
Tuesday 3rd December 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 1A: Using SABSA to Architect Zero-Trust Networks Part 2

At COSAC APAC 2017, I presented a session discussing how to apply SABSA to architect a zero-trust network. This session explored the basic concepts of zero trust networks and showed how SABSA was used to deliver an Enterprise Security Architecture (ESA), which included a Conceptual Architecture for a zero-trust network.

But what has happened since then? Is it practical for an organisation without the resources of Microsoft, Amazon Web Services and Google to adopt these concepts? This session seeks to shed some light on this by building on the original sanitised NZ organisation case study.

This session will provide a brief overview of the zero-trust concepts, together with the pertinent details from the ESA and the Conceptual Architecture before exploring how they were used to develop and implement a solution architecture using cloud services, discussing the real-world challenges and how they were overcome.

Finally, if time and the demo gods permit, there will be a demonstration of how zero-trust networks can work in the real world using a replica of the NZ organisation’s implementation.

09:30 1B: Digital Identity - The Core of Digital Transformation Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

The objective of the session is to illustrate how Digital Identity is a fundamental enabler for digital business strategies, underpinned by a customer Identity and Access Management capability.

The session will cover aspects relating to emerging business drivers, customer user stories, the new security stack required for Digital Identity that satisfies business objectives, and an architecture model required to synergise the use of identity.

In addition, the session will provide insight into the future of identity, leveraging emerging trends and technologies.

10:30 2A: SABSA in Mission Critical Systems Engineering Projects

The discussion of architecture frameworks and mission critical systems often misses the ‘elephant in the room’, since it excludes the use of system engineering practices to deliver large complex solutions. This is counter-intuitive, since architecture frameworks were originally conceived to deal with complexities in the delivery of systems and outcomes and were often derived from system engineering principles.

Although the SABSA training content does highlight the system engineering pedigree of the SABSA framework and methodology, many SABSA trainees and practitioners are unfamiliar with the formal practice of system engineering. This often results in a great deal of misunderstanding when architects from an enterprise ICT background join an engineering organisation.

As a SABSA practitioner working in a System Engineering organisation and on large scale mission critical systems, I have developed a depth of experience and insights into the application of SABSA architectural practices and methods within the framework of system engineering and the challenges of integrating into a system engineering organisation. Often these challenges highlighted that non-technical considerations were just as important (if not more important) than purely technical considerations.

The presentation will familiarise SABSA practitioners with the practice of system engineering and its application to mission critical systems. It will provide guidance in applying SABSA methods in a system engineering context. This presentation is an example of how to apply SABSA security architecture practices even though the engineering / technical organisation has not ‘mandated’ the use of the SABSA framework.

10:30 2B: Understanding Trust for Digital Identity Speaker(s): Andrew Stephen

Andrew Stephen

All of Govt Enterprise Architect, Dept of Internal Affairs (New Zealand)

Over the past three decades Andrew has worked across many aspects of the information and technology industry, from deeply technical to security management and architecture. Today Andrew has a focus on improving security practice and the relationships between security functions and their organisations. His current work contributes to development of New Zealand government digital strategy and nationally significant digital service. 

In late 2018 New Zealand's government began an ambitious project to develop a trust framework to establish the future environment for the digital identities of New Zealanders. With a list of stakeholders that potentially includes every New Zealander and NZ organisation - as well as off-shore entities which transact with New Zealanders - the task of understanding the outcomes and attributes necessary for a successful and trusted digital identity ecosystem looked overwhelming. As the Enterprise Architect for this programme Andrew Stephen began by formulating an approach to shaping a trust framework that focussed on the diverse outcomes needed for the many stakeholders to confidently participate in the future ecosystem, and determining the dependencies needed to achieve them. In this talk Andrew will explain how he developed this approach and will also give an overview of the findings and how these are being reflected in the trust framework itself.

11:20 - 11:40 Morning Coffee

11:40 3A: The SABSA Minimum Viable Product Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

One of the most common questions that befalls a newly minted SABSA architect is “Where do I start?” And it’s not just SABSA neophytes faced with this problem ‒ we have all struggled in some way with delivering effective value whilst justifying the lengthy time and breadth needed to develop (often nascent) enterprise security architecture, particularly when first joining a new organisation where the SABSA practitioner has to produce the goods to make it through their probation. So where do you start? And more importantly, where should you be spending your precious time and energy, particularly during those first crucial months in a new role when all eyes are watching you in silent judgement of your level of competency and effectiveness? Taking inspiration from the much-heralded approach by the Australian Signals Directorate (ASD) in producing the Top 4 / Essential 8, this entertaining, thought-provoking and, no doubt, controversial presentation proposes a core set of architectural ‘products’, and the minimum criteria they must meet, that the Enterprise Security Architect needs to focus on in order for their efforts to be rightly deemed ‘security architecture’ in the eyes of their peers, as well as to allow the budding architect to pass probation and keep their job!

