Welcome to COSAC - Conferencing the way it should be!

For almost 25 years COSAC has delivered a trusted environment in which to deliver value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Sunday 1st October 2017

19:30 Delegate Registration
19:30 Drinks Reception - Sponsored by Killashee
20:00 COSAC 2017 Welcome Dinner

Monday 2nd October 2017

Breaks (COSAC Masterclasses are full-day, 09:30 - 17:30)

09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 17th International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

For the 17th time, we fill a room with international information security veterans and present them with scenarios that have happened recently or probably will happen soon. The assembled delegates use the wisdom accrued in each of their 15+ years of solid IT security experience to examine the given scenarios from business, technical, political and any other viewpoints that might reflect on that situation or similar situations they have faced or analyzed. This puts immediate emphasis on one of COSAC’s most characteristic and valuable features. Interactivity.

COSAC speakers (or moderators) realize that someone, maybe several people in the room, know more about the subject in dispute than the exalted session leader. Here is where COSAC consistently shows itself as the single best Information Security conference anywhere. COSAC session leaders draw out the room’s expertise and thus enrich the learning environment for everyone. In past forums, this moderator has learned much more from the delegates than any of them have from him.

In describing some recent event, the moderator poses a question or two about what the involved people did, whether it was appropriate, what other directions could have been taken, what alternative consequences might still be in play. Not surprisingly, there is often disagreement, occasional discord, but so far no duels. Appropriate solutions tend to be industry-based or public/private sector-based or organizational culture-based. The spirited discussions emanating from these very real differences augment learning for all.

We also predict the future for Information Security. 50 billion IoT devices by 2020! And no universally accepted security standards for them. How do we get our arms around that? Will legal systems ever catch up with technology? Where should we spend our security dollars?

Come help solve the problems of the world with a full day immersion into the COSAC way.

Masterclass M2 - GDPR: Impact, Innovation, Dilemma & Delivery

09:30 Part 1 - The Impact of GDPR on our Security Department Speaker(s): Karel Koster

Karel Koster

Head of Information Security, Ingenico ePayments (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds the position of Head of Information Security at Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel was an information security officer responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

On the 25th of May 2018 the GDPR comes into full effect. This has an impact on our customers, their clients, our legal department, our contracts, customer-facing policies, etc. And a major impact on our information security function.

Besides stating what you can and can’t do with personal data, the GDPR also requires us to protect the personal information entrusted to us in a professional way. It does not specify how, but protecting that personal information is done by the security controls set and implemented by our information security department.

In this session I will share what impact GDPR compliancy has for our information security department. Which processes changed, which remained the same, which were added, and where do we need to go the extra mile.

Since the implementation is new, there is no indisputable right or wrong yet; as with all legislation, the boundaries will need to be tested first. I will be sharing our approach and I invite you to share yours. Together this will provide us with a more comprehensive view of the impact of the GDPR on our information security profession and responsibilities.

11:30 Part 2 - GDPR Breach Disclosure: Time for a New Approach Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.

With the unveiling of the GDPR, entities worldwide will be subject to mandatory data breach disclosure requirements, and will have to inform both regulators and their customers of the fact, scope, extent, and circumstances surrounding a breach of personally identifiable information. However, these data breach disclosure laws fail to meet the original intent of notification -- to enlist the support of the breach "victim" in mitigating the harm resulting from the breach (e.g., canceling credit or debit cards, monitoring for identity fraud), and simply serve as a mechanism to further embarrass the victim of a criminal attack. Moreover, as companies spend more money on breach notification, lawyers, fines, public relations and mitigation, they have less money to spend on detection, prevention and comprehensive security. Breach notification laws also skew security decisions toward protecting one class of data (personal data) over others (proprietary data, trade secrets) and may not actually achieve meaningful security at all. Finally, despite all efforts toward detection and response, the vast majority of entities learn that they have been breached from a third party. This session will focus on data breaches, breach disclosures, and breach responses, and propose a new, more collaborative approach to breach disclosure and prevention.

14:00 Part 3 - GDPR Research Exemptions: To Do or Not To Do Speaker(s): Valerie Lyons

Valerie Lyons

Information Privacy Researcher & PhD Scholar, (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

The deadline for GDPR is hurtling towards us, and vendors are working tirelessly at promoting GDPR readiness and 'the work that needs to be done'. Every week we are subject to another 'GDPR readiness summary' presentation, but the current rhetoric does not include 'the work that doesn't need to be done'. Yet the GDPR makes provision for certain activities related to research to have exemptions. These are important exemptions for any organisation, no matter what industry or sector they operate in:

Research occupies a privileged position within the Regulation: in an attempt to recognise how regulation can stifle innovation and/or limit opportunities for serving the public good, the GDPR introduces several important exemptions for research (research includes market research, historical research, health data research and scientific research). Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (Article 6(4); Recital 50). As long as they implement appropriate safeguards, these organisations also may override a data subject's right to object to processing and to seek the erasure of personal data (Article 89). In the age of big data, where the data analytics activities of many organisations may qualify as research, it is unclear exactly how far the GDPR's research exemption will extend. This presentation provides an overview of the most significant exemptions for research, as outlined in the GDPR, and will be followed by a discussion of how these exemptions could positively be used to address some of the GDPR challenges our own organisations face.

16:00 Part 4 - GDPR Will Make the Cloud Stronger Speaker(s): Ross Spelman

Ross Spelman

Manager Cyber Risk Services, Deloitte (Ireland)

Role: Manager, Deloitte Advisory, Cyber Risk Services. 10+ years in IT technical and service delivery management; 5 years in information security, specialising in information governance and cloud security. Qualifications: MSc in Cloud Computing; MSc in Software Engineering; numerous industry qualifications (CISM, ISO 27001, Prince2, ITIL, CCSK, SSCP etc.).

My talk will be on the GDPR and its impact on Cloud Service Providers and Consumers.

The GDPR is designed to strengthen data protection for EU citizens. Companies must comply by May 2018 or face substantial risk and steep fines. Given the complexity of GDPR requirements, this is a very short time-frame for companies to become fully compliant with the new data privacy regulations. The aim of the new European Data Protection Regulation is to harmonise the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for national implementing legislation.

The GDPR will have a significant impact on Cloud Service Providers (CSPs) and their customers. Companies are becoming increasingly dependent on cloud services in order to meet business requirements. Issues such as shadow IT, CSP security assurance, data processing agreements, “special” data processing, data sharing restrictions, data transfer arrangements, data deletion arrangements and the role of encryption all have to be addressed.

My talk will explore a method of effectively aligning a company utilising cloud services, and its cyber security profile, to the GDPR requirements.

Masterclass M3

09:30 The 3rd COSAC Design-Off Speaker(s): William Schultz, Maurice Smit, Chris Blunt

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Back for the 3rd year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or looking to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge.

