coupling impact they have on us proactively and work in strengthening their resilience. The talk highlights attention to the gender gap in cyber security and in this area and how women can help close this gap and gives an opportunity to discuss challenges and how to close them.


Speakers
avatar for Godha Bapuji

Godha Bapuji

Founder, Women in Crisis Response


Saturday August 22, 2020 9:00am - 9:45am PDT
Red Team Village Booth

9:00am PDT

It's a Human Thing: Strategies for Navigating Diversity & Inclusion in your Organization
Over the last several years, the infosec community has preached the importance of Diversity & Inclusion in the space. But what does that look like? How can infosec leaders put realistic measures and policies in place to achieve a diverse and inclusive work force? In this session, I will cover both good and bad strategies used by companies over the last two years; highlight the do and do not for organizations of all sizes; and discuss with the audience how to navigate Diversity & Inclusion during socially charged times. The audience will leave with real implementation measures; guidance on what to steer clear of; and a community to continue the discussion after the talk.

Speakers
avatar for Keenan Skelly

Keenan Skelly

CEO, ShyftED, Inc.
As the CEO of ShyftED, Inc., a Security Awareness company for all humans, Keenan Skelly provides engaging awareness software and strategic business insights for cybersecurity. Skelly, a former Army Explosive Ordnance Disposal Technician, and Chief, Comprehensive Reviews for DHS, has... Read More →


Saturday August 22, 2020 9:00am - 10:00am PDT
Stage 1

9:00am PDT

IoT Honeypots and Rogue Appliances
Honeypots AND IoT security, all in one place? Yes, why YES I tell you, and this is it! Oh sure, honeypots are not new, but how they are used is what makes this talk just a little bit different. Presented for your viewing pleasure will be IoT specific honeypot configurations, some deployed with k8s (some not) and how they are used to not only trap attacks against your IoT devices but also detect attacks FROM a compromised IoT device.

Introduction - who I am and where this idea came from (2 mins)

Introduction to IoT devices and why they continue to be a serious issue with consumer and corporate security. I will discuss the 5 verticals of IoT devices while focusing on some of the typical attacks that have been used in the past few years. It is important to understand why vendors produce insecure devices and that they will continue to do so. (3 mins)

Introduction to Honeypots and key issues with planning, architecture and deployment. One of the biggest issues with honeypots is not setting them up, but using them the right way. Now referred to as “deception tech”, honeypots can provide a level of detection and defense against rogue IoT devices. Several examples will be presented with recorded sessions (or live demos if the demo gods are in a good mood) showing how to plan and deploy the right honeypots to the right environments. (5 mins)

Now for the fun! In this next section I will show IoT honeypots used for protection in the wild. The wild will consist of your home network, corp network, and even deployed in DMZs and other locations. Several examples of how honeypots were used to detect “angry appliances” doing things they should not have been doing will be shown. A more recent example in my own private home network will show how an intelligent thermostat was found to be scanning the network. This sections gets fun with various devices from light bulbs, IoT hubs and more. (10 mins)

Summary and Key Takeaways - Here I bring it all to a conclusion by providing key takeaways for the How and the Whys of planning and deployment and what to expect from private and hostile environments. The key point here is that attendees will walk away with real tools and ideas to use right away and not just some theory. This is actually a detailed section reviewing key points of the takeaways, not just a summary slide (10 mins)

Q&A - (5 mins)

5 minutes to spare from a 40 minute session!! Woo Hoo!

Demos will make this fun, with one live and a couple of recorded demos to cap it all off.

Key takeaways: 1. Different levels of IoT devices 2. Threat modeling techniques for IoT devices 3. Honeypots and deception tech - not your mother’s honeypot 4. Planning stages - this is CRITICAL for successful deployment 5. Setting up collectors/SIEM for analysis 6. CCAD

Speakers
avatar for Kat Fitzgerald

Kat Fitzgerald

Google, Speaker
Based in Pittsburgh and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral... Read More →


Saturday August 22, 2020 9:00am - 10:00am PDT
Stage 2

9:00am PDT

Levelling up the Estrogen in the Cyber World
The lockdown has forced almost everyone into digitalization. But as the scale of the number of people doing remote work has increased so has the complexity and vastness of cyberattacks.

Now, from the point of a female engineering student, it’s hard to find a lot of female colleagues in the tech field.‘The International Journal of Gender, Science and Technology’ and many others have published studies regarding the gender gap of women in technology, cybersecurity being one of the fields. And we believe it is our duty to do something for the cause.

If you have ever been intrigued by cybersecurity and wanted to learn, the next question is HOW. Well, we may have the best answer to that, CTF’s. CTFs’ are coding competitions to the Cyberworld teaching you how to work up to escalate privileges from lowkey “bugs”.

Yes, we all know that there are tons of resources on the Internet. But that’s exactly the reason why we lose track. In this talk, we shall introduce you some Crypto and a little bit of Reverse Engineering and shall give you an idea of how to get started and how to navigate your way into the cyber realm. We shall also talk about existing opportunities for women and how to make the most of it.

