Welcome to COSAC - Conferencing the way it should be!

The COSAC agenda is selected by previous COSAC participants to ensure sessions are unique, timely, cater for the participative COSAC ethos and deliver value for experienced security practitioners. 


Tuesday 4th December 2018

09:30 - 10:00 Delegate Registration & Coffee

Plenary Session

10:00 1P: Welcome to COSAC - Premium Value : Exceptional Trust Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

Welcome to a unique and special event that is destined to become APAC’s premium annual forum for elite professionals.

This brief introductory session sets expectations for the week: it describes the COSAC ethos and trust culture, and sets the tone through interaction and participation.

We will also discuss the rules and conventions for sessions and discussions held under Chatham House Rule or subject to full Non-Disclosure.

10:40 - 11:00 Morning Coffee

11:00 2A: Engineering Resilience through Attribute-based Dependency Modelling Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Andy Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics and Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984. He is a registered expert witness with more than twenty years’ experience of forensically analysing and presenting computer and information systems evidence in a wide range of cases in both criminal and civil matters. He is a co-author of the book of SABSA...

Dependency modelling is a way of analysing risks to an enterprise. It uses a variety of different approaches to describe and predict how different systems components interact and interdepend with each other. Typically it provides graphical representations of these relationships that help systems engineers design and implement resilient systems.

A dependency model is based on goals and objectives and the prerequisites to satisfy these goals. It is a positivist, top down approach that contrasts with other models that focus on faults, disasters and failures.

I first learned of Dependency modelling many years ago having been introduced to the subject by Professor John Gordon. He had developed a toolset specifically designed to help systems engineers, among other things, model risks to critical infrastructure. I was particularly interested in how his techniques were based on 'good' things - goals that he called 'paragons' and the Bayesian engine he developed that enabled you to build a dependency model and then 'drive it in reverse' to infer the most likely elements to cause compromise of each paragon. It occurred to me at the time that there were great similarities between paragons and SABSA Business Attributes and that, when I had time, I would explore that further. I still have not made the time to do anything other than scratch the surface of how Attribute-based Dependency Modelling might fit in the toolkit of SABSA practitioners. Most recently I discussed it with another Professor in UK academia who was surprised there had not been much academic study of how that might work and who encouraged me to take a further look at it - she implied there's probably a PhD waiting there for someone.

In true COSAC style I expect this session to be more of a workshop than a lecture. I shall outline John Gordon's excellent work and use some examples to highlight how it can be applied to SABSA Business Attribute-based Dependency Modelling. I welcome participation from delegates who are expert in the field and others to whom it is new - I hope that between us all we might just produce a catalyst for some of us to work together to produce techniques and approaches that will make the design of resilient business systems easier.

11:00 2B: Betsy, Fluffy and Herd 51 Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

IT Practices are changing at a rapid pace and are impacting the way we need to look at information security. A few of the hot topics like cloud computing, Dev Ops, zero boundary systems, are perfect examples of this. In some ways we are doing the same old thing, but in a way that doesn’t look exactly familiar. Recently in a conversation with a cloud vendor engineer it was implied that my question regarding configuration management was, well, old fashioned. Why would we treat our application like a pet, which needs a high degree of care and maintenance, rather than as cattle that are maintained in large quantities, and according to the metaphor, individuals can be removed from the herd and replaced with no noticeable impact? (No animals were harmed in the making of this session) After a bit of research, it was clear that this analogy has been around for a little while, but more in the context of servers and now more recently for applications. In this session we will look at a use case of a cloud implementation where several of these concepts came together and were put under a high level of security and compliance scrutiny. We will look at some of the successes as well as the lessons learned throughout this engagement. Finally, we will have group discussion regarding how we as security professionals can embrace, or at least keep up with the progression of IT practices.