Teams are made up of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Last year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security architecture practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes will be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Networking & Dinner

19:00 Drinks Reception
19:30 onwards Dinner

Tuesday 3rd October 2017

09:00 - 09:30 Delegate Registration & Coffee

09:30 1A: The Potential of Artificial Intelligence for the Security Industry Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Considering a serious need for skilled people in technical security roles, AI in security (also termed ‘Cognitive Security’) seems to be at hand just in time. The speaker has investigated the implementation of IBM Watson, other upcoming cognitive security products and the DARPA CGC outcomes for the last half year to discover AI’s current added value in a security operations context and its broader potential in the security world. We will be looking at some typical roles in the security world and how they can be aided or even replaced by cognitive security technologies.

The audience will be invited to engage in a discussion on whether this is a desirable trend, whether AI will actually lessen the cybersecurity skills gap or whether many more new jobs will be created because of the implementation and security needs of AI, and lastly what qualitative impact this will have on the people working in the security industry.

09:30 1B: A Common Scale for Cyber Risk: Can it be Done? Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures and Policies supporting business and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.

How do you provide a meaningful answer to the Board or senior executives when they ask “are we at risk” from the latest cyber threat in the news? How do you provide easy-to-understand information about the actual risk to the organization? Can there be a “Securiton” (TM John O’Leary) to provide an indication of risk, much like the Beaufort scale does for wind, the Saffir-Simpson scale for hurricanes or the Fujita scale for tornadoes?

There are many cyber threat level definitions, but there isn’t a consistent cyber risk index that will provide insight into the relative risk of a newly discovered vulnerability and threat. When a new threat is identified (usually accompanied by a catchy name and logo), often a vague or misleading analysis of the risk is published in the press, then copied and re-reported, compounding the panic. How do you leverage your organization’s security dashboard to summarize risk? We will review and discuss the components of risk reporting and how we can get to an effective way of defining risk that is quickly understood.

We will examine the Board’s and C-Suite’s evolving requirement to be knowledgeable and involved in cyber risk involving their organization. We will look at the available methods for defining vulnerabilities and exposures that result in risk and the available repositories of this information. We will examine the factors for defining and categorizing cyber risk and what contributes to making it meaningful to all levels of the organization. We will describe a set of risk reporting principles that will help guide how cyber risk can be defined and reported. We will also describe a method and process that can be leveraged to categorize risks into a more easily understood form. The goal is to make the risk of cyber threats easily understandable across the organization and be better positioned to effectively deal with the risks. If we can arrive at a globally applied cyber risk.

09:30 1S: Aligning SABSA with FAIR Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

The activity of conducting risk assessments in the information technology domain can often be tricky business. The results of the assessments can be used to drive long-term strategy, and a great deal of investment in strategic and tactical plans is based on the findings. However, most risk assessments involve making assumptions about the organization, as well as the assets, threats, vulnerabilities, and the levels of risk that the organization is facing. The quality of these assumptions will have a significant impact on the success or failure of the resulting security strategy and plans to appropriately address the organization's risk.

In this session, we will discuss how the FAIR (Factor Analysis of Information Risk) risk analysis methods can be integrated with SABSA to enhance risk posture knowledge and improve the understanding of the assumptions being made. FAIR has implemented a risk ontology to help organizations quantify risk in a way which is less about assumptions and more about traceability. FAIR takes a unique approach to defining and tackling some of the more difficult aspects of risk analysis which haunt our profession. We will look at how FAIR can help us enhance our architectural approach to assessing and analyzing risk.

10:30 - 10:50 Morning Coffee

10:50 2A: Smarter Toys: Next-Level Social Engineering Malicious Insiders Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Connecting toys to the internet has led to a revolution of interactivity between toy and child, with sensors taking a child’s queries as a starting point for analysis and response to deliver a customized playing experience. The next wave of innovation in playmates is already on the rise with toys that go beyond static responses selected from a database, and tailor answers to the personal needs of its user through artificial intelligence. This new level of interactivity is expected to create a different relationship between the toy and the child that could potentially be abused by those that gain access and possess the right knowledge to adapt the AI functionality in such a way that a toy can be seen as a malicious insider with social engineering capabilities.

The question of how artificial intelligence-enabled toys can be abused by hackers as an attack vector is a valid one when we consider the vulnerable target audience of children, the lack of transparency on whether an AI-enabled toy is functioning within the parameters of its design, and the heightened intimacy between the toy and the child, opening up avenues for social engineering. The security vulnerabilities in smart toys are currently being covered from a privacy perspective and the lack of secure information transfer. This study looks ahead to the more advanced security issues associated with Artificial Intelligence and the implications that a breach of the integrity of AI might have on the cognitive actions of its users.

The speaker will present a three-part argument on the changing nature of playing with toys, the lack of security controls regarding toys at the moment and the potential for increased danger when these toys are enabled by Artificial Intelligence. The audience will be invited to share their interaction with these Internet of Things-toys so far and speculate about how to improve the security on these items so dear to our children.

10:50 2B: Cyber Insurance: The Wrong Product for the Wrong Problem Speaker(s): Mark Rasch, G. Mark Hardy

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. More than 30 years in information security, and high-technology litigation and advisory across the critical infrastructure. Highly sought as one of the world’s leading legal (cyber) experts.

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military and commercial clients for over 30 years and is the author of over 100 articles and presentations on security, privacy and leadership. He serves on the US National Science Foundation’s CyberWATCH Advisory Board and is a retired US Navy Captain.

One answer to cyber-risk is to insure against it. Many companies purchase cyber-insurance, including data breach insurance, ransomware insurance, e-commerce insurance, or other insurance products to guard against risk, but these products do not typically cover the kinds of risks associated with conducting business online, and many insurance companies are reluctant to pay claims after a company suffers a loss. Cybersecurity professionals are rarely consulted in the risk mitigation process, or when the business purchases such cyber-insurance, leading to significant gaps in coverage. For example, if a policy covers "loss" of data, a ransomware attack may not be covered because the data is not "lost." A policy which excludes from coverage damages resulting from employee misconduct may not cover harm resulting from a successful phishing attack where an employee is deceived into clicking a link to install the malicious code. Harms to customers may not be covered under so-called "first party" policies. GCL and professional liability policies may or may not cover things like damage to reputation, loss of privacy, or publicity. This session will focus on recent cases in which coverage for cyberattacks was denied or challenged, and ways cybersecurity professionals can read these policies and help mitigate risk.

10:50 2S: Using SABSA to Architect Zero Trust Networks Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

In 2014, Google threw away its traditional approach to securing its services and reimagined what security should look like to be truly effective in today's world of distributed teams, systems, and applications.

They developed BeyondCorp, a perimeterless architecture that does away with the idea of trusted networks and treats all applications as if they are Internet connected, thereby creating an environment that is zero-trust by default. Every request is authenticated and authorised in real-time based on a set of dynamic conditions that considers changes in user status and device state.

This interactive session will explore how to apply SABSA to architect a zero-trust network through the layers of the SABSA matrix. This will be supported by a sanitised case study to highlight and discuss the real-world challenges, and how they were overcome, when a zero-trust network was architected for a New Zealand organisation.

