
Welcome to COSAC - Conferencing the way it should be!

For almost 25 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

The Call for Papers for our 25th annual event in Ireland is now open. View our 2017 agenda to gain an understanding of the value COSAC provides for attendees. 

Wednesday 4th October 2017

09:00 - 09:30 Delegate Registration & Coffee

09:30 8A: Cognitive Hacking: Recognising & Countering 21st Century Deception Speaker(s): Char Sample

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland, and with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

The events of 2016 resurrected the term "cognitive hacking". First identified by Cybenko in 2002 this forgotten research area has garnered new attention due in part to "fake news", weaponized information and other activities designed to shape online perception. While the world may have been caught off guard by these events, the physical world has mechanisms to detect and counter these efforts. The virtual world has no such mechanisms.

This talk first defines cognitive hacking and provides examples, including examples of perception shaping that occur in security monitoring. Next, the session focuses on some of the research into deception by Rowe, Jones and other notable efforts. It then moves on to countering deception: what can be done technically as well as behaviorally.

The discussion will be workshop focused with the facilitator providing brief explanations of each of the focus areas (identification, countering and post-hoc analysis).

09:30 8B: Women in Security: Drivers & Challenges - Part 2 Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

On a global average only 10% of the people working in the security industry are women, and this includes those working in communications and marketing. In the Netherlands, this percentage is only 3%. The speaker has been involved in research with a Dutch institute to further investigate the causes of, and countermeasures for, the extraordinarily low share of women in the industry. Considering that the security industry will be short of 1.5 million security professionals globally by 2019, we cannot afford to let half of our population sit idly by without investigating the reasons for them not taking up a career in this industry.

Esther presented on this topic at COSAC 2016, but due to interesting discussions only managed to cover the challenges and not the drivers before running out of time. This year, she would like to shortly recap the challenges and discuss the drivers for success in more detail while having similar engaging discussions with the COSAC audience.

09:30 8S: It's Sooooo Fluffy! Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Manager, Accenture (Netherlands)

Jaco is Cyber Defense domain lead for the Gallia region at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to a number of companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

There is a terrifying misconception about Security Architecture that I have to deal with more often than I would like to admit. I cringe every time I hear "well, that's all good in theory, but how are you actually going to make it work?", and I am sure that I am not the only one. Yes, you've guessed it, we are too often accused of being theorists!

Very few of us ever get the opportunity to dive into the nuts & bolts of the architectures we develop all the way through to instantiating all of those wonderfully mystical and mythical concepts of ours.

In this session, we will look at a couple of ways to make an Enterprise Security Architecture more tangible for the folks who are going to end up using it. We will dive a little deeper into the Logical, Physical and Component layers of SABSA, exploring the deliverables and outcomes of each of these layers in detail and with the appropriate audience and stakeholders in mind, all while maintaining the necessary traceability back to the Contextual and Conceptual layers.

10:30 - 10:50 Morning Coffee

10:50 9A: IoT, Industrial IoT and Industry 4.0 - The Security Challenges Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is the leading industry expert on cyber threats in the built environment and supports infrastructure protection. He has written four guidance documents for the IET on cyber security in the built environment, ports and vessels. 

The deployment of IoT devices and architectures in the work environment poses a number of new security challenges, particularly where these devices are connected to cyber-physical systems (e.g. industrial automation and control systems and intelligent transport systems). Hugh is a technical lead for the Supply and Control Systems strand of the UK's EPSRC-funded PETRAS Internet of Things Cyber Security Research Hub. He will explore and discuss some of the security engineering challenges we face if these systems are to be both safe and secure.

10:50 9B: Project Management - the CIO Speaker(s): Michael Hirschfeld

Michael Hirschfeld

First Assistant Secretary, Department of Finance (Australia)

Michael is acting Chief Information Officer and First Assistant Secretary, IT and Workplace Division in the Australian Commonwealth Department of Finance and has executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with a number of Australian government agencies, including as Assistant Secretary for ICT Planning and Governance at the Australian Department of Foreign Affairs and Trade.

I have held middle management and senior executive roles in Security, ICT Security, and ICT in general in various Australian Government Agencies over the past 23 years.

I have learnt a lot about managing the delivery and leading the strategic improvement of these fields. I also have much much more to learn.

Many believe that great leaders are born and not made – this may be true - but good leaders and great managers are, more often than not, made through the dedication to personal development of individuals.

There are innumerable capabilities and skills that take us from being technical experts to being good managers and then good leaders. In this presentation, I will share some of my experiences and tools that can be used to help you manage your deliverables and career.

