Please see below the speakers for the 2018 ISACA Security & Risk Conference:
Brad Nix joined the Department of Homeland Security (DHS) in 2014 and has served as the Deputy Director and Acting Director of the United States Computer Emergency Readiness Team (US-CERT). In this capacity, he ensured the day-to-day operations aligned with the strategic focus on cybersecurity within the U.S. government. He led efforts to improve the nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks. In his current position, he is the senior advisor to NCCIC leadership, lending his expertise to the overall management and strategy of the U.S. government’s 24/7 hub for cybersecurity information exchange, incident response, and coordination. Prior to joining DHS, Mr. Nix served six years as the first Chief Information Security Officer (CISO) at the U.S. Department of Agriculture (USDA) Food and Nutrition Service. Mr. Nix has 20 years of IT and consulting experience with both small and large enterprise security programs with a focus on information security program development and assessments; governance, architecture, technical vulnerability assessments; and product assessments. Mr. Nix holds a master’s degree in Management Information Systems from the University of Virginia, and a bachelor’s degree in Business Administration from James Madison University. He is a Certified Information Systems Security Professional (CISSP) and an American Council for Technology / Industry Advisory Council (ACT-IAC) Fellow and former ACT-IAC Executive Committee Vice President at Large.
Dr. Lisa Bradley is currently the Senior Program Manager for NVIDIA’s Product Security Incident Response Team (PSIRT). Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. She has 5+ years of experience leading PSIRT programs, and previously worked at IBM for 17 years. Lisa has served as a spokeswoman for many tech-related events including the 2016-2018 FIRST PSIRT Technical Colloquium, the 2017 FIRST Annual Conference, and the Security Journey White Belt modules, and helped develop the FIRST PSIRT Services Framework and Training Videos. Lisa received her BA degree in both Mathematics and Computer Science from SUNY Geneseo. She also has a Master’s and PhD in Applied Mathematics from NC State University. Outside of her role with NVIDIA, Lisa has been an adjunct professor at local universities for the past 12 years.
Michael Wylie, Director of Cybersecurity Services, Richey Richey May Technology Solutions
Michael Wylie, MBA, CISSP is the Director of Cybersecurity Services at Richey Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, Moorpark College, California State Universities, and clients around the country. Michael holds credentials from certifying bodies such as ISC2, Cisco, VMware, Dell, EC-Council, CompTIA, and more. Twitter: @TheMikeWylie
The Costly Mistakes of Being Unprepared
Atlanta spent millions to clean up the ransomware attack earlier this year. Could the city have been better prepared? Would the damage have been so crippling? Lack of resources often leads to gaps in security posture, which in turn lead to costly and inconclusive incident response efforts. This talk will examine the recent Atlanta ransomware incident and how the city responded to it, using Atlanta as a case study in the costly mistakes of being under-prepared. The goal of this presentation is to give IT and organizational decision makers insight into the incident response process, its costs and outcomes, and how preparation can prevent costly IR efforts.
This talk will cover the following topics:
- The Atlanta ransomware incident and timeline
- Incident Response process
- The true costs of being under-prepared
Cloud Security on the Dollar Menu
Are we in the cloud yet? Yes. It’s not raining yet, but it will soon. In recent years, Fortune 500 organizations have suffered breaches and leaked data, making the cloud scary. If you’ve got the big bucks, you can get fancy toys with pretty dashboards to protect your cloud, but what about the rest of us on the dollar menu budget? How do we protect our cloud? This workshop will focus on basic AWS cloud security methodologies, benchmarks, and using free/cheap tools to blue-ify your cloud. The goal of this presentation is to make it easy to identify what organizations are doing wrong, to review historical incidents and what common mistakes have resulted in, and to show how IT/Security professionals can build a secure cloud environment while avoiding common pitfalls.
This talk will cover the following topics:
- Introduction to AWS
- Major breaches in history
- Common pitfalls
- Popular paid tools to secure AWS
- How to audit and maintain secure AWS clouds with little budget
20 years in security, from analyst to CISO and everything in-between, currently responsible for cyber and physical security as well as security components of regulatory compliance; member of the editorial board of ‘Cybersecurity: a peer reviewed journal’; Chair of the ICTC’s National Cybersecurity Leadership Council on Youth and Education; have an MSc in InfoSec from Royal Holloway.
Cybersecurity apprenticeship – tackling the talent gap
A case study for the creation of a cybersecurity intern/apprenticeship program in a large enterprise, from first concept to completion. It will describe the challenges that arose and how they were overcome, the impacts to the business, and improvements identified for the next iteration. The presentation will include discussion about sourcing prospects, labour relations, creating job classifications and other aspects of a formal program in a mature business. The goal is to provide attendees with some behind-the-scenes insight into the journey that will help inform their own organization’s forays in tackling the cybersecurity talent shortage.
Wilco van Ginkel is a seasoned professional and entrepreneur with in-depth knowledge and extensive international working experience in the field of Cyber Security, Big Data, Cloud, and AI. He has fulfilled various roles at strategic, tactical and operational levels within companies. He founded two Canadian organizations: a3i and Seculior. He also founded international organizations, such as the CSA Big Data Working Group and the CSA Dutch Chapter. Wilco is also the Program Director for Startup Moncton, NB. He enjoys being a public speaker, author and lecturer. Wilco holds Master’s degrees in Business Economics, Computer Science, Information Security, and Business Administration (MBA), as well as different certifications in AI and Cyber Security.
Trust or not to trust in AI – that’s the question!
Artificial Intelligence (AI) has become a fundamental and integral part of our (digital) society: a society where decision-making is becoming more machine- and data-driven, within all types of organizations across all types of industry. Although AI has great potential for our society, it is also our responsibility as human beings to design and use AI in a responsible way. That is: AI which can be trusted, not only for our generation, but in particular for future generations. Auditors will start to come across AI systems within their customer environments, and this will only increase in the near future, given the fast pace of AI. These are systems which are part of the customer’s business/operational processes. They will collect (private/big) data, process and store this data, and provide informed quantitative information to business/process owners to support them in their decision making. Or, in more and more cases, the AI systems make the decisions themselves. This leads to the fundamental question: can we trust these AI systems? It is a question which auditors have to answer (to a certain degree) as part of their due diligence, audits or assessments. But where do they start? Which questions need to be answered? Which approach can be used?
Rob Samuel is the Chief Cybersecurity Officer for the Province of Nova Scotia. He is responsible for the strategic planning, governance, alignment and delivery of cybersecurity and risk management services that enable public sector entities to adequately address their cyber-related business risks. Rob concurrently serves as the Chair of the National CIO Subcommittee on Information Protection (NCSIP), a Pan-Canadian group of cybersecurity leaders from Federal, Provincial, Territorial and Municipal public services and is also a member of the Microsoft Canadian Security Council. Prior to joining the Nova Scotia public service, Rob gained over sixteen years of experience performing a variety of technical, managerial and leadership roles in the private sector, as a federal public servant and as a proud member of the Canadian Armed Forces.
From Boardroom to War Room: Practical Application of the NIST Cybersecurity Framework
It’s imperative for security leaders to articulate the maturity of their cybersecurity programs and outline their plans and progress in improving security. Unfortunately, many security leaders struggle to clearly explain cybersecurity in a way that boards, executives and other stakeholders understand. This session will provide practical examples of using the NIST Cybersecurity Framework as a foundation to outline your organizational security maturity, facilitate informed conversations with executives and staff, articulate requirements and roadmap activities, track projects and report on continuous improvement.
Stop Cyber Threats with Adaptive Micro-Segmentation
Virtualization, the cloud, and the promise of containers have evolved the data center, bringing better application delivery and cost reduction. With these benefits come new risks that include increased East/West traffic and the potential for new cyber threats. Adaptive micro-segmentation is transforming and improving security inside data centers and clouds while speeding up application delivery.
In this session you’ll learn:
- How adaptive micro-segmentation enables security anywhere (on premises, AWS, Azure, etc.) on anything (bare metal, VMs, containers).
- How you can eliminate app delivery delays caused by traditional security approaches.
- How customers are using adaptive micro-segmentation to instantly protect high-value apps, separate dev and prod with one rule, take existing security policies to the cloud, and more.
From Assessor/Auditor to Executive -or- Aligning your security program to meet organizational objectives
Communicating cyber risk to executive management, and knowing how to engage in meaningful conversations with board members, is crucial for the adoption and effectiveness of any organization’s security program. Historically, CISOs present technical and security operations metrics to boards that struggle to fully understand the information presented and how it impacts their business. Changing the perspective of leadership, so that security is NOT viewed as technology spenders, cost centers and compliance chasers, will require a new approach. To achieve this, the security program needs to align with the organization’s business priorities and risk appetite, and also be effectively communicated to stakeholders.
Patrick McBride is Chief Marketing Officer at Claroty. As a frequent speaker and panelist, he brings more than two decades of cybersecurity experience and a unique perspective that combines his views across the various end-user, industry analyst and vendor roles he has served in. Prior to joining Claroty, he was the Vice President of Marketing and Communications at iSIGHT Partners (now FireEye). At iSIGHT Partners, Mr. McBride was responsible for defining the global threat intelligence market and was a key advocate for security professionals shifting from attack response to proactive preparation. Before iSIGHT Partners, Patrick led global marketing at privileged identity management company Xceedium Inc. Previously, he co-founded and served as the CEO of META Security Group, a security and compliance software and consulting company, and was a Senior Vice President of META Group (now Gartner), where he led the Global Research Team’s network security and IT operations practice. With nearly three decades of experience in cybersecurity, Mr. McBride is a frequent speaker at industry events. He holds a BS in Management and an AS in Computer Programming from Keene State College.
The Perfect Storm Driving Industrial Cybersecurity
Over the last decade, enterprises worldwide made great strides implementing a “defense in depth” cybersecurity strategy to protect important information assets and financial transactions from a range of threats. Meanwhile, the industrial control networks that run our critical infrastructure, power our modern society and underpin production of the products that drive revenue have been largely ignored. In this presentation we will discuss the “perfect storm” that is driving this new segment of cybersecurity. We will explore:
- What changed and why has securing industrial networks become important now?
- The state of the state with cyber readiness for ICS systems – including observations from the front line.
- What approaches are companies taking to protect critical industrial control system networks?
Victoria McIntosh is an Information and Privacy professional residing in Halifax, Nova Scotia. With over six years’ experience, she is committed to assisting clients with strategic privacy practices, data governance, and information management. Victoria has received an honours BA in History from Mount Allison University and an MLIS degree from the University of Western Ontario, and is certified by the International Association of Privacy Professionals as an Information Privacy Technologist. Presently, Victoria operates as a freelance consultant under her business name, Information in Bloom Management Services.
Mirror, Mirror, on the Wall, Is Facial Recognition the Right Authenticator for All?
From authorizing employee access to snapshots of children enjoying summer camp, the adaptation of biometric technology is increasing in a big way. While we’ve been identifying individuals by their fingerprints since the 1800s, current and future trends show possibilities we never could have dreamed of, including opening personal devices with a smile. It’s not all fairy tales and happy endings however: if you have customers debating on the merits of adding biometrics as a security feature, you’ll need to walk them through reality. Are they aware of the challenges and risks of the technology, including inherent limitations and legal roadblocks? Do you have a toolkit ready, including foundational questions and auditing standards to help? Information and Privacy Professional Victoria McIntosh steps through the looking glass into a future that is already here, with the good, the bad and the ugly of biological identification technology.
Darryl is an Information Security Manager with Securicy and has been involved in the IT security industry for the last 18 years, most recently working as a QSA and risk assessment specialist. He has presented at the Atlantic HTCIA IT Security Conference, Halifax Area Security Klatch (HASK), Security B-Sides St. John’s, and the ISACA Atlantic Provinces Chapter Information Security & Risk Conference. He also sits on the Board of Directors for the Atlantic Security Conference (AtlSecCon) and is the former Lead Organizer for the Security B-Sides Cape Breton conference. He currently holds CISSP, CISA, and CCSK certifications.
The Security Questionnaire: To Do or Not To Do
A large company wants to purchase your startup’s product. They’ve sent over a substantial security questionnaire. It has a large number of mostly irrelevant questions about your product, technology, and company… and the customer won’t budge until they see answers. On the other hand, they could be good questions, and you don’t have good answers yet. For most startups (and even some well-established companies), the questionnaire is the first time they’ve really considered their own security practices. Having recently gone through this exact process, I will provide valuable guidance on how to successfully navigate the minefield that is the epic security questionnaire.
- Does your startup have a security program?
- Is it a distraction, or a call to action?
- A questionnaire doesn’t care about your actual risks.
- You might not have to fill out the questionnaire!
- Your answers are just one part of the process.
- Questionnaires will lead to a compliance conversation.
Roger G. Johnston, Ph.D., CPP is head of Right Brain Sekurity, a small company in the Chicago area devoted to security consulting and vulnerability assessments. Roger received his Bachelor’s Degree from Carleton College in 1977, and his M.S. and Ph.D. degrees in physics from the University of Colorado in 1983. Dr. Johnston was founder and head of the Vulnerability Assessment Teams at Los Alamos National Laboratory (1985-2007) and Argonne National Laboratory (2007-2015). He has provided consulting, training, vulnerability assessments, and R&D on security for over 70 companies, NGOs, and government agencies, including IAEA, DoD, DOE/NNSA, NSF, Department of State, and intelligence agencies. Roger has won numerous awards for his work. He holds 10 patents, has authored over 200 technical papers and book chapters, and has given 90+ invited talks, including 6 Keynote Addresses at national and international conferences. Dr. Johnston has frequently been interviewed for his views on security by bloggers and journalists (Harper’s Magazine, CNN, CNBC, BBC, VOA, Wall Street Journal, etc.). Dr. Johnston serves as editor of The Journal of Physical Security.
How to Have Lousy Security: A Vulnerability Assessor’s Perspective
I’ve conducted or directed hundreds of vulnerability assessments over the past 30 years on a wide variety of different security devices, systems, and programs. The same kinds of general security mistakes and vulnerabilities pop up time and time again. This talk discusses these problems and suggests effective countermeasures. These frequent security blunders fall into the following categories: poor physical security for cyber systems; having unwarranted faith in “Security in Depth” (“Layered Security” or “Defense in Depth”); believing myths about security vulnerabilities; not conducting true vulnerability assessments (including confusing them with other analyses such as penetration testing, “Red Teaming”, security surveys, security audits, etc.); confusing high-tech with high-security; having unwarranted faith in encryption; relying on compliance-based security; confusing control with security; fostering a poor Security Culture; having poor insider threat mitigation; failing to deal effectively with cognitive dissonance; failing to exploit psychological research to optimize security; and failing to consider unconventional security metrics (some of which will be briefly discussed).
Shira’s background is as a security researcher and technical expert with a focus on Threat Intelligence. Shira began her cybersecurity career by spending 13 years as a military officer in the elite intelligence unit 8200 of the Israel Defense Force and has extensive hands-on, front-lines experience. Shira has a Bachelor of Science degree in Engineering from Tel-Aviv University.
Grant has more than 30 years of experience in sales, marketing, business development and management in enterprise software with the last 20 years focused within security. Grant held worldwide evangelist roles at Check Point Software Technologies and more recently Blue Coat Systems, Inc. where he was Director of Evangelism.
Gone in 127 Minutes – Why Ephemeral Infrastructures Need Native Visibility, Security and Compliance
What was once considered radical as few as five years ago has now gone mainstream: enterprises are moving their data centers and workloads to the public cloud. According to Gartner, among public cloud services, the fastest growing segment is IaaS, forecast to grow 35.9 percent in 2018 and to reach $40.8 billion. One of the key benefits fueling this transformation is the increased agility IT organizations achieve. And, with cloud-native ephemeral services such as Amazon Lambda functions as well as other cloud-native platform components (RDS, Redshift, ELB, ALB, ECS), the efficiency and agility have a consequence. With the life of an average public cloud server being only 127 minutes, using traditional on-premise tools and approaches for network traffic attribution and threat detection within your cloud data center is folly. Learn why cloud-native ephemeral services require new approaches and new tools in order to obtain a complete snapshot across time of your cloud infrastructure. Organizations can no longer depend on on-premise threat detection tools, and the once popular ‘lift and shift’ strategy simply doesn’t work and cannot be relied upon.
As the use of public cloud continues to go mainstream and becomes expected, enterprises need to anticipate the changes and challenges they will face as they scale their use of public cloud, especially with regard to security as they move to a Shared Responsibility model. According to Gartner, “Through 2022, at least 95% of cloud security failures will be the customer’s fault.”
During this session we will combine real-world use cases, familiar dialogue (which we expect you have either heard or participated in) between senior management and the front lines, and humor to highlight the sometimes drastic and often nuanced differences between operating an on-premise data center vs. operating a data center running in the public cloud. All will be in the context of security and securing your use of public cloud(s) as your data center and for running critical workloads. We will specifically identify the top three obstacles/challenges when operating a data center in the public cloud(s). We will demonstrate, with multiple examples, why virtually all cloud security failures will be the customer’s own fault. We will also outline and clearly articulate best practices enterprises can follow to avoid introducing potential security vulnerabilities.
With 16+ years of experience in roles at both the business and technical level, Trevor is a customer-first thinker with a rare mix of business and technical acumen, making him as comfortable in the boardroom as he is on the data centre floor.
Leveraging Intelligent Cloud Security for Great User Experiences
For years, IT had a choice: you could be secure, or, you could be productive, but you couldn’t be both. The move of traditional IT workloads out of the data center and into the cloud has necessitated changes in security approaches. With an attack perimeter that is now effectively anywhere on any device, we cannot limit our focus to a narrowly defined boundary. Initial attempts to apply traditional security controls in these new cloud environments had significant negative impact on user experience driving users to find ways to work around the controls. With the release of a new generation of cloud-based security solutions that protect your business users, data and devices without sacrificing user experience, the landscape has changed. Ultimately the best controls are the ones that exist without the user even knowing they are there. Examples discussed and reviewed will include:
- Mobile Application Management vs. Mobile Device Management
- Conditional Access
- Risk Based Analysis vs Constant Password Cycling
- Extending SSO to SaaS Apps
- User Enablement and Awareness
How stealthier attacks are blurring the lines between cybercrime and statecraft
Join CrowdStrike as we reveal some of the most alarming tactics, techniques and procedures (TTPs) being employed by today’s highly sophisticated adversaries. This session addresses the enhanced risks companies face, how organizations should leverage security capabilities and resources to best defend their assets and how a robust intelligence program separates the strong from the weak in operational security.
- The current global threat landscape and some of the latest cyber trends that have been uncovered by a team of elite intelligence professionals
- Some of the most advanced tactics, techniques and procedures (TTPs) utilized by nation-state actors, which are finding their way into mainstream criminality – these are an indicator of what to prepare for
- Best practice strategies you can implement to best protect your organization from increasingly sophisticated attacks
Sean Keef is a security technology professional with a passion for teaching and a talent for simplifying difficult technology concepts. His career in networking and security spans three decades and has brought him in contact with a vast array of enterprises in financial, manufacturing, retail and technology. Keef has been with Skybox for six years, advising customers and serving in various technical roles, including sales engineer, technical educator and technical field consultant. Keef now serves as the Global Director of Technical Product Marketing, where he frequently meets with customers in the field to gather insight on their security strategy, as well as day-to-day workflows and processes. He uses that insight to influence the direction of Skybox’s product development. Prior to joining Skybox, Keef worked a very long stint at IBM and has worked with several startups.
Analytics-Driven Automation for Better Attack Surface Management
Security automation includes a wide range of technologies, many of which can help shrink the attack surface by driving improvements in firewall and security policy management and vulnerability/threat management. However, whether you’re struggling with compliance and network changes, tasked with auditing and reporting, or grappling with vulnerability discovery and prioritization, deciding where to automate is challenging.
Join Sean Keef, Global Director of Technical Product Marketing, Skybox Security, to examine where automation makes the most sense and why it’s essential to effectively controlling and managing your attack surface.
- How automation can be used to merge myriad data sources that contain information about your network — including on-prem, multi-cloud and even OT
- How this can then be turned into a “queryable” network model that can be used for things like path analysis, attack simulation and more
- Which critical workflows in firewall and security policy management are ripe for automation, such as change management
- Why analytics-driven automation is needed to analyze vulnerabilities in the complete context of your attack surface
- How automated analysis can identify the best vulnerability remediation options — and not just available patches
Patrick has spent over 25 years leading internal audit, business resiliency, strategic planning, process improvement and related activities at Fortune 500 companies in both practitioner and consulting roles. He is currently a GRC Strategist and subject matter expert for RSA Archer Audit Management and Business Resiliency solutions. Patrick has developed a broad perspective working with analysts, partners and customers spanning such industries as financial services, higher education, manufacturing, high-tech, healthcare, media and hospitality.
EMBRACE Risk in your Digital Transformation Journey
Business Risk Management is really about ONE GOAL – helping the business grow. Companies are constantly on the lookout for opportunities – quicker speed-to-market, digitization of the business, and becoming data driven are some of the top priorities for growth. Most, if not all, organizations today are using technology to fuel their growth; this is called Digital Transformation. While executives see technology as a key growth opportunity, this universe of growth activities also has a ‘parallel universe’ – the Risk Universe. For example, cybersecurity is a constant concern at the management level, and the perception that security functions are falling behind is fueled by a variety of reasons – technology gaps, skills shortage, high visibility breaches, and significant costs associated with incidents. Management also has a common perception that risk management groups are falling behind, which is why so many organizations are focused on improving risk processes. However, risk management is not just about protecting value but about helping the organization move towards opportunity: managing risk in the context of business strategies and objectives.
Attend this interactive session to learn how your risk program can rely on better data, more consistent processes and better reporting. As new risks continue to appear, learn how the business can be agile and move faster. Finally, learn how organizations can not only better leverage expert support in your risk/compliance/security functions (2nd and 3rd Lines of Defense) but also groom their own internal business resources (1st Line of Defense) and engage those closest to the risks as part of the risk management strategy.
Alina Matyukhina is a cyber security researcher and 3rd-year PhD candidate at the Canadian Institute for Cybersecurity (CIC). Her research work focuses on applying machine learning, computational intelligence, and data analysis techniques to design innovative security solutions. Before joining CIC, she worked as a research assistant at the Swiss Federal Institute of Technology, where she took part in cryptography and security research projects. Both her B.S. and M.S. were completed in Math and IT. During her studies she was awarded 2 gold medals as well as 3 silver medals in national and international competitions. She has been named “Young Scientist of the Year” and one of the “Ten Outstanding Young Persons of Ukraine”, and received the “Yale Science & Engineering Association Medallion” for her contribution to the field of mathematics and computer science.
Anonymity and security in blockchain
Anonymity in blockchain is a complicated issue. Within the system, users are identified by user accounts (public keys only). An attacker wishing to de-anonymize its users will attempt to construct the one-to-many mapping between users and public keys and associate information external to the system with the users. Blockchain tries to prevent this attack by storing the mapping of a user to his or her public keys on that user’s node only, and by allowing each user to generate as many public keys as required. This session seeks to better understand anonymity in blockchain and the traceability of smart contract flows.
I am a Manager in KPMG’s management consulting practice and I specialize in risk management. My experience includes supporting business leadership through a wide range of key strategic, transformational and operational initiatives and providing pragmatic solutions to IT and business risks. I also hold the certified information systems auditor (CISA) and certified business continuity professional (CBCP) designations, and as such I bring a strong background in overall risk and control frameworks, business resilience, disaster recovery planning, business impact analysis, and business continuity planning.
A practical approach to business resilience: crisis management, business continuity and disaster recovery
Every organization must plan for the worst to ensure they preserve shareholder value and continue to meet the needs of their stakeholders. Significant business interruptions can come from various sources ranging from a cyber-attack to natural catastrophes or even intentional sabotage by insiders. Organizations are expected to have safeguards and response/recovery plans to ensure their survival and continuity of operations in the event of a significant business interruption, however, business resilience is often perceived to be a large undertaking that requires a great deal of effort and investment. This presentation covers practical approaches to achieve a foundational level of business resilience – on a budget.
Business resilience covers three domains:
- Crisis/emergency management: the processes by which an organization deals with sudden emergency situations, e.g., cyber-attack, active shooter, site evacuation, media scandal, etc.
- Business continuity: the capability of the organization to continue delivery of products or services at acceptable pre-defined levels following a significant interruption, e.g., after loss of facilities, loss of personnel, loss of suppliers, etc.
- IT disaster recovery: the capability of the organization to recover its systems and access to its data in the event of a significant IT-related interruption, e.g., prolonged/permanent loss of datacenter, workstations, network connectivity, etc.
Sunny Jamwal is a Senior Security Consultant for MNP’s Cyber Security team. With over 10 years of experience, Sunny has extensive knowledge of information security, networking, and related information technologies allowing him to quickly and knowledgeably inspect system architectures, identify vulnerabilities, assess risks and recommend safeguards to reduce and mitigate risk to information assets. Sunny has acted as the primary technical lead and subject matter expert on numerous Cyber Security Assessments for various private and public organizations in government and industries such as retail, finance, insurance, manufacturing, computer, communication, utilities, healthcare, and business services.
Subsistence* Living using PowerShell and WMI
The information security industry has seen a shift as attackers move from zero-day vulnerabilities to social engineering as a means of gaining unauthorized access to an organization. Some experts have attributed this to improvements in secure software development, bug bounties, ASLR, DEP, etc. However, this shift could also be attributed to the ever-increasing use of technology for daily activities. Technology has become a part of every aspect of our daily life, from paying bills and shopping online to subscribing to streaming services, and all of this is handled primarily through email. Email has replaced traditional forms of communication and is the primary mode of communication for our personal and professional lives. Attackers know this and abuse it for exploitation.
Once attackers are successful in abusing email as an attack vector, the next step is to gain and maintain access to the system. An attacker has two primary methods to achieve this: either write custom malware or use system tools. Writing custom malware takes time and resources, and there is always a risk of getting caught. System tools provide not only stability but zero risk of being flagged as malware. Moreover, custom-built malware always carries the risk of not working due to system dependencies, whereas system tools are immune to this problem.
PowerShell and WMI are powerful technologies designed by Microsoft for streamlining administrative workloads; however, attackers are abusing these technologies for malicious purposes. PowerShell has been installed by default on the Microsoft Windows operating system since Windows 7 and Windows Server 2008 R2. WMI has been part of the Windows OS since long before the author bought his first computer, since the NT 4.0 SP4 era (as an out-of-band download). Since WMI and PowerShell are built-in system technologies, it is nearly impossible for traditional security tools to distinguish between legitimate and malicious use of them. While WMI remains elusive, PowerShell has recently gained momentum among system administrators automating their workloads, making it even more likely for malicious activity to fly under the radar.
PowerShell is a command-line utility built on top of the .NET Framework. PowerShell contains a number of cmdlets to carry out various tasks, and new cmdlets are added with each new version of PowerShell. System administrators can easily automate workloads using PowerShell. PowerShell remoting can be used by administrators to execute commands on multiple computers without having to log into each system and run the commands individually.
WMI is Microsoft’s representation of system information, following the Web-Based Enterprise Management (WBEM) standard built on the Common Information Model (CIM). In layman’s terms, WMI is a database which contains information about the system. A powerful feature of WMI is WMI eventing. WMI eventing provides the capability to generate alerts on every major or minor change to the system, and in turn response triggers can be configured for an alert. A response can be anything from simply generating a log entry to executing a command or script. An attacker can leverage this to execute a command or a script based on an event.
PowerShell and WMI are legitimate system tools, making it impossible for defenders to block them. Logging is not enabled by default for either PowerShell or WMI; however, once logging is enabled, PowerShell and in particular WMI can generate copious logs, overloading the log management solution and the SOC team. The purpose of this talk is to educate the audience, including defenders, about PowerShell and WMI. We hope this will help them to think like an attacker and be creative in implementing controls to flag malicious use of PowerShell and WMI.
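A defender-side check for the two mechanisms this abstract describes, added here as an example and not the speaker's code: it inventories permanent WMI event subscriptions (filter, consumer, binding), confirms PowerShell script block logging is on, and pulls only the event IDs worth a SOC's attention rather than the full log firehose. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later (where the WMI-Activity operational log records subscription creation); the regex of script-block keywords is a constructed starting list, not a detection signature from the talk.

```powershell
# Added example (not the speaker's code). Assumes an elevated session on
# Windows 10 / Server 2016+. Registry paths, class names and event IDs are
# Microsoft's documented ones; the keyword regex below is constructed.

# 1. Inventory permanent WMI event subscriptions. Each one is three linked
#    objects in root\subscription: an __EventFilter (the WQL trigger), an
#    __EventConsumer (the action) and a __FilterToConsumerBinding tying them.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    [pscustomobject]@{
        Filters  = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                   Select-Object Name, Query
        # The two consumer types that run a command or a script are the ones
        # that matter for "execute something when an event fires".
        Commands = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
                   Select-Object Name, CommandLineTemplate
        Scripts  = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
                   Select-Object Name, ScriptingEngine, ScriptText
        Bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                   Select-Object Filter, Consumer
    }
}

# 2. Check (and optionally enable) script block logging, which writes the text
#    of executed script blocks as event 4104 in Microsoft-Windows-PowerShell/Operational.
function Test-ScriptBlockLogging {
    param([switch]$Enable)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if ($Enable) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -eq 1)
}

# 3. Query only the two event IDs that matter here instead of everything:
#    5861 = a permanent WMI subscription was created; 4104 = script block text.
function Get-SuspiciousEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $wmi = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861; StartTime = $since }
    # Constructed keyword list: common download-and-run idioms seen in logged blocks.
    $pattern = 'DownloadString|FromBase64String|-EncodedCommand|\bIEX\b'
    $ps = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } |
        Where-Object { $_.Message -match $pattern }
    [pscustomobject]@{ NewWmiSubscriptions = $wmi; SuspiciousScriptBlocks = $ps }
}

Get-WmiPersistence
Test-ScriptBlockLogging
Get-SuspiciousEvents | Format-List
```

Run the inventory on a known-clean baseline first; legitimate software (including some management agents) registers its own subscriptions, so the value is in diffing against that baseline rather than in treating every binding as hostile.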
Garry Coldwells has over 25 years of cyber security experience. In this time, he has held many industry certifications, including the CISSP (1997). His projects have ensured that governments and enterprises architected and deployed security technologies of significance. Garry has spoken at security conferences, delivered training courses and has been a regular panel participant on cyber security and blockchain technologies. As manager of a system engineering team at Palo Alto Networks, Garry currently oversees a diverse group of highly skilled SEs who cover finance, retail, government and technology projects of global scope.
The imperative for auditing of admin rights and storage in cloud deployments
This talk will discuss the cloud security landscape (SaaS/PaaS/IaaS) and some common mistakes, with examples of unintended data exposures. Auditing of cloud deployments, covering both the data storage component and the administrative rights aspect, is essential to ensure that provisioning, deployment and maintenance are all within acceptable guidelines. The ability to swiftly audit, validate and respond to cloud deployments is critical to trusting that what we put in other people’s infrastructures is sound.
Greg Young has 30 years of IT security experience and is Vice President of Cybersecurity for Trend Micro. He has been an analyst and Research Vice President with Gartner for 13 years, headed several large security consulting practices, was CISO for the Department of Communications, Chief Security Architect for a security product company and was a Captain in the military police and counter-intelligence branch.
He received the Confederation Medal from the Governor General of Canada for his work with smart card security, was named in the “12 Most Powerful Security Companies” and as one of “100 Most Powerful Voices In Worldwide Security”. Greg too often mentions he was an extra in 2 episodes of Airwolf.
A Crash Course in Getting Security Right in 2019
There is a lot going on in security. We can’t know, do or afford it all, so what is truly important? It turns out that many of the things we are being told are important are not, and much of what is minimized is actually a big deal. Greg Young presents what the attackers and enterprises are really doing, and what is important in the security realms of risk, cloud, IoT, and threats in 2019.
Lilly works with GoSecure on Threat Intelligence and started her journey mostly self-taught, making hacking tools in her spare time: Chameleon (custom base64 steganography), Badger (DLL security enumeration including ASLR entropy), Dirty-Needle (DLL injection tool) and more. She has presented at the Atlantic Security Conference on PE file structure security enumeration and custom base64 steganography, and at Hask (Halifax Area Security Klatch) on using file upload vulnerabilities to obtain shell access to a webserver using injection techniques. She has also presented at Digital Discovery Camp for kids on phishing awareness and SQLi with interactive demos, helping children understand cyber security and how to keep an ethical approach, while at the same time making cyber security a more attractive profession to young people.
Don’t RAT me Out
Dive into the world of RATs in lower level programming languages. Learn what tricks malware developers use to evade detection and annoy reverse engineers. We will also discuss challenges when detecting command and control communications in more complex RATs and enjoy live demos to showcase these concepts.
Erik Denis is the University of New Brunswick’s Senior Cybersecurity Officer. He is a graduate of the University of Ottawa (1997-Political Science and History) and the Université de Moncton (2000-Law). Erik began his career as a lawyer at a major Atlantic Canada Law firm concentrating his practice on civil litigation and privacy law. He then joined the Government of New Brunswick as a policy analyst and legislative drafter for various projects including the current Right to Information and Protection of Privacy Act. Before moving to UNB in 2014 as its Records Management, Access and Privacy Coordinator, Erik was a stay-at-home father with his young son.
Early stages of a cybersecurity awareness program: How UNB is addressing the urgent need for better cybersecurity awareness throughout the organization
We’ll discuss the tools, methods and results we’ve been able to achieve. I attach my presentation slides for your convenience.
Peter is a Director in KPMG’s Risk Consulting – Cyber Security practice. He is a senior cyber security professional with over 20 years of experience focusing on information security risk management, cyber threat incident response, threat hunting, malware analysis, and computer forensics. Peter has worked in senior positions for a number of organizations, including a national telecommunications and media company, a Fortune 500 cloud-computing company, a recognized cyber security software company and most recently a major US defense contractor, where he focused on developing insider threat solutions, engaging in incident response and threat hunting and implementing monitoring and detection systems for security operations centers. Peter holds a number of designations including the CISSP, CISA, CRISC and CGEIT as well as a number of SANS GIAC certifications. Peter has presented at numerous events held by the FBI, US Department of Homeland Security, HTCIA, PMI, SANS, and ISACA. Peter is also a frequent guest lecturer at numerous colleges and universities throughout North America.
Shifting to the Offensive – Enabling Your Teams for Cyber Threat Hunting
Given the complex breaches occurring on a regular basis, the chances that hidden threats are already lurking in your network are high. Organizations are still focused on deploying perimeter defenses, endpoint agents and other point security products. In many cases these prevention systems on their own cannot be used to detect intruders that are skilled at moving laterally around your network, masking their attacks as normal activity. During this presentation, attendees will learn about the following:
- What cyber threat hunting is, and specifically what it is not
- Why would you want to hunt? What are your security tools not identifying?
- What skillset is needed to perform cyber threat hunting
- Looking at various methodologies used for cyber threat hunting
- Manual searching vs. automated searching
- Analytic vs. situational-awareness vs. intelligence driven cyber threat hunting (i.e. machine learning, UEBA, etc.)
- Various tools and cyber threat hunting solution providers
Elaheh Samani is a software reverse engineer and malware analyst at Google. As a part of the Chrome protection team, she is responsible for preventing users from downloading malware and unwanted software. She has been specializing in cyber security for more than 6 years. Prior to joining Google, she worked as a software engineer at Forcepoint, a cyber security company owned by Raytheon. Elaheh did her Master’s studies in the field of Network Security at the Canadian Institute of Cyber Security, University of New Brunswick.
What is my “Cute kitten” really doing?! A recipe to dissect Chrome
Chrome extensions are getting more and more attention as a venue for cybercrime, mostly because they get executed within Chrome, an application trusted by operating systems and anti-virus software. Many of us have a little ad blocker or emoji creator widget next to our Chrome URL bar which is probably leaking our Facebook likes and comments to some external entities or is making revenue for some ad-fraud companies by visiting ads in the background. The fact is that people don’t keep track of all the extensions they’ve installed. Google’s Chrome browser has been praised for continuously updating its security architecture and screening published extensions. However, it is really hard to keep the ecosystem free from malware and abuse and to predict what developers will intentionally or unintentionally implement in their code.
In this talk, I will go over some tips and techniques for reversing Chrome extensions. We’ll have an in-depth look at some cases where obfuscation and runtime changes were used to sneak malicious extensions into the Chrome Web Store.
Anthony has worked in utilities, law enforcement, health care, education, lottery and gaming, and provided services in multiple other sectors including manufacturing, oil and gas, small to medium business, point of sale/retail, telecommunications, research, banking/financial, not for profit, and more. Anthony holds several industry certifications as well as a degree from UNB and he serves on committees for the IAPP, DRI Canada, Cloud Security Alliance, and Canada Standards Council.
Third Party Due Diligence
The security threats faced by organizations today evolve rapidly, and attackers and hackers are always looking for weak points in the security that is put in place to slow them down. One area that will remain an obscure back-door threat vector is any third party your organization has partnered with for any reason. Ensuring third parties are as secure as you are should always be part of your security program. This presentation will cover how to conduct third party due diligence and how to integrate this into your organization’s business processes.
Over 20 years of governance and operational security experience. Executive level security consulting, including program/portfolio creation and management. Provided board level reporting, security strategy creation and implementation, and global business security integrations. Acting CISO and Director of Security for large corporations. Led large multi-project teams at the program level, with oversight of multiple simultaneous and complex implementations of technical security projects. Designed and implemented most aspects of corporate security programs. Assisted large organizations in defining CISO responsibilities and requirements in order to align security programs with business operations. Consulting experience includes delivery of services including large multi-project/multi-year programs. Provided executive advisory services in a variety of industries, including retail, aerospace engineering, national/international banking, healthcare, manufacturing, logistics and transportation, federal/state organizations, and others. A wide range of regulatory experience includes PCI, SOX, FFIEC/FIDC, HIPAA and NERC CIP, and security framework knowledge extends to ISO/IEC 27001/27001, NIST, FISMA, OCTAVE and others. Program level services for customers, including advisement to Fortune 100 executives (CIO and CISO), creation of corporate security programs and strategies, risk program operational definitions and implementation, and delivery of security/privacy framework implementations. Provided all aspects of creating and implementing multi-project technical programs, from requirements gathering to shifting systems into operational SDLC maintenance cycles. Created large risk management frameworks for global enterprises, including complex operations such as mergers, acquisitions, and divestitures. 21-year military veteran as a nuclear weapons technician, threat officer, OH-58/AH-1/UH-60 helicopter pilot and maintenance operations officer.
Swarm vs. Hive – The Cyberwarfare Landscape of Today
Defense systems continue to improve, leveraging technologies such as deep learning neural networks to defend against an exploding attack surface and determined attackers. Cybercriminals are not stagnating, but are instead adapting to our defensive strategies. For instance, zombies used to require explicit commands from botnet herders. Now they are becoming intelligent, capable of making decisions, as was observed with Hajime in 2017. Swarm tactics are gaining in popularity among malware designers, creating pervasive attack capabilities. What can we do to defend?
Samuel is a Financial Services Regulatory Compliance professional based in Canada but also consulting for KPMG East Africa. He has facilitated Financial Crime and regulatory compliance related courses for the Canada Revenue Agency, the RCMP and several CPA bodies in Canada. In August, he facilitated a training on “Cryptocurrency Laundering” for the Directors of the Canadian Security Intelligence Service. Samuel is a Certified Public Accountant of Kenya (CPA (K)) and a member of the Certified Public Secretaries of Kenya. He holds a Masters in Business Administration from the University of Liverpool in the UK and is a Certified Anti-Money Laundering Specialist (CAMS). He started his career with KPMG Kenya and later joined KPMG in the Cayman Islands. He has also worked in the hedge fund industry with UBS Bank and Mitsubishi Banks, both in the Cayman Islands and Canada. Currently, he is the coordinator of financial services programs at Nova Scotia Community College, where he develops and teaches financial services related courses. He also teaches Accounting and Finance courses at Mount Saint Vincent University. Samuel is also consulting with KPMG East Africa in their Forensic Department.
Keeping regulators awake! Cybercrime and other related crimes; Regulatory Compliance around the world
Banks hacked, customers’ data stolen! No one is immune to modern and sophisticated cyberattacks. Even regulators and law enforcement are being beaten at their own game by the same notorious actors they are trying to keep at bay! It is concerning when a regulator like the Securities and Exchange Commission (SEC) is hacked too. To complicate the equation, ransom is paid in cryptocurrencies. Cybersecurity risk gives rise to other evolving risks relating to fraud and money laundering. As with any evolving risks, the regulators in Canada and around the world are now playing catch-up. Around the world, there are emerging regulations to protect valuable data and protect market stability. Some regulations, like GDPR, have extraterritorial reach and have the potential to bring down non-compliant institutions through massive fines and penalties.