“Everything was destroyed, and few out of many returned home.”

- Thucydides

Two years ago, we discussed whether the Russian offensive included all-out cyber, or if the combatants were husbanding their resources. Last year, we noted that 50-year-old tanks and munitions work well in battle, whereas cyber weapons have a shelf life closer to milk than to wine. As a kinetic stalemate grinds through men and materiel, cyber has blossomed as a new form of expeditionary warfare, now targeting critical infrastructure, the most prominent of which (as of this writing) has been Kyivstar, Ukraine’s largest telecom provider. The fabric of society is now a target, seemingly in violation of Rule 1 of the Law of International Warfare.

"This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable."

- Illia Vitiuk, head of Security Service of Ukraine (SBU) cybersecurity department

Most critical infrastructures are not state-run in western nations. The United Kingdom has named thirteen critical infrastructures. The United States has sixteen. Regardless, these are being identified, cataloged, and targeted in a systematic way so as to provide a potential early strategic advantage in the event of future conflict.

What happens to our society if the digital gloves come off? What are the consequences of an adversary who cannot win on the battlefield taking the battle to the civilian population, shutting off power, water, and communications? What preparations can be made, realistically, to prepare our countries for what we can see is already happening? What message should we, as the senior global brain trust, craft to mobilize our societies and our governments before they suffer a catastrophic loss that might be avoided if we speak up now?

Do you suffer from a team that can't seem to talk to each other? Can you cut the air with a knife when entering your security meetings? Do people audibly sigh whenever you mention raising a ticket or inquire about its status? If so, then this session is for you.

In today's fast-paced and interconnected digital world, the harmony between security and technical teams is crucial. Yet, all too often, these teams operate in silos, causing friction, inefficiencies, and ultimately, compromising security. But fear not, for there is hope.

Join us as we embark on a journey to transform discord into harmony, to dissolve the tension that permeates the air, and to replace sighs with nods of understanding. We'll delve into the heart of the matter, addressing the root causes of disconnection and discord between security and technical teams.

From inspiring motivation to breaking down barriers, we'll discuss what motivates and drives people to take ownership of their place in Information Security. Say goodbye to the days of disjointed communication and hello to a future where security and technical teams work hand in hand towards a common goal.

The presentation addresses 3 trends currently challenging the cybersecurity operating model.

• Customer expectations are shifting - Digital natives think in terms of customer journeys, and they want safe but low-friction experiences along the way.

• Threats are evolving - There are now new ways to exploit human nature and decision making, using technologies like AI. Lastly,

• Regulations are fragmenting - Countries recognise the value of data and are taking a stronger, more localised, position on how to protect it.

These factors have important consequences for how cybersecurity teams design and implement their governance, risk, compliance and assurance frameworks. We will argue that the new paradigm which is decentralised, where speed and accountability for decision-making are favoured over structures of centralised authority and control.

A pre-requisite of this kind of adaptive security is for decision making at all levels of the organization, which implies effective communications based on a common ‘source of‘truth’.

In this presentation, the speakers will present their experience of establishing a security architecture that reflects these aims and principles, based on control modelling, thresholds, and real-time security data.

The session should be of value to a wide range of delegates that may be facing similar challenges and would be interested in learning what an architectural approach can contribute to the solution.

This will be original content, being presented at conference for the first time.

The hype cycle continues to thrive as illustrated by recent press coverage and political attention regarding the “existential threat” posed by AI, particularly LLMs and generative AI. Inevitably some people are asking how do we secure AI? This session considers AI-related risks and their potential evolution. To address these risks, we need to consider what governance and security mean in an AI context.

Responding to the political attention AI has received, national and international standards organisations are embarking on development of new standards. This session will explore these initiatives, discussing the challenges facing us standardising a rapidly evolving technology. In framing these standards, further discussion is needed about whether AI really is a new problem, or simply highlights inadequacies in our current IT and security standards.

