Vulnerability Management: Try Fixing Less to Reduce More Risk

For over 20 years, the vulnerability management process has gone essentially unchanged: we have new ways to scan, detect, and report, but the ineffective process behind them has stayed the same. In today’s organizations this means a flood of tickets, slow remediation, missed SLAs and constant conflict between IT and security teams. Meanwhile, common vulnerabilities remain […]

Top 10 Cyber Security Actions for Canada

In 2021, the Canadian Centre for Cyber Security released the top 10 mitigating actions that organizations should take to protect their Internet-connected networks and sensitive information from cyber security threats. Together, we will walk through what these 10 actions are and assess what their impact could be on the protection of your most critical assets. This […]

Decision Making in Uncertain Times: Key teachings from Executive Exchanges

Global and technological uncertainty is being weaponized by adversaries. Digital transformation, global supply chain issues, mandated lockdowns, and state-sponsored attacks are creating windows of opportunity for adversaries to exploit. We will discuss evolving attack trends and how defenders can employ core security pillars to mount a rigorous defense. Rigid defenses are obsolete and easily […]

FAIR STRIDE – Building Business Relevant Threat Models for AppSec

Have you ever wondered what the ROI is on a security control? Or whether you should spend time fixing 2 highs or 47 mediums? FAIR STRIDE is a method for creating application threat models that can answer these questions by feeding the output from STRIDE into a quantitative risk model like FAIR rather than a […]
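The abstract above contrasts "2 highs or 47 mediums" and proposes answering with a quantitative model like FAIR. The following is an added example, not the FAIR STRIDE method or any tool from the talk: a small FAIR-style Monte Carlo that models each finding with triangular (min, most-likely, max) estimates for Loss Event Frequency and Loss Magnitude, simulates annual loss, and reports the annualized loss expectancy and tail percentiles removed by each remediation choice. All parameter values, the `HIGH` and `MEDIUM` findings, and the `OPTIONS` labels are constructed for illustration.

```python
"""FAIR-style Monte Carlo: is it worth fixing 2 highs or 47 mediums?

Added example, not the FAIR STRIDE method or any tool from the talk.
Each finding is modelled with two FAIR factors as triangular
(min, most-likely, max) estimates:
  LEF  loss event frequency, events per year
  LM   loss magnitude, dollars per loss event
One simulated year draws a rate from LEF, a Poisson number of loss
events at that rate, and a magnitude from LM for each event.
All parameter values below are constructed for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Triangular:
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Finding:
    name: str
    lef: Triangular
    lm: Triangular

    def analytic_ale(self) -> float:
        # Annualized loss expectancy in closed form: event count and
        # per-event loss are independent, so E[loss] = E[LEF] * E[LM].
        return self.lef.mean() * self.lm.mean()


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(findings, trials: int, seed: int = 1):
    """Return one total annual loss per simulated year, summed over findings."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for f in findings:
            events = poisson(f.lef.sample(rng), rng)
            total += sum(f.lm.sample(rng) for _ in range(events))
        losses.append(total)
    return losses


def summarize(losses):
    """ALE (mean) plus tail percentiles, which is what the business asks about."""
    s = sorted(losses)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"ale": statistics.fmean(s), "p50": pct(0.50),
            "p90": pct(0.90), "p99": pct(0.99)}


def compare(options, trials: int = 20_000):
    """options: {label: [findings whose risk that remediation choice removes]}."""
    return {label: summarize(simulate_annual_losses(fs, trials))
            for label, fs in options.items()}


# Constructed estimates for one "high" and one "medium" finding (illustrative only).
HIGH = Finding("high", Triangular(0.2, 0.8, 2.0), Triangular(50_000, 400_000, 2_000_000))
MEDIUM = Finding("medium", Triangular(0.01, 0.05, 0.3), Triangular(5_000, 20_000, 80_000))

OPTIONS = {"fix 2 highs": [HIGH] * 2, "fix 47 mediums": [MEDIUM] * 47}

if __name__ == "__main__":
    for label, stats in compare(OPTIONS).items():
        print(f"{label:15s} ALE ${stats['ale']:>12,.0f}  "
              f"p90 ${stats['p90']:>12,.0f}  p99 ${stats['p99']:>12,.0f}")
```

Under these constructed estimates the two highs carry roughly eight times the annualized loss of all 47 mediums together, and the p90/p99 columns show where the tail risk sits; swapping in your own STRIDE-derived frequency and magnitude ranges is the whole point of the exercise. The ROI of a control is then the ALE it removes against its cost.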

“What do you Mean Moose Meat?” Advancing Resilience Through Preparing for the Unexpected.

EXERCISE, EXERCISE, EXERCISE

Despite efforts by organizations of all sizes to maintain a tight security posture, cyber intrusions still occur. Ensuring that your business effectively responds to cyber incidents is essential to maintaining a resilient cyber defense against today’s and tomorrow’s threats. To combat these threats, organizations need to invest in the development and sustainment […]

The Vastaamo Data Breach

In October 2020, Vastaamo, a chain of psychotherapy clinics with over 30,000 patients, was forced to admit that its patient database had been stolen. The database contained therapists’ notes and personally identifying information for tens of thousands of Finnish citizens. The criminal, known only as RANSOM_MAN, was trying to exert pressure on the […]

New Minimum Cybersecurity Requirements for Cyber Insurance

The COVID-19 pandemic helped the cyber insurance industry achieve record-breaking revenue growth in 2020. But it also saw record profit loss. This decline led insurers to alter their client coverage requirements, placing stricter cybersecurity conditions on eligibility. This session will dive into what organizations need to do in order to meet these requirements. The […]

A Transformation Blueprint for Developer-First Security

The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products. The cloud-native and DevOps movements similarly disrupted traditional IT Ops. These were not mere shifts to the left, they all involved fundamental changes to mindset, […]

Innovation and Evolution – How Medical Device and IoT Profiles Have Evolved – But So Has Your Attack Surface

In recent years, in the wake of numerous attacks, there has been a push to understand the risks posed by smart devices. While helping to revolutionize the way the world operates, their innovation and convenience have often overshadowed, and sometimes completely eclipsed, their security implications. This talk discusses the evolution of the ‘traditional’ device profiles […]

Reducing Ransomware at Scale: Exploring the Ransomware Task Force’s Recommendations

In 2020, ransomware attackers made more than $350 million and caused terrible disruption, particularly in healthcare. Combatting this blight requires a comprehensive, multi-faceted strategy adopted in collaboration by governments around the world. To this end, the Ransomware Task Force brought together experts from governments, private, and nonprofit sectors to identify actions that would help to […]

The Prestige

This talk will examine how cybersecurity researchers gather threat intelligence using a variety of open-source tools and open-source intelligence techniques on hacker forums, darknet websites, Reddit, and other forums. Researchers are constantly being asked to look at threats and understand the relationship between threats and threat actors. We will head down the yellow brick road […]

The Quantum Threat: Where Are We Today?

Quantum computers will break currently deployed public-key cryptography (RSA, ECC, Diffie-Hellman, etc.) which is one of the pillars of modern-day cybersecurity. Thus, we need to migrate our systems and practices to ones that cannot be broken by quantum computers before large-scale quantum computers are built. First, I will give an update on the “quantum threat-timeline”. […]

Redefining Threat Modeling: Security Team Goes on Vacation

Threat modeling is an important part of every company’s Security Development Lifecycle, but as development teams grow bigger, Security will have to choose which features they want to threat model or they will become a bottleneck for the development organization. What if I told you that you could have your cake and eat it too? It […]

Epic journey of an enterprise cloud transformation

This session delivers two different real-life examples of an enterprise cloud transformation with emphasis on security implementation. You will get an insight into security architecture details across three main categories: security and data privacy integration bottom-up, applying security in depth by peeling down the layers of defense, and breaking down the setup of secure cloud […]

The Cross-Disciplinary Challenges of Data Governance Policies

Numerous data governance laws and policies have been enacted to protect user privacy. Policies may define data retention (how long the data must be kept), data purging requirements (when the data must be destroyed), and data consent (whether the data can be used for a particular purpose). To comply with these requirements and to minimize […]

Harder, Better, Faster, Stronger – Privacy Laws and the Anatomy of a Breach Response

In late 2020, the Canadian government proposed the Digital Charter Implementation Act, intending to modernize the framework for the protection of personal information in the private sector. Stemming from this Act, the Privacy Commissioner of Canada is set to receive more power to investigate privacy infractions and issue orders and fines. Simultaneously, Ontario is developing […]

Building Security Champions

With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them? This session will […]

Maturing your toolkit with mental models

Ask anyone about “infosec tools” and the list will depend on red/blue perspective and experience, but will usually include the likes of BloodHound, Metasploit, Burp, Mimikatz, Cobalt Strike, Nmap, and Netcat. These are all great, but too often we ignore that there is a separate side to infosec: there is a “non-technical” dimension we all […]

Pentesting for Success – Critical Success Factors

Most organizations conduct a vulnerability assessment or penetration test of their network as part of their security program. Testing may be conducted by employees or by external specialists, and the results may be used to comply with regulations such as PCI DSS, or they may just satisfy your sense that “security’s being done right”. However, […]

The Year in Cybersecurity Law

CIPPIC is the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, Canada’s only public interest technology law clinic. CIPPIC is based at the University of Ottawa’s Centre for Law Technology and Society. In this session, CIPPIC staff will review the year’s legal developments in cybersecurity and provide a look ahead at what we might expect […]

Outrunning the Avalanche of Unmanaged, Un-agentable Devices

There’s a torrent of unmanaged, un-agentable devices sweeping across businesses in every industry. From devices like smart TVs, MRI machines, patient infusion pumps, industrial device controllers, and manufacturing robotic arms, to printers, smartwatches, smart HVACs, and badge readers. These devices form an attack surface which is neither protected by nor monitored by traditional security products. […]

Beyond Spam: Using CASL to Stop the Spread of Malware in Canada

The purpose of this session is to explain the less well-known aspects of the Canadian Anti-Spam Legislation (CASL or the Act) and illustrate those in action through a series of case studies based on the actual enforcement activities of the Canadian Radio-television and Telecommunications Commission (CRTC). In so doing, we aim to position CASL as […]

Securing pipes with TACOs

TACO is an acronym I use with clients to help them map controls from their software delivery pipelines to the organizational controls. TACO stands for Traceability, Access, Compliance, and Operations. The approach consists of a base list of 25 automatable controls, each documented with its control activity, artifacts and SOR identified. After mapping how […]

The Race Against the Adversary: How to Win in the Era of the 18 Minute Breach

This exclusive session delves into the details of some of CrowdStrike’s most eye opening breach investigations of the past year and highlights the need for speed in modern security operations centers. See new research on “breakout time” and learn how you can use the 1-10-60 Rule to benchmark your organization and see if you have […]

Tony Stark and Cybersecurity

With 23 MCU movies, I have learned some valuable lessons surrounding cybersecurity. Why didn’t Jarvis run on a segmented network (Avengers: Age of Ultron)? Why didn’t Edith have two-factor authentication (Spider-Man: Far from Home)? Let’s explore how, if S.H.I.E.L.D. had implemented cybersecurity frameworks such as MITRE ATT&CK, they could have saved New York with much less […]

Quantifying Unknown Risks: Data-Driven Ways to Estimate First-Time Hacks, Emerging Risks, and Rare Incidents

Quantitative risk analysis often isn’t used in security because things may be difficult to quantify. If an attack hasn’t happened before, then what is its likelihood? If no data exists, how do we know how much a breach will cost? Despite these unknowns, there are several strategies for quantifying risk. Types of unknowns: First time […]
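"If an attack hasn't happened before, then what is its likelihood?" has standard answers that the abstract only alludes to. The block below is an added example, not the speaker's material: it applies three textbook estimators to a constructed scenario (an organisation with eight years and zero incidents of some type, and peer data suggesting roughly one incident per ten organisation-years). Laplace's rule of succession and the rule of three need only your own history; the Beta-binomial version folds in the reference-class base rate as a prior and then gives the probability of a first-time event over a planning horizon. The scenario numbers, the `base_rate` and `pseudo_periods` parameters, and the function names are all assumptions made for this example.

```python
"""Estimating the likelihood of an incident you have never observed.

Added example; these are standard estimators, not the speaker's method.
The scenario is constructed: an organisation has run n=8 years with
k=0 incidents of some type, and peer/industry data suggests a base
rate of about one incident per ten organisation-years.
"""
import math


def laplace_rule(k: int, n: int) -> float:
    """Rule of succession: (k+1)/(n+2). Never returns exactly 0 or 1,
    which is the right answer for "it has not happened yet"."""
    return (k + 1) / (n + 2)


def rule_of_three_upper(n: int, confidence: float = 0.95) -> float:
    """Upper confidence bound on the per-period probability after n
    periods with zero events: -ln(1-c)/n, the familiar 3/n at 95%."""
    return -math.log(1.0 - confidence) / n


def beta_prior_from_base_rate(rate: float, pseudo_periods: float):
    """Encode reference-class knowledge as Beta(a, b): mean = rate,
    strength = how many organisation-periods that evidence is worth."""
    return rate * pseudo_periods, (1.0 - rate) * pseudo_periods


def beta_posterior(prior, k: int, n: int):
    """Conjugate update: k events and n-k event-free periods observed."""
    a, b = prior
    return a + k, b + (n - k)


def posterior_mean(ab) -> float:
    a, b = ab
    return a / (a + b)


def prob_at_least_one(ab, periods: int) -> float:
    """Beta-binomial predictive: P(at least one event in the next
    `periods` periods), integrating over uncertainty in the rate.
    P(none) = B(a, b+m) / B(a, b); computed in log space via lgamma."""
    a, b = ab

    def log_beta(x, y):
        return math.lgamma(x) + math.lgamma(y) - math.lgamma(x + y)

    p_none = math.exp(log_beta(a, b + periods) - log_beta(a, b))
    return 1.0 - p_none


def first_time_hack_estimate(k: int, n: int, base_rate: float,
                             pseudo_periods: float, horizon: int):
    """Return the three estimates side by side for one scenario."""
    prior = beta_prior_from_base_rate(base_rate, pseudo_periods)
    post = beta_posterior(prior, k, n)
    return {
        "laplace": laplace_rule(k, n),
        "rule_of_three_upper": rule_of_three_upper(n),
        "posterior_mean": posterior_mean(post),
        "p_within_horizon": prob_at_least_one(post, horizon),
    }


if __name__ == "__main__":
    # Constructed scenario: 8 incident-free years, peers see ~10%/year,
    # and we want the chance of a first incident in the next 5 years.
    est = first_time_hack_estimate(k=0, n=8, base_rate=0.10,
                                   pseudo_periods=10, horizon=5)
    for name, value in est.items():
        print(f"{name:22s} {value:.3f}")
```

For the constructed inputs the per-year estimates range from about 5.6% (posterior mean with the peer prior) through 10% (Laplace) to a 37% upper bound (rule of three), and the chance of a first incident within five years comes out at 5/22, roughly 23%. The spread between the estimators is itself useful information: it is the width of your ignorance, and it is what a decision maker should see rather than a single point value.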

The Year of Privacy and Its Effect on Cyber Security

Cyber security and privacy are inextricably linked. GDPR came into force last May, the California Consumer Privacy Act (CCPA) was signed into law in June, and the breach-reporting provisions of the Digital Privacy Act amendments to Canada’s PIPEDA took effect in November 2018. This presentation will be two-fold: first, it will explore the requirements and obligations placed on organizations by these new regulations and the […]

Integrating Privacy Engineering into Your Security Practices

Privacy engineering is an emerging discipline, and this presentation will discuss it in the context of emerging standards and best practices for consent, consent management, and permissioned data. The Kantara Initiative has released a standard for User-Managed Access (based on OAuth 2.0) and Consent Receipts, and has a working group on consent management practices. […]

Who’s Watching the Watchers? Keeping Your Security Provider Honest

The 2017 M.E.Doc supply-chain attack that crippled hundreds of companies provided the blueprint for hijacking a trusted vendor to attack its clients. These attacks herald a new generation of supply-chain attacks that pit vendor and client against each other as they struggle to navigate co-managed risk mitigation and the resulting consumer, regulatory […]

Ashley Madison: Cybersecurity in a World of Discretion

What does a targeted attack really look like? How can you effectively defend your organization? What does it take to recover from a headline-grabbing breach and rebuild trust with your customers? Join Matthew Maglieri, CISO of Ashley Madison’s parent company Ruby Life Inc. and ex-Mandiant consultant, as he presents this unique look at what is […]

Turning Your Cybersecurity Toddlers into Warriors!

Simple lessons to teach you how you can fill the knowledge gap within your staff…today! Few industries are expanding faster or evolving more rapidly than IT security. There is no shortage of bad actors trying to outsmart you and get to your data. The bad guys are relentless in their never-ending pursuit to find a […]

Minority Report: A Predictive “Pre-crime” Approach Requires a Human Focus

In Philip K. Dick’s 1956 “The Minority Report,” murder ceased to occur due to the work of the “Pre-Crime Division,” which anticipated and prevented violent killings before they happened. Today, we are only beginning to see the impact of predictive analytics upon cybersecurity—especially for insider threat detection and prevention. Based on user interaction with data, […]

Security Powered by Big Data

As the extraction of value from data becomes more critical to a company’s success, organizations are trying to stay ahead of the data deluge. Unfortunately, data technologies often have security bolted on, not baked into the DNA, leaving far too many doors open to compromise. This session will cover the challenges of big data and […]

Why Can’t We Build Secure Software?

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and […]

How Identity Management is Transforming Modern Business

Identity innovations like zero-trust networks, zero login, and one identity initiatives are transforming today’s most successful organizations from within. Trust boundaries are changing. Find out the technical details behind these innovations and take home a game plan to start transforming your organization today, this week, and in the long run.

ISO 27001 & The GDPR

ISO 27001 & The GDPR: A Research-Based Approach to Identifying Overlap and Streamlining Efforts

Together, security and privacy teams share a common goal: protect the organization from reputational damage, lawsuits, and regulatory trouble. ISO 27001 focuses on the assessment of risks and protection of the organization while GDPR aims to assess and protect the rights […]

Power Up/Level Up: Supercharging Your Security Program for Cloud and DevOps

Few things have transformed the practice and technology of information technology more than the dual impacts of cloud computing and DevOps. In this executive session we will detail specific strategies and tactics for transforming your security organization without orphaning your historical investments. This won’t be generic policy mumbo-jumbo; come learn the hard-earned lessons from dozens […]

GDPR for Canadian Organisations – What you need to know!

The General Data Protection Regulation (GDPR) comes into force on May 25th, 2018, and many Canadian organisations are unsure if they even have to comply, let alone how. During this session, Bruce will take you through not only what the GDPR is and how it may impact you, but common questions and scenarios Canadian […]

Best Practices to Secure Application Containers and Microservices

Containers such as Docker and CoreOS rkt deliver incredible capabilities to developers and operators and are powering the DevOps revolution in application development and deployment. Docker in particular has taken the industry by storm, resulting in over 8 billion downloads and 500,000+ containerized applications on this open source platform. With all this new-found power comes significant […]

Does a BEAR Leak in the Woods? What the DNC breach, Guccifer and Russian APTs have taught us about attribution analysis

The June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups were only the beginning of a series of strategic leaks and conflicting attribution claims. In this presentation we’ll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, and the strengths and gaps […]

The Power Of Integration

As cyber criminals grow more aggressive, organizations are installing new security tools to protect themselves against threats. In fact, the average enterprise runs 508 applications and allows 89 different vendors to access their network each week (source: Bomgar.com and Forbes.com). You likely manage dozens of security tools across your organization – from firewalls to authentication software. […]

Cloud Security is Application Security – Securing the Cloud as a Team

“Infrastructure” is software in the era of Cloud; you should consider the software design choices as they impact not only the application structure, but also security in the Cloud. The convergence of the AppDev team and the security team allows for securing the cloud throughout the process without impacting agility. Bringing security in at the […]

Establishing the CSIRT Team for The Rio 2016 Olympic Games

This presentation examines the journey taken to establish the CSIRT team for the Rio 2016 Olympic Games. This large project was executed in a short period of time and posed a lot of challenges. Rocha will explain the strategy for getting his team ready for the games, the CSIRT timeline, their preparation using wargame exercises, the […]

Leveraging Best Practices to Determine Your Cyber Insurance Needs

Dave Millier has created a novel approach that leverages well-known information security frameworks and Chubb’s Cyber COPE®, a well-established property insurance measurement methodology that has been adapted to cyber risks. In this talk, Dave will present his methodology, including various ways of gathering the information and reporting on the results, providing the audience […]

Your Chance to Get It Right: 5 Keys to Building AppSec Into DevOps

Security’s goal of minimizing risk can seem at odds with development’s need for rapid change. There is a middle path that allows development to deliver secure code at DevOps speed, but it requires security to adopt principles that have proven successful for DevOps. This session will discuss organizational, process and technology innovations that enable security […]

Held for Ransom: Defending your Data Against Ransomware

This session will detail the evolution of ransomware, its methods of infection, and ways an organization can help protect itself and avoid having to pay a ransom. Hear a Trustwave SpiderLabs forensic expert analyze a ransomware infection and its actions on a compromised system. Ransomware requires that we reassess our access control, intrusion detection, […]

The Cyber Security Readiness of Canadian Organizations

We surveyed 654 IT and IT security practitioners in Canada to answer the following questions: Do organizations feel more or less prepared to deal with attacks than last year? How have cyber attacks targeting Canadian organizations changed in the past year? What is the average cost of cyber attacks for Canadian organizations? What cyber security […]

Safety Should be the Security Paradigm

The main government approach to cybersecurity has been to think of it through the lens of the military and intelligence community. After all, that is where the most expertise lies today. This lens is problematic going forward. We should instead be looking to the way the government thinks of safety: for transportation, disease, consumer products, […]

How to Rob a Bank or The SWIFT and Easy Way to Grow Your Online Savings

Bank heists make great stories. This year, we’ve got some really good stories to tell courtesy of a trusted network known as SWIFT, and some banks that believed they were inherently protected by virtue of being connected – except they weren’t. Hundreds of millions of dollars have revealed some ugly truths and dangerous assumptions. In […]

Getting Business Value from Penetration Testing

Penetration tests rarely improve a client’s security. We know this because last year’s test feels horribly close to this year’s. In terms of value to the business, they fall flat in most ways – they are misunderstood from the start, during the test, and at the report. We want to dispel the confusion and tie […]
