COSAC 2024 COSAC Connect COSAC APAC 2025

Welcome to COSAC - Information Security conferencing the way it should be! Join us in Ireland this October for 4 days of innovative & participative information security value. For 31 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. #COSAC2024 Delegate Registration is open with Early-Bird rates available until 30 June 2024.

Wednesday 2nd October 2024

09:00 - 09:30 Registration & Coffee

09:30 10A: NYETwork Warfare; the End of Civilisation As We Know It Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation and co-host of the award-winning CISO Tradecraft podcast. He has been providing cyber security expertise to government, military, and commercial clients for over 35 years, and is the author of over one hundred articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration, a...

“Everything was destroyed, and few out of many returned home.”

- Thucydides

Two years ago, we discussed whether the Russian offensive included all-out cyber, or if the combatants were husbanding their resources. Last year, we noted that 50-year-old tanks and munitions work well in battle, whereas cyber weapons have a shelf life closer to milk than to wine. As a kinetic stalemate grinds through men and materiel, cyber has blossomed as a new form of expeditionary warfare, now targeting critical infrastructure, the most prominent of which (as of this writing) has been Kyivstar, Ukraine’s largest telecom provider. The fabric of society is now a target, seemingly in violation of Rule 1 of the Law of International Warfare.

"This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable."

- Illia Vitiuk, head of Security Service of Ukraine (SBU) cybersecurity department

Most critical infrastructures are not state-run in western nations. The United Kingdom has named thirteen critical infrastructures. The United States has sixteen. Regardless, these are being identified, cataloged, and targeted in a systematic way so as to provide a potential early strategic advantage in the event of future conflict.

What happens to our society if the digital gloves come off? What are the consequences of an adversary who cannot win on the battlefield taking the battle to the civilian population, shutting off power, water, and communications? What preparations can be made, realistically, to prepare our countries for what we can see is already happening? What message should we, as the senior global brain trust, craft to mobilize our societies and our governments before they suffer a catastrophic loss that might be avoided if we speak up now?

09:30 10B: Bridging The Gap: Fostering Collaboration Between Security & Technical Teams Speaker(s): Dan Schoemaker

Dan Schoemaker

Information Security Officer, Phoenix HSL (Australia)

Dan has been working in the IT support, Infrastructure/Operations and Security fields for the past decade. Currently working in a Group Security role, he is driven to ensure security is business driven and architected properly. Being a self-driven techie he ultimately believes in learning by doing and having a go.

Do you suffer from a team that can't seem to talk to each other? Can you cut the air with a knife when entering your security meetings? Do people audibly sigh whenever you mention raising a ticket or inquire about its status? If so, then this session is for you.

In today's fast-paced and interconnected digital world, the harmony between security and technical teams is crucial. Yet, all too often, these teams operate in silos, causing friction, inefficiencies, and ultimately, compromising security. But fear not, for there is hope.

Join us as we embark on a journey to transform discord into harmony, to dissolve the tension that permeates the air, and to replace sighs with nods of understanding. We'll delve into the heart of the matter, addressing the root causes of disconnection and discord between security and technical teams.

From inspiring motivation to breaking down barriers, we'll discuss what motivates and drives people to take ownership of their place in Information Security. Say goodbye to the days of disjointed communication and hello to a future where security and technical teams work hand in hand towards a common goal.

09:30 10S: Building An Adaptive Security Architecture Speaker(s): Steven Bradley,

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an independent security consultant based in Brussels with 25+ years in IT and has undertaken major assignments for clients in the national & European public sector, finance, telecoms & utilities. He also lends his support to local cyber initiatives. His work in recent years has broadened geographically while becoming more specialised in the field of security by design through automation and modelling, leading to the 2021 foundation of a niche consultancy in this domain. Steven...
Ben Stephen Woods

Ben Stephen Woods

Head of Cyber Risk Assurance, The LEGO Group (Denmark)

Ben leads the Cyber Risk and Assurance team at the LEGO Group:, a global function that includes Human Risk, Risk Management, Technical Risk, and Assurance. Ben is also the Deputy CISO.

The presentation addresses 3 trends currently challenging the cybersecurity operating model.

• Customer expectations are shifting - Digital natives think in terms of customer journeys, and they want safe but low-friction experiences along the way.

• Threats are evolving - There are now new ways to exploit human nature and decision making, using technologies like AI. Lastly,

• Regulations are fragmenting - Countries recognise the value of data and are taking a stronger, more localised, position on how to protect it.

