Hyatt Regency Louisville 311 South 4th Street Louisville, Kentucky, USA, 40202


2017 Keynote Speakers

David Kennedy

Founder; TrustedSec, Binary Defense Systems and DerbyCon

ISC2 Board of Directors

David Kennedy is founder of TrustedSec and Binary Defense Systems.  Both organizations focus on the betterment of the security industry from an offense and a defense perspective.  David also serves as a board of director for the ISC2 organization. David was the former CSO for a Diebold Incorporated where he ran the entire INFOSEC program.  David is a co-author of the book “Metasploit:  The Penetration Testers Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, and several popular open source tools.  David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News.  David is the co-host of the social-engineer podcast and on several additional podcasts.  David has testified in front of Congress on two occasions on the security around government websites.  David is one of the founding authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. David is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky.  Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.

Building an Infrastructure to Withstand

Description: As an attacker, there are certain things that I will go after that should never be seen in a network. Building multiple layers of defense is nothing new, however there are key ways to identify and respond to attackers that minimize damage to the enterprise. This presentation will focus on both detection and deception techniques that any organization can implement in order to create a withstanding infrastructure as well as fake infrastructure that attackers will use in order to identify them in the early stages of an attack. Deception techniques are interesting, because it really needs to be believable for an attacker to go after them. This presentation talks about different techniques that make it hard for an attacker to differentiate with what’s real and what’s not, and how to best build better defenses.

* Learn protection, detection, and deception techniques in order to identify early warning attacks.

* Methods for building advanced detection in organizations that go beyond signatures.

* Ability to model an infrastructure on being able to withstand and detect attacks.


Kenneth White

Director of the Open Crypto Audit Project (OCAP)

Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), recently completed a large-scale audit of OpenSSL on behalf of the Linux Foundation’s Core Infrastructure Initiative. Previously, White was Principal Scientist at Washington DC-based Social & Scientific Systems where he led the engineering team that designed and ran global operations and security for the largest clinical trial network in the world, with research centers in over 100 countries. White co-founded CBX Group which provides security services to major organizations including World Health, UNICEF, Doctors without Borders, the US State Department, and BAO Systems. Together with Matthew Green, White co-founded the TrueCrypt audit project, a community-driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software.

White holds a Masters from Harvard and is a PhD candidate in neuroscience and cognitive science, with applied research in real-time classification and machine learning. His work on network security and forensics and been cited by media including the Wall Street Journal, Forbes, Reuters, Wired and Nature. White is a technical reviewer for the Software Engineering Institute, and publishes and speaks frequently on computational modeling, security engineering, and trust. He tweets @kennwhite.


Lunch Sponsor Speaker

Alan Swanke

Senior Sales Engineer with Thales e-Security

Alan is responsible for promoting the company’s cutting-edge security solutions. His broad business experience includes over thirty years of focusing on enterprise information technology solutions with extensive vendor experience at Gandalf Data, SynOptics Communications/Bay Networks/Nortel Networks, HP/EDS, Network Instruments, VCE and Viavi Solutions.  Alan also served as an adjunct faculty member at Northwestern University’s McCormick School of Engineering and Applied Science.  Alan has a Masters of Information Technology from Northwestern University and a Bachelor of Science in Business, Industry and Communication from the University of Wisconsin, Platteville.


Breakout Speakers

Technical Track

TJ Adams, Privileged Account Management: A Sprint Approach

Through sixteen years in information technology and nine focused on information security, TJ Adams has become a trusted advisor for companies throughout the country. At CyberArk, TJ has spent the last 4 years focused on building privilege account programs with enterprises of all sizes. TJ holds the CISSP certification and is GIAC certified in Windows, Incident Handling, Intrusion Analysis and Penetration Testing.

The session will cover best practices for the management of privileged accounts and why managing these credentials is a critical aspect in any layered security strategy. Finally, I will offer a sprint methodology for quickly reducing the risk of privilege misuse in an environment.