Speakers
avatar for Sandra Bino

Sandra Bino

B-tech Undergrad
I'm a B-tech Undergrad student who has been playing CTF's for the past two years out of pure interest and also for the adrenaline rush right after I get a flag. I am also a member of teambi0s the #1 CTF team in India (I've been lucky ) also TeamShakti, an amazing group of girls from... Read More →
avatar for Meenakshi S L

Meenakshi S L

Student
Meenakshi S L is a CTF player with Team bi0s, the No.1 CTF team in India. She is also a part of Team Shakti, a group of bubbling young female minds set out to make their mark in the cyber world through CTFs, talks and workshops. She is currently pursuing her undergraduate degree... Read More →


Saturday August 22, 2020 9:00am - 10:00am PDT
Stage 3

9:00am PDT

Basic Arduino coding using virtual Badge
We’ll go through the basics of writing an Arduino sketch using the basic commands of DigitalWrite, Delay, and DigitalRead, as well as recycling code using Objects and loops.

Speakers

Saturday August 22, 2020 9:00am - 10:30am PDT
Village Workshops

10:00am PDT

Moving left in the SDLC
Jas will talk about how moving security left in the SDLC benefits the organization, reduced risk and improved security. How security works TOGETHER, Not against, Developers.


Speakers
avatar for Jaswinder Kaur

Jaswinder Kaur

Senior cyber security engineer, T-Mobile
Jas is working with T-Mobile as a Senior cyber security engineer. Before that, she worked in the DC Government and Bank of America for many years. She is leading the blue team in her organization. For her, cyber security has never been more important, securing the important personal... Read More →


Saturday August 22, 2020 10:00am - 10:45am PDT
Red Team Village Booth

10:00am PDT

DevSecOps – It’s A Team Sport
<p>DevSecOps derives its own name from being an amalgamation of formerly three separate common teams within most IT organizations, <strong>Dev</strong>elopment, <strong>Sec</strong>urity and <strong>Op</strong>eration<strong>s</strong>. With the onslaught of new technologies and methods to build, deploy and secure such solutions, it's become paramount to unite and streamline these traditionally separate activities. This doesn't come without its own set of challenges; from turf wars to knowledge and abilities, with most of the effort trying to wed-up the right puzzle pieces to ensure overall team successes. </p>
<p>There’s also no success in this area given to a group of “rock stars” or “prima donnas” but more from “roadies” and “sidemen” who work to make sure the whole show is going to be good rather than try to take center stage. Finding, identifying, and nurturing the staff and talent that is willing to work through the change not only within the IT organization, but are also ambassadors to the rest of the organization to help them through the new ways of exploiting the new ways of integrating technology into business.</p>

Speakers
avatar for Amélie Erin Koran

Amélie Erin Koran

Splunk, Inc., Speaker
Amélie is a Senior Technology Advocate at Splunk, focused on helping organizations transform, grow and secure themselves in the ever evolving world of technologies and their accompanying challenges. She arrives at Splunk after nearly 25 years as a technologist, from systems administration... Read More →


Saturday August 22, 2020 10:00am - 11:00am PDT
Stage 1

10:00am PDT

Hacking into Android Ecosystem
There are more than 2.5 billion devices on Android today. That implies any vulnerability can potentially lead to a massive privacy breach or security attack. So, how does the security landscape looks like for Android, are there known privacy limitations or security threats? How do you look into the internals of an Android app? How do you look into the internals of Android itself? This talk will answer these questions for the audience. As a part of the talk, we will cover the following:
1. Overview of Android Security Landscape: Present day's security and privacy posture of Android, the attacks and challenges in defence.
2. Android Apps Internals: How to reverse engineer Android App and see what it does?
3. FRIDA: Using FRIDA to explore Android Apps Ecosystem
4. Design of malwares and spywares
5. Current situation, exploitation, risks and future.


Speakers
avatar for Aditi Bhatnagar

Aditi Bhatnagar

Microsoft, Speaker
Aditi Bhatnagar is a security enthusiast who is presently working as Software Engineer in end point security team, developing defender solutions for Android platform at Microsoft. She is actively involved in researching the privacy and security aspects of evolving Android landscape... Read More →


Saturday August 22, 2020 10:00am - 11:00am PDT
Stage 2

10:00am PDT

Testing all the things - We can't catch 'em all and who's accountable anyway?
Suppliers, systems, sites, apps, devices, vulnerabilities and all the brewing bright ideas. What's riskiest? What do we tackle first? How much can we reasonably do? What about tyres we can't kick? 

No-one can test (or fix) all the things, but we're told to try, even when we get the call just before it goes live. But there's no Tardis, money tree, or vending machine stocked with specialists and no-one can be accountabile for something they can't influence, or don't understand.

I'll be sharing lessons learned about those pinch points and showing simple risk-based ways to share the burden across the whole organisation Delegating work to prune the pipeline. Embedding accountability. Recognising where the orginanisation might not be mature enough to change. Moving things left - back to the bright ideas factories - so there's time and space to tackle the tyres we really have to kick, or call out the fact there just aren't enough hours in the day.