Drawing to a close, the session will explore the role that the supply chain, security professionals, and SABSA could play in addressing challenges arising from use of AI and the consequences and/or liabilities arising from AI embedded in solutions.

Key learning outcomes

• An understanding of AI security risks and vulnerabilities

• An appreciation of the limitations of security standards

• An outline of key issues to address in deployment of AI solutions

The nature of the cyber security risk is both complex and broad, and present in almost any part of digital operations making it a top non-financial risk. On a daily basis stakeholders are being faced with decisions on how to proceed with the implementation of the business strategy whilst providing a commensurate level of protection against ever evolving cyber threats and ensuring critical products and services operate within the desired risk thresholds. The accuracy, completeness and timely accessibility of the information required to determine the optimum way forward is more important than ever.

The session draws in from philosophy to illustrate how ancient wisdom can be applied to cyber security and risk management. Will illustrate how Socratic method, an interactive technique for establishing knowledge, allows us to test assumptions through honest dialogue, think differently and ultimately guide us towards better understanding the implications of decisions that needs to be made. The audience will experience how to draw strength from contrarian thought, and utilise it as a tool for both establishing ignorance and knowledge.

The IT organisation around our team is making key structural and governance changes, including re-aligning to business value stream structures, migrating from waterfall processes to Agile change delivery, and introducing a new control framework. And these are just some examples.

To keep up with these changes, and this pace of change, we need to update our security architecture practices. We are aligning Security Architects with their Solution and Enterprise counterparts to maximise security “shift left”. We are embedding architects in value stream verticals and service horizontals to maximise our coverage with limited resources. We’re helping to share the definition and roll out of the new control framework, to ensure Architecture and Risk processes and artefacts are aligned from the outset. And to keep up with the pace of Agile, we’re taking first steps from point in time design docs towards living architecture artefacts, and re-learning what re-usable architecture means as a result.

In this talk I will explain how we’re tackling all of these changes, lessons learned to date and where we’re going next.

The idea for this came to me today (March 21st) after having visited a dutch conference. It has been lingering in the back of my mind for some time but having seen the call for speakers in my Linkedin-feed this morning I decided to put it forward. On my way home I even came up with a title.

The core of my presentation is that there is a difference between IT and OT and that it should be treated differently, from a security perspective. In the past I have seen that large companies treat the OT they have (HVAC of camera surveillance systems) as if it were a regular IT system. Leading to frustation of both security professionals - trying to secure these systems - and facility departments – trying to operate them.

So I’d like to argue that the IT Security guy (with his ISO2700x of equivalt framework) is not the one to turn to when it comes to securing OT. It the OT Security guy with the IEC62443 certificate. And perhaps explain the basics of IEC62433..

I’d really like to start a discussion on why companies have their OT connected to the internet…

Outside China, Apple and Google control more than 95 percent of app store market share with the Apple App Store holding nearly 2 million and Google’s Play store holding nearly 3.5 million. The impact of this proliferation of apps and their everyday routine use, together with other web interactions, means that users’ personal data is spread widely on suppliers’ servers throughout the Internet.

This arrangement provides an enormous attack surface for malevolent actors. This array of personal digital data points is taking on a much more important role in personal identification than previously, with their compromise potentially leading to individuals losing control of their (digital) identity used by a large number of service providers.

In 1989 Tim Berners-Lee conceived the Solid (SOcial LInked Data) project as a way to give individual users full control over their personal data and the freedom to combine it or share it between applications.

Users keep their personal data in "pods" (personal online data stores) hosted wherever they choose. Applications that are authenticated by Solid are allowed to request data if the user has given the application permission.

2024 has seen the first substantial rollouts of this technology in Europe in the recruitment and healthcare sectors. In this talk we discuss the architecture and technical operation of Solid and whether it has the potential to disrupt existing business models where an individual data subject can become the data controller.

‘Words mean things’, as Drill Sergeant once enthusiastically bellowed at me after failing to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for.

When undertaking any work as a risk professional, it is sensible to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain language expressions while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.

