ISSA Chapter Meeting 9 July 2024:

Opening remarks: Hybrid meeting: Meeting held in-person at ECPI and virtually on Zoom. For questions, please raise your virtual hand or use the chat feature. Charles is attending virtually today. Please give us feedback after the meeting: what did you like? What could we improve?

Agenda: Welcome/Membership/Education/Presentation/Business Meeting/Q&A/ Feedback/Adjourn


Organization Chart:

ISSA-HR Professional Association Benefits: Build professional relationships; stay current on developments in areas of information security/risk/privacy; professional development; education opportunities (looking forward to our presentation today!); earn CPE/CEU continuing education credits (Membership chair can handle CPE/CEU inquiries); learn practical and best practice solutions; career information and employment opportunities.

Whether you’re a pre-professional, entry-level, mid-career, senior practitioner or security leader, ISSA offers strategic resources and guidance to successive career levels.
Membership Annual Cost: Professional (Not a student) $95, Student $30, (Chapter Dues $30) Professional = $125 total, Student = $60. Your company may even reimburse these dues! It does not hurt to ask.

*Select Hampton Roads as your chapter

New Members: Welcome: Orantes B!

Education:
Resources on website, we do now have a separate mentorship program; we are passionate about what resources are out there!
Goals: Provide educational resources, mentorship opportunities, teambuilding/collaboration, hands-on industry tool familiarization, certification tracking/pipeline


Free Certification and Training:

SANS Cloud Diversity Academy:

Brought to you by SANS and Google, this is a U.S. Cyber Academy for U.S. Citizens and permanent legal residents with work authorization. This academy offers skills to secure cloud infrastructure and sensitive data through SANS OnDemand training and hands-on labs with industry experts. Launch your career in cloud security by earning globally recognized GIAC certifications with the support of a dedicated community manager and post-career placement with access to an alumni network.

Encouraged to apply:
Women; Non-Binary; Transgender, Black; Hispanic; Latino; Indigenous, PoC
Unemployed, or underemployed and interested in a career change (Priority may be given to applicants who are unemployed, underemployed or career changers)
Must be a US Citizen or permanent legal resident (Green card holder) with work authorization and currently living in the US.
https://sans.org/cyber-academy/cloud-diversity-academy/

EC-Council’s $7 Million Scholarship for Cybersecurity Career Technician (C|CT):

Launched in May 2023 with an initial investment of $3.5 Million, the CCT Scholarship Program received a significant response with applicants pouring in from 170 countries. This global interest highlights the widespread demand for cybersecurity expertise and ensures a diverse pool of candidates with varied perspectives, essential for effectively addressing cyber threats.

The scholarship program has become a cornerstone in tackling the global cybersecurity workforce deficit. By nurturing a diverse and skilled talent pool, EC-Council is actively strengthening global cybersecurity resilience. Our continued commitment to this initiative, aligned with our mission to empower individuals and organizations with cybersecurity expertise, signals a future where digital environments are safer for everyone.

Successful awardees will receive a scholarship to cover the cost of education and certification resources. The scholarship will not cover the certification exam’s proctoring and technology fee of $199, which the awardees will be required to pay to avail the benefits of this program.
https://campaigns.eccouncil.org/cyber-career-starter-scholarship?utm_source=cybersecurity-exchange&utm_medium=pop-up&utm_campaign=cct-global-scholarship

Reading List: Blog of the Month:

The CDK Global Cyberattack:

The CDK Global cyberattack in June 2024 serves as a stark reminder of the vulnerabilities within the automotive industry’s reliance on third-party software providers.

Attack Method (Speculative): While CDK hasn’t publicly confirmed the attack vector, experts suspect a combination of tactics:

Phishing: Hackers might have sent emails disguised as legitimate sources to trick CDK employees into clicking malicious links or downloading malware, granting initial access.

Software Vulnerabilities: Exploiting weaknesses in CDK’s software could have allowed the attackers to gain a foothold in the system and escalate privileges.

Impacts:

Dealership Disruption: The attack crippled core dealership functionalities. Sales, financing, customer relationship management (CRM), and service departments were all significantly impacted.

Financial Losses: Dealerships faced lost sales, delays in closing deals, and potential disruptions in service revenue.

Reputational Damage: Downtime and delays can erode customer trust in dealerships, impacting their brand image.

Wider Industry Impact: The attack reverberated through the auto industry, causing delays in vehicle deliveries and impacting overall sales figures.

