ISSA Chapter Meeting 12 September 2023:

WELCOME/AGENDA: Roops opens meeting and welcomes attendees to September ISSA meeting of 2023; Hybrid and in-person at ECPI university, Agenda, after meeting give feedback; what we can improve?

AGENDA: Welcome, Membership, Education, Meeting Presentation, Business Meeting, Q&A/Feedback, Adjourn.

ISSA- HR PROFESSIONAL ASSOCIATION MEMBERSHIP BENEFITS: Build Professional relationships, stay current on developments in information security/risk/privacy, hear speakers, professional development and education opportunities, earn continuing education CPE/CPUs (validated through Charles), best practice/practical solutions, career information and Employment opportunities.

GROW PROFESSIONALLY: ISSA offers strategic resources and guidance to successive career levels. Professional and student rates for membership: Prof: ISSA org+Chapter dues: $125, student discount for membership: ISSA org+Chapter dues $60. Reach out to Charles.

NEW MEMBERS: 2 new members last month; welcome Gary and Sara! Thank you for all the new members, welcome also members involved with board: Cal, Faith.

EDUCATION: Goals: educational resources, mentorships program, teambuilding/collaboration, hands-on industry tool familiarization, certification Tracking/ Pipeline.
provide resources, mentorship program, reach out if interested, team building, collaboration industry tool familiarization
Chapter links on website at https://issa-hr.org/security-resources/ Practice Labs/ Content Creators/ Security Tools and Resources. ISSA Reading List: https://issa-hr.org/reading-list/

Hands on labs: Membership tiers, free/fee, (your company may already have an account!) Lots of people use these resources to learn, develop skills, improve yourself—can be used on resume, show what you do on your free time to demonstrate your skills, your company may reimburse you!
https://www.codewars.com/ , https://www.offensive-security.com , https://www.vulnhub.com , https://tryhackme.com , https://portswigger.net/web-security , https://academy.hackthebox.com/ , https://www.hackthebox.com , https://letsdefend.io/

 Virginia ready initiative program: (https://virginiaready.org), most top certs offered by area colleges.
Boeing program: Technical apprenticeship program (BTAP): “An accelerated, on-the-job, earn as you learn development program for those interested in gaining new job-ready technical skills for emerging and in-demand roles. BTAP participants receive paid, relevant work experience and are mentored by industry leaders, while acquiring the skills and on the job experience that we value.” https://jobs.boeing.com/BTAP

NEW social media resources! Discord (https://discord.gg/76zTmJHx) /Linkedin (https://www.linkedin.com/company/information-systems-security-association-issa-hampton-roads-chapter/ ) /Website Meeting Recap Notes (August) available: (https://issa-hr.org/issa-meeting-a-august-2023/ ) changes to website are underway!

Meetings and social events: Evan Larson is our meeting program director
see meetings for remainder of 2023: 3 left this year!
September 12^th: Johnnie Shubert- Digital Deception: Exposing the Dark Side of Artificial Intelligence
October 3^rd: Adam Shostack, Shostack & Associates- Threat modeling in the age of AI?
November 7^th:John Bos, Cybrex LLC- Creating and being a business owner (title in progress)
Holiday Party: TBD if speaker needed/wanted

Looking for speakers in 2024! Send us leads, topics you may be interested in, when you go out and see speakers make sure you send them to us!

Cyber Social: held on 3^rd or 4^th Wednesday: Upcoming on September 20 5:30, networking social 3380 Princess Anne rd. RSVP @ Eventbrite: (https://ISSA-HR.eventbrite.com) Meetup:(https://www.meetup.com/issa-hampton-roads/) anytime between 5:30 and 10! Just pop in! Never know who you’ll see; developer of ROM showed up once, was interesting.

After this meeting, networking happy hour at Plaza Degollado, ~7:45

New format for Jobs portion of the meeting:
Need a job/have a job/ ISSA job search page (http://iz1.me/XJU31zUSeBV )
Government Jobs: https://www.USAJOBS.gov Government job resource (book): Federal Resume Guidebook; Author: Kathryn Troutman.

Need a Job: Want you to give an Elevator pitch (~30 Seconds) about yourself: containing an introduction, summary of what you do (current role and why you are doing well there/follow-on relevant experience) explain your value, what problems you can solve and a call to action (what happens next). Optional-extra (~30 seconds) mention if you held a clearance in the past, preference for remote/onsite, other education/certs you have not covered, other short details, we can post these details and your email in the chat if you’d like your name to get out there.