These factors have important consequences for how cybersecurity teams design and implement their governance, risk, compliance and assurance frameworks. We will argue that the new paradigm which is decentralised, where speed and accountability for decision-making are favoured over structures of centralised authority and control.

A pre-requisite of this kind of adaptive security is for decision making at all levels of the organization, which implies effective communications based on a common ‘source of‘truth’.

In this presentation, the speakers will present their experience of establishing a security architecture that reflects these aims and principles, based on control modelling, thresholds, and real-time security data.

The session should be of value to a wide range of delegates that may be facing similar challenges and would be interested in learning what an architectural approach can contribute to the solution.

This will be original content, being presented at conference for the first time.

10:25 11A: Towards Secure AI Speaker(s): Hugh Boyes

Hugh Boyes

Honorary Fellow, Loughborough University (UK)

Hugh is a security adviser and an Honorary Fellow at Loughborough University. He is a Chartered Engineer and a Principal member of the UK NPSA-sponsored Register of Security Engineers and Specialists (RSES). Hugh has been the technical author for several standards issued by BSI. As a security adviser Hugh works across a range of information intensive public sector initiatives, particularly those involving infrastructure and complex geospatial data. His research interests relate to the security...

The hype cycle continues to thrive as illustrated by recent press coverage and political attention regarding the “existential threat” posed by AI, particularly LLMs and generative AI. Inevitably some people are asking how do we secure AI? This session considers AI-related risks and their potential evolution. To address these risks, we need to consider what governance and security mean in an AI context.

Responding to the political attention AI has received, national and international standards organisations are embarking on development of new standards. This session will explore these initiatives, discussing the challenges facing us standardising a rapidly evolving technology. In framing these standards, further discussion is needed about whether AI really is a new problem, or simply highlights inadequacies in our current IT and security standards.

Drawing to a close, the session will explore the role that the supply chain, security professionals, and SABSA could play in addressing challenges arising from use of AI and the consequences and/or liabilities arising from AI embedded in solutions.

Key learning outcomes

• An understanding of AI security risks and vulnerabilities

• An appreciation of the limitations of security standards

• An outline of key issues to address in deployment of AI solutions

10:25 11B: If Socrates Was A CISO or Worse..Your Business Stakeholder Speaker(s): Dimitrios Delivasilis,

Dimitrios Delivasilis

CEO, Qiomos (UK)

Strong technology executive, specialising in business-driven security strategy, architecture and operational resilience. Dimitrios has more than 22 years of extensive experience in leadership roles predominantly within financial services (Head of Enterprise Security Architecture at Visa and Global Head of Information Risk Strategy at HSBC). He has built a success record of simplifying security decisions, delivering future proof information security strategies and helping organisations implement...
MZ Omarjee

MZ Omarjee

Head: Client Security and Moonshots, Standard Bank Group (South Africa)

Muhammed Zubair (Mz) Omarjee, is a former Enterprise Security Architect providing advisory to leading banking institutions in South Africa and abroad. He is instrumental in crafting technology strategies as it relates to digital transformation, mobile banking and cyber security. He plays a pivotal role in shaping information technology practices as a transformative business driven and risk-oriented discipline.

The nature of the cyber security risk is both complex and broad, and present in almost any part of digital operations making it a top non-financial risk. On a daily basis stakeholders are being faced with decisions on how to proceed with the implementation of the business strategy whilst providing a commensurate level of protection against ever evolving cyber threats and ensuring critical products and services operate within the desired risk thresholds. The accuracy, completeness and timely accessibility of the information required to determine the optimum way forward is more important than ever.

The session draws in from philosophy to illustrate how ancient wisdom can be applied to cyber security and risk management. Will illustrate how Socratic method, an interactive technique for establishing knowledge, allows us to test assumptions through honest dialogue, think differently and ultimately guide us towards better understanding the implications of decisions that needs to be made. The audience will experience how to draw strength from contrarian thought, and utilise it as a tool for both establishing ignorance and knowledge.

10:25 11S: Embedding Architecture to Keep Up With the Pace of Change Speaker(s): Gordon Jenkins

Gordon Jenkins

Head of Security Architecture, Admiral (UK)

Dr Gordon Jenkins heads up the security architecture team at Admiral Insurance in the UK. He has 25+ years’ experience in IT and security for large financial services organisations in the UK and US, across investment banking, life & pensions, asset management, and general insurance. He has worked as a security architect for the last 14 years, providing guidance to dozens of major business and infrastructure projects and helping to shape enterprise security functions.