Speakers
avatar for Sarah Clarke

Sarah Clarke

Data Protection & Security GRC Specialist, Speaker
Sarah started out in IT and network security, but has spent the last decade tackling challenges linked to doing security and data protection governance at scale. She moved away from the tech coalface after seeing colleagues burnt out, often because they didn't have data and sponsorship... Read More →


Saturday August 22, 2020 10:00am - 11:00am PDT
Stage 3

11:00am PDT

Deploying discreet infrastructure for targeted phishing campaigns
Phishing attacks are an extremely common attack vector that has been used for many years, and the potential impact and risk involved are well known to most Internet users. However, it is still a highly relevant attack vector being used in the wild, affecting many victims. Phishing attacks exploits the vulnerable human factor.
The words easy and phishing never really seem to go together. Setting up a proper phishing infrastructure can be a real pain. This talk aims to walk you through the whole process of deploying an phishing campaign infrastructure from the perception of an attacker.

Speakers
avatar for Sreehari Haridas (invisible)

Sreehari Haridas (invisible)

Cyber Security Engineer, UST Global
Sreehari is an experienced Security Researcher, who has 3 years of professional experience. He is a Web application Penetration tester and a renowned Bug Bounty Hunter.Currently Sreehari is working as a Cyber Security Engineer at UST Global, formerly a security consultant with EY... Read More →


Saturday August 22, 2020 11:00am - 11:45am PDT
Red Team Village Booth

11:00am PDT

Carnegie Mellon University's (CMU) Information Networking Institute (INI) Information Session
Thinking about going to graduate school for computer science, electrical and computer engineering or information technology?

Carnegie Mellon University's (CMU) Information Networking Institute (INI) is attending the The Diana Initiative Virtual Conference on Aug 21-22, 2020 and we want to meet you!

Connect live and hear about our programs, career outcomes and admission criteria:
  •  Information Sessions -
        Aug 21 and 22 at 2 p.m. EDT
  • INI Admissions will be on hand for LIVE Q&A
        Aug 21-22 at 4:00 p.m. and  6:00 p.m. EDT
  • Available to chat during the duration of the conference

Visit our virtual booth to learn more about the INI's four master's degrees in information networking, security and mobile and IoT engineering.

We are a department within CMU's highly-ranked College of Engineering. At the INI, you can customize a technical computer science and engineering curriculum to explore your interests, such as human-computer interaction, cybersecurity, operating systems, embedded systems, cloud computing, big data analytics, smart cars and more.

Saturday August 22, 2020 11:00am - 12:00pm PDT
Expo Hall - CMU Booth

11:00am PDT

Exploiting Sexual Exploitation
Online sexual harassment is one of the most overlooked crimes on both the interwebs and irl. Victims need help, and way fewer resources exist to support them. From cyberstalking cases, to revenge porn posts to deepnude takedowns, Labac helps victims of abuse defend and prevent targeted attacks.

This talk details our crew’s efforts to flip the table against online abusers. We will outline various tactics used against historical targets, such as technical attacks and policy exploits. We’ll also discuss how you can help.

Speakers
avatar for K T

K T

LaBac, Speaker
Threat Hunter. Founder, Labac.
avatar for Aaron DeVera

Aaron DeVera

Speaker
Bot Detective. Founder, Labac.LaBac is a hacker collective combatting tech-enabled abuse. LaBac serves on the NYC Cyber Sexual Assault Taskforce, a city-wide initiative dedicated to fighting online sexual exploitation. The LaBac collective curates the Museum of Modern Malware at... Read More →


Saturday August 22, 2020 11:00am - 12:00pm PDT
Stage 1

11:00am PDT

Hiding In The Clouds: How Attackers Can Use Applications Consent for Sustained Persistence and How To Find It
Applications are modernizing. With that, the way permissions for these applications are granted are also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don’t understand how these work and where to look. What’s the difference if an application has permissions or an application has delegated permissions? Why did that admin account consent to that application, should I be worried? Is that application overprivileged? I have thousands of apps, how do I account for this? In this session we will look to demystify and bring clarity to these questions. You’ll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like and finally, how to find them in your environment.

Speakers
avatar for Mark Morowczynski

Mark Morowczynski

Principal Program Manager, Microsoft
Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. Previously he was Premier Field Engineer supporting Active... Read More →
avatar for Bailey Bercik

Bailey Bercik

Microsoft, Speaker
Bailey Bercik (@baileybercik on Twitter) is a Program Manager in the customer facing arm of the Identity Engineering division at Microsoft. As part of the “Get-To-Production” team, she acts as a trusted advisor to Fortune 500 enterprises deploying Azure Active Directory. She's... Read More →


Saturday August 22, 2020 11:00am - 12:00pm PDT
Stage 2

12:00pm PDT

Offensive GraphQL API Exploitation
Nowadays, the GraphQL technology is used by some of the big tech giants like Facebook, GitHub, Pinterest, Twitter, HackerOne. The main reason behind that is that GraphQL gives enormous power to clients.
But, with great power come great responsibilities. Since developers are in charge of implementing access control and other security measures, applications are prone to classical web application vulnerabilities like Broken Access Controls, Insecure Direct Object References, Cross Site Scripting (XSS) and Classic Injection Bugs. This talk will be explaining the common security impacts faced while using the Graphql APIs and how an attacker makes use of it to attack the underlying infrastructure and ex-filtrate sensitive data from an organisation.


