SANS Cyber Defense

Six Presentations You Don't Want to Miss at Supply Chain Cybersecurity Summit

June 19, 2019


As the inaugural Supply Chain Cybersecurity Summit approaches, we're getting excited for two days packed with expert presentations exploring critical supply chain challenges and potential solutions organizations can implement to help mitigate third-party risk.

The Summit's advisory board has worked diligently to assemble an agenda that provides a diverse set of perspectives on and approaches to the problem of supply chain cybersecurity. Below you'll find some featured presentations which will help you become better equipped to deal with this often-overlooked threat vector.

For the entire list of Supply Chain Summit presentations and speakers, check out the Complete Summit Agenda.

Keynotes

We'll kick off both Summit days with in-depth talks from two of the most well-respected cybersecurity leaders in the industry.

Third Party Software Assessments for Modern Development

Chris Wysopal, Veracode

Software is no longer delivered on a CD-ROM with occasional updates. Software delivery has become a continuous process for SaaS, mobile and desktop apps. So what value is a point in time assessment to understand the risk accepted by software users? Software assessments must become continuous and process based. There is also a need to balance the transparency desired by software users with the needs of vendors to be effective in software delivery and maintenance. We need continuous assessment with the right level of transparency to keep up with our rapidly changing and deeply nested software supply chains.

About Chris Wysopal

Chris Wysopal, Veracode's CTO and Co-Founder, is responsible for the company's software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTOs and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing," published by Addison-Wesley.

When Your OT Support Supports the APT

Jake Williams @malwarejake, SANS Institute; Rendition Infosec

Manufacturing, medical, and many other environments have extremely specialized (and expensive) operational technology (OT) devices. Due to a high degree of specialization, these devices are rarely maintained by the same organization that operates them. In some cases, these devices are merely leased from the manufacturer, remotely maintained by the manufacturer, but deployed in a customer's production network.

While it is well understood that remote support technicians could achieve malicious effects through remote administration software, what about an APT? How easily can an advanced attacker pivot from an infected remote support machine to the OT device (and ultimately to the customer network)? In this talk, Jake will walk through the mechanics of compromising OT equipment via remote support software, complete with demonstrations of gaining access.

About Jake Williams

SANS Senior Instructor and Founder of Rendition Infosec, Jake Williams boasts a decade of experience in secure network design, pen testing, incident response, forensics, and malware reverse engineering. He has obtained clearance from various government agencies and regularly responds to cyber intrusions by state-sponsored actors in the financial, defense, aerospace, and healthcare sectors. Williams developed a cloud forensics course for a U.S. government client, the pentesting tool Dropsmack, the anti-forensics tool ADD, and builds other custom solutions to address incident and malware-reversing challenges. He has identified vulnerabilities in a state counterpart to Healthcare.gov, and as a former N.S.A. employee, Williams' expert opinion is frequently sought after by Wall Street Journal and New York Times reporters.

Noteworthy Talks

These presentations include new research, interesting concepts, and innovative approaches to supply chain cybersecurity.

Hacking the Motherboard: Exploiting Implicit Trust in All of the Forgotten Places

Sophia d'Antoine @Calaquendi44, River Loop Security

Last year, Bloomberg's Big Hack article gave everyone a (questionably accurate but) much-needed scare, which forced companies to evaluate their exposure to supply chain intervention attacks. But a wider acknowledgment of the problem doesn't make it go away. We need to understand the attack vectors and the inherent hardware vulnerabilities used by these backdoors, as well as the steps we can take to protect ourselves. We must have confidence in the systems and the technical infrastructure that supports our economy. This confidence currently relies on too much implicit trust — overlooking serious risks. Assurance in this area is hard won, manual, and costly.

In this talk, Sophia will dive into several recent hacks including the ASUS software update hijacking and the SuperMicro supply chain allegations vs. reality. This discussion will include a technical overview of various types of hardware implants, the access they enable, and what we should be doing to detect and mitigate. Attendees will leave the talk with an in-depth understanding of what a hardware implant is, what types of implants provide what capabilities, and — with this knowledge — how to protect their enterprise from these attacks against a modern supply chain.

About Sophia d'Antoine

Sophia is a Director of Research at River Loop Security. She is a graduate of RPI, and earned her MS on exploiting CPU optimizations, which later assisted in the development of Spectre/Meltdown. Sophia has spoken at dozens of conferences, sits on the PC for WOOT and SummerCon, and is the NYU Hacker in Residence. She develops tooling to assist vulnerability discovery.