12:00 3A: The Newest Frontier in Cyber Research: The Human-Machine Interface Speaker(s): Char Sample

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland and with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

Much has happened in the cyber + culture research area since this topic first appeared in the 2011 COSAC rump session. The human-machine interface is now widely recognized as the newest frontier in cyber research and cultural values are seen as setting the norms in nation-state behaviors on the virtual battlefield.

This interactive discussion covers the various studies that have been performed, along with the studies in progress as well as future studies planned. The session will provide details on the studies performed to date and the relevance of the study findings that allow for extrapolation to more comprehensive rules that can be applied over a larger set of users. Also discussed will be the emerging models for attackers, defenders and other actors. Other discussion areas include the planned and potential uses for this research in defending, attacking, deception and counter-deception.

The findings have questioned the assumption of a single hacker culture, and supported Nisbett’s observation that people “think the way they do because of the nature of the societies they live in”. By using the six dimensions of culture, evidence-based research provides a compelling explanation for the online activities of various actors. The behavioral traits that associate with the cultural values are behavioral traits that are consistent with cyber behaviors.

12:00 3B: Cyber Insurance: A Reason to Up Our Game Speaker(s): Ross Spelman

Ross Spelman

Manager Cyber Risk Services, Deloitte (Ireland)

Role: Manager, Deloitte Advisory, Cyber Risk Services. 10+ years in IT technical and service delivery management; 5 years in information security, specialising in information governance and cloud security. Qualifications: MSc in Cloud Computing; MSc in Software Engineering; numerous industry qualifications (CISM, ISO 27001, Prince2, ITIL, CCSK, SSCP etc.).

Companies generally implement a wide array of controls and techniques in an effort to prevent cyber attacks. However, not all of these controls and techniques are effective, and not all companies implement these techniques in a manner that achieves the best results. Even when a company has a strong risk management programme, most insurers do not have an objective, evidence-based method to assess its risk profile.

This uncertainty and lack of objective intelligence can result in policies with high premiums, low coverage, and broad exclusions. Most cyber insurance providers only use questionnaires to gather information for cyber insurance underwriting as part of the application. This process is far too broad and subjective for such an important risk.

Insurance companies and their customers need an objective, evidence-based cyber risk metric to measure security effectiveness, not simply policies and procedures.

A contextualised, risk-based approach for measuring the strength of cyber security in an organisation can offer underwriters a uniquely distinctive way to help assess the potential for cyber loss at a particular company.

My talk will explore a method of effectively scoring a company's cyber security profile and the benefits to all parties of carrying out this process.

12:00 3S: Architecting a Modern Authentication Service in the Cloud Speaker(s): Michael Price

Michael Price

Senior Security Consultant, Axenic (New Zealand)

Michael is a Senior Consultant at Axenic Ltd. He is enthusiastic about security architecture and exploring how different methodologies and techniques can be used to achieve business outcomes. Michael has a Postgraduate Diploma in Computer Security and Forensics from the University of Canterbury and holds SCPA, SCPR, SCF, CCSK and ISO/IEC 27001:2013 Lead Auditor certifications.

Every organisation needs to appropriately authenticate users before granting them access to resources. It should be reasonably straightforward for any organisation to architect, design, implement and manage an Authentication Service but it appears that this couldn’t be further from the truth.

We often hear of organisations struggling with some pretty common issues: implementing and enforcing strong passwords, implementing ‘same sign-on' solutions rather than true ‘single sign-on', and ensuring that user accounts are removed when the user no longer requires access.

But we live in a modern world, and there are new and emerging services, methods, and technologies that make user authentication more effective and easier to manage than ever before. Identity Federation, access tokens, and universal authentication (U2F/UAF) are just some of the technologies that have the potential to create an effective and efficient authentication service that makes life easier for the end-user, while ensuring that an organisation's resources are securely accessed.

This session will provide an overview of how SABSA was used to architect and design a modern Authentication Service for an organisation adopting cloud services. It will present a sanitised case study and will show how SABSA was applied to deliver a service based on a popular cloud services platform.

13:00 - 14:00 Lunch

14:00 4A: Blockchain: The New Digital Swiss Army Knife Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military and commercial clients for over 30 years and is the author of over 100 articles and presentations on security, privacy and leadership. He serves on the US National Science Foundation’s CyberWATCH Advisory Board and is a retired US Navy Captain.

Now that the price of a single Bitcoin has surpassed the price of an ounce of gold, is blockchain becoming a runaway train with businesses scrambling to hop on? If so, will the mistakes be minor or catastrophic?

Blockchain as a technology has been proposed as a solution to everything from frictionless currency transfer to tracking cargo on ships. With over €1bn in venture funds invested and several hundred patents filed, every security professional must know the impact on organizations in terms of risk, volatility, and competitiveness.

This discussion started in 2014 when we explored weaponising digital currency, and continued in 2016 with the end of banking as we know it. However, the most powerful blockchain applications may not be as electronic money. We'll look beyond the security risks of blockchain (covered brilliantly last year by Rahul Lobo) to discerning where blockchain is truly the best business choice, and situations "when all you have is a hammer, everything looks like a nail."

This interactive session will review some of the patent filings to gain an insight into the direction of blockchain; look at VC investment portfolios to anticipate the most promising applications, and apply our collective knowledge to predict the winners and losers for 2018 and beyond.

14:00 4B: Privacy by Design: What Do You Mean? Speaker(s): Marc Verboven

Marc Verboven

Security Architect, ING (Belgium)

Marc Verboven is an experienced IT Security Architect with over 30 years of experience. After working for Dow Chemical, IBM and startups in Belgium, always in the area of IT Security, he joined ING Belgium in 2003. Since then he has mainly worked on projects in the area of Retail & Commercial Banking Channels, acting as both a security and an application architect. Since 2006 Marc has been a member of the Enterprise Architecture group of ING, with a continued focus on the area of Risk & Security.

Subtitle: Practical experience @ ING in developing a framework to implement Privacy by Design on an enterprise scale.

One of the key elements in the EU General Data Protection Regulation (GDPR) is 'Privacy by Design'. In this session we will tell the story of how ING discovered GDPR, how we approach GDPR in general and, in more detail, how we are making sure 'Privacy by Design' is understood and applied in the organization.

Policies, regulation and GDPR use cases are input for the development of a Reference Architecture (RA). This RA then ensures Privacy by Design by:

  • Providing architectural guidance on privacy aspects.
  • Providing a basis (framework) for building specific guidance for applications like Audit Trail, Legal Archive, Data Inventory, ...
  • Providing guidance for current systems, where the RA is the reference to determine the technical gaps to be mitigated depending on cost and risk.

The intended audience for the RA is IT Architects and other IT stakeholders who need to ensure compliance with GDPR.

As usual at COSAC, the session is intended to be highly interactive.