11:40 3B: Liminal Spaces & Cyber Deception Speaker(s): Debi Ashenden

Debi Ashenden

Professor, Deakin University (Australia)

Debi is Professor of Cyber Security and Human Behaviour at Deakin University & a Director of Industry Research for Deakin’s Centre for Cyber Security Research and Innovation (CSRI). Debi is also a Professor of Cyber Security at the University of Portsmouth (UK) & a visiting Professor at Royal Holloway, University of London. She is Programme Director for Protective Security & Risk at CREST (the Centre for Research & Evidence for Security Threats.)

As the virtual domain increasingly dominates the physical domain, cyber operations in the grey zone continue to pose a threat to organisational security. While deception techniques such as honeypots and fake networks have long been an aspect of cyber defence, this talk argues that cyber deception is still a capability that is underutilised. Organisations such as Darktrace and Penten continue to advance deception technology but there is potential to deepen the use of cyber deception to shape attacker decision-making, manipulate behaviours to disrupt efforts to conduct cyber operations, and to achieve adversarial behaviour change. This talk examines the grey zone both as a physical space and a cognitive space using the concept of liminality to illustrate the opportunities available. By drawing a link between hacking, magic and military deception we will discuss what opportunities and challenges are presented for cyber security practitioners and how principles from behavioural science could be used to add depth to cyber deception.

12:40 4A: SABSA Modelling in ArchiMate Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT. Steven has undertaken major assignments for clients in the national & European public sector, finance, telecoms and utilities and also lends his support to local cyber-security initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation and modelling, leading to ...

This session will guide you through the recent SABSA White Paper: T100 - Security Modelling with ArchiMate. This paper presents a novel, model-driven approach to Enterprise Security Architecture and in particular, how SABSA analysis can be expressed visually using the ArchiMate modelling language.

The session will cover:

- the case for adopting a model-driven approach: the drivers & benefits of integrating security into EA models;

- the techniques / design patterns for expressing security within ArchiMate's notational & grammar constraints, updated with the latest features of ArchiMate 3.1 released in Nov 2019;

- a glimpse of how these models can be used in practice, previewing the practical applications of this technique that will be explored in more depth in the session on Cyber Enterprise Modelling.

A basic familiarity with the ArchiMate language is recommended but not absolutely necessary.

12:40 4B: Vendor Engagement in the Security Ecosystem Speaker(s): Nigel Hedges

Nigel Hedges

CISO, CPA (Australia)

Nigel Hedges has been in the local Australian/New Zealand IT Security industry for 20 years, having spent a lot of time in the information security vendor and customer sectors, across security consulting, analyst and management roles. Nigel is currently the Information Security Manager (CISO) for CPA Australia, but spent several recent years as the Enterprise Security Architect for a large national Australian & New Zealand retail organisation.

An open-floor panel discussion with an opportunity for delegates to both share opinions and ask questions of some senior Information Security leaders in the market. The session will be facilitated by Nigel Hedges, Head of Information Security, joined by representatives from both the supply side of our industry and CISOs from the industry. It promises to be an interesting exploration of the challenges and opportunities for vendors and suppliers to play a more enabling and valuable role in the security ecosystem that Security Architects and leaders are trying to build.

13:30 - 14:30 Lunch

14:30 5A: Architecting Design for Trustworthy Software (DfTS)

The SABSA methodology provides a framework for security design but as with other standards does not specify any specific process to use. This presentation looks at the Design for Trustworthy Software (DfTS) approach to product design, and aligns it to the SABSA Framework. DfTS incorporates the best practices and features from a number of earlier development methodologies to ensure customer-driven design, and provides a context for deploying software quality management schemes. We will conclude with some insights into translating secure design into secure code by using the relevant elements from the Correctness by Construction methodology.

