| Stream A - Technical & Topical |
| Stream B - Management & General Interest |
| Stream S - SABSA World Congress |
| Stream P - Plenary Sessions |
Shoulder surfing is a phenomenon that delegates will be aware of but probably regard as insignificant. However, recent technological developments mean that this risk has changed, and this change is one better demonstrated than explained.
Once upon a time looking over someone’s shoulder, or ‘shoulder surfing’ on a long-haul flight, was part of the in-flight entertainment. If your neighbour was working on something interesting it might provide you with some insight or just a good anecdote. With the development of smartphones and tablet devices the image is clearer than ever and can be captured in better detail, and discreetly, using the inbuilt smartphone camera. The risk to business data and business reputation is therefore growing.
This session will combine presented insight into ground-breaking research with the opportunity for delegates to investigate visibility for themselves through hands-on experimentation. The resulting discussion will highlight differing risk exposures and risk appetites as well as different cultural responses, all of which will add to the debate on whether business should care about Visual Data Capture.
Phase 1 – Why do people work insecurely? There are a range of reasons, from cultural and psychological to organisational, and these will be explained with reference to the research work already done.
Phase 2 – ‘Research lab’. This will give delegates the opportunity to investigate the risks from Visual Data Leakage. Delegates will form small groups and move between different zones in the ‘Lab’ at fixed time intervals; the tasks will be detailed on sheets in each zone.
Tasks will include:
- Measuring the visibility of tablet devices to photo-capture
- Measuring the visibility of laptops to photo-capture
- Establishing the ratio of informational and ‘pictorial’ photos on group members’ phones.
Phase 3 – Implications and the way forward. Having drawn together the various elements of research, these will be used to discuss the full nature of the problem of visual data leakage. The presentation will consider why devices are popular with the mobile workforce and the risk to sensitive data. There will also be due consideration of regulatory pressures to reduce this risk, such as those from HIPAA and ISO 27000. Consideration will focus on identifying those areas of business that are at greatest risk from this threat, and on understanding how technology and behaviour modification can be used to protect data in the developing world of mobile working.
Phase 4 – Summary and conclusion, with any questions not raised in the body of the presentation.
The hacker group Anonymous is constantly in the headlines. Unlike those who are motivated by money or personal gain, this international leaderless organization has become synonymous with hacktivism. Unlike other groups, Anonymous can take both physical and virtual actions. Discussion of the group and how to cope with them has often been stilted for fear of retribution. The challenging, yet collegial atmosphere of COSAC is the perfect place to try and learn more about Anonymous and what organizations should be doing to protect themselves from leaderless groups in general.
| 10A | From Eyes to Teeth to Sleight of Hand: Intrusion Deception to Protect Web Apps | Lisa Lorenzin |
In 1994, Marcus Ranum declared that the only 100% secure firewall is a wire cutter. The intervening years have repeatedly proven him correct, as most firewalls share a common Achilles' heel - the traffic required to pass through them, connecting to insecure and vulnerable applications.
This past year has seen no shortage of epic and/or embarrassing compromises that used several well-known vulnerabilities in web servers and applications to succeed. Despite the security industry's best efforts to encourage secure coding practices and a disciplined patching process, successful attacks seem to be taking place with increasing regularity.
Insecure applications are not a new problem; intrusion detection technology was originally developed over a decade ago to identify such attacks traveling over legitimate protocols and services. The visibility offered by these eyes watching network traffic inevitably led to the desire for more active response, giving rise to intrusion prevention - awareness evolving into enforcement, eyes now backed up by teeth.
Attackers, too, have evolved: script kiddies harnessing the power of Metasploit, government-sponsored intruders with their Advanced Persistent Threats (APTs). Understanding the adversary is more important than ever in repelling their advances. Security technology must once again step up - this time with intrusion deception.
This new approach to preventing web-based attacks goes beyond enforcing controlled access, offering the additional ability to use the distinct characteristics of an attacker against them. Intrusion deception inserts fake, vulnerable-seeming code into application sessions to trick attackers into revealing themselves and allow you to learn more about them, slow them down, and ultimately repel them. Creation of tar traps that would only be accessed by a hacker (or researcher) probing for weaknesses enables detection and response much earlier in the attack phase than traditional IDS/IPS technology offers.
This session will provide an overview of how intrusion deception can be applied to stop several automated and manual attack methods used today. It will discuss coding techniques to detect attackers quickly and with few false positives, allowing you to take more definitive actions that will slow down and potentially stop the attack entirely. We will also have a discussion about the merits and concerns of applying this technique to other areas of security.
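The tar-trap idea described above, as an added illustration that is not the speaker's code: a small Python filter plants a hidden decoy link and a decoy hidden form field in ordinary responses, and treats any client that requests the link or alters the field as a probe, stalling it progressively. The decoy names are hypothetical and the sample traffic is constructed.

```python
"""Intrusion-deception tar traps for a web app (constructed example).

Two decoys are planted in normal responses. Legitimate users never see the
hidden link and never change the hidden field, so a hit on either is a
high-confidence signal with few false positives.
"""
import re
from dataclasses import dataclass, field

# Hypothetical decoy names; choose ones that look tempting to a scanner.
DECOY_PATH = "/admin/backup.php"   # never linked visibly; only probes find it
DECOY_FIELD = "_acct_role"         # hidden form field a human never edits
DECOY_VALUE = "user"               # value a real browser echoes back unchanged
MAX_DELAY = 30.0                   # cap on the tarpit delay, in seconds


@dataclass
class Verdict:
    suspicious: bool
    reason: str
    delay_seconds: float = 0.0     # how long to stall this response


@dataclass
class DeceptionFilter:
    # per-client count of trap hits; drives the escalating delay
    trap_hits: dict = field(default_factory=dict)

    def inject(self, html: str) -> str:
        """Plant decoys in an outbound HTML page: a hidden link and a hidden
        input in every form. Real users never interact with either."""
        decoy_link = (f'<a href="{DECOY_PATH}" style="display:none" '
                      f'rel="nofollow">backup</a>')
        decoy_input = (f'<input type="hidden" name="{DECOY_FIELD}" '
                       f'value="{DECOY_VALUE}">')
        html = re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + decoy_input,
                      html, flags=re.I)
        return html.replace("</body>", decoy_link + "</body>")

    def inspect(self, client_ip: str, method: str, path: str,
                form: dict) -> Verdict:
        """Check one inbound request against the decoys."""
        reason = ""
        if path == DECOY_PATH:
            reason = "requested decoy path"
        elif (method == "POST" and DECOY_FIELD in form
              and form[DECOY_FIELD] != DECOY_VALUE):
            # Field present but altered: parameter tampering or fuzzing.
            reason = "tampered decoy hidden field"
        if not reason:
            return Verdict(False, "clean")
        hits = self.trap_hits.get(client_ip, 0) + 1
        self.trap_hits[client_ip] = hits
        # Tarpit: delay doubles with each hit (2s, 4s, 8s ...) up to MAX_DELAY.
        return Verdict(True, reason, min(2.0 ** hits, MAX_DELAY))


def demo() -> list:
    """Run constructed sample traffic through the filter; return the verdicts."""
    f = DeceptionFilter()
    page = f.inject("<html><body><form action='/login'>"
                    "<input name='u'></form></body></html>")
    assert DECOY_FIELD in page and DECOY_PATH in page
    traffic = [  # (client, method, path, form): constructed requests
        ("10.0.0.1", "POST", "/login", {"u": "bob", DECOY_FIELD: "user"}),
        ("10.0.0.2", "POST", "/login", {"u": "bob", DECOY_FIELD: "admin"}),
        ("10.0.0.2", "GET", DECOY_PATH, {}),
        ("10.0.0.3", "GET", "/about", {}),
    ]
    return [f.inspect(*req) for req in traffic]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

In production the decoy path should be excluded for known, allow-listed crawlers, since a well-behaved bot that ignores `display:none` would otherwise trip the trap.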
Identity management (IdM) solutions have been around for years and have provided stable solutions for user access and authorizations. Cloud migrations and various integration efforts threaten this stability by introducing a new threat environment, and new issues with migrating to Big Data. Simple authentication and authorization (A&A) solutions are no longer sufficient; A&A solutions must integrate securely with Big Data, and this activity introduces a variety of privacy concerns, including how much individual privacy information is being collected, how this information is stored, and the mechanisms that make this data available for use when needed.
Additional concerns deal with individual control over data collection, and individual access to correct erroneous data. For example, in the United States, individuals do not have as much control over privacy data that has been and is collected in many different databases by governmental entities as well as private industry. In recent years, due to the risks of identity theft, greater privacy awareness and the need to engage in international business with the European Union and other countries, which more strictly control access to privacy or sensitive data, there have been some modest gains in the US towards greater awareness of the need to protect, safeguard and monitor the collection, use and sharing of privacy data.
Use of IdM data to create user profiles creates additional controversy. Profiling user behavior results in significant benefits as well as serious detriments. Marketing and sales tend to be in favor of profiling user behavior, as may certain governmental entities, but this needs to be balanced with the dangers of undue intrusion into the privacy of individual citizens. Also, this will not be allowed under the EU Data Protection Act, and other countries have similar data protection laws which prohibit such actions unless the individuals provide explicit consent. Even with consent, the individual would require transparency and access to such information, and there must be methods to correct any inaccurate information. Also, certain nations, such as Germany, have laws that greatly restrict the government from intruding and gathering information on their citizens.
Even when consent is given it is usually granted to a specific entity where a standalone environment has been the norm. The virtual environment is different, where in a public cloud a strategic breach can result in many entities revealing compromised data. Big Data and its metadata that results from the cloud environment requires different management, storage and processing than the traditional standalone data of IdM solutions.
New scalability and security issues will accompany the integration of our IdM solutions. The whole of aggregated data creates new data that is greater in security value than the sum of its parts. This newly aggregated data introduces privacy concerns and ownership issues. For example, are there various pieces of data about an individual that when aggregated provide an intrusive view into their habits, such as buying, bank account activity, what stores they shop at, etc. that are pieces of data that the individual has concerns over the government and/or private companies harvesting?
Furthermore, if this data is inaccurate, does the individual have any real access to the data and recourse to correct it without incurring an undue personal financial cost? Finally, the interface between individual use access and Big Data creates a new vector for both controlled access and potential exploitation.
As with many new technologies, security solutions are not plentiful, and this places an additional burden on enterprise security architects. This session addresses some of these burdens and offers recommendations, including an exploration of how SABSA can offer good approaches to solutions for some of the unique problems that arise from the integration of IdM data with Big Data.
There are ever increasing references to big data, data governance, data management, information management, information governance, unstructured data, dark data with overlapping use of terms, inconsistent or missing definitions and a general overlay of vendor pitch.
It is estimated that up to 80% of an organisation’s information is dark or unstructured and the volume of data in organisations is growing by up to 50% annually.
This session will examine the terminology used and look at what methods can be used to manage dark data effectively. We will use real life examples to show how effectively managing your unstructured data can provide a return to the organisation and how mismanaging your unstructured data can impact the bottom line of an organisation. In particular we will analyse the impact that different levels of information governance over dark data had on a number of multi-national eDiscovery cases.
This session will also seek to promote discussion with the group to understand:
- Is there an issue at all, is this data already effectively managed?
- If it does exist is there really a desire to open up the issue of dark data?
- Would greater interest on dark data by regulators help?
- Is investing in this area worth it?
- How easy is it to automate the process?
A facilitated discussion about security projects that have added real value to the business
This will be a highly participative session. Under Chatham House rules the attendees are positively encouraged to share tangible successes from their workplaces with each other in the following areas:
- Where business requirements have been truly met by security
- Where business requirements have been led by security
- Where business innovation has been shown to come from security practitioners
There are two forms of “success” that we would like to examine:
1. Empirical success: A large publishing business was spending over 10% of revenue on IT before moving to the cloud. The initial migration cost 1%, but after 2 years as a customer the savings were 20% and the increase in revenue and profits was an additional 20%.
For example, you might show that an investment of $x, which equates to a% of revenue, will save the business $y, which equates to b% of revenue; the case holds as long as x < y and a < b. This formula will be discussed in the session.
2. Anecdotal success: Social media use is a recurring security theme for professionals. Attempts to block use of these items often result in users circumventing security in order to achieve their goals. One solution is the use of web filtering.
Mobile devices assist in supporting the 24x7 business cycle, but they also introduce an unintended attack vector into most environments. A recent success story with mobile device integration known as the MDM project will be discussed.
| 9B | Applying Social Policy Analysis & Economics to Information Security | Sian John |
Information Security and Social Policy have something in common: the inability to define outcomes in direct monetary terms. A number of Social Policy economic proposals can be applied to understand risk in the information security industry. This session will examine some common social policy topics, the models used, and how these can be adjusted to deal with the unique challenges of information security. Particular models to be considered at this moment are:
- Social insurance and how this can be mapped to information security as an insurance for the IT industry / modern business.
- Insurance risk models for public goods such as healthcare and how these can be adjusted to the IT industry
- Information security as a "public good" (a good that cannot be excluded from certain individuals and where the cost of keeping individuals from benefiting is prohibitive)
- The economic effect of those who do not invest in information security on those who do.
Way back in 2010, we gave the COSAC treatment to a session titled “Whaddya do Now?” Over the past 3 years, the security landscape has changed so much that we need to revisit the concept of dealing with sensitive scenarios, even if the landscapes and motivating factors are quantitatively and qualitatively different. That said, some of the security events we have to deal with were with us in some form or another back in the last century. Politics and user nonchalance are still significant pain points, but now we also have to worry about legislative activity in cloud computing venues, Facebook postings, being on the wrong side of “Anonymous”, and who left what in Dropbox. COSAC delegates are battle-hardened, if not politically savvy, professionals. But dealing with a North Korean cyber attack on media and banking systems in a country where we do business can be daunting, to say the least. Some of the sensitive issues we face are still political or organizational. These ones don’t usually respond to technology and, in seeming contradiction, they both persist for a long time and multiply fast. And some issues never seem to die. Can you say “trivial passwords?”
To encourage idea sharing and gaining from the experiences of fellow COSAC delegates, we will outline scenarios that you might face in 2013 or 2014 and hope that they’re not the same ones we faced in 1982. Your experiences, positive and negative, will shape the discussions. “Simple and obvious” solutions might not work within the constraints of another firm. Technology, business reality, geopolitical considerations, corporate politics, ethics, the economy, corporate culture, mergers and multiple other factors help delineate viable solutions. Bring your own “sensitive issue” scenarios, and we’ll address them as time permits.
These information security standards (ISO 27001 and ISO 27002) have been showing signs of tiredness for some time now, as they are around 8 years old. By COSAC the updated version should be either in its final stages or actually issued and live.
This session will look at the changes to ISO 27001, the management system, and the (expected to be) smaller set of controls that are detailed in ISO 27002. We will set out what the changes mean to companies from the aspect of the management system. We will then examine the changes to the controls in ISO 27002.
There are also changes in the area of risk assessment and treatment, which may mean that using a method that is not focused on assets (for example SABSA) is easier with the revised version.
Talking about international standards is neither exciting nor entertaining; but this revised version of ISO 27001 is going to be used by organisations to judge the implementation of information security for the foreseeable future, so we need to understand it!
| 12B | Why did my Information Security Strategy Fail? – History Repeating Itself | Glen Bruce |
As information security professionals we seem to be solving the same problems over and over. Why do information security frameworks and strategies become shelfware for many organizations? With the ever increasing expenditure on information security solutions, why do problems persist? Threats are evolving at a rapid rate along with the technology to detect, prevent and mitigate the risk – and yet significant risk persists. Technology is neither the source nor the solution to why information and system risk never seems to be significantly reduced. We will explore some of the underlying reasons for this continued lack of success. Some would say that it’s due to seduction of the new – a lot of attention given to the darkest new threats and the shiniest new defenses while losing sight of the fundamental problems to solve. We will use industry sources and surveys to examine and highlight this disconnect and look at trends for success and, in many cases, failure. Are organizations really as mature as they think they are? As they need to be?
There has been no simple approach or technical solution that solves all or most of the threats. However, a few common characteristics and approaches have emerged to help avoid continued high levels of risk and history repeating itself. A well-defined and operating business-driven management system for information security has led to less risk and greater business success – how do you get there? Based on real world experiences, we will present nine principles that should be considered as a foundation to build longer term success for managing information security risk. We will outline the motivations as to why each principle is needed and the implications that result from following them. You likely have more principles to contribute. We will conclude with examples where adhering to the principles has helped, or more importantly could have helped, build a more effective approach to managing information security risk.
| 8S | SABSA to the Clouds: Cloud-Specific SABSA Attributes & Security Enablement in the Cloud | Jason Kobes |
Cloud Computing has risen dramatically, and a tremendous amount of time has been spent on understanding the unique advantages, disadvantages, requirements and conditions that the cloud has to offer. Organizations who want to utilize cloud to its fullest potential often wonder if they have done enough to secure themselves from the risks that this new technology introduces.
This talk will outline those unique mission requirements that have given rise to the advantages of cloud computing and abstract them into a unique set of Cloud Specific SABSA Attributes. Some of the attributes are well known, but others are unique and new to Cloud Computing with new definitions, threats and opportunities tied to each one.
We will then map the cloud specific attributes back to the NIST and Cloud Security Alliance controls. We will look at how cloud control strategies are built through aligning the attributes and how to determine where these controls must be implemented.
Cloud Specific attributes will help organizations get a complete perspective of the new security challenges and operational opportunities they face in the Cloud, as well as help Security Architects provide better completeness when assisting customers with reducing the security complexity and abstractness of “The Cloud”.
| 9S | Architecting to the Cloud: Where Have We Missed the Mark on Services & Security? | Andy Rogers |
Why do developers always want to create their own stuff? “Because it works better!” Why do we need more reusable systems for the Enterprise? Because it typically takes years to work the bugs out of newly created ones. Services Oriented Architecture (SOA) was originally designed to make enterprise software modules more usable and reusable within and external to enterprise applications. The goals of capability, performance, and security could be addressed once and then built on to save future development cost. The focus is on the data, resources, and what you want done with them, rather than on how the applications accomplish it.
These same principles can be, and are being, used for capturing data requirements for interfacing with cloud services. SOA concepts and Cloud computing technology are working together, providing the first real revolution in software engineering and IT systems design since the transition from Procedural Programming to Object Oriented Design (OOD) back in the early 1980s. With the cloud adding layers of abstraction and the ever growing complexity and risk involved, Mission/Product Owners and solution providers need a way to capture the complexity and some way to try and minimize the cost that goes with it.
The US Jump Start: As an example, consider the US Department of Defense Architecture Framework (DoDAF) V2.0. It was an attempt to take advantage of SOA principles and allow designers to model the Cloud services within their Enterprise and Solutions Architectures. However, this first attempt to formalize the concepts within an operational framework really missed the mark in several critical ways.
This presentation advocates what should be a reasonably straightforward restructuring of the approach that architecture frameworks like TOGAF, MODAF, DoDAF and FEA take to modeling Services, and recommends development of a simpler approach to the Meta Data volume.
More importantly, the EA community needs to demand that EA tool vendors step up to the challenge and apply these changes to their products. EA is more than just software and systems; the key word is Enterprise. The products EA practitioners provide to the organization can at times make the difference between mission/business success or failure, and at the very least will certainly affect the level of success in the long term.
What cloud computing needs, and SOA methodologies call for, is to really capture both the technical and business differences between services and systems. Tools make the difference: a quality EA tool is absolutely required for a professional organization to keep track of the complexities of the technology revolution at an Enterprise level. Additionally, the tool’s user interface and associated visualization options have to be simple to use for practitioners and for non-IT functional decision leaders. EA products are for “techies” to build with, but only after the non-techies have approved it. EA practitioners must pressure tool providers to properly capture “Services” to support applications hosted in a Cloud.
The bottom line is that Enterprise Architecture still needs to do a better job bridging the gap between business, security, and the computers that enable and/or degrade them. EA tools need to provide more direct ties between the business and technology and display them for engineers and non-technical leaders alike, to help both manage ever growing levels of complexity. For the tool vendors to do this, we need to ensure we properly define and apply “Services” in our mission/business world.
I am not a product developer or someone trying to sell. This presentation will look at how SOA has evolved from OOD and provide examples of real success. We’ll also look at some missed opportunities and opportunities in real need of Effective Enterprise Architecture… NOW!
Information-centric security is significant in understanding, assessing and mitigating the various risks and impacts of sharing information outside corporate boundaries. Information generally leaves corporate boundaries through mobile devices. Mobile devices continue to evolve as multi-functional tools for everyday life, surpassing their initial intended use. This added capability and increasingly extensive use of mobile devices does not come without a degree of risk - hence the need to guard and protect information as it exists beyond the corporate boundaries and throughout its lifecycle.
The proposed presentation looks at the risks that mobile devices bear on corporate information. It also looks at the technologies that organisations have adopted to mitigate risks that mobile devices have on corporate information. The presentation concludes by suggesting a realistic framework model (based on SABSA) that addresses the shortcomings of existing technologies and industry approaches in mitigating mobile device risks.
Westpac Banking Corporation is a Multinational Financial-Services provider.
Westpac is one of Australia’s "big four" banks, and is the second-largest bank in New Zealand. At COSAC 2009, we presented “A Journey Through Modernisation of an ESA at a Leading Bank”, and this year we are back to share our achievements, lessons learned, and next steps.
With this presentation we will demonstrate how the SABSA Method influenced the security architecture of Westpac's Strategic Investment Programs including, but not limited to, large scale:
- Enterprise perimeter security environments
- On-line banking platforms and applications
- Enterprise service bus implementations
We will outline Westpac’s approach to managing the risks of current industry trends, such as infrastructure virtualisation, private cloud deployments, business asset zoning and service management.
We will share our real-world lessons on “what can go wrong” in addition to the great things that “can be achieved”.
| 12S | Security Architecture at ING: How to Avoid Becoming a Blocking Factor | Marc Verboven |
The number of security architects is limited; ING Belgium, with a yearly change budget of several million euro, has exactly one security architect. Most change projects have architectural impact, and for all these projects the security impact needs to be assessed, documented and reviewed against corporate guidelines and applicable reference architectures. This creates a high demand on security architecture and could thus result in security architecture becoming a potential blocking factor.
In this session we will explain the architectural governance at ING, how it is linked to the project governance and what specific touch points for risk & security are needed. This session will also explain how architecture artefacts are produced at ING using TOGAF as a process model and IAF as a content framework and how security artefacts are embedded in the architecture deliverables.
The main part of this session will be dedicated to showing how communication and automation have provided the necessary scalability. Communication, by publishing one-pagers on the architecture intranet, prevents the security architect from becoming the single point of contact for security questions. Automation, by embedding SABSA-derived artefacts (IAF views) into the architecture deliverables, allows the typical project architect to follow the security architect's way of thinking and to do proactive validation of architecture deliverables.
Finally the session will conclude with lessons learnt and plans for the future.
Those pesky clones duck and cover just as you are about to catch one, only to reappear without warning months later. They cost banks billions of dollars a year and cause ordinary consumers great pain. A sudden infestation can be catastrophic.
Skip the snake oil. For guaranteed results, implement a purpose-built adaptation of the MindMap. Scalable to banks of any size, with over 99% demonstrated accuracy, this formidable weapon in the fight against fraud and identity theft enables mitigation at a rate that will quickly get you in front of hackers.
This session will show you how to implement MindMaps into any transaction processing system regardless of the technical platform. We will also discuss the lifecycle of a clone: from conception and birth, to usage in fraud, and of course my favourite phase of the lifecycle: death.
You will also see how MindMaps facilitate accurate metrics for calculating loss projections, helping you manage to plan for maximum loss avoidance and secure funding to enable expansion of fraud fighting efforts.
This session will be heavy on real life examples and you will see the latest, most coveted secret tricks that hackers use, and you will see how these same tricks can be turned against our adversaries. We will discuss simple enhancements to popular card processing systems that will enable you to maximize the value in this process, which is easy to learn and likely to become the cornerstone of your fraud mitigation efforts.
| 14P | The COSAC Rump Session | Various |
The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.
Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:
- Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.fsnet.co.uk before 10AM GMT Friday, September 27.
- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday October 2.
Submissions should include a requested amount of time for the presentation. An anticipated maximum of five minutes will be allocated for each presentation.