12:20 3A: Using SABSA for Cyber Resilience Speaker(s): Paul Blowers

Paul Blowers

CISO & Director, New Zealand Police & Hi-Spec Security (New Zealand)

Paul Blowers has more than 30 years’ experience in the Intelligence, Law Enforcement, Defence and Border Security environments and approaching 10 years as a SABSA® practitioner. He has spent the last 14 years in New Zealand, having worked in the USA, the UK and mainland Europe. Currently head of security for New Zealand Police, he also runs his own small company, Hi-Spec Security Limited, providing high-end consultation services.

Security Operations Centres manage cyber security incidents effectively every day... right? But what about those that occur on a grandiose global scale? How do you plan for the next WannaCry or the future NotPetya? They are almost impossible to predict but not impossible to plan for.

With the intensity of cyber security events increasing, the need for a consistent approach to cyber security incident response is non-negotiable. Underpinned by skilled staff, a good budget and the right technologies, a Cyber Security Incident Response Plan will lead to a stronger security posture and better overall cyber resilience, provided it is tested and exercised against real-world scenarios.

My presentation will demonstrate how SABSA can help with cyber security incident exercise planning contextually and conceptually in support of detect, response and recovery activities at the operational layer.

Based partly on international research and planning for such an event, I aim to use SABSA to answer key operational exercise planning questions such as: What assets are required? Why are exercises necessary? How will security exercise management services be deployed? Who will be involved? Which locations will be impacted? When will the event occur?

12:20 3B: The Journey to Artificial Intelligence Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

Advances in technology have made artificial intelligence (AI) a reality. This session will provide a cursory overview of Artificial Intelligence, explaining what Artificial Intelligence is through its various dimensions, its types and categories of applications. The session will briefly cover some use cases as well as some considerations in selecting the relevant AI solution approach. In addition we will look at aspects of how AI can be used as an adversary, and the emerging cyber threats targeting Artificial Intelligence.

13:30 - 14:30 Lunch

14:30 4A: In Search of the Elusive Securiton Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Cyber Security Adviser, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs. 

Early in my career, around 2001, I first heard the term “Securiton” used in the context of measuring effective return on investment for ICT Security Projects. “Securiton” was used, in a humorous way, as a fictitious measure of the outcomes of computer security projects to illustrate what we knew the executive wanted to hear to approve business cases for our projects.

We dreamed of being able to say:

“This project will make us 37 Securitons more secure at a cost of only $370,000 – a bargain at only $10,000 per securiton!”

Mark Twain has been quoted as saying “Humor is the good natured side of a truth.” And there is more than a grain of truth in the use of “Securiton”. We, as an industry, long for an objective measure that can help us explain our complex and technical subject to the executive in a meaningful way.

As Peter Drucker said: “What gets measured gets managed.” and it is time that we started building effective and objective measures within security.

This workshop will interactively explore the possibility of building such an objective measure for risk in our industry.

We will start with a look at how people, in general, approach the consideration of ordinary risks in a very subjective way.

We will then look at real known risks and threats in our industry and discuss how organisations measure likelihood and consequences, both subjectively and objectively, to determine “risk”.

We will then workshop the possibility of building a standard subjective measure for various known cyber security risks, considering a range of factors that might increase these risks in particular industries and organisations.

This session will be run as a workshop.

14:30 4B: The Missing Link - A Universal Security Capability Model Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, NBN Co (Australia)

Andreas is an Enterprise Security Architect for Australia’s national broadband network (NBN Co). At nbn he is responsible for defining Security Strategy and Roadmap across the organisation. Prior to nbn, Andreas has worked for Deloitte and HSBC in the role of Enterprise Security Architect, developing Enterprise Security Architecture Frameworks and solutions. Andreas is currently the Research Director on the ISACA Melbourne Chapter board and an industry advisor to various organisations.

Most organisations have a consistent need for adjusting to changing market conditions and new customer demands if they want to survive in the long run. As business objectives and priorities are adjusted in response to the market, organisations need to adapt and fine tune their business capabilities, including their security services. Security service gaps need to be identified and immature services need to be optimised, in order to survive the constant battle for supremacy.