The IT organisation around our team is making key structural and governance changes, including re-aligning to business value stream structures, migrating from waterfall processes to Agile change delivery, and introducing a new control framework. And these are just some examples.

To keep up with these changes, and this pace of change, we need to update our security architecture practices. We are aligning Security Architects with their Solution and Enterprise counterparts to maximise security “shift left”. We are embedding architects in value stream verticals and service horizontals to maximise our coverage with limited resources. We’re helping to share the definition and roll out of the new control framework, to ensure Architecture and Risk processes and artefacts are aligned from the outset. And to keep up with the pace of Agile, we’re taking first steps from point in time design docs towards living architecture artefacts, and re-learning what re-usable architecture means as a result.

In this talk I will explain how we’re tackling all of these changes, lessons learned to date and where we’re going next.

11:15 - 11:35 Morning Coffee

11:35 12A: It Is Not A Duck: How OT Differs from IT Speaker(s): Jan van Kemenade

Jan van Kemenade

Information Security Officer, Durmazon (Netherlands)

I’m a 61 year old dutchman with 35+ years experience in various roles in IT and 10+ years insecurity. Currently working, self-employed, as an Information Security Officer assigned to a (relatively) small company – a pension administration service that works for 40+ pension providers in the Netherlands. In the past I have worked for a number of companies, mostly in the financial sector. Once I start talking I’m hard to stop but I’m not that great at writing, so I’ll leave it at this.

The idea for this came to me today (March 21st) after having visited a dutch conference. It has been lingering in the back of my mind for some time but having seen the call for speakers in my Linkedin-feed this morning I decided to put it forward. On my way home I even came up with a title.

The core of my presentation is that there is a difference between IT and OT and that it should be treated differently, from a security perspective. In the past I have seen that large companies treat the OT they have (HVAC of camera surveillance systems) as if it were a regular IT system. Leading to frustation of both security professionals - trying to secure these systems - and facility departments – trying to operate them.

So I’d like to argue that the IT Security guy (with his ISO2700x of equivalt framework) is not the one to turn to when it comes to securing OT. It the OT Security guy with the IEC62443 certificate. And perhaps explain the basics of IEC62433..

I’d really like to start a discussion on why companies have their OT connected to the internet…

11:35 12B: Recovering Personal Privacy Through Web Decentralisation Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Outside China, Apple and Google control more than 95 percent of app store market share with the Apple App Store holding nearly 2 million and Google’s Play store holding nearly 3.5 million. The impact of this proliferation of apps and their everyday routine use, together with other web interactions, means that users’ personal data is spread widely on suppliers’ servers throughout the Internet.

This arrangement provides an enormous attack surface for malevolent actors. This array of personal digital data points is taking on a much more important role in personal identification than previously, with their compromise potentially leading to individuals losing control of their (digital) identity used by a large number of service providers.

In 1989 Tim Berners-Lee conceived the Solid (SOcial LInked Data) project as a way to give individual users full control over their personal data and the freedom to combine it or share it between applications.

Users keep their personal data in "pods" (personal online data stores) hosted wherever they choose. Applications that are authenticated by Solid are allowed to request data if the user has given the application permission.

2024 has seen the first substantial rollouts of this technology in Europe in the recruitment and healthcare sectors. In this talk we discuss the architecture and technical operation of Solid and whether it has the potential to disrupt existing business models where an individual data subject can become the data controller.

11:35 12S: The Grammar of Attributes, Requirements & ESA Speaker(s): Kirk Nicholls

Kirk Nicholls

Consultant, SABSA World (Australia)

Kirk is a security advisor with a focus on disaster and incident response exercises. He develops and manages exercise programs through the discipline of serious games, using research-based practice. Through the lens of serious games, simulation and a military background he enables clients to gracefully handle the unexpected.

‘Words mean things’, as Drill Sergeant once enthusiastically bellowed at me after failing to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for.

When undertaking any work as a risk professional, it is sensible to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain language expressions while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium.

12:30 13A: Contextual Trust: Trust In the Untrustable World of Connected and Autonomous Vehicles Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architecture, PA Consulting (UK)

Rob Campbell is a seasoned Enterprise Architect specialising in the security field, boasting over 30 years of professional experience, including a dedicated 27 years in Information Security. His expertise is anchored in security consultancy and architecture methodologies, primarily focusing on the EA domain. Recently, Rob has been actively engaged in many industries and organisations enhancing their information security frameworks, products, and services. Passionate about innovation and sharing...