Speakers
avatar for Arun S

Arun S

Senior Security Consultant, IBM India Software Labs
Arun works as a Senior Security Consultant @ IBM India Software Labs, with more than 6 years of experience. He is a chapter leader for the null open source security community in Bangalore,  also conducted training and workshops at c0c0n and BSides Delhi security conferences.Arun... Read More →


Saturday August 22, 2020 12:00pm - 12:45pm PDT
Red Team Village Booth

12:00pm PDT

BlueZ Cluez: Getting to Know the Linux Bluetooth Protocol Stack


There are many opportunities to learn about various protocols through the Internet of Things. One such protocol, Bluetooth, is a wireless protocol used for communicating data between devices from 2.400 to 2.485 GHz over short distances. This presentation introduces Bluez, a Bluetooth stack available in Linux, as a tool that researchers can utilize to study the protocol and identify potential vulnerabilities between devices exchanging data. In this case, we will leverage BlueZ and its features to control a light bulb. The presentation intends to cover the set-up and installation of pertinent tools in order to scan, identify devices, connect with the targeted device, and change the light bulb’s LED color. Audience members will walk away with a solid foundation of BlueZ and how to interact its tools to scan, connect, and tinker with devices.



Speakers
avatar for Ria Baldevia

Ria Baldevia

King's College London, Speaker
Ria Baldevia is a student at King's College London pursuing her PhD in digital humanities.


Saturday August 22, 2020 12:00pm - 1:00pm PDT
Stage 1

12:00pm PDT

Women in Threat Intelligence - from on the ground to in the cloud
Introduction: A brief history of female intelligence operatives and cyber threat intelligence leaders from all over the world and a challenge to the audience to keep these key points in mind for discussion after the presentation:
  1. As you honor the contributions of the threat intelligence experts in this overview, keep mental notes of how they embraced traditional and nontraditional masculine and feminine traits to accomplish their mission.
  2. Challenge yourself to check thoughts of bias, social conditioning and the temptation to judge based on very limited information about the individuals being portrayed.
  3. At the end of this presentation, we will discuss the power of diversity and equanimity in a world class Threat Intelligence Team.
Female Intelligence Operatives and Leaders
State of Affairs - statistics about women in senior leader positions and what we can do to continue to improve the odds of women being successful in threat intelligence and cyber security
  • Recruiting efforts to reduce bias in job descriptions, necessary skills, education, certifications, "right fit", etc.
  • Number of female CEOs, CISOs
  • Number of women on boards of directors - certification courses to help you prepare
Answering the call is critical, even if you don’t see the path to your intended outcome.
  • Disaster medicine - fraud (benefits of being a female firefighter)
  • 911 Commission - we brought teams together to correlate intelligence and investigations in very creative ways
  • Combating botnets and nation state attacks at a global level
  • Sim Swap cases - information sharing across industry and sectors
Building a world-class threat intelligence program 
  • Training teams to challenge outcomes, grow, learn, reduce and be aware of bias
  • Partnering with key stakeholders inside and outside the company
  • Presenting to senior leadership and the CISO Advisory Board
  • Laying the foundation for diversity, inclusion and bringing people from underrepresented populations into the field through mentorship, training, networking, hiring


Speakers
avatar for Jodie Ryan

Jodie Ryan

Sr. Manager Threat Intel & Countermeasures, Speaker
Jodie Ryan is a Sr. Manager of Threat Operations at Verizon Media. Her teams of Cyber Threat Intelligence Analysts and Countermeasures Engineers produce custom detections and threat advisories to lead intelligence-driven mitigation efforts across all Verizon Media properties such... Read More →


Saturday August 22, 2020 12:00pm - 1:00pm PDT
Stage 2

12:00pm PDT

So, I Made A Microdot
Microdots have a long and storied history in the transfer of information over obscured channels. In the same family of invisible inks and stenganography, microdots were the OG side channel attack and were used to great effect throughout the cold war.
But the advent of more modern methods of data storage and transfer have rendered film microdots obsolete. In this talk, I discuss the technical concepts behind how I made the microdot, and a modern twist on microdot methodology to bridge the gap between analog and digital microdot creation and use.
  1. Here's a rough outline:
  2. Introduction - 2 min
  3. What is a microdot? - 2 min
  4. History of the microdot - 2 min
  5. methodology overview - 2 min
  6. 1-step method - 7 min
  7. 2-step method - 7 min
  8. analog/digital hybrid - 5 min
  9. Operational security considerations - 3 min
  10. Challenges - 3 min
  11. wrap-up & questions - 7 min

Speakers
avatar for Emily Crose

Emily Crose

n/a, Speaker
Emily Crose has been working in the field of information security for over 10 years. Previously she has worked at the CIA, NSA, and US Army INSCOM. In her free time, she runs the Hacking History project and co-authors The Teletypist.



Saturday August 22, 2020 12:00pm - 1:00pm PDT
Stage 3

12:00pm PDT

Arduino coding using the bread board or soldered badge
We’ll go through the basics of writing an Arduino sketch using the basic commands of DigitalWrite, Delay, and DigitalRead, as well as recycling code using Objects and loops.