14:00 4S: Show Me the Controls! Cuba Gooding Jr & a SABSA/TOGAF Alignment Speaker(s): Peter Nikitser

Peter Nikitser

Director, ALC Cyber Security (Australia)

Peter Nikitser is in his 30th year of IT, most of which has been spent in information security. He is a co-founding member of both AusCERT and SL-CERT. When he is not travelling teaching students or consulting, Peter spends time renovating his acreage, and can tell you all about lantana.

As security professionals, we have most likely experienced client engagements where we have had to manage both scope and expectations. Whilst working for one of the big four consulting firms, we responded to an open tender asking for help with designing a security architecture framework based on SABSA for a Queensland state government agency, the duration of which was not to exceed six weeks.

Fair enough, sounds reasonable and straight-forward, and we were more than happy to help them spend their end-of-year budget.

The response was sent to the client outlining the approach, highlighting any constraints and assumptions in our response and expectations of the client in arranging timely meetings with key stakeholders.

During the first week of the engagement, I asked for access to key stakeholders or their delegates, and was told that was not possible. It soon became apparent that I had stumbled across a long-standing cultural and political issue, and that I was not going to get an audience with key stakeholders or their delegates. Furthermore, the intent of the engagement started off with a desire to apply SABSA to the entire organisation, yet I uncovered they had already made an investment in TOGAF, which they neglected to mention in their RFP.

Where this engagement led to next, and the approach I had to take in order to manage their expectations, is what you will have to hear for yourself.

The presentation will demonstrate examples of the artefacts I produced, the adjustments that had to be made in order to accommodate the scope creep, and how I turned the engagement around to deliver a top-down meets bottom-up approach. And yes, I showed them some controls too …

15:10 5A: Blockchain: The Best Thing Since Sliced Bread Speaker(s): Lex Borger

Lex Borger

Security Consultant, i-to-i (Netherlands)

Lex Borger is a security consultant at I-to-I and advises large enterprises on the application of security in their environment. Lex has more than 20 years of experience in information security and system security. He was involved in the development of operating systems, where he learned how to apply security from the inside out. He broadened his view on information security to all aspects of business automation. Lex gathered most of his experience in the United States of America.

Blockchain is the bookkeeping technology behind Bitcoin. It is named as the technology to solve any administration and registration challenge. It is going to push out regular banking.

  • How much of this is true?
  • Is it such a revolutionary idea?
  • Is it so universally applicable?
  • Is it scalable enough?
  • Is it secure?

In this presentation, we are going to uncover the elements that make up blockchain and go in search of the applicability of this technology in today’s society. This is not a definitive story. The audience will need to participate and contribute insights and ideas.

The ultimate questions to be answered are:

  • What is blockchain good for?
  • What are the risks of depending on blockchain?

15:10 5B: Information Privacy as CSR: Benevolent or Malevolent Speaker(s): Valerie Lyons

Valerie Lyons

Information Privacy Researcher & PhD Scholar, (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Since the 1990s, it has become a de-facto standard for larger organisations to publish social reports documenting how they address issues such as pollution, energy use, waste production, child-labour, workforce diversity etc. These reports are referred to as Corporate Social Responsibility (CSR) reports. Traditional arguments in support of CSR underscore the benefits a socially responsible organisation should reap from key stakeholder groups. Several research findings suggest a positive correlation between an organisation's CSR program and consumer trust and behaviour. Additionally, socially oriented organisations can distinguish themselves from competitors, enhance customer satisfaction and improve their reputation through positive stakeholder response to their actions.

So what does CSR have to do with Information Privacy? In 2010 the Global Reporting Initiative (GRI, the international organisation that develops the CSR reporting standards) included Information Privacy and Data Protection in its core standards. Since 2010, several large financial institutions and technology companies have reported on information privacy within their CSR reports. CSR reports provide a channel for an organisation to promote and demonstrate a strong sense of responsibility and accountability for privacy protection, which in turn acts as a core element in building trust with key stakeholders. On the face of it, this seems like a positive step for Information Privacy; however, there is a more 'heated' view that CSR is merely a channel for organisations to repair a reputation damaged by their sector's historically irresponsible behaviour, and that CSR is simply tokenistic compliance 're-packaged'.

This presentation explores the many facets of CSR, using case studies from several recent CSR reports, and explores CSR's relationship with Information Privacy/Data Protection. The presentation aims to encourage the audience to consider that as Information Privacy Protection matures in capabilities, it may not, as traditionally expected, report into Legal and Risk Departments, but into the Marketing Department's CSR program office. Rather than resist this progression, this presentation arms the audience with an informed overview of the growing relationship between CSR and Information Privacy, so that they can leverage this knowledge to increase resources and budget allocations for Privacy Protection initiatives in the future.

15:10 5S: Selecting, Aligning & Effectively Using Compliance & Control Frameworks Speaker(s): Andrew Hutchinson, William Schultz

Andrew Hutchinson

Executive Director, Vanderbilt University Medical Center (USA)

Andrew Hutchinson is the Executive Director of the Vanderbilt University Medical Center Information Technology (VUMC IT) Architecture and Portfolio Services groups. In this role, he oversees IT strategy, information security strategy, IT resource management (including service and portfolio strategy), and customer relationship management for VUMC IT Services delivered to Vanderbilt University Medical Center.

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Security Programs are constantly challenged to flexibly adapt to organizational change and maintain compliance with regulatory requirements, while actively defending against an ever-changing array of IT threats. Leveraging existing frameworks or methodologies such as NIST or HITRUST allows organizations to take advantage of work already done to address common security concerns, but these need to be integrated in a way that allows the organization to effectively customize information security frameworks to its risk appetite. It can be challenging to identify which frameworks are most appropriate and where and when to apply them; however, this is a key component of a security architect’s role.

This session will look at an organization that is leveraging SABSA architecture to do this and how they are addressing compliance requirements applicable to healthcare organizations (HIPAA, FISMA, and PCI), will review some common security control frameworks, models, and methodologies that are being leveraged (NIST, HITRUST), and look at the risk management frameworks (SABSA, NIST, FAIR) that can be leveraged to efficiently address compliance challenges. We will explore how these frameworks, models, and methodologies overlap and complement each other, and how they can be practically integrated. Since there is a drastic difference between understanding a model and applying it, we will present several use cases and practical examples explaining how we have used these models, the lessons we have learned, and the challenges that remain.

16:10 - 16:30 Afternoon Tea

16:30 6A: Cognitive Hacking: Recognising & Countering 21st Century Deception Speaker(s): Char Sample

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland and with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

The events of 2016 resurrected the term "cognitive hacking". First identified by Cybenko in 2002, this forgotten research area has garnered new attention due in part to "fake news", weaponized information and other activities designed to shape online perception. While the world may have been caught off guard by these events, the physical world has mechanisms to detect and counter these efforts. The virtual world has no such mechanisms.

This talk first defines cognitive hacking and provides examples, including examples of how perception shaping occurs in security monitoring. Next, the session will focus on some of the research activities into deception by Rowe, Jones and other notable efforts. It will then move to countering deception: what can be done technically as well as behaviorally.