Resolution:

System Shutdown: CDK prioritized containment by taking their systems offline to prevent further damage and data exfiltration.

Negotiations (Unconfirmed): Reports suggest CDK may have entered negotiations with the BlackSuit hacking group, though the details and outcome remain unclear.

Gradual Restoration: CDK worked diligently to restore core functionalities, prioritizing critical services like sales tools.


SOURCE:
https://www.cbsnews.com/video/cdk-global-cyberattack-still-crippling-car-dealers/

Social Media Resources:
Zeffy is used for event registrations; we sent an email out if you are signed up for those. With Eventbrite, we were limited to a certain number of sign-ups, and they have begun to charge for the service. Eventbrite is still being used, though it has a 25-attendee limit.


Feel free to pitch in and share ideas on our Discord!
Discord (QR below): use the QR code, the link, or search “ISSA-HR” (https://discord.com/invite/Jt3m7TWQzQ)


LinkedIn: great resource to get in touch with us:
Click the QR code (Above), link or search for “Information Systems Security Association – Hampton Roads Chapter” https://www.linkedin.com/company/information-systems-security-association-issa-hampton-roads-chapter/

Website: Be sure to also check out the Meeting recap on the ISSA-HR webpage!

Been blogging on the LinkedIn! Thanks Faith! We love feedback!
https://issa-hr.org/issa-chapter-meeting-4-june-2024

Meetings and Social Events:

9 July: Daniel Weiss, IT Manager of Standard Calibrations Incorporated: Adventures in ZFS: Keeping data through hardware failures

6 August: Patrick Currie, Cyber Security Engineer (NAVSEA): A Deep Dive: Penetration Testing Techniques for UUVs

10 September: Orantes Blanks, Google Tech support: Crypto currency wallets stories and how to avoid pick-pockets


Looking for speakers for October 1st and November 12th, and beyond as we look ahead to 2025!

If you’ve been to, or go to conferences, and find anyone, or if you want to speak yourself! Practice something you’ve been working on or dig into something, such as a class presentation, an experience you’ve encountered or anything else related to cyber! Evan L is the point of contact for presentation inquiries.

After-Meeting Networking Happy Hour: After ISSA meeting at Plaza Degollado (around the corner from ECPI).

Cyber Social at Casual Pint: Wednesday July 24th 5:30-8:30. It’s a great casual (non-formal) event, always a good turnout. No expectations, great place to network. Definitely a good time. Be advised we will not get the side room this time. We will be there, come out for a beer; we might (weather permitting) be able to be outside. You can sign up for emails to stay in the know about these events!

Jobs:
Need a job:
Type of Job, Elevator Pitch (Value you bring, qualifications, additional info)
Have a Job:
Title of Job, basic requirements, contact information
ISSA has a job search page http://iz1.me/XJU31zUSeBV
https://issa-jobs.careerwebsite.com/jobseeker/search/results/

Government Jobs: USAJOBS.gov:
Government job resource. Great resource for fed resumes: Federal Resume Guidebook by Kathryn Troutman

Best way to get a job is through networking, as always.

Need a Job: If you’re looking for work, now’s your chance to let us know! Let us hear your elevator pitch: an Introduction, summary of what you do: current role and why you are doing well there, relevant experience, explain your value/what problem you can solve, and a Call to action for what you’d want to do next. Whether you are currently employed or just want to practice, now is a great opportunity.

Optionally, for an extra 30 seconds you can add other details such as clearance status, remote, on-site or relocation preference, additional education/certs not already mentioned, and other short details. We can post your email in the chat if you want, we will ensure it gets to the right people.


Michael works IT Support, networking engineer at Lynnhaven, has CC exam this week (Good luck!), looking to try CISSP after that, may need help from the group, currently networking, worked for government side, right now wants to try to get into Network Security Engineer, advancing from network engineer to network security, currently has TS/SCI.

Ebelle has a master’s in business administration, teacher for fifteen years, transitioned into full time IT, network for three years, right now working as IT Support Specialist, has Security+, did A+ before that and an Azure cert, works at a smaller firm and feels like she can do so much more, doesn’t have much experience in cybersecurity, looking for opportunities for reaching out, also has ISC2 CC.

Derek currently works as healthcare CNA, background in IT, bachelors in IT, masters in information communication engineering, at the moment, looking to branch into that field. Look forward to learning from the group and seeing where it takes

Ginny finished Google cybersecurity cert and is studying for Security+, not looking for a job quite yet but won’t be here next month, figured she would stand up now, casually looking.