The Connected and Autonomous Vehicle (CAV) sector is rapidly evolving, presenting unparalleled opportunities for integration and third-party data utilisation. This evolution, however, introduces significant challenges, particularly regarding the integrity and reliability of vehicle-generated data. The stakes are high: compromised data could lead to accidents, traffic disruptions, hinder emergency services, and more. This session delves into the technologies underpinning CAVs, upcoming enhancements, potential threats, and necessary controls. It will explore the intricate web of supply chain relationships, the data exchanged between stakeholders, and how these factors contribute to the sector's security posture.

A central theme of this presentation is the concept of "contextual trust" – a framework for assessing and ensuring the integrity of data in environments which could be considered untrustable. By leveraging contextual data points and blockchain technology, we can construct a more robust, trust-based model that safeguards against data spoofing, unreliability, and unavailability. This approach not only enhances the security of CAV operations but also underpins the development of safer, more reliable autonomous transportation systems.

Attendees will gain insights into:

  • • The current and future landscape of CAV technologies and the pivotal role of data integrity.
  • • The multifaceted security threats facing the CAV sector and the controls to mitigate these risks.
  • • The mechanics of contextual trust and blockchain technology in establishing a dependable data ecosystem.
  • • Strategies for implementing these technologies to foster trust and security within the untrustable facets of CAV operations.

This session builds on the Gordon Jenkins work presented at COSAC a couple of years ago but refocuses on CAV. It aims to equip attendees with the knowledge and tools to navigate the complexities of CAV security, focusing on the importance of trust and integrity in advancing the sector's safety and reliability.

12:30 13B: Telegram & Discord, A Wretched Hive of Scum and Villainy Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is a lawyer and computer security and privacy expert and a lawyer in Bethesda, Maryland and is the General Counsel of Threat Intelligence firm Unit 221B. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where...

In the sprawling digital landscape, platforms like Telegram and Discord have become pivotal arenas for threat actor communications, offering a blend of anonymity and accessibility that is highly attractive to the cybercriminal underworld. This session, entitled "Telegram and Discord - A Wretched Hive of Scum and Villainy," will peel back the layers of these digital ecosystems to reveal the dynamics of threat actor communities. The focus will be on understanding where these actors converge, the nature of their interactions, and the illicit activities they orchestrate within these seemingly benign platforms.

The presentation will navigate the complexities of infiltrating these communities, detailing strategies for gaining trust and gathering intelligence within networks that are notoriously wary of outsiders. Attendees will gain insights into the sophisticated methods employed by threat actors to safeguard their forums from prying eyes, including the weaponization of tools against security researchers, law enforcement officials, and others who venture too close.

A special emphasis will be placed on the gaming community, a vibrant and often-targeted sector where threat actors blend seamlessly with legitimate users, exploiting platforms and tools for malicious purposes. This segment will explore the unique challenges and opportunities that the gaming ecosystem presents for cybersecurity efforts, highlighting recent incidents that underscore the urgency of addressing these threats.

Moreover, the session will discuss recent U.S. criminal prosecutions that have brought to light the activities of cybercriminals operating within Telegram and Discord. These cases serve as a critical reminder of the legal and ethical considerations involved in tracking and engaging with threat actors, offering lessons for cybersecurity professionals navigating this treacherous terrain.

This presentation promises to offer a comprehensive overview of the digital underbelly that thrives on platforms like Telegram and Discord. Participants will leave with a deeper understanding of the methods and motives of cybercriminal communities, equipped with the knowledge to more effectively combat the threats they pose. Through a blend of technical insight, real-world examples, and strategic guidance, this session aims to empower attendees to confront the challenges of cybersecurity in the era of social messaging platforms.

12:30 13S: Seamlessly Traversing Shifting Boundaries Speaker(s): Jaco Jacobs

Jaco Jacobs

Director of Consulting Services, David Lynas Consulting (Netherlands)

Jaco is the Director of Consulting Services for David Lynas Consulting based out of the Netherlands. He has been a “security guy” for more than 25 years during which time he has provided security consulting services to many of the largest organizations around the world. He has spent most his career developing security IP, training and services for the largest global security providers as well as co-authoring several security publications.