Trust but Verify: An Argument for Security Testing Vendors

Rachel Black, One Medical and Kyle Tobener @kylekyle, Salesforce

Before a company shares data with an external vendor, an important question needs to be considered: Does this vendor have a mature security program that will keep the company's data safe? To answer this question, companies often employ a variety of vendor risk-management strategies, including questionnaires, requests for documentation, and contract language, as well as a variety of new tools that scan the public face of a vendor. But are these strategies truly effective at gauging the vendor's security maturity?

In this session, the presenters will argue that hands-on security testing is one of the best methods to measure security maturity, and that it is far more effective than any other strategy. You'll learn how best to incorporate security testing into your vendor risk-management program at any scale, scope your testing, interpret results, and overcome the common challenges that a security team can face with hands-on security testing.

About Rachel Black

Rachel Black is a Senior Manager of Application Security at One Medical focusing on product security, vendor security, and a little of everything else. In her free time she snuggles with her Corgi, plays Stardew Valley on the Switch, and religiously uses Yelp to decide where to eat!

About Kyle Tobener

Kyle is a Director of Enterprise Security at Salesforce where he focuses on vendor and application security. In his free time, he collects cyberpunk paintings, runs the largest board game Meetup in San Francisco, and teaches his toddler daughter to break things.

Demos

It's not a SANS Summit without a deep technical dive. These demonstrations will show you ways an adversary can attack your supply chain.

Hack Your Lunch: A Live Demo of How Your Supply Chain is Getting Pwned!

Brandon Helms @_ChiefyChief, Rendition Infosec

Working as a Red Teamer has challenged Brandon's thinking and helped build solutions to previously unsolved problems. One of the more interesting solutions that he helped engineer revolved around using the developer to enable the deployment of their tools. In this presentation, Brandon will demonstrate the impact of a developer being compromised and the exponential impact that can result from it.

In this hands-on demo, we will reconstruct an engagement where a developer was compromised and the attacker (a Red Teamer in this case) was able to inject malicious code into the production code base, which in turn enabled remote access to any user that executed that code. You will be able to see the impact from both the developer's point of view and the attacker's. Afterwards, Brandon will break down the indicators and speak to best practices when using centralized code repositories and engineering production-based workflows.

About Brandon Helms

Brandon is the COO at Rendition Infosec. He has dedicated most of his career to leading some of the most advanced cyber operations for both the DoD and the private sector. He was a Chief Petty Officer in the U.S. Navy, where he ran IT and security operations for submarines, and then transitioned to become a technical director at the NSA. Following his military career, he entered the private sector as a Business Information Security Officer, supporting numerous nation states and Fortune 500 companies. Today, his focus is on training the next generation of cybersecurity professionals.

Bring Your Own Threat - Supply Chain Attacks Using Personal IoT Devices in Companies

Martin Hron @thinkcz, Avast

According to statistics, 35% of IT Directors report more than 1,000 pieces of shadow IoT on their networks daily, and 39% said they used personal devices connected to the enterprise network. The most popular devices were fitness devices, digital assistants, and smart kitchen devices. Every single day we hear how consumer IoT is weak and in its infancy; still, according to the statistics, these devices are commonly allowed to join the computer networks of many small, medium, and big companies. What could go wrong? If we talk of software supply chain attacks, the situation is somewhat easier, but what about all those IoT devices we don't really have insight into? How easy is it to infiltrate an enterprise network using off-the-shelf commodity IoT?

Martin will present a proof of concept (live demo) of how this could theoretically happen. Using a simple camera with modified firmware, an attacker may start the attack from the inside out, which gradually leads to gaining access to the network: infecting a coffee maker, modifying router settings, and in the end deploying ransomware, rendering the whole network inoperable. In conclusion, he'll discuss possible attack vectors and solutions to this problem.

About Martin Hron

Martin is a Security Researcher at Avast where he leads research across various disciplines such as dynamic binary translation, hardware-assisted virtualization and malware analysis. Recently, his focus is on firmware and IoT security. Martin is devoted to technology and is a true software and hardware reverse engineer with more than 20 years of experience in the industry.

Attend the inaugural Supply Chain Cybersecurity Summit!

These are only a few of the presentations on the Summit agenda. In addition to expert talks and demos, the Summit will host an evening reception, onsite luncheons, and several networking sessions. This is your chance to learn, share, and connect with the best in Supply Chain Cybersecurity. We hope to see you there!

  • © 2023 SANS™ Institute