Did you know Halifax, the capital of Nova Scotia, is considered to be "the economic center of Atlantic Canada" and is home to many impressive firsts? Halifax established the first public school and the first law school in Canada. It was also the first place in North America to turn on all-electric city lights. This spirit of innovation continues to shine through today, as the city is home to the largest cybersecurity conference on the Canadian Atlantic coast, the Atlantic Security Conference, this year better known as ATLSECCON 2024

No alternative text description for this image

This Atlantic time zone-based event drew together over 1200 participants to see sessions from over 50 speakers across 2 session-filled days. Along the way, there was a capture the flag village, many networking breaks, a snowstorm, and one social event featuring Halifax Donair. Here are just a few highlights from the conference. 

A Journey of Mindfulness and Security

Chris Gates, the Senior Offensive Security Manager at RobinHood, set the tone for the conference with his keynote speech, "F*ck It - Just Get Your Feet Wet!" Chris shared his personal story of transformation, emphasizing the significance of embracing a hacker mindset coupled with mindfulness to enrich life experiences. The title comes from an anecdote of him hiking and fearing to get his shoes wet, which he inevitably did. Once he did, though, the path got much easier to travel. We need to accept that life, like security, is a messy business, and we just need to wade in. 

Throughout his talk, he explained how we need to run tests and implement observability in our personal lives. Mindfulness is how we accomplish this, allowing ourselves to pause and consider how we react as a first step to improving our situation. He stressed the importance of intentionality in our actions and the need to challenge our core programming. Much the same way we need to re-evaluate the best approaches to cybersecurity, we need to be mindful of the approach we take for the rest of our lives. By reevaluating how we got to believe what we believe, we can counteract bad programming. 

Keynote from Chris Gates.

Balancing the risk management equation

In his talk on "Demystifying Risk Associated with Vulnerabilities." Bryan Beard, cybersecurity manager at Grant Thornton, delved into the complex world of translating threat scores into potential real-world consequences. He talked us through the recent ban on Flipper devices in Canada, which was based on a misconception that hacking devices can be used to steal cars.  They can't. Similarly, we spend too much time on things like CVEs that are marked 'high risk' even though, in our environment, they would be extremely hard to execute. 

Bryan emphasized the importance of understanding the context of each vulnerability. He urged us to go beyond standard metrics like the Common Vulnerability Scoring System, CVSS, and scores and consider the unique aspects of their networks. By focusing on the root causes, most commonly unpatched systems, we can develop more targeted and effective mitigation strategies. Bryan also laid out five levels of difficulty for remediation of vulnerabilities, from easiest to hardest:

  1. Flip a switch – If a security setting can simply be turned on, then we should do so.
  2. Flip a switch and test—Some security settings can simply be turned on, but we need to check to make sure they do not cause unexpected behaviors. 
  3. Update – Applying patches should be normal maintenance but takes more effort than just adjusting a setting. 
  4. Upgrade —This level requires a whole new version of the service or software to remedy the security threats. Your vendors should discuss this.
  5. Rewrite – Sometimes, the only way to secure your organization is to replace the application completely with a different approach. Of course, this takes the most effort. 

Bryan concluded that we can balance the severity of the specific threats in our environments with the level of remediation needed to prioritize our work securing the organization. 

"Demystifying Risk Associated with Vulnerabilities" from Bryan Beard Manager

Thinking like an attacker means understanding Active Directory

In his session "The Silent Scream of Every Network: The Horror that is Active Directory," Tim Oroszi, Principal Security Engineer at Tenable, walked us through the many ways adversaries abuse Active Directory, often abbreviated to "AD." AD attracts attackers due to its widespread use, common misconfigurations, and inherent vulnerabilities. Tim said AD security is like a leaky basement: unseen and unmanaged yet critical to the foundation of an organization's IT infrastructure. One of the major issues is that no one group outright owns AD inside most organizations, making it that much harder to secure.  

Tim laid out several important steps for securing AD:

"The Silent Scream of Every Network, the Horror that is Active Directory" Tim Oroszi Principal Security Engineer at Tenable

Better security by understanding why containers are not VMs

In his very practical talk "Building Containment Fields: How to Secure Containers," Eric Conrad, SANS Institute Fellow, and CTO of Backshore Communications explained one of the biggest issues with container security is that we are not delivering on the basics. While virtual machines all have their own kernels and often come complete with system-level logging and security tools built in, containers all share the same host kernel. This means it is far easier to take control of the host machine and do it without leaving a clear trail. 

Containers are mostly created by developers, who have incentives to make lighter and faster workloads, 'shaving pennies' wherever possible. Building in a logging function or double-checking for root access is not going to be top of mind, especially when they come from a VM background, where many of these concerns are managed at the OS level.  

Fortunately, Eric shared a free and open-source tool that can make it very simple to find and fix issues: CIS Docker Benchmark, from The Center for Internet Security. This text-based tool can quickly identify common issues and provide guidance on how to implement the needed changes. With this tool, anyone, even if they have no idea how containers work, can surface issues and start improving their security within the first 30 minutes of using it. Best of all, it teaches the user container fundamentals along the way. 

"Building Containment Fields: How to Secure Containers" Eric Conrad, CTO of Backshore Communications

Charting a Course for Collaborative Cybersecurity

ATLSECCON 2024 resounded with a common message of unity and collaboration in the face of our cybersecurity challenges. Sessions ranged from very technical explorations of exploits to broader security improvement conversations. Your author was able to premier a new talk in the latter category, where I shared the power of empowering our co-workers as security champions, drawing on the principles from OWASP's program guide. Part of this program was raising awareness through "Lunch and Learns," which many companies like GitGuardian offer as a free service to customers.

I am already looking forward to the next ATLSECCON, where we will again gather to forward the cause of security in the true North East, strong and free.