Have a job: Job title/company type of company contractor/government/Private sector/requirements, years of experience, education, certs, and clearance/qualifications/any other information desired (keep it short!)

Presentation: Johnnie Shubert, speaking about AI and how it’s being used in the coming years;

What is AI?: The capacity given by humans to machines to memorize and learn from experience, to think and create, to speak, to judge and make decisions:
“Not pattern recognition, not google lens/photos, which is just pattern recognition, AI is a model that has a large dataset it is trained on and can create realistic functions: articles condensed by ai: AI is very pervasive.”

AI enhanced scamming (the rabbit hole): Phishing (is EASY), Enhanced password cracking (faster than ever before), Impersonation: voice cloning, Deepfakes (even live ones): crypto scams, ‘grandparent’ scams, romance scams:
 “Went down a rabbit hole for this one, it is SCARY, the toolkits available now– (johnnie sighs)– target phishing, spear phishing; a good hacker may take some time to target and exploit: AI can do its own OSINT. Ingests the data and uses it to create TARGETED PHISHING campaigns/smishing/vishing/ and even password cracking: there are AI models to crack passwords. Impersonation/ voice cloning (deep fakes), live real time deepfakes that can be used in Zoon/ chat applications, convincing, real-time deepfakes generated by video data. This software is out there, and it is free and user friendly, which is why it shows up on TikTok, etc. Grandparent scams/ Romance scams, some of the most destructive scams because they target the vulnerable.”

AI Phishing: vishing (voice cloning), smishing (auto spray), email (harvesting/SPAM) Social engineering (OSINT for purposes of voice cloning and these live deepfakes.):
 “The next generation will be the AI doing the social engineering, calling with a voice clone filter to mimic the voice of another.”

Advanced Password Cracking: PCWorld (April 23): PassGAN, an AI password cracking software was fed over 15M passwords from the 2009 RockYou breach. Passwords under four and over 18 characters were excluded:
“Has two AI’s; one creates password hashes and another checks those and they go back and forth and this method is used to crack passwords.”
Cracked: 51% of passwords under 1 minute, 65% Under 1 hour, 71% in 1 day, 81% of the passwords in 1 month:
“Reused passwords are a HUGE risk for these reasons, AI will be able to predict possible future passwords.”

Impersonation, Identity Fraud and more: Deepfakes 2.0: Live (real time) through Zoom and Teams. Software exists, available for Windows, Android, iOS:
“Tools available on the dark web. Available to cybersecurity professionals AND cybercriminals.

Brief video: no audio: live deepfake recorded in real time using software and off the shelf video card to generate images.
“Model has TWO AIs, generative adversarial networks, one generates the image, the other discerns what is wrong and gets progressively more accurate and difficult to differentiate from real. This software can run on Nvidia (optimized) and other easily accessible chipsets.”

Next video: Deepfakes: potential for abuse in these situations; talked about with romance/grandfather scams, iOS cloning will be talked about: fascinating.
“In new iOS, there is voice listening and they create a voice filter for you if you become voice impaired, in new iOS 17, android has many apps to mimic someone’s voice, Windows too.”

Voice cloning: Caller ID spoofing is LEGAL, up to a point—voice cloning/filters able to hide accents:
“Caller ID spoofing is ONLY illegal if used for fraudulent purposes (puts into questions what is defined as fraudulent), civil matter. Judgement call. Caller ID spoofing is easy through software. Paired with voice cloning, can be dangerous. Need to look at ways to remediate these kind of situations (Zero trust/trust but verify, even calling them back at the known number to see if it is real.) Call-jacking is possible, but layers compounded could make a mess. Voice cloning/filters can also be used to obscure accents. All it takes is a substantive enough audio sample.”

New twist on old scams: Grandparent scam, Romance scams, Tech support, Call center scams:
“Grandparent: could be a faked rendition of a family member in trouble. Older populations are not terribly tech savvy, inform to have them verify who is calling them, with a safe phrase, etc., a WAY TO VERIFY. Push education, get the word out.
Romance: Online relationships where funds are sent. Threat actors target vulnerable people.
Tech support/Call center scams: a call with an accent, presumably India, voice filters can alter an accent right down to locale, will seem natural and accommodating, more sophisticated, harder to detect and harder to defeat, because they are becoming more convincing.
There’s $ in it and it’s not hard to do these things, which is a huge motivating factor for those without the morals.”

YOU ARE A TARGET:

We are a threat vector. www.securingthehuman.org/
“None of this is hyperbole unfortunately. AI will create a script, come up with ideas based on OSINT data, TRUST BUT VERIFY:  you get a call from someone familiar to you asking about goods/services/money/access to intel/ ask yourself if it is out of character for them.”