Have a Job:
Job title/Company/Type (Contractor, Government, Private sector, Internship, Full time, Part time)/Requirements (Years’ work experience, Education, Certs, Clearance)/Desired experience, qualifications and any other information desired (keep it short)

Johnnie’s company (SAIC) is hiring, a few from the group have been given offers, will sponsor security clearance, to start requesting you have A+ or Sec + or can achieve within 6 months, the process to be on boarded is minimum 2-3 months. Health benefits are great and you will learn a lot, Navy Marine Corps Intranet (NMCI)


CJ works a contract and is looking for two more helpdesk/group team helpdesk, software troubleshooting, contract is awarded but jobs are not posted yet. Two other positions in data analytics, website creation, geofencing type of job. If you happen to have those types of skills get in touch!


Monthly Presentation: Adventures in ZFS: Keeping Data Through Hardware Failures


Daniel Weiss, IT Department Manager of Standard Calibrations Inc will be discussing “Adventures in ZFS: Keeping Data Through Hardware Failures,” which promises to be both enlightening and engaging. He will delve into the challenges of handling hardware and data in production environments, sharing war stories, recovery experiences, and lessons learned. Attendees will gain insights into architecting systems for resiliency, managing different types of backups, and understanding their importance. With practical advice on how to turn potential disasters into manageable setbacks, this talk is for anyone looking to enhance their data management strategies and protect their systems against failures and ransomware threats.

Thank you, Daniel!

Adventures in ZFS; Keeping Data Through Hardware Failures: (Mother nature, hackers, entropy)
Making sure things don’t “vanish underneath your feet”

In my field, you’re not allowed to lose data (in no field really)

Why Data Storage?:
“Accidental, malicious, ransomware, etc. How do you recover? Corruption is like bad saves, power loss, software glitches that write 0’s instead of properly saving files. Bit rot doesn’t get discussed much: files that exist for long periods of time, the bits ‘flip’ quietly across systems.”

Roops: does that affect some storage media more than others?
“I deal with tape storage and disk, if tape is well secluded it’s less susceptible, mechanical failures, bad drivers can cause it”
Roops: like bad sectors

“Motors can go out, you can put it in the freezer to help try and bring it back, arms are magnetically controlled. Access loss, popular due to the cloud: what if the cloud is not there? What if the account messes up? These are more common issues... the cloud doesn’t CARE about your data. Disk loss, natural disasters, data center power loss were more historical issues.”

Threat Modeling:
(or how I learned to stop worrying and design to the specification)
When you’re designing things, what are the day to day real threats? Tabletop discussions are great to assess this. I am confident in my backup system because people keep deleting things…they get accessed frequently.
3-2-1 backup strategy is great for this. We use both rotational disk and tape, one is always online, the other is very slow, very offline. You may have lost some but the rest of the bank is there…unless you’ve lost the whole building.
On ransomware, how do you make it “one hour ago” on a server? For those levels of things, hourly snapshots are good for it. This happens on the non-user-accessible backend. Deleting files out of snapshots is not possible.

Quick Tech Definitions: (see slide) Filesystems:
My big thing is Zettabyte File System (ZFS), XFS, ATFS, FAT32, etc., depending on an indexed system or copy/write system, performance. RAID: 0, 1, 5 (RAID Z1), 6 (RAID Z2), or Complex (see slide)

Heil: what are your thoughts on ZFS’s RAID? Aside from a hardware controller?

“I like software RAIDs, hardware failure doesn’t affect them usually. Operating systems that support ZFS have a little more granularity, if a disk fails... what if you have a few bad sectors?
Let’s say I have ZRAID2 for four disks, a normal controller would just do normal striping.
Heil: are you running these on VM’s or app servers? Do you take that in account when you do your RAID structure?
“The use case is always changing. Say for example the NAS we’re doing for mail, that’s ZFSRAID 10. I’ve never used ZFS in a virtual file system. It can be done, but generally, it wants to talk to the entire program. If I need to access a bunch of data, it can read and mix and match and prioritize.”

Kenn: what’s the speed difference between hardware and software RAID?
“Hardware was the go-to back in the day, most software RAIDs were substantially slower back then. That’s a hard one. I’ve never run ZFS off a hardware RAID. This unique use case works best in my experience on software, which are more user friendly these days.”

Hiel: What drives are you running on? “SAS, SATA, just started NVMe but those are mirrors. Hot swapping NVMe is not something we do.”
Are you using acceleration discs? “Yes, we use read and write caches. One is a write log and the other is a RAM cache for gets. If you don’t have enough RAM, SSD can do this too, as they are non-volatile; use RAM for read cache because RAM is volatile.”

