M1 COSAC International Roundtable Forum John O'Leary    

For the 17th time, we fill a room with international information security veterans and present them with scenarios that have happened recently or probably will happen soon. The assembled delegates use the wisdom accrued in each of their 15+ years of solid IT security experience to examine the given scenarios from business, technical, political and any other viewpoints that might reflect on that situation or similar situations they have faced or analyzed. This puts immediate emphasis on one of COSAC’s most characteristic and valuable features. Interactivity.

COSAC speakers (or moderators) realize that someone, maybe several people in the room, know more about the subject in dispute than the exalted session leader. Here is where COSAC consistently shows itself as the single best Information Security conference anywhere. COSAC session leaders draw out the room’s expertise and thus enrich the learning environment for everyone. In past forums, this moderator has learned much more from the delegates than any of them have from him.

In describing some recent event, the moderator poses a question or two about what the involved people did, whether it was appropriate, what other directions could have been taken, what alternative consequences might still be in play. Not surprisingly, there is often disagreement, occasional discord, but so far no duels. Appropriate solutions tend to be industry-based or public/private sector-based or organizational culture-based. The spirited discussions emanating from these very real differences augment learning for all.

We also predict the future for Information Security. 50 billion IoT devices by 2020! And no universally accepted security standards for them. How do we get our arms around that? Will legal systems ever catch up with technology? Where should we spend our security dollars?

Come help solve the problems of the world with a full day immersion into the COSAC way.


M2 GDPR: Impact, Innovation, Dilemma & Delivery

Part One – The Impact of GDPR on our Security Department Karel Koster

On the 25th of May 2018 the GDPR comes into full effect. This has an impact on our customers, their clients, our legal department, our contracts, customer facing policies, etc. And a major impact on our information security function.

Besides stating what you can and can’t do with personal data, the GDPR also requires us to protect the personal information entrusted to us in a professional way. It does not specify how, but protecting that personal information is done by the security controls set and implemented by our information security department.

In this session I will share what impact GDPR compliance has on our information security department: which processes changed, which remained the same, which were added, and where we need to go the extra mile.

Since the implementation is new, there is no indisputable right or wrong yet; as with all legislation, the boundaries will need to be tested first. I will be sharing our approach and I invite you to share yours. Together this will provide us with a more comprehensive view of the impact of the GDPR on our information security profession and responsibilities.

Part Two – GDPR Breach Disclosure: Time for a New Approach Mark Rasch

With the unveiling of the GDPR, entities worldwide will be subject to mandatory data breach disclosure requirements, and will have to inform both regulators and their customers of the fact, scope, extent, and circumstances surrounding a breach of personally identifiable information. However, these data breach disclosure laws fail to meet the original intent of notification -- to enlist the support of the breach "victim" in mitigating the harm resulting from the breach (e.g., canceling credit or debit cards, monitoring for identity fraud), and simply serve as a mechanism to further embarrass the victim of a criminal attack. Moreover, as companies spend more money on breach notification, lawyers, fines, public relations and mitigation, they have less money to spend on detection, prevention and comprehensive security. Breach notification laws also skew security decisions toward protecting one class of data (personal data) over others (proprietary data, trade secrets) and may not actually achieve meaningful security at all. Finally, despite all efforts toward detection and response, the vast majority of entities learn that they have been breached from a third party. This session will focus on data breaches, breach disclosures, and breach responses, and propose a new, more collaborative approach to breach disclosure and prevention.

Part Three – GDPR Research Exemptions: To Do or Not to Do Valerie Lyons

The deadline for GDPR is hurtling towards us, and vendors are working tirelessly at promoting GDPR readiness and 'the work that needs to be done'. Every week we are subject to another 'GDPR readiness summary' presentation, but the current rhetoric does not include 'the work that doesn't need to be done'. Yet the GDPR makes provisions for certain activities related to Research to have exemptions. These are important exemptions for any organisation, no matter what industry or sector they operate in:

Research occupies a privileged position within the Regulation: In an attempt to recognise how regulation can stifle innovation and/or limit opportunities for serving the public good, the GDPR introduces several important exemptions for Research (research includes market research, historical research, health data research and scientific research). Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organisations also may override a data subject's right to object to processing and to seek the erasure of personal data (Article 89). In the age of big data, where the data analytics activities of many organisations may qualify as research, it is unclear exactly how far the GDPR's research exemption will extend. This presentation provides an overview of the most significant exemptions for research, as outlined in the GDPR, and will be followed by a discussion of how these exemptions could positively be used to address some of the GDPR challenges our own organisations face.

Part Four – GDPR Will Make the Cloud Stronger Ross Spelman

My talk will be on the GDPR and its impact on Cloud Service Providers and Consumers.

The GDPR is designed to strengthen data protection for EU citizens. Companies must comply by May 2018 or face substantial risk and steep fines. Given the complexity of GDPR requirements, this is a very short time-frame for companies to become fully compliant with the new data privacy regulations. The aim of the new European Data Protection Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for national implementing legislation.


M3 The 2nd COSAC Security ‘Design Off’ Jason Kobes    
William Schultz    

Back for the 3rd year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or looking to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge.

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Last year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high level security architecture practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.



1A The Potential of Artificial Intelligence for the Security Industry Esther van Luit

Considering a serious need for skilled people in technical security roles, AI in security (also termed ‘Cognitive Security’) seems to be at hand just in time. The speaker has investigated the implementation of IBM Watson, other upcoming cognitive security products and the DARPA CGC outcomes for the last half year to discover AI’s current added value in a security operations context and its broader potential in the security world. We will be looking at some typical roles in the security world and how they can be aided or even replaced by cognitive security technologies.

The audience will be invited to engage in a discussion on whether this is a desirable trend, whether AI will actually lessen the cybersecurity skills gap or whether many more new jobs will be created because of the implementation and security needs of AI, and lastly what qualitative impact this will have on the people working in the security industry.


2A Smarter (AI) Toys: the Next-Level Social Engineering Malicious Insiders Esther van Luit

Connecting toys to the internet has led to a revolution of interactivity between toy and child, with sensors taking a child’s queries as a starting point for analysis and response to deliver a customized playing experience. The next wave of innovation in playmates is already on the rise with toys that go beyond static responses selected from a database, and tailor answers to the personal needs of their user through artificial intelligence. This new level of interactivity is expected to create a different relationship between the toy and the child that could potentially be abused by those that gain access and possess the right knowledge to adapt the AI functionality in such a way that a toy can be seen as a malicious insider with social engineering capabilities.

The question of how artificial intelligence-enabled toys can be abused by hackers as an attack vector is a valid one when we consider the vulnerable target audience of children, the lack of transparency on whether an AI-enabled toy is functioning within the parameters of its design, and the heightened intimacy between the toy and the child, which opens up avenues for social engineering. The security vulnerabilities in smart toys are currently being covered from a privacy perspective and in terms of the lack of secure information transfer. This study looks ahead to the more advanced security issues associated with Artificial Intelligence and the implications that a breach of the integrity of AI might have on the cognitive action of its users.

The speaker will present a three-part argument on the changing nature of playing with toys, the lack of security controls regarding toys at the moment and the potential for increased danger when these toys are enabled by Artificial Intelligence. The audience will be invited to share their interaction with these Internet of Things-toys so far and speculate about how to improve the security on these items so dear to our children.


3A The Newest Frontier in Cyber Research: The Human-Machine Interface Char Sample

Much has happened in the cyber + culture research area since this topic first appeared in the 2011 COSAC rump session. The human-machine interface is now widely recognized as the newest frontier in cyber research and cultural values are seen as setting the norms in nation-state behaviors on the virtual battlefield.

This interactive discussion covers the various studies that have been performed, along with the studies in progress as well as future studies planned. The session will provide details on the studies performed to date and the relevance of the study findings that allow for extrapolation to more comprehensive rules that can be applied over a larger set of users. Also discussed will be the emerging models for attackers, defenders and other actors. Other discussion areas include the planned and potential uses for this research in defending, attacking, deception and counter-deception.

The findings have questioned the assumption of a single hacker culture, and supported Nisbett’s observation that people “think the way they do because of the nature of the societies they live in”. By using the six dimensions of culture, evidence-based research provides a compelling explanation for the online activities of various actors. The behavioral traits associated with these cultural values are consistent with observed cyber behaviors.


4A Blockchain: The New Digital Swiss Army Knife G. Mark Hardy

Now that the price of a single Bitcoin has surpassed the price of an ounce of gold, is blockchain becoming a runaway train with businesses scrambling to hop on? If so, will the mistakes be minor or catastrophic?

Blockchain as a technology has been proposed as a solution to everything from frictionless currency transfer to tracking cargo on ships. With over €1bn in venture funds invested and several hundred patents filed, every security professional must know the impact on organizations in terms of risk, volatility, and competitiveness.

This discussion started in 2014 when we explored weaponising digital currency, and continued in 2016 with the end of banking as we know it. However, the most powerful blockchain applications may not be as electronic money. We'll look beyond the security risks of blockchain (covered brilliantly last year by Rahul Lobo) to discerning where blockchain is truly the best business choice, and situations "when all you have is a hammer, everything looks like a nail."

This interactive session will review some of the patent filings to gain an insight into the direction of blockchain; look at VC investment portfolios to anticipate the most promising applications, and apply our collective knowledge to predict the winners and losers for 2018 and beyond.


5A Blockchain: The Best Thing Since Sliced Bread Lex Borger

Blockchain is the bookkeeping technology behind Bitcoin. It is touted as the technology to solve any administration and registration challenge. It is going to push out regular banking.

  • How much of this is true?
  • Is it such a revolutionary idea?
  • Is it so universally applicable?
  • Is it scalable enough?
  • Is it secure?

In this presentation, we are going to uncover the elements that make up blockchain and go in search of the applicability of this technology in today’s society. This is not a definitive story. The audience will need to participate and contribute insights and ideas.

The ultimate questions to be answered are:

  • What is blockchain good for?
  • What are the risks of depending on blockchain?


6A Cognitive Hacking: Recognising & Countering 21st Century Deception Char Sample

The events of 2016 resurrected the term "cognitive hacking". First identified by Cybenko in 2002 this forgotten research area has garnered new attention due in part to "fake news", weaponized information and other activities designed to shape online perception. While the world may have been caught off guard by these events, the physical world has mechanisms to detect and counter these efforts. The virtual world has no such mechanisms.

This talk first defines cognitive hacking and provides examples, including examples of how perception shaping occurs in security monitoring. Next, the session will focus on some of the research activities into deception by Rowe, Jones and other notable efforts. It will then move on to countering deception: what can be done technically as well as behaviorally.

The discussion will be workshop focused with the facilitator providing brief explanations of each of the focus areas (identification, countering and post-hoc analysis).


1B A Common Scale for Cyber Risk: Can it be Done? Glen Bruce

How do you provide a meaningful answer to the Board or senior executives when they ask “are we at risk” from the latest cyber threat in the news? How do you provide easy-to-understand information about the actual risk to the organization? Can there be a “Securiton” (TM John O’Leary) to provide an indication of risk much like the Beaufort scale does for wind, the Saffir-Simpson scale for hurricanes or the Fujita scale for tornadoes?

There are many cyber threat level definitions, but there isn’t a consistent cyber risk index that will provide insight into the relative risk of a newly discovered vulnerability and threat. When a new threat is identified (usually accompanied by a catchy name and logo), often a vague or misleading analysis of the risk is published in the press, then copied and re-reported, compounding the panic. How do you leverage your organization’s security dashboard to summarize risk? We will review and discuss the components of risk reporting and how we can get to an effective way of defining risk that is quickly understood.

We will examine the Board’s and C-Suite’s evolving requirement to be knowledgeable and involved in cyber risk involving their organization. We will look at the available methods for defining vulnerabilities and exposures that result in risk and the available repositories of this information. We will examine the factors for defining and categorizing cyber risk and what contributes to making it meaningful to all levels of the organization. We will describe a set of risk reporting principles that will help guide how cyber risk can be defined and reported. We will also describe a method and process that can be leveraged to categorize risks into a more easily understood form. The goal is to make the risk of cyber threats easily understandable across the organization and be better positioned to effectively deal with the risks. If we can arrive at a globally applied cyber risk.


2B CyberInsurance: The Wrong Product for the Wrong Problem Mark Rasch
G. Mark Hardy

One answer to cyber-risk is to insure against it. Many companies purchase cyber-insurance, including data breach insurance, ransomware insurance, e-commerce insurance, or other insurance products to guard against risk, but these products do not typically cover the kinds of risks associated with conducting business online, and many insurance companies are reluctant to pay claims after a company suffers a loss. Cybersecurity professionals are rarely consulted in the risk mitigation process or when the business purchases such cyberinsurance, leading to significant gaps in coverage. For example, if a policy covers "loss" of data, a ransomware attack may not be covered because the data is not "lost." A policy which excludes from coverage damages resulting from employee misconduct may not cover harm resulting from a successful phishing attack where an employee is deceived into clicking a link to install the malicious code. Harms to customers may not be covered under so-called "first party" policies. GCL and professional liability policies may or may not cover things like damage to reputation, loss of privacy, or publicity. This session will focus on recent cases in which coverage was denied or challenged from cyberattacks, and ways cybersecurity professionals can read these policies and help mitigate risk.


3B CyberInsurance: A Reason to Up Our Game Ross Spelman

Companies generally implement a wide array of controls and techniques in an effort to prevent cyber attacks. However, not all of these controls and techniques are effective, and not all companies implement these techniques in a manner that achieves the best results. Even when a company has a strong risk management programme, most insurers do not have an objective, evidence-based method to assess its risk profile.

This uncertainty and lack of objective intelligence can result in policies with high premiums, low coverage, and broad exclusions. Most cyber insurance providers only use questionnaires to gather information for cyber insurance underwriting as part of the application. This process is far too broad and subjective for such an important risk.

Insurance companies and their customers need an objective, evidence-based cyber risk metric to measure security effectiveness, not simply policies and procedures.

A contextualised, risk-based approach for measuring the strength of cyber security in an organisation can offer underwriters a uniquely distinctive way to help assess the potential for cyber loss at a particular company.

My talk will explore a method of effectively scoring a company's cyber security profile and the benefits for all by carrying out this process.


4B Privacy by Design: What Do You Mean? Marc Verboven

Subtitle: Practical experience @ ING in developing a framework to implement Privacy by Design on an enterprise scale.

One of the key elements in the EU General Data Protection Regulation (GDPR) is 'Privacy by Design'. In this session we will tell the story of how ING discovered GDPR, how we approach GDPR in general and, in more detail, how we are making sure 'Privacy by Design' is understood and applied in the organization.

Policies, regulation and GDPR use cases are input for the development of a Reference Architecture (RA). This RA then ensures Privacy by Design by:

  • Providing architectural guidance on privacy aspects.
  • Providing a basis (framework) for building specific guidance for applications like Audit Trail, Legal Archive, Data Inventory, ...
  • Providing guidance for current systems, where the RA is the reference to determine the technical gaps to be mitigated depending on cost and risk

The intended audience for the RA are IT Architects and other IT stakeholders when they need to ensure compliance with GDPR.

As usual at COSAC, the session is intended to be highly interactive.


5B Information Privacy as Corporate Social Responsibility: Benevolent or Malevolent Valerie Lyons

Since the 1990s, it has become a de-facto standard for larger organisations to publish social reports documenting how they address issues such as pollution, energy use, waste production, child labour, workforce diversity etc. These reports are referred to as Corporate Social Responsibility (CSR) reports. Traditional arguments in support of CSR underscore the benefits a socially responsible organisation should reap from key stakeholder groups. Several research findings suggest a positive correlation between an organisation's CSR program and consumer trust and behaviour. Additionally, socially oriented organisations can distinguish themselves from competitors, enhance customer satisfaction and improve their reputation through positive stakeholder response to their actions.

So what does CSR have to do with Information Privacy? In 2010 the Global Reporting Initiative (GRI, an international organisation that develops the CSR reporting standards) included Information Privacy and Data Protection in its core standards. Since 2010, several large financial institutions and technology companies have reported information privacy within their CSR reports. CSR reports provide a channel for an organisation to promote and demonstrate a strong sense of responsibility and accountability for privacy protection, which in turn acts as a core element in building trust with key stakeholders. On the face of it, this seems like a positive step for Information Privacy; however, there is a more 'heated' view that CSR is merely a channel for organisations to repair a reputation which has been damaged by its sector's historically irresponsible behaviour, and that CSR is simply tokenistic compliance 're-packaged'.

This presentation explores the many facets of CSR, using case studies from several recent CSR reports, and explores CSR's relationship with Information Privacy/Data Protection. The presentation aims to encourage the audience to consider that as Information Privacy Protection matures in capabilities, it may not, as traditionally expected, report into Legal and Risk Departments, but into the Marketing Department's CSR program office. Rather than resist this progression, this presentation arms the audience with an informed overview of the growing relationship between CSR and Information Privacy, so that they can leverage this knowledge to increase resources and budget allocations for Privacy Protection initiatives in the future.


6B We See What We Want to See: Pitfalls of Perception & Decision-Making in Information Security Helvi Salminen

We are often convinced that we have a clear picture of reality and are thoroughly rational in our thinking and decision making.

However, our perception of reality is limited and prone to errors. We often jump to conclusions based on partial or erroneous information, and eloquently justify our decisions with apparently rational arguments.

In many areas of human activity, including security management, limits of perception and errors in decision making can have disastrous consequences.

The phenomenon of cognitive biases - systematic errors in thinking affecting decisions and judgments - has been studied in various contexts, and the results have been applied to improve decision making processes. In the compliance-dominated world of security management, however, cognitive biases have not received sufficient attention, so an important risk factor is regularly underestimated.

This presentation gives an overview of the concept of cognitive bias and describes in more detail some of the biases which can be particularly harmful in security management. This introduction is followed by a presentation of scenarios where erroneous perception and decision making by security actors leads to disasters - and by a discussion of how these biases can be identified and their impact limited.


1S Aligning SABSA with FAIR Jason Kobes
William Schultz

The activity of conducting risk assessments in the information technology domain can often be tricky business. The results of the assessments can be used to drive long term strategy, and a great deal of investment in strategic and tactical plans is based on the findings. However, most risk assessments involve making assumptions about the organization, as well as the assets, threats, vulnerabilities, and the levels of risk that the organization is facing. The quality of these assumptions will have a significant impact on the success or failure of the resulting security strategy and plans to appropriately address the organization's risk.

In this session, we will discuss how the FAIR (Factor Analysis of Information Risk) risk analysis methods can be integrated with SABSA to enhance risk posture knowledge and improve the understanding of the assumptions being made. FAIR has implemented a risk ontology to help organizations quantify risk in a way which is less about assumptions and more about traceability. FAIR takes a unique approach to defining and tackling some of the more difficult aspects of risk analysis which haunt our profession. We will look at how FAIR can help us enhance our architectural approach to assessing and analyzing risk.


2S Using SABSA to Architect Zero Trust Networks Chris Blunt

In 2014, Google threw away its traditional approach to securing its services and reimagined what security should look like to be truly effective in today's world of distributed teams, systems, and applications.

They developed BeyondCorp, a perimeterless architecture that does away with the idea of trusted networks and treats all applications as if they are Internet connected, thereby creating an environment that is zero-trust by default. Every request is authenticated and authorised in real-time based on a set of dynamic conditions that considers changes in user status and device state.

This interactive session will explore how to apply SABSA to architect a zero-trust network through the layers of the SABSA matrix. This will be supported by a sanitised case study to highlight and discuss the real-world challenges, and how they were overcome, when architecting a zero-trust network for a New Zealand organisation.


3S Architecting a Modern Authentication Service in the Cloud Michael Price

Every organisation needs to appropriately authenticate users before granting them access to resources. It should be reasonably straightforward for any organisation to architect, design, implement and manage an Authentication Service but it appears that this couldn’t be further from the truth.

We often hear of organisations struggling with some pretty common issues: implementing and enforcing strong passwords, implementing ‘same sign-on' solutions rather than true ‘single sign-on', and ensuring that user accounts are removed when the user no longer requires access.

But we live in a modern world, and there are new and emerging services, methods, and technologies that make user authentication more effective and easier to manage than ever before. Identity Federation, access tokens, and universal authentication (U2F/UAF) are just some of the technologies that have the potential to create an effective and efficient authentication service that makes life easier for the end-user, while ensuring that an organisation's resources are securely accessed.

This session will provide an overview of how SABSA was used to architect and design a modern Authentication Service for an organisation adopting cloud services. It will present a sanitised case study and will show how SABSA was applied to deliver a service based on a popular cloud services platform.


4S Show Me the Controls! What Happens When Cuba Gooding Jr Meets A SABSA/TOGAF Alignment Consultancy Peter Nikitser

As security professionals, we have most likely experienced client engagements where we have had to manage both scope and expectations. Whilst working for one of the big four consulting firms, we responded to an open tender asking for help with designing a security architecture framework based on SABSA for a Queensland state government agency, the duration of which was not to exceed six weeks.

Fair enough, sounds reasonable and straight-forward, and we were more than happy to help them spend their end-of-year budget.

The response was sent to the client outlining the approach, highlighting any constraints and assumptions in our response and expectations of the client in arranging timely meetings with key stakeholders.

During the first week of the engagement, I asked for access to key stakeholders or their delegates, and was told that was not possible. It soon became apparent that I had stumbled across a long-standing cultural and political issue, and that I was not going to get an audience with key stakeholders or their delegates. Furthermore, the intent of the engagement started off with a desire to apply SABSA to the entire organisation, yet I uncovered they had already made an investment in TOGAF, which they neglected to mention in their RFP.

Where this engagement led to next, and the approach I had to take in order to manage their expectations, is what you will have to hear for yourself.

The presentation will demonstrate examples of the artefacts I produced, the adjustments that had to be made in order to accommodate the scope creep, and how I turned the engagement around to deliver a top-down meets bottom-up approach. And yes, I showed them some controls too …


5S Selecting, Aligning & Effectively Using Compliance & Control Frameworks Andrew Hutchinson
William Schultz

Security programs are constantly challenged to adapt flexibly to organizational change and maintain compliance with regulatory requirements, while actively defending against an ever-changing array of IT threats. Leveraging existing frameworks or methodologies such as NIST or HITRUST allows organizations to take advantage of work already done to address common security concerns, but these need to be integrated in a way that allows the organization to customize information security frameworks to its risk appetite. It can be challenging to identify which frameworks are most appropriate and where and when to apply them; however, this is a key component of a security architect’s role.

This session will look at an organization that is leveraging SABSA architecture to do this and how they are addressing compliance requirements applicable to healthcare organizations (HIPAA, FISMA, and PCI), will review some common security control frameworks, models, and methodologies that are being leveraged (NIST, HITRUST), and look at the risk management frameworks (SABSA, NIST, FAIR) that can be leveraged to efficiently address compliance challenges. We will explore how these frameworks, models, and methodologies overlap and complement each other, and how they can be practically integrated. Since there is a drastic difference between understanding a model and applying it, we will present several use cases and practical examples explaining how we have used these models, the lessons we have learned, and the challenges that remain.


6S How to Write a Great SABSA Advanced Exam Answer Chris Blunt
Michael Price

Are you planning to sit a SABSA Advanced course? Or have you recently attended a course but haven’t yet written and submitted your exam answers? Then this is a session you can’t afford to miss!

During this interactive session we will explore and discuss a range of strategies for writing a great SABSA Advanced exam answer using model exam questions to show how to:

  • evaluate the question to ensure you know what is being asked of you;
  • use a hypothetical or real-world case study to frame your answer;
  • plan and structure your answer to ensure that you cover each area of the question;
  • assess the competency verbs in the question to ensure that you understand them and can meet them; and
  • effectively present the application of your chosen combination of SABSA methodologies, techniques and approaches.

The presenters have scored between 91% and 100% in their Advanced exams, with the average being 96.25% between them. One of them is a SABSA Chartered Architect Master (SCM) and a marker of Advanced exam papers.

The goal of the session is to provide the participants with a set of tools they can use to write great answers for their SABSA Advanced exams!


7P SABSA and HumanKind Maurice Smit

Even though the SABSA methodology has mainly been used in the IT (EA) landscape, it can help to create a more complete picture in any sector, industry or area, and to solve any problem, including human needs, thanks to the methods, models and frameworks it contains. Attributes Profiling delivers a unified common language for, and in, every phase of human existence. The SABSA methodology is based on a holistic approach towards security as a property of something else, so it applies equally to humans and the accomplishments in our lives. This is what will be presented in this session.



8A CyberSecurity & Analytics: Rise of the CyberHunter Lynette Hornung
Lori Murray

The buzz in cyber today includes machine learning and big data. What are some of the challenges that come along with "big data" promises, and how can you effectively use data analytics and machine learning to bring some real value? Data Analytics and machine learning allow you to drill down to gather the data, analyze it, and find the answers to the questions you seek. It is likely you are using it more often than you think! Let's talk about some use cases for applied data analytics and machine learning in cyber security.

This presentation will present a use case for anomaly detection through analytics, and the processes required to make it effective in different environments. Understanding how to mine through the data, clean out the noise, and focus on the relevant data for cyber hunting is where the value is.
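The "mine the data, clean out the noise, focus on what matters" point is easy to state and easy to get wrong in practice, so here is an added example (not material from the session) showing the shape of such a pipeline over constructed SSH authentication log lines: parse, suppress an already-triaged noisy source, count failures per origin, and flag outliers with a robust median/MAD test rather than a mean/standard-deviation one that a single loud source would skew. The log format, the host and IP addresses and the allow-list of known noisy sources are all assumptions made for this illustration.

```python
"""Anomaly hunting over authentication log lines.

Added example; not material from the COSAC session. The syslog-style format,
host names, IP addresses and the allow-list of known noisy sources are all
constructed for this illustration.
"""
import re
import statistics
from collections import Counter

# Assumed format: OpenSSH-style sshd messages as written by syslog.
AUTH_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Assumption: a monitoring probe with a stale credential that has already been
# triaged and is suppressed from the hunt (the "noise").
KNOWN_NOISY_SOURCES = frozenset({"10.0.0.2"})


def constructed_log_lines():
    """Build a small constructed log (not real traffic): a few benign failures,
    a noisy probe, and one source spraying default account names."""
    lines, seq = [], 100

    def emit(outcome, user, ip):
        nonlocal seq
        seq += 1
        lines.append(
            f"Oct 01 09:{seq // 60:02d}:{seq % 60:02d} bastion sshd[{seq}]: "
            f"{outcome} password for {user} from {ip} port {5000 + seq} ssh2"
        )

    emit("Failed", "alice", "10.0.1.5")
    emit("Accepted", "alice", "10.0.1.5")
    emit("Failed", "bob", "10.0.1.7")
    emit("Failed", "carol", "10.0.1.9")
    emit("Failed", "carol", "10.0.1.9")
    emit("Accepted", "carol", "10.0.1.9")
    for _ in range(30):                       # misconfigured probe: expected noise
        emit("Failed", "monitor", "10.0.0.2")
    for user in ("admin", "root", "test", "oracle", "postgres") * 5:
        emit("Failed", f"invalid user {user}", "203.0.113.9")   # password spray
    return lines


def parse_events(lines):
    """Keep only authentication outcomes; anything else in the log is
    irrelevant to this question."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append((m["outcome"], m["user"], m["ip"]))
    return events


def failure_counts(events, suppress=frozenset()):
    """Failed logins per source IP, with already-triaged sources removed."""
    return Counter(ip for outcome, _user, ip in events
                   if outcome == "Failed" and ip not in suppress)


def flag_outliers(counts, k=5.0):
    """Robust outlier test: median plus k times the median absolute deviation.
    Median/MAD rather than mean/stdev, so one loud source cannot drag the
    baseline up and hide itself."""
    values = list(counts.values())
    if len(values) < 3:
        return {}
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = med + k * max(mad, 1.0)   # floor the MAD so a flat baseline still flags
    return {ip: n for ip, n in counts.items() if n > threshold}


def hunt(lines, suppress=KNOWN_NOISY_SOURCES, k=5.0):
    """Full pipeline: parse, drop noise, count, flag. Returns (ip, failures)
    pairs sorted by failures, highest first."""
    flagged = flag_outliers(failure_counts(parse_events(lines), suppress), k)
    return sorted(flagged.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    log = constructed_log_lines()
    print("without noise suppression:", hunt(log, suppress=frozenset()))
    print("with noise suppression:   ", hunt(log))
```

Run without the suppression list and both the probe and the spraying source are flagged; with it, only the spraying source remains, which is the difference between an analyst chasing a known misconfiguration and an analyst looking at the one thing that matters.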


9A Make it BLEed: Hacking BLE Applications Tal Melamed

Although IoT is already embedded in our everyday lives, our security and privacy are sometimes left behind for comfort and other reasons. But IoT vulnerabilities have real impact on our digital and physical security.

Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is the most popular protocol used for interfacing IoT and smart devices, wearables and medical equipment.

In this presentation I will demonstrate how to penetration-test BLE applications: what equipment is required, what tools can be used, and what approaches and techniques should be considered in order to secure the application.


10A Unmasking Chatbots: Hacking API Interfaces and Countermeasures Stephen Singam

A chatbot is an interactive chat robot based on artificial intelligence that is designed to simulate human conversation. The chatbot market is predicted to expand at an incredibly high CAGR of 27.8% in terms of revenue over the forecast period 2016 to 2024 (Transparency Market Research). Lloyds Banking Group, Royal Bank of Scotland, Renault and Citroën are now using automated online assistants instead of call centres staffed by humans. APIs are the glue that holds chatbots together: chatbots are entirely API and event driven, which removes the need for a CSS front end, eases the integration of services such as NLP and back-end platforms (for example AWS, MongoDB, Salesforce and Slack), and enables monitoring, testing and security. And did we say security?!

In this presentation, we will demonstrate how chatbot APIs can be hacked to breach private data and even to mount DDoS attacks through the exploited API endpoints.

We close the presentation with some practical countermeasures: proper encryption key management practices, addressing business logic flaws, hardening API endpoints and, of course, SABSA architecture and governance.


11A IoT & SCADA: Applying Lessons Learned & Case Studies Lawrence Dietz

From connected refrigerators to self-driving automobiles to medical devices, the IoT offers great promise. However, as the Mirai botnet has shown, these benefits come with some perils as well. This session will first set the stage by reviewing SCADA and IoT attacks to agree on attack parameters, perpetrators and best practices.

We will then examine a hypothetical company and three hypothetical incidents. Each incident plays off a different set of facts about the hypothetical company and highlights different likely perpetrators.

We will then analyze each incident, starting by identifying likely perpetrators. Next we address legal issues such as potential liability, data privacy and intellectual property protection. The case studies will conclude with assessing lessons learned and practical actions that can be taken to minimize the likelihood of these types of incidents and their negative impact on the organization.


12A Shining Light in the Darkness – A Look at the Dark Web Rob Hale

The Dark Web has become a buzz-word over the past few years due to the rise in successful cyber attacks, overt criminal activity, media hype, and data disclosure. Although more and more people have heard of the Dark Web, it remains an enigma to many security professionals. As the Dark Web becomes a greater and greater market and hiding place for cyber activity, however, it is incumbent upon cyber security professionals, particularly researchers, to understand and learn how to safely navigate its many tangled threads.

This presentation is comprised of two principal sections. The first section walks through an introduction to the topology of the Dark Web and describes an architecture and process for accessing it in a protected fashion. It also includes a discussion on how business is conducted on the Dark Web. The second section is a live demonstration and exploration of specific sites of interest on the Dark Web. As the purpose is to familiarize security practitioners and research professionals, at no time will any illegal or unethical activities be demonstrated or condoned.

For those interested, a written description of the processes and architecture components will be provided in PDF format.


8B Women in Security: Drivers & Challenges, Part 2 Esther van Luit

On a global average only 10% of the people working in the security industry are women, and this includes those working in communication and marketing. In the Netherlands, this percentage is only 3%. The speaker has been involved in research with a Dutch institute to further investigate the causes of, and countermeasures for, the extraordinarily low share of women in the industry. Considering that the security industry is projected to be short of 1.5 million security professionals globally by 2019, we cannot afford to let half of our population sit idly by without investigating the reasons why they do not take up a career in this industry.

Esther presented on this topic at COSAC 2016, but due to interesting discussions only managed to cover the challenges and not the drivers before running out of time. This year, she would like to shortly recap the challenges and discuss the drivers for success in more detail while having similar engaging discussions with the COSAC audience.


9B Project Management – the CIO Michael Hirschfeld

I have held middle management and senior executive roles in Security, ICT Security, and ICT in general in various Australian Government Agencies over the past 23 years.

I have learnt a lot about managing the delivery and leading the strategic improvement of these fields. I also have much much more to learn.

Many believe that great leaders are born and not made – this may be true - but good leaders and great managers are, more often than not, made through the dedication to personal development of individuals.

There are innumerable capabilities and skills that take us from being technical experts to being good managers and then good leaders. In this presentation, I will share some of my experiences and tools that can be used to help you manage your deliverables and career.

There are a number of topics to cover; this session will focus on three fundamentals: committing to action, planning and delivery. Understanding the nature of commitment to action, and whether your team has committed to what you are committed to. How do you successfully plan tasks for teams and projects, and then how do you make sure you and your team deliver successfully?


10B Organisational Upheaval John O'Leary

It comes in many forms. COSAC veterans have probably seen them all. Rarely welcome, always more disruptive than planned, never arriving at precisely the synergistic outcome the suits guaranteed at the beginning of the project. Outsourcing, mergers, acquisitions, divestitures, “right-sizing,” layoffs and major reorganizations are facts of life as we approach the third decade of the 21st century. All these situations can create serious information protection concerns, but security is usually at best an afterthought, considered only after financial, legal and structural issues have been settled, the new management structure coronation is complete, the old guard (and their “old school” ideas) have been defenestrated, and the ink is dry on the bottom line. Viewing large-scale organizational change from an IT security perspective, we’ll emphasize realistic strategies for handling the very real and emotionally charged issues that inevitably arise at the first discussion of moving functions downstairs or across the street or out the door or offshore. We’ll examine what to do before, during and after major organizational upheaval to ensure that adequate controls are in place.


11B Are We Boring the Board? Todd Fitzgerald

Today many CISOs are having to address the Board of Directors in their organizations across all vertical industries. Are the boards asking the right questions? What questions should they be asking? Are the CISOs delivering the right message? How do we measure whether they are really being effective?

This presentation will provide a never-before-presented analysis of the “Presenting to the Board” literature that is published from time to time, and challenges through interactive discussion what information is relevant to “the board”.

There will be a deliverable that results from this discussion, the top 10 items, in priority order, that a board must know. Can we accomplish that feat at COSAC? Only the participants can know for sure.

Note: Presentations are communicated in a very interactive, audience participation style with visual and audio effects.


12B When Just Being Right is Not Enough Karel Koster

In these times of alternative facts, being rational and right is not always enough to get the support from management that you need. While facts and figures are my preferred way to deliver my message to my stakeholders, I found that not all of them share my preference for reason over emotion. Our different communication preferences sometimes prevent my message from being received correctly. Communicating in the right way, in the way my stakeholder prefers, helps me to deliver my message clearly.

We all have our communication preferences and so do our stakeholders. I’ve investigated my preferences and gained insight into my strong and weaker points. I also examined those of my main stakeholders, in order to tweak my communications to them when delivering a critical message. This ensures that personalities and communication preferences do not interfere and the message is well received and therefore more likely to be accepted. In this presentation I share my insights, what I have learned about my own communication style and how I adapt my communication to the preferences of others in order to align with them. I will introduce the tools and frameworks I use and point you in the right direction if you want to do the same.


8S It’s Sooooo Fluffy! Jaco Jacobs

There is a terrifying misconception about Security Architecture that I have to deal with more often than I would like to admit. I cringe every time I hear "well, that's all good in theory, but how are you actually going to make it work?", and I am sure that I am not the only one. Yes, you've guessed it, we are too often accused of being theorists!

Very few of us ever get the opportunity to dive into the nuts & bolts of the architectures we develop all the way through to instantiating all of those wonderfully mystical and mythical concepts of ours.

In this session, we will look at a couple of ways to make an Enterprise Security Architecture more tangible for the folks who are going to end up using it. We will dive a little deeper into the Logical, Physical and Component layers of SABSA, exploring the deliverables and outcomes of each of these layers in detail and with the appropriate audience and stakeholders in mind, all while maintaining the necessary traceability back to the Contextual and Conceptual layers.


9S Applying SABSA in an Ever-Changing Digital World Dimitrios Delivasilis

“The world is changing at a pace that challenges our ability to adapt” is a realization that applies equally to most organisations across the various sectors. Technological disruptors have almost exclusively been credited for this frenetic pace. From the rather broad spectrum of digital transformations we will focus on the most aggressive one… mergers and acquisitions (M&A).

Having already implemented a security framework by following the SABSA approach, this time the challenge was twofold: get buy-in from the new stakeholders and then update the framework to depict the security posture of the new organization. Sharing the “scars” of applying SABSA methodology and principles to consolidate two technology stacks that had very little in common, standardize the information security services, augment capabilities to support global operations, drive decision making for future investments and cultivate security professionals with diametrically opposed backgrounds are just a few of the key takeaways.


10S Zero Knowledge Business Attributes Martin Hopkins

How can we generate a business attributes profile for another enterprise using only publicly available information? Why would we even want to do this, what use could it possibly have? If we don't have well defined, specific metrics and performance targets is there any value? This talk will introduce an approach to producing such a profile, seek to answer these questions and provide examples of where this technique has been used such as:

  • How does a very technical security consultant communicate the outcome of an assessment to executive management using language they will understand, and relate risks to their business context and what they really care about?
  • How can we take a standard Threat Modelling methodology up a step, stop focussing solely on information assets, and start considering threats against what matters most to the enterprise?
  • How can a security consultant respond to their client when asked "but what is the impact to my business?" and the rote answer of "I can tell you the technical impact but I don't know enough about your business to answer that question" isn't going to be good enough?

We'll propose that even if the profile is not even close to 100% accurate and is not the product of a rigorous engineering process it still has value as a communications tool and demonstrates to stakeholders a method for bridging the gap between technical and business viewpoints of risk, before opening up the remainder of the session for audience participation to debate the merits of this approach and proposal of alternative solutions.


11S From Zero to SABSA: How to Setup an Enterprise for Consistent Security Architecture Delivery Andreas Dannert

While most medium to large global organisations these days appreciate and/or have a security architecture function, not all have a framework defined that ensures security architecture is delivered based on a consistent, organisation specific approach that enables security architecture delivery to an agreed set of performance criteria within the organisation.

The problem appears to be non-standardised terminology being used for security architecture, non-standardized security architecture delivery processes within the organisation, and the inability of security architects to clearly articulate the dependencies of various organisational functions within an organisation when it comes to delivering security architecture. While one part of the company might be great at security architecture delivery others could be average and sometimes they are not well integrated with areas that they should align with. The security architecture function in organisations is often siloed off from departments that should be involved in the security architecture delivery process. Departments in a global enterprise, responsible for physical security, risk, governance, policies, and security operations, are often working side by side, but not towards a unified, integrated plan that an Enterprise Security Architecture would present. Metrics are developed for the sake of metrics and are not actually measuring anything of value, like how well security architecture is actually being delivered within an organisation.

This session is based on a large global financial organization that set out to redefine their security architecture delivery approach. We will look at what obstacles were encountered along the way, what worked, what didn’t work, and some of those “oh sh…” moments.

At the end of this session participants should be able to understand why it is equally important to have an experienced team of security architects as having an agreed approach to delivering enterprise security architecture in a large global organisation.

The key takeaway from this session will be that defining an approach/methodology for delivering security architecture in a large enterprise is essential for consistent delivery of quality security architecture solutions across the organisation. An example of such an approach, i.e. a “Security Architecture Framework”, based on a real world case study, will be presented. The framework includes a set of security architecture principles, an enterprise security domain model, and a performance management model that enables an organisation to have a consistent approach to security architecture delivery that can be fine-tuned and scaled across a global organisation.

In the spirit of COSAC, this session is designed to be interactive and allows participants to share what their experiences were in similar scenarios before we will look at what happened in the real world case study this presentation is based on. This session will provide attendees with an insight into some issues that were encountered when developing a security architecture framework with the intention of providing a more structured approach of delivering security architecture in large organisations.


12S Real-World SABSA on a Global Scale Mark Keating

How do you go about creating a global security architecture framework for one of the world's largest professional services organisations?

Where do you start, when the organisation consists of 250k employees, operates in over 100 countries, and is made up of 40 separate member firms, each with their own CIO and each with differing views on security and risk?

This session will provide an overview of what our journey looks like, what we have already achieved, what challenges we have faced so far, and what we are doing next.


13P Edgar Allan Poe: 19th Century CISSP John O’Leary

He was an enigma – a quintessential Southern gentleman who was born in Boston, raised in England and Virginia, and poor for all of his adult life. He was a paradox – unfailingly polite and helpful, especially to women, yet a savagely fierce critic of anyone, even established celebrity writers who didn’t share his literary views or meet his extremely rigorous standards. He was also indisputably a genius – inventor of the detective story, revered by Bram Stoker and Arthur Conan Doyle, the most influential critic of his time, a lavishly praised poet, and a short story writer who could weave horror and reality into tales we still read today (and still shudder). Poe used encryption as the primary plot element in “The Gold Bug” and presaged the Big Bang theory by seventy years in his prose poem “Eureka.” And much of what he did and how he did it relates directly to our profession and how information security is perceived almost two centuries later.

Come join us as we decrypt Edgar Allan Poe and relate his life and works to the information security challenges of this century.


14P The COSAC Rump Session Various

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at before 10AM GMT Friday, September 29.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4 October.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of four minutes will be allocated for each presentation.



W1 Wonderful, Terrible, Inevitable: Big Data, Analytics & IoT John O’Leary

Big Data and the Internet of Things are revolutionizing virtually every industry. We’re told of pinpoint accurate medical records and diagnostics, all-encompassing analytics, mastery of industrial processes, effortless control of our static and moving environments and complete connectivity and communication with anything and everything we might ever imagine being useful. Wonderful!

But COSAC delegates have an internal red flag that goes up upon hearing “It’s gonna be great!” Then those euphoria-deflating security questions start multiplying and running through our somewhat addled brains. Where is all this Big Data coming from? Where will it reside? Who controls it? Who grants access? On what basis? How do we know it’s accurate, relevant? Is it complete enough for life and death medical decisions? What about analytics system administration; data monitoring and correction procedures; incompatible security architectures? Oh yeah, and privacy?

What kind of security is built into all these Internet-connected devices? How easy is it to control access? Is the data they trade and store encrypted? Who’s liable if they fail or give erroneous signals?

Big Data and IoT are neither fads nor merely trends, they constitute a revolution. There’s no going back. Join us as we look from a security perspective at both the bright and dark sides.


W2 COSACclue: A Surprisingly Serious Approach to Incident Response. Chris Blunt
Lisa Lorenzin

Last year we explored how security practitioners can find a new way of looking at enterprise security by learning the way a child does - through play. We found that by updating a popular board game to create COSACopoly, lifelong security practitioners discussed common information security issues and freely shared and learned from each other's experiences whilst having fun!

This year we build on this to explore how play can help security practitioners explore incident detection and response. Again, we will update a popular childhood game to provide a new lens for examining evidence and common issues in incident response. Players will collect clues and examine evidence to try and determine "who" (which threat actor), "how" (exploited what vulnerability), to do "what" (gain advantage).

We will also be running a couple of games of COSACopoly for those that missed out on the opportunity to play it last year. Players start with money and data, and must spend that money acquiring "properties" (security services) to protect their data from "chance" (random risks and opportunities).

We learn best from each other, and from the chance to go off-script and see where inspiration takes us. COSACclue, like COSACopoly, will spark conversations, demand tough decisions, and offer a free-form venue for exploring a variety of approaches to today's information security challenges.


W3 SABSA & Agile:

Part One - SAFe and Secure Narendra Ramakrishna

SAFe ( provides an Agile framework that attempts to achieve agility vertically (from Business Portfolio Management through to delivery teams [Agile/Scrum teams]) through the organization. However, SAFe is heavily oriented towards delivering functionality and classifies security as a set of non-functional requirements.

This presentation intends to augment SAFe with a risk-based approach, mainly using the tenets of SABSA. It will cover:

  1. Practical Agile implementation within large organizations.
  2. An approach for incorporating risk-based thinking (SABSA) at the portfolio level (alongside business strategy and technology roadmap).
  3. The method through which the risk-based approach percolates down to release sprints and Scrum teams.
  4. Alignment with DevOps and the SABSA Service Management Matrix.

Part Two - Securing Agile the SABSA Way Malcolm Shore

The analysis, design and delivery of software has changed fundamentally in the last few years, with flowcharts and specification documents giving way to user stories and post-it notes. This seems fundamentally opposed to the more structured architected waterfall approach that typified early software efforts. However, experience with agile has shown it can deliver results early and produce software that fits closely to user needs, outcomes that were becoming increasingly difficult to achieve with the waterfall approach to software development.

There are two agile methodologies currently in play: Scrum and Kanban. These are quite different approaches to making software development agile and many development shops deploy a combination of both – Scrum providing the sprint culture and Kanban the post-it notes. A culture of Extreme Programming – XP – is also often woven into agile deployments.

Agile development is a cultural approach to software delivery which has a number of fundamental implications for security. As a business solution delivery approach which is designed to “fail fast, fix quickly”, it relies upon user identification of functional mismatches. There is little chance that the same approach will identify anything other than very large security holes – the subtle ones will likely go unnoticed. Security has also developed in a strong waterfall manner, with assurance testing and accreditation against recognised standards being a common approach to delivering security assurance. This approach does not work in an agile shop.

This presentation addresses the new paradigm of agile security, in which the approach to security assurance aligns with the cadence of agile delivery. Concepts such as continuous security integration and testing can be effective alternatives to waterfall security, and security guard rails provide the cultural alignment necessary to remove security blocks and ensure security is an effective partner in agile delivery. SABSA provides the agile architectural approach which brings these and other tactics together into a strategic solution for building an agile security program.


Copyright © 2017 COSAC - All Rights Reserved -