There are a number of topics to cover - this session will focus on three fundamentals: committing to action, planning and delivery. Understanding the nature of commitment to action, and whether your team has committed to what you are committed to. How do you successfully plan tasks for teams and projects, and then how do you make sure you and your team deliver successfully?

10:50 9S: Redefining Security Architecture in a Digitally Disrupted World Speaker(s): John Sherwood

John Sherwood

Chief Architect, The SABSA Institute (UK)

John Sherwood is the Chief Architect of SABSA, working at The SABSA Institute, leading the development of the SABSA framework by engaging with the global SABSA Community to harness new thinking and innovation in the practice of security architecture. He also leads the collaboration between the institute and The Open Group in this area of work.

This presentation will explore first the nature of cyberspace: its complexity, dynamic change and emergent properties.

We move on then to consider the following consequences:

  • The death of system centricity and perimeter security.
  • The new security challenge: security as added value, not added cost.
  • Risk optimisation as competitive advantage.
  • The new security architecture paradigm: trusted operations, any place, any time, any person.

12:00 10A: No More M&M Security: The Rise of the Software-Defined Perimeter Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Emerging Technologies, Americas, Zscaler (USA)

Lisa Lorenzin is the Director, Emerging Technologies, Americas at Zscaler, specializing in zero trust networks, and co-chair of Trusted Network Connect, a work group of the Trusted Computing Group that defines an open architecture and standards for endpoint integrity and network security. She has worked in a variety of Internet-related roles since 1994, with more than a decade of that focused on network and information security, and is currently concentrating on enterprise security. 

Network security has traditionally involved an "M&M" approach: create a hard shell or perimeter around a soft interior. Despite movements such as de-perimeterization, this is still a common model today. On-premise users have the run of the network, with complex network segmentation required to restrict access. For remote users, traditional L3 VPNs extend that perimeter, placing remote users' endpoints directly onto the enterprise network. This puts the enterprise's network and data at risk from a range of threats - compromised credentials can lead to unintended exposure as attackers move laterally throughout the network environment.

The hard, brittle network perimeter method is giving way to a new approach: the software-defined perimeter (SDP), where authenticated users on authorized devices are granted access only to specific applications. Migration to a software-defined perimeter can appear challenging - how do you transition from full network access over an L3 IPsec VPN or on-premise, to application access for authorized users on approved devices regardless of location? We'll discuss the origins and current state of SDP, its benefits and caveats, and how to approach the transition from legacy access models to SDP.

12:00 10B: Organisational Upheaval Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

It comes in many forms. COSAC veterans have probably seen them all. Rarely welcome, always more disruptive than planned, never arriving at precisely the synergistic outcome the suits guaranteed at the beginning of the project. Outsourcing, mergers, acquisitions, divestitures, "right-sizing", layoffs and major reorganizations are facts of life as we approach the third decade of the 21st century. All these situations can create serious information protection concerns, but security is usually at best an afterthought, considered only after financial, legal and structural issues have been settled, the new management structure coronation is complete, the old guard (and their "old school" ideas) have been defenestrated, and the ink is dry on the bottom line. Viewing large-scale organizational change from an IT security perspective, we'll emphasize realistic strategies for handling the very real and emotionally charged issues that inevitably arise at the first discussion of moving functions downstairs or across the street or out the door or offshore. We'll examine what to do before, during and after major organizational upheaval to ensure that adequate controls are in place.

12:00 10S: Zero Knowledge Business Attributes Speaker(s): Martin Hopkins

Martin Hopkins

Principal Consultant, Gotham Digital Science (UK)

Martin is a Principal Security Consultant and Head of R&D at Gotham Digital Science. He has over 24 years' experience in the IT industry, notably including development and testing of emulation and virtual machine technology, development of host and network security products, security architecture consultancy and penetration testing. During his career he has worked on a wide range of systems and platforms, ranging from small embedded devices to mid-range and mainframe systems.

How can we generate a business attributes profile for another enterprise using only publicly available information? Why would we even want to do this, what use could it possibly have? If we don't have well defined, specific metrics and performance targets is there any value? This talk will introduce an approach to producing such a profile, seek to answer these questions and provide examples of where this technique has been used such as:

  • How does a very technical security consultant communicate the outcome of an assessment to executive management using language they will understand, and relate risks to their business context and what they really care about?
  • How can we take a standard Threat Modelling methodology up a step, stop focussing solely on information assets, and start considering threats against what matters most to the enterprise?
  • How can a security consultant respond to their client when asked "but what is the impact to my business?" and the rote answer of "I can tell you the technical impact but I don't know enough about your business to answer that question" isn't going to be good enough?

