BEGIN:VCALENDAR VERSION:2.0 PRODID:Data::ICal 0.24 BEGIN:VEVENT DESCRIPTION: 'Title: Security Misconfigurations in the Cloud - "Oh Look\, something\n fluffy\, poke\, poke\, poke"\n When: Saturday\, Aug 13\, 12:30 - 13:10 PDT\n Where: Flamingo - Sunset-Scenic Ballroom (Cloud Vill age) - [1]Map\n\n SpeakerBio:Kat Fitzgerald\n Based in Seattle and a n atural creature of winter\, you can typically\n find me sipping Grand Ma yan Extra Anejo whilst simultaneously\n defending my systems using OSS\, magic spells and Dancing Flamingos.\n Honeypots & Refrigerators are a f ew of my favorite things! Fun Fact: I\n rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the\n Seattle area.\n Twitter: [2]@rnbw kat\n\n Description:\n Intro time (5 mins) Well\, I have to say who I am and why I'm here and\n my qualifications\, otherwise people leave. Ok \, maybe they don't leave\,\n but I want to explain how/why I do this an d how I'm going to make it a\n fun project for everyone after the talk! Baking something fluffy (10\n mins) Now I take a few minutes to explain the common concepts of cloud\n configurations such as IAM/ORG policies a nd how they compare to\n redteaming 'on-prem'. It's all about understand ing the magic that is\n the cloud in clear terms that everyone can follo w along with - and\n yes\, there are funny jokes and memes throughout. A happy crowd is an\n engaged crowd! Seriously\, in a quick 10 minutes\, 'Pizza as a Service'\n is used to explain the concepts of the cloud\, th e attack vectors\n presented and how pentesters and bad actors use these attack points to\n their advantage. It's clobberin time (10 mins) Let's get to it with\n lots of example of misconfigurations and the attack ve ctors they pose.\n This is both live (with recorded backup) demo time an d OSS tool\n demonstrations to help find misconfigured cloud services. N ot much\n else to say about this part. It is interactive\, fun and reall y shows\n off how simple mistakes can lead to serious incidents like exp osing\n millions of records to the public 'accidentally' or how a public \n github repo was used to launch over 300 VMs for crypto mining and no\ n one knew until a month later. Oh yeah\, and a brief description of how \n cryptomining is a fun diversion to take your attention away from what \n the attacker was really doing will be discussed. Peace offerings to\n the demo gods will be made prior to the live portion of course. Great\, \n now how do we fix it? (10 mins) Well\, attendees have to come away wi th\n some clear AIs to be able to apply to their cloud configurations an d\n some suggestions on how to avoid misconfigurations in the first plac e.\n Auditing tools are discussed and shown (not in demo\, but output fr om\n audits are shared and discussed) Tools discussed are all OSS and\n nothing\, (and I mean nothing!) is commercial! Before and afters of\n misconfigured cloud projects will be shown with some general\n automatio n suggestions to help remove the 'human threat' factor from\n the proces s. Key Takeaways (5 mins) Let's bring it all to a neat and\n tidy conclu sion with specific takeaways so attendees feel like they\n got something out of this. What good is any talk without identified\n specifics of wh at we learned and how to apply them\, am I right? And\n there you have i t\, tied up neatly with a lovely bow and ready to take\n home! Q/A (5 mi ns)\n '\n\n 1. https://defcon.outel.org/consolidated_page.html#Flaming oThirdFloor\n 2. https://twitter.com/rnbwkat\n\n\n DTEND:20220813T201000Z DTSTART:20220813T193000Z LOCATION:CLV - Flamingo - Sunset-Scenic Ballroom (Cloud Village) SUMMARY:Security Misconfigurations in the Cloud - "Oh Look\, something fluf fy\, poke\, poke\, poke" END:VEVENT END:VCALENDAR