The Connected and Autonomous Vehicle (CAV) sector is rapidly evolving, presenting unparalleled opportunities for integration and third-party data utilisation. This evolution, however, introduces significant challenges, particularly regarding the integrity and reliability of vehicle-generated data. The stakes are high: compromised data could lead to accidents, traffic disruptions, hinder emergency services, and more. This session delves into the technologies underpinning CAVs, upcoming enhancements, potential threats, and necessary controls. It will explore the intricate web of supply chain relationships, the data exchanged between stakeholders, and how these factors contribute to the sector's security posture.

A central theme of this presentation is the concept of "contextual trust" – a framework for assessing and ensuring the integrity of data in environments which could be considered untrustable. By leveraging contextual data points and blockchain technology, we can construct a more robust, trust-based model that safeguards against data spoofing, unreliability, and unavailability. This approach not only enhances the security of CAV operations but also underpins the development of safer, more reliable autonomous transportation systems.

Attendees will gain insights into:

• • The current and future landscape of CAV technologies and the pivotal role of data integrity.
• • The multifaceted security threats facing the CAV sector and the controls to mitigate these risks.
• • The mechanics of contextual trust and blockchain technology in establishing a dependable data ecosystem.
• • Strategies for implementing these technologies to foster trust and security within the untrustable facets of CAV operations.

This session builds on the Gordon Jenkins work presented at COSAC a couple of years ago but refocuses on CAV. It aims to equip attendees with the knowledge and tools to navigate the complexities of CAV security, focusing on the importance of trust and integrity in advancing the sector's safety and reliability.

In the sprawling digital landscape, platforms like Telegram and Discord have become pivotal arenas for threat actor communications, offering a blend of anonymity and accessibility that is highly attractive to the cybercriminal underworld. This session, entitled "Telegram and Discord - A Wretched Hive of Scum and Villainy," will peel back the layers of these digital ecosystems to reveal the dynamics of threat actor communities. The focus will be on understanding where these actors converge, the nature of their interactions, and the illicit activities they orchestrate within these seemingly benign platforms.

The presentation will navigate the complexities of infiltrating these communities, detailing strategies for gaining trust and gathering intelligence within networks that are notoriously wary of outsiders. Attendees will gain insights into the sophisticated methods employed by threat actors to safeguard their forums from prying eyes, including the weaponization of tools against security researchers, law enforcement officials, and others who venture too close.

A special emphasis will be placed on the gaming community, a vibrant and often-targeted sector where threat actors blend seamlessly with legitimate users, exploiting platforms and tools for malicious purposes. This segment will explore the unique challenges and opportunities that the gaming ecosystem presents for cybersecurity efforts, highlighting recent incidents that underscore the urgency of addressing these threats.

Moreover, the session will discuss recent U.S. criminal prosecutions that have brought to light the activities of cybercriminals operating within Telegram and Discord. These cases serve as a critical reminder of the legal and ethical considerations involved in tracking and engaging with threat actors, offering lessons for cybersecurity professionals navigating this treacherous terrain.

This presentation promises to offer a comprehensive overview of the digital underbelly that thrives on platforms like Telegram and Discord. Participants will leave with a deeper understanding of the methods and motives of cybercriminal communities, equipped with the knowledge to more effectively combat the threats they pose. Through a blend of technical insight, real-world examples, and strategic guidance, this session aims to empower attendees to confront the challenges of cybersecurity in the era of social messaging platforms.

The ability to cross boundaries is one of the most natural human behaviours, in fact, it is so natural and normal that we don’t even give it a second thought. Whether we walk out of our houses into public or walk into a bank or store from the street, we don’t even consciously think of the fact that we are crossing a boundary or that each boundary that we cross is beholden to a set of rules that we learn to follow from a young age. One can even go so far as to say that each of these boundaries defines and protects a zone. The Oxford dictionary defines a zone as “an area or stretch of land having a particular characteristic, purpose, or use, or subject to particular restrictions”. Why is it then that we make it so incredibly difficult for ourselves to define and traverse zones in modern business environments? In this session we will explore how we can use an adapted version of SABSA domain modelling to define and manage zones within a modern enterprise and use these zones to create and communicate security information flows and controls to stakeholders concisely and consistently.