14:30 5B: Penetration Testing for the Grizzled Veteran Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

If you’re not doing it, someone else is doing it for you, and they’re not delivering final reports or checklists. Even those innocent souls and naïve managers who haven’t yet been hit (more accurately, who think they haven’t been hit) have heard enough horror stories from us and their contemporaries that they're almost convinced that penetration testing is a necessity. But they truly don’t know what effective penetration testing in 2019 and beyond requires and entails. They’re uneasy about the whole concept, don’t really know where to start, and they have no reality-based ideas about what to expect for an outcome. You, a grizzled veteran and COSAC APAC delegate, know why and how and what to expect. But Ransomware, Spearphishing, nation-state hacking, massive breaches, IoT, GDPR, Big Data Analytics, Cloud computing and BYOD have opened up new avenues for probing defenses. Calling on the experiences of COSAC APAC delegates in the room, we’ll lay out some absolute rules for pen testing, analyze driving forces, examine realistic testing options, and pinpoint focus areas for testing. We’ll then identify pitfalls to avoid and finish with recommendations to help organizations get maximal return from this complex, expensive, but valuable, probably even mandatory security measure. You’ll be more able to explain the need, concepts and activities of pen testing to those who have final say and budget authority but don’t really understand (or don’t want to know) the why and how.

15:30 6A: Forensic Readiness: Not So Much A Buzzword, More a Set of Attributes Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Firstly I should own up that our choice of title was a shameless attempt to get this presentation accepted into the SABSA stream at COSAC; if we get to read this in the conference schedule we will all know if I have been successful.

My co-author Nick Spenceley and I have for many years spent much of our time examining digital systems that have been the subject of compromise. In the early 2000s, together with another colleague, Vince Gallo, we were among the first in the UK to promote the phrase “Forensic Readiness” as a measure of an organisation’s capability to preserve, collect, protect and analyse digital evidence to a level of rigour and correctness necessary for it to be presented and used in legal matters ranging from internal security processes to criminal trials in a court of law.

While the terminology was new, the underlying requirements had first been identified and then enshrined in Australian Government mandatory compliance statements for (new) IT systems many years before. We cannot say how effectively those requirements had been implemented over time but we wish that others had followed Australia’s lead earlier.

Typically at that time, the scope and interfaces of most IT systems could be readily identified and mapped and the ownership of relevant domains and associated policies confirmed; as a result it was relatively straightforward to define how the forensic readiness requirements would be complied with.

The environment in which we operate today is clearly very different. Cloud computing, and in particular the provision of Software as a Service, is ubiquitous, and the practice of digital forensic analysis now has to span a wide variety of elements including, at one extreme, physical devices such as laptops and mobile phones, dedicated servers and networking equipment, and at the other, virtualised elements owned and operated by third parties that might, at worst, disappear pending an investigation. It is rare now that a commercial client of a cloud services provider can mandate their own forensic readiness requirements; typically, at best, they get to choose from a variety of levels of audit data that the provider can make available.

So what do these changes mean for us? In this session we would like to explore how Forensic Readiness levels generally, in our opinion, have been eroded in some cases leading to failure of a company’s ability to properly investigate and remediate security compromises; and how we might regain the initiative - maybe we could use SABSA attributes to assist ... it’s all up for grabs in this highly interactive session. Dress to impress.

15:30 6B: Ethics in Social Engineering & Penetration Testing Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Cancer Treatment Centers of America (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

Ethics in social engineering is frequently left up to the individuals involved, sometimes with disastrous results; without ethical boundaries, people’s lives can be destroyed.

This discussion covers best practices and the potential adverse impacts of unethical behavior. Why should the Social Engineer care about the target, and why should the client care about the Social Engineer's ethical values and approach?

What is the difference between morals, ethics, and culture? Why do those distinctions matter? Let's look at the equivalency of testing on human subjects.

Decision making of the client, and how they make those decisions. Who should they hire?

Also, the importance of trust. Can or should you terminate an employee based on the information that is garnered during the Social Engineering exercise? If an employee is terminated, what is the impact on trust relationships?

Rules of engagement, setting expectations, and outlining ethical behavior. Decision making of the Social Engineer: What to do when OSINT finds sensitive information or when the engagement goes wrong and there is the temptation to cross the line.

What to do when it all goes wrong even with good intentions. What should the outcome of a Social Engineering engagement be after the report is issued?

16:20 - 16:40 Afternoon Coffee

16:40 7A: Using SABSA to Design a Cyber Security Strategy Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.