The discussion will be workshop focused with the facilitator providing brief explanations of each of the focus areas (identification, countering and post-hoc analysis).

16:30 6B: We See What We Want to See: Pitfalls of Perception & Decision Making Speaker(s): Helvi Salminen

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years' experience in systems development. Helvi is a founder member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi holds CISA, CISSP and SABSA qualifications and was named CISO of the Year in Finland in 2014.

We are often convinced that we have a clear picture of reality and are thoroughly rational in our thinking and decision making.

However, our perception of the reality is limited and prone to errors. We often jump to conclusions based on partial or erroneous information, and eloquently justify our decisions with apparently rational arguments.

In many areas of human activity, including security management, limits of perception and errors in decision making can have disastrous consequences.

The phenomenon of cognitive biases - systematic errors in thinking that affect decisions and judgments - has been studied in various contexts, and the results have been applied to improve decision making processes. In the compliance-dominated world of security management, however, cognitive biases have not received sufficient attention, so an important risk factor is regularly underestimated.

This presentation gives an overview of the concept of cognitive bias and describes in more detail some of the biases which can be particularly harmful in security management. This introduction is followed by a presentation of scenarios where erroneous perception and decision making by security actors lead to disasters, and by a discussion of how these biases can be identified and their impact limited.

16:30 6S: How to Write a Great SABSA Advanced Exam Answer Speaker(s): Chris Blunt, Michael Price

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Michael Price

Senior Security Consultant, Axenic (New Zealand)

Michael is a Senior Consultant at Axenic Ltd. He is enthusiastic about security architecture and exploring how different methodologies and techniques can be used to achieve business outcomes. Michael has a Postgraduate Diploma in Computer Security and Forensics from the University of Canterbury and holds SCPA, SCPR, SCF, CCSK and ISO/IEC 27001:2013 Lead Auditor certifications.

Are you planning to sit a SABSA Advanced course? Or have you recently attended a course but haven’t yet written and submitted your exam answers? Then this is a session you can’t afford to miss!

During this interactive session we will explore and discuss a range of strategies for writing a great SABSA Advanced exam answer using model exam questions to show how to:

  • evaluate the question to ensure you know what is being asked of you;
  • use a hypothetical or real-world case study to frame your answer;
  • plan and structure your answer to ensure that you cover each area of the question;
  • assess the competency verbs in the question to ensure that you understand them and can meet them; and
  • effectively present the application of your chosen combination of SABSA methodologies, techniques and approaches.

The presenters have scored between 91% and 100% in their Advanced exams, with the average being 96.25% between them. One of them is a SABSA Chartered Architect Master (SCM) and a marker of Advanced exam papers.

The goal of the session is to provide the participants with a set of tools they can use to write great answers for their SABSA Advanced exams!

Plenary Session

17:45 7P: SABSA and Human Kind Speaker(s): Maurice Smit

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

Even though the SABSA methodology has mainly been used in the IT and enterprise architecture (EA) landscape, it can help to create a more complete picture in any sector, industry or area, and to solve any problem, even human needs, thanks to the methods, models and frameworks it contains. Attributes Profiling delivers a unified common language for and in every phase of human existence. The SABSA methodology is based on a holistic approach towards security as the property of something else, so it applies even to humans and the accomplishments in our lives. This is what will be presented in this session.

Networking & Dinner

19:30-20:00 Drinks Reception
20:00 onwards Dinner

Wednesday 4th October 2017

09:00 - 09:30 Delegate Registration & Coffee

09:30 8A: CyberSecurity & Analytics: Rise of the CyberHunter Speaker(s): Lynette Hornung, Lori Murray

Lynette Hornung

Senior Enterprise Security Architecture & Privacy Manager, TCG (USA)

Lynette Hornung is a Senior Enterprise Security Architecture and Privacy Manager with TCG, Inc. She holds SABSA Foundation, SCPR and SCPA certifications and the CIPP-US. She has over 20 years of experience in information security and privacy. She has worked with a variety of federal agencies, providing enterprise security architecture, computer security and privacy solutions and services to a variety of stakeholders.

Lori Murray

PhD Student, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She has Master of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience in Systems Engineering as a Cyber Security SME, building security architecture from requirements definition to design.

The buzz in cyber today includes machine learning and big data. What are some of the challenges that come along with "big data" promises, and how can you effectively use data analytics and machine learning to bring some real value? Data Analytics and machine learning allow you to drill down to gather the data, analyze it, and find the answers to the questions you seek. It is likely you are using it more often than you think! Let's talk about some use cases for applied data analytics and machine learning in cyber security.

This presentation will present a use case for anomaly detection through analytics, and the processes required to make it effective in different environments. Understanding how to mine through the data, clean out the noise, and focus on the relevant data for cyber hunting is where the value is.

09:30 8B: Women in Security: Drivers & Challenges - Part 2 Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

On a global average only 10% of the people working in the security industry are women, and this includes those working in communication and marketing. In the Netherlands, this percentage is only 3%. The speaker has been involved in research with a Dutch institute to further investigate the causes of, and countermeasures for, the extraordinarily low share of women in the industry. Considering that the security industry is expected to be short of 1.5 million security professionals globally by 2019, we cannot afford to let half of our population sit idly by without investigating the reasons for them not to take up a career in this industry.

Esther presented on this topic at COSAC 2016, but due to interesting discussions only managed to cover the challenges and not the drivers before running out of time. This year, she would like to shortly recap the challenges and discuss the drivers for success in more detail while having similar engaging discussions with the COSAC audience.

09:30 8S: It's Sooooo Fluffy! Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

There is a terrifying misconception about Security Architecture that I have to deal with more often than I would like to admit. I cringe every time I hear "well, that's all good in theory, but how are you actually going to make it work?", and I am sure that I am not the only one. Yes, you've guessed it, we are too often accused of being theorists!

Very few of us ever get the opportunity to dive into the nuts & bolts of the architectures we develop all the way through to instantiating all of those wonderfully mystical and mythical concepts of ours.

In this session, we will look at a couple of ways to make an Enterprise Security Architecture more tangible for the folks who are going to end up using it. We will dive a little deeper into the Logical, Physical and Component layers of SABSA, exploring the deliverables and outcomes of each of these layers in detail and with the appropriate audience and stakeholders in mind, all while maintaining the necessary traceability back to the Contextual and Conceptual layers.

10:30 - 10:50 Morning Coffee

10:50 9A: Make it BLEed: Hacking BLE Applications Speaker(s): Tal Melamed

Tal Melamed

Application Security Tech Lead, AppSec Labs (Israel)

Tal is an Application Security Expert. As AppSec Labs' Technical Leader, he is leading a variety of security projects for IoT, Mobile, Web, and Client applications. Prior to working at AppSec Labs, Tal has worked at Amdocs, CheckPoint and RSA, having more than a decade of experience in security research and security vulnerability assessment. Tal is a keen speaker, training and lecturing world-wide for secure coding and hacking; participating and leading the R&D of security tools.