We'll propose that even if the profile is not close to 100% accurate and is not the product of a rigorous engineering process, it still has value as a communications tool and demonstrates to stakeholders a method for bridging the gap between technical and business viewpoints of risk. We'll then open up the remainder of the session for audience participation to debate the merits of this approach and to propose alternative solutions.

13:00 - 14:00 Lunch

14:00 11A: IoT & SCADA: Applying Lessons Learned & Case Studies Speaker(s): Lawrence Dietz

Lawrence Dietz

General Counsel & Managing Director - Information Security, TAL Global (USA)

Lawrence Dietz, has extensive military and commercial intelligence and security experience. At TAL Global he has managed a variety of technically complex investigations involving intellectual property, sensitive data compromise, potential international illegal shipments, and celebrity reputation issues. As the company’s chief legal officer he is responsible for a variety of legal transactions. Prior to joining TAL Global Dietz served in senior roles at Symantec Corporation.

From connected refrigerators to self-driving automobiles to medical devices, the IoT offers great promise. However, as the Mirai attack has shown, these benefits come with some perils as well. This session will first set the stage by reviewing SCADA and IoT attacks to agree on attack parameters, perpetrators and best practices.

We will then examine a hypothetical company and three hypothetical incidents. Each incident plays off a different set of facts about the hypothetical company and highlights different likely perpetrators.

We will then analyze each incident, starting by identifying likely perpetrators. Next we address legal issues such as potential liability, data privacy and intellectual property protection. Case studies will conclude by assessing lessons learned and practical actions that can be taken to minimize the likelihood of these types of incidents and their negative impact on the organization.

14:00 11B: Are We Boring the Board? Speaker(s): Todd Fitzgerald

Todd Fitzgerald

SVP, Chief Administrative Officer - Information Security & Technology Risk, Northern Trust (USA)

Todd is SVP and Chief Administrative Officer – Information Security and Technology Risk, Northern Trust. He led multiple Fortune 500/large company information security programs for 19 years, was named 2016 Chicago CISO of the Year by AITP, ISSA, ISACA, Infragard and SIM, ranked Top 50 Information Security Executive and authored 3 books on Information Security. 

Today many CISOs are having to address the Board of Directors in their organizations, across all vertical industries. Are the boards asking the right questions? What questions should they be asking? Are the CISOs delivering the right message? How do we measure whether they are really being effective?

This presentation will provide a never-before-presented analysis of the "Presenting to the Board" literature that is published from time to time, and challenges, through interactive discussion, what information is relevant to "the board".

There will be a deliverable resulting from this discussion: the top 10 items, in priority order, that a board must know. Can we accomplish that feat at COSAC? Only the participants can know for sure.

Note: Presentations are communicated in a very interactive, audience participation style with visual and audio effects.

14:00 11S: Zero to SABSA: Consistent Enterprise Security Architecture Delivery Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, Deloitte (Australia)

Andreas is an Enterprise Security Architect in Deloitte's Cyber Risk Advisory Services line with over 25 years of experience in IT and security consulting. He has worked on defining the security architectures and models for various global organisations across various industries and locations. In addition to his work at Deloitte, Andreas is a long-standing member of the ISACA Melbourne Chapter board, where he has held various positions as director and president.

While most medium to large global organisations these days appreciate and/or have a security architecture function, not all have a defined framework that ensures security architecture is delivered through a consistent, organisation-specific approach against an agreed set of performance criteria within the organisation.

The problem appears to be non-standardised terminology being used for security architecture, non-standardised security architecture delivery processes within the organisation, and the inability of security architects to clearly articulate the dependencies between various organisational functions when it comes to delivering security architecture. While one part of the company might be great at security architecture delivery, others could be average, and sometimes they are not well integrated with areas that they should align with. The security architecture function in organisations is often siloed off from departments that should be involved in the security architecture delivery process. Departments in a global enterprise responsible for physical security, risk, governance, policies and security operations are often working side by side, but not towards a unified, integrated plan such as an Enterprise Security Architecture would present. Metrics are developed for the sake of metrics and do not actually measure anything of value, such as how well security architecture is actually being delivered within an organisation.

This session is based on a large global financial organisation that set out to redefine its security architecture delivery approach. We will look at what obstacles were encountered along the way, what worked, what didn't work, and at some of those "oh sh…" moments.

At the end of this session participants should understand why having an experienced team of security architects is just as important as having an agreed approach to delivering enterprise security architecture in a large global organisation.

The key takeaway from this session will be that defining an approach/methodology for delivering security architecture in large enterprises is essential for the consistent delivery of quality security architecture solutions across the organisation. An example of such an approach, i.e. a "Security Architecture Framework", based on a real-world case study, will be presented. The framework includes a set of security architecture principles, an enterprise security domain model, and a performance management model that gives an organisation a consistent approach to security architecture delivery that can be fine-tuned and scaled across a global organisation.