The ability to cross boundaries is one of the most natural human behaviours, in fact, it is so natural and normal that we don’t even give it a second thought. Whether we walk out of our houses into public or walk into a bank or store from the street, we don’t even consciously think of the fact that we are crossing a boundary or that each boundary that we cross is beholden to a set of rules that we learn to follow from a young age. One can even go so far as to say that each of these boundaries defines and protects a zone. The Oxford dictionary defines a zone as “an area or stretch of land having a particular characteristic, purpose, or use, or subject to particular restrictions”. Why is it then that we make it so incredibly difficult for ourselves to define and traverse zones in modern business environments? In this session we will explore how we can use an adapted version of SABSA domain modelling to define and manage zones within a modern enterprise and use these zones to create and communicate security information flows and controls to stakeholders concisely and consistently.

13:20 - 14:00 Lunch

14:00 14A: Computer Crime Prosecutions As A tool To Stifle Dissent Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is a lawyer and computer security and privacy expert and a lawyer in Bethesda, Maryland and is the General Counsel of Threat Intelligence firm Unit 221B. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. This includes expertise in GDPR, CCPA, and US and international privacy laws and regulations. Earlier in his career, Rasch was with the U.S. Department of Justice where...

In an era where digital information flows freely, the boundary between public interest journalism and computer hacking has become increasingly blurred. This session will delve into the controversial prosecution of Timothy Burke, a journalist from Tampa, Florida, who faced legal repercussions for his investigative work exposing hypocrisy in Fox News' broadcasts, including interviews between Tucker Carlson and Kanye West. His case serves as a stark example of how governments and corporations are leveraging computer crime laws to suppress dissent and penalize whistleblowers and journalists.

At the core of modern computer hacking statutes are vague and ambiguous terms such as "without authorization" and "in excess of authorization." These phrases, initially designed to protect against unauthorized access to computer systems, have evolved into tools that facilitate the transformation of hacking laws into generalized secrecy laws. This presentation will explore the implications of such legal frameworks, highlighting how they are used to prosecute individuals for exposing government or corporate secrets, thereby stifacing critical journalistic endeavors and public discourse.

Furthermore, we will examine the historical underpinnings of these statutes, tracing back to common law trespass laws. The session will argue that concepts of property and trespass, formulated in the 14th century, are ill-suited to govern the complex, interconnected landscape of the 21st-century internet infrastructure. The presentation will critically assess the adequacy of these outdated legal foundations in addressing contemporary cyber challenges, arguing for a reevaluation and modernization of legal principles to reflect the realities of digital age.

This session aims to shed light on the precarious balance between safeguarding digital assets and ensuring the freedom of information and expression. By dissecting the case of Timothy Burke and the broader context of computer crime prosecutions, we aim to foster a nuanced understanding of the legal, ethical, and societal implications of using hacking laws as instruments to stifle dissent. Attendees will leave with a deeper appreciation of the need for legal reforms that both protect against genuine cyber threats and uphold the principles of democracy and free speech.

14:00 14B: Outgrowing Chaos: Transforming Security In Fast Paced Environments Speaker(s): Chris Blunt

Chris Blunt

Enterprise Security Architect, ESO (Northern Ireland)

Chris is the Enterprise Security Architect for a SaaS provider specialising in software and data analytics for health and fire services. He is a seasoned cybersecurity professional and is passionate about business-driven security and delivering pragmatic advice that enables organisations to achieve their business objectives.

Today, Agile and DevOps practices enable many organisations to develop and deploy software at an ever-increasing pace. At the same time, thanks to cloud computing, systems are becoming increasingly abstract and complex, making them difficult to secure.

We will discuss some of the real-world challenges facing security professionals in modern environments, including:

  • • Poorly defined roles, responsibilities, and authorities
  • • The pace of change
  • • The constant need to reinvent the wheel
  • • The amount of technical debt
  • • Busy work vs. meaningful work

This interactive session will explore strategies to address these challenges, including the following:

  • • Defining and implementing effective RACI models
  • • Fostering collaboration between DevOps and Security
  • • Integrating security into the DevOps Lifecycle
  • • Automating security activities
  • • Specifying reusable patterns
  • • Limiting and eliminating sprawl
  • • Evaluating and prioritising work
14:00 14S: A4 Reinvented: Recasting the SABSA A4 Advanced Course Speaker(s): Malcolm Shore

Malcolm Shore

Consultant, Offensive Security (New Zealand)

Malcolm had a career in the RNZAF before joining GSCB as the Director of Information Systems Security where he developed and managed the national information security programme. He was Technical Director at CES Communications where he was responsible for developing embedded cryptography products. He also held the role of Technical Director at BAE Systems Applied Intelligence where he managed the security evaluation, reverse engineering and penetration testing teams. He has held a number of Chief...