Jeremy Druin, Learning Crypto By Doing It Wrong

United Parcel Service GISF, GSEC, GCIH, GWAPT-GOLD, GPEN, GMOB, GXPN, Sec+ Jeremy works as a security penetration tester, application security consultant, and defect remediation expert for UPS. Jeremy is also the owner of Ellipsis Information Security and teaches courses for SANS Institute and Indiana University Southeast. As a Director of Education for the Kentucky ISSA chapter, Jeremy presents on application security, penetration testing and defense along with operating the “webpwnized” YouTube video channel. Additionally, Jeremy develops the open-source OWASP Mutillidae II training environment. Jeremy has a Bachelors in Computer Science from Indiana University and is a GIAC-certified Web Application, Mobile and Network Security Penetration Tester.

Cryptanalysis is just mean. There is a lot of math and ciphers are difficult to understand. But we can get a glimpse into the world of cryptanalysis by breaking the classical Vigenere cipher. Besides being an interesting case-study, Vigenere is simple enough for us non-mathmeticians to understand but complex enough to sample several code-breaking techniques. If nothing else, we will reinforce why cipher choice is such an important part of implementing encryption.

Mark Loveless, The Edge of Normal

Mark Loveless is a Duo Labs researcher who also goes by the name Simple Nomad on the interwebs. He is not overly paranoid in spite of the fact that evil alien robots are stealing his luggage when he travels.

As a hacker, one tends to live out on the edges of society, and gets a real interesting view of the world. As a researcher, there is a strong quest for facts, and a stronger quest for finding flaws and detecting patterns. As a technologist, one has to have an eye on the future, with an eye on the path behind to see where we’ve been. Combine those elements and one will have a twisted perspective on the nature of reality and the path ahead. The end of the firewall, the VPN, and the password is happening as we have a maturing malicious market. All with the backdrop of the Internet of Things. How are we doing? Let’s discuss.

Adrian Crenshaw, Of Flags, Frogs & 4chan

Adrian Crenshaw has worked in the IT industry for the last seventeen years. He runs the information security website, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for awhile (MCSE NT 4, CNE, A+, Network+. i-Net+) but stopped once he had to start paying for the tests himself. He holds a Master of Science in Security Informatics and is one of the co-founders of Derbycon.

This talk will tell the stories of people who got their data leaked, or trolled hard by 4chan because of bad OPSec, and what they could have done better. Internet Hate Machine: Because none of us as are cruel as all of us.

Travis Funkhouser, Defeating the Modern Cyber Attacker

Funkhouser joined Attivo Networks in 2017 as a Sr. Sales Engineer from ForeScout where he was Team Lead for the Mid-West engineers. Prior to ForeScout, Travis was at Nightingale Home Healthcare where he was Director of IT and the HIPAA Security Officer. Nightingale was a national U.S.-based home healthcare provider with 600 clinicians in 16 offices in ten states. Previous experience includes serving as the Information Security Team Lead for IU Health in Indianapolis, where for over seven years he was responsible for deploying and managing ForeScout’s CounterACT solution in an environment of 140,000 hosts and 35,000 employees. Travis graduated from Indiana Institute of Technology with a degree in Management of Information Systems.  He holds current CISSP, CISM, CHPS, and CPHIMS certifications as well as various information security and IT vendor certifications.

Defeating the modern cyber attacker is no longer be based on prevention alone. Predictive visibility, detection, incident handling, and post-incident analysis all play critical roles in attack avoidance, early detection, and streamlined incident response.  Distributed Deception Platforms (DDP) are now recognized as a core technology for advanced threat detection, automating investigations, and incident response. Join this session to learn how DDP’s change the game on attackers by closing the detection deficit and by providing incident handling playbooks for simplified incident response.

Justin Wilkins, The Enemy Within – Detecting and Mitigating Insider Threats

Justin Wilkins is currently the Manager of Systems Engineering for the Mid-Atlantic at Varonis, where he helps organizations secure, manage and govern their unstructured and semi-structured data. He has over five years of experience in data security and governance across multiple platforms in both the federal and commercial space. Prior to joining Varonis, he held engineering roles at Philips Healthcare, GE Aviation, and Bloomberg LP. His background as an aerospace engineer provides him with a deep understanding of the technical challenges with data security and the ability to develop creative solutions to solve complex problems. He earned a B.S.E. in Mechanical & Aerospace Engineering from Case Western Reserve University and currently resides in Washington, D.C. He enjoys studying foreign languages, traveling, spending time with family, surfing and playing soccer.

