M1 COSAC International Roundtable Forum John O'Leary    

One of the defining and truly unique characteristics of COSAC is the almost limitless degree of interaction in sessions. You might have been to other conferences where knowledgeable speakers cast new light on existing security threats, structural problems or organizational issues, or alerted you to new ones and gave sound, realistic, even creative strategies for coping. But you probably didn't experience a level of audience interaction in which the announced speaker, though clearly an expert in the area, is often one of the least experienced people in the room regarding the topic being discussed, and the audience, anything but shy, takes nothing said at face value. This is quintessential COSAC, and it leads to one of the most significant benefits of attending any conference: the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis. The COSAC Forum difference is that the group of practitioners in the room is generally more experienced and knowledgeable than a similar array of high-priced consultants from high-profile firms. And their experience is more real-world, since they have had to live with the results of their security decisions. Forum participants know that solutions which appear technically elegant and look really good on paper can be hamstrung by political considerations or "minor" operational flaws. They know what works, what doesn't and, more importantly, how to make things work in the real world. They know how to craft and internally sell realistic strategies for creating and implementing information security solutions. They know how, and by how much, to change direction when things don't go as planned.

For the 15th annual COSAC International Round Table Forum, deep-dive immersion into the COSAC way (Think ….. Challenge ….. Help) will be the first order of business. Anyone can suggest topics or questions. Anyone can answer. Anyone can challenge answers or give clarifying comments. To start the ball rolling, the moderator has searched SANS NewsBites and multiple other sources and put together some questions and discussion topics. Here are a few of them:

Is there a right way to handle a security incident?

Target appears to have screwed up royally. Before, during and after the BlackPOS attack, did the powers that be in Minneapolis make poor decisions or fail to make decisions that could have mitigated the eventual disaster? Goodbye CIO, goodbye CEO, and the lawsuits have started. There is some speculation as to whether the widely admired Target brand has been seriously, perhaps even fatally, wounded.

Anthem, on the other hand, started communicating with those affected by the breach of medical records and getting ahead of the press coverage. Will this save them?

How would you handle a serious breach?

CISO Reporting Level

(from SANS NewsBites) CSO Online publisher Bob Bragdon cites findings of the 2014 Global State of Information Security Survey that support the idea that the CISO should report directly to the CEO. Organizations in which the CISO reported to the CIO had 14 percent more downtime than those in which the CISO reported to the CEO. Companies in which the CISO reported to the CIO also had higher financial losses. "In fact, having the CISO report to almost any other position in senior management other than the CIO reduced losses from cyber incidents." The study gathered information from more than 9,000 respondents.

What’s your take on placement of the position?

The Internet of Things: Smart Lightbulb Exposes Wi-Fi Password

(SANS July 7, 2014) In a proof-of-concept attack, Internet connected LED lightbulbs were used to gain access to the Wi-Fi network that controls them. LIFX smart lightbulbs can be controlled with iOS and Android devices. LIFX was made aware of the problem and has issued a firmware update to address it. The attackers were able to trick the devices into revealing the network password; they had to be within 30 meters of the devices they were targeting.

Should we turn off all the lights? … and refrigerators, and …. automobiles … and

Security Not a Priority

Despite breaches, most critical infrastructure executives say security is not a priority. According to a 2014 Ponemon study from nearly 600 IT and IT security executives around the world, two-thirds of those responding said that their infrastructure had been compromised in the preceding year, but just over a quarter said that security is a top priority. Operators of infrastructure, particularly energy infrastructure, often believe that their need to operate the infrastructure trumps the need to keep others from mis-operating it.

Are they right? Are we wrong?

Cloud Forensics

(from SANS) Cloud services have saved money and improved efficiency, but the technology holds some challenges to forensic investigations. A draft NIST report describes 65 "challenges" forensic investigators encounter when dealing with cloud computing. One example of a challenge is email. On non-cloud systems, deleted email messages can often be recovered because they are not truly deleted until they are over-written. Because of the shared nature of the cloud, deleted files are more likely to be overwritten.

How do you do forensics in a cloud environment?

Big Brother Down Under

Legislation proposed by Australian attorney general George Brandis would broaden the Australian Security Intelligence Organisation's (ASIO) access to computers and networks. Some legal experts say that the law could be interpreted to give ASIO access to every Internet-connected computer. Civil liberties groups are also concerned about provisions that would criminalize journalists who receive and publish leaked documents.

Is this only an Australian issue?

Extra Added Attraction

Lenovo Laptops Shipped with Adware and Persistent Vulnerability (SANS February 19, 2015) Lenovo has been shipping laptops loaded with Superfish, adware that intercepts users' web traffic. Superfish is designed to "help users find and discover products visually." It also injects ads into web pages. To do this on encrypted sites, Superfish installs its own root certificate and intercepts TLS sessions; because the same certificate and private key shipped on every affected machine, it could easily be misused to conduct man-in-the-middle attacks. Lenovo has stopped including Superfish on its new machines.

This isn’t just adware, it is malware. Will you still buy Lenovo?

ICS-CERT Monitor Quarterly Report - Phishing Reigns Supreme (March 12, 2015)

According to a quarterly report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), industrial control systems were targets of cyber attacks at least 245 times in the 12-month period between October 1, 2013 and September 30, 2014. Seventy-nine of the incidents involved the energy sector and 65 involved the critical manufacturing sector. Of the incidents with a known attack vector, 42 were attributed to spear phishing; for a large share of the remainder the attack vector could not be identified.

Can we train our people, especially executives, to effectively resist phishing? Will the training stick?

How do you control BYO_?

How has the legal environment affected (positively or negatively) your ability to secure your organization’s resources?

What’s the appropriate way of handling minor security infractions by sloppy or uncaring or pressured or confused users?

What will your security budget priorities be for 2016?

Can we even identify, much less secure all the devices connected to our networks?

How complicated will it be to implement federated I&AM?

Do we have any realistic chance of prosecuting cyber criminals from countries where they are actually adding to the GNP?

Will Apple Pay become the payment method of choice? Is its security adequate?

There are a host of other issues and questions, and we’ll address as many of them as time permits. One of the best singular features of the Forum is that discussions and strategy idea trading started here very often continues throughout COSAC and beyond.

The Forum should give you a feel for the rest of COSAC. The essence of this one-day session is give and take, therefore, participants must be prepared to discuss topics freely and be willing to both critique others and have their solutions subject to scrutiny. Participants may be asked prior to COSAC to submit lists of items they’re willing to discuss and want discussion on. Some may be asked to prepare short presentations on specific topics to lead into roundtable discussions. The better prepared you are, and the more you put into this session, the more you’ll get out of it.


M3 The 1st COSAC Security ‘Design Off’ Jason Kobes    
William Schultz    

You have heard of hackathons and capture-the-flag events for hackers? This is a new format geared for security engineers and architects, as well as non-architects (project managers, CIOs, business managers, …) to work together and test their mettle. This is a hands-on workshop in which participants apply security design principles to a real-life business scenario and learn tricks to overcome challenges and address problems before they can begin. Participants will be challenged to work in teams to create actionable artefacts that are understandable by non-architects. The scenario will simulate real-life situations and allow participants an opportunity to apply a combination of experience, tools and techniques to solve a security problem.

The goals of this workshop are to forge relationships, learn from each other, and creatively leverage skills from other disciplines to be more effective at what we do. Skills covered will range from requirements gathering and definition, building assurable system designs and effectively communicating solutions to stakeholders. While the use of architecture, best practices, standards, and engineering principles is desired and encouraged, the winning design will be judged on appropriateness for the purpose, not on meeting or complying with a certain standard or format.

The most appropriate submission will win bragging rights and a special prize.



1A IPv6 Auto Configuration – Boon or Bane? Zbynek Houska

This talk aims to shine a light on IPv6 security issues and will attempt to take it from fringe circles of theoretical security researchers to the world of practical secure implementations.

In the wake of ubiquitous mobile computing, the Internet of Things and online entertainment, and with the IPv4 address space exhausted, there is demand for production-ready IPv6 deployments.

Not only does IPv6 offer a virtually inexhaustible address space, it was also meant to fix several problems seen in IPv4, and it adds mechanisms of its own to cope with the complexity the new protocol introduces.

To offset this complexity, the auto configuration mechanisms of Neighbor Discovery and stateless address autoconfiguration were introduced to deal with interface address auto configuration, router and DNS server selection, neighbour unreachability detection, prefix discovery, link layer address resolution and others.

IPv6 is oftentimes enabled by default on modern operating systems and embedded devices, whether or not anyone planned to deploy it. Vendors' implementations of the protocol are also inconsistent, and their level of compliance lags behind the current standards. This, together with the auto configuration features and the protocol's complexity, results in misconfigurations and security gaps that go unnoticed by network administrators and security professionals.
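One concrete instance of the gap described above, as an added illustration that is not part of the talk: the Router Advertisements that drive stateless address autoconfiguration are unauthenticated, so any host on the segment can advertise itself as a router, hand out its own prefix and its own resolver, or flip the M flag and steer hosts to DHCPv6. The script below parses the RA wire format (RFC 4861 header, Source Link-Layer Address, Prefix Information and RDNSS options) and compares what was seen with what the segment is supposed to contain. The router MAC, prefixes and resolver in the policy, and the two sample advertisements, are constructed for the example.

```python
"""Parse ICMPv6 Router Advertisements and flag ones that break a local policy.
Added example, not from the talk; policy values and both RAs are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25                      # RFC 8106


def parse_router_advertisement(data: bytes) -> dict:
    """Parse the ICMPv6 body of an RA (the checksum is not verified here)."""
    if len(data) < 16:
        raise ValueError("RA too short")
    msg_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", data[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),   # M: get addresses from DHCPv6
        "other": bool(flags & 0x40),     # O: get other config from DHCPv6
        "router_lifetime": lifetime,     # 0 means "not a default router"
        "source_mac": None, "prefixes": [], "dns_servers": [],
    }
    offset = 16
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:                 # RFC 4861: hosts must discard such RAs
            raise ValueError("option with zero length")
        end = offset + opt_len * 8
        if end > len(data):
            raise ValueError("truncated option body")
        body = data[offset + 2:end]
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            addr = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),  # A: hosts may SLAAC from it
                "valid_lifetime": valid, "preferred_lifetime": preferred,
            })
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            for i in range(6, len(body), 16):   # skip reserved(2) + lifetime(4)
                ra["dns_servers"].append(ipaddress.IPv6Address(body[i:i + 16]))
        offset = end
    return ra


def check_against_policy(ra: dict, policy: dict) -> list:
    """Return findings; an empty list means the RA is the router we expect."""
    findings = []
    if ra["source_mac"] not in policy["router_macs"]:
        findings.append(f"RA from unexpected router MAC {ra['source_mac']}")
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"] not in policy["slaac_prefixes"]:
            findings.append(f"SLAAC prefix {p['prefix']} not in policy")
    for dns in ra["dns_servers"]:
        if dns not in policy["dns_servers"]:
            findings.append(f"RDNSS advertises unexpected resolver {dns}")
    if ra["managed"] != policy["expect_managed"]:
        findings.append("M flag differs from policy (DHCPv6 takeover?)")
    return findings


def build_ra(src_mac: str, prefix: str, dns: str, managed: bool = False) -> bytes:
    """Build a minimal RA with SLLA, Prefix Information and RDNSS options."""
    mac = bytes(int(x, 16) for x in src_mac.split(":"))
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    slla = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac
    pio = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       2592000, 604800, 0) + net.network_address.packed)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(dns).packed
    return hdr + slla + pio + rdnss


# Constructed policy for one segment (hypothetical MAC, prefix and resolver).
POLICY = {
    "router_macs": {"00:11:22:33:44:55"},
    "slaac_prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")},
    "dns_servers": {ipaddress.IPv6Address("2001:db8:1::53")},
    "expect_managed": False,
}
LEGIT_RA = build_ra("00:11:22:33:44:55", "2001:db8:1::/64", "2001:db8:1::53")
ROGUE_RA = build_ra("de:ad:be:ef:00:01", "2001:db8:bad::/64", "2001:db8:bad::53", managed=True)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(label, check_against_policy(parse_router_advertisement(raw), POLICY))
```

Fed captured ICMPv6 bodies instead of the constructed ones, the same check is the core of a rogue-RA monitor; the four findings it raises for the rogue message (unknown router MAC, foreign SLAAC prefix, foreign resolver, M flag flipped) are exactly the levers an attacker on the segment has.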

This talk will critically look at IPv6 auto configuration features from a point of view of a security practitioner and will look at the following:

  • The old and the new (IPv4 vs IPv6) – an overview
  • Up to date threat analysis of IPv6 auto configuration features
  • Real world IPv6 problems in data centre and enterprise networks
  • Real world IPv6 attack vectors and exploitation of said problems
  • An overview of mitigation techniques and their effectiveness
  • Speculation about what the future holds for us in regards to IPv6 roll out from a security point of view

Attendees will gain insight into the risks associated with rolling out IPv6, enabling them to decide for themselves whether auto configuration is indeed boon or bane, and an in-depth understanding of how to mitigate these threats effectively.


2A Compliant and Connected: Building Herd Immunity Lisa Lorenzin

The value of preventative compliance checking is well established; network security experts have for years identified software updating and patching as a critical step for preventing network intrusions. Application whitelisting, patching applications and operating systems, and using the latest versions of applications top the Australian Signals Directorate's (formerly the Defence Signals Directorate) "Top 4 Mitigations to Protect Your ICT System". But implementing these controls can be difficult!

To facilitate endpoint compliance assessment, the Trusted Computing Group (TCG) has defined Trusted Network Connect (TNC), a framework for multi-vendor, interoperable collection of endpoint health and state reports, increasing visibility while building a foundation for remediation and attack detection. TNC-enabled technology allows determination of the compliance status of any type of endpoint on a network. A Compliant and Connected endpoint is less susceptible to compromise; keeping systems healthier helps resist attacks on endpoints and, therefore, on our information systems overall.

We'll review the TNC framework for endpoint compliance assessment and automated sharing of endpoint posture information, and discuss how technologies using these standards can reduce the security exposure of your network by confirming that all endpoints are uniquely identified, authorized to be on the network, and running up-to-date software.
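What the decision side of such an assessment looks like once a posture report has been collected, as an added example that is not from the talk or from the TCG specifications: identity is checked before health, because an endpoint that cannot be identified should get no network access regardless of how healthy it claims to be, and health failures lead to quarantine (where remediation is possible) rather than to a hard deny. The policy thresholds, the device identifiers (stand-ins for something like a TPM endorsement-key hash) and the three reports are constructed for the example.

```python
"""Evaluate an endpoint posture report against an access policy.
Added example, not from the talk; policy, device IDs and reports are constructed."""
from datetime import date

POLICY = {
    "known_device_ids": {"ek-1a2b3c", "ek-4d5e6f"},   # hypothetical identities
    "max_patch_age_days": 30,
    "min_versions": {"browser": (45, 0, 0), "java": (8, 0, 60)},
    "required_processes": {"av_agent"},
}


def parse_version(text: str) -> tuple:
    """'44.0.2' -> (44, 0, 2); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def assess(report: dict, policy: dict, today: date) -> tuple:
    """Return (decision, reasons) with decision in {"allow", "quarantine", "deny"}."""
    # 1. Identity first: an unregistered endpoint is denied outright.
    if report.get("device_id") not in policy["known_device_ids"]:
        return "deny", ["endpoint identity not registered"]
    reasons = []
    # 2. Patch currency.
    age = (today - date.fromisoformat(report["last_patch"])).days
    if age > policy["max_patch_age_days"]:
        reasons.append(f"OS patches are {age} days old (limit {policy['max_patch_age_days']})")
    # 3. Minimum versions for software that is present (absent software needs no update).
    for name, minimum in policy["min_versions"].items():
        installed = report["software"].get(name)
        if installed is not None and parse_version(installed) < minimum:
            wanted = ".".join(map(str, minimum))
            reasons.append(f"{name} {installed} is below required {wanted}")
    # 4. Required agents actually running.
    for proc in sorted(policy["required_processes"] - set(report["running"])):
        reasons.append(f"required process {proc} is not running")
    # Health failures are remediable, so they quarantine rather than deny.
    return ("quarantine" if reasons else "allow"), reasons


# Constructed posture reports, as a collector on the endpoint might send them.
HEALTHY = {"device_id": "ek-1a2b3c", "last_patch": "2015-09-20",
           "software": {"browser": "45.0.1", "java": "8.0.65"},
           "running": ["av_agent", "sshd"]}
STALE = {"device_id": "ek-4d5e6f", "last_patch": "2015-06-01",
         "software": {"browser": "44.0.2"},
         "running": ["sshd"]}
UNKNOWN = {"device_id": "guest-laptop", "last_patch": "2015-09-27",
           "software": {}, "running": ["av_agent"]}
TODAY = date(2015, 9, 28)

if __name__ == "__main__":
    for name, rep in (("healthy", HEALTHY), ("stale", STALE), ("unknown", UNKNOWN)):
        print(name, assess(rep, POLICY, TODAY))
```

The reasons list is what a remediation server or a help-desk ticket needs; the decision alone is what the network enforcement point needs. Keeping the two separate is what lets the same assessment feed both.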


3A Unique Analogs for Validating Security and Performance Claims (A Case Study) Rob Hale

This case study is focused on a test and evaluation model designed and used to evaluate an internally-developed security tool, which was developed to detect remote access Trojan activity in streaming traffic. The paper includes a general description of the tool under test, the claims of the tool, the test design and the results of the testing.

To authorize the tool for use internally, the tool had to detect the remote access Trojan successfully and had to have a false positive rate of less than 0.001%. Additionally, there was a requirement to validate which operating systems were usable from both an attacker and a victim standpoint. These two requirements forced our joint operations analysis and cyber security teams to look at a number of statistical sampling methods to find a sound, proven methodology which could withstand peer review. The team evaluated methods ranging from those used to detect manufacturing defects in cloth to air and water quality measurement methods before selecting assembly line testing of manufactured parts as an appropriate methodology.
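The arithmetic behind a "less than 0.001% false positives" requirement, as an added example that is not from the case study and does not reproduce whichever acceptance-sampling method the authors chose: a claim that small can only be demonstrated by running the tool over a very large amount of known-benign traffic, and the exact binomial (Clopper-Pearson) bound says how large. With zero false positives observed, about 300,000 benign samples are needed for 95% confidence that the true rate is below 1e-5; the second function gives the upper bound when a few false positives do occur. The numbers passed in at the bottom are illustrative.

```python
"""How many benign samples does a '< 0.001 % false positives' claim need?
Added example, not from the case study; uses the exact binomial bound."""
import math


def samples_for_zero_failures(max_rate: float, confidence: float) -> int:
    """Benign samples n such that 0 false positives in n shows FPR < max_rate
    at the given confidence, i.e. (1 - max_rate)**n <= 1 - confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - max_rate))


def _log_binom_pmf(k: int, n: int, p: float) -> float:
    # log C(n,k) + k log p + (n-k) log(1-p), via lgamma so large n is fine
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def _binom_cdf(k: int, n: int, p: float) -> float:
    return sum(math.exp(_log_binom_pmf(i, n, p)) for i in range(k + 1))


def fpr_upper_bound(false_positives: int, benign_samples: int, confidence: float) -> float:
    """One-sided Clopper-Pearson upper bound on the true false-positive rate:
    the largest p for which seeing <= k false positives in n benign samples
    is still plausible at significance 1 - confidence. The binomial CDF
    decreases in p, so bisection finds it."""
    k, n = false_positives, benign_samples
    if k >= n:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if _binom_cdf(k, n, mid) > alpha:
            lo = mid        # a rate this high is still consistent with the data
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    n = samples_for_zero_failures(1e-5, 0.95)
    print(f"{n} clean samples with zero alerts show FPR < 1e-5 at 95 % confidence")
    print(f"2 alerts in 100000 samples: FPR <= {fpr_upper_bound(2, 100000, 0.95):.2e}")
```

The same bound answers the question in reverse: if the benign corpus available is only 100,000 samples, the tightest rate the test can ever demonstrate at 95% confidence is about 3e-5, so the 1e-5 requirement is untestable with that corpus no matter how well the tool performs.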

The paper includes a description of the selection process and the reasoning behind the method selected. Finally, the paper includes a detailed description of the test environment, the conduct of the test and the results measured. The paper contains a description of future applicability and areas for further investigation.

The uniqueness and value of this case study lie in three primary areas. First, many organizations struggle to quantify what the ramifications of a given security solution will be in their environment. Vendor literature typically claims scalability, low false positive rates and the like, without solid, independent testing to validate those claims. In many cases this is due to the inability of the vendor or assessor to identify and apply appropriate statistical analysis measures to the process. This case study reveals not just what we selected, but how we selected it.

Second, many times security organizations are blamed for overall network performance problems due to the inability of the vendor and the organization to quantitatively demonstrate the true performance overhead of the security controls being implemented. In this paper we discuss how we tackled that problem and lay out the process we went through.

Finally, almost every security organization is asked something along the lines of “how much is a pound of security worth?” In this paper we present a model for addressing that question and briefly discuss how to use security metrics.


4A Back to Basics Lisa Lorenzin

There's a huge disconnect between what's sexy in Infosec right now - threat intelligence, information sharing, next-generation everything - and what's at the root of so many breaches lately - lack of two-factor authentication, phishing, failure to recognize breaches despite all the logs and alarms in our expensive security software. We talk so much about the failures at this essential level, without any concrete suggestions for fixing them! So - let's change the conversation. This will be an open discussion, under the Chatham House Rule, about what's working - and what isn't - when fundamental Infosec best practices collide with layer-8 (political/financial/ideological layer) issues. Please come prepared to share one real-world fundamental issue that your organization is struggling to solve, on which we could put our heads together and see if we can suggest anything useful, and/or one real-world example of a fundamental problem that you _did_ solve, so we can learn together what worked and why.


5A Heads of or Tails of Crypto Currencies Muhammed Z. Omarjee

As the global economy teeters between recession and constant financial system instability, the current monetary model of centralised "trust" is proving unsustainable. These instabilities are giving rise to disruptive "trust-less" models that question the existing currency and monetary systems and could render the associated banking and financial systems obsolete.

This session aims to introduce the underlying mechanisms that enable the "trustless" model and provides a cursory overview of key concepts such as:

  • The "Block Chain" concept
  • Crypto Currencies and BitCoins Ecosystem
  • Enabling technologies

In addition, new use cases are also introduced to see how existing economies, banks and financial service providers can enable themselves to participate in this "trust-less" model to maintain their relevance.


6A The Need for Hardware-Enforced Security (A Case Study) Rob Hale

While malicious cyber events have dramatically accelerated in frequency, complexity, and damage over the past decade, traditional cyber security solutions have failed to evolve. The model of “what is not expressly prohibited is allowed” combined with a solution mindset focused on evolving current technology has led to an environment where security failures are guaranteed to occur.

The problem can be traced to a combination of three primary factors which have contributed to the current environment: a) the lack of new approaches to information protection technologies, b) gaps in current technology coverage, and c) reliance on reactive approaches. A fundamental change in cyber security is necessary to provide a level of security which ensures critical information systems remain operational regardless of attack.

A next generation security foundation must provide an uncompromising security platform where all of its security functionality is completely independent of the host operating system. The solution discussed in this paper leverages a combination of concepts and technologies, such as integration with Trusted Platform Modules, but also provides an array of more advanced security capabilities.
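What "integration with Trusted Platform Modules" buys a security function that must not depend on the host operating system, as an added illustration that is not from the paper and says nothing about the Lockheed Martin device itself: a TPM platform configuration register can only be extended, never written, so each boot stage folds the hash of the next stage into the register before handing over control. A verifier that holds the known-good value can detect a modified or reordered component, and an event log that has been edited to hide the change no longer replays to the quoted register. The firmware, bootloader and kernel blobs below are constructed stand-ins, and the code simulates the register in software rather than talking to a TPM.

```python
"""Simulated TPM PCR extension: why a measurement chain detects tampering.
Added example, not from the paper; boot-stage blobs are constructed stand-ins."""
import hashlib

PCR_RESET = bytes(32)   # a SHA-256 PCR reads as all zeros after reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = SHA-256(PCR_old || digest).
    Not reversible and not skippable: each component changes every later value."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components) -> tuple:
    """Hash each component in boot order, extend the PCR and append to the
    event log, as firmware does before passing control to the next stage."""
    pcr, log = PCR_RESET, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the event log alone, as a remote verifier does."""
    pcr = PCR_RESET
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attestation_ok(quoted_pcr: bytes, log, golden_pcr: bytes) -> bool:
    """The quote must equal the known-good value AND the log must replay to the
    quote; otherwise a component changed, or the log was edited, or both."""
    return quoted_pcr == golden_pcr and replay_log(log) == quoted_pcr


# Constructed boot chains (hypothetical contents).
GOOD_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"bl-v1"), ("kernel", b"kernel-v1")]
GOLDEN_PCR, GOOD_LOG = measure_boot(GOOD_CHAIN)

TAMPERED_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"bl-v1-backdoor"), ("kernel", b"kernel-v1")]
REORDERED_CHAIN = [("bootloader", b"bl-v1"), ("firmware", b"fw-v1"), ("kernel", b"kernel-v1")]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN), ("reordered", REORDERED_CHAIN)):
        pcr, log = measure_boot(chain)
        print(label, attestation_ok(pcr, log, GOLDEN_PCR))
```

The property a default-deny platform builds on is the last assertion in the test: a compromised host can present any log it likes, but it cannot make an edited log replay to a register value it does not control, and it cannot roll the register back to obtain the golden value.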

While this paper is based on a Lockheed Martin device specifically designed to address the security requirements discussed in the paper, the purpose is not to market a product, but rather to present a reference architecture and implementation model in which the requirements can be met. One of the key points of the paper is the discussion of how this capability can and should be extended to address security issues in other devices in the Internet of Things.

The goal of this paper and associated presentations is to raise the need to change from a default permit to a default deny mindset for general purpose computers and to discuss an example of how this can be done.


1B Coding as the New Literacy Mary Dunphy
Lynette Hornung

In the past only a few possessed the power of literacy; when the clergy were the only ones able to read, they harnessed that power in various ways to maintain their control. Now coding is the new literacy. How is this power harnessed differently in a networked world? What are the implications of the power to code? What types of safeguards are in place to check the power of the coders? Are coders taught to understand the need to protect data from both a security and a privacy/data protection standpoint? Even if coders understand best coding practices, including the security risks of poor coding, what if their employers operate in an environment that focuses on turning out new applications as quickly as possible? When this leads to security and privacy requirements being compromised, if not sacrificed, what can be done once the code is released into production?

What checks can be applied to agile environments that develop without regard for security and privacy, and who is held accountable? Are innocent people thrown under the bus in political and economic power plays? Do requirements work, and how can accountability be applied? How can security and privacy/data protection safeguards be applied without unduly compromising the ability of the coders to meet business/mission needs? What are creative solutions for connecting the coders to the users of the technology?

This session will be an interactive discussion on coding and exploring possible solutions on how we can have better coding from a security, privacy and functional standpoint, yet balance this with the market demands of turning out products with a quick turnaround.


2B The Cybersecurity Skills Gap : Building A Cybersecurity Workforce from Scratch Esther van Luit

One of the most frequently cited problems encountered by companies is the lack of skilled cybersecurity talent available in the job market.

The cybersecurity field is relatively new, and only recently, with the increased media attention for breaches and a sharp increase in demand for cybersecurity labour, have educational institutions responded, and then with curricula that are hardly set in stone. With the speed at which the field is developing, any knowledge they offer students is quickly rendered obsolete, and it will take time before the influx of new cybersecurity graduates reaches the job market.

People with more working experience in cybersecurity have usually entered the field through a side-step that has given them the required skills in either the technical or the management aspects of cybersecurity, but seldom the big picture. Furthermore, job titles vary greatly and do not allow any definite conclusion on whether the person in question conforms to a specific profile in terms of skills, abilities, work values, knowledge and experience.

Meanwhile, working on the malicious side of cybersecurity pays well for those with the capabilities, and the speed with which attackers come up with new attack vectors demands a defensive workforce larger than most companies can feasibly employ.

The question the industry poses is thus: How to jumpstart a cybersecurity workforce, with the industry being in its early maturity stages and standardization incomplete? Or to put it more bluntly: “We want more people and we want it now”.

The NICE (National Initiative for Cybersecurity Education) has commendably initiated cybersecurity workforce standardization by attempting to define the types of jobs, the levels within these jobs and the skills required by the industry. With over 1,000 tasks to perform and over 1,000 knowledge, skills and abilities listed in order to perform them, this would seem a daunting task for even the most seasoned security professionals in the audience.

What is lacking is a concrete approach to training young people to be cybersecurity workers, without having to wait for years of experience or fully matured cyber curricula to develop.

In this talk I will thus address the following:

  • Talent Pool: Criteria to broaden the potential hiring pool beyond those graduating in Computer Science or already working in cybersecurity, such as work values, a subset of base skills and non-security knowledge, skills and abilities characteristic for people successful in the cybersecurity field. What is success? Do you need to know about Security? Do you even need to know about IT?
  • Base knowledge & skills: The fundamental knowledge and skills for each maturity level in cybersecurity job functions determines the starting point for further development. These can be extrapolated to educational requirements, going back to as far as the earliest years. What should a cybersecurity master program cover? What should kindergarten cover?
  • Trajectory of Development: A model of adjacent and associated skills (not unlike a game skill tree), which constitutes a pathway for additional development after proficiency in base knowledge and skills has been demonstrated. Certain security profiles can be discerned: What should a hacker be able to do? What should a security consultant be able to do? When is someone specialized in IoT security?
  • Maturity modelling: The development of the workforce as a whole can be used to denote the capability maturity of the organization at hand. Is there a difference in maturity level between all-round, levelled organizations and organizations that consist of SMEs? Is there a good and a bad posture depending on the security requirements / function of your company?

By broadening the talent pool, the influx of potential cybersecurity workers can be greatly increased, and with the specified base knowledge & skills and a trajectory of development, companies can actively educate and steer employees in the direction the security market demand is looking. As they move their workforces through the different stages of knowledge and skill development, the workforce will reach a certain level of maturity, providing a real insight into the capabilities of the organization. Altogether, this framework should provide a jumpstart for the cybersecurity labor market and a solid attempt to reach an equilibrium between labor demand and supply.

This is the first time this framework will be discussed in public, and input from the audience is anticipated and appreciated regarding the selected base knowledge and skills, and the suggested trajectories and maturity models. In general, the questions mentioned in the bullets are expected to generate a strong response from the audience.


3B The Importance of Being Earnest Helvi Salminen

"We should treat all trivial things in life very seriously, and all serious things of life with a sincere and studied triviality."

Security is not just technology; it is also human activity and organizational culture. Traditions of security tend to be formal and well defined, and to be taken seriously a security specialist or spokesperson is expected to behave in a certain manner. Some of the early traditions inherited from the physical security community may have changed, but has the information security community developed new rigid rules which a security practitioner must follow in order to be considered earnest enough?

Inspired by Oscar Wilde's brilliant satire of Victorian earnestness, the speaker analyses the culture of the information security community. The subject is discussed from different points of view in various contexts:

  • Security practitioner interfacing with his/her organization, customers, media, …
  • Security team in an organizational context,
  • Security associations,
  • Security conferences,
  • National or international security authorities,
  • … and many others.

This presentation may be fun, but it is not for fun only. It is fundamentally earnest in its objective to shed some light on potentially harmful cultural aspects of the security profession – behaviours which may undermine the important risk management objectives of security.


4B More Complex Challenges in Security G. Mark Hardy
Char Sample

This session builds on last year's well-attended program, "Complex Challenges in Security." The rate of change in security challenges is outstripping most organizations' ability to respond effectively. New attacks, new technology, new strategies; unless a defender is a master of all, attackers will succeed.

This session is designed to be interactive in nature with the presenters introducing key security topics, explaining the issues and offering recommendations, then opening up for audience participation to debate the merit and considerations of other solutions.

Topics will include: risk assessment of insider vs. outsider threat; movement toward integrated event response strategies; acquisition and use of threat intelligence; forensics of the embedded components that comprise the Internet of Things (IoT); and trends in artificial intelligence as it applies to security. New key topics may emerge between submission time and presentation time. We will discuss from both the government and the business perspectives. We will also discuss changes and challenges that are occurring in the offensive realm and their implications.


5B The Internet of Things – Privacy, Security & Property Mark Rasch

The Internet of Things combines ubiquitous computing with ubiquitous sensing.  Wearables, smart homes, smart cars and embedded software have the capability of monitoring every movement and every interaction people make, and for retaining and using this data in new and unexpected ways.

However, there is a darker side to this technology.  The problems of negotiating privacy policies and data security policies, as well as supply chain security, data breach notification policies, security and interoperability policies, and simple notifications to consumers about what is being collected and how it is protected and used multiply a thousand-fold in the era of the Internet of Things.

Companies are not spending the time, money or other resources necessary to provide even a low level of security for internet connected devices that collect and store among the most intimate of information.  This information becomes available through cloud storage for large-scale data mining and data processing – the big data of things, and can impact what goods and services are offered to consumers and at what price.

Finally, the IoT’s embedded software raises the possibility of the death of the ownership society, and a new “leasehold” society, where everyday objects are no longer “owned” but are licensed from large companies subject to the terms and conditions of a software license agreement.  Just as visiting a website subjects the visitor to the dozens of pages of fine print on a Terms of Service agreement, the IoT subjects purchasers of everyday objects from appliances to light bulbs to draconian service agreements.  This session will focus on the legal, policy, privacy and security aspects of the Internet of Things, and discuss some possible contractual, regulatory and technological solutions for the privacy, security and ownership aspects of the new era of computing.


6B Every Step You Take: Geo Location Security & Privacy Issues Richard Hollis

Every device we carry is now enabled with geo-location capability and reports our every move. This presentation is an exploration of the sensitivity of geo-location data; how it’s collected; why it’s collected, and where it’s stored. The presentation details the user profile that geo-location data and the meta-data gleaned from the devices hosting a geo-location application provides to the collector. It explores the security issues it presents to businesses as well as the personal and privacy issues associated with the user. The presentation is devoid of commercial content.


1S Practical Experiences of SABSA Domain Modelling at ING Pieter Siedsma
Marc Verboven

ING is today still largely based on a classic, but outdated, perimeter model. Outside of ING is dangerous; inside ING is a combination of geographically dispersed units that trust each other completely and have open communication lines. Once you have proven that, as a business unit, you comply with the ING policies, you can without restrictions have open connections to all ING units. Regular re-certification is not required and the evolution of the security posture of a business unit is not tracked.

This is an outdated model. The demise of this model (the “Jericho Forum” movement; this is an industry-wide development) led to the concept of domain segmentation and the writing of the domain segmentation reference architecture.

In this session ING will highlight the lessons learned in applying SABSA Domain modelling as a vehicle to deliver a reference architecture. The derived domain segmentation model will be discussed in detail.

The session will conclude with how the reference architecture is being translated into executable roadmaps for the different business units.

As usual at COSAC, the session is intended to be highly interactive.


2S Away with Applications Security! Jacoba Sieders

ABN AMRO Bank is a multinational bank, operating in 20 countries, with 22.500 employees and 7.5 million customers. Due to mergers and acquisitions the current IT landscape is very complex, full of legacy systems, expensive, and difficult to manage. Therefore, a massive bank-wide 5-year program was started in 2014 to move all banking systems to the cloud and at the same time redesign the complete existing landscape into a fully Service Oriented Architecture (SOA).

New European privacy legislation (2012 - becoming mandatory in 2017) imposes extra strong requirements on companies for handling customer data. But user requirements are becoming more complex too: any device, any network, any time, any place, any request, and any type of user must be accommodated. How to gain full control on access while serving all requirements, especially in a heavily regulated financial industry?

The Corporate Information Security Office, in co-operation with the Corporate Architecture & Data Management department and with the full support of the ABN AMRO Executive Board, designed a completely new and innovative IAM architecture for employees and customers to operate in the new SOA-based bank environment. All business rules are taken out of the applications and managed through rule bases validating attributes, based on a common bank-wide data model. This is designed to be flexible enough to be future proof for the next 15 years. Fraud detection and IAM will act as complementary functions in the security architecture. The ABN AMRO IT organisation was also redesigned to support the new Service Oriented Architecture and to be more business driven. The fact that an Architecture and Data Management department was installed at corporate level is proof of the paradigm shift.

Today (March 2015) we are in the second year of building and implementing the IAM and the SOA program, and could not yet find peers (let alone of the same size and industry) who are moving to such innovative IAM concepts so straightforwardly. Since this is the newest approach known in the market today, it involves a lot of inventing and pioneering, and therefore the ABN AMRO IAM design cannot be shared in complete detail and is still under non-disclosure. Yet the high-level future state architecture, the principles and designed migration strategy, the lessons learned so far, and parts of the access modelling can be.

Finally, the IAM team developed a new methodology for users to make online purchases while the user does not authenticate. This can be shown in a demo on screen, but the in-house-developed technology is still under non-disclosure. Sections of the presentation (depending on time available) can be:

  • Outline of the background and environment
  • New requirements from business, end-users and European privacy legislation leading to new IAM concepts, data centric security and attribute based access.
  • High level future IAM architecture of ABNAMRO to accommodate the new requirements and SOA
  • Explanation of components of the architecture and how they work together
  • From coarse-grained to fine-grained access modelling, how to address data centric security
  • Implementation strategy
  • Migration strategy
  • Lessons learned so far
  • New role for the business (rule management)
  • Some end-user use cases
  • Authentication-less banking: “Privacy by Design” (demonstration on screen how an online purchase is done without authenticating to the bank or the website)


3S SABSA in a Governmental Security Program – Experiences & Lessons Learned Silvia Knittl

The case described in this talk is about the application of a requirements engineering approach based on the SABSA method in an Identity and Access Management program in a federally structured government. The organisational setup comprises departments and agencies (80) and a decentralised ICT organization. TOGAF and SABSA are used in parallel to structure the strategic approach to an overarching IAM program which shall serve the harmonization of local, disconnected IAM systems and projects.

The presentation will concentrate on the requirements engineering part, as it contained the SABSA typical challenge to deal with many stakeholders from different domains with multiple points of view and sometimes colliding business requirements. These stakeholders were both from management and ICT, but in general representing the customer side and not the service provider side.

Both the requirement engineering process and its outcomes are shown in the presentation:

  • Individual stakeholder documents
  • Modelling schema of the requirements using Archimate
  • Normalization of the requirements with usage of SABSA business attributes
  • Generated reports and statistics, e.g. SABSA heatmap

The lessons learned in this project so far, to share and discuss with the audience, are:

  • SABSA business attributes as a powerful tool in requirements engineering
  • Being forced to be concise by the modelling approach
  • Difficulties in adhering to the viewpoints from the SABSA matrix
  • Conflicts between the “plan – build –run”-perspective of the participants
  • Architecture versus process: Where to draw the line between architecture (static) and processes (dynamic)?
  • Dealing with “short term” implementation requirements by the customers vs. the long-term strategic development approach intended by the architect.


4S Roadmapping for SABSA John Czaplewski

Technology roadmapping is a tool used to support analysis, decision-making, planning, and communications. The technique serves many purposes and has proven useful for dealing with tactical and strategic challenges from a variety of perspectives, including organization and industry.

This seminar will provide an introduction to roadmapping:

  1. Concept – What is this thing called Roadmapping
  2. Issues and inconsistencies of ESA and APQC
  3. Functional uses – What’s it good for, anyway?
  4. Basic Principles – Just the fundamentals please: Structure & Process
  5. Roadmap Examples – Formats and Inspiration from the Web
  6. “Yousing” Roadmapping – Roadmapping as a SABSA tool
  7. Digging deeper – a bibliography of useful references
  8. Take Away – Microsoft Visio Template – the Alpha Version


5S SABSA-Enhanced NIST Cybersecurity Framework: SENC Makes Sense Efrain Gonzalez

On February 12, 2014, the National Institute of Standards and Technology (NIST) published the much awaited NIST Cybersecurity Framework to mixed reviews. The framework was developed in response to a presidential order asking for the development of a voluntary risk-based cybersecurity framework that could be used to protect the nation’s critical infrastructure. At the time, the general consensus from the security community was that the framework was flawed, but that it could still be useful nonetheless. A year later, the framework is still struggling to gain traction and hasn’t reached the levels of widespread acceptance one would expect from an effort of this magnitude.

So, what happened? Was it a case of too much, too little, too late? Did too many cooks spoil the broth? Or, did the framework simply fail to deliver?

There are many reasons why the framework has not gained the level of acceptance one would have hoped for. Chief among them is probably the fact that the framework has many security gaps. Fortunately for us we don’t have to figure out what went wrong; we just have to figure out how to capitalize on this fact.

It turns out that there may be a silver lining in this cloud after all. The government has hinted at as yet unspecified legal and regulatory incentives for owners and operators of the nation’s critical infrastructure who voluntarily adopt the NIST Cybersecurity framework. Borrowing a strategy from the opposition, we may be able to use the NIST Cybersecurity framework as a Trojan horse to introduce SABSA into these organizations.

Here’s how it works. This presentation is based on the notion that critical infrastructure owners and operators will want to adopt the NIST Cybersecurity framework to take advantage of future incentives. This presentation shows you how to adopt and enhance the NIST Cybersecurity framework using the SABSA methodology to address the security gaps.

The enhanced framework is called the SABSA-Enhanced NIST Cybersecurity framework – or, SENC for short. Our tagline: “SENC Makes Sense”

Session attendees will not only be treated to an in-depth presentation on the NIST Cybersecurity framework; but more importantly, attendees will learn how to use the SABSA methodology to turn a fledgling contender into a world-class security framework.

Using SABSA to enhance the NIST Cybersecurity framework makes perfect sense, doesn’t it?


6S I’ve got I’s everywhere but I still can’t see Richard Peasley
Fabio Rosa

Business information is the logical representation of the real heart of any business. The data running on an organization’s networks is the culmination of all the business efforts to develop a profitable, trustable and promising brand. How to protect it really must be thought through.

Starting from the Conceptual level, down to the Component and then to the Operational security architecture level of the SABSA model, they all have one thing in common: they set requirements and success criteria that are achieved with the use of data encryption. This dependency, combined with the rise of initiatives like SaaS, IaaS, mobile data, IoT and many others, is causing a 20% year-over-year increase in SSL traffic on corporate networks. In today’s network traffic, our most important traffic is often encrypted by default. This includes some of the bad traffic as well. This “when in doubt, encrypt” scenario can have the downside of creating blind spots that prevent the visibility organizations need to manage their own traffic, and this leaves organizations exposed to risks and vulnerable to attacks which are hidden in SSL traffic.

This presentation for the COSAC Conference 2015 will provide the most up-to-date market statistics, recent data on threats under SSL, and recommendations on how important it is to guarantee SSL visibility, starting at the conceptual security architecture, to prevent blind spots and strengthen the effectiveness of the security design. The session will conclude with an overview mapping encrypted traffic management best practices to SABSA as the basis for questions and discussion.

Detailed presentation content:

  • Market statistics
  • Real-world cases
  • SSL inspection impacts (performance, key management)
  • Control strategies and benefits
  • Mapping encrypted traffic management best practices to SABSA


7P Dance Band on the Titanic : The Data Loss Iceberg Principle Risk Factory

What if everything we’re doing to secure our data is for naught? Have you stopped and thought that perhaps this data has already been compromised and the efforts we continually make to protect it are - too little too late?

This presentation explores the idea that the vast majority of the sensitive data processed, stored and transmitted every day by governments, NGOs, businesses and private individuals has already been breached and we are wasting our time and money trying to protect it. Are the information technology systems we currently use even capable of this role?

The presentation compares the data losses publicly acknowledged to date through mandatory disclosure laws against the widely held principle that they are only a small percentage of the actual losses incurred. If this is true then a new security paradigm is required, but what would this look like?

The presentation considers unconventional approaches but its primary objective is to engage the audience to think through the actual premise, challenge their understanding of the current state of information security and perhaps consider alternative ideas.

The presentation is devoid of commercial content.



8A Securing the Chaos G. Mark Hardy

Cybersecurity is chaos. No, not random chaos where there are no rules, but deterministic chaos, described by mathematician Edward Lorenz as, "When the present determines the future, but the approximate present does not approximately determine the future."

If we consider ourselves experts, why do we continue to be surprised by new types of attacks and intrusions? Why do we have such a hard time protecting ourselves and our clients? Can the cyber security problem ever be "solved"?

In this presentation, we'll look at the complexities of the man-made domain called cyberspace, and evaluate why securing cyberspace absolutely is not possible. Nevertheless, we can make significant progress by marrying preparation and prevention with detection, resulting in an adaptive security model that will allow us to reduce the impact of future adversaries. Finally, we'll explore whether the best defense really is having the best offense, and if so, how can we avoid a digital arms race that may escalate beyond our control?


9A Penetration Testing, PCI, and the Race to the Bottom Conor O’Neill

Compliance-driven, as opposed to security-driven, requirements for annual penetration testing, coupled with a desire to have tests performed as inexpensively as possible, have created an industry-wide trend towards the commoditisation of penetration testing services. This issue has become even more pronounced recently with the introduction of PCI DSS 3.0, which mandates increased levels of penetration testing compared to version 2.0. This results in increased client costs, and to mitigate these increased costs, clients often attempt to reduce the duration and scope of testing. The impact is a general reduction in the quality of penetration tests, with the output of many penetration tests being nothing more than re-branded vulnerability scan reports.

The speaker provides a unique insight from the tester’s point of view, and compares and contrasts the attitude to penetration testing when mandated by compliance versus when pro-actively introduced to assess risk.

The talk will look at why cheaper is never better, and the inherent dangers that lie in the commoditisation approach. A discussion of what a good penetration test really entails, with real-life examples of where so-called ‘low’ severity scan findings have resulted in complete compromise of systems when manually examined, will also be presented.

Users will gain an understanding of the various counter-measures to this trend of commoditisation. Conor will then open up to the floor to gain an understanding of what individuals at various levels of the industry can do to reverse the trend.


10A Hack Back – Legal Aspects of “Active Defence” Mark Rasch

Too often, companies are playing defense while hackers, hacktivists and foreign governments are on the offensive.  Laws, treaties, and public policy disfavor “self-help” in preventing attacks, probing attackers, and in retribution or punishment of hackers.  Laws that punish “intentional access without authorization” or “intentional access in excess of authorization” or willful harm or damage to computers or computer networks act to punish attacker and defender alike, and recent prosecutions in the US and UK highlight the fact that companies intent on using “active defense” are on perilous legal ground.

Yet the law has always recognized a right – both statutory and under common law – for defense of self and defense of property, and the right of an individual or entity to protect its assets with force.  Legal exclusions for authorized criminal investigations or intelligence activities, coupled with the law of self-defense may provide legal cover for some forms of active defense, but entities still must wrestle with civil damage and negligence liability, problems with attribution and misattribution, and other legal and policy issues associated with taking the law into one’s own hands.  Venue and jurisdictional issues complicate the authority of an entity to actively defend its data or network, or to put in beacons, dye packs or other technology designed to identify hackers or to destroy hacker networks.

This session will discuss the nature of the law and policy for active defense, and propose some solutions which will balance the needs of the defender against the needs of others in the community.


11A The Next Cyber War : Geo-political Events & Cyber Attacks Werner Thalmeier

Over the last few years we have been facing a significant increase in geopolitical events and conflicts. As a matter of fact, each political conflict now includes or is followed by cyber-attacks. In other words, as mankind physically struggles with each other, there has been new outgrowth with corollary cyber techniques. More than ever, our world seems wrought in strife and civil discontent. Basically we can see two main directions of events and related cyber attacks:

Nation-State Oriented:

  • Israel / Gaza
  • Ukraine/Russia
  • Syria (internal)
  • Iraq (internal)
  • Afghanistan (internal)
  • Egypt (internal)
  • Libya (internal)
  • Somalia (internal)
  • India / Pakistan
  • Sudan (internal)
  • China / Japan (South China Sea)


  • World Cup
  • Ukraine Presidential Elections
  • Ferguson, Missouri / Michael Brown Shooting Conflict

What these events all have in common is that each conflict has included cyber-attack weapons and attacks.

2014 was a watershed year for the security industry. Cyber-attacks reached a tipping point in terms of quantity, length, complexity and targets. Media coverage has kept pace, with plenty of coverage about the latest high-profile cyber-attack. We will have a big-picture view that is far more frightening than even the most ominous nightly newscast. Cyber threats are growing and expanding to new targets. The technical “bag of tricks” is bigger than ever, and hackers are combining “tricks” in new (and terrifying) ways.

This session will help you to:

  • Understand the relationship between geopolitical events and cyber attacks
  • Learn about possible consequences of those cyber-attacks for your own business
  • Get insight on the latest attack tools and trends
  • Learn what kind of technologies are required to be protected
  • Understand principal protection strategies and how to implement them successfully


12A Government Surveillance: Citizen Privacy versus Protection of Society John Sherwood

On November 4th 2014 the newly appointed Director of GCHQ, Robert Hannigan, published an opinion piece in the Financial Times. It was a call to arms for increased government surveillance of Internet traffic and usage. Mr Hannigan argues that in order for Western governments to be effective in combating terrorism, organised crime and child exploitation, Western society must relinquish its right to personal privacy, human rights notwithstanding. In January 2015, following the Sony hack and the Paris terror attack, the UK Prime Minister, David Cameron, in a political speech in Nottingham, UK, effectively called for a complete ban on peer-to-peer encryption. There are similar official government voices saying similar things in the USA.

Robert Hannigan has a job to do, and one can understand his frustration that US technology companies are unwilling to co-operate fully with Western governments in allowing full scale surveillance of Internet usage through the companies' own technical capabilities. He accuses them directly of being passively supportive of ISIS by taking a neutral political position. However, this point of view begs many questions. He talks about 'misuse' of the Internet and 'ordinary users', without any explanation of where boundaries might be drawn around these concepts. He works on the assumption that all Western governments are, and will continue to be, benign in their motives and applications of surveillance capabilities, whereas history shows that democratic processes have been used in the past for the ascendancy of evil political powers. What of the future? Once these powers are enshrined into law they too can be 'misused', if not by governments corporately (which is possible) then by individual government officials or sub-groups in pursuing their own agenda. There are many examples of misuse of the law for inappropriate goals.

Mr Hannigan tells us that it is time for Western society to make 'urgent and difficult decisions'. He welcomes a public debate and states his willingness for GCHQ to engage in that debate. As a COSAC community we have a lot of insights into these matters that we should express both internally, and perhaps through some public statements, to contribute to the debate. This issue is about the future of Western society and its values, and is directly related to our professional areas of interest. We are long-term professionals with much experience and wisdom. We should take this opportunity to enter this debate. Clearly there are two extreme possible views, but most rational citizens will want to find a 'middle way', providing appropriate balance. But where exactly can we find the middle of the road?


8B Social Engineering, Misdirection, and Mind Hacking Jason Kobes
William Schultz

A walk down memory lane of Brad Smith’s work and where we are today.

These security professionals went into a Hotel in Ireland, what happened next will shock you. Click bait, social engineering, and neuro-linguistic programming were topics Brad Smith was discussing before they were cool. This session will talk about his impact on the community (and us) to bring awareness of these subjects into our consciousness. We will discuss the way he presented these ideas in ways that engaged us, and also how these topics have changed since. For example, the way social engineers can break down your defenses to make you, your employees, and the people you support vulnerable. Knowledge of these practices, and a basic understanding of how they work will help protect you and your organizations by helping to realize when it is happening. For those of you who witnessed “The Nurse” in action you can help us relive the memories and the knowledge that we have lost. For those who have not, this is a rare opportunity to see what you have missed.

Brad was especially adept at explaining and illustrating the technical hacks of the mind. His courses often left you fully empowered to use these hacks with a little practice. Those of us who had the privilege of studying with him will never forget the impact those classes have had on us. Social Engineers are using these techniques against us and our organizations. As the technology matures, the individual mind hacks become more important to the hacker. This makes it critical for us to know how these attacks work. Of course, as Brad would always say, “these skills are powerful; use your skills for good.”


9B Breaches and Screams: They Woulda, Coulda, Shoulda,….but Didn’t John O'Leary

In this full COSAC rules interactive session, we’ll analyze what happened in some notorious and some not so well-known recent security incidents. Calling on the expertise of all delegates in the room, we’ll try to determine what the breached organizations could and should have done to either prevent or limit illicit access and subsequent damage. We’ll cover the before, during and after phases and ask what attending delegates would have done had they been walking in the shoes of the target companies’ responsible person(s). Since some of the cases will still be active, we’ll also ask what appropriate next steps should be for the victim firms. Nobody will get fired or sued or physically punished during this session. We hope that the material covered here will help prevent those things in the future.


10B Capturing Cyber Value-at-Risk : Towards a Model for Quantifying Cyber Risk Maarten van Wieren

“Know thy self, know thy enemy. A thousand battles, a thousand victories.” (Sun Tzu)

Due to an increasing number of cybersecurity breaches making the media headlines, cybersecurity has finally become a boardroom issue. However, up until this day, it remains difficult to measure and quantify cyber risks due to limited threat intelligence and rapidly evolving cyber threats.

The World Economic Forum acknowledges this difficulty in the paper they published earlier this year (“Towards the Quantification of Cyber Threats”), which describes a quantitative framework for cyber risks with the goal to enable organizations to measure and manage cyber risk, and reach and maintain the right level of security maturity in line with the business strategy.

In the project that will be presented for the first time at this conference, an attempt has been made to bring this theoretical framework to life. The focus of this talk will thus be on how the Cyber Value-at-Risk (VaR) methodology can be applied to real-life use cases, and how each of the model components uniquely contributes to the Cyber VaR outcome. Together, these components can form a Cyber Value-at-Risk dashboard to display the assets that are subject to risk, the threats that they are facing and the resulting loss exposure. Based on this dashboard, companies should be able to make an informed decision on what risks to mitigate, how much money to spend on mitigating them, and what risks to accept or transfer through cyber insurance.

In this talk, I will cover:

  • Each of the model components that make up the Cyber Value-at-Risk framework, and how they are represented by measurable parameters;
  • The unique interactions that take place between these model components to arrive at a single, quantitative outcome;
  • The challenges of this approach, that lie in the lack of quality data concerning attacker profiles and evolving attacks, and the complicated estimation of cyber asset value and risk exposure.

The model presented here is not intended to provide an exact dollar value in this stage of development, but rather a well-rounded assessment of the risk the organization is facing. It should facilitate boardroom deciders in creating a connection between strategic decisions, financial risk management and cyber risks. The ultimate goal of this project is thus to enable companies to focus on their core business and remove some of the barriers to safely be at the forefront of the digital realm.

The input of the audience will be appreciated in order to enable further improvements to the model, based on the many years of field experience of the conference attendees. Suggestions of nuances in the relations between model components, or of unexpected additional and/or confounding variables that change the output of the equation, if any, would be highly beneficial to the accuracy of our final model.


11B Business Security Requirements (and How We Might Recover from Them) Matthew Pemble

One of the critical aspects of information security development and, particularly, security architectures, has been the move away from requirements and architectures based on security-driven designs towards designs based on business security requirements. A significant part of security work on projects has always been identifying who might know what the business could, should and actually do (not always the same thing) need, what these business requirements then are and finally reconciling them with the available (and affordable) technologies.

Security professionals have therefore been keen to get detailed requirements from the business at early stages of the project. Sometimes, now, these requirements do arrive. This is not always the very good thing that we might have hoped.

Businesses, whether executive leadership, operational managers or especially project and programme managers, often have insufficient understanding of the technical environment, the legal and regulatory environment, and the possible capabilities of current and proposed security controls. It is also impossible to fix insecure business processes with technology – no matter how brilliant a security architect you are.

Based on a case study of the redesign of the core systems and operational security services for a large financial organisation, with asides from other major projects, this presentation will discuss where the business can misunderstand security and generate requirements that are essentially nonsensical, counter-productive or just, simply, wrong. And what we can do about them, without retreating into the old “Security knows best, security says ‘No’” paradigm.


12B From I.T. Security To Business Security Vernon Poole

Vernon has been involved in developing ISO standards, has worked with many professional associations (ISACA, the ISO community, BSI & BCS) and, for one time only, will give his irreverent session on what we have learnt and what the future holds. We have grown from teenagers to screenagers, and from gentlemen to cyber men – but are we any better? Vernon is a blunt Northerner (from the North of England) and will both surprise and amuse you with his tales of methodologies and standards.

He will explore the virtues of ISO27001 (from its humble beginnings as BS7799) and the emergence of BMIS (Business Model of Information Security) through to COBIT5 & Cyber Security. Along the way Vernon will discuss other standards like PCI, and the UK Government’s methodologies.

If you are afraid of the truth, do not attend his session, but if you want to have the courage to smile at our mistakes and learn how to succeed going forward, then come along for the ride.

With all the hype about cybersecurity, this session is a timely reminder on what we have learnt before we get too carried away in the zest for glory – let us follow a path that has the support of the Board and not blind them.


8S From Concept to Implementation Chris Blunt
Michael Price

You’ve successfully delivered the Strategy and Planning phase of the Enterprise Security Architecture (ESA) lifecycle and have an approved Contextual and Conceptual architecture, so what do you do now?

This session will provide an overview of how the SABSA methodologies and techniques were applied to complete the Design phase of an ESA for an organisation adopting cloud computing and mobile devices to deliver front line services. It will follow-up on Chris’ presentation from last year to discuss how SABSA was used to help architect and design security services. Specifically it will look at how it was used to:

  • Ensure that the business’s requirements established during the Strategy and Planning phase were met;
  • Develop a security service addressing the logical, physical, component and service management layers; and
  • Establish trusted reference architectures to support and enable reuse of security services across the organisation.

It will also discuss some of the challenges encountered during the project, together with the strategies that were used to overcome them.


9S Cloud Computing Enablement : To the Cloud or to the Ground Muhammed Z. Omarjee

As IT Execs contemplate ways to adapt their IT to adopt cloud-based models, the business cannot wait. With everything now on-demand - and as easy as a paid credit card subscription - almost anyone can do anything on anyone’s cloud. The resultant impact is a loss of visibility and control in terms of “who” does “what” in the cloud, “where” in the cloud, “how” in the cloud, “why” in the cloud and “when” in the cloud.

To enable the business to adopt cloud efficiently and sensibly, a Cloud Enablement Strategy is proposed. The strategy aims to define:

  • A set of core capabilities to determine core processes and functions required for cloud enablement.
  • A decision tree that is question oriented at a business level to help businesses decide on whether to go cloud or not.
  • A set of patterns to guide what can possibly be done in the cloud.
  • A set of business objectives based on attributes of Trust and Dependability.
  • A structure for a centre of excellence, and responsibilities based on business domains within an Enterprise Architecture Lifecycle framework
  • A set of governance considerations should a decision to adopt cloud be made

Adopting such a strategy (or parts thereof) aims to make cloud adoption a mutual partnership between business and IT, where the benefits of cost, risk and operational impact are harmonised to minimise impact on day-to-day business.


10S Why Should I Trust You? SABSA and Zero Trust Richard Peasley
Fabio Rosa

Forrester Research responded to a NIST RFI on Critical Infrastructure security in April 2013. Even before that there had been a slow movement towards the concept of an organization or an application being truly sovereign over its data and the access to it, with trusted relationships and trust zones in competition with micro-segmentation of virtual environments, both public and private.

Starting with the Contextual level, all the way down and back up, we will map the SABSA model to the more stable elements in the Zero Trust movement, including the possible demise of mobile device management and the “Bring Your Own Everything” (BYOx) story. We will walk through two client high-level security architectures and the business drivers that drove the designs.

This presentation for the COSAC Conference 2015 will conclude with an overview of a suggested mapping of Zero Trust best practices to SABSA as the basis for questions and discussion. We expect the conversation to be lively and will facilitate and capture comments to distribute after the session.

Detailed presentation content:

  • Outline of bibliography on Zero Trust, Who is talking and who is not?
  • 2 Example security architectures
  • Mobile Device Management and Agent Wars
  • BYOx strategies and benefits to Zero Trust
  • Mapping Zero Trust best practices to SABSA


11S There and back again – An enterprise security architect’s tale of maintaining sanity while establishing traceability Jaco Jacobs

When it comes to the reality of using SABSA for my projects there are a number of challenges that I face regularly. Among them is the question “Can a set of rules be built to guide the structure of how SABSA artefacts must link together?”. Also, for a little bit of a selfish reason if I’m honest, I want to try and figure out if I’ve been doing an “okay” job of it myself over the years.

As a dedicated acolyte of the “Order of the Blue Book”, I try my very best to stay true to the SABSA principles, methods and techniques, after all, these are the things that opened our (at least my own) eyes to what the world needed to see … And here comes that inevitable “BUT” … I find it harder and harder to maintain structure and traceability as the complexity of modern environments increases. To make things worse, many of the companies that I typically develop architectures for, are hell-bent on showing that they are compliant to something, even if it’s just for the sake of being compliant, and so, I usually end up having to use some controls library/repository from some or the other industry standard or “Best Practice” and then end up having to show how the controls link to other standards, how they are cross-referenced, how they relate to security domains, which attributes they are linked to, and finally, how they become usable and tangible …

This session will present a small use-case of how I try to maintain my sanity when working through the chainmail that is Enterprise Security Architecture using “Structure and Guidelines” and some re-usable artefacts (Excel and PowerPoint ?) with the focus of maintaining traceability. I will also spend a little bit of time showing how I try to achieve “Compliance by Design” using the “Structure and Guidelines”.


12S Using Risk Management to Enable Organisational Achievement William Schultz

Does your Risk Program have a positive impact on your organization’s bottom line? Can you prove it?

Enterprise Risk Management is a fundamental and critical component in ensuring the strategic success of an organization. Its ultimate goal is to allow the business to effectively manage uncertainties so that it can achieve its business objectives. It should serve as an essential resource for business leaders and executives to make informed decisions, and as a critical input to Business Architects, Enterprise Architects, and Enterprise Security Architects building strategically aligned architectures. However, the effective implementation of an enterprise risk management program is an endeavour lined with challenges and pitfalls which threaten to diminish the value of the program. This is demonstrated in a recent study that looked at organizations with mature enterprise risk management (ERM) and performance management systems (PMS) respectively, to see if those organizations performed better financially than organizations with less mature programs. The study found an insignificant correlation between having a mature ERM and PMS and increased financial performance. In this session we will look at this problem to explore possible explanations, common problems, and ways to address the issue. In particular, we will look at how the SABSA Risk Management Framework can be leveraged on its own, or integrated with other Risk Management methodologies.


13P Kim Philby and the Ultimate Insider Threat John O’Leary

The Tony Sale Memorial Session for 2015 will cover perhaps the most notorious spy of the 20th Century. The presenter believes that Tony would have caught him.

We hear about cases of insider malfeasance and corruption and revenge-seeking. We probably have seen or know of more insider mistake-making than outright fraud or malice. But when the turned insider (in this case, a Soviet spy) is running and making decisions for a major section of British Intelligence, the ante is upped considerably. How do you catch him when he’s the boss? How do you even question his actions or decisions when he is a charter member of the “Old Boys” network? How do you conduct discreet inquiries on him when he is almost universally revered? And how do you keep your suspicions and investigative strategies secret when the target is running the whole show?

Philby and his 4 cohorts, together known as the Cambridge 5, did excellent work for the Allies against the Germans, but all 5 were ideologically and financially tied to Stalin’s Russia. British, Canadian, Australian and American secrets went directly to Moscow throughout World War II. Agents were uncovered and executed. Careers of those who befriended and trusted Philby and the others were destroyed or sent in very negative directions. The map of post-WWII Europe featured much more Soviet domination than it would have.

The consequences for our organizations of the insider threat will not, let’s hope, be anywhere near as severe. But there can be real and very negative outcomes from a crooked or angry insider. We’ll attempt to draw lessons from Philby and the Cambridge 5 that we can use to prevent, deter, detect and recover from the insider threats we may face today or tomorrow.


14P The COSAC Rump Session Various

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at before 10AM GMT Friday, September 25.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 30 September.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of four minutes will be allocated for each presentation.



W1 The SABSA International Peer Group John O’Leary

Please note: this session is conducted under full NDA and is not open to vendors or consultants.

Brand new for COSAC/SABSA 2015, a Peer Group dedicated to sharing and expanding our knowledge and usage of the SABSA methodology and associated security concepts and practices. This half-day session introduces the concept and previews the benefits to be gained in future, lengthier meetings. The inaugural session of the COSAC/SABSA Peer Group promises to be the start of something that will deliver focused, relevant value to peer group members and their organizations for years to come.

Primary focus in this group is the sharing and exchanging of ideas. Participants are expected to participate. The moderator will ensure that they all do. This is not a “here are all the answers” meeting where one sponsoring organization gives their analyses and solutions to everyone else’s issues. This is fully participative. Peer Group members will volunteer (or be volunteered) to give small presentations or explanations of problems or issues or even solutions that they have encountered, developed or expect to confront. These small member presentations will be the lead-in for detailed and wide ranging discussion amongst the group members.

Even though member organization industries might be diverse and varied, the types of issues and problems plaguing them will have significant commonalities. Those commonalities and the industry to industry differences are the meat of the group’s discussions and where real value is to be found. Bouncing a SABSA idea or looking for insight into an issue in a roomful of certified SABSA experts, each with his or her own wealth of experiences, is something that no consulting firm, no matter how much they charge, can effectively do. And the people in the Peer Group are not looking to make another sale of their services.

Deep understanding and mutual assistance will characterize the group. Members will find themselves contacting each other fairly frequently, over and above the regular meetings. And the friendships, based on shared experiences, mutual trust and recognition of competence tend to be fulfilling and long-lasting.

The moderator will prepare an agenda for this first meeting based on input (and presentation volunteer statements) from charter members of the group. Come join us and help each other face the future.


W2 Rise of the Machines

Part One – Artificial Intelligence : Rise of the Machines or Human Triumph? Char Sample
Dave Barnett

A debate is emerging in the scientific community regarding the impact of Artificial Intelligence (AI) on mankind. Bill Gates and Stephen Hawking have voiced serious concerns about the potential negative impact of AI. However, the AI defenders and other scientists believe otherwise. This interactive session, like all COSAC sessions, requires active audience participation. The session will be divided into two groups, the speakers will represent each side of the argument and discuss the pros, cons and everything in between. The speakers will facilitate the discussion by addressing key themes, related to capabilities, ethics, security and other relevant areas. The final portion of the session will have both groups discussing or presenting their consolidated views.

Part Two – What is Telemetrics and How Does it Impact You? Mary Dunphy
Jason Kobes

We all know our car, phone, house, online relationships, computers, tablets, applications, bank cards, watches, GPS and other devices are collecting data on us, but did you know there is now an actual study and name for the collection and use of this data? Starting with automotive GPS data, the field has quickly expanded into many GPS and other devices that collect useful data about people, whom they associate with and where they go.

In this talk we will explore the rules that govern telemetrics, how telemetrics evolved into what it is today, and where it may be heading. How can telemetrics change the world? Should we be afraid, very afraid, or is there a very positive side to this data? Further, if telemetrics is becoming the new way companies set themselves apart, does your organization need to understand and hire telemetrics security experts?


W3 SABSA-TOGAF Integration : Security & Risk in Enterprise Architecture

Part One – Integration of Security & Risk in a TOGAF Enterprise Architecture Pascal de Koning

A mainstream framework for enterprise architecture is TOGAF. Surprisingly, this successful framework does not consider information security. Currently, the Security Forum of The Open Group runs a project that aims to support the integration of security and risk into the TOGAF standard for Enterprise Architecture. The project is inspired by the business-driven approach of SABSA.

In this presentation, the foundation work developed over the past three years is explained. It takes the core security and risk concepts from Information Security Management (ISM) and Enterprise Risk Management (ERM) and relates them to the TOGAF framework. This approach is holistic, risk-integrated and security-integrated. No check-the-box mentality here.

The items discussed will give direction to thoughts about future developments of the TOGAF standard and provide guidance for security practitioners who need to work in a TOGAF 9 environment. It will also provide a glossary of security concepts that serves as a basis for future practitioner guidance.

Part Two – Proceedings of Security Services Catalogue Project Pascal de Koning

Many SABSA practitioners have been working on the definition and inventory of the business drivers and business attributes. The subsequent activity is filling in the security functions at the logical layer. The Security Services Catalogue helps to find and choose the proper security services. Unlike existing control frameworks that contain requirements, the security services catalogue describes functional security services that actually deliver protection. The Security Service Catalogue project is a joint initiative of the Open Group Security Forum and The SABSA Institute. Last year at COSAC we did the kick-off workshop.

In this talk, the status and proceedings of the project will be presented.

  • The first part is on the core concepts of the Security Services Catalogue and on how it is used in the SABSA development lifecycle: how to select a service, how to implement it and how to measure both performance and risk.
  • The second part is on the actual content of the catalogue: what is already created and how is it made available. The service taxonomy will be shown, as well as information that describes or characterizes the services.
  • The final part is on the ultimate goal of this project, the challenges and next steps. This is a global project with over 80 participants.


Copyright © 2015 COSAC
- All Rights Reserved -