The A4: Advanced SABSA Incident, Monitoring & Investigations Architecture course has been listed as an advanced course but is rarely run and the current training material dates back to 2015. However, this course is arguably one of the most important areas of focus for advanced architectural attention. Despite the many cyber defence approaches that have been adopted in industry, cyber attacks continue to penetrate the preventative layer of controls. Having the operational aspects of an organisation’s cyber defences built as an integrated part of a solid architecture is key to minimising damage to the business and the executives running it.

The 2015 course covers monitoring, transforming log data, augmentation, and incident management and investigations. This presentation describes the changes that have been applied to bring the course to a 2024 perspective with the coverage of more advanced processes for threat hunting, current best practices in the existing processes, and introduces the architectural placement of contemporary tools in the component layers. In particular, it covers the emerging area of artificial intelligence in the form of LLMs, and addresses AI component augmentation in the architecture.

14:55 15A: Cybercrime – Does it Pay? Speaker(s): John Ceraolo

John Ceraolo

Head of Information Security, Skilljar, Inc. (USA)

John Ceraolo, an internationally recognized author, and speaker on multiple security topics including social engineering, security services and awareness, brings more than 30 years of experience in the information security industry. Ceraolo is currently the Head of Information Security at Skilljar, a Seattle-based customer education SaaS platform provider.

Our goal as security practitioners is to stop bad things from happening to the organization we have chosen to protect. When this happens and law enforcement is able to finally catch the bad actors, what actually happens? Do they get what they deserve or does cyber crime actually pay? In this session we'll look at this issue globally - is the punishment fitting the crime? What can we do to make this a crime that doesn't actually pay, or at the very least, comes with some significant risk? As with all COSAC presentations, this should spark a lively debate and hopefully can serve as a call to action to our governments to make a change.

14:55 15B: Security Awareness Training for Generative AI Speaker(s): Karel Koster,

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience is various information roles. He currently manages a global information security team for FedEx. Prior to FedEx Karel fulfilled positions as Head of information security, information security officer, security architect and operational risk manager within financial services companies.
John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Generative AI is remarkable for its ability to utilize extensive data to answer complex questions. However, in a business context, not all data should be accessible to everyone.

Human customer service representatives are adept at utilizing their comprehensive knowledge of previous cases and processes to respond to customer inquiries while safeguarding sensitive company and customer information.

In contrast, generative AI, in its default setting, strives to provide detailed answers and can inadvertently overshare information. This becomes a significant concern when handling customer interactions. The pivotal question then arises: how can one enhance the security of an AI model, ensuring both operational efficiency and data confidentiality? For seasoned security professionals like us, this entails adopting innovative approaches.

Join two COSAC regulars who will unveil their journey of deconstructing this challenge and reconstructing a solution. Participants will gain insights into current best practices for designing and implementing the following control objectives in AI:

  • • Data Sanitization and Filtering
  • • Privacy by Design
  • • Audits and Monitoring
  • • User Consent and Transparency
  • • Anti-Phishing Measures

Let’s enrich our biological intelligence with a skillset needed to secure the artificial one.

14:55 15S: Using the SABSA Enhanced NIST Cybersecurity Framework Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

Glen Bruce is focused on Security Frameworks, Strategies, Architectures, PKI and Governancesupporting business and governments in their approach to managing information and cybersecurityrisk. He has over 50 years of in-depth experience in IT and security consulting, systems management and technical implementations. He has led many information/cyber security engagements, where he has helped clients establish effective frameworks, strategies, governance, architectures, frameworks, policies, PKIs...

What is the best way to leverage the NIST Cybersecurity Framework (CSF) 2.0 when implementing or updating a SABSA developed security architecture? The NIST CSF 2.0 is a significant upgrade to the de-facto global framework for managing cybersecurity threats but it still lacks several of the essential elements for a robust cybersecurity program. The SABSA Institute (TSI) sponsored SABSA Enhance NIST Cybersecurity Framework (SENC) workgroup project is developing various tools, techniques and guidance to help your organization put the NIST CSF 2.0 to work.

