For over 20 years, Vulnerability Management has gone completely unchanged; sure, we have new ways to scan, detect, and report, but the ineffective process has stayed the same. What this means in today’s organizations is a flood of tickets, slow remediation, missed SLAs and constant conflict between IT and Security teams. Meanwhile, common vulnerabilities remain […]
Read moreIn 2021, the Canadian Center for Cyber Security released the top 10 mitigating actions that organizations should take to protect its Internet-connected networks and sensitive information from cyber security threats. Together, we will understand what these 10 actions are and validate what their impact could be on the protection of your most critical assets. This […]
Read moreGlobal and technological uncertainty is being weaponized by adversaries. Digital Transformation, Global Supply Chain issues, Mandated Lockdowns, and State Sponsored attacks are creating windows of opportunities for adversaries to exploit. We will discuss evolving attack trends and how defenders can employ core security pillars to mount a rigorous defense. Rigid defenses are obsolete and easily […]
Read moreHave you ever wondered what the ROI is on a security control? Or whether you should spend time fixing 2 highs or 47 mediums? FAIR STRIDE is a method for creating application threat models that can answer these questions by feeding the output from STRIDE into a quantitative risk model like FAIR rather than a […]
Read moreEXERCISE, EXERCISE, EXERCISE Despite efforts by organizations of all sizes to maintain a tight security posture, cyber intrusions still occur. Ensuring that your business effectively responds to cyber incidents is essential to maintaining a resilient cyber defense for todays and tomorrow’s threats. To combat these threats, organizations need to invest in the development and sustainment […]
Read moreIn October of 2020 Vastaamo, a chain of psychotherapy clinics with over 30.000 patients, was forced to admit that their patient database had been stolen. The database contained the therapist’s notes and personally identifying information for tens of thousands of Finnish citizens. The criminal, only known as RANSOM_MAN, was trying to exert pressure on the […]
Read moreThe COVID-19 pandemic helped the cyber insurance industry make record-breaking revenue growth in 2020. But it also saw record profit loss. This decline led insurance companies to alter their client coverage requirements, placing stricter cybersecurity conditions for eligibility. This session will dive into what organizations need to do in order to meet these requirements. The […]
Read moreThe traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products. The cloud-native and DevOps movements similarly disrupted traditional IT Ops. These were not mere shifts to the left, they all involved fundamental changes to mindset, […]
Read moreIn recent years, with the wake of numerous attacks, there has been a push to understand the risks posed by smart devices. While helping revolutionize the way the world operates, the innovation and convenience has often overshadowed – and sometimes completely – their security implications. This talk discusses the evolution of the ‘traditional’ device profiles […]
Read moreIn 2020, ransomware attackers made more than $350 million and caused terrible disruption, particularly in healthcare. Combatting this blight requires a comprehensive, multi-faceted strategy adopted in collaboration by governments around the world. To this end, the Ransomware Task Force brought together experts from governments, private, and nonprofit sectors to identify actions that would help to […]
Read moreThis talk will examine how cybersecurity researchers gather threat intelligence using a variety of open-source tools and open-source intelligence techniques on hacker forums, darknet websites, Reddit, and other forums. Researchers are constantly being asked to look at threats and understand the relationship between threats and threat actors. We will head down the yellow brick road […]
Read moreQuantum computers will break currently deployed public-key cryptography (RSA, ECC, Diffie-Hellman, etc.) which is one of the pillars of modern-day cybersecurity. Thus, we need to migrate our systems and practices to ones that cannot be broken by quantum computers before large-scale quantum computers are built. First, I will give an update on the “quantum threat-timeline”. […]
Read moreThreat Modeling is an important part of every company’s Security Development Lifecycle, but as development teams grow bigger, Security will have to choose which features they want to Threat Model or they will become a bottleneck for the development organization. What if I told you, you could have your cake and eat it too? It […]
Read moreThis session delivers two different real-life examples of an enterprise cloud transformation with emphasis on security implementation. You will get an insight into security architecture details across three main categories: security and data privacy integration bottom-up, applying security in depth by peeling down the layers of defense, and breaking down the setup of secure cloud […]