The SABSA architectural methodology has a number of tools, techniques and frameworks that can help IT Security professionals understand the challenges they face, present and discuss with their executive and stakeholders when building and progressing a Cyber Security Program.

Fundamentally, a strategy is a document that sets out how you plan to achieve a series of long-term objectives.

Within Cyber Security our objectives must be closely aligned with those of the ICT group and, just as importantly, with those of the business as a whole.

If our Cyber Security Strategy isn’t helping the Business or ICT meet their objectives, then we will struggle to articulate our relevance and we will find it difficult to get budget. On the other hand, when our strategy clearly aligns and strengthens the business we are viewed more as a partner.

This presentation will cover a few of the basics of SABSA, provide you with a framework for a Cyber Security Strategy and then demonstrate how understanding and applying some key techniques from the SABSA tool kit can assist you in developing and presenting a coherent and aligned Cyber Security Strategy that the business will understand.

16:40 7B: DevSecOps: Enterprise Automation - Challenges & Approaches Speaker(s): Rahul Lobo

Rahul Lobo

Director, Ernst & Young (Australia)

Rahul is an experienced Cybersecurity professional with 15 years of experience, including 10 years managing a high performing cyber security team involved in attack and penetration testing. Rahul consults in attack and penetration testing, application security, security controls automation, DevSecOps, Cloud Security, vulnerability management, IT security risk management and mitigation, IT security remediation, security architecture and security consulting.

Digitally disruptive technologies are rapidly converging. These technologies are fundamentally shaping value propositions and operating models.

In order to compete in the digital economy, enterprises are increasingly competing on time-to-market. The pace of change observed in digital solutions necessitates that security be built in instead of bolted on.

New threat landscape

  • Technology disruption is making online services more open and accessible to customers and attackers alike.
  • The advent of the connected world, and the inherent interconnectivity of people, devices and organizations, opens up a whole new playing field of vulnerabilities.
  • Critical information assets of organizations are more exposed to targeted attacks than ever.

Quick iterative releases

  • The typical sprint cycle for technology deployment is less than 30 days, compared to 6-12 months for a Waterfall SDLC.
  • Short, time-boxed development iterations of small functional stories.
  • Traditional security activities such as manual penetration testing don’t fit short iterative sprints.
  • Development teams are only focused on the changes for that iteration.

Automated tools challenge

  • Tools need to be configured and tuned to get adequate coverage of critical application functionality, and different testing strategies need to be used.
  • Too many different types of tools and approaches are available.
  • Too many false positives from traditional security tools for the developer to deal with.

In response to the challenges of including security testing in DevOps pipelines, and the requirement to perform automated security testing early in the development lifecycle, EY developed a platform that can infuse automated security testing into development pipelines. The team leveraged the SABSA framework to define the business problem as well as to drive the business case for development of the platform.

The solution overview will look at various approaches for automated testing, their benefits and weaknesses, and the stages at which they are appropriate. The presentation will also share case studies of successful integration of these approaches in large enterprises, the typical challenges encountered, and how we overcame them.

Plenary Session

17:40 8P: Moving Security to the Left - Putting the Sec in DevSecOps Speaker(s): Debi Ashenden

Debi Ashenden

Professor, Deakin University (Australia)

Debi is Professor of Cyber Security and Human Behaviour at Deakin University & a Director of Industry Research for Deakin’s Centre for Cyber Security Research and Innovation (CSRI). Debi is also a Professor of Cyber Security at the University of Portsmouth (UK) & a visiting Professor at Royal Holloway, University of London. She is Programme Director for Protective Security & Risk at CREST (the Centre for Research & Evidence for Security Threats.)

With the move to continuous integration/continuous delivery and agile software development, shorter cycle times have led to initiatives such as DevSecOps that aim to integrate security with software development. While there are now processes and frameworks to support this integration, motivating software developers to develop secure code is a cultural and behavioural problem as much as a process issue. To develop a successful DevSecOps team requires security practitioners to understand the cultural and behavioural aspects of software development in order to successfully ‘shift security to the left’.

This talk starts from an illustration of the problem in a real-world setting before presenting research carried out with software developers to understand software development as a social practice. We look at the barriers and incentives that can hinder or help the integration of security with software development, including code analysis, code reviews and the culture of open source development. The final part of the talk will be a facilitated discussion to outline interventions that are more likely to ensure the successful implementation of DevSecOps and secure software development.

Networking & Dinner

18:45 Drinks Reception
19:15 Dinner