In the spirit of COSAC, this session is designed to be interactive and allows participants to share their experiences in similar scenarios before we look at what happened in the real-world case study this presentation is based on. This session will provide attendees with insight into some of the issues encountered when developing a security architecture framework intended to provide a more structured approach to delivering security architecture in large organisations.

15:10 12A: Shining Light in the Darkness - A Look at the Dark Web Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks. 

The Dark Web has become a buzzword over the past few years due to the rise in successful cyber attacks, overt criminal activity, media hype, and data disclosure. Although more and more people have heard of the Dark Web, it remains an enigma to many security professionals. As the Dark Web becomes an ever greater market and hiding place for cyber activity, however, it is incumbent upon cyber security professionals, particularly researchers, to understand and learn how to safely navigate its many tangled threads.

This presentation is comprised of two principal sections. The first section walks through an introduction to the topology of the Dark Web and describes an architecture and process for accessing it in a protected fashion. It also includes a discussion on how business is conducted on the Dark Web. The second section is a live demonstration and exploration of specific sites of interest on the Dark Web. As the purpose is to familiarize security practitioners and research professionals, at no time will any illegal or unethical activities be demonstrated or condoned.

For those interested, a written description of the processes and architecture components will be provided in PDF format.

15:10 12B: When Just Being Right is Not Enough Speaker(s): Karel Koster

Karel Koster

Head of Information Security, Ingenico ePayments (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various roles. He currently holds the position of Head of Information Security at Ingenico ePayments, one of the larger payment service providers on the web. Prior to Ingenico, Karel, as an information security officer, was responsible for information security awareness, vulnerability management and technical compliance at Aegon the Netherlands.

In these times of alternative facts, being rational and right is not always enough to get the support of management you need. While facts and figures are my preferred way to deliver my message to my stakeholders, I found that not all of them share my preference for ratio over emotion. Our different communication preferences sometimes prevent my message from being received correctly. Communicating in the right way, in the way my stakeholder prefers, will help me to deliver my message clearly.

We all have our communication preferences and so do our stakeholders. I've investigated my preferences and got insight into my strong and weaker points. I also examined those of my main stakeholders, in order to tweak my communications to them when delivering a critical message. This ensures that personalities and communication preferences do not intervene and the message is well received and therefore more likely to be accepted. In this presentation I share my insights, what I have learned about my own communication style and how I adapt my communication to the preferences of others in order to align with them. I will introduce the tools and frameworks I use and point you in the right direction if you would want to do the same.

15:10 12S: Real-World SABSA on a Global Scale Speaker(s): Mark Keating

Mark Keating

Global Information Security Architect, Deloitte (UK)

Mark is currently serving as a Global Information Security Architect for Deloitte, where he is responsible for helping define the global technology strategy and roadmap for over 250,000 people spread across 150 countries. He has been with Deloitte since 2002, and prior to his current position, was the Network & Security Architect for the UK & Switzerland where he was responsible for the design and implementation of most of the UK’s network and security platforms supporting 18,000 staff.

How do you go about creating a global security architecture framework for one of the world's largest professional services organisations?

Where do you start, when the organisation consists of 250k employees, operates in over 100 countries, and consists of 40 separate member firms, each with their own CIO, and they all have differing views on security & risk?

This session will provide an overview of what our journey looks like, what we have already achieved, what challenges we have faced so far, and what we are doing next.

16:10 - 16:30 Afternoon Tea

Plenary Sessions

16:30 13P: Edgar Allan Poe: 19th Century CISSP Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

He was an enigma: a quintessential Southern gentleman who was born in Boston, raised in England and Virginia, and poor for all of his adult life. He was a paradox: unfailingly polite and helpful, especially to women, yet a savagely fierce critic of anyone, even established celebrity writers, who didn't share his literary views or meet his extremely rigorous standards. He was also indisputably a genius: inventor of the detective story, revered by Bram Stoker and Arthur Conan Doyle, the most influential critic of his time, a lavishly praised poet, and a short story writer who could weave horror and reality into tales we still read today (and still shudder at). Poe used encryption as the primary plot element in "The Gold Bug" and presaged the Big Bang theory by seventy years in his prose poem "Eureka." And much of what he did and how he did it relates directly to our profession and how information security is perceived almost two centuries later.

Come join us as we decrypt Edgar Allan Poe and relate his life and works to the information security challenges of this century.

17:30 14P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at [email protected] before 10AM GMT Friday, September 29.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4 October.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of four minutes will be allocated for each presentation.

Networking & Dinner

20:00 onwards Dinner