From a security perspective, one of the challenges for organisations often appears to be that they have immature processes in place to quickly adjust their business, including their security services. While SABSA provides a mature methodology for the delivery of security architecture, organisations often struggle to implement a framework around it that optimises the delivery process itself. Further tools and processes need to be developed to address this issue and assist organisations in maturing and adjusting their security services faster and in a more efficient way. One of these tools could be a security capability model that complements the idea of a security service catalogue by providing a pre-defined security service taxonomy through the definition of meaningful security capability domains.

In this session we will be looking at an organisation-independent security capability model that defines a well-structured set of security capability domains and associated security capabilities. This model, as part of an Enterprise Security Architecture Framework, can assist larger organisations in more systematically assessing, communicating and transforming their security services landscape. The presented security capability model is based on experience gained through the implementation of similar models at various organisations across different industries. It has also been analysed against various control frameworks and their grouping of controls, which we also touch on.

At the end of this session, participants should be able to understand the value of such a reference model and how it can be utilised within an organisation.

The key takeaway from this session will hopefully be a new viewpoint on the importance of security governing structures when faced with the challenge of more systematically and efficiently maturing an organisation’s security architecture service landscape.

In the spirit of COSAC, this session is designed to be interactive and it will allow participants to share their experiences in similar circumstances, governing and maturing the process of continuous security architecture solution delivery in an organisation. This session will provide attendees with an insight into some issues that were encountered during the development of the model and the introduction into other organisations with a less mature security architecture framework in place.

15:40 - 16:00 Afternoon Coffee

16:00 5A: Enterprise Security Architecture: The Broker Between Strategy and Delivery Speaker(s): Ross MacKenzie

Ross MacKenzie

Head of Security Architecture & Design, Westpac (Australia)

Ross MacKenzie is the Head of Security Architecture & Design at Westpac Banking Group, and is responsible Globally for the delivery of security architecture, design and security capabilities. Ross has over 15 years of experience in the information security field, and is based in Sydney, Australia. He is also SCF & SCP certified.

An insight into the application of SABSA aligned Enterprise Security Architecture to create an organizational engagement model that delivers consistent security outcomes across the enterprise.

16:00 5B: Security Culture is Broken: Let's Fix it Speaker(s): Andrew Stephen

Andrew Stephen

All of Govt Enterprise Architect, Dept of Internal Affairs (New Zealand)

Over the past three decades Andrew has worked across many aspects of the information and technology industry, from deeply technical to security management and architecture. Today Andrew has a focus on improving security practice and the relationships between security functions and their organisations. His current work contributes to development of New Zealand government digital strategy and nationally significant digital service. 

At MIT in 1961 they had a problem. Their new operating system, the Compatible Time-Sharing System (CTSS), had many users sharing the same resources, and people were having trouble keeping their files separate from everybody else’s. To address this they implemented a new feature - passwords. A few months later a graduate student in need of additional computer time found a novel solution; he submitted an off-line print job to print the entire password file and simply started using other people’s accounts. Passwords have been a failed access control ever since.

For decades the security profession has been recommending security controls and practices that are impractical, unjustified, and often ineffective. We have inadvertently forced people to work around the very controls that we hoped would protect them just so they can do their jobs. We have based our advice on “best practice” mythology, and we have driven a cultural wedge between our profession and the organisations we are supposed to serve.

In this talk Andrew brings together 20 years of observation and contemplation of security practice and culture into a human-centric view of security that he hopes can re-shape how we think about security, help us to repair the damage, and deliver real value from our skills and knowledge.

17:20 6A: Bones, Nutshells & Breadcrumbs Speaker(s): Maurice Smit

Maurice Smit

Principal Consultant, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In this session I will take up the challenge to model a business requirement from the audience on the fly... with, of course, the appropriate input from the audience.