This session is a high-level view of what the updated NIST CSF 2.0 provides, and a first look at what the SENC project is delivering to enhance implementation of the CSF. The SENC project is defining SABSA-specific guidance for leveraging the NIST CSF 2.0 including: developing the contextual architecture to front end use of the CSF with the SABSA attributes profiling process including a few example Attribute Profiles for selected industry sectors; a SABSA NIST CSF 2.0 Profile to include enhanced and additional CSF categories and subcategories aligned to the SABSA method; SABSA NIST CSF 2.0 Informative References that map the SABSA NIST CSF 2.0 Profile to the SABSA matrix; and a collection of SABSA-specific Examples for the CSF subcategories aligned to the SABSA NIST CSF 2.0 Profile.

Too often, the application of the NIST CSF focusses on the processes, technologies and controls while losing sight of managing the business value and risks involved. We will outline example content from the SENC project deliverables and what will be available to the SABSA community when the project is completed. The SENC project will provide specific recommendations for leveraging SABSA to apply and enhance the NIST Cybersecurity Framework 2.0 to help manage your organization’s business risk requirements.

15:45 - 16:05 Afternoon Tea

16:05 16A: 10 years, 10 cases, 10 Lessons Learned Speaker(s): Stephen Bowes

Stephen Bowes

Practice Director, BSI Group (Ireland)

Stephen cut his teeth in the financial services industry working his way up the technology stack from mainframe programmer (he wrote the code for the left-handed cheque book for AIB) through to Head of Technical Delivery with companies such as AIB, ACCBank, Anglo Irish Bank, IBRC and Bank of Ireland. Following the fallout of the banking inspired financial crash Stephen has spent the last 10 years on the other side of the fence with BSI Group Consulting Services engaging with dozens of clients...

In this highly graphical session, I will present a mostly anonymised journey across the threat landscape that businesses have had to endure over the last decade. Like a casebook of notes from the field I will cover the weaponization of the legal system, the malicious commercial director, the IT team who were a little too smart, the overly curious manager, one of the largest regulatory investigations ever undertaken, investigations, accidents, misconfigurations and consequences, a dalliance with state sponsored actors and finally and for the first time the Anglo Irish Bank story from the insider in the room. Covering retail, services, legal, manufacturing, financial services, regulatory bodies, and local government my intention is to inform, entertain and enable attendees to take home some food for thought and potentially incorporation into their organisations irrespective of vertical or technology stack.

16:05 16B: The Key Challenges of Adapting AI Governance Into Europe’s Data Protection Framework Speaker(s): Valerie Lyons

Valerie Lyons

COO, BH Consulting (Ireland)

Included in the ‘Top 100 Women in Cybersecurity in Europe’, Dr. Lyons is an accomplished and driven cybersecurity & privacy leadership expert, with 20+ years experience in financial services e.g., she served as Head of Information Security Risk in KBC Bank for almost 15 years. COO for BH Consulting since 2015, Valerie has a strong focus on team development and mentoring, with excellent collaborative and interpersonal skills. Valerie has an in-depth knowledge of European data protection law...

In the digital age, the proliferation of Artificial Intelligence (AI) technologies has transformed the way we interact, work, and conduct business. From personalized recommendations to autonomous decision-making systems, AI has permeated various facets of society, promising efficiency, innovation, and convenience. However, with these advancements come concerns regarding privacy, data protection, and ethical use of AI. In response to these challenges, regulatory frameworks such as the General Data Protection Regulation (GDPR) have been established to safeguard individuals' rights and regulate the processing of personal data. Yet, the evolving landscape of AI necessitates continual adaptation and augmentation of these regulations. Addressing this gap, the EU has recently formalised the introduction of the AI Act. This act aims to 1) establish a comprehensive framework for the regulation of AI systems, addressing issues of transparency, accountability, and fundamental rights and 2) provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. However, the act’s alignment with the GDPR presents a myriad of challenges. This presentation delves into the intricate interplay between the AI Act and GDPR, examining ten key challenges that compliance with the EU data protection framework presents for the use and development of AI tools and will cover topics such as:

  • • Overlapping Regulations: Analyzing the areas of convergence and disparity between the AI Act and GDPR, and identifying potential conflicts in compliance requirements.
  • • Data Protection and Privacy: Evaluating the implications of AI algorithms on data privacy and the extent to which they adhere to GDPR principles such as purpose limitation, data minimization, and data subject rights.
  • • Ethical Considerations: Discussing the ethical dilemmas arising from AI technologies and their impact on fundamental rights, including the right to privacy, non-discrimination, and autonomy.
  • • Regulatory Enforcement and Accountability: Examining the enforcement mechanisms under both the AI Act and GDPR, and the responsibilities of stakeholders in ensuring compliance and accountability.

