Dwayne McDaniel for GitGuardian

Originally published at blog.gitguardian.com

Cybersecurity Learning Across Sectors - How ICCWS Brings Academics, Government, And Private Companies Together

Note: Dev.to will not allow full reporting of this event due to their rule of "You cannot mention more than 8 users in a post!" Please read the full article on the GitGuardian blog.

When you think of Baltimore, Maryland, you might immediately think of The Ravens, Edgar Allan Poe, or Old Bay Seasoning. Moving forward, I will always associate "BMore" (as the locals call it) with improved security across the public and private sectors, thanks to participating in the 18th International Conference on Cyber Warfare and Security, ICCWS, which happened March 9th and 10th, 2023, at Towson University, in the heart of Baltimore County.

This unique event brings together academics, military professionals, government agencies, and professionals from all around the security world to discuss their research findings and the state of cybersecurity. All the sessions I attended were very informative, and I will be summarizing a few in this post, but the best part of this event was the lively hallway conversations and connections that were made. It is hard to imagine another event where Ph.D. candidates, developer advocates, and intelligence agency officers would get to share thoughts on the future of cyber threats while sharing a meal.

While there were a lot of different subjects covered in the 2 days of sessions, there were some themes that popped up across multiple talks.

Zero Trust

Most everyone working in security and DevOps by now is familiar with the notion of Zero Trust, the approach that denies all access by default. We apply this in practice by implementing "the principle of least privilege," granting only enough access to let people and non-human entities get their work done and no more. In his talk "Can Zero Trust Restore Our Ailing Trust?" Justin Fanelli, Technical Director, Dept of Navy PEO Digital and Georgetown University, argues that for a lot of the industry, Zero Trust is just a buzzword at the moment, albeit the "Beatles of our current jargon."

He argued that the public sector is lagging behind in adopting Zero Trust. In the private sector, teams have done a better job aligning the business value of Zero Trust to improved performance, which has really driven adoption. He shared that his efforts to get the first Zero Trust architecture adopted in his agency required coordinated input from the Dept of the Navy, the White House, and the Department of Defense. The slower nature of bureaucracies means that the value of a new approach can easily be overshadowed by the effort required to make change happen.

In his story, what made it work was the persistent story he was able to tell about performance improvements, which the private sector easily demonstrates. He stressed the importance of events like ICCWS, which connects us all to drive these narratives.

He also said there is a real opportunity right now to move the conversation from cybersecurity being the defender of legacy systems to the creator of new future-looking systems, to be the "heroes" tech needs. But this requires us to strive for better outcomes and not underestimate the power storytelling has to change the world.

While everyone I talked to at the conference agreed that Zero Trust is part of the path forward, John Hurley from the Office of the Director of National Intelligence, ODNI, laid out the argument that more is needed in his talk "Zero Trust is not Enough: Mitigating Data Repository Breaches." He started out agreeing that the move from a 'trust, but verify' model to a 'verify, then trust' model has been an important step in national cybersecurity but went on to state that for a lot of applications, there has not been adequate thought given to areas like edge computing and the hybrid models of on-prem + cloud, especially while migrations are ongoing.

He laid out the benefits of leveraging a pull-based model for architecture, similar to the model we use for git-based workflows. In a software development workflow, there are multiple opportunities to reauthenticate as the code moves through the pull request flow and CI/CD pipelines. It is straightforward to ensure that only truly authorized people can do certain steps in such a stepped system. The issue right now, for some applications, is that the pattern has been to authenticate once and then allow access rights from that point on, because the caller is already trusted within the system. Thinking in terms of 'per request' authentication can help us go a step further in making sure our systems are secure throughout.
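The contrast described above, as an added example that is not from the talk or the original post: a session that authenticates once keeps working after expiry, after revocation, and for steps the role should not perform, while a per-request gate re-verifies the caller and the step every time. The key, TTL, roles, step names and function names are all assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed key, for this example only
TOKEN_TTL = 300                    # assumed token lifetime in seconds
# Hypothetical policy: which role may perform which pipeline step.
POLICY = {"open_pr": {"dev", "maintainer"}, "merge": {"maintainer"}, "deploy": {"release"}}
REVOKED = set()                    # users whose access has been withdrawn


def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user, role, now):
    """Sign user, role and issue time so each later request can be re-verified."""
    body = f"{user}|{role}|{int(now)}"
    return f"{body}|{_sign(body)}"


def verify(token, now):
    """Return (user, role) if signature, age and revocation checks pass, else None."""
    try:
        user, role, issued, sig = token.split("|")
    except ValueError:
        return None
    expected = _sign(f"{user}|{role}|{issued}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                # tampered or forged token
    if not issued.isdigit() or now - int(issued) > TOKEN_TTL or user in REVOKED:
        return None                # malformed, expired, or revoked
    return user, role


class AuthenticateOnce:
    """Weak pattern: verify at login, then trust the session for every step."""

    def __init__(self, token, now):
        self.identity = verify(token, now)

    def perform(self, step, now):
        # No re-check of token age, revocation, or role against the step.
        return self.identity is not None


def per_request(token, step, now):
    """Pull-request-style gate: re-verify the caller and the step on each request."""
    identity = verify(token, now)
    return identity is not None and identity[1] in POLICY.get(step, set())
```
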

Blockchain and CyberScams

Cyber warfare is not just being waged between state actors in military server rooms requiring a security clearance. It is being carried out against all of us in the form of cybercrime. One recurring technology that came up in multiple talks about cybercriminals was blockchain.

In his session "An Analysis of Crypto Scams during the Covid-19 Pandemic: 2020-2022," researcher Johnny Botha from the University of South Africa walked the attendees through several of the most common scams involving cryptocurrency in the last couple of years. He shared real-world examples while explaining the nature of each scam and what signs to be on the lookout for.

The top scams uncovered by his team's research included:

  1. Giveaway scams - Someone impersonating a rich celebrity offering 'send me 1 Bitcoin and I will send you back 5 coins'.

  2. Rug Pull scams - Criminals make fake websites and initial coin offerings, ICOs, attracting investors, then simply run away with the money. Sometimes this process can take months, referred to as a "slow rug pull." Here, things might seem like they just went wrong on their own, leaving the victim to feel like it was just bad timing rather than that a crime has occurred.

  3. Phishing scams - Targeted emails and fake websites lure victims into giving up their crypto wallet logins.

  4. Ponzi schemes - Everyone is told if they can add just a few more members below them in the investment, then everyone will get paid. Only the originators of these scams make any money, and these scams are illegal throughout the world.

  5. Pump and Dump - Criminal gangs use private channels like Telegraph to manipulate the prices of specific crypto coins, cashing in when the rush happens and leaving the investors with worthless assets.

Unfortunately, cyber scams are big business, raking in over $62 billion in 2022 alone. While it is unlikely that cybercriminals will make fewer attempts to steal moving ahead, we can do a lot by helping people stay aware of the dangers. We can keep ourselves safe by staying skeptical of anything that seems too good to be true and remembering, as Johnny put it, "there is no such thing as free money!"

While the state of crypto scams might seem dour, there is some good news on the law enforcement front. For years most cybercriminals have acted under the belief that cryptocurrency is virtually untraceable. The truth is, according to Saminu Salisu, founder of Bilic, blockchain might be the most traceable currency out there.

In his session "Blockchain Forensics: A Modern Approach to Investigating CyberCrime in the Age of Decentralisation," he presented the findings of his joint research with the Vienna University of Technology. They were able to successfully deanonymize transactions for 47 different cryptocurrencies, even if the coins were passed through 'tumblers', systems designed to obfuscate the origins or destinations of the transactions.

This is very good news as the world continues to embrace blockchain-based currency at an ever-growing rate. The stakes are very high, as Saminu shared that about $18 Trillion USD is transferred annually through cryptocurrency. To put that in perspective, the global annual transactions processed through Visa total $14 Trillion, and Mastercard totals $7 Trillion, both of which have rigorous policies and security in place to protect your assets. Hopefully, similar research in law enforcement means we can all stay a little safer in the future, no matter how we choose to store and transfer our funds.

A True Global Community experience

Talking with the participants, it became clear this is a very special event that is looked forward to by folks in academia, as well as government agencies and security folks from the private sector. I had not experienced an event that cut across so many industry verticals before. The level of sharing was amazing, with every presenter fully engaged and very open to feedback.

I was even able to give some feedback that directly impacted the work of a Ph.D. student who is researching the security of health records. Part of her future research involved creating and maintaining honeypots, but she was worried about the costs and finding a healthcare partner that would grant her the needed network access to implement one. I was able to explain that the lighter-weight approach of honeytokens would still serve her needs but not require nearly the overhead, expense, or network access. Honeytokens are a great way to detect unwanted access to all manner of systems. Hopefully, her research will lead to safer healthcare records for us all.

I was very honored to be a speaker at the event myself. I was able to share my love of DevSecOps and knowledge of navigating OWASP offerings through 2 different presentations. In my newest talk, "Scaling Security: What Shifting Left Was Supposed To Mean," I was able to show that the core lessons of DevOps, such as testing earlier, dividing work into more manageable chunks, and enabling continual tight feedback loops, are ideals security teams need to embrace so they can be involved earlier in the software development lifecycle.

Next year's event will be in person in Johannesburg, South Africa. I might not get to make it that far to attend, but fortunately, there will be a virtual track as well, so everyone around the world can attend this truly unique event!
