Silicon Valley Cybersecurity Meetup

Agenda:

6:00 - 6:15pm: Introduction
6:15 - 7:00pm: Gopi Ramamoorthy - Are you worried about data breaches? Let's change the Pentest Strategy!
7:15 - 8:00pm: Networking

Summary of the talk:
Cyber threats continue to evolve in different forms and grow at exponential speed. Majority of the companies conduct pentests periodically to identify the risk and proactively take measures to protect the systems. The companies also conduct multiple cybersecurity pentests using internal security testing teams and through bug bounty programs. But a large number of companies still face multiple security incidents including data breaches each year. Speakers with his experience of managing security for highly regulated industries such as finance and healthcare for over 15 years will deep dive into what are the critical tests that are not included in pentests. This session will list top 10 things that should be included in pentests but not included. First half of the session, the speakers will discuss why these top 10 are not included by providing details on technology limitations, process boundaries, and methodologies of current pentests. Second half of the session will be on how to overcome the technology and process barriers to eliminate above shortfalls to improve the benefits of pentests and secure the organizations. Pentesters most of the time focus on breach attack surface (BAS) while they should prioritize the protect surface. Pentesters also heavily rely on OWASP top 10 threats, and vulnerabilities that have assigned CVEs but many vulnerabilities in some of the new threat categories do not have assigned CVEs. Those categories are Zero Trust vulnerabilities (vulnerabilities in access control for not following ZT), Identity management, SSO integration and configuration vulnerabilities, data exposure or leak vulnerabilities, AI system vulnerabilities, and supply chain integration vulnerabilities. Speakers will provide related examples/case studies. As mentioned above, the second half of the session will focus on what needs to be changed in strategy, process and technology to overcome the above limitations. The speakers will go deep dive on technical details to build a risk register and align the timing, strategy, goals of the pentests with the risk register. Ransomware attacks and data breaches have become very common and it has become a real nightmare to many CISOs. The speakers will address how to reduce the risk of these two using pentests. Finally, speakers will highlight how GenAI can be used to improve the pentests and can become a core part of the cybersecurity professionals’ toolbox!

Speaker bio:
Gopi Ramamoorthy, with over 15 years in information security and compliance, has risen from engineering roles to leadership positions in sectors like Finance and Healthcare. He has built security monitoring infrastructure for startup and large enterprises including the systems that
processes $350 billions in financial transactions. He managed security compliance for multiple units, had been part of 300+ audits and consistently maintained an impeccable record of zero findings. Gopi's contributions extend beyond his core work; he's an active leader in infosec
forums and served at ISC2, ISACA, CSA in leadership roles since 2013. Gopi is an advisor for multiple Cybersecurity and AI companies. Certified with CISSP, CISA, CIPP/US, and CISM, Gopi is currently the Head of Security and GRC Engineering at Symmetry Systems. Gopi has
spoken at multiple conferences on Cybersecurity, AI, and Privacy including at RSA San Francisco, ISACA, ISC2, OWASP, CSA, IIA, BSides, and multiple regional conferences.

Agenda:
6:00 - 6:15pm: Introduction
6:15 - 7:00pm: Todd Krebsbach - Rooting Around: Forensic Adventures in IoT with a Smart Camera
7:15 - 8:00pm: Networking

Summary of the talk:
This talk walks through a real-world forensic investigation of a off-the-shelf well-known smart camera device. Using UART access and bootloader bypass techniques, I gained root shell access to examine the device’s firmware integrity. Along the way, I manually invoked boot steps, verified critical hashes, and uncovered that the device had either been reset or was never compromised. It’s a behind-the-scenes look at hardware hacking, firmware validation, and the curious world of IoT forensics.

Speaker bio:
Todd Krebsbach is a Senior Security Engineer with a passion for hardware hacking and digital forensics. Before entering the cybersecurity world, Todd spent 20 years in the U.S. Army, serving as both an Infantryman and a Counterintelligence Special Agent. With over a decade of experience in intelligence operations and red team engagements, he brings a unique perspective to the intersection of physical and digital security. Todd holds a Master of Science in Cybersecurity and has been an avid hacker since middle school—dabbling in everything from RF exploitation to tearing apart IoT devices just to see what makes them tick. His work blends curiosity, discipline, and a touch of mischief, making him a go-to for unconventional security insights.