Ireland Melbourne

Welcome to COSAC - Conferencing the way it should be!

Call for Papers is now open for COSAC 2020!

For 27 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Monday 30th September 2019

Breaks COSAC Masterclasses are full-day, 09:30 - 17:30
09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 The 19th International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 19th International Forum stands alone as a full-contact, no-holds-barred excursion into the COSAC experience. But it’s also a harbinger of things to come and a deep-immersion in the COSAC way. There'll be a room full of savvy, scar-bearing security professionals analyzing hypothetical scenarios and actual events from widely different perspectives based on widely different experiences and perceptions of success and failure learned in the trenches. Information security masters offer and rigorously defend their opinions, but past editions of the Forum have shown that they are also ever-willing to help others and learn from each other. Duels and mortal combat cage matches are rare. Much more prevalent is reality-based analysis of recent and probable future events and trends from perspectives illuminated by deep and broad information security knowledge and experience.

The moderator describes some actual event or prediction of the future or analysis of security-related issues, then comes up with a question or two about associated issues. He might then prod one or more attendees for their take on the issues in question, but more likely, he’ll try to avoid getting in the way, thus prompting participants to discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

It was true when we started the Forum, and it’s true in 2019 - “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” Ransomware, cryptojacking, social network privacy and security issues, GDPR, nation-state offensive activity, IoT device proliferation and security, finding and keeping competent help … – the 2019 list of real and potential concerns will no doubt continue to grow and bleed into 2020. Even if we could address them all, we have to keep playing whack-a-mole on the classic security gems that never seem to get fully resolved - password discipline, cloud security, access control, end-point security, policy writing and implementation, awareness and training, … ad infinitum. One of the features that make the Forum so valuable is learning from the grizzled veterans what we can do and what we can’t – where to focus our limited resources. Trying to do everything at once is a sure prescription for failure.

The discussion and analyses started here in the Forum almost always continue throughout COSAC, often beyond that, leading to unique, realistic and workable solutions to seemingly intractable dilemmas. Leading also to building a network of intelligent, experienced, realistic people you can count on for trenchant analysis and real help. Come join us and help solve the information security problems of the world.

Masterclass M2

09:30 The 5th COSAC Design-Off Speaker(s): Jason Kobes,

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 
William Schultz

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with s focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

This year will mark the 5th year of running this interactive and unique competition at COSAC Ireland. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Masterclass M3

09:30 Understanding the Human: Why the Human Link Matters Speaker(s): Lynette Hornung,

Lynette Hornung

Senior Enterprise Security Architecture & Privacy Manager , (USA)

Lynette is a Senior Privacy and Security Architecture Manager leading a privacy program with a federal agency focusing on data protection and security architecture that provides security and privacy by design. She has supported a variety of federal agencies with privacy and security architecture services and solutions. She was CyberCorps and has her MS in Information Assurance from Iowa State University.
Helvi Salminen,

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as security analyst and since April 2000 as information security manager. Before starting information security tasks she has 12 years experience in systems development. Helvi is founder member of Finnish Information Security Association which celebrated its 10th anniversary in 2007. Helvi is qualified CISA, CISSP & SABSA & was awarded as CISO of the year in Finland 2014. 
Char Sample

Char Sample

Chief Scientist Cybersecurity Cybercore, Idaho National Laboratory (USA)

Dr. Char Sample is research fellow employed for ICF at the US Army Research Laboratory in Adelphi, Maryland and with the University of Warwick, UK. Dr. Sample has over 20 years experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture, other areas of research are information weaponization and complexity.