While doing so I will draw and populate the SABSA matrix in the order of our needs for the solution to fulfil the given requirement – SABSA in a ‘Nutshell’. As we go through the process of populating the ‘Bones’ of the solution I will discuss and share a few ‘Breadcrumbs’ (challenges, questions) that have come to light while presenting SABSA Foundation Courses around the World.

In keeping with COSAC ethos and tradition, this session anticipates a high-degree of participation and interaction.

17:20 6B: Are We Just Snake Oil Salespeople? Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

“We cannot solve our problems with the same thinking we used when we created them.” - Albert Einstein

Join me for a rant; I mean discussion, about the potentially damaging approach we continue to take to address the information security problems we face.

Information Security is not a science, in fact, I'd argue it doesn't even qualify as art. So, what is it then? The closest thing I can find to equate it to is folklore. Security solutions have been handed down from generation to generation, either as oral histories or enshrined in texts as 'best practices'. As a result, we employ the same control or combination of controls over and over again to address a particular security problem and expect different results, which as the old saying states is the very definition of madness.

I’ll discuss some standard information security practices and solutions, explore their origins before looking at whether they are even designed to solve the problems they are applied to.

I’ll then discuss why we need to abandon the status quo and refocus on our efforts on understanding the problems we are trying to solve or be condemned forever to be perceived as snake oil salespeople.

Networking & Dinner

18:30 Drinks Reception
19:00 Dinner

Wednesday 5th December 2018

09:00 - 09:30 Delegate Registration & Coffee

Plenary Session

09:30 7P: SABSA and Humankind Speaker(s): Maurice Smit

Maurice Smit

Principal Consultant, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

SABSA. You may have heard of it. You may not have heard of it. But did you know that when Security is considered to be a property of something else, this whole concept can actually be applied to anything and everything? To solve your problems! As long as there is a problem, of course. In this presentation you will see how SABSA could be used to solve problems in human life.

10:30 - 10:50 Morning Coffee

10:50 8A: Engineering; Architecture; Security: How SABSA Draws Disciplines Together Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Cyber Security Adviser, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs. 

The roles of engineers, architects and security professionals have evolved over time as very different and task specific professions. We often see these separate entities in a competitive light – An Architect may be trying to design and deliver a particular artistic outcome; the engineer may be trying to deliver a functional product, machine or system, and the security professional may be trying to lock down and protect a system.

In focusing on their specific goals, each discipline can lose sight of the bigger picture which should be about delivering successful outcomes for the client.

Each discipline may take a different approach, look at the task from a different perspective, use different tools, engage differently and focus on different priorities but, in reality, there is no single right approach to delivering outcomes as each engagement and assignment is unique.

Each engagement and assignment needs the right, unique, approach for that engagement.

As an engineer I think I take a pragmatic, results oriented approach, that some would argue is, at times, inflexible and black and white. Engineers tend to be problem solvers, have strong technical skills and a need to work things out. They are different to architects who tend to be creative, passionate, and easier going. And different again to security professionals who are often very technical, have a deep understanding of the system vulnerabilities and weaknesses, understand where the threats are coming from but who have, historically, taken a somewhat rule driven approach.

SABSA draws strength from each of these disciplines and provides a framework that blends these strengths in a pragmatic, results-oriented way.

This presentation looks at a number of engineering and security projects I have been involved with over my career and the engineering tools used to approach those problems and retrospectively applies some of the SABSA logic to that approach to understand how we could have achieved a better outcome. In doing so, this presentation will discuss a number of standard approaches we take to engineering and security problems and how these can be improved through an understanding of the SABSA approach.

10:50 8B: Smart Transport: Smart Security Speaker(s): Malcolm Shore

Malcolm Shore

Cyber Security Officer, Huawei (Australia)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand, where he held positions with the RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand and NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Transport is one of the key applications for the ubiquitous connectivity which makes up the internet of things. In this presentation an overall architecture for smart transport will be presented and sample use cases for remote driving and train communications will be mapped to the architecture.