In an era where digital information flows freely, the boundary between public interest journalism and computer hacking has become increasingly blurred. This session will delve into the controversial prosecution of Timothy Burke, a journalist from Tampa, Florida, who faced legal repercussions for his investigative work exposing hypocrisy in Fox News' broadcasts, including interviews between Tucker Carlson and Kanye West. His case serves as a stark example of how governments and corporations are leveraging computer crime laws to suppress dissent and penalize whistleblowers and journalists.

At the core of modern computer hacking statutes are vague and ambiguous terms such as "without authorization" and "in excess of authorization." These phrases, initially designed to protect against unauthorized access to computer systems, have evolved into tools that facilitate the transformation of hacking laws into generalized secrecy laws. This presentation will explore the implications of such legal frameworks, highlighting how they are used to prosecute individuals for exposing government or corporate secrets, thereby stifacing critical journalistic endeavors and public discourse.

Furthermore, we will examine the historical underpinnings of these statutes, tracing back to common law trespass laws. The session will argue that concepts of property and trespass, formulated in the 14th century, are ill-suited to govern the complex, interconnected landscape of the 21st-century internet infrastructure. The presentation will critically assess the adequacy of these outdated legal foundations in addressing contemporary cyber challenges, arguing for a reevaluation and modernization of legal principles to reflect the realities of digital age.

This session aims to shed light on the precarious balance between safeguarding digital assets and ensuring the freedom of information and expression. By dissecting the case of Timothy Burke and the broader context of computer crime prosecutions, we aim to foster a nuanced understanding of the legal, ethical, and societal implications of using hacking laws as instruments to stifle dissent. Attendees will leave with a deeper appreciation of the need for legal reforms that both protect against genuine cyber threats and uphold the principles of democracy and free speech.

Today, Agile and DevOps practices enable many organisations to develop and deploy software at an ever-increasing pace. At the same time, thanks to cloud computing, systems are becoming increasingly abstract and complex, making them difficult to secure.

We will discuss some of the real-world challenges facing security professionals in modern environments, including:

• • Poorly defined roles, responsibilities, and authorities
• • The pace of change
• • The constant need to reinvent the wheel
• • The amount of technical debt
• • Busy work vs. meaningful work

This interactive session will explore strategies to address these challenges, including the following:

• • Defining and implementing effective RACI models
• • Fostering collaboration between DevOps and Security
• • Integrating security into the DevOps Lifecycle
• • Automating security activities
• • Specifying reusable patterns
• • Limiting and eliminating sprawl
• • Evaluating and prioritising work

The A4: Advanced SABSA Incident, Monitoring & Investigations Architecture course has been listed as an advanced course but is rarely run and the current training material dates back to 2015. However, this course is arguably one of the most important areas of focus for advanced architectural attention. Despite the many cyber defence approaches that have been adopted in industry, cyber attacks continue to penetrate the preventative layer of controls. Having the operational aspects of an organisation’s cyber defences built as an integrated part of a solid architecture is key to minimising damage to the business and the executives running it.

The 2015 course covers monitoring, transforming log data, augmentation, and incident management and investigations. This presentation describes the changes that have been applied to bring the course to a 2024 perspective with the coverage of more advanced processes for threat hunting, current best practices in the existing processes, and introduces the architectural placement of contemporary tools in the component layers. In particular, it covers the emerging area of artificial intelligence in the form of LLMs, and addresses AI component augmentation in the architecture.

Our goal as security practitioners is to stop bad things from happening to the organization we have chosen to protect. When this happens and law enforcement is able to finally catch the bad actors, what actually happens? Do they get what they deserve or does cyber crime actually pay? In this session we'll look at this issue globally - is the punishment fitting the crime? What can we do to make this a crime that doesn't actually pay, or at the very least, comes with some significant risk? As with all COSAC presentations, this should spark a lively debate and hopefully can serve as a call to action to our governments to make a change.