Ransomware is both scourge and savior. While it’s not typically considered an insider threat, it acts from the inside, using insider identities, encrypting files that insiders have access to on endpoints and file shares. Learn how organizations are using ransomware to identify and confront vulnerabilities that expose them to rogue employees, abusive administrators, and hackers.

Jason Hale, Investigating Malware using Registry Forensics

Jason Hale is a Digital Forensic Examiner at One Source Discovery and has worked in the digital forensics field for the last nine years. Jason earned his M.S. in Digital Forensics from the University of Central Florida, is a graduate of the Computer Information Systems and Information Security track at the University of Louisville, and is an adjunct instructor of Computer Forensics at the University of Louisville. Jason holds several industry certifications related to digital forensics and incident response, is a member of the SANS GIAC Advisory Board, has published articles related to digital forensics in journals including The Journal of Digital Investigation and the ISSA Journal, and has given numerous presentations on digital forensics to legal and technology professionals.

Since being introduced in Windows 3.1, the Windows registry has continued to add new and interesting information as the operating system progresses. Storing data about executed programs, accessed files, USB devices, Internet browsing history, and even the directory structure of external devices, the registry is a truly a treasure trove of information – if you know where to look. This presentation explores some of this information in the context of identifying malicious activity through the detection and investigation of malware using only information stored in the registry.

Michael Leigh, A Needle in the Cloud

Michael Leigh is SDO Practice Director for NCC Group in Austin, TX. He is a 20+ year security veteran dating back to 1991 where he worked for the military. Prior to NCC, Michael was brought into HomeAway to revamp their security program past detect / deny in the kill chain to more offensive components, such as disrupt, degrade and deceive. Michael has held senior leadership positions in Information security for large and innovative companies to include Cisco Systems and Oracle Corporation. At Cisco Michel was, the CSO for their Remote Operation Service and charged with building an Information Security program from ground zero. During Michaels tenure with Oracle he lead security assessments, penetration testing engagements and Forensics / Incident Response programs. Michael also owned a boutique consultancy where he acted as CSO for video game development companies, healthcare payment processing startups and Incident Response Commander for large state agencies.

With the onset of the cloud becoming a mainstream component of modern corporate infrastructure many questions loom around how to respond and handle security events and incidents. Organizations leave themselves challenged with how to perform Digital Forensics and Incident Response in unfamiliar territory. This talk addresses the questions that are becoming a staple of most modern organizations: How to acquire digital forensics in a manner acceptable by the courts?  How do I deal with large datasets?  What tools allow me to perform analysis on the images?  What are the logging requirements to support my Incident Response capabilities?

Compliance / Audit Track

Tom Kopchak, How to make your next audit less awful: Compliance by Default

Tom Kopchak is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of network and Splunk engineers, but is still an engineer and technology geek at heart. He holds a Master’s degree in Computing Security from the Rochester Institute of Technology, and has spoken at numerous infosec conferences around the country. You will often be able to find him researching digital forensics topics or tinkering with any and all forms of computer hardware. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.

If you’re here, your organization (and by extension, you) inevitably is responsible for managing and conforming to numerous regulatory and compliance requirements. All too often, you will find yourself at the mercy of an individual auditor’s interpretation of these compliance requirements. As a security professional who manages the technical operations of a company responsible for helping many customers meet compliance requirements through the use of security reporting tools, Tom can definitely relate to this scenario. This presentation will focus on various interpretations of compliance requirements that have seen from different customers working with different auditors across a wide range of industries. This talk will draw attention to these differences, and seek to ultimately encourage an approach to compliance that results in significantly less last-minute panic and more overall security. Both auditors and administrators alike are encouraged to attend.

Carla Raisler, Show me the Money! Using the CIS Critical Security Controls to procure funding for your security program

Carla Raisler is the Information Security & Privacy Officer for HealthTech Solutions and Team Chief for the Kentucky National Guard’s Defensive Cyber Operations Element. When she isn’t harassing her coworkers with phishing tests or security audits, she’s telling war stories over a good IPA.

The CIS Critical Security Controls are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” action list. Implementing and auditing the CIS Controls provides security professionals the evidence-based prioritization they need to implement administrative, technical, and physical controls based on impact levels as designated through the NIST SP 800-53.

