Nov 12, 2025

Security Boulevard Community Chats Webinars Library Queen City Con 0x3: Hacking And Embracing Resiliency Cincinnati holds the distinction of being the first in the United States to establish a municipal fire department in 1853 , as well as the first to install a fire‑station pole. This marked a turning point in the history of firefighting, as the new technology of the steam pump let small dedicated groups of professionals stop fires much faster than ever before. But the arrival of the steam pump was not immediately embraced by the public, as many people distrusted this new disruptive technology . Over 120 years later, we are once again seeing defenders leveraging new technology, namely AI, that is also being met with a lot of skepticism. This parallel made "Cincy" the perfect backdrop for hackers to get together to talk security and trends at Queen City Con 0x3 . Hundreds of security pros, compliance experts, students, and hackers got together for the third installment of "Cincinnati's Premier Security Conference." Over three days, 71 speakers presented talks alongside hands-on labs, workshops, and 10 different villages, which many participants noted made this event feel very similar to DEF CON, but without the infamously long lines. Here are just a few highlights from this year's QCC. Machines Now Define Your Perimeter In his session "Non-Human Identity Management (NHI Management)," Scott Smith, Principal Consultant at New Era Technology , talked about how risk has shifted from people to non-human identities (NHIs). He defined this to include tokens, API and OAuth keys, certificates, bots, and service accounts, spread across our systems, code, and environments. Creation is automated, but ownership is unclear, and visibility is decentralized. Attackers know this. The common breach path is simple: a developer hardcodes a key, commits to a public GitHub repo, and automated scanners find it within minutes. Scott said that over half of organizations report breaches tied to machine identities, and that now 77% of web app attacks start with stolen credentials. Scott explained that traditional identity and access management (IAM) programs do not cover this terrain. Secret scanning helps, but really, what you need are better processes. He reminded us not to boil the ocean; we should start where DevOps already has traction and keep secrets out of code. Treat machine access like data risk. If an NHI can reach a critical system, govern it like regulated data. We need a pragmatic approach here. First, discover and inventory NHIs and classify them. Next, prioritize and rotate static credentials, right-size permissions, and integrate automated secret scanning into CI/CD to stop new leaks. Finally, establish governance that survives growth. Expect the footprint to expand as microservices, automation, IoT, and AI agents multiply identities and introduce drift, especially in MLOps. The perimeter is identity now. It only works if it protects more than your workforce. Scott Smith Cloud Security’s Preventable Failures In his session “Cloud Security and Other Assorted Cautionary Tales,” Matt Scheurer, VP, Computer Security & Incident Response , walked through the kinds of mistakes that still drive incidents in AWS, Azure, and Google Cloud. It starts with a simple posture check, using threat models like STRIDE and data-flow mapping to see how information moves in and out of systems. Then he verifies that basic controls exist. In AWS that means GuardDuty for detection, CloudTrail for activity logging, and CloudWatch for performance signals. In Azure, lean on Defender for Cloud, Sentinel, and Entra ID for identity. In Google Cloud, Security Command Center is the anchor. Training matters too. He said he relies on Microsoft’s Cloud Security Explorer and Kusto Detective Agency to make it easier to find issues before attackers do. Matt’s introduced us to the acronym "SaaD," Stupidity-as-a-Disservice. He does not mean this as an insult, but as a reminder that many cloud failures are avoidable if we think things through and communicate. For example, he told the story of a storage bucket marked public, where a developer insisted that since uploading to it required a login, it was safe. It was not. Anyone could discover and download anything in that bucket, which contained receipt images, full credit card payment data. A misunderstanding and misconfiguration turned into a privacy incident. Another case hinged on default credentials left unchanged after a penetration test. Another story Matt told was about an engineer who opened Remote Desktop on a cloud host to bypass a broken VPN, creating a jump host that risked full environment compromise. Matt said the fixes for most issues are straightforward. For example, avoid making public buckets by default. Update credentials and test that default creds no longer work on any given system. Classify the data before migrating it to determine the precautions you need to take and the scope of potential incidents during and after the move. Ultimately, we can't trade security for convenience. Matt Scheurer Defaults That Let Users Own Your Forest In their session “Making $ With COMPUTER$,” our , Principal Security Consultant at Semperis , and John Askew, Hacker and Founder of Terrapin Labs , showed how a plain