November 2018 Chapter Meeting

Triad ISSA Chapter Meeting – November 15th

 

When: November 15th, 2018, 6-8 PM

Where: Forsyth Technical Community College

2100 Silas Creek Parkway

Dewitt E. Rhoades Conference Center in the Robert L. Strickland Center

Winston-Salem, NC

Cost: Free for Triad ISSA Chapter Members and First Time Visitors. $10 for returning visitors. Dinner will be provided.

If you know of any other security professionals interested in attending, please forward this invite on to them and copy us on your correspondence.

Agenda:

1. Meet, greet, network, and eat dinner, which will be provided (6:00 pm – 6:45 pm)

2. Chapter business (6:45 pm – 7:00 pm)

3. Presentation (7:00 pm – 8:00 pm): A Bucket of Fail

Abstract:

Cloud platforms are a massive win for organizations of all sizes. Cloud computing means anyone in an organization can stand up a publicly facing computing environment with nothing more than a credit card. Unfortunately, the incredible speed can come at a cost for information security. Nowhere is this more evident than with cloud storage. Amazon’s Simple Storage Solutions (S3) is by far the most popular cloud storage platform. Although secure by default, it is easy to accidentally expose sensitive information with weak permissions. Even experienced system administrators might make configuration mistakes and accidentally expose internal components. Common penetration testing methods for checking S3 bucket permissions are woefully inadequate for the volume of objects stored in S3. This presentation covers common misconfigurations with S3 and methods to verify strong S3 permissions including a script to automate permission checks. This script has successfully checked S3 object permissions on more than 10 million files in a few hours, finding the 6 misconfigured files and avoiding a breach.

Presenter’s Biography:

Stephen Deck is a senior application security consultant for DirectDefense where he performs security testing on web, mobile, and client-side applications. Stephen previously worked as a security engineer, incident responder, software developer, and an infantry officer. Stephen’s current work focuses on identifying software vulnerabilities, writing exploits, improving application testing methodologies, and better integrating software security in the software development lifecycle.

Register for this month’s meeting at https://triadnc-issa-2018-11.eventbrite.com.