Chris Gida, Assessing POS Devices for Tampering

Chris Gida is a global information security expert helping organizations balance data protection requirements with meeting business goals and objectives. Chris has more than 10 years of experience within the information security, IT audit and consulting space. His diverse background in business concepts, management experience, technical skills and information security expertise allows him to interact will all levels within the organization. Chris is driven by the opportunity to create custom solutions for organizations which provide data protection and are easy to implement/support. Prior to his current position, Chris managed a team of 18 security professionals who performed a wide variety of security assessments. Chris also delivered regulatory and industry-focused assessments for organizations of all sizes, including several fortune 100 companies, across multiple industries including retail, healthcare, finance, education, and government. Chris has demonstrated leadership in the design, implementation, and execution of key information security programs. Chris has in-depth knowledge of HIPAA, HITRUST, PCI DSS, ISO 27000, SANS T20, Risk Management and Vendor Risk Management.

Credit card skimming is a hot topic, a significant threat from criminals and a challenge for merchants to prevent. As an experienced QSA and information security professional, the presenter has noticed that merchants are struggling with the training and inspection requirements to accurately detect potential tampering and substitution attacks on their payment devices. This struggle is not due to a lack of trying; the challenge is that merchants are left to subjectively create their own training and inspection program, with little guidance and support. Many merchants, such as smaller merchants, do not have the experience or training to identify tampered devices, especially as the sophistication of attacks continues to improve. The aim of this presentation is to provide more specific information about skimming, identify the importance of proactively identifying skimming devices and to assist merchants in meeting PCI requirements under requirement 9.9. As a traditional break out session, this presentation will make attendees aware of common methods for POS tampering and substitution, identify ideas for creating an internal assessment program, and provide topics for training internal retail staff. The audience will remain engaged as real-life examples of POS tampering and substitution are provided, including a review of picture and video examples for reinforcement. The presenter will leverage their experience in assessing a variety of merchants, including large retailers. This will help inform attendees of processes that will promote information security best practices on an industry topic where best-practices have not yet been established for tampering and substitution assessments.

Business Track

Alexandra Panaretos, Strengthening the Human Firewall

Alex is a Supervising Associate in Global Information Security for Ernst & Young LLP. She specializes in cyber security awareness and education, personal and physical security awareness, the psychology of social engineering, and operations security program development. She has over 10 years of experience developing and implementing cyber security awareness and education strategies in government, military family services, the Department of Defense, the medical and health industries, and local and national broadcasting affiliates. Alex was a core team member for cyber security program management assessments for U.S. National healthcare providers, and assisted in the development of security awareness materials for employees and patient care advocates. She was commended by a prestigious U.S. law firm for her educational seminars and cyber security teaching methods that assisted the firm in improving their information security.

A security-aware workforce serves as the first line of defense against cyber attacks. End users often are best placed within an organization to identify potential breaches and anticipate risks. Security-savvy end users can be an organization’s greatest asset in securing information. Organizations invest heavily in the latest security technology and information technology (IT) security personnel. These investments can’t protect the organization if end users are unintentionally undermining its security efforts. Learn how to engage your end users, understand the “cyber fatigue” plaguing most users, and develop a cyber aware culture in your organization through education, communication materials, and concise and clear messaging.

Robert L. Brown, Or How I Learned to Stop Worrying and Love the …

Robert represents emerging companies, which includes newly established companies as well as more mature companies seeking new markets. The issues faced by both groups of companies are strikingly similar how to identify customers and suppliers, how to put together the management team to reach the new markets, and how to raise money to fund the entry costs. For newly established companies, he is former chair of the Venture Club of Louisville (VCL), which serves as a gateway for entrepreneurs, investors and team members. 33 companies that made VCL presentations raised over $77 million in investment in 2016. For more established companies, he serves in several capacities where he helps domestic companies reach new customers primarily in foreign markets. Robert is chair of the National District Export Council appointed by US Secretary of Commerce, chair of the Kentucky District Export Council, former chair of the Kentucky World Trade Center, former chair of the World Affairs Council of Kentucky and Southern Indiana, and former chair of Crane House, a leading Asian cultural and business society. He was recently re-elected as chair of the Japan/America Society of Kentucky, and elected as treasurer of Sister Cities of Louisville. On a global scale, he is vice chair of the American Bar Association, Section of International Law and its 20,000 members in over 100 countries. He will become chair in 2018. In addition to a law degree, he has earned MBA and MS in urban economics (Louisville), MS in Japanese business (Jochi University in Tokyo), and two PhDs in law and development (University of Cambridge and The London School of Economics and Political Science). Recently, he completed an LL.M. in world trade from the University of London. He has also passed the CPA exam.