The UK and Australian Rail Industry Safety and Standards guidance on cybersecurity will be presented, and also the X.805 telecommunications security architecture. Specific threats as detailed in the NIST LTE Security Guide will be included to provide the basis of the risk model.

The Smart Transport Security Architecture will be described, and mapped to the NIST Cybersecurity Framework.

12:00 9A: Leveraging Business Value Chains in Information Risk Management Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

The challenge of integrating business drivers and business impacts into an Information Risk (or Cybersecurity) Program can be an elusive task. It is mentioned in most risk management frameworks and is a common theme from industry strategy leaders. It sounds simple enough, but the actual implementation is usually anything but. Even with a solid approach, there are challenges in getting the business to buy-in, getting the right people involved, getting the right information, and then scaling and managing the information in a reproducible way for the enterprise. In this session we will look at an organization that has recently revamped its enterprise cybersecurity program and is intentionally striving to build a foundation that engages the business to this end using value chains. We will review how the organization is leveraging SABSA Risk Management and Architecture approaches to tie in existing risk management processes and control frameworks (Including NIST and HITRUST) to a vendor introduced process that engages business leaders to identify value chains and align them to information assets and systems. We will look at some of the theory and methods behind the approach, including some of the ways we had already introduced SABSA business attributes and risk management in the organization, and will look at how the use of value chains is integrating with, and complementing them. We will look at the process around building value chains, and also discuss the systems that are being used to support these activities. Finally, we will discuss the successes that we have seen so far, as well as the obstacles that had to be overcome (some to even get started) and that we anticipate as we continue down this path.

12:00 9B: Debunking GDPR Myths Speaker(s): Ahmed ElAshmawy

Ahmed ElAshmawy

Principal Information Security Consultant, Axenic (New Zealand)

Ahmed is a Senior Consultant at Axenic Ltd. He has significant experience as a trainer, as well as being a hands-on practitioner. He is a CERT-Certified Computer Security Incident Handler (CSIH) and an SEI-Authorised Instructor. He was previously a member of the technical team of Q-CERT, Qatar’s national Computer Emergency Response Team.

Surprise, surprise: the world did not end on the 25th of May 2018, or GDPR day as it became known. We haven't seen any organisations hit with a fine of 4% of their global revenue or several million Euros for a GDPR breach.

However, a lot of Australian and New Zealand based organisations believe they don't have to comply with the GDPR just because they are not based or do not operate in the EU.

In between both extremes, a lot of fear, uncertainty and doubt around GDPR has grown to confuse decision makers and professionals alike. From "expert" opinion to social media, it is more likely they will come across a range of GDPR myths and misconceptions than factual information.

For example, the term "EU citizen" (or just "citizen") did not appear even once in the official regulation text, yet many think that EU citizens' data is what GDPR is all about.

This session will discuss some of the key myths that are commonly repeated around GDPR using the regulation text as a reference.

13:00 - 14:00 Lunch

14:00 10A: Four Years at the Coal Face Speaker(s): Glen McCauley

Glen McCauley

Business Transformation Security Architect, Dept of Inland Revenue (New Zealand)

Glen McCauley - Security Architect since 1998. Through my career path I have been dealing with information security from a risk and architecture perspective. Engagements and activities are primarily in the Government and Financial services sectors. Projects have ranged from the security assessment of critical applications such as online reporting and Internet Banking through to the development of PKI systems for New Zealand's Electronic Passport solution.

Over the last 4 years I have been security architect on the project transforming the electronic processing systems for the New Zealand taxation department. This project has a mandate to re-invent the organisation from the ground up, including green fields applications and operating models.

We are investing heavily in a new PaaS based core platform, cloud based PaaS for new non-core services, SaaS cloud based solutions for back office functions and most critically, full adoption of Microsoft 365 capabilities.