Speakers

Saturday August 22, 2020 12:00pm - 1:30pm PDT
Village Workshops

1:00pm PDT

Internal Red Team Operations Framework - Building your practical internal Red Team
This talk is about building a practical internal red team. This is not an easy task. For organizations, it is essential to have an internal offensive team to continuously perform adversarial simulation to strengthen the security posture and enhance blue team capabilities. Many variables needs to be taken care of before going forward with such an initiative. Most important thing would be assessing the progress and maturity of the red team building process.

Explains various steps to create an internal offensive team/red team from scratch and increasing the capabilities gradually on different phases. This talk introduces a proven way of building internal offensive teams, Internal Red Team Operations Framework. (IRTOF)



Saturday August 22, 2020 1:00pm - 1:45pm PDT
Red Team Village Booth

1:00pm PDT

Carnegie Mellon University's (CMU) Information Networking Institute (INI) LIVE Q&A
Thinking about going to graduate school for computer science, electrical and computer engineering or information technology?

Carnegie Mellon University's (CMU) Information Networking Institute (INI) is attending the The Diana Initiative Virtual Conference on Aug 21-22, 2020 and we want to meet you!

Connect live and hear about our programs, career outcomes and admission criteria:
  • Information Sessions -
        Aug 21 and 22 at 2 p.m. EDT
  • INI Admissions will be on hand for LIVE Q&A
        Aug 21-22 at 4:00 p.m. and  6:00 p.m. EDT
  • Available to chat during the duration of the conference

Visit our virtual booth to learn more about the INI's four master's degrees in information networking, security and mobile and IoT engineering.

We are a department within CMU's highly-ranked College of Engineering. At the INI, you can customize a technical computer science and engineering curriculum to explore your interests, such as human-computer interaction, cybersecurity, operating systems, embedded systems, cloud computing, big data analytics, smart cars and more.

Saturday August 22, 2020 1:00pm - 2:00pm PDT
Expo Hall - CMU Booth

1:00pm PDT

Automating Threat Hunting on the Dark Web and other nitty-gritty things
What's the hype with the dark web? Why are security researchers focusing more on the dark web? How to perform threat hunting on the dark web? Can it be automated? If you are curious about the answers to these questions, then this talk is for you. Dark web hosts several sites where criminals buy, sell, and trade goods and services like drugs, weapons, exploits, etc. Hunting on the dark web can help identify, profile, and mitigate any organization risks if done timely and appropriately. This is why threat intelligence obtained from the dark web can be crucial for any organization. In this presentation, you will learn why threat hunting on the dark web is necessary, different methodologies to perform hunting, the process after hunting, and how hunted data is analyzed. The main focus of this talk will be automating the threat hunting on the dark web. You will also get to know what operational security (OpSec) is and why it is essential while performing hunting on the dark web and how you can employ it in your daily life.

Speakers
avatar for Apurv Singh Gautam

Apurv Singh Gautam

Georgia Institute of Technology, Georgia Institute of Technology
Apurv Singh Gautam is pursuing his Master's in Cybersecurity from Georgia Tech. He commenced work in Threat Intel/Hunting 2 years ago. He worked on hunting threats from both clear web and dark web throughout his professional career and is also involved in performing HUMINT on the... Read More →


Saturday August 22, 2020 1:00pm - 2:00pm PDT
Stage 1

1:00pm PDT

Unmasking the Avengers: Shifting Roles of Facial Recognition
Your voice may be your password, but what happens when it’s your face and there’s a data breach or the data is wrong? What happens to your privacy and security when all of the data is right?

No longer solely for use by protestors or comic book characters, facial recognition algorithms are racing to adjust for the increased use of facial masks in public. Caught up between protests and COVID19 are cellular data and biometric data sets, shared with and utilized by law enforcement in often unintended ways. A growing number of public/private partnerships are providing law enforcement access to large data pools. Information that in some cases is incorrect. We’ll take a deeper dive into how privately collected location sharing and facial recognition data is being increasingly leveraged by government and law enforcement.

Speakers
avatar for Elizabeth Wharton

Elizabeth Wharton

SCYTHE, Speaker
Elizabeth (Liz) Wharton is a technology-focused business and public policy attorney who has advised researchers, startups, and policymakers at the federal, state, and local level. She is the Chief of Staff at SCYTHE as well as a member of the Technology & Innovation Council with Business... Read More →
avatar for Suchismita Pahi

Suchismita Pahi

Rally Health, Inc., Speaker
Suchi Pahi is a data privacy and cybersecurity lawyer who has spent the last six years assisting clients in setting up their cybersecurity programs, incident response plans, and data privacy approaches both in regulated and mostly unregulated spaces. She loves to talk about data protection... Read More →


Saturday August 22, 2020 1:00pm - 2:00pm PDT
Stage 2

1:00pm PDT

Getting Paid Like a Boss
Described as the "talk I wish I had when I was starting out", come get all your compensation questions answered. When you are comparing job offers or a raise, what does everything like "Total Compensation" really mean? When they are offering equity, stocks, restricted stock, stock options, or talking about their employee stock purchase plan, what does that mean to you? When do you get those stocks? Do you have to pay for them? Are they guaranteed? What's vesting mean anyway? Do you know how to negotiate multiple offers and make sure you're getting paid for your experience? Learn all about the basics (and where to do more research) on all the terms that might get tossed your way. You'll be in a better position to understand, research, and negotiate all the bells and whistles that come with tech job offers.

