Clicking a session code on the timetable page will bring up the relevant session details that are found on this page.

You can use the links below to skip to the day in which you are interested. Click on a speaker's name to read his or her bio.


M1 COSAC 13th International Security Round-Table Forum John O'Leary    

Lucky 13. This year, the 20th annual COSAC, marks the 13th annual no-holds-barred session of the COSAC International Security Forum. Back in the pre-cloud, pre-BYOD and pre-Anonymous era when the professionals attending COSAC started this 1-day full-body immersion in the COSAC way, the overriding premise was that “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” That’s still true. In mid-to-late 2013, we’ve been handed some truly original problem scenarios, ones that could keep us busy 24/7 seeking viable solutions or workarounds. But we can’t devote 24/7 to the new issues because the old ones also keep rearing their heads and roaring, perhaps with updated verbiage and at different decibel levels from their original manifestations.

Last year, we solved the security problems of the world. Not surprisingly, the world decided that our solutions were not permanent and that new colours and flavours of problems would make our lives more interesting.

What if your outsourcer outsources to someone else?
Yes, it has happened. How can it affect security? What can or should you do about it? Is it too late? How difficult is it to renegotiate a contract?

Is there a magic formula for retaining good people?
How do you screen them prior to hiring? Do they have to be techies? How do you keep good ones interested and motivated?

Is this the year of IPv6?
Have you converted? Are you actively converting? What are the security issues? Are they manageable?

Will BYOD become the normal way of doing business?
Or has it already become the norm? Can you stop it? Do you want to? Can you put any realistic controls on the use of employees' own devices? How do you enforce strictures?

Similarly, we’re seeing a casual shift to the use of consumer devices for business purposes. Should you try to stop it? Limit it? Formalize it? Is security adequate when using these devices? What can you do?

How does security help you retain customers?
Can it really be a selling point? Have expectations changed with the history of compromises and security incidents?

Are DDoS attacks still an issue?
The plague of them hasn’t really abated. How prepared are you? What else do you need to do? How will you manage customer contact during an outage? Will you be willing to prosecute offenders?

What are you doing in the area of website security?
Does management comprehend the threats to your websites and resident data? How long an outage could you reasonably handle without major negative impact? What website security measures seem to work for you?

Can you expect to implement reasonable governance in the cloud?
Is it even possible? What has to be spelled out in the contract with the cloud service provider?

Have the concepts or actions of “recovery” changed?
How ready are you to recover from a “Sandy-like” storm? Can you recover from your recovery?

Do “Rogue clouds” appear in your organization?
Under what circumstances? Do you support them? What can you do about them? Any consequences for the perpetrator?

How much virtualization is enough?
Are there times when you just need to go buy another server? Is vSphere from VMware the only realistic way to go? How secure are your hypervisors?

How much virtualization is enough?
How will you convince management to allocate funds? What other resources will you need (besides money)? How will you demonstrate ROI?

Are your spear phishing defenses adequate?
This technique is a primary vector and starting point for attacks against networks run by power companies and other SCADA entities. How are you preparing your executives to resist such probes?

How are you coping with new laws and regulations?
In any venue where you operate, laws and regs on privacy, intellectual property, personnel info, and the like may be very different from those at home base. What are the reporting requirements? How do you keep up? What does it cost? What are the security ramifications?

Of course, this is only a partial list. Forum participants invariably come up with additional relevant, timely and complicated issues.

Two of the key drivers to success of the forum are the experience levels of the participants and their willingness to shed light on the reality of situations, not just spout textbook solutions. Forum delegates haven’t just been there, done that and gotten the t-shirt, they bear the scars of sometimes savage corporate infighting and know what battles are truly worth fighting. Over the years of the forum, delegates have, for the most part, been willing if not eager to share information about and approaches to the vast array of problems we address, building on each other’s ideas. Prevention of problems is certainly a primary goal, but we can learn indelible lessons from failures and from recoveries as well as successes. Not everybody agrees with the analyses or proposed solutions, but everyone usually participates in the discussions. Such give and take helps prepare us to defend our positions with logic and determination back at the office.

The delegates who participate in the forum have been good at anticipating issues and concerns we’ll face in the near future. Grounded in reality, they have also seen what they perceived as security necessities get trumped by politics or genuine financial constraints.

The forum is a microcosm of the COSAC experience – security heavyweights trading ideas and opinions based on real experience in real situations, veterans defending their opinions, but ever-willing to help others and learn from each other. The moderator tries to not get in the way so that participants may discuss topics and experiences freely and subject their ideas to the scrutiny and analysis of all the experience in the room. And that is what makes it so valuable - the chance to compare notes, strategies and techniques with others who have run this gauntlet, perhaps several times, are facing similar challenges and know how to avoid or survive the tomahawks.

The COSAC Forum usually contains the volume and breadth of security expertise that consulting firms would salivate over. And the people participating are not trying to sell you anything.

In 2013, as we’ve done for the last several years, we invite participants to prepare and deliver short presentations on topics they want the group to discuss. No demands, but you might take a few minutes, perhaps prepare a few slides. Success stories, horror stories, pleas for assistance, disagreements with vendor philosophies or management decisions – all are fair game. Maybe you’ll be willing to lead the discussion on a specific topic. We’ll try to build an agenda, setting reasonable coverage goals for the day, knowing that discussions started here invariably continue through the week at COSAC. To make sure that everyone gets some of his or her major points of interest put before the group, we’ll see what participants wish to cover, set up a schedule for the topics and proceed to solve the problems of the world (again).

Potential topics for 2013 include the ones listed at the top of this abstract and any others you may deem relevant, such as:

  • Security Architecture (yes, SABSA)
  • Mobile Payment Technology
  • Usable Security Metrics
  • Hacktivism
  • Security for Cloud Services
  • Getting the Basics Right
  • Organizational Upheaval (mergers, re-orgs, layoffs, etc.)
  • Cyber Warfare
  • Federated I&AM
  • Threat Management – including APTs
  • Security and Austerity
  • Securing Apple Technology in the Workplace
  • International Aspects of Computer Crime
  • Pandemic Planning
  • Risk Analysis and Management
  • Windows 8 Security
  • Outsourcing and Bringing IT Back In-house
  • End Point Security for User-owned Devices
  • External Communications in Crisis Mode
  • Survivability and Recovery
  • Spam Control

Keep an open mind, be willing and ready to share techniques and strategies, and come join us.

M2 COSAC Master Class: Security Analytics Char Sample    
Michael Burnetto    

The security industry has undergone significant changes in the past 20 years. Presently, the industry is experiencing another round of significant change that promises to redefine the required skillset for security professionals, who are increasingly required to define and implement security analytics. Demand for security analytics has been growing for the last few years and promises to grow at an even greater rate in the coming decade, and that rise promises to change the security profession.

What are security analytics and why are security professionals increasingly being asked (or expected) to define, create, and implement analytics? This workshop answers these questions, and more. We will cover basic analytics, Big Data analytics, cloud security analytics, and analytic trends as they relate to security architects.

The first part of the class discusses each of the six security analytic areas: host, network, service, metadata, cloud, and behavior. The second part of the class contains specific examples for each of the six security analytic areas.

Included are security analytics that apply to:

1. Signatures vs anomaly detection (AD)

  • Some of the well-known advantages and disadvantages of the signature model
  • How to create a signature
  • AD methods and how they are used to create analytics
  • How to avoid creating anomalous “signatures”

2. Creating analytics using:

  • Flow data
  • Logs
  • Metadata
  • Behavior tracking
  • Full packet capture (pcap)
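The contrast between the two analytic models in this outline, a signature that matches a known technique and an anomaly detector that compares the current window against a baseline, is illustrated below. This is an added example, not material from the workshop or the original page: the access-log lines, the baseline request counts and the path-traversal pattern are all constructed for the illustration. It also shows why a signature written against the raw path is brittle (the URL-encoded variant slips past it) and why neither model alone is enough: the low-volume probe is only caught by the signature, the burst only by the rate anomaly.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): "client_ip method path status".
# 10.0.0.5 and 10.0.0.9 behave normally, 198.51.100.7 sends a burst of requests,
# 203.0.113.4 sends two low-volume path-traversal probes, the second URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /login 200
198.51.100.7 GET /search?q=a 200
10.0.0.5 GET /css/site.css 200
198.51.100.7 GET /search?q=b 200
203.0.113.4 GET /download?file=../../etc/passwd 403
198.51.100.7 GET /search?q=c 200
10.0.0.9 POST /login 302
198.51.100.7 GET /search?q=d 200
10.0.0.5 GET /js/app.js 200
198.51.100.7 GET /search?q=e 200
198.51.100.7 GET /search?q=f 200
10.0.0.9 GET /account 200
198.51.100.7 GET /search?q=g 200
203.0.113.4 GET /download?file=..%2f..%2fetc%2fpasswd 403
198.51.100.7 GET /search?q=h 200
10.0.0.9 GET /logout 302
198.51.100.7 GET /search?q=i 200
10.0.0.5 GET /index.html 200
198.51.100.7 GET /search?q=j 200
10.0.0.9 GET /index.html 200
198.51.100.7 GET /search?q=k 200
198.51.100.7 GET /search?q=l 200
"""

# Baseline requests-per-client from an earlier quiet window (also constructed).
BASELINE_COUNTS = {"10.0.0.5": 4, "10.0.0.9": 5, "10.0.0.12": 3,
                   "10.0.0.20": 6, "10.0.0.31": 4}

# Signature: a pattern for one known attack technique (directory traversal).
TRAVERSAL = re.compile(r"\.\./")


def parse_log(text):
    """Split 'ip method path status' lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ip, method, path, status = parts
        records.append({"ip": ip, "method": method, "path": path,
                        "status": int(status)})
    return records


def signature_hits(records, pattern=TRAVERSAL, normalise=True):
    """Signature model: match a known pattern against each request path.
    Matching the raw path misses the URL-encoded variant; decoding first
    (normalise=True) catches both forms."""
    hits = []
    for r in records:
        path = unquote(r["path"]) if normalise else r["path"]
        if pattern.search(path):
            hits.append((r["ip"], r["path"]))
    return hits


def anomaly_hosts(records, baseline=BASELINE_COUNTS, z=3.0):
    """Anomaly-detection model: flag clients whose request count in this
    window lies more than z standard deviations above the baseline mean.
    Returns {ip: z-score} for the flagged clients only."""
    mean = statistics.mean(baseline.values())
    sd = statistics.pstdev(baseline.values())
    if sd == 0:  # degenerate (constant) baseline: use a unit margin instead
        sd = 1.0
    counts = Counter(r["ip"] for r in records)
    return {ip: round((n - mean) / sd, 2)
            for ip, n in counts.items() if (n - mean) / sd > z}


def triage(text=SAMPLE_LOG):
    """Run both models and merge the findings per client IP."""
    records = parse_log(text)
    findings = {}
    for ip, _path in signature_hits(records):
        findings.setdefault(ip, set()).add("signature:traversal")
    for ip in anomaly_hosts(records):
        findings.setdefault(ip, set()).add("rate-anomaly")
    return findings


if __name__ == "__main__":
    for ip, reasons in sorted(triage().items()):
        print(ip, sorted(reasons))
```

Running it flags 198.51.100.7 for the rate anomaly only and 203.0.113.4 for the traversal signature only; the two ordinary clients are untouched. The baseline here is a hand-built count table, whereas in practice it would be derived from flow or log data over a longer window, and the threshold (z = 3) is a tuning choice that sets the false-positive rate.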

This workshop discusses deep technical issues associated with security analytic definition and creation along with what these issues mean for security architectural decisions. We will cover issues from the top level to the bits and expect lots of interaction with the audience. Bring your security problems and issues, we like good challenges!

Value: Changes in the information security industry are resulting in significant new requirements for security professionals. Architects and integrators are expected to understand network situational awareness issues and be able to anticipate new problems before they appear.

Uniqueness: Not the usual boring checklist talk, this workshop meets the next generation of security challenges head-on and shows the student how to meet and master those challenges. There will be sample data and very specific examples provided for attendees. We can tailor the level of detail to the audience's comfort level.

Timeliness: This workshop is extremely timely: the industry changes are taking place faster than most insiders have anticipated. This is due in part to the rise of fuzzing technologies, and the early battles in the current cyberwar are forcing these changes at a quickened pace.

Approach: Part lecture, part interactive problem discussion (we may attempt “hands-on” work if possible, with handouts as a fallback), and part interactive dialogue between instructors and audience (would we expect anything less at COSAC?)

M3 Practical Guides to Delivering Security Architecture

    Part One - Contextual Architecture – Building a Working Business Architecture Bill Schultz    
Jason Kobes    

One of the common problems facing organizations and IT management is how to determine when you have enough security in place. In many organizations, the business protection strategy follows only IT best practices, trends, control lists or highly publicized events without really looking at the specific risks to the business. This can lead to wasted time and money.

SABSA provides a great way to address the business risk an organization faces. We will show you an example of how the SABSA Contextual and Conceptual layers can be used in conjunction with DODAF and Zachman models, as well as NIST guidelines, to create a business architecture view. In this talk we will outline our risk assessment procedure with details on how we overcame the issue of aggregating the risk from many threats. We will show how we built attribute strategies and how we used those strategies to build process models which started with the strategies and worked into the underlying technology. We will also show how we addressed the functional layers of the technology. We built this tool set to allow the business managers to define high level requirements as well as provide traceability to the lower level strategies, services, and components. We believe that this will provide a robust lens for ranking, prioritizing, and strategizing risk in a way that will enable the business to succeed.

This session provides a case study of integrating SABSA, Zachman, DODAF, and NIST to build a working business architecture.

    Part Two – Conceptual Architecture – A Practical Approach to Conceptual Assessment Malcolm Shore    

This paper describes how the Australian National Broadband Network Corporation (NBN Co), using standard Fast Track results as a starting point, developed a full conceptual assessment of business security requirements. Of particular interest in this case study is the application of co-dependent attribute profiles in an organisation that has an evolving balance of network build and network operation.

Out of this work, the authors have created a Fast Track-II process document complete with associated templates to enable any organisation using SABSA to progress their standard Fast Track assessments through to the completion of conceptual analysis.

    Part Three – Logical Architecture – Design Patterns in SABSA Logical Layer Robert Trapp    

It’s day two of the project. Your sponsor asks “Have you started coding yet? Are the servers built? Can we at least see a network diagram, you know, something tangible?” Those are typical questions (or at best unspoken thoughts) from many system owners and end user managers, who don’t know or care much about architecture, much less security architecture, except that it makes their eyes glaze over. As practitioners we know the architecting process provides client value with designs and systems that are traceably business driven and conceptually sound. But the architecture process takes time up front. Most system owners are under terrific pressure to “get it done”, and as a result so are you. Most people are more comfortable, and willing to spend more money, wrestling with tangible, physical design artifacts. So the faster we can make the process of getting to and through the meat of the issues in the early phases of business modeling, or conceptual and logical architectures, the better. One way to condense the logical architecture development process may be the use of security design patterns.

This session explores using security design patterns in creating services at the logical architecture layer of the SABSA framework, and using those patterns in the transition from logical to physical architecture. Design patterns are a proven technique in many areas of ICT technical design, especially software engineering where it first arose. There is also an existing body of work in security design patterns to serve as a foundation. But design patterns, to my knowledge, have not yet been applied to enrich the SABSA method, nor has SABSA been used to enrich security design patterns.

Some of the questions we will explore include:

  • How can design patterns speed the development of a SABSA logical architecture services design?
  • Can design patterns improve quality, by jumpstarting a comprehensive view of relevant design issues?
  • How can the SABSA framework enhance design pattern content, stakeholder interaction, and analysis?
  • Can we accumulate a library of reusable service patterns that provide a deeper and more useful service definition than textual descriptions of services, and still be vendor agnostic?
  • At the logical layer, how should we include technology guidance to speed the transition to a preliminary physical layer architecture that does include product and configuration specifics?
  • Should we have separate patterns for logical and physical layers?
  • Could this approach present security problems, through careless cookie cutter process?

The discussion will be seeded with work done to date. However, this is expected to be an interactive session of feedback and ideas exchange.

    Part Four – Physical Architecture – Design Patterns in SABSA Physical Layer Perry Bryden    

Okay, your sponsor is intrigued by your logical architecture, but you sense skepticism on his or her part. Is the sponsor thinking “What was the real value of the logical architecture if the physical and component architectures will lead to the same point solutions that every vendor has been proposing?” The question often asked is “Why not request proposals from the top few vendors and choose the one that seems to meet your needs? Is this architecture stuff really necessary?” As practitioners we recognize the value of the SABSA holistic business-driven approach, but how do we deliver solutions tailored to the client's needs and build on the business-driven approach within the time constraints of most businesses and agencies?

This session explores using design patterns at the physical layer, building on the use of logical layer security design patterns (see session by Bob Trapp). Design patterns are a proven technique to guide engineers in selecting and organizing components and interaction dynamics of the systems under design.

Several related topics are planned, to include:

  • The discussion will be based around a couple real-world examples of existing or being-built physical architectures.
  • How can design patterns help organize design intelligence into an easily "referencable" format suitable for a SABSA physical architecture, in particular security services design, while accelerating solutions design?
  • Where’s the real value of doing this vs. just accepting a vendor’s packaged solution?
  • Examine how to bridge from logical to physical architecture design patterns.
  • What content has to be in a physical layer security design pattern? How detailed must it be?

We will seed the discussion with our examples, but invite the COSAC audience to build on this work. Expect a lively interactive session.


Stream A - Technical & Topical
Stream B - Management & General Interest
Stream S - SABSA World Congress
Stream P - Plenary Sessions

1A The Wit, Wisdom & Policies of VapidBank Tom Trusty    

Many of us have ‘done time’ at VapidBank, or its wholly owned subsidiary Cretin Investments. The corporate logo is the Sand Crab – a creature that moves in one direction only (hint: it isn’t forward). On the surface, the policies do not seem to make sense. Dig a little deeper, and any doubt is gone.

The entire organization is protected by the best security of all, security by obscurity, and management is proud of the term – openly embracing it. The staff live in fear of everything it implies – even talking about a weakness is tantamount to treason and severely punished. Outside adversaries are bound to be equally afraid, which is fortunate because there is no intrusion detection strategy either. Obviously, there is no need for intrusion detection – after all, if the staff on the inside have not complained about anything being wrong, no one from the outside will ever find anything either. Choosing an external audit firm is reminiscent of you at 17, asking your friends to recommend a friendly garage for that problematic vehicle inspection of your first car.

This therapeutic reunion will be fully interactive and will start off with examples including how VapidBank went green, transforming a room full of old typewriters into a secure PIN system. We will see how interpretation of banking regulations and PCI-DSS gave criminals higher levels of access than bank staff, and the plethora of workarounds that evolved to enable staff to do their jobs. We will look at the rigid process for closing fraudulently established accounts – and where all those identity theft proceeds go when a fraudulent account is identified. Then of course we have the first line of defense: identity verification (KYC – Know Your Customer), which keeps the bad guys out so many other risk frameworks, processes and policies need never be put to the test. Bring your best experiences to share.

2A Mapping Internet Usage & Behaviour Statistics to Threats Sian John    

Most of the security vendors publish statistics on countries of origin for different types of attack from phishing and spam to malware and botnets. During the last year I have spent some time analysing the general statistics for population, wealth, amount spent online, population online and social attitudes to protection against the threat statistics provided by at least one vendor. This aimed to see if there was a correlation between online behaviour, maturity and threat statistics. I would like to present these findings to COSAC for review and feedback before documenting further.

3A Cultural Markers in Attack Attribution: Results Char Sample    

This talk is the follow-up to last year’s COSAC 2012 talk, Cultural Markers in Attack Attribution. The research has been completed and the results are in. Studying the role of culture in technology use represents a new frontier in Cybersecurity research, and COSAC has played a key role in supporting this research from inception through completion.

Computer network attack (CNA) attribution presents ongoing challenges for information security professionals. The distributed nature of the Internet combined with various anonymizing technologies contributes to making the attribution problem more difficult, especially when traversing hostile networks. Culture offers a cross-discipline, technology independent approach for CNA analysis. This research examined cultural influences in CNA choices and behaviors.

This talk originates from a late night discussion at COSAC 2011 that led to a rump talk at COSAC 2011 before becoming a dissertation topic. Do cultural thought patterns influence CNA choices and behaviors? The short answer is yes. This talk discusses how this answer was reached and what can be learned from this line of study. The speaker applied Hofstede’s cultural dimensions model to CNAs with the thought of how this knowledge can be applied to cyber security and information warfare for both defensive and offensive capabilities. The speaker discusses the research findings, lessons learned, and the next steps in this exciting research area.

The findings revealed valuable data in both the easily seen visible results, and in the areas that lacked data. These findings suggest that culture not only influences CNA choices and behaviors, but may also influence non-behaviors. This talk discusses the findings and what they mean for CNA as well as their cyberwar implications. This area of research represents a new frontier of cyber security that is rapidly gaining attention globally. This talk offers COSAC attendees an opportunity to learn about this work and research areas related to this topic.

Value: High value providing attendees insight to a leading edge research area.

Uniqueness: This topic is distinctly different from other security talks that repackage standard security practices

Timeliness: New security businesses are rapidly appearing that claim to assist users in understanding their threats and attackers. In reality, these businesses are re-packaging old processes and techniques. This talk is truly unique and the speaker is one of the most experienced researchers in the world in this area of research.

Approach: Interactive lecture. Speaker will present findings and current state of research, and the speaker anticipates many questions.

4A State of Cyber: from DoD to DHS to OMG Mary Dunphy    

If we can now give medals to persons who fly drones who are never in physical danger, why can’t the same geeks handle cyber security? What is the new face of the Department of Defense? The Department of Homeland Security has now been solely tasked to provide all of the cyber security defenses. Their solution? Hand it off to selected companies like Raytheon and Lockheed Martin.

These companies are now competing with the telecommunications providers to enhance their commercial offerings with the sanitized signature files from the government. Bloomberg reports “Under the program, the companies are provided -- free of charge -- computer threat “signatures,” such as timestamps and coding used in attacks, which have been obtained by the National Security Agency and other agencies. The companies can use this intelligence to strengthen cyber security services they sell to businesses that maintain critical infrastructure.

The Homeland Security department determines which companies qualify as “commercial service providers.” To be eligible, companies must be able to safeguard classified information, have employees with security clearances, and be positioned to provide cyber security services to businesses, Darrell Durst, a vice president of cyber solutions at Bethesda, Maryland-based Lockheed said in an e-mail.”

All this was made possible by an executive order in February 2013. The creation of a market based on classified U.S. cyber threat data follows Congress’s failure in November to pass legislation requiring companies operating critical infrastructure to adopt cyber security standards.

On the now cool heels of Stuxnet – and the current expansion of DDoS from financial institutions to critical infrastructure SCADA systems – we have now chosen to follow the course of allowing big business to provide for our cyber-security. So far, the two defense contractors have signed up for DHS’s Enhanced Cybersecurity Services program, joining previous participants AT&T Inc. and CenturyLink Inc. (formerly Qwest Communications).

With the abuse of financial industries in the not too distant past, what will the new face of cyber-security look like and what role does our Department of Defense play in this new landscape? Who will watch the watchers?

What are the European initiatives? What is the approach? How can we learn from each other?

5A Cyber Threat Landscape for Nuclear Power Pascal de Koning    

During the last decade, industrial control systems (ICS) have made a move towards IP-based networks. This enabled the use of wide-spread knowledge, existing communication specs and cheap network devices. The result was that ICS networks became accessible from business LAN or even from the internet for remote maintenance. Nuclear power plants have made this shift as well. A consequence is that nuclear power plants now also face more cyber threats. Stuxnet is a well-known example of this. This presentation contains an analysis of that cyber threat landscape, based on a survey of public sources.

We will look at cyber-related incidents at nuclear power plants in the past, the development of highly advanced attacks like Stuxnet, the current view of attacks on ICS environments, and the availability of security policies in this respect. Finally, we might be able to put some pieces together and get an idea of future threat scenarios and defence mechanisms.

6A How the West Was Pwned G. Mark Hardy    

Can you hear it? The giant sucking sound to the East? With it are going more than just manufacturing jobs -- it's our manufacturing know-how, intellectual property, military secrets, and just about anything you can think of. If we're so technologically advanced, how are the People's Republic of China (PRC) and others able to continue to pull this off? Why do we keep getting pwned at our own game?

The Mandiant APT1 report released in February detailed research into People's Liberation Army (PLA) Unit 61398 (61398部队) and their significant penetration into western networks. It was followed quickly by a series of political and diplomatic statements denouncing China's actions, which China flatly denied. Where's the truth? We'll try to find it.

Last year I talked about "Hacking as an Act of War," but there may not be a war. If a victor can extract tribute from the vanquished, war isn't necessary. Today, intellectual capital is a proxy for tribute. This year we'll look at some specifics, including documents that outline the plan of attack, details about what operations have been run against us, and progress in efforts to create an international legal framework for cyberwar in case the bits start flying.

1B Legal Aspects of BYOD Larry Dietz

The exploding use of employee owned devices in the workplace is fraught with legal uncertainty. This is especially true in Europe where the new EU Privacy rules will place increased security requirements on employers. This session provides practical advice and a clear methodology for employers to use so as to minimize their legal liability while building employee confidence in the organization. The session looks at legal issues before an employee or contractor is hired, during their tenure with the company and at termination and beyond. Case studies will be used to bring the legal issues to life and participant discussion will be encouraged.

Among the issues to be discussed are: pornography, mobile phones as labor records, use of devices by family members and other, data from multiple businesses on the same device, responsibility for loss or damage, minimum security requirements and ownership of intellectual property that was created on the devices.

2B Outsourcing Security John O'Leary

Veteran security professionals know that in 2013 we just can’t do it all anymore, even if we ever could. So we look to Security service providers to fill holes in our perimeters, solidify Cloud defenses, draft appropriate and workable policies, relieve the tedium of repetitive administrative security tasks, architect our future, detect and repel intrusions, … and the list goes on and on, even as far as managing the entire IT Security function (That one didn’t work too well, by the way). The range of activities covered by managed security services keeps growing, and whatever list you may find, one guarantee is that tomorrow’s Security-related outsourcing services list will include more than today’s.

This COSAC-rules interactive session will analyze the ever-expanding phenomenon of having someone outside the organization perform sensitive security tasks. With a focus on when it makes sense to outsource some or all security needs, we’ll analyze delegates’ own experiences for positives and negatives of managed security services, delving into the reasons organizations give for selecting this option or that and whether the provider actually provided. We’ll then survey various types of security outsourcing that either are or will be or ought to be available. Finally, we’ll cite protective measures to help effectively manage the process and keep the security outsourcing experience positive. The information in this session should prepare delegates to make informed and realistic business decisions regarding security outsourcing.

3B Getting the Most from Your Supplier: the Definitely “Do”s and the Mostly “Don’t”s Dave Barnett

A highly interactive discussion from a veteran from the vendor and service provider world.

In this session the focus will be on the non-commercial side of a supplier-customer relationship. Clearly several of these topics relate to SABSA methodologies; the session is intended to complement them. There will be examples of success and examples of failure with an analysis of what works and what doesn’t in the following areas:

Product vendor

  • Researching the market to define reasonable requirements aligned with business need
  • Researching market trends as well as trends in academia to anticipate future product needs and directions
  • Communicating requirements effectively and how to interpret the response
  • Conducting a balanced “proof of concept” within the selection process
  • Effective ways of maintaining the relationship with the product vendor and deriving value

Service provider

  • Balancing the need for availability with the need for confidentiality and integrity in a contract
  • What works and what doesn’t work in defining the service you would like to be provided
  • How to avoid change restrictions and lock-in
  • Techniques to build adaptable risk models into the life of the contract
  • Achieving service provider efficiencies without weakening security?


  • How to ask questions to receive the answers you need
  • Understanding the corporate environment and positioning yourself to ask the right questions.
  • Reading between the lines with Analysts who may be reluctant to help you decide
  • Balancing cost with security

4B Honing Your IT Jiu Jitsu Bill Schultz

How is the reaction to a physical attack similar to the reaction to a denial of service attack? Or perhaps, the caution you use traveling in a bad part of town like the caution in operating a high risk application? The concept of personal security or self-defense is an ancient endeavor that is evidenced by numerous martial arts across the world. Yet, despite its longevity, many of the principles of self-defense are counter-intuitive to people who are not versed in them. While each respective martial art is designed for specific situations where it is more effective, certain principles and techniques are held in common. The field of information security presents a different set of attacks and responses; however, some principles from personal self-defense can be applied to Information Security. In this session, we will look at some of the foundational principles of Gracie Jiu-Jitsu and apply them to the types of attacks we face in Information Security. In particular, we will look at specific techniques where the proper response is the opposite of what people typically do. This analysis will lead into discussion on existing security strategies, and how we can use this perspective to come up with new and innovative protection strategies. Who knows, you might also learn something about self-defense in the process.

5B Garbo, D-Day & Ultimate Social Engineering John O'Leary


At past COSACs, the late Tony Sale gave us astonishing insights into the mechanics, rationales and personalities of codebreaking at Bletchley Park in WWII. He related those efforts to the challenges we face today as Information Security professionals.

This session is not intended to substitute for him. There is no substitute for someone of Tony’s caliber, character and quiet achievement. Let this instead be dedicated to and in honor of a man who brought smiles and knowledge to us and who made a difference.


Social Engineers in 2013 can be clever, creative and trust-inducing as they go about their (usually) nefarious deeds. But not one of them has come, or will come, close to the exploits of an unassuming Spanish chicken farmer who convinced the Germans that D-Day’s primary target was not Normandy.

The web of deception that Juan Pujol and a few others wove kept overwhelming forces away from the invasion beaches long enough to ensure that the largest and most complex invasion ever attempted would not be pushed back into the sea.

From this convoluted story we can learn some valuable lessons regarding social engineering - perpetrators, targets, methods, obstacles, dangers and consequences, both intended and unintended.

6B Security Redefined: Lessons from Burning Man Lisa Lorenzin

What does security mean to you? Protecting your network, safeguarding your data, ensuring that your business is able to operate uninterrupted… There are as many answers as there are information security practitioners.

Security takes on a whole new meaning at Burning Man, a week-long annual art event and temporary community deep in the heart of the Nevada desert. Fifty thousand people gather to create art, experience nature, and pursue “radical self-expression and radical self-reliance” - and some of them find the latter a little harder than they expect!

Scorching sun, freezing darkness, dust, wind, dust storms, and the occasional torrential downpour are just the natural hazards - then there’s fire, art cars, and your fellow citizens. Staying safe, keeping hydrated, and having fun on the playa require close attention to your environment and application of some fundamental safety principles - which can carry over to our efforts in the information security arena.

This talk owes its existence to COSAC! Inspired by a conversation at lunch in 2010, it started out as a COSAC rump session, then evolved into a lightning talk at our local hackerspace and a fire talk at Shmoocon 2011. Now it’s a full-length tour of what I’ve learned about security across six years as a citizen of Black Rock City, and how to apply those lessons to our information security challenges.

1S Smart Grid Security from an Architectural Perspective Pascal de Koning

Smart Grids are being developed worldwide. In Europe, the future trans-European grids must provide all consumers with a highly reliable, cost-effective power supply, fully exploiting the use of both large centralised generators and smaller distributed power. Currently, industrial control systems (ICS) for electric utilities are focused on the integration of advanced metering infrastructure (AMI) and a migration to internet protocol (IP)-based networks for control systems in order to keep up with emerging Smart Grid technology. This presentation focuses on the security architecture of the Smart Grid.

What does the word “architecture” really mean in the context of the Smart Grid? This will be answered from both enterprise architecture (TOGAF) and enterprise security architecture (SABSA) perspective. The architecture approach will be used in this presentation to keep oversight of current developments regarding Smart Grid security.

What standards for cyber security are currently available in the Smart Grid context? In March 2012, CEN (European Committee for Standardization), CENELEC (European Committee for Electrotechnical Standardization) and ETSI (European Telecommunications Standards Institute) have been tasked by the European Commission to deliver the following:

  1. A technical reference architecture
  2. A set of consistent standards to support the information exchange
  3. Sustainable standardization processes and collaborative tools to enable stakeholder interaction

Furthermore, they have been asked to investigate standards for information security and data privacy encompassing harmonised high level requirements.

The ‘electricity subsector cybersecurity Risk Management Process guideline’ was developed by the Department of Energy (DOE), in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC). What’s the difference with the existing Risk Management approach in ICT context? How useful are the classic CIA attributes (confidentiality, integrity and availability) for the ICS environment? And what are ‘Ideal Driven Technical Metrics’ in this respect? What can ICT risk managers learn from the world of Industrial Control Systems (ICS)?


2S Delivering Information Security Business Value at Scale – Experiences at Accenture in Building Global Enterprise Security Architecture Consulting Services Stirling Goetz

Gone are the days when Chief Information Security Officers went begging for funding and a receptive ear to listen to why security matters. Information Security is now a board room concern and top security leaders have influence and budget to make an impact. But how can they transform information security to achieve maximum impact for their business?

Come learn about how Accenture is leveraging management consulting, enterprise architecture consulting, and security strategy and planning consulting approaches to define enterprise security architecture services that help information security leaders to achieve maximum business value. You will also learn about tools and techniques Accenture is using to train our security architects from a pool of 2200+ security professionals. This session is useful for organizations of all sizes struggling to build out an enterprise security architecture capability.

This session includes:

  • Perspective on ideal information security operational models and how enterprise security architecture fits within them
  • Insight into industry centric enterprise architecture approaches and how this affects enterprise security architecture delivery.
  • How Accenture is integrating SABSA, TOGAF, and other approaches with Accenture security architecture methodologies.
  • Assessment of recent industry security analyst views (Gartner, Forrester, etc…) on enterprise security architecture.
  • Considerations for tools that enable industrialized enterprise security architecture delivery at scale
  • Scrubbed (anonymized) case studies of enterprise security architecture work at successful organizations
  • A journey description of industrializing enterprise security architecture services delivered at scale and with consistency to achieve maximum business value.

3S Using SABSA to Improve the Security and Privacy of Government Information Services Chris Blunt

The New Zealand government has published its Government Enterprise Architecture for New Zealand (GEA-NZ). This session will explore how SABSA can be used to improve the security and privacy of information services and support the Government’s ICT strategy.

Specifically it will look at how the SABSA methodology can be used to:

  • Define a common language for capturing security requirements using a Business Attributes Taxonomy customised for the New Zealand Government;
  • Define security requirements for new government information services using the Business Attribute Profiling and Control and Enablement Objectives techniques;
  • Define security domains based on the classification of official information and the business context of the service (e.g., whether the service is multi-agency common capability or a unique single-agency service);
  • Incorporate other standards and frameworks to bridge the gap between the business drivers for security and the controls defined in the New Zealand Information Security Manual (NZISM);
  • Support the Certification and Accreditation of information services to ensure that the required security controls have been implemented and are effective at managing the associated risks.

It will also explore some of the challenges of implementing an Enterprise Security Architecture across the government meta-enterprise.

4S Meta-SABSA: Exploring the Architecture of an Architecture Design Method Vince Gallo

Derivation of an “architecture” applied to either a new Enterprise structure, or to an existing one by reverse engineering, will yield a description of the Enterprise. In both cases the goal is to produce a collection of information that represents the enterprise itself: a schematic, a map or collection of engineering drawings. However, that “the map is not the territory” (Alfred Korzybski – 1931) is a realisation that should be burned into the consciousness of all architects and software engineers.

The result of the documentation process can be literally a narrative document, or perhaps a data collection with associated software that may permit subsequent editing and/or exploration of the outcome that may result from some perturbation. The enterprise is the territory and the documentation derived by the SABSA method is the map.

The SABSA method, akin to other software design endeavours, considers a real-world item (e.g. the Enterprise, a production facility or an accounts system) then derives a ‘map’ that can eventually be transcribed into a software model to emulate or automate the item.

In this session we will demonstrate taking the process of analysis one degree of abstraction further, whereby the SABSA process itself is the territory. We consider how to describe and manipulate a suite of virtual objects, comprising properties and behaviour, that together form a model of the SABSA ‘system’. As with all sound software architectures we will look for areas of commonality: opportunities for reuse where objects therefore need only be designed and built once. Once equipped with the map of the SABSA territory we will explore whether manipulation of the virtual SABSA objects using software may offer higher productivity and greater reliability when undertaking the SABSA derivation process itself.

As SABSA produces an Enterprise Security description (a meta-Enterprise) which can be used as a tool to model the security aspects of the Enterprise, so we shall see how a meta-SABSA can provide tools to manipulate SABSA.

5S Re-engineering User Access Management (UAM) with SABSA Attributes John Sherwood

This case is one of a major international bank for which UAM had become a nightmare of high cost and low value to the business stakeholders. UA administration was outsourced and the service quality was low. Previous UAM processes had been built from an IT perspective and not from a business view. Patchwork changes and developments over time had left the UAM systems architecturally weak. This is a common story and therefore relevant, timely and valuable to other professionals in a world where cost cutting is essential and operational excellence and value for money are key performance targets for all businesses.

The case provides a unique opportunity to see how SABSA Business Attribute Profiling (BAP) can be applied to a very large scale organisation, enterprise-wide, with the specific intention of re-engineering UAM as a high-level business service, starting with pure business requirements. It is particularly timely as the Open Group TOGAF Next Generation team are integrating the BAP process into TOGAF. This presentation will address all the issues encountered, including the need to change culture and mind-set in an organisation that has for decades been IT-focused in its thinking and is struggling to get back to basing its change programmes on business need. At the time of writing this synopsis the project has been running just one week. The presentation at COSAC will reveal the reality of the experiences that the project team encountered.

6S Creating Integrated Multi-dimensional Governance Architecture David Lynas

Imagine a world in which:

  • Stakeholders demand risk ownership rather than dismissively shrugging shoulders
  • Policy at every level is supported and enforced with a passion rather than brushed under the carpet
  • Processes are engineered with the vertical consistency that ensures what we do down in the engine room is what the ship’s captain really wanted in the first place
  • Technology is built to achieve a clearly understood, articulated business target

People, Process & Technology. We’ve seen that trinity so many times in so many models but can we really integrate them into a cohesive business system or is it all just so much management-speak?

We’ve all experienced the process zealot who believes the process to be more important than common sense and who, instead of recognizing the urgency of a situation, tells us to raise a ticket. We’ve all been there to witness the devotee of so-called best practice overrule the real best interests of the business. We’ve all observed what we believe to be all-important policy being completely ignored in favour of pragmatism, or worse, we’ve tried in vain to drive innovation in an environment where nothing can be achieved because the business is policy driven rather than policy being business-driven. And at some point we have all tried to convince a stakeholder that a risk is real and that they own it when they clearly don’t see it that way: it’s like trying to push water uphill. Nothing in the real world really works without the ultimate motivator – human vested interest.

The reality, as with so many models, is that the trinity of People, Process & Technology can be viewed from the business perspective as nothing more than a spurious charade, a jar of snake oil, a mere check-list of unconnected fluff. It’s all smoke and mirrors unless it can somehow be made to truly work together. It’s time to change the landscape.

This session will apply a variety of SABSA models (Governance, Risk Management, Policy, Process Engineering & Systems Engineering) within a cohesive, integrated Architectural framework designed to make it all work together, at every level, and all driven by the powerful force of human vested interest.

7P Big Daddy Digs Big Data Richard Hollis

Is "Big Data" just the latest hype or in fact a new way to document and understand the world we live in? More and more data is collected every day. Why? Who benefits by it and how? The presentation addresses the way we've always collected and analysed data and how this must change to get value from the tremendous amounts of data we currently collect. It discusses the potential impact on personal privacy and the ways in which data protection frameworks must be modified to meet Big Data challenges. More importantly, the presentation explores the new security paradigm needed to address Big Data - starting today.


Stream A - Technical & Topical
Stream B - Management & General Interest
Stream S - SABSA World Congress
Stream P - Plenary Sessions

8A Investigating the Risk of Visual Data Capture Wendy Goucher

‘Shoulder Surfing’ is a phenomenon that delegates will be aware of but probably regard as insignificant. However, recent technological developments mean that this risk has changed, and this change is one better demonstrated than explained.

Once upon a time looking over someone’s shoulder, or ‘Shoulder Surfing’ on a ‘long haul’ flight, was part of the in-flight entertainment. If your neighbour was working on something interesting it might provide you with some insight or just a good anecdote. With the development of Smart Phones and tablet devices the image is clearer than ever and can be captured in better detail in a discreet way using the inbuilt smartphone camera. The risk to business data and business reputation is therefore growing.

This session will combine presented insight into ground breaking research with the opportunity for delegates to investigate visibility for themselves with hands-on experimentation. The resulting discussion will highlight differing risk exposures and risk appetites as well as different cultural responses, all of which will add to the debate of whether business should care about Visual Data Capture.

Phase 1 – Why do people work insecurely? There are a range of reasons, from cultural and psychological to organisational, and these will be explained with reference to the research work already done.

Phase 2 – ‘Research lab’. This will give delegates the opportunity to investigate the risks from Visual Data Leakage. Delegates will form small groups and move between different zones in the ‘Lab’ at fixed time intervals; the tasks will be detailed on sheets in each zone.

Tasks will include:

  • Measuring the visibility of tablet devices to photo-capture
  • Measuring the visibility of laptops to photo-capture
  • Establishing the ratio of informational and ‘pictorial’ photos on group members’ phones.

Phase 3 – Implications & the way forward. Having drawn together the various elements of research, these will be used to discuss the full nature of the problem of visual data leakage. The presentation will consider why devices are popular with the mobile workforce and the risk to sensitive data. There will also be due consideration of regulatory pressures to reduce this risk, such as those from HIPAA and ISO 27000. Consideration will focus on identifying those areas of business that are at greatest risk from this threat, and understanding how technology and behaviour modification can be used to protect data in the developing world of mobile working.

Phase 4 – Summary and conclusion, with any questions not raised in the body of the presentation.

9A Considering Anonymous Larry Dietz

The hacker group Anonymous is constantly in the headlines. Unlike those who are motivated by money or personal gain, this international leaderless organization has become synonymous with hacktivism. Unlike other groups, Anonymous can take both physical and virtual actions. Discussion of the group and how to cope with them has often been stilted for fear of retribution. The challenging, yet collegial atmosphere of COSAC is the perfect place to try and learn more about Anonymous and what organizations should be doing to protect themselves from leaderless groups in general.

10A From Eyes to Teeth to Sleight of Hand: Intrusion Deception to Protect Web Apps Lisa Lorenzin

In 1994, Marcus Ranum declared that the only 100% secure firewall is a wire cutter. The intervening years have repeatedly proven him correct, as most firewalls share a common Achilles’ heel - the traffic required to pass through them, connecting to insecure and vulnerable applications.

This past year has seen no shortage of epic and/or embarrassing compromises that used several well-known vulnerabilities in web servers and applications to succeed. Despite the security industry's best efforts to encourage secure coding practices and a disciplined patching process, successful attacks seem to be taking place with increasing regularity.

Insecure applications are not a new problem; intrusion detection technology was originally developed over a decade ago to identify such attacks traveling over legitimate protocols and services. The visibility offered by these eyes watching network traffic inevitably led to the desire for more active response, giving rise to intrusion prevention - awareness evolving into enforcement, eyes now backed up by teeth.

Attackers, too, have evolved: script kiddies harnessing the power of Metasploit, government-sponsored intruders with their Advanced Persistent Threats (APTs). Understanding the adversary is more important than ever in repelling their advances. Security technology must once again step up - this time with intrusion deception.

This new approach to preventing web-based attacks goes beyond enforcing controlled access, offering the additional ability to use the distinct characteristics of an attacker against them. Intrusion deception inserts fake, vulnerable-seeming code into application sessions to trick attackers into revealing themselves and allow you to learn more about them, slow them down, and ultimately repel them. Creation of tar traps that would only be accessed by a hacker (or researcher) probing for weaknesses enables detection and response much earlier in the attack phase than traditional IDS/IPS technology offers.

This session will provide an overview of how intrusion deception can be applied to stop several automated and manual attack methods used today. It will discuss coding techniques to detect attackers quickly and with few false positives, allowing you to take more definitive actions that will slow down and potentially stop the attack entirely. We will also have a discussion about the merits and concerns of applying this technique to other areas of security.

11A Identity Management & Big Data Char Sample and Lynette Hornung

Identity management (IdM) solutions have been around for years and have provided stable solutions for user access and authorizations. Cloud migrations and various integration efforts threaten this stability by introducing a new threat environment, and new issues with migrating to Big Data. Simple authentication & authorization (A&A) solutions are no longer sufficient; A&A solutions must integrate securely with Big Data, and this activity introduces a variety of privacy concerns, including how much individual privacy information is being collected, how this information is stored, and the mechanisms that make this data available for use when needed.

Additional concerns deal with individual control over data collection, and individual access to correct erroneous data. For example, in the United States, individuals do not have as much control over privacy data that has been and is collected in many different databases by governmental entities as well as private industry. In recent years, due to risks of identity theft, greater privacy awareness and the need to engage in international business with the European Union and other countries, who more strictly control access to privacy or sensitive data, there have been some modest gains in the US moving towards greater awareness of the need to protect, safeguard and monitor the collection, use and sharing of privacy data.

Use of IdM data in order to create user profiles creates additional controversy. Profiling user behavior results in significant benefits as well as serious detriments. Marketing and sales tend to be in favor of profiling user behavior, as may certain governmental entities, but this needs to be balanced with the dangers of undue intrusion into the privacy of individual citizens. Also, this will not be allowed under the EU Data Protection Act, and other countries have similar data protection laws which prohibit such actions unless the individuals provide explicit consent. Even with consent, the individual would require transparency and access to such information, and there must be methods to correct any inaccurate information. Also, certain nations, such as Germany, have laws that greatly restrict the government from intruding and gathering information on German citizens.

Even when consent is given it is usually granted to a specific entity, where a standalone environment has been the norm. The virtual environment is different: in a public cloud a strategic breach can result in many entities revealing compromised data. Big Data, and the metadata that results from the cloud environment, requires different management, storage and processing than the traditional standalone data of IdM solutions.

New scalability and security issues will accompany the integration of our IdM solutions. The whole of aggregated data creates new data that is greater in security value than the sum of its parts. This newly aggregated data introduces privacy concerns and ownership issues. For example, are there various pieces of data about an individual that, when aggregated, provide an intrusive view into their habits (such as buying, bank account activity, what stores they shop at, etc.) and that the individual has concerns over the government and/or private companies harvesting?

Furthermore, if this data is inaccurate, does the individual have any real access to the data and recourse to correct it without incurring an undue personal financial cost? Finally, the interface between individual user access and Big Data creates a new vector for both controlled access and potential exploitation.

As with many new technologies, security solutions are not plentiful; this places an additional burden on enterprise security architects. This session addresses some of these burdens and offers recommendations, including an exploration of how SABSA can offer good approaches to solutions for some of the unique problems that arise from the integration of IdM data with Big Data.

12A Govern Your Dark Data or Suffer a Cataclysmic Event – Myth or Reality Stephen O'Boyle

There are ever increasing references to big data, data governance, data management, information management, information governance, unstructured data and dark data, with overlapping use of terms, inconsistent or missing definitions and a general overlay of vendor pitch.

It is estimated that up to 80% of an organisation’s information is dark or unstructured and the volume of data in organisations is growing by up to 50% annually.

This session will examine the terminology used and look at what methods can be used to manage dark data effectively. We will use real life examples to show how effectively managing your unstructured data can provide a return to the organisation and how mismanaging your unstructured data can impact the bottom line of an organisation. In particular we will analyse the impact that different levels of information governance over dark data had on a number of multi-national eDiscovery cases.

This session would also seek to promote discussion with the group to understand:

  • Is there an issue at all, is this data already effectively managed?
  • If it does exist is there really a desire to open up the issue of dark data?
  • Would greater interest on dark data by regulators help?
  • Is investing in this area worth it?
  • How easy is it to automate the process?

8B Security as an Enabler – Let’s Talk Success Dave Barnett

A facilitated discussion about security projects that have added real value to the business

This will be a highly participative session. Under Chatham House rules the attendees are positively encouraged to share tangible successes from their workplaces with each other in the following areas:

  • Where business requirements have been truly met by security
  • Where business requirements have been led by security
  • Where business innovation has been shown to come from security practitioners

There are two forms of “success” that we would like to examine:

1. Empirical success: A large publishing business was spending over 10% of revenue on IT before moving to the cloud. The migration cost an initial 1%, but after 2 years as a customer the savings were 20% and the increase in revenue and profits was an additional 20%.

If, for example, you can show that an investment of $x, which equates to a% of revenue, saves the business $y, which equates to b% of revenue, then the case holds as long as x < y and a < b. This formula will be discussed in the session.

2. Anecdotal success: Social media use is a recurring security theme for professionals. Attempts to block use of these items often result in users circumventing security in order to achieve their goals. One solution is the use of web filtering.

Mobile devices assist in supporting the 24x7 business cycle, but they also introduce an unintended attack vector into most environments. A recent success story with mobile device integration known as the MDM project will be discussed.

9B Applying Social Policy Analysis & Economics to Information Security Sian John

Information Security and Social Policy have something in common, the inability to define outcomes in direct monetary terms. A number of Social Policy economic proposals can be applied to understand risk in the information security industry. This session will examine some common social policy topics, the models used, and how these can be adjusted to deal with the unique challenges of information security. Particular models to be considered at this moment are:

  • Social insurance and how this can be mapped to information security as an insurance for the IT industry / modern business.
  • Insurance risk models for public goods such as healthcare and how these can be adjusted to the IT industry
  • Information security as a "public good" (a good that cannot be excluded from certain individuals and where the cost of keeping individuals from benefiting is prohibitive)
  • The economic effect of those who do not invest in information security on those who do.

10B Handling Sensitive, Complex Security Issues John O'Leary

Way back in 2010, we gave the COSAC treatment to a session titled “Whaddya do Now?” Over the past 3 years, the security landscape has changed so much that we need to revisit the concept of dealing with sensitive scenarios, even if the landscapes and motivating factors are quantitatively and qualitatively different. That said, some of the security events we have to deal with were with us in some form or another back in the last century. Politics and user nonchalance are still significant pain points, but now we also have to worry about legislative activity in cloud computing venues and Facebook postings and being on the wrong side of “Anonymous” and who left what in Dropbox. COSAC delegates are battle-hardened, if not politically savvy professionals. But dealing with a North Korean cyber attack on media and banking systems in a country where we do business can be daunting, to say the least. Some of the sensitive issues we face are still political or organizational. These ones don’t usually respond to technology and in seeming contradiction they both persist for a long time and multiply fast. And some issues never seem to die. Can you say “trivial passwords?”

To encourage idea sharing and gaining from the experiences of fellow COSAC delegates, we will outline scenarios that you might face in 2013 or 2014 and hope that they’re not the same ones we faced in 1982. Your experiences, positive and negative, will shape the discussions. “Simple and obvious” solutions might not work within the constraints of another firm. Technology, business reality, geopolitical considerations, corporate politics, ethics, the economy, corporate culture, mergers and multiple other factors help delineate viable solutions. Bring your own “sensitive issue” scenarios, and we’ll address them as time permits.

11B At Last!! A New Version of 27001 / 27002 Mike Softley

These information security standards have been showing signs of tiredness for some time now as they are around 8 years old. By COSAC the updated version should be either in its final stages or actually issued and live.

This session will look at the changes to ISO 27001, the management system, and the (expected to be) smaller set of controls that are detailed in ISO 27002. We will set out what the changes mean to companies from the aspect of the management system. We will then examine the changes to the controls in ISO 27002.

There are also changes in the area of risk assessment and treatment, which may mean that using a method that is not focused on assets (for example SABSA) is easier with the revised version.

Talking about international standards is neither exciting nor entertaining; but this revised version of ISO 27001 is going to be used by organisations to judge the implementation of information security for the foreseeable future – so we need to understand it!!

12B Why did my Information Security Strategy Fail? – History Repeating Itself Glen Bruce

As information security professionals we seem to be solving the same problems over and over. Why do information security frameworks and strategies become shelfware for many organizations? With the ever increasing expenditure on information security solutions, why do problems persist? Threats are evolving at a rapid rate along with the technology to detect, prevent and mitigate the risk – and yet significant risk persists. Technology is neither the source of nor the solution to the question of why information and system risk never seems to be significantly reduced. We will explore some of the underlying reasons for this continued lack of success. Some would say that it’s due to seduction of the new – a lot of attention given to the darkest new threats and the shiniest new defenses while losing sight of the fundamental problems to solve. We will use industry sources and surveys to examine and highlight this disconnect and look at trends for success and, in many cases, failure. Are organizations really as mature as they think they are? As they need to be?

There has been no simple approach or technical solution that solves all or most of the threats. However, a few common characteristics and approaches have emerged to help avoid continued high levels of risk and history repeating itself. A well-defined, operating, business-driven management system for information security has led to less risk and greater business success – how do you get there? Based on real world experiences, we will present nine principles that should be considered as a foundation to build longer term success for managing information security risk. We will outline the motivations as to why each principle is needed and the implications that result from following them. You likely have more principles to contribute. We will conclude with examples where adhering to the principles has helped or, more importantly, could have helped build a more effective approach to managing information security risk.

8S SABSA to the Clouds: Cloud-Specific SABSA Attributes & Security Enablement in the Cloud Jason Kobes

Cloud Computing has risen dramatically, and a tremendous amount of time has been spent on understanding the unique advantages, disadvantages, requirements and conditions that the cloud has to offer. Organizations that want to utilize the cloud to its fullest potential often wonder if they have done enough to secure themselves from the risks that this new technology introduces.

This talk will outline those unique mission requirements that have given rise to the advantages of cloud computing and abstract them into a unique set of Cloud Specific SABSA Attributes. Some of the attributes are well known, but others are unique and new to Cloud Computing with new definitions, threats and opportunities tied to each one.

We will then map the cloud specific attributes back to the NIST and Cloud Security Alliance controls. We will look at how cloud control strategies are built through aligning the attributes and how to determine where these controls must be implemented.

Cloud Specific attributes will help organizations get a complete perspective of the new security challenges and operational opportunities they face in the Cloud, as well as help Security Architects be more complete when assisting customers with reducing the security complexity and abstractness of “The Cloud”.

9S Architecting to the Cloud: Where Have We Missed the Mark on Services & Security? Andy Rogers

Why do Developers always want to create their own stuff? “Because it works better!” Why do we need more reusable systems for the Enterprise? Because it typically takes years to work the bugs out of created ones. Services Oriented Architecture (SOA) was originally designed to make enterprise software modules more usable/reusable within and external to enterprise applications. The goals of capability, performance, and security could be addressed once and then built on to save future development cost. The focus is on the data, the resources, and what you want done with them, rather than on how the applications accomplish it.

These same principles can be and are being used for capturing data requirements for interfacing with cloud services. SOA concepts and Cloud computing technology are working together, providing the first real revolution in software engineering and IT systems design since the transition from Procedural Programming to Object Oriented Design (OOD) back in the early 1980s. With the cloud adding layers of abstraction and the ever growing complexity and risk involved, Mission/Product Owners and solution providers need a way to capture the complexity and some way to try and minimize the cost that goes with it.

The US Jump Start: As an example, consider the US Department of Defense Architecture Framework (DoDAF) V2.0. It was an attempt to take advantage of SOA principles and allow designers to model the Cloud services within their Enterprise and Solutions Architectures. However, this first attempt to formalize the concepts within an operational framework really missed the mark in several critical ways.

This presentation advocates what should be a reasonably straightforward restructuring of architecture frameworks such as TOGAF, MODAF, DoDAF and FEA in their approach to modeling Services, and recommends developing a simpler approach to the Meta Data volume.

More importantly, the EA community needs to demand that EA tool vendors step up to the challenge and apply these changes to their products. EA is more than just software and systems; the key word is Enterprise. The products EA practitioners provide to the organization can at times make the difference between mission/business success or failure and at the very least will certainly affect the level of success in the long term.

What cloud computing needs, and what SOA methodologies call for, is to really capture both the technical and business differences between services and systems. Tools make the difference: a quality EA Tool is absolutely required for a professional organization to keep track of the complexities of the technology revolution at an Enterprise level. Additionally, the tool’s user interface and associated visualization options have to be simple to use for practitioners and for non-IT functional decision leaders. EA products are for “techies” to build with, but only after the non-techies have approved it. EA practitioners must pressure Tool providers to properly capture “Services” to support applications hosted in a Cloud.

The bottom line is that Enterprise Architecture still needs to do a better job bridging the gap between business, security, and the computers that enable and/or degrade them. EA tools need to provide more direct ties between the business and technology and display it for engineers and non-technical leaders alike to help both to manage ever growing levels of complexity. For the Tool vendors to do this, we need to ensure we properly define and apply “Services” in our mission/business world.

I am not a product developer or someone trying to sell. This presentation will look at how SOA has evolved from OOD and provide examples of real success. We’ll also look at some missed opportunities and opportunities in real need of Effective Enterprise Architecture… NOW!

10S Information-Centric Security: A Business-Driven Approach for Mobile Devices Simphiwe Mayisela

Information-centric security is significant in understanding, assessing and mitigating the various risks and impacts of sharing information outside corporate boundaries. Information generally leaves corporate boundaries through mobile devices. Mobile devices continue to evolve as multi-functional tools for everyday life, surpassing their initial intended use. This added capability and increasingly extensive use of mobile devices does not come without a degree of risk - hence the need to guard and protect information as it exists beyond the corporate boundaries and throughout its lifecycle.

The proposed presentation looks at the risks that mobile devices bear on corporate information. It also looks at the technologies that organisations have adopted to mitigate risks that mobile devices have on corporate information. The presentation concludes by suggesting a realistic framework model (based on SABSA) that addresses the shortcomings of existing technologies and industry approaches in mitigating mobile device risks.
11S Moving Beyond SWIFT Payments: A Whole Bank SABSA Implementation Ed Blanchfield
Ross McKenzie

Westpac Banking Corporation is a Multinational Financial-Services provider.

Westpac is one of Australia’s "big four" banks, and is the second-largest bank in New Zealand. At COSAC 2009, we presented “A Journey Through Modernisation of an ESA at a Leading Bank”, and this year we are back to share our achievements, lessons learned, and next steps.

With this presentation we will demonstrate how the SABSA Method influenced the security architecture of Westpac's Strategic Investment Programs including, but not limited to, large scale:

  • Enterprise perimeter security environments
  • On-line banking platforms and applications
  • Enterprise service bus implementations

We will outline Westpac’s approach to managing the risks of current industry trends, such as infrastructure virtualisation, private cloud deployments, business asset zoning and service management.

We will share our real-world lessons on “what can go wrong” in addition to the great things that “can be achieved”.

12S Security Architecture at ING: How to Avoid Becoming a Blocking Factor Marc Verboven

The number of security architects is limited; ING Belgium, with a yearly change budget of several million euro, has exactly one security architect. Most change projects have architectural impact, and for all these projects the security impact needs to be assessed, documented and reviewed against corporate guidelines and applicable reference architectures. This creates a high demand on security architecture and could thus result in security architecture becoming a blocking factor.

In this session we will explain the architectural governance at ING, how it is linked to the project governance and what specific touch points for risk & security are needed. This session will also explain how architecture artefacts are produced at ING using TOGAF as a process model and IAF as a content framework and how security artefacts are embedded in the architecture deliverables.

The main part of this session will be dedicated to showing how communication and automation have provided the necessary scalability. Communication, by publishing one-pagers on the architecture intranet, prevents the security architect from becoming the single point of contact for security questions. Automation, by embedding SABSA derived artefacts (IAF views) into the architecture deliverables, allows the typical project architect to follow the security architect's way of thinking and to do proactive validation of architecture deliverables.

Finally the session will conclude with lessons learnt and plans for the future.

13P Tracking Clones with MindMaps Tom Trusty

Those pesky clones duck and cover just as you are about to catch one, only to reappear without warning months later. They cost banks billions of dollars a year and cause ordinary consumers great pain. A sudden infestation can be catastrophic.

Skip the snake oil. For guaranteed results, implement a purpose-built adaptation of the MindMap. Scalable to banks of any size, with over 99% demonstrated accuracy, this formidable weapon in the fight against fraud and identity theft enables mitigation at a rate that will quickly get you in front of hackers.

This session will show you how to implement MindMaps into any transaction processing system regardless of the technical platform. We will also discuss the lifecycle of a clone: from conception and birth, to usage in fraud, and of course my favourite phase of the lifecycle: death.

You will also see how MindMaps facilitate accurate metrics for calculating loss projections, helping you manage to plan for maximum loss avoidance and secure funding to enable expansion of fraud fighting efforts.

This session will be heavy on real life examples: you will see the latest, most coveted secret tricks that hackers use, and you will see how these same tricks can be turned against our adversaries. We will discuss simple enhancements to popular card processing systems that will enable you to maximize the value of this process, which is easy to learn and likely to become the cornerstone of your fraud mitigation efforts.

14P The COSAC Rump Session Various

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at before 10AM GMT Friday, September 27.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday October 2.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of five minutes will be allocated for each presentation.
W1 Virtualisation and Cloud Security John O’Leary

Virtualization and Cloud Computing are technological trends that to COSAC veterans may seem more like irresistible tides. Most organizations have at least put their toes in the water. Many have dived in headfirst and those that have resurfaced seem to be swimming, perhaps comfortably, perhaps not. But what about security for our information in this virtualized and “Cloudy” infrastructure? Is it better? Worse? Simpler or more complicated? Do we have to worry about the same things? What else?

We'll run through relevant concepts and risks, showing you vulnerabilities and realistic approaches to shoring up defenses. And this is COSAC, so we'll also invite questions, comments and sharing of experiences to learn from each other. We’ll give you some security related questions to ask cloud vendors before signing the contract. Virtualization and cloud computing may well be unavoidable. Come join us and help prepare your organization.

W2 Battle in the Clouds: CyberWar Goes Virtual Char Sample
G. Mark Hardy
Jason Kobes

The emerging battlefield of choice for governments, terrorists, and organized crime is cyberspace. The "usual suspects" will continue to evolve capabilities to match new technologies. Cyberwarriors are being trained and equipped globally for cyberwar. Cloud Warfare is next.

The promise of cost savings, efficiencies, scalability, and reduced maintenance has lured corporations and governments alike into the cloud. However, cloud computing design assumptions never included resistance to full-scale cyber attacks. In spite of the cloud’s advertised resilience, it remains brittle and vulnerable (think Netflix losing all capabilities when the Amazon cloud hiccupped last December) to large scale cyber attacks.

Part I: We will look at the cloud and cloud tenants as cyber targets, and discuss how to architect defensive strategies designed for the cloud clients who are those targets. We will also discuss strategies designed for the in-house private cloud and the Cloud Service Provider (CSP), keeping in mind the unique security situation that providing abstract multi-tenant cloud services puts them in. This all leads to security gaps between the cloud client and the CSP which are not realized by either party, due to the nature of the virtual environment also known as the cloud.

Part II presents the perspective of the cyber warrior and how this actor views the cloud. We'll examine intelligence, surveillance, and reconnaissance of potential cloud targets, acquiring (legitimately or otherwise) cloud-based attack capabilities, and scenarios for engagement from simple corporate espionage to massive, distributed attacks against nation-state infrastructures. We will identify what makes the cloud more vulnerable (and more resistant) to cyberwar, and will walk through real-world scenarios of some noted cyber attacks and explicitly explain how they will be different in the cloud.

Value: Very high. Cloud migrations continue to go forward and many of the issues surrounding cloud security have not even been articulated, much less understood. The consolidation of assets in the cloud along with the rise in cyber activities promises to create a unique problem set for security professionals, cloud clients and CSPs.

Uniqueness: A unique talk that pulls together the experiences and thoughts of researchers who are on the leading edge and in the position of having to deal with problems months (or years) before the public is even aware of them.

Timeliness: Recent cyber activities by China, Russia and Iran, and other unknown world political actors, make this talk extremely timely. The ongoing cyber battles being waged have resulted in all sides increasing resources in the development of cyber warriors, cyber tools and weapons, and cyber strategies.

Approach: Examples and discussion, both interactive and direct. Specific public cyber activities and events will be discussed within the context of the cloud.

W3 Architecting Mobility

    Part One - An Arresting Story: Mobilising New Zealand Police Paul Blowers

Quote: “People are very protective of their cell phones, how it's used, where it's used and how much it costs. It has become a very personal issue for a whole lot of people....” - Steve Largent: President and CEO of CTIA – The Wireless Association

During 2013, New Zealand Police became the first law enforcement agency in the Asia Pacific region to roll out smartphones and tablets to its frontline staff. It is estimated that 30 minutes of each eight-hour shift was saved by using the new technologies. That equates to 520,000 hours per year saved, based on the initial rollout to 6086 officers. This means the equivalent of an additional 345 extra frontline police will be active and visible, working in and for the community. The deployed iPhones and iPads fundamentally change the way officers do their jobs. Frontline staff will no longer have to return to Police Stations to complete paperwork, and can remain in the community and focus on crime prevention. My presentation answers the questions: What is the purpose? Why mobilise somebody whose job it is to be on the move? How can mobile devices benefit Police? Where will they be used? When will they be used?

I will discuss the architectural challenges of implementing a mobile solution that includes Mobile Device Management (MDM) and integration with a security and compliance policy based infrastructure.

True-life examples will be provided that demonstrate the benefits of adopting SABSA through-life risk management practices to promote business and security led decision making assertions that ultimately achieved formal certification and accreditation for the end-to-end solution.

My discussion will include case in point SABSA techniques that were used to ensure Police business requirements were met. The goal is to balance security against usability that at the same time ensures compliance with national security policies and standards. This will be demonstrated using personally designed security architecture business assurance resource tools developed from experiences gained through my SABSA learnings.

The presentation will be concluded in time-honoured COSAC fashion with an open debate regarding the value of the New Zealand and Australian government mitigation strategies (read: control libraries!) and comparing those to the SABSA value added approaches that were discussed throughout.

    Part Two - Mobile Banking Architecture (including the Customer Living Under a Tree) M.Z. Omarjee

In an effort to create new business revenue models as well as extend banking services to growing business segments, this session will demonstrate how a strategic security solution approach can enable a business to adapt its business strategy to support a Channel Convenience strategy, allowing customers to bank anywhere, from any device and at any time, leveraging innovative technologies offered through emerging mobility platforms.

In addition, the session will aim to:

  • Provide an understanding of the mobile business problem domain and its related complexities at Standard Bank.
  • Show how to analyse business strategy to define business security requirements and key business attributes.
  • Illustrate how the business problem can be solved through the design, creation and population of SABSA styled domain maps and entities.
  • Indicate the various security mechanisms, through associated product components and service management capabilities, that solve the business problem of mobility.

Address in-house organizational challenges:

  • Comparison of tactical "build" versus "buy" decisions on security solutions, and their associated trade-offs.

Copyright © 2013 COSAC
- All Rights Reserved -