As architect, I have been applying SABSA principles - well to use a Kiwi colloquialism - yeah nah! This talk will go through the journey we have been through and how SABSA has been applied, and where the shortfalls in applying SABSA have been encountered.

14:00 10B: Quantum Computing & SABSA

15:10 11A: 5G From a SABSA Viewpoint Speaker(s): Malcolm Shore

Malcolm Shore

Cyber Security Officer, Huawei (Australia)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand, where he held positions with the RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand and NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The emergence of 5G in its initial release will enable data services at up to 1.5Gb/s which will enable substantially more applications of mobile online services. 5G in this form is also known as Release 15 of LTE. However, this is just the beginning and with Release 16, the full 5G release, we will see massive machine type connections providing a next generation service for Internet of Things, and ultra low latency services will enable services such as real time control for transport, robots and remote surgery applications. There will, however, be an explosion of different applications that we cannot yet envisage. The potential of 5G has caused significant concerns in some governments to the extent that consideration is being given to ban the leading telecommunications vendors from selling 5G equipment.

In this presentation we will look at what 5G is and how it is secured. We’ll cover the new radio approach, the radio access network, and the core services. We’ll then take a look at 5G from a SABSA perspective to form a traceable and balanced risk model to enable robust decision making on security countermeasures.

15:10 11B: Dissecting Election Cyber Attacks and their Impact to Critical Information and Infrastructure Speaker(s): Gokul Srinivasan

Gokul Srinivasan

Associate Director, Control Risks (Australia)

Gokul is a cyber-security expert specialising in cyber threat intelligence, crisis management, incident response and cyber resilience. Gokul is interested in helping organisations understand the cyber implications of geo-political changes and the threats they trigger. He advocates taking a threat-led approach to building cyber resilience and incident response capabilities. Gokul has helped clients design enterprise security solutions in complex cloud and multi-tenant environments. 

There has been an exponential increase in the number and sophistication of cyber-attacks over the last few years. Nation states are increasingly using cyber as an instrument of power, and attacks on critical infrastructure can go beyond a catastrophic disruption to day-to-day business, and expose a calamitous risk to property and lives.

Sophisticated threat actors are using elections as an opportunity to cause disruption, influence voter perception, manipulate votes and shake public trust in government institutions and in the democratic process. An analysis of the elections conducted in different countries in the last 18 months reveals that there were incidents of cyber-attacks in all of them.

It is not just electoral commissions and government agencies that are being targeted. Threat actors are targeting a range of organisations including those in the supply chain directly related to the election and those who hold data on individuals who may be targeted in influence campaigns.

These cyber-attacks range from highly sophisticated nation state attacks such as breach of 90 million voter registration records of Mexican citizens to cyber activism that caused attacks on internet service providers and data centres in Iran. In some countries, misinformation campaigns on social media were run against specific organisations causing huge financial and reputational loss to them.

In this fast-evolving threat landscape, organisations often struggle to comprehend the nature of the threats they face: Who are the threat actors? What are their motivations? What are the risks to my organisation? How will the threat actors initiate cyber-attacks?

This intelligence will help security professionals predict the evolving threat landscape and implement appropriate protection measures at the right places.

Through case study examples, Gokul will provide an analysis of the cyber-attacks based on study of recent elections in Malaysia, Russia, Germany and Czech Republic. The analysis will include study of the geo-political situation in these countries, attack types, the threat actors, their motivation, the assets targeted and what organisations in other countries are doing to defend against such attacks.

16:10 - 16:30 Afternoon Coffee

16:30 12A: A Night at the Museum Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

Te Papa Tongarewa, the national museum of New Zealand, celebrated its 20th birthday this year and is in the middle of a $50 million renewal programme. The museum sector, like many sectors, believes that digital is the key to innovation and transformation. As part of the renewal programme, the CTO was charged with modernising the technology used by the museum to support and enable its digital ambitions. In addition to this, he was also tasked with providing the Board with an appropriate level of assurance that the information security and privacy risks associated with Te Papa’s use of technology are effectively managed.

