COSAC 2015 Session Synopsis will be displayed once confirmed; please check back soon.




M1 COSAC 14th International Security Round-Table Forum John O'Leary

In 2013, at the 20th annual COSAC, we had a magnificent group of experts in the 13th annual COSAC International Security Forum. These battle-hardened, thoroughly experienced veterans came up with workable, practical solutions for all the security problems in the world. But once again, unfortunately, the world did not stand still. New issues and new permutations of previously solved problems ensured that our work-lives would not become a dull routine of sunny, idle days.

The 21st annual COSAC, with the 14th annual COSAC International Round Table Forum, comes at a time when information security issues, while still complex and arcane, have moved into the public consciousness with such ubiquity and casual familiarity that the Target breach and Snowden revelations and industrial espionage and phishing scams and even insider malfeasance are everyday, dinner-table conversation topics for relatively normal human beings, not just nerds and security geeks.

The Forum will try to provide avenues to explore when having to respond to questions and suggestions from co-workers, bosses, family, friends, casual acquaintances and those at virtually all organizational levels who might not really get the technical or architectural aspects of the things we do, but have heard or read about all this security stuff and don’t mind telling us that we ought to just stop screwing around and get it all fixed. Forum participants have been fighting the battles and accumulating the scars. They know that it’s never as easy as that article in the airline magazine made it seem to the CFO who read it on the way to that convention in Las Vegas. They also know that buying a piece of technology, no matter how well-crafted and suitable for the purpose, is never the absolute, complete, sole answer. But the willingness of Forum participants over the years to share ideas and experiences and value judgments has helped us all provide understandable answers to our customers and realistic security solutions for our firms. From its very inception, the Forum has been about analyzing the issues and helping delegates help each other. To those ends, we try to ensure a free-wheeling, lively, reality-based day of relevant discussion with copious interaction and no “School solutions.”

Another significant benefit of the Forum is that it gets you immediately into the COSAC mode. Think, …challenge, …help. COSAC is unique and easily the best Information Security conference on earth because it stresses such participation. The Forum is a deep dive directly into that operating mode. This year, as in the past, we solicit and welcome contributions of topics. They may be problems encountered; solutions that either worked well, partially, or not at all; or issues that are growing in importance, complexity or danger. Some of the questions we’ll try to answer include the following:

  • Could a Target-like breach happen to you?
  • What are appropriate standards for connecting devices?
  • How do you effectively handle media relations during and after an incident?
  • As of 1Q2014, rogue ads had overtaken porn as the top mobile malware attack method. Is this a real concern at the organizational level?
  • What’s the right way to handle your customers after a large-scale breach of sensitive data?
  • How have legal changes affected your ability to process information and to secure it?
  • Is this the year of IPv6? (repeat question from 2013)
  • Is it the Internet of things or the Internet of crap?
  • Can you effectively control BYOD?
  • What are your 2 or 3 primary 2015 items that will need budget money? (another repeat question from 2013)
  • Misdemeanor vs. Felony - For relatively minor offenses, should we punish the employee perpetrators? If so, how?
  • Are there any really useful and collectable metrics that cover what we actually do in Information Security?
  • Can effective information security really differentiate you from the competition?

Of course, there are myriad more items. The experience level and willingness to participate at prior Fora (or forums, if you so choose) has led to rich and fruitful discussions shedding much needed light into some dark corners and providing strategies for coping. And the solutions proposed usually also lead to more issues and questions.

Over the years of the forum, delegates have, for the most part, been willing if not eager to share information about and approaches to the vast array of problems we address, building on each other's ideas. Prevention of problems is certainly a primary goal, but we can learn indelible lessons from failures and from recoveries as well as successes. Not everybody agrees with the analyses or proposed solutions, but almost everyone participates in the discussions. Such give and take helps prepare us to defend our positions with logic and determination back at the office.

The delegates who participate in the forum have been good at anticipating issues and concerns we’ll face in the near future. Grounded in reality, they have also seen what they perceived as security necessity get trumped by politics or genuine financial constraints.

In the forum we try to model the full COSAC experience – seasoned security professionals exchanging ideas and opinions based on their actual experience in real situations, been-there, done-that veterans defending some opinions and challenging others, but ever-willing to help and learn from each other. The moderator tries to not get in the way so that participants may discuss topics and experiences freely and subject their ideas to the scrutiny and analysis of all the experience in the room. And that is what makes it so valuable - the chance to compare notes, strategies and techniques with others who have had to explain painful things in the boardroom or to the newbies and have lived to tell the tale.

The COSAC Forum usually contains the volume and breadth of security expertise that consulting firms would salivate over. And the people participating are not trying to sell you anything.

In 2014, as we’ve done for the last several years, we invite participants to prepare and deliver short presentations on topics they want the group to discuss. No demands, but you might take a few minutes, perhaps prepare a few slides. Success stories, horror stories, pleas for assistance, disagreements with vendor philosophies or management decisions – all are fair game. Maybe you’ll be willing to lead the discussion on a specific topic. We’ll try to build an agenda, setting reasonable coverage goals for the day, knowing that discussions started here invariably continue through the week at COSAC. To make sure that everyone gets some of his or her major points of interest put before the group, we’ll see what participants wish to cover, set up a schedule for the topics and proceed to solve the problems of the world (again).

Potential topics for 2014 include the ones listed at the top of this abstract and any others you may deem relevant, such as:

  • Security Architecture (yes, SABSA)
  • DDoS Defense
  • Hacktivism (anonymous and otherwise)
  • Security for Virtualization
  • Migration to the Cloud
  • Nation-state Actors in cyber-espionage and warfare
  • End-point Security
  • Federated I&AM
  • Identifying and Managing Threats
  • Making do with Less
  • Securing all the Devices we now find Connected
  • International Complications of Computer Crime
  • Effective Security Awareness
  • Windows 8 Security
  • Limits of Outsourcing
  • Crisis Communications
  • Survivability, Recovery, and Operating in Degraded Mode

Keep an open mind, bring your wealth of experience and resulting judgment, be willing and ready to share techniques and strategies, and come join us.

M2 COSAC Master Class: Blowing the Whistle on Security in the Age of Surveillance

    Part One - How the Surveillance State has Changed IT Security Forever Richard Stiennon

The rapid rise of surveillance by the NSA and other government spy agencies poses a new threat to every IT security department. Gone are the days when hackers, cyber criminals, or even espionage by foreign governments were the major driver of IT security investments. Since the 2013 revelations that the NSA had successfully executed on a mission of “information dominance” and “collect everything,” the new driver is massive data collection and how to counter it. This review of the NSA’s ANT catalog and the other tools used by the Tailored Access Operations (TAO) will challenge every security professional to re-think the measures they have deployed to counter targeted attacks. Stiennon predicts that the IT security industry will respond quickly to this new threat with increased investments in encryption, key management, and the defenses required to protect the means of encryption. This will mean a tenfold increase, to $632 billion, in security spending by 2023.

  • IT Security spending is already growing at 24% a year, four times what most analysts predict.
  • Employment in IT security will grow tenfold
  • The NSA is a threat that will be countered by a revolution in IT security technology.

    Part Two - Is There a Commercial Impact from Snowden? Vince Gallo

Recent revelations courtesy of Edward Snowden and Chelsea (née Bradley) Manning have shocked, amazed or vindicated a large proportion of security professionals throughout the world. The methods employed by security agencies have been revealed, which is in itself fascinating and more than a little instructive to those who wish to defend against or indeed implement related capability. This session will consider some of those interesting aspects, but with a view to a broader impact that seems to have occurred: the financial, commercial and organisational impact.

The broad dissemination of the monitoring capability has engendered fear and outrage amongst not only the internet provider industry but individual and corporate consumers of those services. A study of economic history shows that disruptive technologies frequently become the engines of change, and the Snowden Effect can be viewed as one such disruption, so it becomes necessary to consider the changes that may flow from this. In this session we shall review published material in an attempt to understand the ways that internet providers are changing their architecture, at what cost, and to what benefit, so that they may be able to claim or demonstrate greater resilience in the face of SIA penetration. Consumers may also be changing their behaviour; where and when they do so, the flow of revenue will also change, which in turn may drive further revisions to the supply of services necessary to satisfy the consumers. By such analysis it may be possible to discover the trends in consumer sentiment, and thus learn the commercial impact on the providers, or even on the balance of economics between various Nations. An understanding of these factors could be instrumental in guiding future decisions in order to avoid the fallout from Snowden as much as possible, or even to protect business from any possible revelations from Snowden, The Guardian, or anyone else who in future manages to breach government secrets using the high-tech espionage device called a USB drive.

    Part Three - Take Back the Net: Practical Counter-surveillance Lisa Lorenzin

The past 18 months have brought a steady stream of revelations about bulk collection of metadata, and often content, of communications via the Internet. From national security agencies intercepting data that's later used for industrial espionage, to media companies installing intrusive - and sometimes illegal - software in the name of digital rights management (DRM), to tech industry giants data-mining email from free services and pushing cookies that track our day-to-day travels around the Internet, our private personal and corporate communications are under surveillance every day.

Fortunately, there are practical, realistic, everyday actions that individuals and corporations can take to protect our privacy, civil liberties, and intellectual property from this intrusive assault. Technology offers many tools for anonymity and data protection - almost too many. Which are worth the effort? How do you know what actually works?

This session will discuss the social and cultural implications of bulk data collection - How much is too much? What are you really paying for that "free" service? Where do we draw the line on government agencies collecting communications data? - and provide an overview of encryption and privacy technology individuals and organizations can use to begin to protect our private communications and intellectual property from eavesdropping and tracking.

    Part Four - Why Do We Get this Security Stuff So Wrong? Andy Clark

In the recent past we have become increasingly aware of security failures that have global consequences and require global resolution. The most striking example is the Heartbleed bug, where a single developer introduced a bug that was missed by a single reviewer. The resultant flawed code was introduced into OpenSSL’s source code repository and adopted into widespread use in March 2012. Some two years later, when the bug was publicly disclosed, around half a million of the Internet’s ‘secure’ web servers were believed to be vulnerable to the Heartbleed attack.

This is but one example of how intervention in a small part of a complex system can create an unanticipated and undesirable outcome. At the heart of the matter is the challenge of taking a Systems Approach to security in such a large domain. While using SABSA allows an enterprise to design and implement an architecture that is aligned to and balanced with its business needs, it relies on implementation components that it considers to be functionally trusted. In this talk we will discuss the competing motivational factors experienced by security researchers and academics and describe how this can lead to failures like Heartbleed, among others. While not being able to solve the ‘problem’ we will highlight how we might improve our systems thinking to mitigate such problems in a business driven way.

M3 SABSA Master Class: Security Service Catalogue Workshop Pascal de Koning

This workshop is the first major activity of the “Security Service Catalogue” project. The aim of the project is to realize the community-driven development of a security service catalogue, so that it can be consumed by enterprise (security) architects. Part of the goal is to implement a governance structure that supports continuous updates of the catalogue.

The desire for a security service catalogue was expressed clearly at the SABSA world conference 2013. Many SABSA practitioners have been working on the definition and inventory of the business drivers and business attributes. At this time, they are seeking ways to actually fill in the security functions at the logical layer.

Another development is that security is being integrated into TOGAF, a mainstream enterprise architecture framework owned by The Open Group. At this moment the TNSP project is running, whose goal is to integrate security into the next version of TOGAF. Part of TNSP is the development of practitioner guidance. This “Security Service Catalogue” project will deliver a part of this TNSP guidance.

For security architects, the security services catalogue is a register that supports filling in the logical (aka functional) layer of the architecture with security controls. Unlike existing control frameworks that contain requirements, the security reference architecture describes security building blocks that actually deliver protection. This architecture approach enables smooth integration of information security in the enterprise architecture.

To achieve this, the Security Service Catalogue workgroup has been established as a joint initiative of the Open Group Security Forum and the SABSA Institute. The deliverables will be offered to the TNSP project for adoption in TOGAF Next.

Reuse of and referral to existing material is encouraged. We will look explicitly at existing best practices and standards and are eager to make use of their existence. This includes but is not limited to ISO27002, ISF Standard of Good Practice, O-ISM3, Open Security Architecture, O-ESA and Unified Control Framework.

Workshop agenda:

Part 1 - Inform each other in short presentations of at most 30 minutes each:

  • Kick-off: Explain Security Services Catalogue project goals and organization
  • Presentation of TNSP-work (TOGAF Next Security Project) and the alignment with the Security Service Catalogue, as seen from the TOGAF perspective.
  • Presentation Security Services Catalogue concept and Trusted Architecture model, as seen from a SABSA perspective.
  • Presentation on Open Security Architecture work and how it relates to this project
  • Presentation of the O-ISM3 model to introduce the concept of security processes and help define security services.
  • Additional presentations might be added.

Part 2 - Hands-on workshop:

  • Decide on a format for the Security Services Catalog
  • A format for the catalog will be proposed, discussed and improved where necessary.
  • Select suitable existing control sets, based on experience of attendees
  • We’ll exchange suggestions for control sets that might be useful.
  • Create a first version of the Security Services Catalog.

We’ll use an approach that allows everyone to contribute without judgement. All contributions are welcome. There will be structuring of the material based on ‘group wisdom’, but not on consensus. This will result in a practical take-away for every participant.

The workshop is aimed at security architecture practitioners, such as security architects, security managers, security consultants, etc. We will discuss a lot, learn a lot, have some fun, and in the end - very COSAC-style - leave the workshop with something usable that is created by you and your (new) friends.


Stream A - Future-state Security
Stream B - Topical Issues
Stream S - SABSA World Congress
Stream P - Plenary Sessions

1A Weaponising Cybercurrencies G. Mark Hardy

Bitcoin is dead. Long live Bitcoin. Satoshi Nakamoto was no dummy. In the early days, he (they) mined over 1,000,000 Bitcoins when nobody really cared. If Bitcoin (or any other cybercurrency) were to increase in value at the rate it did last year, someone will be holding a massive currency weapon. George Soros destabilized the British Pound in 1992 and made over £1,000,000,000 profit. In the largest counterfeiting operation in history, Nazi Germany devised Operation Bernhard to destabilize the British economy by dropping millions of pound notes from Luftwaffe aircraft. If the holder of a giga-cybercurrency has a currency digital weapon that works frictionlessly in milliseconds, against whom will he target it? Can it destabilize an entire government? Can it be continuously reused for blackmail? What should governments be doing now to plan for this contingency and fight back? We'll discuss an entirely new class of information weapon -- digital cryptocurrency -- and how it might either change the course of history, or be relegated to the ash heap of failure.

2A Piano Thieving for Experts: That Bathroom Window IS Big Enough Ian Latter

ThruGlassXfer (TGXf) is a new and exciting technique to steal files from a computer through the screen with just a phone.

  • No networking configuration needed.
  • No portable storage devices needed.
  • If you can see it, you can steal it.

ThruGlassXfer presents substantial security implications to enterprises globally since it bypasses all major security controls, including best-practice Data Center and Perimeter deployments and even Data Loss Prevention and End Point security deployments. For enterprises off-shoring their IT: if you're working under a governance mandate of data sovereignty with data staying on-shore, then be aware that as of today, your off-shore users now have full access to copy files off your systems without a trace.

The security model for protecting your data is incomplete and it is broken, right now.

Any user that has screen and keyboard access to a shell (CLI, GUI or even a Web Management shell) in your environment has the ability to transfer data, code and executables in and out of your environment without your knowledge, today. This includes your staff, your partners and your suppliers, both on and off-shore. And your implementation of best practice Data Center, Perimeter and End Point Security architectures have no effect on the outcome.

In this session I will take you from first principles to a full exploitation framework. You, as an audience member, will be able to actively participate in a live data theft (of simulated data) in complete anonymity using only your smart phone and an app from either the iPhone or Android app stores. I will be releasing the full specification for the ThruGlassXfer (TGXf) protocol and the reference C and PHP source code under the GPL for both CLI and Web platforms.

At the end of the session you'll learn how to build on this unidirectional file transfer and augment the solution into a full duplex communications channel (a virtual serial link) and then a native PPP link, from a user-controlled device, through the remote enterprise-controlled screen and keyboard, to the most sensitive infrastructure in the enterprise.

Why this will be the one presentation at COSAC you can’t afford to miss:

Engaging on multiple levels; A highly visual presentation that allows you, the audience, to directly engage with the toolset from your chair. It is not a deeply technical concept (the solution stays above the shell-code level, for example), but the mechanisms used to construct this exploit require cross-discipline knowledge and will therefore appeal to an educated and detail-oriented audience. The topic itself is also approached as a journey from first principles to implementation and then beyond, so join me, whatever your knowledge or skill-set, and learn something interesting!

Highly Accessible; Although targeted to an Enterprise audience, this presentation will have ubiquitous impact to security professionals. Further, as my objective is information sharing, I am providing sufficient material to let even the home brewer construct repeatable experiments in their own homes/environments. By the end of my presentation, you will be able to repeat my outcomes on your own.

Broad Appeal; I am presenting a new technique that comes from independent research which will have broad appeal to both new-comers and veterans alike. It is also highly topical in a climate of off-shoring, Cloud services, mobile device adoption and large scale customer data theft. Why wait until your Gartner/Forrester analyst says this is important?

And, as an information sharing session, by the end of the hour you will know:

That this is not a hypothetical threat - it is robust and accessible enough for an auditorium full of random attendees to simultaneously leverage a single data heist anonymously.

That there is no simple solution - the source code is available and the next three generations of whack-a-mole have been plotted out with the final generation unblockable via any foreseeable technical solution.

Why it’s time for a mature conversation - the universal disclosure of the architecture flaw underpinning this clear and present threat, directly to the industry and one of its most committed and senior community of experts, with no foreseeable point solution, will require a mature response from the industry in order to begin the real discussion of how not to suck at enterprise security architecture and its implementation.

So if you’re looking for a presentation that’s unique, fresh, and demonstrates a clear blind spot in traditional Enterprise Security Architecture, existing best practices and even the most leading edge security market verticals, then this is a presentation that you won’t want to miss.

3A Take Down John Walker

We live in an age in which we as a society have become dependent on technology to support business and personal aspirations. In fact, when it comes to big-name organisations, say within the Oil-and-Gas or Financial Services industries, to a very large extent their businesses are totally reliant on technology and the internet to run their operations. But such a dependency goes far deeper than that, and when we look toward personal use, we may also start to appreciate just how interwoven technology and the internet are into the very fabric of everyday lives – always-on internet, home VoIP, internet TV, home working, banking, and even shopping – again, another level of reliance.

This presentation is based on an extended period of research looking into the frailties, and the potential for causing disruption to business and public services, and focuses on a targeted attack against a specific target or multiple targets. The presentation is based on a published research paper, and also a paper which has been published in a global Digital Forensics Magazine.

The presentation and papers outline the current state of weakness, and go on to demonstrate in real time some of the exposures and vulnerabilities which are present but are not considered by many big-name organisations. It will conclude with a look at the new-age states of CyberConflict and CyberCrime, and with observations as to how technology has a modern-day fit in the field of weaponry and its subsequent use as an instrument of CyberWar.

4A Emergent Security Efrain Gonzalez

Have you ever wondered about the future of Information Security? Fast-forward 10 to 15 years from now. Looking back, what do you see? Did we make great strides towards solving the information security problem or will it be more of the same? Did the improvements in information security frameworks, technical security solutions, and security awareness solve the problem?

The answer is: probably not. The reason we will not be able to solve the information security problem in the next 10 to 15 years lies in the reactive nature of our approach. Typically, our approach to information security goes something like this. As our adversaries find new attack vectors, we develop new countermeasures. And, as our adversaries find ways around our countermeasures, we respond with more of the same. In systems engineering we refer to this as an escalation archetype, in which the actions of the opponents create a never-ending cycle – an arms race. A real-life example of this phenomenon is the nuclear arms race that developed during the Cold War.

In the words of Samuel Clemens (Mark Twain),

        “If you always do what you always did, you’ll always get what you always got.”

If a reactive approach to information security doesn’t work, what should we do? We need a change in perspective. We need a new way of looking at information security. We need a paradigm shift.

In his SABSA classes, David Lynas asserts on one of his presentation slides that:

        “Security is a property of something else.”

David is right. That something else David is referring to is the system as a whole. System properties such as reliability, maintainability, performance, usability, and security are properties of the entire system, not of its individual components or parts. System properties like security only emerge once all the subsystems have been integrated.

Examples of emergent properties of systems abound in nature. Flocks of birds, schools of fish, and ant colonies provide a few examples. The interesting thing about emergent properties of complex systems is that they do not arise from any centralized logic or control. The emergent properties of systems arise from the interactions between system components while following very simple rules.

Engineering systems for their emergent properties is a relatively new field of study and has been largely relegated to the systems engineering discipline. System engineers have developed simulation tools and methods to help design systems for their emergent properties.

If security is an emergent property of complex systems, how can we take advantage of this fact? Can we take what we know about emergent properties and apply it to the information security space? Yes, this presentation explores information security from this new perspective. Participants will learn about emergent properties of complex systems and how these can be applied to information security to create what I call emergent security.

Today’s approach to information security is reactive. If we ever hope to break out of the information security escalating arms race, we need to take a different approach. Treating information security as an emergent property of complex systems offers a new perspective. Leveraging existing tools to engineer emergent security properties into systems promises to be a game changer.

5A Evolution of the OWASP Top 10 John Hetherton

This paper aims to investigate how the OWASP Top 10 has evolved over time and how seismic shifts in the application environment affected, or were affected by, the OWASP Top 10. The paper will look at this area across the following headings:

  • Integrated Development Environments
  • Secure APIs (ESAPI)
  • Browser security features (certificate errors / WOT)
  • Layer 7 firewalls
  • Developer awareness

The paper will take into account trends identified across these areas based on our own web application penetration testing experience in conjunction with global findings. For example, we have seen a decrease in certain OWASP Top 10 vulnerabilities over the last decade, and we will examine the extent to which this may be due to specific factors such as increased developer awareness, development using modern frameworks and accessing applications using modern end-user clients.

As part of this discussion we will also review the trends of increased attacker awareness and the proliferation and simplification of attack tools to determine their impact on the OWASP Top 10.

6A Triggers, Outcomes & Social Impact – A Framework for Assessing Technological Evolution Sian John

How do we model the future? How do we predict the evolution of technology?

It is tempting to look at the advancement of technology and assume that all the capabilities we see developing will gain widespread adoption. In reality the barriers or accelerators to adoption are a combination of technological capability, interactions between technologies and the desires of businesses, people and governments.

Recent years have seen the rise of a new career for futurologists who analyse and predict these trends, but surely there’s no right answer to this evolution, and we can use our own expertise to determine what the outcome will be.

Sociological and socio-economic pressures are driving many of the trends that we are seeing today as much as the evolution in technology, and will ultimately be core to the determination of what is successful. These range from applications on mobile phones giving easy access to things like real-time transport information, to the big data solutions that are being built to provide better analytics about customer behaviour.

The Triggers, Outcomes, and Societal Impact (TOSI) Matrix™ was developed to provide a consistent approach to evaluating the diverse pressures that affect technological evolution. This is aimed to assist groups with modelling the likely development of the technology landscape and its impact on society and industry.

The primary function of the TOSI is to assist in workshops, providing a structured framework for groups to brainstorm where technology is likely to develop over the coming years. The session will give an overview of the framework and then use it to run a live brainstorm of a technological trend, to gain the view of the COSAC group on its likely development.

1B An IAM Journey – Enterprise Management of Identities & Access Lunga Newman

Who exists in your organisation’s logical environment? What access do these identities have to your organisation’s information and information systems? What activities have been conducted by these various identities?

Despite a plethora of legislative controls, regulatory controls and industry standards, these are questions that most organisations cannot answer. Identity and Access Management has been around for many years, but organisations have only recently started to take note of the centrality of IAM to the overall security of information and systems.

This presentation will introduce the logical steps to take when embarking on the IAM journey to ensure a reasonable chance at success.

Identity and Access Management is not an IT problem but a business problem, so techies should not drive the design and implementation of such a crucial project. It has been shown many times over that a tool cannot effect change in an organisation; it can only support the change that is spearheaded by the relevant people/business stakeholders and the necessary business processes.

The basis for any IAM project must be to meet a business requirement; otherwise it will be implemented by IT for IT, with no buy-in from the users and management, and it will fail to realize any business benefit.

The value of the presentation will be in the guidelines provided to design and implement an IAM program. This will include reference to the following:

  • Security Reference Model – how does the Reference Model relate to IAM?
  • IAM Policy, alternatively a Policy statement in an existing Security Policy;
  • IAM Standard;
  • Directory Services Strategy, including necessary patterns;
  • Conceptual Architecture – this will include the following layers, with components: Business, Presentation, Application, Data, Infrastructure, Management and Security.

2B Information Security Insanities & Albert Einstein Bevan Lane

Einstein states that the definition of insanity is doing the same thing over and over again and expecting different results. Information Security seems to be a field where there are many instances of this.

The aim of this session will be to discuss a range of things which have been accepted as norms within Information Security for the last 15 years and are done the same way without necessarily taking a step back to understand the initial reasoning behind it and whether it’s still applicable in the rapidly changing world of 2014. We are aiming to challenge security management as well as established technical controls in order to discuss whether we need to think more out of the box in terms of these practices.

The session will discuss case studies, integrating quotes from Einstein and other scientific legends, to attempt to understand the impact of the massive changes in technology and social behavior happening across the world and how information security needs to change to maximize its impact. We will discuss how dynamic these changes are, whether static information security practices are keeping up, and what needs to be done to keep up. The session will attempt to foster creative thinking about the future of Information Security. We will cover topics from policies, practices and technical architectures, and aim to get an interactive discussion going which will consider whether these changes will bring benefits to the way in which we do things.

3B Using Confidentiality, Integrity & Availability Isn’t Helping Vicente Aceituno Canal

The current state of affairs is that most information security professionals use the concepts of Confidentiality, Integrity and Availability for everyday work. These concepts present a series of problems that haven't been solved so far:

  • They don't have Units. This makes it impossible to manage information security quantitatively. Bye bye optimization of resources.
  • They are Incomplete. Some professionals complement them with concepts like Possession, Utility, Risk, Authentication, Authorization, Audit, Non-Repudiation and Accountability. This means there is a high variance on performance and delivery depending on what professional or company you count on.
  • They are Ambiguous. Many professionals and even published standards give different definitions of these concepts. This adds more undesirable variance.
  • They are not operational. Because of this, Threats, Incidents, Vulnerability and Weakness among other concepts can't be defined in terms of Confidentiality, Integrity and Availability reliably, expanding the ambiguity of definition. Even seasoned professionals don't agree on what is exactly an Incident or Vulnerability. If you can't agree on what something IS, how can you manage it?

I will elaborate on this point during the session, and present a practical alternative to these concepts.

4B Guerrillas in our Midst Dave Barnett

Designed as a highly interactive discussion about the emergence of “Shadow IT” in a world where everyone can gain privileged access to powerful but consumer-oriented information technology, and often has a habit of bringing it into the workplace.

One of the major issues in IT Risk management is the low barrier for users to gain access to technology. An increasingly busy work environment and the empowerment of people by the consumerization of IT mean that most workplaces have people who “just do it”; irritatingly, these people often tend to be quite senior. Is it possible to secure the unknown with technology, or is user education now more important than at any time? Was this activity detected or was it reported? Did it sidetrack existing monitoring tools? Would an amnesty help?

Do you just say no to cloud, for example? Do you have an anything-goes policy for cloud, or have you found a place somewhere in between? The session will explore the changing relationship between the IT practitioner and the consumer of IT and seek to identify whether there might be a way for both sides to work in harmony.

Be prepared to talk openly but in confidence with your peers about users going off and doing cloud, mobile, maybe even unauthorised internet connections, without accreditation by IT Security.

Case studies will be presented and solutions suggested, but as with most successful COSAC sessions it’s not what is on the screen that is of most value; it’s the discussion that happens between equals. As always with COSAC, this session is held under Chatham House rules; everyone has an experience worth sharing that is of value to others.

5B Minor Infractions John O'Leary

They really didn’t mean to do any harm. They were just trying to get their jobs done. And they’ve done things like sharing passwords among themselves before. Y’know, covering for each other, augmenting team spirit in the group. You security guys are so petty. So what are you gonna do – fire the whole group?

For major security infractions, the consequences can be clear and definitive. But so many more security events are not earth-shattering or purposefully evil, and they’re perpetrated either by mistake or carelessness or by gauging other priorities ahead of what we deem to be crucial. Yet the down-the-line consequences to the organization of a minor sin can be significantly more than minor.

How do we effectively and fairly handle these minor infractions? Hanging at dawn is probably too severe, but ignoring them might send an equally wrong message. In this COSAC-rules session, we’ll set out some scenarios that would logically fall into the category of minor security infractions and ask what the consequences might be for the company and should be for the perpetrator.

6B Help! The Senior Executives are Ignoring Risk Glen Bruce

What if the CEO of a multi-billion dollar organization refused to use a password, any password or other authentication method, to access their mobile device that contains sensitive corporate information and provides access to the corporate network and systems? What if the senior executives of this organization are willfully ignoring information and technology risk? When is a federation not a federation? We have been helping this organization mature their information security program and have run into some interesting obstacles. The culture of the organization and their approach to business decisions by the executive management is getting in the way of effective information and technology risk management. As stated by the CIO, “We are not operating a nuclear facility”, but they control a significant portion of essential energy generation and delivery in many different forms (gas, electric, pipelines). They have had issues that have cost the organization millions but that has not seemed to make much of an impression on the executives.

The objective of this session is to outline a significant organizational issue and outline what worked and what didn’t. We will outline this organization’s attitude and approach (or lack of it) to information and technology risk and what they are currently missing. We will explore their organizational structure and responsibilities and look at some of the barriers to effective security. We will review this organization’s approach to risk management and why information and technology risk management is completely missing. We will outline what should normally be done to solve these issues and why those solutions won’t work. We will define the rather unique problem this organization presents and the approach that we took to overcome these obstacles. Have you had any similar experiences? What other options could be taken?

1S Banking under Tree, Architecting for Mobility Mohammed (Mz) Omarjee

In an effort to create new business revenue models as well as extend banking services to growing business segments, this session will demonstrate how a strategic security solution approach can enable business to adapt its business strategy to support a Channel Convenience strategy, allowing customers to bank anywhere, from any device and at any time, leveraging innovative technologies offered through emerging mobility platforms.

In addition, the session will aim to:

  • Provide an understanding of the mobile business problem domain and its related complexities at Standard Bank
  • Show how to analyse business strategy to define business security requirements and key business attributes
  • Illustrate how the business problem can be solved through design and creation and population of SABSA styled domain maps and entities
  • Indicate the various emerging security mechanisms through associated product components and service management capabilities to solve the business problem of mobility
  • Discuss in-house organizational challenges: a comparison of tactical “build” versus “buy” decisions on security solutions and their associated trade-offs.

2S Next Gen of “Things” … So what next about this complicated password S#@!T Mohammed (Mz) Omarjee

Neither passwords nor strong authentication methods have evolved to meet the needs of users and organizations. As the number of services used by a typical user has multiplied, so too has the number of usernames and passwords the user needs to remember. This further motivates users to memorize one password and reuse the same password everywhere, perpetuating a vicious cycle of weakened security. The obvious response is further complication: increased password complexity by adding requirements for upper-case characters, special characters and numbers, and just … S#@!T

This session will aim to illustrate how the barriers of conventional authentication can be detached by leveraging “obvious” foundational elements that could be used to provide the next generation of trust based verification mechanisms to pervasive business applications for a true frictionless and simplified user experience. Furthermore, we introduce an emerging and standardised approach that aims to help applications, devices, and authentication mechanisms to interoperate with each other, satisfying key business enabling objectives of:

  • Cost reduction
  • Improved, more secure user experience.
  • Innovation with security
  • Increased growth with decreased costs.
  • Privacy protected.

3S An Introduction to Visual Security John Arnold

Everyone hates security requirements and policy documents. Such documents tend to be hundreds of pages long (I have seen thousand-page policies in my time as a security practitioner). They are poorly structured from the point of view of both the executive (who wants to know if the policy is complete and correct) and the implementer (who wants to see what the policy is telling him to do).

‘Visual Security’ is a new approach to describing the security requirements and policies for complex organisations and solutions. Visual Security offers the security architect the following tools:

  • A set of 4 diagram types that can be used to describe ‘why’ an organisation or solution needs to be secure, and ‘what’ security is needed.
  • A simple but rigorous taxonomy for security services.
  • An easy mapping to UML tools to support automated analysis, traceability and reporting.

These tools make it much easier for the architect to see where security services are present, and where they are missing. They make it much easier for non-specialists to ‘see’ an ensemble of security policies as a whole, and they also make it easier to compare a specification with a design, or to compare two different specifications. Finally, they allow the consumers of a security policy to see much more quickly what policies apply to them. The 4 diagram types include 3 to describe ‘why’ an organisation needs to be secure (the stakeholder diagram, the risk diagram and the domain diagram). The 4th diagram type describes ‘what’ security is needed and is called the policy diagram.

The security service taxonomy works in two dimensions:

  • A standard access control pattern which classifies policies according to their role in a ‘contract lifecycle’.
  • A domain model which classifies policies according to the type of flow which is being controlled (user-application, application-application, application-server etc).

The author’s experience with real-world clients has shown that the diagrammatic format makes it much easier for stakeholders to visualise their security needs, risks and posture, and the service taxonomy helps the architects and implementers to understand what is required of them. Compliance staff find it easier to grasp the policies in place and trace them to implementations and evidence.

The symposium will give an overview of Visual Security, with the underlying rationales and some real-world examples. It will also cover some of the existing materials available for the technique.

4S Practical Stakeholder Engagement John Sherwood

SABSA speaks a lot about engaging with business stakeholders to understand and gather real business requirements, business drivers, business opportunities and threats, and critical success factors. This is clearly a 'good idea', but how do you go about it? How do you engage successfully with these business stakeholders?

This session will present a framework for stakeholder engagement that is practical and systematic, but it can never be a pure prescription that will work every time. The session will provide an opportunity for those who attend to discuss and contribute within the presented framework about the practicalities of doing this. It will enable sharing of real experiences with a view to developing a common body of knowledge on how we can best optimise the process of stakeholder engagement.

The output will be written up as a white paper (anonymised and sanitised, of course) and published in the members area of The SABSA Institute web site. This is an opportunity for the SABSA Community to share its member knowledge on a wide scale. Once published, the discussion doesn't stop there, because there will be a discussion thread on the web site to take it further with the global SABSA Community. This takes COSAC into a new dimension, providing seed-corn for a rich harvest of SABSA knowledge and wisdom.

5S ESA Roadshow – A Case Study: Selling the Strategic Vision Andrew Hutchinson
Jason Kobes
William Schultz

Presenting the concept of enterprise security architecture to executives is a challenging but critical factor in getting funding and executive sponsorship. Finding the right balance of business language and technical speak is not an exact science and must be customized to each specific audience. Using the SABSA methodology, we try to enable the executives (contextual layer) to communicate in business drivers and objectives, but in many cases the executives have been trained to speak in other ways, from financial to technical language, often using IT tactics. It can take some effort to redirect the discussion to strategic business objectives. This session will discuss real scenarios of presenting to executives and the lessons learned. Attendees will discuss the pitfalls and successes, and how you might learn from these experiences to improve your own presentations.

6S SABSA as a Problem-Solving Framework….for Anything!
Become the FIFA World Champion 2018
Maurice Smit

It is claimed that ultimately the SABSA methodology is a holistic problem-solving framework that can be used outside the IT and IT-Security landscapes to define business-driven solutions to any problem. This innovative, relaxed and highly participative session puts that SABSA theory to the test in a field almost as far away from Information Security as it is possible to get.

Using the SABSA methodology we should be able to create an architecture to help solve the problem for a football manager to become the FIFA world champion in 2018.

Your input during this session is needed to discuss how a match should be planned and played. What are the objectives? Which attributes? How about domains, domain interactions, and policies? How can we balance risk with opportunity? Which threats are out there? Do we need a multi-tier control strategy?

7P The More Things Change, The More They Stay The Same Vince Gallo
Char Sample

Over an extended period of time, newcomers will come up with new ideas that will be introduced to their professional domain. While in certain areas this can be quaint or amusing (the re-emergence of fashion, allowing clothes from a bygone age to be recycled), in others this trend is frustrating, wasteful and dangerous. We have in mind the tendency for problems and solutions to be re-introduced, and thus for faults and vulnerabilities either to persist or to be re-introduced; whatever the cause, the outcome is a pattern where each generation seems to repeat the errors of the earlier ones. This presentation will compare examples, separated by considerable time periods, in order to explore the common technical details and so attempt to analyse the common causes. Recognition and understanding of the underlying causes of repeated mistakes should equip designers, suppliers, users and in particular the project managers within those groups to reduce the likelihood of continued re-introduction of past mistakes.

The authors believe that some simple principles, if pursued, could enhance the robustness of systems and products, and that these should guide the process of design, implementation and testing. The greatest contribution to future improvements will come from enhanced training and mentoring so that knowledge and experience are used beneficially, starting by learning from the examples explored during this session.


Stream A - Future-state Security
Stream B - Topical Issues
Stream S - SABSA World Congress
Stream P - Plenary Sessions

8A Complexity & the Role of Cryptographic Security Roy Follendore III

Today’s idea of a competent vision of IT security remains reactively driven by technical details. Each time event X occurs, a technical security response Y is created, evaluated and implemented as part of a responsive strategy. Each response impacts the properties of previous responses. We assume that our security objectives remain constant. For the last two decades I have challenged this assumption with the notion of anthropic security.

The sheer number of events across the enterprise infrastructure means that the dimensions of security problems can be too complex to fully recognize and adequately communicate. This means that our security processes lead to inflationary restrictions within the fabric of the security enterprise. As security experts, I feel that we should desire to provide optimum throughput for our consumers, and to do that we need to change our view of the paradigm of security. If this is true, the question is how do we do that?

As experienced security experts we arrive at this table with the innate understanding that we view the concept of security through preconceived filters. The methodology of our present security policies is not fully capable of expressing the problems, for the same reasons that our technical experts do not agree on the most advantageous perspective. Due to the inflexibilities of our present security language we need to establish better security paradigms that encompass the complexities that we encounter. I therefore pose the possibility of creating such a paradigm through the broader notion of object oriented security.

In the late 1980’s I originated the idea of object oriented cryptographic key management security because I believe that an object oriented approach would change the way that we would be able to provide secure networked communications. Today I also believe that for such an approach to be successful our official policies and documentation also need to be structured and associated in such a way that we are able to model and see what we are doing. The first step is to change the way that we orient our language.

The representation of security should not be discussed as secrecy but rather as an act of efficiency and effectiveness. The value of such an approach is that as experts we shall be able to collectively avoid much of the unexpected entropy that results when we make a change in policy while utilizing cryptographic solutions as a means of improvement in the efficiency and effectiveness of network communications. This is something that I can argue we are not presently doing in part because we do not have a unified means to model and discuss explicit applications with respect to implicit philosophy.

I would like to offer an ambitious theoretical explanation of the object oriented paradigm and its relationship to the fine-grained access and content control that can achieve this. My intention is to discuss the reasons why Virtual Private Networking, while incredibly successful, has not been adequately expressed. Finally, I shall also touch upon the reasons why objects are necessary to prevent the continued splintering of the web.

If we are to believe that information theory and physics are essentially the same ideas expressed in different ways then information theory is bounded by the same consequence as physics, not by our devices and policies imposed upon it. If we as a collective civilization are not ready, willing and able to recognize, embrace and utilize our complexities then we shall be randomly affected by them.

My approach to discussing this shall be to open up the relevance of this topic as points within a less than fifteen minute set of observations which shall include a handful of slides and perhaps an animation. At the conclusion I shall break down the issues into three salient group discussion points.

The first of these discussion points involves the implications and opportunities of dealing with blind notions of unrecognized complexity and the necessity of mandatory degrees of freedom to obtain optimal solutions.

The second discussion point is the establishment of a comprehensive paradigm that maintains and manages the structure of cause and effect.

The third discussion point involves the importance of convergence which involves the recognition of where we as a technical society are going next, the aspects of technical security that such an approach fundamentally changes and what it means.

My goal is to initiate a global dialogue which changes the perception of proportionality between the explicit and implicit future expectations of security through intelligent and rational object oriented methodologies.

9A Chaos, Cybernetics, Cynefin & SCAN in Enterprise Systems Engineering David Hafele

The fields of Enterprise Architecture and Enterprise Systems Engineering strive to analyze human and technical systems from a premise that diverges from Newton’s principles of classical mechanics, which are by nature deterministic. This systems approach “shies away” from the reductionistic atomism of Newton and aligns itself with the more holistic systems method espoused by Ludwig von Bertalanffy’s General Systems Theory. General Systems Theory advocates the idea that each system interacts with its environment in a real and meaningful fashion such that the environment changes the system and the system changes its environment. Thus, there is the possibility for evolutionary changes to systems, which may result in serendipitous events in our enterprises.

Unfortunately, even highly ordered systems may fall into disarray by developing various levels of randomness and disorder that are intensified by the system’s inherent complexity and dynamicity. Both the Enterprise Architect and Engineer need to find suitable methods to manage the range of order from simplicity to ultimate chaos and disorder. Fortunately, several different systems approaches have been developed to address this dilemma: Cybernetics, Cynefin (pronounced “kuhnevin”), and SCAN.

Each of these methods offers novel insights into understanding and dealing with increased systemic complexity, which leads to uncertainty and increased risk. For this reason alone, it is well worth the time and effort of the security practitioner to become aware of their potential value to enhance and preserve their enterprises.


10A Increasing Resilience & Reliability of Software-Based Systems Andrew Lea

Many of us have worked with systems which have proved less robust and resilient than we desired or expected. These flaws are often the result of errors in the specification, design and implementation of the software they run. Worse yet, some of these flaws arise because of the very need to test software, and have produced high-profile disasters, such as that which afflicted the launch of Ariane 5. And why does software get worse quicker than hardware gets more powerful? Unfortunately, since each line of code can be regarded as a component, as software grows in size, reliability is bound to fall.

In this presentation I will discuss some of the changes in programming - both practice and language design - that could increase resilience and reliability.  Topics will include:

  • Resource (RAM, CPU, disk, response time) budgeting, which is often completely ignored, yet used to be regarded as critical.
  • Genuine semantic (rather than grammatical) checking by compilers, to catch errors earlier in the implementation cycle.
  • Highly expressive languages, to increase productivity, and therefore leave more budget for testing.  (But often at the cost of slower production code and run-time discovery of bugs which could have been caught earlier.)
  • Run-time error correction, vs dual 'debug' vs 'production' code, which often means production systems contains untested code paths.
  • Self-healing operating systems, languages, and systems.
  • Fail safe probabilistic proofs of correctness and budget conformance.

11A Slaying the Hydra: Evolution and Mitigation of Denial-of-Service Attacks Lisa Lorenzin

One of Hercules' first challenges was his battle with the Lernean Hydra, the many-headed mythological serpent who sprouted two new heads every time one was removed. Hercules would feel right at home in today's datacenters, where mitigation of distributed denial-of-service (DDoS) attacks can feel like an unwinnable game of Whack-A-Mole.

In the past few years, the magnitude of DDoS attacks has grown at a disconcerting pace. The largest DDoS attack in 2012 peaked at 100Gbps; the first quarter of 2014 brought a 400Gbps NTP amplification attack. Despite the security industry's best efforts to encourage protection of the end-user systems and patching of the vulnerable servers that enable these assaults, successful attacks seem to be taking place with increasing regularity and volume.

Denial of service is not a new problem; simplistic attacks such as ping floods and SYN floods have been around almost as long as the Internet has existed. The rise of botnets, vast collections of malware-infected zombie systems, led inexorably to the appearance of distributed denial-of-service attacks. Attackers, too, have evolved: script kiddies harnessing the power of Metasploit, Anonymous launching the Low Orbit Ion Cannon (LOIC) against targets ranging from the US Copyright Office to the Motion Picture Association of America (MPAA) to PayPal, cyber-criminals using threats of DDoS as a method of extortion.

This session will provide an overview of the various forms of DDoS attack active today, who is launching them, and why. We will then discuss mitigation techniques that reduce the impact of and potentially stop the attacks entirely, comparing the benefits and caveats of each approach.
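The three attack classes this abstract names (ping floods, SYN floods and UDP amplification such as the NTP attack of early 2014) each leave a distinct signature in aggregated flow records. The following is an added triage example, not material from the session or its speaker: it runs simple per-victim heuristics over constructed NetFlow-style records. The reflector port list, the thresholds and the sample flows are all assumptions chosen for illustration and would need tuning to a real link.

```python
"""Heuristic DDoS triage over constructed flow records (added example).

Flags three attack classes per destination host:
  icmp_flood          - ICMP packet rate far above normal
  syn_flood           - many SYN-only packets, almost nothing ever ACKed
  udp_amplification   - large UDP responses from many distinct reflector
                        sources, sourced from a known amplifier port (e.g. NTP/123)
All thresholds and records below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record; fields mirror common NetFlow/IPFIX exports."""
    src: str
    dst: str
    proto: str          # "icmp", "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: str = ""  # TCP flag letters seen in the flow, e.g. "S" (SYN only), "A"


# UDP services commonly abused as reflectors (assumption: illustrative, not exhaustive).
REFLECTOR_PORTS = {123: "ntp", 53: "dns", 1900: "ssdp", 19: "chargen", 161: "snmp"}

# Placeholder thresholds for the constructed example; tune to the monitored link.
THRESHOLDS = {
    "icmp_pps": 1000,         # ICMP packets/second toward one host
    "syn_pps": 1000,          # SYN-only packets/second toward one host
    "half_open_ratio": 10.0,  # SYN-only packets per packet carrying an ACK
    "reflectors": 50,         # distinct reflector sources hitting one host
    "refl_avg_bytes": 400,    # mean UDP packet size; amplified responses are large
}


def profile(flows):
    """Aggregate per-destination indicators from a window of flow records."""
    per_dst = defaultdict(lambda: {"icmp": 0, "syn_only": 0, "acked": 0,
                                   "refl_sources": set(), "refl_pkts": 0,
                                   "refl_octets": 0, "services": set()})
    for f in flows:
        p = per_dst[f.dst]
        if f.proto == "icmp":
            p["icmp"] += f.packets
        elif f.proto == "tcp":
            if f.tcp_flags == "S":
                p["syn_only"] += f.packets       # handshake never completed
            elif "A" in f.tcp_flags:
                p["acked"] += f.packets          # real two-way conversation
        elif f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            # Responses arrive *from* the service port; the victim never asked.
            p["refl_sources"].add(f.src)
            p["refl_pkts"] += f.packets
            p["refl_octets"] += f.octets
            p["services"].add(REFLECTOR_PORTS[f.sport])
    return per_dst


def classify(flows, window_seconds, th=THRESHOLDS):
    """Return {victim_ip: [labels]} for destinations that trip a heuristic."""
    verdicts = {}
    for dst, p in profile(flows).items():
        labels = []
        if p["icmp"] / window_seconds > th["icmp_pps"]:
            labels.append("icmp_flood")
        if (p["syn_only"] / window_seconds > th["syn_pps"]
                and p["syn_only"] > th["half_open_ratio"] * max(p["acked"], 1)):
            labels.append("syn_flood")
        if p["refl_pkts"]:
            avg = p["refl_octets"] / p["refl_pkts"]
            if len(p["refl_sources"]) >= th["reflectors"] and avg > th["refl_avg_bytes"]:
                labels.append("udp_amplification:" + ",".join(sorted(p["services"])))
        if labels:
            verdicts[dst] = labels
    return verdicts


def sample_flows():
    """Constructed 10-second window: one benign web server and three victims."""
    flows = []
    for i in range(20):   # benign: clients complete handshakes and fetch pages
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 40000 + i, 443, 1, 60, "S"))
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 40000 + i, 443, 30, 24000, "A"))
    flows.append(Flow("192.0.2.1", "203.0.113.10", "udp", 123, 123, 1, 76))  # its own NTP sync
    for i in range(120):  # NTP reflection: 120 reflectors, ~468-byte responses
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.20", "udp", 123, 40000, 500, 234000))
    for i in range(200):  # SYN flood from spoofed sources, no ACK ever seen
        flows.append(Flow(f"198.18.0.{i}", "203.0.113.30", "tcp", 1024 + i, 80, 100, 6000, "S"))
    for i in range(50):   # ping flood
        flows.append(Flow(f"198.18.1.{i}", "203.0.113.40", "icmp", 0, 0, 400, 33600))
    return flows


if __name__ == "__main__":
    for victim, labels in sorted(classify(sample_flows(), 10).items()):
        print(victim, labels)
```

The benign server (203.0.113.10) receives NTP traffic from port 123 too, but from a single source with small packets, so it is not flagged; the reflection heuristic depends on source diversity and response size together, which is what distinguishes a victim from a host that simply runs an NTP client.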

12A Kaizen for Bank Owned Accounts G. Mark Hardy

What happens when old school banking process bumps up against internet-era banking operations? Welcome to the nightmare of the OOB, or Out of Balance.

When modern banking operations collide with legacy systems, bizarre anomalies easily lead to events like a $10,000 loan being disbursed as a $10 million loan, which modern "self-balancing" software automatically corrects by generating a myriad of contra entries that no one understands, or even looks at. In this session you will see how a rapidly dwindling workforce of old-timers - banking gurus and wizards from the 70s and 80s - are leaving behind a set of processes that are difficult or impossible to maintain with commercial off the shelf software, and why those urban legends about a small deposit getting extra zeros added on to the end and going unnoticed are often true.

8B What Can the Data Be Used For? Jason Kobes
Mary Dunphy

Data is being collected at an impressive rate today; much of which is not directly attributable to the nature of the activity where it is collected. This can be seen clearly in the use of the Internet. Data is collected about the past locations of the user or at least the browser. GPS companies are tracking locations and speeds of vehicles. Phone companies are tracking the location, routines, activity and friends of their customers. Games are collecting information about the users and the devices the games are played on. The list goes on and on.

We have many names for this: product development, target marketing, surveillance, security, and many more, but how deep does the data collection go? Are the custodians of the data practicing Good Stewardship? How much can actually be determined from this information? Is the data being used for the good of Humanity? Is it even ethical to dig so deeply into people’s private lives? Nationality aside, is there a basic human right to privacy, and do these efforts cross that line?

9B Getting the Most Out of SIEM Data in Big Data Char Sample

Big Data presents both opportunities and challenges to our current understanding of SIEM data. The very nature of Big Data allows individuals to derive whatever is desired from the data; however, how do we gather meaningful information? Understanding how to get the most out of Big Data requires a mind shift that runs opposite to the training of security professionals. This talk begins by defining Big Data and the key architectural components of Big Data; it then moves to an explanation of data lineage and how data lineage can be used to inform and structure queries. Finally, we will provide examples that illustrate how SIEM data can be expanded in the Big Data environment to provide greater network situational awareness.

This session is designed to be interactive in nature. The presenter will introduce various specific topics and fully expects the audience to participate, question and debate the fine points. Attendees are encouraged to bring their own problems.

10B Data Classification & Information Identification in the Age of Big Data & Linked Open Data Andrew S. Townley

Big Data. Er... what is it exactly?

A recent lead-in for an MIT Technology Review piece on Big Data from late last year highlights one of many problems anyone actually dealing with it needs to solve before they can seriously think about it from an information security perspective:

"Big Data is revolutionizing 21st-century business without anybody knowing what it actually means."

How can you talk about Big Data Security if nobody agrees on what it really means?

Linked Open Data (LOD). What's that?

According to, Linked Data is about using the Web to connect related data that wasn't previously linked, or using the Web to lower the barriers of linking data currently linked using other methods.

Currently, Linked Data is mostly the domain of academics and still closely tied to the W3C's Semantic Web initiative, but quietly, a lot of people in many governments have been using the principles of linked data to publish previously unavailable information to the public using these technologies, including the US, UK, the EU, Brazil and Australia.

The primary driver listed in the Report on Digital Government: Building a 21st Century Platform to Better Serve the American People illustrates the crux of this session:

"We're moving from managing documents to managing discrete pieces of open data and content which can be tagged, shared, secured, mashed up and presented in the way that is most useful for the consumer of that information."

Looking at Big Data and Linked Data shows us that the way people, organizations and governments think about, publish and consume digital information is changing, and, in fact, already has changed. However, there are still far too many questions about what it all means, how to do it right, and specifically, how do we keep it secure where the definition of "security" is an open-ended context of potential uses?

In this session, we'll explore these issues and some of the ways our current thinking isn't ready for the world we find ourselves in today. We will discuss the identity problem not from the traditional perspective of end-users as security subjects, but from the perspective of the data and information entities themselves. Finally, we will explore some potential ways we can leverage what we know in new ways to try to address these challenges.

Big Data is here and Linked Data is lurking in the corner. Don't underestimate either of them and the ways they will impact our role as information security professionals.

11B Cloud Assurance: Trust but Verify Ross Spelman

This talk will provide an insight into the resources and tools that should be considered when looking to gain an understanding of the risk associated with moving to a cloud environment, and further discusses methods for assessing the security of cloud service providers (CSPs), primarily focused on Cloud Security Alliance (CSA) methodologies and tools.

The review will specifically look at the CSA STAR (Security, Trust and Assurance Registry), a searchable registry which allows potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to a higher quality procurement experience.

Additionally, Ross will discuss the CSA CCM (Cloud Controls Matrix), which can be leveraged to assess individual cloud providers that may not yet appear on the registry. Ross will demonstrate how the CCM overlaps with existing industry standards and regulatory requirements, with specific emphasis on PCI DSS nuances regarding scoping and network segregation in the cloud.

12B Certified Security: Assurance or Trust? Helvi Salminen

Several security certification schemes have been created for organizations, products and security professionals. These security certifications are used as “quality labels” – having the right kind of label means that there is a good level of assurance of security. So, if an organization or individual hands over sensitive assets to a certified entity there is no reason to be worried. Or if a product has a security label we can be sure that it works as it has been designed.

But what does a security certification really tell us about the certified entity? Can we be sure that a certification – compliance with a set of security requirements – means a good level of security?

This presentation discusses the limits of assurance – how much assurance various types of security certifications give, and how much must still be covered by trust. The factors impacting the credibility of certification schemes are also analyzed – how the standards are constructed, the importance of auditor accreditation schemes, the individual auditor’s competence, organizational culture and management commitment, among others.

The presentation is designed to have a practical orientation, and several different security standards and certification schemes are analyzed.

The purpose of this presentation is not to give the idea that certifications are useless; on the contrary. However, the limitations of certifications are essential to understand so that an organization can establish the right level of trust and controls.

8S Reducing the Unknown Unknowns: Using SABSA to Improve Threat Modelling & Risk Assessment Chris Blunt

“There are known knowns, there are things we know we know. We also know there are known unknowns, that is to say, we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.” - Donald Rumsfeld, 2002.

There is risk associated with everything we do, from crossing the road and driving to and from work, to the use of information systems to support and enable business capabilities. While we accept the risk associated with most day-to-day activities without too much conscious consideration, we spend a large amount of time trying to identify and manage risks associated with the use of information technology. Despite this, many information security risks are still not identified or effectively managed – these are our “unknown unknowns”.

This session will be an interactive discussion exploring how threat modelling and risk assessment can be improved to reduce the number of “unknown unknowns”. It will cover a range of topics including:

  • Techniques commonly used to identify threats and their relative strengths and weaknesses.
  • Approaches to improving the quality and repeatability of threat modelling and risk assessment.
  • Using SABSA methodologies and techniques to improve threat modelling and risk assessment.
  • Presenting the relationship between the identified risks and the business opportunities, goals and objectives.

9S No Risk, No Glory Pascal de Koning

Risk is the downside of opportunity. “Nothing ventured, nothing gained”, they say. On the other hand: no goal, no risk. What do the traditional vectors of risk, being ‘chance of event occurring’ and ‘impact of event’, tell us about the relationships of goal and time with risk? And how does that reflect on current business practices?

Besides cyber risk, there is business risk, project risk, architecture risk, safety risk, etc. What is the relationship and proper balance between the management of those risks? Did the big banks that recently failed spend too much on cyber risk and too little on business risk?

For cyber risk management, ISO 27005 is a widely used standard. It helps to identify the areas where measures should be taken, based on a risk assessment. However, the risk assessment data often have a huge factor of uncertainty that is not displayed in the results matrix. So, does it really address risk or are we missing something here?

Finally, security controls are generally considered as a negative thing, a burden you need to have in order not to be vulnerable. I’d like to turn this around. A security measure offers protection to an asset or it contributes to achieving a security objective. Thus, security measures have a positive effect on the achievement of business goals and by qualifying this relationship it is possible to prioritize them according to added business value.

10S Moving Beyond SWIFT Payments: A Whole Bank SABSA Implementation Ross MacKenzie

Westpac Banking Corporation is a multinational financial services provider.

Westpac is one of Australia’s "big four" banks, and is the second-largest bank in New Zealand. At COSAC 2009, we presented “A Journey Through Modernisation of an ESA at a Leading Bank”, and this year we are back to share our achievements, lessons learned, and next steps.

With this presentation we will demonstrate how the SABSA Method influenced the security architecture of Westpac's Strategic Investment Programs including, but not limited to, large scale:

  • Enterprise perimeter security environments;
  • On-line banking platforms and applications;
  • Enterprise service bus implementations.

We will outline Westpac’s approach to managing the risks of current industry trends, such as infrastructure virtualisation, private cloud deployments, business asset zoning and service management.

We will share our real-world lessons for “what can go wrong” in addition to the great things that “can be achieved”.

11S Battle Royal: Functional Comparison of EA Frameworks Jason Kobes
Bill Schultz

What EA framework do you use and why? Which is the best? If you are using EA, do you need an ESA (SABSA)? How about the opposite? If you are using SABSA, do you need to use an EA framework in addition?

We asked ourselves these questions and began to research. We found an existing document that performed a comparative analysis of 4 major EA frameworks in 2007. These four were TOGAF, Zachman, Federal Enterprise Architecture (FEA), and Gartner. We reviewed and updated the matrix and then added SABSA to the comparison. We then looked at the comparison matrix for any important EA requirements that were not included. What we found may surprise you.

Not for the faint of heart, this session will review this comparative analysis of EA Frameworks and will challenge participants to a debate that may change the way you think about enterprise architecture.

12S Enterprise Data Protection - the lifecycle Ajit Gaddam

In this presentation, I wanted to share the implementation of data protection in a large enterprise that started from a 6-page presentation to a complete enterprise rollout. Learn how the business justification went through, how the standards were created, sensitive data discovery was performed, where encryption fit and most importantly did not. Also learn how certain sensitive data was tokenized and where tokenization is not a silver bullet, how Big Data was leveraged and where it was chaotic, how the non-production was secured with secure data management, and the whole thing monitored. The crucial component - a SABSA methodology based data protection security architecture and implementation using TOGAF framework.

13P Spread Spectrum, Wireless Security & The World’s Most Beautiful Geek John O’Leary

For the Tony Sale Memorial session of 2014, we cover the unlikely pairing of an actress lauded repeatedly as the world’s most beautiful woman and a composer whose best known work caused riots in the streets and fistfights in the theatres. The pairing was not romantic, but inventive. Way back in the early 1940s, they invented and patented a “Secret Communication System” – the basis for solid security in a massive number of current devices.

She certainly didn’t look like a geek. And in her movies and interviews, she never sounded particularly technical. Yet Hedy Lamarr, frequently cited in the 1930s, 40s and 50s as “the most beautiful woman in the world,” along with her co-inventor – composer George Antheil – was granted the patent on a frequency hopping technique that serves as one of the cornerstones of security for wireless devices even today.

A rare mix of brains and beauty, Ms Lamarr never received a cent from any of her inventions. Hedy and George signed over the rights to frequency hopping spread spectrum to the US Navy, but the invention was so far ahead of its time that the Navy didn’t initially understand what it had.

We’ll cover her story, the invention and how it relates to security for the mobile, connected world of 2014 and beyond.

14P The COSAC Rump Session Various

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at before 10AM GMT Friday, September 26.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday October 1.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of four minutes will be allocated for each presentation.

W1 Security, We Have A Situation! John O’Leary

It may not be as headline-worthy as the Target breach or the Snowden insider information compromise, but chances are, your organization will have to deal with some sort of security “situation” sooner or later … probably sooner. Maybe it’ll be an attack, logical or physical, random or targeted. Maybe a dishonest or politically motivated employee (or contractor) will steal and/or lay out your firm’s deepest secrets. Perhaps a lawsuit, bad publicity, or a merger, acquisition or major reorganization will rattle or even topple some columns on your painstakingly architected and carefully crafted security edifice. It could even be an honest mistake or misinterpretation.

In this COSAC half-day class, we’ll examine options for effectively handling things when management tells you “We have a situation.” We’ll look at procedural necessities of intrusion detection and response (with or without IPS and IDS) and elicit your experience-based reactions to multiple types of sensitive security scenarios. As time permits, we’ll analyze situations that you present, both real and hypothetical, to garner suggestions from other class members.

When the ball drops, we want to be ready.

W2 Complex Challenges in Security G. Mark Hardy
Char Sample

The rate of change in security challenges is outstripping most organizations' ability to respond effectively. New attacks, new technology, new strategies; unless one is a master of all, they will succumb to defeat.

This session is designed to be interactive in nature with the presenters introducing key security topics, explaining the issues and offering recommendations, then opening up for audience participation to debate the merit and considerations of other solutions.

Topics will include: Big Data security vulnerabilities, supply chain attacks, transposing security into virtualized environments, The Internet of Things (TIOT), digital currency, the security "hangover" of continued Windows XP usage, as well as key topics that may emerge between submission time and presentation time.

W3 Theory & Practice are Not the Same

Part One – The Theory & Practice of Using SABSA Chris Blunt

As Albert Einstein said,

        “In theory, theory and practice are the same. In practice, they are not.”

The SABSA framework, methodologies and techniques provide a robust approach to the development of an Enterprise Security Architecture (ESA). However, when it comes to actually applying SABSA to develop an ESA it can be difficult to know where to begin.

This session will provide an overview of a model developed to apply the SABSA methodologies and techniques in a logical order when developing an ESA, and presents a real-world example of its application to develop an ESA for a mid-sized government agency.

Specifically it will look at how the SABSA framework, methodologies and techniques were used to:

  • Establish clear accountabilities and responsibilities for information security to ensure that it is considered and addressed at each stage in the lifecycle of a business capability;
  • Establish the security services and capabilities required to maximise the opportunities associated with the business capabilities whilst minimising the information security risks;
  • Provide a consistent method for the design and implementation of security services and capabilities to reduce costs and operational complexity by enabling reuse and minimising the implementation of siloed point solutions; and
  • Provide on-going assurance that its information security risks are being effectively managed by demonstrating that security services and capabilities have been implemented as designed and remain effective during their operational lifespan.

It will also discuss some of the challenges encountered during the project, together with the strategies that were used to overcome them.

Part Two – The Problem Set: Hard-Earned Architectural Lessons Nima Khamooshi

Have you started to undertake an enterprise security architecture effort? Are you not sure about what types of challenges lie ahead? If you've taken the SABSA courses and are ready to forge ahead but aren't sure about what problems lie before you, come to this interactive session to experience, debate, and discuss some of the major problem areas experienced by chief information security architects in their delivery of security architecture and consulting services in a variety of large, complex entities.

We will cover many of the standard problems with architecture efforts and the solutions that help make your effort a success, such as: the 'know it all' security staffer, SABSA terminology problems/weaknesses (i.e. the Terminology wars), the need for architecture and how to 'sell it', the 'nuh-uh that's not true' scenario, and many, many others. This session will provide anonymous case studies to spur thought and discussion amongst fellow architects to help move everyone's skill sets forward.

Copyright © 2014 COSAC
- All Rights Reserved -