Speakers
avatar for Tracie Martin

Tracie Martin

Founder, DefendCon
Tracie Martin founded and runs DefendCon, a technical security conference for women and other underrepresented genders in security. She is passionate about advocating for more underrepresented genders in technical security roles. She has been in the security community for over 20... Read More →


Saturday August 22, 2020 1:00pm - 2:00pm PDT
Stage 3

2:00pm PDT

Cyber Performance and Risk Quantification: Enabling Security Decision Makers
Abstract
Cyber risk has graduated from a being a non-traditional risk to a mainstream risk that underpins major organizational capabilities. Security personnel – spread across the spectrum from operations to the echelons at the C-suite are faced with the juxtaposition of risk and reward in a technology enabled world.
In this talk we explore, what makes the task of taking prudent decisions to secure technology and reduce cyber risk arduous. We also discuss the need to diversify cognitive intellect (gender, race, culture etc.) that drives cyber risk mitigation and how effective quantification techniques can strengthen decision making in the security realm.
Elemental and strategic decisions are often taken based on experience and not quantitative data-driven analysis. In instances where decisions are taken to proactively mitigate risk, it is often inevitable to reflect and wonder if resources were overspent on a threat that may never have materialized. After all, in the world of security the absence of certain outcomes is a measure of success.
The inherent challenge in security decision making is often exacerbated with a plethora of unstructured and irrelevant data. The quantification of cyber risk is a supplemental and essential part of the security decision-making dialogue. At the lowest level cyber performance quantification allows first line defenders to track effectiveness of activities across the board. At an Executive level, quantification allows for prudent allocation of resource and intellect to bolster organizational defensive capabilities.
Detail Outline 
  • Introduction [2 mins]
    • Background and experience
    • Why cyber quantification matters?
  • The decision maker’s dilemma [6 mins]
    • The security decision chain hierarchy
    • Data Fatigue
    • Decision inertia
    • The hindsight bias: Anticipating the known
    • Paradox of risk versus unknown or insufficient reward
  • Cognitive diversity in decision making [3 mins]
    • Role of diversity in leveraging / mitigating risk
    • Role of diversity in reacting to risk
    • Role of intellectual diversity in prioritizing security decisions
  • The makings of robust quantification [6 mins]
    • Quantification models
    • Active engagement
    • Consequence modeling
    • Contextualization of intelligence
    • Nudge theory
  • Benefits and parting words [3 mins]
    • Enabling deliberate decision making
    • Increasing accountability
    • Increasing situational and consequence awareness

Speakers
avatar for Mysore Shruthi

Mysore Shruthi

Speaker
Mysore Shruthi is a Senior Cyber Risk Advisory Consultant. Her primary focus is on helping organizations gain data-driven transparency into security performance while managing cyber risk. Having lived in four countries, she brings her global perspectives on cyber risk decision science... Read More →


Saturday August 22, 2020 2:00pm - 2:30pm PDT
Stage 1

2:00pm PDT

How To See Your Own Perception Bias
Updated Title: "What I Learned About Bias From Crossing the Gender Divide"

Five years ago my career was skyrocketting upwards, but that changed when I brought my gender expression inline with my gender identity. As a result of transitioning, I experienced a shift in bias that no one could have prepared me for -- but it's not what you're thinking. In the two years that followed, I received over 30 rejections for roles and levels that I had previously held. I anticipated that I would run into stereotypes and negative bias, but the most surprising change in bias was internal.

Years of practicing meditation gave me a direct awareness that our perceptions are coloured by our past experiences, but as this body's hormones changed, so too did my own perception of the world! The interplay between memory and sensation, which occurs continually in each of us, is known as "perception bias", and I have some news for you: we're all biased -- and that's OK.  

 What matters is what we do with it.


Speakers
avatar for Aeva Black

Aeva Black

Open Source Program Manager, Microsoft
Aeva Black is a queer geek and lifelong student of the dharma, a Linux user since the mid '90s, and has been an advocate for Open Source since 2003. They pioneered the creation of the OpenStack Bare Metal Cloud project while working at HPE, and have contributed to projects such as... Read More →


Saturday August 22, 2020 2:00pm - 2:30pm PDT
Stage 2

2:00pm PDT

Breaking into Cybersecurity or Increasing Your Knowledge For Free (or Close to It)
Are you trying to break into Cybersecurity? Let me share with you creative ideas to fund your cybersecurity quest for knowledge and advance your career. There are many resources to help you gain the skills you need to get a job in cybersecurity or to keep your existing skills sharp or develop new skills. Take advantage of the opportunities you have as a woman and/or a minority because the cybersecurity industry needs diversity and your talents are needed and in demand. Let’s help you remove some of the obstacles to achieving your cybersecurity goals and dreams.