Q&A:
Is impersonation ILLEGAL? “Though these things may be real time deep fake. Most cases need to establish HARM”

How can we trust what trust has already been eroded? is digital forensics calling this out? “Short answer is yes, they leave fingerprints up to the person who created the software to implement those fingerprints. Detection of GPT created content. This software is not “open source” but it is free, digital forensics/cybersecurity will just become more nuanced and difficult.
Some digital forensics tools are in place, in the gaming community a lot of cheat software is now AI and it looks like player is paying, can’t tell is someone is cheating or playing, software companies have developed their own programs that can discern forensics and differentiate what is not real.
AI will have a probability marker. Federal judge has recently ruled you cannot sue an AI for copyright”

SAG AFTRA and AI? – huge debate.

WHAT JOBS ARE SAFE FROM AI? Great question. (Can we tell the future like that?)

ANYBODY IN HERE CAN CREATE A GENERATIVE AI.

CONFERENCES:
COVA CybER Con 2023, ODU; Sep 20-21, $25-$500, https://covacci.org/cybercon/

InfoSec World 2023 Disney Coronado; Sep 25-27, $299-3495 www.infosecworldusa.com

ATT@CKcon 4.; MITRE ATT@CK’s HQ McLean VA, Oct 24-25, $295-495, https://na.eventscloud.com/website/58627/attackcon4/

Virginia Beach CyberOps 2023, ODU 2101 Constant Hall, Room 1002 Norfolk, VA 235082, Oct 28, Free SOLD OUT, https://sites.google.com/view/oducyberops2023

CyberForge: has been announced: Feb 10-11, $5 per person,$200 for vendors, have not opened registration yet.

BUSINESS MEETING: Old business/ New business/Special election: Secretary Position open for nominations/ Special Election Voting / Membership Updates/ Treasurer Report/ Social Media Updates.

Old: New social Media Resources: New Discord/New LinkedIn, please join! Can post, ask questions, invite others in the club, great place to collaborate! Last social was at Casual Pint on Aug 30^th, hurricane forecast dug a dent in attendance but was good time.

New: Special election: Secretary position open for nominations, special election voting to take place,  Special thank you to Bruce Richard for his service to the chapter for 2 ½ years as ISSA-HR Secretary

Volunteer events: What would members like to participate in next? Who can volunteer to lead?

If you try to volunteer somewhere and they don’t accept you, SAY YOU ARE AN ISSA MEMBER AND “WE” would like to participate. We are here to support those who choose to lead. We can create handouts, outreach, all you need to do is lead!

Special election: Secretary position is open, Special Election Committee: Michael Bukowski, Mike Douklias

Open for nominations until next Cyber Social on Sep 20^th  11:59 EST, can email or submit in person
Those nominating: will need from you: A brief bio, Digital Photo (able to print 300dpi jpg, gif) and a statement of interest and goals the chapter.

Special Election Voting: Will be voted electronically, members keep an eye on your email!

August 1^st Meeting Minutes: Comprehensive Meeting Recap on website, by Historian: Faith Walauskas (https://issa-hr.org/issa-meeting-1-august-2023/ Meeting called to order by chapter President, Welcome Opening remarks,  ISSA overview,  Guest Speaker Introduction, Guest Speaker: Charles Herring, CEO of WitFoo
Topic: Big Data Security: Cruising on a Data Security Lake, Business Meeting: Chapter updates from the board and committees: New Discord, New LinkedIn, Meeting recap on website Treasurer, Report Balance $5,758.08 recorded, Meeting adjourned.



Membership updates: QR code will take you to the page to join, Discount code 2023ISSA50L (need to pick 1 year renewable, fill out information, then enter discount code on next page) see Charles for detailed information.
Last meeting: Members: 10 Visitors: 10
Last cyber social: Members: 4 Visitors: 2

Treasurer report: September 2023: $5845.27, would like to figure out sponsorships, for cool stuff like giving back to kids, volunteering, scholarships, Will need to authorize budget for holiday party, 1800 proposed, recorded.

Social Media Updates: decent month, a little growth: Facebook: +4 (total 206), LinkedIn: +1 (total 157), Meetup: +7 (total 235), Eventbrite: +5 (total 118), Discord: +4 (total 16).

After meeting networking: at Plaza Degollado, meeting comes to close

PLEASE GIVE US FEEDBACK! What did you like/ recommendations? What could make your experience better?

Send your feedback to President@ISSA-HR.org  

we love improvement!