M1 COSAC International Roundtable Forum John O'Leary    

The 2016 edition of the Forum gives immediate emphasis to one of the defining characteristics of COSAC and one of the foremost reasons that COSAC is regarded as the best Information Security conference on earth. Participants participate. For a full day, a roomful of veterans with 15+ years’ experience will look at presented information security situations from as many different angles and viewpoints as their combined knowledge and hard-earned wisdom have afforded. The moderator will describe some actual, recent scenarios and usually pose a question or two about what the involved people did and whether or not the delegates in the room would have done anything differently. Then the real learning begins. For every clear and obvious solution posed by one delegate, another may well say “That’s fine, but it won’t work in my country … or industry …or specific organization …or with my budget.” Or another may chime in “Yeah, it sounds good and looks good on paper, but here’s what I experienced when we tried it.” Now the group digs deeper into that scenario, adds to its understanding, and can usually come up with reasonable, workable alternatives. And everybody benefits. Fist fights are rare.

We’ll also try to predict the future for Information Security. Will IoT change everything and make our organizations unsecurable? Is cloud computing amenable to controls? Are biometric access controls really better than something you know and/or something you carry? How will new and proposed laws in different venues affect our privacy controls and requirements? What additional physical security controls do we need to learn and use in an age of terrorism?

Come join us and help solve the problems of the world with a full day immersion into the COSAC way.


M2 Privacy in the 21st Century: Conundrum or Cliché?

Part One – Why We MUST understand Privacy Todd Fitzgerald

Privacy has taken center stage in the past few years. No longer is privacy just about the privacy notices that are sent in the mail or the privacy policy posted on a website. Privacy, as long defined in the EU, is about protecting the fundamental human rights of individuals.

But... and here is the But... at what cost? Where is the 'line we should not cross' with privacy? How much personal information are we willing to give up to get the services of the new app? Are we ok under the emerging Privacy Shield regulations to share data with the US?

Should information located on a server in the EU be accessible by court subpoena in the US? Should countries localize data so that it never leaves the country, and what are the impacts of this on commerce? Where do model clauses, binding corporate rules, transborder processing, GDPR, and the global laws come into view? What is the impact of IoT in our homes, and what is its impact on privacy?

This session will be an interactive discussion of these issues and of what the security professional should do to mitigate the risks.

The presenter has a track record of presenting material in an interactive, engaging way through the use of audio, visual, props, informative content and participation.

Part Two – What Price Our Data Privacy? Siân John

Data privacy has been an increasingly important topic over the last 2-3 years. Many consumers have only recently become aware of the changes to their privacy involved in online activity. In the 2000s, with the rise of social media and internet services, many of us sleepwalked into giving up our private information in return for products and services. This is getting worse with the growth of the Internet of Things, including wearable technology.

The increasing prevalence of data breaches and the Snowden revelations have led to reduced trust from consumers. Privacy, or the lack of it, has never been more important to our economic growth.

This has been borne out by studies this year which have shown that the expansion of the Internet of Things market is dampened by consumer concerns over the security of the solutions on offer and the security provided.

Many countries and regions in the world are currently updating their privacy and national security legislation to address the challenges of new technology and protect their citizens.

During this session we will discuss:

  • Examples of legislative changes, such as the EU General Data Protection Regulation, and their impact.
  • Can good privacy practices provide a competitive advantage?
  • What is involved in privacy by design? Is it achievable?
  • Is it possible to protect national security and individual privacy at the same time?

Part Three – When Privacy Goes Poof! Richard Thieme

“Get over it!”, as Scott McNealy said years ago about the end of privacy as we knew it, is not the best advice. Only by understanding why it is gone and never coming back can we have a shot at rethinking what privacy means in the context of our evolving humanity.

The presenter provides a historical and social context for some of that rethinking. He goes both deep and wide and challenges contemporary discussions of privacy to get real and stop using a 20th century framework.

Our technologies have changed everything, including us. We humans are loosely bounded systems of energy and information. We interact with other similar systems, both organic and inorganic, "natural" and "artificial." These “differently sentient systems” all consist of nodes in intersecting networks extending in several dimensions. We have always known we were like cells in a body, but we emphasized “cell-ness.” Now we have to emphasize “body-ness” and re-imagine who we have become.

What we see depends on the level of abstraction at which we choose to look. Patterns extracted from data are either meta-data or just more data, depending on the level of scrutiny. The boundaries we like to imagine around our identities, our psyches, our "private internal spaces," are violated in both directions, in and out, by symbolic data that, when aggregated, constitutes “us.” It's like orange juice, broken down into different states before recombination as new juice; it is reconstituted by others but still constitutes “us,” and we are known by others more deeply in recombination than we know ourselves.

To understand privacy - even what we mean by “individual human beings” who want it - requires a contrary opinion. Privacy is honored in lip service, but not in the marketplace, where it is violated or taken away or eroded every day. To confront the challenges generated by technological change, we have to know what is happening so we can re-imagine what we mean by privacy, security, and identity. We can't say what we can't think. We need new language to articulate our experience and grasp the nature of the context in which we live. Then we can take the abstractions of data analytics and Big Data down to our level.

The weakest link in discussions of privacy is the definition of privacy, and the definition of privacy is not what we think. But pursue the real at your peril: Buddhists call enlightenment a “nightmare in daylight.” Yet when the screaming stops, it is enlightenment, still, after all. That clarity, that state of being, is the goal of this presentation.

Part Four – Ethics as Pacemaker: regulating the Heart of Information Privacy Protection Valarie Lyons

Information privacy protection is an important information management issue that continues to challenge organisations. The dynamic nature of the field, coupled with technology caught in the midst of conflicting human forces, leads to a challenging and ever-changing target - particularly now, with the growth of big data analytics, as the lines between the secondary-use and improper-use dimensions become somewhat blurred. With several high-profile privacy breaches in 2015, organisations continue to clearly demonstrate their misuse of data without appropriate consent, and their employees continue to follow practices that result in breaches of information privacy. Regulation alone does not appear to be effective.

Contemporary research findings reveal that information privacy protection approaches embedded into core strategic values such as CSR can result in more effective privacy controls, which can lead to fewer privacy breaches, which in turn can result in increased consumer trust. In this presentation, I will explore the anatomy of an ethics-based information privacy protection approach, and how an organisation could strategically embed such new values into its core business model. The development of an ethics-based information privacy protection program is an innovative concept and the core of my PhD research. In 2015, Giovanni Buttarelli, the European Data Protection Supervisor, stated that organisations must adopt an ethical approach to the collection and processing of data, noting that if ethics are not driven into the management of information privacy, privacy breaches will continue to rise in number and magnitude. This concept of ethics is also incorporated ‘in principle’ into the General Data Protection Directive, which is to be implemented in full by 2018.


M3 The 2nd COSAC Security ‘Design Off’ Jason Kobes, William Schultz

In the spirit of hack-a-thons, this is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned security architect or looking to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. This is not a session where you will sit and listen to people telling you how to do something. Teams are made up of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client's needs. Last year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security architecture practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement. Other spot prizes will be awarded by the moderators in addition to this, to recognize outstanding efforts of participants.

This competition was born out of a desire to provide a venue for security architects to apply skills in a safe environment. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may not be other practitioners in their organization to learn from. The overall goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. Attendees at the 1st Design-Off last year marked this as one of the highlights of the conference, and we hope you will leave feeling the same way.

A few of the hardest problems SABSA architects face are working alone and getting started in the face of challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to overcome those challenges and deliver actionable architecture quickly. It can be done; this activity proves it.



1A How to break a Top Secret cipher Andy Clark

In early 1940 a group of policemen on the South Coast, who were listening out for possible German spy radio transmissions from inside the UK, heard signals of a type previously unknown to them. They were teleprinter signals being transmitted from Germany, enciphered using the Top Secret Lorenz cipher machine that protected the strategic communications between Hitler and his generals. In contrast to the complexity of the Enigma machine’s three (or four) rotors, the Lorenz machine had twelve and, unlike the Enigma, the British had no idea of its design or operation – indeed they would not see a Lorenz machine until after the war in Europe was over.

The interception and subsequent analysis of the Lorenz traffic started a chain of events that would lead, four years later, to ten Colossus computers at Bletchley Park routinely finding the wheel start (key) positions for Lorenz machines in a matter of hours, allowing the linguists in the Testery to deliver the highest levels of strategic intelligence to the allied forces in advance of the D-Day operations, including briefing Eisenhower on Hitler’s belief that the Normandy landings were a diversion.

Behind this exceptional achievement lie the stories of extremely gifted, but historically poorly recognised, individuals, including Bill Tutte, who reverse engineered the design of the Lorenz from intercepted messages only, and Tommy Flowers, who designed and led the build of Colossus, the world’s first programmable electronic computer. Their intelligence, innovation and tenacity delivered the holy grail of cryptanalysis – using statistical methods on ciphertext only. The sensitivity of their achievements meant that their full story was not told until comparatively recently and, even now, some elements of the role of the Colossus machines that were moved from Bletchley Park to (what is now) GCHQ remain untold.

In this session we will explore the story of Lorenz, Heath Robinson, Colossus and those behind what it took to break the Top Secret cipher. We will consider the legacy of Colossus and those technical innovations that went underground in 1945 and did not reappear until some ten years later in the commercial world.

This talk is dedicated to the memory of Tony Sale.


2A RAT Hunting Rob Hale

Remote Access Trojans (RATs) have become one of the most widely used tools by attackers over nearly 20 years. RATs such as NetBus and Back Orifice started as “prankware”, yet were rapidly adopted by the hacking community for malicious use. From the 1999 NetBus-based attack on a legal scholar from Lund University to the 2015 hacks of the Office of Personnel Management and Anthem using the Sakula remote access Trojan, we have seen a dramatic increase in the development, monetization and use of RATs. As the threat becomes more pervasive, we as security professionals must not only understand the impact of RATs, but must understand the entire supply and attack chain.

This presentation will focus on three key areas. First, it will present a brief history of RATs and their usage in major attacks over the past 18 years. The second section will take the audience through the RAT supply chain, discussing the process of building, finding, acquiring, configuring and deploying a remote access Trojan. The third section will focus on current and proposed future methods of detecting and, ultimately, preventing RATs from infesting the environments we defend.

Should time be available, a demonstration and walkthrough of the Poison Ivy, Dark Comet or Blackshades RAT will be conducted at the end.


3A Anti-Ransomware G. Mark Hardy

CryptoLocker, CryptoWall, and their dark cousins thrive on extorting funds (often in the form of Bitcoin) from unsuspecting victims who inadvertently trigger the payload. Last fall the Cyber Threat Alliance estimated one malware variant had already generated US$325 million in payments. Will ransomware become a permanent change in the landscape, like post-9/11 airport security, or are there ways to break the back of this infection vector and send criminals scrambling for something else?

This is not just a talk -- it is also a discussion. By providing sufficient background and detail, COSAC participants will then be able to contribute their insights and ideas to create what might be game-changing recommendations for what has become a scourge of the decade. The presenter will share several recommendations from his research, and we'll try to build a better mousetrap. (Speaker is NOT a vendor; just a regular presenter at COSAC.)


4A Big data for cyber security: golden eggs or a stinky mess? Marleen van Emmerik

I once heard a conversation at a conference. One person was telling the other how much data his department had stored. The other responded: “Wow, that much data, sitting there like golden eggs ready to be picked.” The first one responded with this question: “But how do I get to these golden eggs?”

This talk is about a cybersecurity project I am currently working on at a large bank. In this project, we apply the security architecture approach in order to align big data analytics with business objectives. I will start with the business risk profile, leading to services that have to do with big data analytics and finally giving you an idea of the implementation of these services. After that, we will go from the physical level back to the business level, to reveal the ‘golden eggs’.

Some highlights of the presentation:

  • We will make a relation chart of the buzz-term big data:
    - machine learning, correlations, lots of data etc.
  • I will draw the business attribute profile of the project:
    - awareness, network visibility, self-actionable etc.
  • I will elaborate on the services:
    - anomaly detection, pattern recognition and the actor model
  • I will tell you what I think leads to golden eggs:
    - for example, understanding models vs understanding the data
  • In a true COSAC style, in the end I expect you to tell me what you think leads to the golden eggs


5A Scenario Analytics: Unknown Knowns in Your Data Andrew Lea

This presentation will address the 'unknown-knowns' in your data. When security incidents hit, the evidence that it was going to occur is often retrospectively visible in your data, but was not identified in advance. This class of incident can manifest itself in many areas, from network intrusion to fraud, and from pandemics through to asset protection.

There are systemic reasons why this is so, which this presentation will explore. It will also examine the approach that should be used to preempt this problem, which we call scenario analytics.

Technically, this problem is also exacerbated by ever-growing data sizes. Parallel processing solutions are only appropriate to a subset of problems, because many interesting problems are intrinsically hard to partition. Techniques to address the data size issue will also be outlined.

There are also data issues of confidence and errors, confidentiality, proportionality, and of course security, all of which need to be respected and all of which make analytics harder; these will also be discussed.

Finally we will demonstrate technology to enable Scenario Analytics running on big datasets and interesting scenarios.


6A Big Data in Healthcare John O'Leary

Big Data and ever-more-sophisticated analytic programs and techniques are revolutionizing healthcare. We visualize pinpoint accurate diagnostics in the most complex, difficult cases. We’re promised patient-specific treatment and rehabilitation plans. The vision includes the best specialists, no matter where located, having immediate simultaneous access to all relevant data presented in the most cogent, usable form. All records are accurate, complete, accessible by those authorized, and completely secure.

But those of us who’ve been in IT Security for any appreciable time have an internal red flag that goes up upon hearing “It’s gonna be great!” Then those euphoria-deflating security questions start multiplying and running through our somewhat addled brains. Where is all this data coming from? Where will it reside? Who controls it? Who grants access? On what basis? How do we know it’s accurate, relevant? Is it complete enough for life and death medical decisions? What about analytics system administration; data monitoring and correction procedures; incompatible security architectures? Oh yeah, and what about patient privacy?

Big data in healthcare is neither a fad nor merely a trend, it’s a revolution. There’s no going back. Join us as we look from a security perspective at both the bright and dark sides.


1B How to Get Heard Martin de Vries

Of course, security has been present as a department for ages. However, somehow we got into a situation where we found ourselves not really having an effect. IT was fully busy doing their own stuff. Yes, we were 'managing' and 'overseeing' the security processes within the organisation. We ensured all systems got their AIC rating, and based on that we ensured that all systems were checked against the security baseline.

However, when we looked outside of the organisation we saw the threat landscape changing. Cybercrime and malware were (and still are) on the rise. And the organisation wasn't adapting, despite the numerous efforts and memos we were delivering to management. So, what to do? We had to find a different way of communicating with the organisation.

We defined 9 Top Risks which, from our view, are important for the organisation to mitigate, and we drafted a heat map on which to plot those 9 risks.

We struck the right chord! Management liked it and was listening. And, most importantly, was taking action.

In this session (with hopefully lots of debate from the participants) I want to brief the COSAC audience on how the model works. What are the 9 Top Risks? What does the heat map look like? And, most importantly, why does it work?

Having visited COSAC conferences twice, I (think I) know what the COSAC audience would like to see. In this case it will be an insight into the true journey we took to get security top of mind within the IT organisation.


2B From Director IT Security to Chief Cook and Bottle Wash Michael Hirschfeld

I first presented at COSAC in 2004 when I was the Director of IT Security for the Australian Taxation Office. Over the past 12 years I have worked in a number of senior ICT roles and in a number of Australian Government Agencies and have spent the last 8 months acting as the Chief Information Officer for the Australian Department of Finance.

This role gives me a unique perspective on the management and leadership of ICT Security.

I will focus on what I need from the security team to make decisions and run the ICT business and how what I think is important might differ from what the security team thinks is important.

Specifically, I will cover issues such as: presenting and communicating risk; strategic business outcomes, ICT Strategy and ICT Security Plans; the relationship between technology and people in an organisational context; and the importance of delivering outcomes for the organisation rather than security outputs. I will also touch on some issues that, as a Director of IT Security, I thought were overly mundane but now view as critically important, such as: managing the budget; identifying priorities for the ICT spend; and working with partners and vendors.

ICT Security is a cornerstone of the enabling infrastructure of the organisation and a CIO must be able to create an effective dialogue with the executive that addresses security. This session should leave you with a better idea of how to support the CIO in having those strategic conversations that will lead to better security outcomes.


3B 2020 Vision for the 2020 CISO Todd Fitzgerald

The role of the CISO has evolved substantially over the past decade as awareness of breaches has moved into homes and boardrooms at an alarming rate. This session will look at the role of the CISO in governing information security practices, the reporting structures, and relationships with the rest of the “C-suite”, and ask where we go from here. What will CISOs have to do to keep their jobs in 2020?

This will be a presentation reviewing how we arrived at this point; however, it will primarily be an interactive discussion of the skills, knowledge, and technologies necessary to compete as a CISO. Right now the market is hot; however, as the supply gets filled, CISOs will need to differentiate themselves. This session looks at that differentiation.

The presenter has a track record of presenting material in an interactive, engaging way through the use of audio, visual, props, informative content and participation.


4B On the Emergence of Security Education: a comparative analysis of security curricula in the Netherlands Esther van Luit

Only recently has formal security education taken a foothold in the Netherlands, undoubtedly answering to the increasing demand for security professionals in the market. As the security body of knowledge is still very much in development, the nature of the curricula of these studies is of interest to the industry. As the speaker takes part in one of these new security studies and is concerned with its curriculum through the study programme committee, she has investigated the different security curricula in the Netherlands and contrasted them.

In this session, the speaker will present the results of the analysis, followed by an attempt to draw conclusions on the current state of Dutch security education. The speaker is interested in discussing with the attendees what elements still seem to be missing from the curricula, and what elements are present in the curricula in their native countries. Doing so should lead to pointers with which we can advance the state of security education for the industry and train the best future security professionals possible.


5B Hacking the Security HR Supply Chain K. Patrick Wheeler

-a subversive approach in sourcing human diversity, gender rebalance and cost minimization-

Building a Cyber Security Apprenticeship program using atypical talent, MOOCs, experiential learning and the Jedi Padawan’s Oath. An analysis of some failures, qualified successes, surprising multipliers and comments on how to scale.

As a group of 'technical experts' with years of experience, a 'diverse' talent pool and supply chain is lacking. Worse yet, a competitive culture (“…are you technical?”) and a focus on credentialism (“… more STEM graduates”), with endemic one-upmanship and shibboleths, drive NPCs away, retard efficacy and business credibility, and increase costs.

We examine a tri-modal apprenticeship program from the CSO of a Swedish/Luxembourg private bank:

  1. classic 9 month internships (1,000€/mo)
  2. work-study program (1,000€/mo)
  3. ‘starter’ with a degree in informatics (1,400€/mo, Luxembourg reimburses 1/2 the salary for the first year)

and offer comments on experiences extending this to a Global Enterprise.

Failures in traditional sourcing came from Universities (“…our students are studying IT Security, not Finance, why would they work in a bank?”), Human Resources (try asking your HR to ‘find CVs showing spark’) and advertising ‘Security as a Career’ to gender-specific young-professional technology forums (GeekCarrots#4). Successes came from value-add side-channel attacks and honeypots (‘California -style- Career Clinic’), direct recruitment/reputation and human resources (once they ‘got it’).

We developed a customized and individualized approach (not the same) with thrice weekly career and company coaching (not the same) with vertical integration (IT, Risk, Audit) and substantive work assignments:

  1. Technical & Sensitive: forensic/ incident investigations, audit management, vulnerability, internal threat analysis
  2. Project Management: full IAM re-design, overall vulnerability remediation, physical security gap and remediation
  3. Business Critical: CFO’s BPO effort, awareness training, user entitlement reviews

We realized surprising knock-on benefits in engaging introverted mid-level and senior technical experts in a mentoring program. Surprising challenges came from consultancies' attempts to recruit apprentices before their engagements were completed. Lastly, with the ‘cool kids’ being the security team, our overall security ‘engagement’ program became visible throughout IT and the Business, and reached the Board level.


6B Women in security: the drivers & challenges in getting 'the other half' to contribute to the industry Esther van Luit

On a global average only 10% of the people working in the security industry are women, and this includes those working in communication and marketing. In the Netherlands, this percentage is only 3%. The speaker has been involved in research with a Dutch institute to further investigate the causes of, and countermeasures for addressing, the extraordinarily low share of women in the industry. Considering that the security industry will be short 1.5 million security professionals globally by 2019, we cannot afford to let half of our population sit idly by without investigating the reasons for them not taking up a career in this industry.

The speaker noticed an interest in this topic during COSAC 2015, and therefore feels attendees would be interested in the preliminary conclusions of this research and possible directions for solutions. The second half of the session is intended to reflect on and debate the merits of actively addressing this issue from the perspective of the male and female attendees.


1S Practical Process Decomposition using the APQC Process Framework Andrew S. Townley

Horizontal and vertical process consistency is a key principle of the SABSA methodology, but in practice, many teams have a hard time turning the principle into concrete pieces of a security architecture. Sometimes, people don’t know or can’t access the definitive list of processes, and sometimes it’s hard to find the right ways to talk about the processes in meaningful business terms.

This session discusses an alignment of the APQC process and benchmarking framework with SABSA, so that addressing the How of the business becomes much more straightforward and communications between “the business” and information security can take place at the right level and with the right language. Participants will understand how they can use APQC and SABSA in their own Security Architecture work to identify areas of enterprise risk, candidate domain models and process-related requirements from a business perspective.

Specific topics to be covered include:

  1. Introduction to APQC
  2. Issues and inconsistencies of ESA and APQC
  3. Using APQC as a lens to identify ESA attributes and domains in any organization
  4. Leveraging APQC benchmarking metrics for Information Security
  5. Mapping and alignment of the APQC Categories and Process Groups with SABSA
  6. Overlaying common risk domains with the APQC Process Categories
  7. Areas for further development


2S Modelling Security Architecture Narendra Ramakrishna

SABSA provides an excellent framework for business-driven Enterprise Security Architecture and Design. Aspects such as the business attributes profile, domains and trust modelling are something that the industry has not witnessed in most other architecture frameworks. Although there have been attempts to “model” security architecture with boxes, lines, ellipses and circles, there is a void in the area of modelling enterprise security architecture in a way that the industry could use and potentially align with other architectural notations such as ArchiMate or, in the design space, UML. The intent of the paper is to propose a simple yet comprehensive technique to model enterprise security architecture and design aligned to SABSA that enables –

  1. Standardisation of the SABSA Enterprise Security Architecture framework by formalizing the common language used, in the form of an ESA modelling notation
  2. Reusability of model artefacts (not documents) to enable enterprise- and department-level collaboration and knowledge management
  3. A generic or organisation-specific library of assets for various ESA artefacts such as – business attribute profile(s), security services, mechanisms and components, and associated views
  4. Tool-assisted development using a separate toolbox for ESA that augments Enterprise Architecture (TOGAF) modelling using ArchiMate


3S Modelling Security Zones Jaco Jacobs

In large enterprises, not all data is, or can be, treated equally in terms of security. Attributes, such as confidentiality, integrity, availability, access control, audit, location and transport, need to be aligned with the importance of data and associated levels of trust.

This leads to a paradigm that data and resources with similar protection requirements and governed by the same security policy can be grouped together. On the other hand, data and resources with diverse protection requirements and governed by different security policies must be kept separate.

A good-practice approach to achieve grouping as well as separation of data and resources for security reasons is security zones. Zones of trust help enterprises to understand the degree of confidence that is granted to individuals, systems and networks, intentionally or unintentionally, based on the associated risks and value of assets.

In this workshop, we will explore some techniques that allow architects to develop security zones for large enterprises from conceptual construct through to physical instantiation.


4S Ultra-Mega-Super-Fast SABSA Balanced Risk David Lynas

Getting started. When I ask the professional community about the most difficult challenges they face, I often hear those two words in response. Getting started. To begin with we have a people problem: this process, like all perceived change will be resisted by the powers that be, so how will I get them to believe in it? And anyway, everyone knows it is so time consuming and so incredibly complex.

But is it not a primary function of the Enterprise Architect to make the difficult simpler and repeatable?

In typical COSAC style we will address this thorny challenge not theoretically but by actually doing it. In one solitary hour. All the way from a top-level requirement, through multi-tiered Attributes, defining measures & metrics along the way, articulating risks and opportunities and their traceable control and enablement objectives. We’ll even ‘launch’ and try to squeeze in a practical application of the newly-refined SABSA Multi-tiered Strategy for defence-in-depth both positively and negatively.

Having allocated just one hour, let’s find out if we can make the time-consuming become rapid; the complex become instinctive; and the resisted become welcomed. Results will be circulated to all participants and summarised at the COSAC Rump Session.


5S Value-based Risk Management William Schultz

In Information Technology, many risk assessments tend to deal primarily in qualitative risk measurements. That is, risk assessments and risk mitigation strategies tend to use general rankings for impact and likelihood, such as low, medium, and high, with little quantifiable justification to support it. These are often derived from assessments using industry best practices or standards and assigning a level of risk to any gaps. In some cases this is fine because best practices are there for a reason, and can provide a useful gap assessment and clear areas of improvement. However it can also create challenges when you try to prioritize mitigation strategies or begin to justify a budget for each mitigation strategy. We seem to be lacking mature methods for assigning quantitative values in risk management models that can help us ensure that we are properly prioritizing our remediation strategies, and validate that spending related to risk remediation is in line with the impact and likelihood of the possible loss.

In this session we will discuss some of these issues and identify advantages and disadvantages of both qualitative and quantitative approaches to risk valuation. We will also look at a case study of an organization's attempt to incorporate quantitative metrics into enterprise IT risk management, looking both at what seemed to work and what did not. Finally we will discuss things that the security community can do to improve the way we assign value to organizational risk, including lessons that we might learn from other industries.


6S Leveraging SABSA in the NIST Risk Management Framework Jason Kobes

The NIST Special Publication 800 series provides some great guidance regarding Risk Management; however, the guidance often leaves organizations with many questions regarding how to integrate it. Fortunately the NIST risk management guidance follows some of the same core principles used in SABSA. The NIST 800 series calls out many attributes, such as Assurance, Traceability, Trustworthiness and Resilience, to name a few. In addition, the principles of governance, risk management maturity, iterative improvement, continuous monitoring, security domains, trust models and many other risk management principles can be found in both the NIST risk guidance and the SABSA framework.

In this session we will look at how NIST calls for the use of EA and ESA; we will explore and discuss how SABSA can be used to efficiently and effectively implement the NIST Risk Management Framework with confidence.


7P From zero to SABSA; a journey in financial services Dimitrios Delivasilis

Financial services, and in particular payments, is the new battlefield of the financial sector. Technological disruptors, the pervasiveness of micropayments, and an ever growing appetite for frictionless transactions are just a few of the drivers that force traditional business models to change, long lasting strategies to be reviewed and new partnerships to be formed. The frenetic pace at which these events unfold puts additional strain on the already fragile relationship between business and technology, let alone information security.

This presentation constitutes a real-life use case of a dominant payments company that decided to employ SABSA methodology and principles to challenge the old paradigm of information security and eventually to facilitate a rather demanding transformation. The word “journey” in the title sets the right tone from the beginning and aims to manage the audience’s expectations. This is not a typical presentation that focuses almost unilaterally on the current (As-Is) and target (To-Be) architecture; most importantly, it explains the motivation for using SABSA, highlights the logical steps that were followed as part of that journey, emphasises the challenges faced and reiterates the achievements and their value for the entire organisation. Sharing this unique experience with the COSAC community could enable the participants to draw a parallel between Visa’s and their own organisations’ approach to using SABSA.



8A Enumerating Software Security Design Flaws Throughout the SSDLC John Willis

The security challenges we face today are numerous, yet we just can't seem to produce software without including countless security vulnerabilities. About one-third (1/3) of all software security vulnerabilities are due to design errors. To further compound the problem, nonfunctional security requirements often do not get translated into real technical security design features, or controls. To make matters worse, security design features have their own dependencies. Bundle this with design errors that may or may not be uncovered through threat modeling, and it is no surprise that we have the perfect storm. Worse yet, any security functionality implemented to address nonfunctional requirements is unlikely to receive attention during testing. Unfortunately, if we don't address these security design flaws the testers may never notice anyway!

A methodology and evolving mock-up/prototype is introduced to address these problems. A graphical tool that is SysML compatible is the ultimate goal. The high-level re-entrant workflow concept to be used throughout the Secure Software Development Lifecycle (SSDLC) includes:

  • Build the security model
  • Expand the requirements utilizing Security Tactics and repurposed Common Criteria Security Functional Requirements and their dependencies
  • Organize the model and its requirements graphically to account for function reuse
  • Design status check-off of items already addressed
  • Identification of mitigations needed which result from a standardized threat modeling process, and redo above steps
  • Enter level of effort and risk scoring data, thereby providing a Risk-Benefit Analysis ranking
  • Risk decision step to fix or accept risk, documenting any risk acceptance justification
  • Generate list of security requirements changes to be addressed, and update design status as fixed
  • Finalize requirements, documenting any items deferred
  • Output list of all security requirements implemented for documentation and testing purposes
  • Output list of implemented, inherited, and deferred security controls in desired format (ISO or NIST)

The hypothesis is that by employing the above methodology/tool we should be able to establish order where there is currently chaos regarding the identification and satisfaction of security requirements, not only in the solution space-but throughout the SSDLC as well.

The benefits of such a methodology/tool include:

  • Enables characterizing security variables so that they may be controlled
  • Provides a way of enumerating design flaws, errors and omissions, which may account for one-third of vulnerabilities
  • Assists in enumerating requirements by applying standard Security Tactics and packages of requirements, as tied to Common Criteria Security Functional Requirements, then expanding the requirements based on well-defined dependencies
  • Facilitates capture of technical security control requirements based upon chosen mitigations according to a user-defined standardized Threat Model taxonomy
  • Enables enumeration of security functionality required to address nonfunctional security requirements
  • Facilitates decision-making using Risk-Benefit Analysis of each technical security control, generating acceptance of risk documentation
  • Generation of associated details needed to implement the enumerated requirements, for design and coding changes, plus unit, integration, and QA testing
  • Provides details for system security plans in ISO and NIST formats
  • Ability to integrate with other modeling tools via SysML

What makes this approach unique is:

  • Use of Security Tactics and packages to specify groups of Common Criteria Security Functional Requirements
  • Repurposing of Common Criteria Security Functional Requirements, in particular their dependency relationships which are used to further enumerate security requirements and technical controls needed
  • Embedding chosen mitigations for a standardized Threat Model taxonomy to generate even more security requirements and technical controls
  • Enabling Risk-Benefit Analysis of each requirement/technical control
  • Facilitates generating documentation needed for testing and compliance purposes


9A Security Aspects of the Blockchain Ecosystem Rahul Lobo

The blockchain is a decentralized ledger of transactions which are grouped together in blocks that are connected to each other using strong cryptography. It is also trustless and hence does not rely on a centralized authority to broker and confirm that these transactions took place. The blocks are cryptographically connected, making each block of transactions ‘immutable’, i.e. it cannot be modified once it is created. This is built into the cryptographic math of the blockchain and inherently protects it from change or attack.

This talk will be segregated into the below 3 sections

Introduction to Blockchain Security

This talk will cover the security design aspects of the design of Blockchain technology based on the original whitepaper by Satoshi Nakamoto ( with an emphasis on understanding it in simple terms.

The below aspects will be covered

  • What is the blockchain and how cryptography is used to connect blocks and enable distributed ledger technology
  • The mining and consensus process that uses cryptoeconomics to secure transactions from modification and enable trust in the protocol, e.g. miners have to expend a large amount of computational power to find a hash that meets the target; the miner that finds this hash gets the right to append the next block to the blockchain.
  • The various aspects of the blockchain which include the protocol, currency and smart contracts.

Inherent Security Features of Blockchain technology

Once transactions are confirmed on the blockchain they cannot be reversed because they are resistant to change. Anyone trying to change a transaction would have to expend an enormous amount of computational power to recalculate the hash of that block and of every block built on top of it, which is currently not feasible. This makes the transactions resistant to change and immutable.

The blockchain consists of multiple nodes; each node maintains a copy of the blockchain and hence there is no single point of failure.

Highly Available

Blockchains, especially public ones, are always running, as the nodes are always connected to each other in a peer-to-peer manner. This enables 24x7 uptime.

Strong Encryption

A blockchain can be configured to use strong cryptography. The popular cryptocurrency bitcoin uses SHA256^2 (two iterations of the SHA-256 hash algorithm) for validating the blockchain; SHA-256 itself was designed by the NSA. Note that this is a hash function rather than an encryption algorithm. Currently this algorithm has no known vulnerabilities and no collisions have been discovered.

Vulnerabilities of Blockchain technology

51% Attacks

This is considered a very large flaw in the design of public blockchain based systems like bitcoin. Hypothetically, if a single entity contributed the majority of the network's mining hash rate or controlled the consensus mechanism, they would have full control of the network and would be able to manipulate the blockchain at will. An entity with 51% of the hashrate could:

  • prevent transactions from gaining confirmations, hence making them invalid
  • stop transactions between blockchain addresses
  • reverse transactions and allow double spend transactions
  • prevent other miners from finding blocks for a short period of time

Such an attack could undermine the use of the blockchain that came under this kind of attack.

Double Spending

Double spending is a mechanism of successfully spending or performing the same transaction more than once. In a blockchain, if an entity were able to double spend it could possibly transfer a certain asset on the blockchain twice, to two different parties, thus compromising the security of the system. Blockchain based systems reduce the risk of double spending by implementing mechanisms such as only accepting transactions once they have been confirmed a certain number of times, i.e. after a number of subsequent blocks have been confirmed.
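The points above about hash-linked blocks, the cost of recalculating hashes after a change, and waiting for a number of confirmations before trusting a transaction are easiest to see in code. The following toy ledger is an added example written for this page; it is not code from the talk or from any real blockchain implementation. It assumes a constructed difficulty of three leading hex zeros, JSON-serialised headers instead of bitcoin's 80-byte binary header, and a handful of made-up transactions; the block hash is the same SHA256^2 construction the text mentions.

```python
"""Toy hash-linked ledger (added example, not from the talk).

Shows blocks linked by the SHA256^2 hash of the previous block, a proof-of-work
nonce search, detection of a tampered block, the confirmation count of a block,
and how much work an adversary would have to redo to rewrite history.
Difficulty, header format and transactions are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256d(data: bytes) -> str:
    """SHA-256 applied twice (SHA256^2), as bitcoin does for block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str          # hash of the previous block: this is the "link"
    transactions: List[str]
    nonce: int = 0

    def header(self) -> bytes:
        # Canonical serialisation so the same content always hashes the same way.
        return json.dumps(
            {"i": self.index, "prev": self.prev_hash,
             "tx": self.transactions, "nonce": self.nonce},
            sort_keys=True,
        ).encode()

    def block_hash(self) -> str:
        return sha256d(self.header())


def mine(block: Block, difficulty: int) -> int:
    """Proof of work: find a nonce whose hash starts with `difficulty` hex zeros.
    Returns the number of hashes tried, i.e. the work spent on this block."""
    target = "0" * difficulty
    block.nonce = 0
    while not block.block_hash().startswith(target):
        block.nonce += 1
    return block.nonce + 1


class Chain:
    def __init__(self, difficulty: int = 3):
        self.difficulty = difficulty
        genesis = Block(0, "0" * 64, ["constructed genesis"])
        mine(genesis, difficulty)
        self.blocks = [genesis]

    def add_block(self, transactions: List[str]) -> Block:
        block = Block(len(self.blocks), self.blocks[-1].block_hash(), list(transactions))
        mine(block, self.difficulty)
        self.blocks.append(block)
        return block

    def validate(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if every block meets the target and links to its
        predecessor, else (False, index of the first block that fails)."""
        target = "0" * self.difficulty
        for i, b in enumerate(self.blocks):
            if not b.block_hash().startswith(target):
                return False, i
            if i > 0 and b.prev_hash != self.blocks[i - 1].block_hash():
                return False, i
        return True, None

    def confirmations(self, index: int) -> int:
        """Blocks from `index` to the tip, inclusive: 1 means just mined."""
        return len(self.blocks) - index

    def rewrite_cost(self, index: int) -> int:
        """Re-mine block `index` and re-link every later block; returns the total
        hashes needed. This is the work an adversary must redo (and outpace the
        honest network on) to make an altered block valid again."""
        total = 0
        for b in self.blocks[index:]:
            if b.index > index:
                b.prev_hash = self.blocks[b.index - 1].block_hash()
            total += mine(b, self.difficulty)
        return total


def build_sample_chain() -> Chain:
    chain = Chain(difficulty=3)
    chain.add_block(["alice->bob 5"])      # constructed transactions
    chain.add_block(["bob->carol 2"])
    chain.add_block(["carol->dave 1"])
    return chain


def tamper(chain: Chain, index: int, new_tx: List[str]) -> Tuple[bool, Optional[int]]:
    """Edit an already-mined block in place and re-validate the chain."""
    chain.blocks[index].transactions = list(new_tx)
    return chain.validate()
```

Editing block 1 either breaks its own proof of work or, in the rare case that the new hash still meets the target, breaks the link stored in block 2, so `validate()` reports the failure at index 1 or 2. Making the edit valid again costs re-mining every block from that point to the tip, which is why a transaction buried under more confirmations is harder to reverse and why the text recommends waiting for several subsequent blocks.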

Blockchain based assets such as the bitcoin cryptocurrency are stored in wallets which are secured by public key cryptography. The blockchain address which is used to send and receive transactions on the network has an associated private key, which is typically protected by a password. If this private key becomes known, an attacker or malware could steal assets from the wallet. This is mitigated by wallet features such as multi-sig, which requires two authorizations to release funds from an address.

It is also possible to create malware/computer viruses that can spread through the blockchain. A security researcher from Kaspersky Lab and Interpol created an experimental computer virus that could enter PCs connected to the bitcoin blockchain. This was presented at the Black Hat conference in Singapore.

Denial of Service

While the blockchain is inherently resistant to denial of service by being decentralized, certain vulnerabilities in blockchain technology could lead to denial of service conditions. For example, in February 2014 a “massive” distributed denial of service attack hit the bitcoin blockchain. This attack used a weakness in the bitcoin protocol called transaction malleability (the ability to alter a transaction's identifier without invalidating it) to propagate. At that time this attack prompted bitcoin trading exchanges such as Bitstamp to halt trading due to transaction confirmation delays and disruption in balance checking.

Vulnerabilities in software

While the concept of the blockchain may be inherently secure, implementations of the blockchain may be susceptible to security flaws and vulnerabilities leaving it open to attack from malicious parties. These vulnerabilities may occur in software used to integrate into the blockchain or application interfaces. Such vulnerabilities could be used to steal private keys or attack users of the blockchain technology.

Next Steps and Considerations

The blockchain and distributed infrastructure technology represent a huge opportunity and organizations are rushing to invest in and implement proofs of concept and use cases for it. Security of these systems needs to be considered at all times and needs to be built into the design as well as followed through to implementation. This can be done by assessing threats early on during the project through activities such as security threat modelling and secure architecture design, as well as testing security controls throughout the software lifecycle, in an agile manner.

  • Financial transactions
  • Public Records
  • Identification
  • Private records
  • Attestations
  • Physical
  • Intangible Assets


10A The End of Banking as we Know it G. Mark Hardy

The End of Banking as We Know It: How crypto currencies and e-Payments are breaking up a centuries-old monopoly

Are we finally ready to go mainstream with alt-currency? Bitcoin got off to a slow start but has attracted millions of VC dollars in the last two years. Apple jumped on the bandwagon with Apple Pay, followed by Samsung Pay, Android Pay (née Google Wallet), and a whole host of thousands of alternative crypto currencies all struggling for attention, value, and survival.

We'll look at this brave new world of electronic money to understand what it is, how it works, what it can (and cannot) do, and probabilities of success or failure. We'll examine spin-off technologies such as blockchains, and look into the mechanics behind electronic payment systems such as Apple Pay, CurrentC, and Softcard. We'll even talk about why crooks love Bitcoin for ransomware extortion, and dig into the mechanics of how credit card fraud works, and whether that might be going away as well.


11A Threat Analysis Re-Visited Char Sample

Threat analysis, including threat intelligence and threat management, has become a major component of the security architecture process. Unfortunately, a lot of hype and misinformation revolves around threat analysis, ranging from potential misattribution, inappropriate prioritizing of actors and events and the threat intelligence echo chamber to the meaningless metrics that are considered vital.

This talk discusses first the appropriate role of threat analysis in architecture planning. Threat actors (both attackers and hunters), real motivations, values and other behavioral aspects will be discussed. This talk will also discuss the fallacy of placing attack campaigns into our own frameworks. Finally, putting all of this together, the discussion will cover meaningful, quantitative threat metrics that can be applied to security architectures that keep threat analysis in the proper perspective.


12A Security Service Design Chris Blunt

We all know that services are comprised of people, processes and technology, but what does this really mean? Since COSAC 2015 I have been involved in a number of discussions with clients and other security professionals that make me wonder if this axiom is not as widely understood and accepted as it would first appear.

During this interactive session we will explore and discuss a range of topics related to the design and delivery of security services. The following highlights some questions that will be considered:

  • What do we really mean by people, processes and technology?
  • Does everyone mean the same thing when they use these terms?
  • What is the relationship between each of these components?
  • Are any of these service components more important than the others?
  • What about Assurance? Where does it fit in the design and delivery of security services?
  • Does addressing each of these components really result in better business outcomes?


8B Complex Challenges in Security G. Mark Hardy
Char Sample

What is new in security this year? This third annual edition of “Complex Challenges in Security” will examine a range of new attacks, technology, and research. It’s a continuous challenge to stay ahead of the curve, but we’ll do our best to make sure you’re prepared for 2017. We’ll provide insight and offer an interactive session to determine what strategies can be deployed to gain value from these observations.

Because this session is designed to be interactive in nature, presenters will introduce key security topics, explain the issues and offer recommendations, then open up for audience participation to debate the merit and considerations of other solutions.

Topics will include: Shift in malware techniques toward Ransomware, cyber-physical environment, metrics, complexity, emerging security research, big data analytics and insights, supply chain attacks, transposing security into virtualized environments, The Internet of Things (TIOT), and any key topics that may emerge between submission time and presentation time.


9B Meaningful, Repeatable, Successful Security Assessments Glen Bruce

Senior executives and the Board are increasingly anxious to know -- how secure is our organization? Are we protected from the threats we keep hearing about? How do we compare to others in our industry? To our competition? Assessments are the life blood of consulting and the go-to option for gathering more information but can also be a muddy road to achieve accurate and useful results. The objective of this session is to arrive at the ideas, approaches and considerations to help make assessments easier and more effective.

Based on experience, we will identify the requirements and attributes that are required for effective assessments. We will discuss various approaches to assessments: maturity vs process? controls, capabilities or risk? What makes a good maturity scale? How do you arrive at an assessment that is accurate as well as easy to compare with others? Are these mutually exclusive? We will examine several reference standards that are commonly used for assessments and the many maturity standards and scales that are used to report the results. Is “0” a valid maturity level? What is the appropriate method: checklist, documentation reviews, interviews, testing, all of them? What is the best way to report the results? We will address all of these questions and provide perspectives and considerations that you can apply in your own environment.

Based on real world experiences, we will present nine principles for assessments that will help make them more meaningful, repeatable and successful. We will outline the motivations why each principle is important and the implications that result from following them. You likely will have more experiences and principles to contribute. At the conclusion we will identify what resources are available to help and where to go to obtain more information.


10B Information Governance on the Edge Matthew Pemble

The best personal and organisational benefits are usually accrued in what are known as “edge” or “marginal” situations. However, information governance structures are normally designed around the mundane operations of an organisation and cope poorly with testing opportunities.

This talk presents some bowdlerised scenarios that tested the information governance of various organisations:

  • James Bond’s Mastercard. What happens when 007 needs a credit card, because Q doesn't own a local car rental franchise, but their life depends on nobody knowing that it is paid off monthly by Her Majesty’s Secret Service?
  • Brain cancer in the Scilly Isles? Sharing medical information between organisations is heavily regulated for quite understandable reasons. But what happens, as far as data protection is concerned, if somebody lives remotely, needs regular check-ups and there are no specialist consultants available?
  • A murderer goes back to school. Long term prisoners might spend twenty years locked-up and will require retraining before they can return to work. Most training companies don’t expect that people might want revenge on their trainees.

A survivor of the above (and more) will help you to identify where you might include more recognition of beneficial opportunities, while still meeting governance obligations.


11B The air source heat pump is stagnant Helvi Salminen
Tuija Kohonen

Mr Murphy, director of SEALIOT was sitting in his room, drumming his desk with his fingers and looking happy. He had just returned from an important meeting with excellent results to be reported to the board – a multi-million contract was practically finalized. The technology, which SEALIOT had been developing for years, was going to be a part of the automatically updating intelligent device network of a big customer.

Too excited to work, Mr Murphy started reading some recent technical articles of interest: intelligent road with self-driving cars, intelligent home which could be controlled and monitored remotely, refrigerator which ordered automatically food from the supermarket … all these used SEALIOT ’s technology.

To rest his eyes Mr Murphy looked out of his office window: it was snowing heavily. “I must check how things are at home” he thought and decided to connect to his home network using his mobile phone. “No alarms, no reason to be worried” he thought, “but it’s better to check anyway”. The connection was irritatingly slow, but finally Mr Murphy could see on his mobile phone screen the controls of his home network. All indicators were green, but the air-to-air heat pump seemed to be working a bit inefficiently. “It must be the bad weather, I’ll look at it when I’m at home”, he thought.

Somebody knocked on the door and entered the room. “I have the past month’s monitoring reports here”, said the technician. “I have looked at them on the screen already, and didn’t notice anything alarming. Is there some kind of problem?” asked Mr Murphy. “First I thought that there’s just a little normal noise, but then I noticed some odd details. Some connection times, which are slightly different from normal, a remote connection to a server which should not be accessed remotely …” and the technician continued with many additional details. “I also looked at the development server and in its DLP system logs I found some copying attempts, and the physical security system logs indicated that there had been changes but the details of the changes could not be found in the logs. I think we have some kind of problem”.

The happy smile had by now been wiped from Mr Murphy’s face and replaced by a worried frown.

This was the beginning of a long and exhausting battle against the forces conducting a sophisticated attack via multiple channels. We will follow Mr Murphy and his team through this marathon and in the end we will find out if SEALIOT survived the attack.

The story told in this presentation is fictitious, and not in any way linked with the presenters’ organizations. Its purpose is to highlight some attack methods which don’t get enough attention, and the presentation also gives ideas for defense.


12B Guerrilla style awareness Karel Koster

Information security awareness campaigns can be painfully hard to organize, cumbersome to follow up on, and frankly the mandatory presentations and e-learnings are not always very effective. It’s more effective, realistic and fun to embed IS awareness within the other events of a company. Show people their weaknesses when they least expect it. This presentation describes how company events can be hijacked to deliver security awareness through guerrilla actions, proving within your company that people’s behaviour, although often well intended, is the weakest link. You can tell employees not to click on links, fill in forms or answer questions on the phone, but having them experience the fallout if they do is far more effective. This presentation shows you how awareness can be made a personal and explosive experience without getting fired.

This presentation covers

  • When to use Guerrilla style awareness
  • Which types of events are suitable to use
  • Risks and benefits
  • A real life example of a successful campaign
    • Preparation
    • Execution
    • Contingency plan
    • Communication
    • Lessons learned
    • Tangible results


8S Implementing GRC Framework for a Fortune 500 Company: Challenges, Rationale & Requirements Andrew S. Townley

This case study will address the challenges, approach, rationale and requirements for defining, implementing and adopting a SABSA Framework to manage the full lifecycle of IT Security Governance, Risk Management and Compliance for the IT Security teams in a multi-national manufacturing enterprise.

We will cover the approaches taken and issues faced when gathering requirements and engineering these requirements to identify business drivers for security, attributes and policy domains; adopting SABSA principles, concepts and processes; and defining an Enterprise specific set of reference artifacts to illustrate the application and benefits of fully adopting the framework at all levels of the IT Security function.


9S Finally, a GRC Reference Architecture Maurice Smit

Achieving good governance of security is a key requirement for the security functions in many organisations, especially where the implementation and operation of security is federated throughout the organisation and extended out into service providers. There are many governance, risk and compliance tools, but the governance capabilities are generally limited to audit and compliance management and none of them are actually architected to the real needs of organisations.

This presentation shows and explains the constructs of a GRC Reference Architecture that can be used to establish the requirements for an effective GRC tool. We will share the overall GRC landscape for any organisation, and zoom in on the key areas for an enhanced governance capability. This will include the ability to deliver a multi-tier risk dashboard capability and allows integration with existing tools and processes.

The Reference GRC Architecture will provide an architectural perspective or viewpoint on main components every organisation needs for proper Governance Risk and Compliance to manage and mitigate the risks in all sorts of business domains.


10S Governing Cyber Defence through the GRC Reference Architecture Malcolm Shore

Organisations are now at an unprecedented level of threat from cyber attack, with adversaries coming from the worlds of cyber crime, hacktivism, and state sponsored attack. However, organisations often do not understand the connection between the arcane world of cyber exploitation and day-to-day business outcomes.

Following on from the S11 presentation on the GRC Reference Architecture, this presentation deep dives into the Cyber Defence Domain and looks in detail at what is required to provide good governance across the areas of Situational Awareness and Security Operations. It is particularly focused on how the range of activities in the Cyber Defence realm can be architected in a way that provides clear visibility of the impacts of cyber attack on business outcomes, and describes to the business the value of their cyber defences.


11S Aligning SABSA with Software Engineering Jason Kobes

The domains of Business Risk and Software Engineering are worlds apart and seem to speak a different language, leaving both domains struggling to show traceability to one another. SABSA uses business attributes while software engineering uses system/software quality attributes. Understanding how each domain uses Attributes holds the solution to solving this problem and can lead to a new level of cooperation, understanding, risk management, and most of all mission enablement.

In this session we will discuss the software engineering and the SABSA methods of using attributes to organize and communicate requirements. We will also explore ways to align these methods to capitalize on their similarities and strengths. Both domains should benefit from this linking.


12S Improving Software through Better Architectural Choices Brenda Langedijk

Previous research has examined the causes of vulnerabilities in software systems. It describes Security Risk Assessments (SecRAs) performed on three operational software systems in the Netherlands. Using systematic interviews with the analysts who performed the assessments, the vulnerabilities were categorized into those relating to architectural choices and other vulnerabilities such as implementation issues. The results show that for these three software systems over sixty percent of the vulnerabilities relate to architectural choices.

Building upon this research I will evaluate the vulnerabilities relating to architecture choices in terms of the SABSA architecture. The idea is that the results of this analysis will enable architects to make better (more secure) software.


13P Phishing Without Computers John O’Leary

In 1943, computers were living and breathing humans, malware had yet to be invented, but deception of the enemy was a venerable institution. D-Day in Normandy wouldn’t come until next year. Sicily was the current target for invasion and misdirecting the Germans was the mission for a novel-like cast of characters. A lawyer, a family of undertakers, a gold prospector, a forensic pathologist, a pretty secretary, a submarine captain, a transvestite spy master, an inventor, a rally driver and a fly-fisherman who also happened to be an admiral all worked to pull off a scam on Axis-leaning Spaniards and a gullible Nazi that would make any current phisher of C-level executives bow in reverence. And the primary star of the whole enterprise was a slightly used corpse.

We’ll trace how an almost unknown man who really was became a thoroughly documented man who never was and “infected” German thinking regarding the Southern Europe invasion. We’ll see how remarkable attention to detail coupled with shrewd understanding of the German military mind and the “neutral” Spaniards made the bait all but irresistible. The specifics are very different, but parallels to today’s phishing strategies and tactics are clear, so we’ll also examine the lessons to be learned today from Operation Mincemeat of 70+ years ago.


14P The COSAC Rump Session Various

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at before 10AM GMT Friday, September 30.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 5 October.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of four minutes will be allocated for each presentation.



W1 Managing Incidents John O’Leary

COSAC veterans know it’s going to happen. The only real questions are when, how and how bad. It will serve you and your organization well to be prepared to handle, or better still to manage, a security incident. Target’s CIO wasn’t well-prepared, didn’t handle, much less manage, their incident, and she got fired. This half-day COSAC class focuses on getting control and staying ahead of the curve when the bad guys get in, or the sensitive data gets compromised, or something else happens that gets management nervous. Security veterans are expected to be cool, calm and collected, even while others are running around with their hair on fire. To make sure we’re ready, we’ll identify and analyze ways to effectively handle and manage incidents, even if they’re only tangentially tied to Information Security. We’ll dig into details of actual incidents, well-known and not-so-well-known, to determine where we agree and disagree with the chosen response philosophies and steps. Since buying the software or service isn’t enough, we’ll cover the procedural and managerial necessities of intrusion detection and response, including post-incident follow-up. We’ll also emphasize the criticality of effectively communicating with various constituencies, including users, customers, employees, regulators and the media, and of ensuring that security holes get plugged.


W2 COSACopoly: A Surprisingly Serious Approach to Enterprise Security Chris Blunt
Lisa Lorenzin

How can a lifelong infosec practitioner find a new way of looking at enterprise security? By learning the way a child does - through play. Our update to a popular childhood game provides a new lens for examining common issues in information security; players start with money and data, and must spend that money acquiring "properties" (security services) to protect their data from "chance" (random risks and opportunities). Like all great conference presentations, this one was inspired by a conversation in the pub after a previous COSAC... We learn best from each other, and from the chance to go off-script and see where inspiration takes us. From resource utilization to risk mitigation to adaptability in the face of changing circumstances, COSACopoly will spark conversations, demand tough decisions, and offer a free-form venue for exploring a variety of approaches to today's infosec challenges.


W3 Future Issues: An Early Look at Research & What it Means for Our Industry Andy Clark
Char Sample

Future issues for security professionals, ideas in the pipeline – A look at early research solutions and what they mean for our industry.

In the past five years both Government and industry bodies have significantly increased their interest in all aspects of cyber security. In the former case in particular this has led to funding new areas of research and supporting higher level academic programmes. The outcome of this enhanced level of research has been new perspectives on some classical and practical problems.

In particular this growth in research has started to reduce the latency between, for example, the discovery of theoretical attacks on critical network protocols and the development of new countermeasures or new approaches for the identification of "bad actors" and understanding their modus operandi.

As security architects we need to understand these new areas of research, if only to assess how soon they can be put into practical use in our current and next-generation information systems.

In this workshop the presenters will examine some of the new ideas in cyber security research, providing a brief explanation of the study, what is important about the research, and why this research should be of interest to security professionals. This workshop will be interactive in nature.


Copyright © 2016 COSAC - All Rights Reserved