Speakers


Saturday August 22, 2020 2:00pm - 2:30pm PDT
Stage 3

2:30pm PDT

Election Security 101
Election security in the United States is one of the most complex and difficult cybersecurity challenges facing our country today. Outdated and vulnerable equipment, chronic underfunding, untrained personnel, and a bewildering diversity of jurisdictions and laws are only the beginning of the problems the country faces going into the 2020 election cycle, and experts agree that little to nothing has been done to solve them. All of this in addition to the struggles the country faces with the onslaught of COVID-19. 
In 2017, the DEF CON Voting Machine Hacking Village was convened by myself and my fellow organizers, Matt Blaze, Harri Hursti, and Jake Braun. Together, we opened up the previously restricted voting machinery for public, good-faith hacking efforts to explore and educate the security challenges inherent in these machines. In my talk, I will be giving an overview of the overall state of the industry for election security in the U.S. going back to the 2000 Florida recount. Among the topics, I’ll be addressing are how the industry got to its current state, what we can do to improve it, and the individual findings of the three DEF CON Voting Machine Hacking Village reports released since 2017. Our findings have also been featured in a newly released HBO documentary, "Kill Chain".

Speakers
avatar for Maggie MacAlpine

Maggie MacAlpine

Nordic Innovation Labs / DEF CON Voting Village, Speaker
Maggie MacAlpine is an election security specialist and one of the co-founders of the DEF CON Voting Machine Hacking Village. Over the course of ten years spent in the election security field, MacAlpine has been a contributing researcher on the “Security Analysis of the Estonian... Read More →


Saturday August 22, 2020 2:30pm - 3:00pm PDT
Stage 1

2:30pm PDT

Bug Bounty Craze
Bug bounty has been a long time craze, and becoming a necessity to keeping organizations safe by crowd sourcing their security. As the demand increases, the supply needs to increase as well. However, getting into the bug bounty space can be tricky and hard to start. This talk approaches the history of bug bounty, the current legal landscape, and the next steps for bug hunting, including how to get started and which tools to use.

Speakers
avatar for Chloe Messdaghi

Chloe Messdaghi

VP of Strategy, Point3 Security
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is an ethical hacker advocate who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights. She... Read More →


Saturday August 22, 2020 2:30pm - 3:00pm PDT
Stage 2

2:30pm PDT

7 Tips for Women To Get To the Top in Technology
Learn how to boost your career in the technology industry as a woman in a male dominated workplace.
Listen to my story as a female leader in Tech and discover some simple steps you can take today to fast-track your career in IT; find out what concrete actions you can implement today to boost your own career in Tech; 

Speakers
avatar for Perrine Farque

Perrine Farque

Diversity consultant in Tech, Inspired Human
Perrine Farque is an award-winning diversity consultant in Tech who was nominated in the Top 50 Most Influential Women in UK Tech. Perrine drove the strategy at Tech companies including Facebook, PagerDuty, Pivotal, Nlyte Software and AvePoint for over a decade. During her career... Read More →


Saturday August 22, 2020 2:30pm - 3:00pm PDT
Stage 3

3:00pm PDT

Carnegie Mellon University's (CMU) Information Networking Institute (INI) LIVE Q&A
Thinking about going to graduate school for computer science, electrical and computer engineering or information technology?

Carnegie Mellon University's (CMU) Information Networking Institute (INI) is attending the The Diana Initiative Virtual Conference on Aug 21-22, 2020 and we want to meet you!

Connect live and hear about our programs, career outcomes and admission criteria:
  • Information Sessions -
        Aug 21 and 22 at 2 p.m. EDT
  • INI Admissions will be on hand for LIVE Q&A
        Aug 21-22 at 4:00 p.m. and  6:00 p.m. EDT
  • Available to chat during the duration of the conference
Visit our virtual booth to learn more about the INI's four master's degrees in information networking, security and mobile and IoT engineering.

We are a department within CMU's highly-ranked College of Engineering. At the INI, you can customize a technical computer science and engineering curriculum to explore your interests, such as human-computer interaction, cybersecurity, operating systems, embedded systems, cloud computing, big data analytics, smart cars and more.

Saturday August 22, 2020 3:00pm - 4:00pm PDT
Expo Hall - CMU Booth

3:00pm PDT

Digital Forensics and Data Finding
New technologies help us be more productive by remembering what we've done, where we've been, what files we've opened, people we've contacted, and things we didn't even know we wanted help remembering.

By identifying what artifacts are left behind by technologies we use and create, we can better control our own information and that of our users. This talk presents digital forensics and the world of the endpoint device.

How can we tell what breadcrumbs are left by doing everyday tasks on our computers and cell phones?

How effective can users be at clearing their tracks and deleting evidence of what they've done?

In this introductory level talk, the field of digital forensics (DFIR) will be introduced. Attendees will learn about the kinds of data that can be recovered on computers and cell phones by digital forensic examiners.

Speakers
avatar for Lodrina Cherne

Lodrina Cherne

Principal Security Advocate, Cybereason
Lodrina Cherne is Principal Security Advocate at Cybereason + a DFIR instructor at SANS. Ask her how to fight for people wrongly impacted by tech.