Generative AI is remarkable for its ability to utilize extensive data to answer complex questions. However, in a business context, not all data should be accessible to everyone.

Human customer service representatives are adept at utilizing their comprehensive knowledge of previous cases and processes to respond to customer inquiries while safeguarding sensitive company and customer information.

In contrast, generative AI, in its default setting, strives to provide detailed answers and can inadvertently overshare information. This becomes a significant concern when handling customer interactions. The pivotal question then arises: how can one enhance the security of an AI model, ensuring both operational efficiency and data confidentiality? For seasoned security professionals like us, this entails adopting innovative approaches.

Join two COSAC regulars who will unveil their journey of deconstructing this challenge and reconstructing a solution. Participants will gain insights into current best practices for designing and implementing the following control objectives in AI:

• • Data Sanitization and Filtering
• • Privacy by Design
• • Audits and Monitoring
• • User Consent and Transparency
• • Anti-Phishing Measures

Let’s enrich our biological intelligence with a skillset needed to secure the artificial one.

What is the best way to leverage the NIST Cybersecurity Framework (CSF) 2.0 when implementing or updating a SABSA developed security architecture? The NIST CSF 2.0 is a significant upgrade to the de-facto global framework for managing cybersecurity threats but it still lacks several of the essential elements for a robust cybersecurity program. The SABSA Institute (TSI) sponsored SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project is developing various tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work.

This session is a high-level view of what the updated NIST CSF 2.0 provides, and a first look at what the SENC project is delivering to enhance implementation of the CSF. The SENC project is defining SABSA-specific guidance for leveraging the NIST CSF 2.0 including: developing the contextual architecture to front end use of the CSF with the SABSA attributes profiling process including a few example Attribute Profiles for selected industry sectors; a SABSA NIST CSF 2.0 Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method; SABSA NIST CSF 2.0 Informative References that map the SABSA NIST CSF 2.0 Profile to the SABSA matrix; and a collection of SABSA-specific Examples for the CSF subcategories aligned to the SABSA NIST CSF 2.0 Profile.

Too often, the application of the NIST CSF focusses on the processes, technologies and controls while losing sight of managing the business value and risks involved. We will outline example content from the SENC project deliverables and what will be available to the SABSA community when the project is completed. The SENC project will provide specific recommendations for leveraging SABSA to apply and enhance the NIST Cybersecurity Framework 2.0 to help manage your organization’s business risk requirements.

In this highly graphical session, I will present a mostly anonymised journey across the threat landscape that businesses have had to endure over the last decade. Like a casebook of notes from the field I will cover the weaponization of the legal system, the malicious commercial director, the IT team who were a little too smart, the overly curious manager, one of the largest regulatory investigations ever undertaken, investigations, accidents, misconfigurations and consequences, a dalliance with state sponsored actors and finally and for the first time the Anglo Irish Bank story from the insider in the room. Covering retail, services, legal, manufacturing, financial services, regulatory bodies, and local government my intention is to inform, entertain and enable attendees to take home some food for thought and potentially incorporation into their organisations irrespective of vertical or technology stack.

In the digital age, the proliferation of Artificial Intelligence (AI) technologies has transformed the way we interact, work, and conduct business. From personalized recommendations to autonomous decision-making systems, AI has permeated various facets of society, promising efficiency, innovation, and convenience. However, with these advancements come concerns regarding privacy, data protection, and ethical use of AI. In response to these challenges, regulatory frameworks such as the General Data Protection Regulation (GDPR) have been established to safeguard individuals' rights and regulate the processing of personal data. Yet, the evolving landscape of AI necessitates continual adaptation and augmentation of these regulations. Addressing this gap, the EU has recently formalised the introduction of the AI Act. This act aims to 1) establish a comprehensive framework for the regulation of AI systems, addressing issues of transparency, accountability, and fundamental rights and 2) provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. However, the act’s alignment with the GDPR presents a myriad of challenges. This presentation delves into the intricate interplay between the AI Act and GDPR, examining ten key challenges that compliance with the EU data protection framework presents for the use and development of AI tools and will cover topics such as:

• • Overlapping Regulations: Analyzing the areas of convergence and disparity between the AI Act and GDPR, and identifying potential conflicts in compliance requirements.
• • Data Protection and Privacy: Evaluating the implications of AI algorithms on data privacy and the extent to which they adhere to GDPR principles such as purpose limitation, data minimization, and data subject rights.
• • Ethical Considerations: Discussing the ethical dilemmas arising from AI technologies and their impact on fundamental rights, including the right to privacy, non-discrimination, and autonomy.
• • Regulatory Enforcement and Accountability: Examining the enforcement mechanisms under both the AI Act and GDPR, and the responsibilities of stakeholders in ensuring compliance and accountability.

By shedding light on the intersection and challenges posed by the AI Act and GDPR, this presentation aims to provide a comprehensive understanding of the regulatory landscape surrounding AI technologies, empowering organizations to navigate regulatory compliance while fostering innovation and ethical use of AI.

Key Learning Outcomes:

• • An understanding of the key requirements of the AI Act that relate to GDPR.
• • An overview of the opposing approaches to data protection in the AI Act and GDPR.
• • An understanding of data subject rights, and data protection principles
• • An understanding of organisations’ obligations under both the AI Act and the GDPR

In the evolving landscape of business security, the integration of MITRE ATT&CK® framework plays a pivotal role in enhancing organizational resilience against cyber threats. Our approach leverages the MITRE ATT&CK® from understanding adversary motives to the implementation of mitigation strategies and ensuring robust protection mechanisms. We introduce the Critical Information Protection Strategy Dependency Map, a novel tool designed to navigate the complex interplay between business impact, adversary techniques, and mitigation procedures. This dynamic map begins with identifying business impacts and systematically links them to potential adversarial techniques. Subsequently, it aligns appropriate mitigation techniques and procedures, culminating in targeted assurance questions. This methodology ensures that mitigations are contextually relevant, activated based on the specific business context at the point of impact and adversarial interaction.

Key insights from our strategy include the importance of deep business knowledge through the identification and analysis of critical information assets in collaboration with technology users. Utilizing the MITRE ATT&CK® framework as a foundation, we optimize it to fortify business resilience. Our strategy emphasizes outcome-focused strategic planning to protect the business context against adverse activities, thereby safeguarding the company's financial health. Moreover, our approach eliminates redundancy and bias by employing an effective mapping process. This not only manages the intricate business context but also ensures the dynamic and consistent application of mitigation techniques across different layers of the business, adhering to the principles of Engineering Trustworthy Secure Systems. Our methodology stands as a testament to building secure systems that are both dynamic and aligned with business objectives, offering a comprehensive blueprint for organizations aiming to enhance their security architecture.

Overtly Tony Sale was known for his outstanding engineering talents which he used to rebuild the WW2 code breaking Colossus and create the National Museum of Computing at Bletchley Park. However, during the Cold War Tony toiled secretly supporting MI5’s efforts to identify covert radio transmissions in the UK, signals which were used by hostile intelligence services working to undermine the UK Government and its allies.

This work was the precursor to modern technical surveillance counter measures (TSCM), an increasingly important field, and one that is practiced today both by Governments and commercial entities who are trying to protect their most sensitive information from competitors and hostile nations.

This paper draws upon TSCM principles to identify the threats from the Internet of Things (IoT) and how our dependence on 21st Century Personal Communication Devices and applications can expose our ‘signals’ to hostile state and organized crime actors.

We will explore the TSCM techniques in use today and how we can help protect from, or at least confuse, a modern attacker.

The question really is …. is there a spy in my coffee machine?

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• • Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 2nd October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.