By shedding light on the intersection and challenges posed by the AI Act and GDPR, this presentation aims to provide a comprehensive understanding of the regulatory landscape surrounding AI technologies, empowering organizations to navigate regulatory compliance while fostering innovation and ethical use of AI.

Key Learning Outcomes:

  • • An understanding of the key requirements of the AI Act that relate to GDPR.
  • • An overview of the opposing approaches to data protection in the AI Act and GDPR.
  • • An understanding of data subject rights, and data protection principles
  • • An understanding of organisations’ obligations under both the AI Act and the GDPR
16:05 16S: Dynamic Business Security Architecture Speaker(s): Mikko Larikka

Mikko Larikka

Senior Principal Consultant, Nixu, a DNV Company (Finland)

Mikko has over 20 years of experience in building and assessing security for continuously digitalizing business. Latest assignments relate to a world-class automated recovery requirements management for businesses in fields of energy, media, government, national security, health, and finance business. Mikko has a solid background: he started as in intern at Nixu in the early 00’s and worked with Active Directory, Symantec Enterprise Security Architecture, Digital Services Development and...

In the evolving landscape of business security, the integration of MITRE ATT&CK® framework plays a pivotal role in enhancing organizational resilience against cyber threats. Our approach leverages the MITRE ATT&CK® from understanding adversary motives to the implementation of mitigation strategies and ensuring robust protection mechanisms. We introduce the Critical Information Protection Strategy Dependency Map, a novel tool designed to navigate the complex interplay between business impact, adversary techniques, and mitigation procedures. This dynamic map begins with identifying business impacts and systematically links them to potential adversarial techniques. Subsequently, it aligns appropriate mitigation techniques and procedures, culminating in targeted assurance questions. This methodology ensures that mitigations are contextually relevant, activated based on the specific business context at the point of impact and adversarial interaction.

Key insights from our strategy include the importance of deep business knowledge through the identification and analysis of critical information assets in collaboration with technology users. Utilizing the MITRE ATT&CK® framework as a foundation, we optimize it to fortify business resilience. Our strategy emphasizes outcome-focused strategic planning to protect the business context against adverse activities, thereby safeguarding the company's financial health. Moreover, our approach eliminates redundancy and bias by employing an effective mapping process. This not only manages the intricate business context but also ensures the dynamic and consistent application of mitigation techniques across different layers of the business, adhering to the principles of Engineering Trustworthy Secure Systems. Our methodology stands as a testament to building secure systems that are both dynamic and aligned with business objectives, offering a comprehensive blueprint for organizations aiming to enhance their security architecture.

16:55 - 17:15 Refreshments

2023 Anthony Sale Memorial Session

17:15 17P: The Spy in the Coffee Machine Speaker(s): Mark Brooks,

Mark Brooks

Consultant , Strident Consultancy Ltd. (UK)

Mark Brooks is a consultant who specialises in advising the defence and security sector in the United Kingdom. He started his engineering career at British Telecom Research Labs in 1985 and joined the Foreign and Commonwealth Office in 1991, serving at home and overseas until he left in 2019 to join UK NACE (which he left in 2022). He now has several advisory roles and is a supporter of the National Museum of Computing at Bletchley Park.
Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Overtly Tony Sale was known for his outstanding engineering talents which he used to rebuild the WW2 code breaking Colossus and create the National Museum of Computing at Bletchley Park. However, during the Cold War Tony toiled secretly supporting MI5’s efforts to identify covert radio transmissions in the UK, signals which were used by hostile intelligence services working to undermine the UK Government and its allies.

This work was the precursor to modern technical surveillance counter measures (TSCM), an increasingly important field, and one that is practiced today both by Governments and commercial entities who are trying to protect their most sensitive information from competitors and hostile nations.

This paper draws upon TSCM principles to identify the threats from the Internet of Things (IoT) and how our dependence on 21st Century Personal Communication Devices and applications can expose our ‘signals’ to hostile state and organized crime actors.

We will explore the TSCM techniques in use today and how we can help protect from, or at least confuse, a modern attacker.

The question really is …. is there a spy in my coffee machine?

Plenary Session

18:10 18P: The COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community. Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • • Electronic submission: Send email to the rump session chair David Lynas at [email protected]
  • • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 2nd October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Drinks Reception & Dinner

19:15 Drinks Reception
19:45 Dinner & COSAC Prize Night