In this talk, we will discuss how SABSA was used to develop and implement an Enterprise Security Architecture and Security Strategy for a complex and heterogeneous environment with competing and conflicting business requirements for security (funnily enough confidentiality is not the primary attribute for most of the museum’s information). However, we will also examine some of the other significant challenges that we had to overcome, including the absence of a business or enterprise architecture, organisation culture and communication style, and ageing technology infrastructure in dire need of modernisation.

This session will provide you with some real-world practical approaches for addressing both the real and perceived roadblocks to developing an Enterprise Security Architecture and Security Strategy that delivers value by genuinely supporting and enabling the business to achieve its desired outcomes.

Won’t you join us for a night at the museum?

16:30 12B: A Different Perspective on Security Assurance - Bug Bounties Speaker(s): Martin Choluj

Martin Choluj

Director of Security, Campaign Monitor (Australia)

Martin has over a decade of technical leadership experience in a consulting and practitioner capacity. He is a Director of Security at Campaign Monitor, where he focuses on hands-on management, assurance, cloud security and DevOpsSec practices.

There are many different ways to identify bugs in your code - penetration testing, code scanning, unit and integration testing, vulnerability management - just to name a few. Different methods deliver different quality, speed and ROI.

In this session we are going to look into bug bounty programs as another method for delivering security assurance.

In his talk, Martin will offer his perspective on running bug bounty programs as the main source of security assurance and cover the good and bad of crowdsourced security.

Plenary Session

17:40 13P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session at COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.net

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 5th December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner

Thursday 6th December 2018

09:30 - 10:00 Delegate Registration & Coffee

11:40 Morning Coffee
16:10 Afternoon Coffee

Workshop W1

10:00 1st COSAC APAC Design-Off Speaker(s): William Schultz, Jason Kobes

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 

This year we are bringing the highly successful Security Architecture Design-off to COSAC APAC! In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other about different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the COSAC - Ireland Design-off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set to provide context for the activities. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made up of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. The activity will involve skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement!

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may never have worked together before, they challenge the groups to overcome those challenges quickly and deliver actionable architecture. It can be done; this activity proves it.

Workshop W2

10:00 2nd Annual APAC International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 2018 iteration of the COSAC APAC International Forum will be a microcosm of the COSAC experience:

  • Seasoned security veterans trading ideas and opinions based on real experience in real situations
  • Practitioner heavyweights offering and defending their opinions, but ever-willing to help others and learn from each other
  • Trenchant analysis of recent security-related events and trends from perspectives illuminated by knowledge and experience

The moderator posits real-life scenarios, asks a question or two about relevant issues, then tries to not get in the way so that participants may discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experiential wisdom in the room.

Even at its COSAC Ireland inception, back in the pre-cloud, pre-Ransomware, pre-GDPR, pre-Cambridge Analytica and pre-IoT era, the overriding premise for the Forum was that “the most significant benefit of attending any conference or session is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems every day.”

That’s still just as true in Australia and New Zealand in late 2018. We’ve been facing some truly original problem scenarios, ones that could keep us busy 24/7 seeking viable solutions or workarounds. But we can’t devote all our time and resources to new issues because old ones keep rearing their heads and roaring, perhaps with updated verbiage and at different decibel levels from their original manifestations.

What makes the Forum so valuable is learning from the hard-earned skills, fortitude and wisdom of others who have run this gauntlet, perhaps several times, are facing similar challenges and know how to avoid or survive the tomahawks.

The Forum also gives us a chance to articulate our own issues and collect reactions from genuine practitioners rather than consultants looking for a lucrative engagement or to sell a specific product.

Come join us. Help solve the information security problems of the world and develop unerring (we hope) predictions for the future.

13:30 - 14:30 Lunch

Dinner & Networking

18:00 Drinks Reception
18:30 Dinner