Although IoT is already embedded in our everyday lives, our security and privacy are sometimes left behind for comfort and other reasons. But IoT vulnerabilities have real impact on our digital and physical security.

Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is the most popular protocol used for interfacing IoT and smart devices, wearables and medical equipment.

In this presentation I will demonstrate how to perform penetration testing of BLE applications, what equipment is required, what tools can be used, and what approaches and techniques should be considered in order to secure the application.

10:50 9B: Project Management - the CIO Speaker(s): Michael Hirschfeld

Michael Hirschfeld

First Assistant Secretary, Department of Finance (Australia)

Michael is acting Chief Information Officer and First Assistant Secretary, IT and Workplace Division in the Australian Commonwealth Department of Finance and has executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with a number of Australian government agencies, including as Assistant Secretary for ICT Planning and Governance at the Australian Department of Foreign Affairs and Trade.

I have held middle management and senior executive roles in Security, ICT Security, and ICT in general in various Australian Government Agencies over the past 23 years.

I have learnt a lot about managing the delivery and leading the strategic improvement of these fields. I also have much much more to learn.

Many believe that great leaders are born and not made – this may be true - but good leaders and great managers are, more often than not, made through the dedication to personal development of individuals.

There are innumerable capabilities and skills that take us from being technical experts to being good managers and then good leaders. In this presentation, I will share some of my experiences and tools that can be used to help you manage your deliverables and career.

There are a number of topics to cover - this session will focus on three fundamentals: committing to action, planning and delivery. Understanding the nature of commitment to action, and whether your team has committed to what you are committed to. How do you successfully plan tasks for teams and projects, and then how do you make sure you and your team deliver successfully?

10:50 9S: Applying SABSA in an Ever-Changing Digital World Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

Head of Enterprise Security Architecture, VISA (UK)

Strong technology executive, specializing in business-driven security architectures and business risk control management. I have more than 16 years of extensive experience gained within information security consultancy firms as well as financial services and telecom organizations. During the last eight years I have been offering enterprise security strategy services to C-Level executives across Europe due to my ability to simplify complex technological issues.

“The world is changing at a pace that challenges our ability to adapt” is a realization that is equally applicable to most organisations across the various sectors. The technological disruptors have almost universally been credited for this frenetic pace. From the rather broad spectrum of digital transformations we will focus on the most aggressive one… mergers and acquisitions (M&A).

Having already implemented a security framework by following the SABSA approach, this time the challenge was twofold: get buy-in from the new stakeholders and then update the framework to depict the security posture of the new organization. Sharing the “scars” of applying SABSA methodology and principles to consolidate two technology stacks that had very little in common, standardize the information security services, augment capabilities to support global operations, drive decision making for future investments and cultivate security professionals with diametrically opposed backgrounds are just a few of the key takeaways.

12:00 10A: Unmasking Chatbots: Hacking API Interfaces and Countermeasures Speaker(s): Stephen Singam

Stephen Singam

Managing Director - Research, Distil Networks (USA)

Stephen is an Information Security & Technology Management professional with extensive experience in the Financial Services, Startups, Media & Entertainment and Cybersecurity Consulting industries, who has held senior cybersecurity positions at Hewlett Packard (Asia Pacific & Japan), Commonwealth Bank of Australia (Sydney), 20th Century Fox/News Corporation (Los Angeles), Salesforce.com (San Francisco), IBM Corp (New York) and Nokia (Helsinki, Finland).

A chatbot is an interactive chat robot based on artificial intelligence that is designed to simulate human conversation. The chatbot market is predicted to expand at an incredibly high CAGR of 27.8% in terms of revenue over a forecast period from 2016 to 2024 (Transparency Market Research). Lloyds Banking Group, Royal Bank of Scotland, Renault and Citroën are now using automated online assistants instead of call centres staffed by humans. But APIs are the glue of chatbots: chatbots are entirely API and event driven, which negates the need for a CSS interface, facilitates the integration of services including NLP (for example AWS<>MongoDB<>salesforce<>Slack), and enables monitoring, testing and security. And did we say, Security?!

In this presentation, we will demonstrate how chatbot APIs are hacked, exploited for privacy data breaches and even used to cause DDoS attacks through the exploited API endpoints.

And we close this presentation with some practical countermeasures, such as proper encryption key management practices, addressing business logic flaws, securely hardening API endpoints, and of course SABSA architecture and governance.

12:00 10B: Organisational Upheaval Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

It comes in many forms. COSAC veterans have probably seen them all. Rarely welcome, always more disruptive than planned, never arriving at precisely the synergistic outcome the suits guaranteed at the beginning of the project. Outsourcing, mergers, acquisitions, divestitures, "right-sizing," layoffs and major reorganizations are facts of life as we approach the third decade of the 21st century. All these situations can create serious information protection concerns, but security is usually at best an afterthought, considered only after financial, legal and structural issues have been settled, the new management structure coronation is complete, the old guard (and their "old school" ideas) have been defenestrated, and the ink is dry on the bottom line. Viewing large-scale organizational change from an IT security perspective, we'll emphasize realistic strategies for handling the very real and emotionally charged issues that inevitably arise at the first discussion of moving functions downstairs or across the street or out the door or offshore. We'll examine what to do before, during and after major organizational upheaval to ensure that adequate controls are in place.

12:00 10S: Zero Knowledge Business Attributes Speaker(s): Martin Hopkins

Martin Hopkins

Principal Consultant, Gotham Digital Science (UK)

Martin is a Principal Security Consultant and Head of R&D at Gotham Digital Science. He has over 24 years experience in the IT industry notably including development and testing of emulation and virtual machine technology, development of host and network security products, security architecture consultancy and penetration testing. During his career he has worked on a wide range of systems and platforms ranging from small embedded devices to mid-range and mainframe systems.

How can we generate a business attributes profile for another enterprise using only publicly available information? Why would we even want to do this, what use could it possibly have? If we don't have well defined, specific metrics and performance targets is there any value? This talk will introduce an approach to producing such a profile, seek to answer these questions and provide examples of where this technique has been used such as:

  • How does a very technical security consultant communicate the outcome of an assessment to executive management using language they will understand, and relate risks to their business context and what they really care about?
  • How can we take a standard Threat Modelling methodology up a step, stop focussing solely on information assets, and start considering threats against what matters most to the enterprise?
  • How can a security consultant respond to their client when asked "but what is the impact to my business?" and the rote answer of "I can tell you the technical impact but I don't know enough about your business to answer that question" isn't going to be good enough?

We'll propose that even if the profile is not even close to 100% accurate and is not the product of a rigorous engineering process it still has value as a communications tool and demonstrates to stakeholders a method for bridging the gap between technical and business viewpoints of risk, before opening up the remainder of the session for audience participation to debate the merits of this approach and proposal of alternative solutions.