Cyber-attacks are common, frequent and increasing. They are also increasing used by global players, with a resulting global impact. Who are the attackers? Who is attacked? Is there an end in sight? What lies ahead?

Harlen R. Compton, CISSP/Attorney at Law, Back to Basics – Why You Don’t Have to Spend a Fortune for Good Security

Harlen is a Kentucky licensed attorney and an (ISC)2 Certified Information Systems Security Professional (“CISSP”). He spent ten years working in Information Technology doing system administration and later software development in both the financial and healthcare sectors. Since 2014, Harlen has worked in Security & Compliance for Homecare Homebase, LLC, part of The Hearst Corporation, where he advises on I.T. risk management, regulatory compliance, sub-service organization monitoring and contracts, secure software development, internal and third-party penetration testing, and audits. Harlen is a graduate of the Louis D. Brandeis School of Law at the University of Louisville. Prior to that he received a Bachelor of Science degree in Computer Engineering & Computer Science from the University of Louisville’s J.B. Speed School of Engineering. He attended the United States Military Academy at West Point for part of his undergraduate studies and was actively involved with the “SIGSAC” signal security group.

“Security Theater” is a function of business leaders spending money to check regulatory boxes and sleep better at night with a false sense of security. While spending truck loads of money on Information Security is not a bad idea at all, corporate spending on security “solutions” can seriously fail to deliver any real reduction to risk when a solid foundation of basic security practices has not been laid first. The most “bang for the buck” often lies in tools that an organization already possesses and in tasks that are neither fun nor glamorous, but are absolutely essential. This is especially true for organizations without a preexisting and reasonably mature cyber security practice. Plus, when solid progress can be shown using existing tools and resources, the “sell” to upper management to spend the serious dollars on necessary products and solutions becomes much easier. In this presentation, I advocate for sensible prioritizing of a security program. Basic controls such as software patching, controlling what devices are on the network, knowing who has access to those devices, and proper training and policies around people (the weakest link) should be matured before trying to get more money from business leaders for the cool stuff. I discuss breaches reported in the news and statistics, some I have experience with, and how in the vast majority of cases, it was a failure of fundamentals and not the absence of expensive security tools that led to the breach. I am also careful to explain that there is real value in security spend on the more advanced and expensive solutions, and how to leverage success with the fundamentals to help persuade senior management to see that value.

Conrad Reynolds, Everything I Needed to Know About Security I Learned From The Godfather

Conrad loves security, audit, and film. He is especially fond of films with security & audit themes, including “All the President’s Men”, “Catch Me If You Can”, “The Smartest Guys in the Room”, “Spotlight”, and “Mr Robot”.

Security and audit problems are nothing new; we face the same basic threat and control concepts today that organizations have since the time of the ancient Egyptians. The Corelone Family was particularly successful in dealing with security issues, and we can learn from their example.

Apolonio “Apps” Garcia and John Zuziak, Measuring Cyber Risk with Open FAIR

Apolonio “Apps” Garcia CRISC, Open FAIR is the President and founder of HealthGuard, where he has been helping healthcare clients solve their cyber security and risk management challenges for over 15 years. Apps and the HealthGuard team were early adopters of the Open FAIR (Factor Analysis of Information Risk) standard and have been utilizing scenario based risk analysis for the better part of a decade.

John Zuziak CISSP, CBCP has over 10 years experience in Information Security building programs to address Compliance, Medical Device Security, Third Party risk and Risk Management. He has been with Catholic Health Initiatives for over 5 years, serving as the Director of Information Security Governance and Risk for the last year. Prior to joining CHI, John served in a variety of roles as a Network Engineer, HIPAA Security Official, Information Security Manager, and VP of Technology.

With the increased number of cyber attacks over the last several years, many business leaders and boards are looking for tangible data on their organizations security posture and the related risk to their organizations. This presentation will introduce the Open FAIR standard, which is an analysis framework and taxonomy that gives security leaders a new way to measure and express cyber risk in business terms.