Tornado Talks in Ten

Wednesday, May 15 | 3:30PM–4:30PM CT | Montreux, Second Floor Event Centre
Session Type: Breakout Session
Delivery Format: Lightning Talk Presentation


Talk 1: CMSS: Plug In Some Security into Your CMS

Content management systems provide an easy interface for users to alter website content and appearance but often leave security and IT professionals in the dark regarding the security state of the platform. Come join the fun as we explore how Duke is using modules and plug-ins to catalog important security data contained within each CMS and collect it centrally for vulnerability-alerting and incident response.

Outcomes:
  • Understand how CMS data can be used to improve your web security posture
  • Identify methods of aggregating CMS data in your environment
  • Examine some potential strategies for inventorying your web presence

Presenter: Niko Bailey (Duke University)


Talk 2: How to Survive a Successful Phishing Attempt

We experienced a successful phishing incident at KCU, which cost the university real dollars and forced us to create an incident management response team and ongoing security processes. We would like to share our story with other institutions, including what we did and lessons learned that others can benefit from.

Outcomes:
  • Apply lessons learned from our phishing experience to your own institution
  • Craft your own incident response plan
  • Identify tools and ideas to apply on your campus

Presenter: Lance Huggins (Kansas City University of Medicine and Biosciences)


Talk 3: NIST-800-63-3B Password-Vetting Compliance

In June 2017, NIST Special Publication 800-63-3B established new guidelines regarding how organizations should vet user passwords. Rather than password composition policies that require a certain number of character sets, NIST now recommends that organizations check passwords against a list of banned passwords and reject those that are found on the list. As of July 2018, the list of known compromised passwords numbers more than half a billion strings. This presentation will demonstrate how to solve this problem at all levels of the organization and also share a specific technical solution using a Bloom filter at Virginia Tech.

Outcomes:
  • Understand the drastic password-vetting changes introduced by NIST 800-63-3B as of June 2017
  • Learn how these changes will impact every level of your organization and how to adapt
  • Learn how to solve the technical challenges brought about by the changes with a hybrid solution

Presenters: Randy Marchany (Virginia Tech), Richard Tilley
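The banned-list check described in this talk, sketched as an added example (not the presenters' code or Virginia Tech's deployment): a Bloom filter sized for a chosen false-positive rate, loaded with a small constructed banned list, and a vetting function that rejects any password the filter flags. The filter can report a false "maybe present" but never misses an entry it holds, so the safe direction for a password check is to treat "maybe" as banned; the 8-character minimum is the SP 800-63B floor for user-chosen memorized secrets.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter sized for n expected entries at false-positive rate p.
    A lookup can say 'maybe present' (false positive) but never 'absent'
    for an entry that was added, so a banned password is never accepted."""

    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m bits and k hash functions for the target rate
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: k indices from one SHA-256 digest
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_banned_filter(banned, fp_rate=1e-6):
    bf = BloomFilter(len(banned), fp_rate)
    for pw in banned:
        bf.add(pw)
    return bf


def vet_password(candidate: str, banned_filter: BloomFilter):
    """Return (accepted, reason). A 'maybe' from the filter is treated as banned."""
    if len(candidate) < 8:  # SP 800-63B minimum length for user-chosen secrets
        return False, "too short"
    if banned_filter.might_contain(candidate):
        return False, "found in banned list"
    return True, "ok"


# Constructed sample banned list; a real deployment loads hundreds of millions
BANNED = ["password", "123456", "qwerty123", "letmein1", "Summer2018!"]
BANNED_FILTER = build_banned_filter(BANNED)

if __name__ == "__main__":
    for pw in ["Summer2018!", "correct horse battery staple", "short"]:
        print(pw, vet_password(pw, BANNED_FILTER))
```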


Talk 4: Sleight-of-Hand Magic and Cybersecurity

We'll explore the commonalities between sleight-of-hand magic and cybersecurity, specifically, the neuroscience behind the way the observer/user interprets data they see and how the senses can be tricked both in magic and in cybersecurity.

Outcomes:
  • Learn how to triage potential threats
  • Learn how to manage your attention to mitigate errors in judgement
  • Understand the science behind illusion and perception and its role in exploiting the user

Presenter: Don Warrick (California Lutheran University)

Presenters

  • Niko Bailey

    Vulnerability Management Analyst, Duke University
  • Lance Huggins

    IT Director, Kansas City University of Medicine and Biosciences
  • Randy Marchany

    University IT Security Officer, Virginia Tech
  • Don Warrick

    IT Training Manager, California Lutheran University

Resources & Downloads

  • NIST 800-63-3B Password-Vetting Compliance

    Updated on 11/26/2019
  • How to Survive a Successful Phishing Attempt

    Updated on 11/26/2019
  • CMSS: Plug In Some Security into Your CMS

    Updated on 11/26/2019
  • Sleight-of-Hand Magic and Cybersecurity

    Updated on 11/26/2019