Snapshotting/Versioning: Putting a date stamp next to it eliminates time penalty, users can’t tell hourly snapshots. There are limits, generally 100 are recommended.

War stories:

1. “One SAS hard drive can be connected to multiple servers (first mistake). Had a SAS array hooked into two different servers, super fast, super cool, automated IP address failover. Ran testing for four months before pushing it to the production environment… an update did something, as they do. Updated the server, restarted, it didn’t properly give the file system, and hung during shutdown. Server updated the driver used to communicate to the disks… server came down and did not come back up. The second server was still mounted, writing to the SAS array simultaneously… Both hung. Unable to mount file systems. Came up as “corrupted.” Long story short, I did not lose any data, only the feature flags. When things got weird, the file system trashed, but realistically no data gone… except for all my emails.”

Coding things yourself for mission critical data is not a recommended practice.

Had to consult Solaris documentation and retrofit the software until the file system could be read again. VERY slow data transfer.

I did not have a backup plan for this, because you don’t really run into it until... you run into it.
Sometimes you can’t anticipate hardware failure, this is why data retention is important.

2. Picked up a bunch of servers at the same time, same model hard drive, same size, same use case. Something you don’t consider: they won’t fail at the same time, right? How much disk parity do you have? A few drives? RAID 5 is fine. A few more? A whole bunch? RAID 6 might keep you safe... How many drives can you lose at the same time? Do you have spares in inventory? We were losing 2-3 a week. Had to start buying them in bulk, only to witness them going out at once. With the same data usage, they are likely to fail at the same time.
Backblaze publishes data on how different brand hard drives behave over time.
If your data is lost, it doesn’t matter how good your firewall is. Your company can’t work without data.

3. An SMB feature flag update caused data to write 0’s to file but calls it saved. Then removed accessibility to files. This is a use case that pointed to use of ZFS.
Our tape backup is LTO tapes, it has a file system, but more or less they do their own thing. The tape system manages it mostly. Tapes have different stripe layers on them depending on what type of LTO you have.
Roop: how much time of snapshots do you keep?
“We do our hourlies and keep them for 1-2 weeks depending on the system. It’s hard to do long term snapshots; if we are keeping long term, those snapshots usually are done weekly. Snapshots are done on a block level instead of on the file level.”

Over 80% on a ZFS system can be a hard time; APFS had this issue at 90% disk space.
XP would do it in a way where every disk write would run a disk defrag.


CJ: I have a fun “learn”, in the navy I had a system that had a drive, RAID 6, noticed when a drive went bad, put it on order, didn’t have on hand, next thing I know still haven’t gotten it after a month, nervous about the drive, the type of system it was didn’t give us rights to activate the disk. Nobody could figure out who to contact about this at the training command I was at. Sitting there doing “someday this is going to die” the second disk will go and the stack will fall.
“It depends if you are read intensive or write intensive: what do you need practically for the day-to-day?
What if one fails? What if several fail? If it fails on Friday and hardware people aren’t there until Monday, it silently fails over the weekend, it will run while it can until it fails.
An interesting thing we ran into: smaller size disks in high quantity helped performance, then tried large slower disks, then swapped a drive, and seven hours later, it still was not done indexing.”

Hiel: Have you run into shingle disks?
“I never used them, was excited about them.”
Hiel: do not even put a shingle disk in a RAID
“why?”
Hiel: there are even WD Reds that are shingle, it’s seen in exotic file systems and seem to be bad news.

Roop: as a medium company how do you handle storage?
“we are on our next round of reconsidering offsite storage. Budget and bandwidth were discouraging factors in the past. It’s also discouraging when you can’t determine what’s important or what isn’t. Our network and backbone is good to 10-40 gig, uplink. We can push data back and forth much more quickly than through the internet.
Things we can’t lose for audit purposes would be best used for this use case.

Hiel: are you running everything locally?
“Almost everything, all internal is local, we have a building HVAC and a server room HVAC that runs separately.”
Hiel: so when the meteor hits……
“this is why we have so many meetings about it”

Business Meeting:

Old business/New business/Membership Updates/Secretary: Meeting Minutes/Treasury Report/Social Media Updates

Old Business: Social Event, Casual Pint June 26th

New Business:
Election Committee
Conferences

Volunteer Events: What would members like to participate in? Who can volunteer to lead?