Interest in the human link has been gaining interest in cyber security. Last year we opened the discussion on the human link by suggesting that the human is the least understood link in a security system. This year we will have updated the workshop while providing the foundation for understanding the last (or perhaps) first frontier of the security landscape… the human mind. This workshop is designed to improve the understanding of the human and the complex relationship between the human and machine when sensing, perceiving and deciding, while explaining how this relationship influences and impacts the security environment. We offer a fresh examination of the human security relationship with the hope of making security user enabling. This requires examination from several points of view, including the following:

  • - Understanding the commonalities and differences between humans and machines?
  • - Understanding how the human machine relationship gives rise to complex systems.
  • - Defining security in this way, we will also discuss complexity theory and how it relates to human-machine behavior.
  • - A discussion of neural networks and other classifiers in behavioral modeling.
  • - Artificial intelligence technology is increasingly applied in various contexts, including security. In many areas of expertise people fear – sometimes for a good reason - that AI systems will make their skills obsolete.
  • - What does it mean in security?
  • - What prevents AI systems from providing optimal performance
  • - Can AI systems be subverted?
  • - Do we need to have ethical implications considered for Artificial Intelligence?
  • - Are there privacy implications with Artificial Intelligence?
  • - Perception management and how it can be manipulated in spite of target awareness.
  • - Factors that influence problem perception, organization, and data formation and why this is important in the age of AI
  • - Data encoding & visualization
  • - Context recognition and evaluation
  • - Deception
  • - How are security actors (attackers, defenders and victims) deceived?
  • - How can deception be identified?
  • - How to counter deception?
  • - What are the legal remedies with deception? How can the legal world catch up to the technical developments with Artificial Intelligence?
  • - Understanding of the human brain from biology to decisions.
  • - Can the brain be re-programmed?
  • - Hardwiring, learned, conscious and unconscious behaviors
  • - Do we have ethical considerations with re-programming?
  • - Environmental factors (physical reality, virtual reality and augmented realities) and how the brain acts and responds in these environments.
  • - Future scenarios – where technology is taking us humans or where we humans are taking technology
  • - How to apply these discussions to security in your organization.

Masterclass M4

09:30 Cryptography in the Real World Speaker(s): Dan Houser

Dan Houser

Senior InfoSec Manager, The American Chemical Society (USA)

Dan Houser is a practitioner who brings 30 years of experience to his presentations from knowledge learned in the trenches, and is a published author and frequent speaker at international conferences. Mr. Houser has set strategy, lead strategic projects and established EA/Security Architecture practices at several Fortune 500/Global 500 firms, including banking, insurance, finance, healthcare, retail and higher education. He is formerly head of cryptographic practice for a top-20 insurer.

Few of us are protecting state secrets, or have the budget of the GCHQ or NSA - but we must create defensible cryptographic systems given the constraints we're handed. How can we avoid the mistakes that have lead to the downfall of major cryptosystems, while still achieving due diligence?

This session will provide an overview of what really matters with cryptography in the field, and help dispel bad practice with regards to cryptographic assessment. We will uncover the failure modes of crypto in the real world, and how to select and implement cryptographic components & capabilities securely as part of an enterprise initiative. We will present case studies of multiple cryptanalysis projects that permitted the author to break commercial cryptosystems, and detail the weaknesses that were introduced, and what we might learn from these failures. We will discuss failure modes of other commercial crypto systems, why those failed, and why crypto is hard to get right in practice.

Auditors and risk analysts frequently ask the wrong questions regarding cryptography, so we will provide better lists (e.g. "Describe the key management escrow lifecycle, and your process for responding to the death or disqualification of a key holder.") and examples of terrible questions (e.g. "Is it using SSL?") . Lessons for audit failures will be touched on, to better assess the strength of third-party cryptographic solutions. This interactive session will conclude with snake-oil cryptography dodges and how to avoid them, and step through the execution a defensible due-diligence cryptographic project, including team formation, segregation of duties, architectural challenges and risk strategies.

This is an approachable version of cryptography for cryptographic implementers, architects and project leads that focuses on risk management, engineering and implementation, rather than NP-hard math. No calculator required.

Networking & Dinner

18:30 Drinks Reception - Sponsored by SABSAcourses
18:30 Book Signing in aid of The National Museum of Computing
19:00 Dinner - Sponsored by Deloitte
21:00 Networking Event