13:00 - 14:00 Lunch

14:00 11A: IoT & SCADA: Applying Lessons Learned & Case Studies Speaker(s): Lawrence Dietz

Lawrence Dietz

General Counsel & Managing Director - Information Security, TAL Global (USA)

Lawrence Dietz, has extensive military and commercial intelligence and security experience. At TAL Global he has managed a variety of technically complex investigations involving intellectual property, sensitive data compromise, potential international illegal shipments, and celebrity reputation issues. As the company’s chief legal officer he is responsible for a variety of legal transactions. Prior to joining TAL Global Dietz served in senior roles at Symantec Corporation.

From connected refrigerators to self-driving automobiles to medical devices, the IoT offers great promise. However, as the Mirai attack has shown, these benefits come with some perils as well. This session will first set the stage by reviewing SCADA and IoT attacks to agree on attack parameters, perpetrators and best practices.

We will then examine a hypothetical company and three hypothetical incidents. Each incident plays off a different set of facts about the hypothetical company and highlights different likely perpetrators.

We will then analyze each incident, starting by identifying likely perpetrators. Next we address legal issues such as potential liability, data privacy and intellectual property protection. Case studies will conclude with assessing lessons learned and practical actions that can be taken to minimize the likelihood of these types of incidents and their negative impact on the organization.

14:00 11B: Are We Boring the Board? Speaker(s): Todd Fitzgerald

Todd Fitzgerald

SVP, Chief Administrative Officer - Information Security & Technology Risk, Northern Trust (USA)

Todd is SVP and Chief Administrative Officer – Information Security and Technology Risk, Northern Trust. He led multiple Fortune 500/large company information security programs for 19 years, was named 2016 Chicago CISO of the Year by AITP, ISSA, ISACA, Infragard and SIM, ranked Top 50 Information Security Executive and authored 3 books on Information Security. 

Today many CISOs are having to address the Board of Directors in their organizations across all vertical industries. Are the boards asking the right questions? What questions should they be asking? Are the CISOs delivering the right message? How do we measure if they are really being effective?

This presentation will provide a never-before-presented analysis of the "Presenting to the Board" literature that is published from time to time, and challenges through interactive discussion what information is relevant to "the board".

There will be a deliverable that results from this discussion, the top 10 items, in priority order, that a board must know. Can we accomplish that feat at COSAC? Only the participants can know for sure.

Note: Presentations are communicated in a very interactive, audience participation style with visual and audio effects.

14:00 11S: Zero to SABSA: Consistent Enterprise Security Architecture Delivery Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, Deloitte (Australia)

Andreas is an Enterprise Security Architect in Deloitte’s Cyber Risk Advisory Services line with over 25 years of experience in IT and security consulting. He has worked on defining the security architectures and models for various global organisations across various industries and global locations. In addition to his work at Deloitte Andreas is a long standing member of the ISACA Melbourne Chapter board where he held various positions as director and president.

While most medium to large global organisations these days appreciate and/or have a security architecture function, not all have a framework defined that ensures security architecture is delivered based on a consistent, organisation specific approach that enables security architecture delivery to an agreed set of performance criteria within the organisation.

The problem appears to be non-standardised terminology being used for security architecture, non-standardized security architecture delivery processes within the organisation, and the inability of security architects to clearly articulate the dependencies of various organisational functions within an organisation when it comes to delivering security architecture. While one part of the company might be great at security architecture delivery others could be average and sometimes they are not well integrated with areas that they should align with. The security architecture function in organisations is often siloed off from departments that should be involved in the security architecture delivery process. Departments in a global enterprise, responsible for physical security, risk, governance, policies, and security operations, are often working side by side, but not towards a unified, integrated plan that an Enterprise Security Architecture would present. Metrics are developed for the sake of metrics and are not actually measuring anything of value, like how well security architecture is actually being delivered within an organisation.

This session is based on a large global financial organization that set out to redefine their security architecture delivery approach. We will look at what obstacles were encountered along the way, what worked, what didn't work, and look at some of those "oh sh…" moments.

At the end of this session participants should be able to understand why it is equally important to have an experienced team of security architects as having an agreed approach to delivering enterprise security architecture in a large global organisation.

The key takeaway from this session will be that defining an approach/methodology for delivering security architecture in a large enterprise is essential for consistent delivery of quality security architecture solutions across the organisation. An example of such an approach, i.e. a "Security Architecture Framework", based on a real world case study, will be presented. The framework includes a set of security architecture principles, an enterprise security domain model, and a performance management model that enables an organisation to have a consistent approach to security architecture delivery that can be fine-tuned and scaled across a global organisation.

In the spirit of COSAC, this session is designed to be interactive and allows participants to share what their experiences were in similar scenarios before we will look at what happened in the real world case study this presentation is based on. This session will provide attendees with an insight into some issues that were encountered when developing a security architecture framework with the intention of providing a more structured approach of delivering security architecture in large organisations.

15:10 12A: Shining Light in the Darkness - A Look at the Dark Web Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks. 

The Dark Web has become a buzz-word over the past few years due to the rise in successful cyber attacks, overt criminal activity, media hype, and data disclosure. Although more and more people have heard of the Dark Web, it remains an enigma to many security professionals. As the Dark Web becomes a greater and greater market and hiding place for cyber activity, however, it is incumbent upon cyber security professionals, particularly, researchers to understand and learn how to safely navigate along its many tangled threads.

This presentation is comprised of two principal sections. The first section walks through an introduction to the topology of the Dark Web and describes an architecture and process for accessing it in a protected fashion. It also includes a discussion on how business is conducted on the Dark Web. The second section is a live demonstration and exploration of specific sites of interest on the Dark Web. As the purpose is to familiarize security practitioners and research professionals, at no time will any illegal or unethical activities be demonstrated or condoned.

For those interested a written description of the processes and architecture components will be provided in a pdf format.

15:10 12B: When Just Being Right is Not Enough Speaker(s): Karel Koster

Karel Koster

Head of Information Security, Ingenico ePayments (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds a position as Head of Information Security within Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel, as an information security officer, was responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

In these times of alternative facts, being rational and right is not always enough to get the support of management you need. While facts and figures are my preferred way to deliver my message to my stakeholders, I found that not all of them share my preference for ratio over emotion. Our different communication preferences sometimes prevent my message from being received correctly. Communicating in the right way, in the way my stakeholder prefers, helps me to deliver my message clearly.

We all have our communication preferences and so do our stakeholders. I've investigated my preferences and got insight into my strong and weaker points. I also examined those of my main stakeholders, in order to tweak my communications to them when delivering a critical message. This ensures that personalities and communication preferences do not intervene and the message is well received and therefore more likely to be accepted. In this presentation I share my insights, what I have learned about my own communication style and how I adapt my communication to the preferences of others in order to align with them. I will introduce the tools and frameworks I use and point you in the right direction if you would want to do the same.