Election Committee:
As per Article IV of the ISSA Hampton Roads Bylaws: we will be needing two volunteers to fulfill these positions; nominations for following board positions:
President
Vice President
Secretary/COO
Treasurer/CFO


Election Committee Best Practices:
PREPARE FOR ELECTION:

1. Identify election workforce

2. Find and read the latest bylaws, especially sections on audits, elections and turnover processes

3. Follow the bylaws, have them present in case of questions.

4. Define and record the process particulars then distribute/brief it to membership.

5. Early and frequent request for nominations

6. Request nominations AT EVERY MEETING to attain momentum, enlarge the field and get people involved/talking about it.

7. Determine type of election: Designated or Rolling nominations. Each has advantages and drawbacks. Smaller numbers of nominees normally indicate a rolling nomination.


Board members who are currently in positions that are open for nomination cannot be part of the election committee.

Johnnie has volunteered as Election committee/ Evan is audit committee (CJ will oversee and be IT support)

ISSA Mentorship program:
NEED VOLUNTEERS
Desmond Graham: Mentorship Chair
Call for volunteers on the mentorship Program committee

Desmond has communicated that he would be busy until August, Volunteers would be helping to find mentors in the area as well as a place to host the Mixers.

Call for Mentors: reaching out to schools and companies in the area
Mentorship Mixers: Learn about how to get into cybersecurity with no previous background
Meet and learn from cybersecurity SME mentors
Network with hiring managers and the cybersecurity ecosystem

Conferences:

Bsides Roanoke 2024: July 12th: $25 https://bsidesroa.org/

Virginia Cybersecurity Education Conference: July 16-17th, Blacksburg VA: $50-$200, https://sites.google.com/vt.edu/vacybereducon

Zero Trust Government Symposium: July 17-18 in National Harbor, MD: $0-$1290 https://zerotrust.dsigroup.org/

DC Metro Cybersecurity Summit: July 18th in McLean VA: $195-$250, https://cybersecuritysummit.com/summit/dcmetro24/

SANS Security Awareness: Managing Human Risk Summit 2024: August 1st-2nd , Norfolk VA: $0 (Virtual)-$425 (in-person),

https://www.sans.org/cyber-security-training-events/sans-security-awareness-summit-training-2024

Black Hat USA 2024: August 3rd-8th in Las Vegas, NV: $2,499 (briefings) $800 (vendor hall)
https://www.blackhat.com/us-24/

DEF CON 32: August 8th-11th in Las Vegas, NV: $480
https://www.defcon.org/

FutureCon: August 22-24 in Washington DC: $50-$200 https://futureconevents.com/events/washington-dc-2024/

INFOSEC World: September 21-22 in Lake Buena Vista, FL: $1595-$3595,

We love to volunteer at local conferences! Great way to network, garner interest in our chapter. Some of the best networking opportunities compared to merely being a guest. We are always looking for people!

Membership Update:
Number of members: 46
Last meeting: (Unknown) members, (Unknown) visitors in attendance

June 4th Meeting Minutes: Meeting recap on website:
https://issa-hr.org/issa-chapter-meeting-4-june-2024/


Presentation Speaker: Evan Larsen: How My Facebook got PWNED (And how I recovered from it)
Business Meeting:
Old Business: Cyber Social @ Casual Pint
New Business: Conferences, Volunteer Outreach
$4,346.71 recorded.

Treasurer Report:
Balance: $4,494.71
Still trying to get back to 5k

2024 Events Calendar:

Social Media:


Email Addresses:

Adjourn:

After Meeting: Networking Happy Hour @ Plaza Degollado

Please give us feedback!: What did you like? Recommendations for future meetings? What could make your experience better?
Send your feedback to President @ ISSA-HR. Org

Roop: How do you guys do data backups?
“what are you defending against? It depends on how important that data is. We do net notifications if things do happen”

Johnnie: Do you guys have a cold site?
“there is a something…let’s move on”

Hiel: I’ve done a lot of data forensics, data recovery etc. One of the things people don’t realize is the bit rot on an SSD is IMMENSE, especially if it’s not powered constantly.
If you’re going to store it long term, not plugged in, conventional HDD is the way to go.
“People assume HDDs, since they are mechanical, are more vulnerable, but SSDs are not perfect either, and they were designed to be that way: they were designed to be cheap and plentiful. We only use SSDs in our backup systems for cache accelerators.”

Hiel: always test your backups!
“Yes, always make sure they work, don’t wait until you hit the restore button.”