Overzealous Admin:  "I bet you can't break in to my network!  I got my stuff together…"

Pentester:  "I'm just here to help out and find the weaknesses the bad guys might or have used."

Overzealous Admin:  "Well I have a corporate network with a level 8 Paladin firewall taking +2 hit points, a level 3 Rouge IDS to disarm your Smurf Attack, a level 5 Wizard SEIM solution with +3 powers of divination, and a level 2 Devoted Cleric antivirus to heal your malware infections!"

Pentester:  "Um…your CEO shared all his docs on Dropbox.  Didn't your Wizard tell you'"

Lets play a game of fantasy tower defense with your infrastructure'  Instead of measuring the price of your implementation, lets concentrate on if it can really protect you!  If your defense isn't mobile, agile, or technically relevant to where your users and data are then you're still waging medieval siege warfare!  Who cares about networks, servers, mobile computing, and BYOD!  How about we review some modern security practices to protect what's really important…YOUR DATA…without attending a single vendor song and dance routine.  In the end, we'll collaboratively outline a new approach to securing your assets that doesn't focus on patching or hardening a single device or buying something.  Are we doing this all wrong'  You may even be convinced to throw away your firewall altogether!

BIOS: With hardly any experience in anything worth discussing, Evan is a frustrated and jaded security professional tired of responding to incidents and data owners in a broken mantra…"I told you so! Oh, you agree' Then WTF!" After a certification binge (he's embarrassed to say how many) and stint at corporate ladder climbing, he abandoned all hope of making businesses and government any more secure from the inside. Now he breaks stuff…

An IT industry veteran, with 20+ years of experience, Dr. Noah Schiffman is a former black-hat hacker turned security consultant. He spent almost a decade as a career computer hacker, performing penetration testing, social engineering, corporate espionage, digital surveillance, and other ethically questionable projects. Subsequently, he worked as a security consultant, teaching network defense, giving talks, and writing about information security. His past clients have consisted of Fortune 500 companies and various government agencies. For the past several years, his R&D efforts in the commercial and defense sectors have covered areas of data analysis and pattern recognition for security applications.

Back to BSides Las Vegas 2013 video list