15:10 12S: Real-World SABSA on a Global Scale Speaker(s): Mark Keating

Mark Keating

Global Information Security Architect, Deloitte (UK)

Mark is currently serving as a Global Information Security Architect for Deloitte, where he is responsible for helping define the global technology strategy and roadmap for over 250,000 people spread across 150 countries. He has been with Deloitte since 2002, and prior to his current position, was the Network & Security Architect for the UK & Switzerland where he was responsible for the design and implementation of most of the UK’s network and security platforms supporting 18,000 staff.

How do you go about creating a global security architecture framework for one of the world's largest professional services organisations?

Where do you start, when the organisation consists of 250k employees, operates in over 100 countries, consists of 40 separate member firms each with their own CIO, and they all have differing views on security & risk?

This session will provide an overview of what our journey looks like, what we have already achieved, what challenges we have faced so far, and what we are doing next.

16:10 - 16:30 Afternoon Tea

Plenary Sessions

16:30 13P: Edgar Allan Poe: 19th Century CISSP Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

He was an enigma – a quintessential Southern gentleman who was born in Boston, raised in England and Virginia, and poor for all of his adult life. He was a paradox – unfailingly polite and helpful, especially to women, yet a savagely fierce critic of anyone, even established celebrity writers who didn’t share his literary views or meet his extremely rigorous standards. He was also indisputably a genius – inventor of the detective story, revered by Bram Stoker and Arthur Conan Doyle, the most influential critic of his time, a lavishly praised poet, and a short story writer who could weave horror and reality into tales we still read today (and still shudder). Poe used encryption as the primary plot element in “The Gold Bug” and presaged the Big Bang theory by seventy years in his prose poem “Eureka.” And much of what he did and how he did it relates directly to our profession and how information security is perceived almost two centuries later.

Come join us as we decrypt Edgar Allan Poe and relate his life and works to the information security challenges of this century.

17:30 14P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

Submissions should include a requested amount of time for the presentation. An anticipated maximum of four minutes will be allocated for each presentation.

Networking & Dinner

20:00 onwards Dinner

Thursday 5th October 2017

09:00 - 09:30 Delegate Registration & Coffee

11:00 Morning Coffee

Workshop W1

09:30 Wonderful, Terrible, Inevitable: Big Data, Analytics & IoT Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Big Data and the Internet of Things are revolutionizing virtually every industry. We’re told of pinpoint accurate medical records and diagnostics, all-encompassing analytics, mastery of industrial processes, effortless control of our static and moving environments and complete connectivity and communication with anything and everything we might ever imagine being useful. Wonderful!

But COSAC delegates have an internal red flag that goes up upon hearing “It’s gonna be great!” Then those euphoria-deflating security questions start multiplying and running through our somewhat addled brains. Where is all this Big Data coming from? Where will it reside? Who controls it? Who grants access? On what basis? How do we know it’s accurate, relevant? Is it complete enough for life and death medical decisions? What about analytics system administration; data monitoring and correction procedures; incompatible security architectures? Oh yeah, and privacy?

What kind of security is built into all these Internet-connected devices? How easy is it to control access? Is the data they trade and store encrypted? Who’s liable if they fail or give erroneous signals?

Big Data and IoT are neither fads nor merely trends; they constitute a revolution. There's no going back. Join us as we look from a security perspective at both the bright and dark sides.

Workshop W2

09:30 COSACopoly: A Surprisingly Serious Approach to Enterprise Security Speaker(s): Chris Blunt, Lisa Lorenzin

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security. 

How can a lifelong infosec practitioner find a new way of looking at enterprise security? 

By learning the way a child does - through play. Our update to a popular childhood game provides a new lens for examining common issues in information security; players start with money and data, and must spend that money acquiring "properties" (security services) to protect their data from "chance" (random risks and opportunities).  

Like all great conference presentations, this one was inspired by a conversation in the pub after a previous COSAC...  We learn best from each other, and from the chance to go off-script and see where inspiration takes us.  From resource utilization to risk mitigation to adaptability in the face of changing circumstances, COSACopoly will spark conversations, demand tough decisions, and offer a free-form venue for exploring a variety of approaches to today's infosec challenges.

Workshop W3: SABSA & Agile

09:30 Part 1 - SAFe and Secure Speaker(s): Narendra Ramakrishna

Narendra Ramakrishna

Business Solution Architect, SIEM Advisory & Consulting (UK)

Narendra Ramakrishna is an accomplished Enterprise and Solution Architect specializing in delivering solutions in the areas of Cybersecurity, Cloud Security, and PCI-DSS. He has worked in a variety of roles across security development, design and security architecture since 1999, with more than a decade of that focused on various transformation programs which include process changes and implementation of various industry-strength methods, and is currently focusing on enterprise security.

SAFe (http://www.scaledagileframework.com) provides an Agile framework that attempts to achieve agility vertically (from Business Portfolio Management through to delivery teams [Agile/Scrum teams]) through the organization. However, SAFe is heavily oriented towards delivering functionality and classifies security as a set of non-functional requirements.

This presentation intends to augment SAFe with a risk-based approach, mainly using the tenets of SABSA. This would cover:

  1. Practical Agile implementation within large organizations.
  2. An approach to incorporating a risk-based approach (SABSA) at the portfolio level (alongside business strategy and technology roadmap).
  3. The method through which a risk-based approach could percolate down to release sprints and Scrum teams.
  4. Alignment with DevOps and the SABSA Service Management Matrix.

11:30 Part 2 - Securing Agile the SABSA Way Speaker(s): Maurice Smit

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

The analysis, design and delivery of software has changed fundamentally in the last few years, with flowcharts and specification documents giving way to user stories and post-it notes. This seems fundamentally opposed to the more structured architected waterfall approach that typified early software efforts. However, experience with agile has shown it can deliver results early and produce software that fits closely to user needs, outcomes that were becoming increasingly difficult to achieve with the waterfall approach to software development.

There are two agile methodologies currently in play: Scrum and Kanban. These are quite different approaches to making software development agile and many development shops deploy a combination of both – Scrum providing the sprint culture and Kanban the post-it notes. A culture of Extreme Programming – XP – is also often woven into agile deployments.

Agile development is a cultural approach to software delivery which has a number of fundamental implications for security. As a business solution delivery approach which is designed to “fail fast, fix quickly”, it relies upon user identification of functional mismatches. There is little chance that the same approach will identify anything other than very large security holes – the subtle ones will likely go unnoticed. Security has also developed in a strong waterfall manner, with assurance testing and accreditation against recognised standards being a common approach to delivering security assurance. This approach does not work in an agile shop.

This presentation addresses the new paradigm of agile security, in which the approach to security assurance aligns with the cadence of agile delivery. Concepts such as continuous security integration and testing can be effective alternatives to waterfall security, and security guard rails provide the cultural alignment necessary to remove security blocks and ensure security is an effective partner in agile delivery. SABSA provides the agile architectural approach which brings these and other tactics together into a strategic solution for building an agile security program.

13:00 - 14:00 Lunch

14:00 SABSA Open Forum
16:00 Conference Close