Saturday August 22, 2020 3:00pm - 4:00pm PDT
Stage 1

3:00pm PDT

The Bug Hunter’s Methodology v4: Reconnaissance
The Bug Hunter’s Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. This version explores both common and lesser known techniques to find assets for a target. The topics discussed will look at finding a targets main seed domains, subdomains, IP space, and discuss cutting edge tools and automation for each topic. By the end of this session a bug hunter or red team we will be able to discover and multiply thier attack surface. We also discuss several vulnerabilities and misconfigurations related to the recon phase of assessment.

See slides here: https://docs.google.com/presentation/d/1HHzkmREYNGLAT8UY_nnNgG7yJFuaR9tj_UaahF92oqw/edit

Speakers
avatar for Jason Haddix

Jason Haddix

Director, Speaker
Father, hacker, educator, gamer, & nerd.  I am passionate about information security. Not only is security my career focus but it’s my hobby. I absolutely love my job.In my previous role as Director of Penetration Testing I led efforts on matters of information security consulting... Read More →


Saturday August 22, 2020 3:00pm - 4:00pm PDT
Stage 2

3:00pm PDT

There were NO REFRESHMENTS at the Networking Event...Tales of a Clueless First Year Cybersecurity Student
In 2018, Marylyn Harris started as a "Clueless" Cybersecurity Student. A Registered Nurse, U.S. Army Veteran and Social Entrepreneur, Ms. Harris boldly decided to pivot her twenty year healthcare career to Cybersecurity. During this session, Ms. Harris will share her experiences and "lessons learned" during her career pivot to Cybersecurity.  Resources to start, grow and fund a Cybersecurity education, career and business will be discussed.
 
The session will highlight:


- Knowing Yourself 
- Articulating your Value Proposition
- Locating Powerful Resources
- Learn the Cybersecurity Ecosystem and Landscape


Ms. Harris will provide a sheet of Resources to ALL participants.

Speakers
avatar for Marylyn Harris

Marylyn Harris

IT Security, Harrland Healthcare Consulting LLC
Marylyn Harris is a former U.S. Army Nurse, Gulf War Veteran and Social Entrepreneur that pivoted her career to Healthcare Cybersecurity in 2018. Ms. Harris began her Information Technology (IT) studies by entering a five (5) day CompTia Network+ Bootcamp and dropped out on the morning... Read More →


Saturday August 22, 2020 3:00pm - 4:00pm PDT
Stage 3

4:30pm PDT

Gatekeeping, Gaslighting & Grieving: Excelling Despite The Ugly Phases of Your Security Development Life Cycle
This talk will apply a common SDLC model to career development: Planning, Threat Modeling, Testing, Deployment, and Maintenance. Our peers can typically use this 5-step model throughout their careers with no roadblocks. However, women are often suffering in silence through 3 extra unspoken phases in our security development life cycle: gatekeeping, gaslighting, and grieving.
Also overlooked: Black women and sisters of color face unique barriers to career success. Diversity efforts are often not intersectional, network access controls are designed to keep us out, and our threat models are different from industry peers.
This keynote will use the SDLC model to bring these vulnerabilities to the forefront. The audience will leave empowered with strategies to help them excel despite the ugly phases of the career life cycle. The speaker will also talk openly about money, a conversation that is long overdue.

Speakers
avatar for Keirsten	Brager

Keirsten Brager

Sr. Security Consultant/NERC-CIP SME, Closing Keynote Speaker
Keirsten Brager is a Sr. Security Consultant/NERC-CIP SME in critical infrastructure and was recently named one of Dark Reading’s top women in security quietly changing the game. She is also the author Secure The InfoSec Bag: Six Figure Career Guide for Women in Security. She produced this resource to help women strategically plan their careers, diversify their incomes, and fire bad bosses. Keirsten holds a M.S. in Cybersecurity and several industry certifications, including GICSP & CISSP. As an active member of the Houston security community, Mrs. Brager has participated in a number of panels and public speaking engagements promoting strategies for success. In her free time, she loves sharing career advice, studying Black history, and convincing women not to quit the industry... Read More →


Saturday August 22, 2020 4:30pm - 5:30pm PDT
Stage 1

5:30pm PDT

Closing Remarks
Speakers
avatar for Nicole Schwartz

Nicole Schwartz

Product Manager, Secure Composition Analysis - GitLab, Speaker
Nicole Schwartz (@CircuitSwan) is a Product Manager for the GitLab Secure team. In her career, she has been in Product, System Administration, and Agile coaching. Before her career ever started she was a Hacker. When she isn’t working, she volunteers at and attends conventions (you... Read More →


Saturday August 22, 2020 5:30pm - 6:00pm PDT
Stage 1

6:00pm PDT

Social Hour
Come on in to the "Networking" area and you will get randomly paired with another person for a chat.

We recommend bringing a drink, a snack, and recreating hallwaycon / quiet party!

Saturday August 22, 2020 6:00pm - 7:00pm PDT
Networking Area
 
  • Timezone
  • Filter By Date The Diana Initiative 2020 Aug 21-22, 2020
  • Filter By Venue Virtual Conference
  • Filter By Type
  • Expo Hall
  • Keynote
  • Social
  • Talk - Red Team Village
  • Talk Track1
  • Talk Track2
  • Talk Track3
  • Talk Track4
  • Village Workshop