user can join a machine to Active Directory (AD) and pivot to compromise the whole forest in minutes. Two default settings were at the heart of this issue. First, the ms-DS-MachineAccountQuota attribute lets certain users add up to 10 computers to the domain. The other is  `SeMachineAccountPrivilege` user right, which lets any Authenticated User add those computers. The presenters said that this made sense 25 years ago, but today machine accounts are attacker gold. They face less scrutiny, carry different permissions, and can even be created via relay without credentials. Both speakers see these defaults everywhere; Jake estimates roughly 80 percent of AD instances have never updated these settings. John said he has never seen anything but default for these in any pentest he has done. The duo explained that the fix is simple and disruptive in the right ways. Set MachineAccountQuota to 0 and restrict SeMachineAccountPrivilege so only admins can add computers. Teams should follow the newer domain join model with trusted computer account owners. Pre-create the object in a controlled Organizational Unit (OU), which is a specialized container, then let a designated joiner attach the host, or even go as far as performing Offline Domain Joins for tighter control. Monitor for new machine accounts with Event ID 4741 and investigate the creator if it ever shows up unexpectedly. The pair urged us all to start the conversation with the server and identity teams now, before any incidents occur. John Askew and Jake Hildreth Detection by design means resilient first Trent Liffick, Principal Cyber Threat Analyst at Fifth Third Bank , in his session “Detection by Design: Engineering Resilience Against Evolving Threats,” argued that most teams believe they are designing for detection, yet many lack dedicated practitioners. He framed detection engineering as a lifecycle: gather intel, design, develop, test and deploy, monitor, and keep testing. The goal is coverage that balances integrity, operational cost, risk, and utility. Trent drew a clear line between brittle and resilient logic, where brittle rules break when attackers rename binaries, obfuscate command lines, or swap tools. Resilient detections describe behavior, so for example, instead of matching powershell.exe by name, use OriginalFileName to see what the service was originally called, and Script Block Logging, which records all PS script runs, regardless of how they are invoked. His principle is “shift down, not left.” Ask whether a rule holds over time, resists small tactic changes, and models attacker behavior rather than a string seen once. Prefer generalized patterns and abstractions. Trent said that we need to evolve faster than adversaries. We should aim to catch any mistakes an attacker makes while taking shortcuts to speed up their attacks, and design detections that survive evasion. Trent Liffick Discipline Over Defaults The subtext across QCC was simple. Our biggest risks are not zero-days. They are defaults, drift, and decisions we delay because they feel inconvenient. Each session pointed at the same nerve. Identity is the perimeter, and our lack of guardrails in the cloud is an attacker's best friend. Detection is celebrated, yet often built on fragile strings instead of durable behaviors. We must develop the habit of turning principles into practice on the dull, daily work of building out and enriching our asset inventory, logging, rotation, and reviewing to ensure we are following the principle of least privilege everywhere. Model Over Mechanism The best teams are the ones that think in lifecycles and patterns, defining what “good” looks like, then keeping the systems inside those bounds. Measure change. Log what matters and read it to detect the behavior, not the binary names. When you do adopt tools, pick the ones that reinforce the model rather than distract with dashboards. The tool is not the needed control. The control is the rule you enforce every day. Culture Decides Outcomes Convenience is a persistent attacker's ally. Public buckets, default creds, and brittle rules that break on a filename change are not sophisticated concepts, but they are very common patterns in modern organizations. Resilience comes from teams that choose to embrace friction early so they avoid catastrophe later. Identity governance might be a boring grind to get right, but it is mandatory. Pull The Alarm, Prove The Control Firefighting in Cincinnati turned a corner when steam met discipline. Security is at the same bend now. The lesson from Queen City Con 0x3 is not another tool. It is posture. Your author got to give a talk along these same lines, raising awareness of the seriousness of the issues of poorly governed NHIs and what steps we can take right now, and into the future, to improve our security posture in this area. Treat identity as the perimeter, especially for non-human accounts, and focus on nailing down cloud security basics. We should stop pretending that giving in to convenience is neutral. Fixing the issues we create by taking the easy path takes work, but for most problems, the solutions are boringly straightforward. Cincinnati moved faster once the city trusted a new technology and trained professionals on how to use it. We will too, if we choose discipline over drift.