Read moreNumerous data governance laws and policies have been enacted to protect user privacy. Polices may define data retention (how long the data must be kept), data purging requirements (when the data must be destroyed), and data consent (whether the data can be used for a particular purpose). To comply with these requirements and to minimize […]
Read moreIn late 2020, the Canadian government proposed the Digital Charter Implementation Act, intending to modernize the framework for the protection of personal information in the private sector. Stemming from this Act, the Privacy Commissioner of Canada is set to receive more power to investigate privacy infractions and issue orders and fines. Simultaneously, Ontario is developing […]
Read moreWith security teams being vastly outnumbered many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them? This session will […]
Read moreAsk anyone about “infosec tools” and the list will depend on red/blue perspective and experience but will usually include the likes of BloodHound, Metasploit, Burp, Mimikatz, Cobalt Strike, Nmap, and Netcat. These are all great but, too often we ignore that there is a separate side to infosec: there is a “non-technical” dimension we all […]
Read moreMost organizations conduct a vulnerability assessment or penetration test of their network as part of their security program. Testing may be conducted by employees, or by external specialists, and the results may be used to comply with regulations such as PCI DSS, or they may just satisfy your sense of “security’s being done right”. However, […]
Read moreCIPPIC is the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, Canada’s only public interest technology law clinic. CIPPIC is based at the University of Ottawa’s Centre for Law Technology and Society. In this session, CIPPIC staff will review the year’s legal developments in cybersecurity and provide a look ahead at what we might expect […]
Read moreThere’s a torrent of unmanaged, un-agentable devices sweeping across businesses in every industry. From devices like smart TVs, MRI machines, patient infusion pumps, industrial device controllers, and manufacturing robotic arms, to printers, smartwatches, smart HVACs, and badge readers. These devices form an attack surface which is neither protected by nor monitored by traditional security products. […]
Read moreThe purpose of this session is to explain the less well-known aspects of the Canadian Anti-Spam Legislation (CASL or the Act) and illustrate those in action through a series of case studies based on the actual enforcement activities of the Canadian Radio-television and Telecommunications Commission (CRTC). In so doing, we aim to position CASL as […]
Read moreTACO is an acronym I use with clients to help them map controls from their software delivery pipelines to the organizational controls. TACO stands for Traceability, Access, Compliance, and Operations. The approach consists of a base list of 25 automatable controls that are documented and the control activity, artifacts and SOR identified. After mapping how […]
Read moreThis exclusive session delves into the details of some of CrowdStrike’s most eye opening breach investigations of the past year and highlights the need for speed in modern security operations centers. See new research on “breakout time” and learn how you can use the 1-10-60 Rule to benchmark your organization and see if you have […]
Read moreWith 23 MCU movies, I have learned some valuable lessons surrounding cybersecurity. Why didn’t Jarvis run on a segmented network (Avengers: Age of Ultron)? Why didn’t Edith have 2-FactorAuthentication (Spider-Man: Far from Home)? Let’s explore how, if Shield had implemented cybersecurity frameworks such as Mitre ATT@CK, they could have saved New York with much less […]
Read moreQuantitative risk analysis often isn’t used in security because things may be difficult to quantify. If an attack hasn’t happened before, then what is its likelihood? If no data exists, how do we know how much a breach will cost? Despite these unknowns, there are several strategies for quantifying risk. Types of unknowns: First time […]
Read moreCyber security and privacy are inextricably linked. GDPR kicked in last May, the California Consumer Privacy Act (CCPA) in June and Canada amended PIPEDA with the Digital Privacy Act in November 2018. This presentation will be two-fold: first, the presentation will explore the requirements and obligations placed on organizations by these new regulations and the […]
Read morePrivacy Engineering is an emerging discipline and this presentation will talk about privacy engineering in the context of emerging standards and best practices for consent, consent management, and permissioned data. The Kantara Initiative released a standard for User Managed Access (based on OATH 2), Consent Receipts, and has a working group on Consent Management practices. […]
Read moreThe 2017 M.E. Docs cyber-attack that crippled hundreds of companies crafted the blueprints for hijacking a vendor to attack clients through their trusted vendors. These attacks herald a new generation of supply-chain based attacks that pit vendor and client against each other as they struggle to navigate co-managed risk mitigation and the resulting consumer, regulatory […]
Read moreWhat does a targeted attack really look like? How can you effectively defend your organization? What does it take to recover from a headline-grabbing breach and rebuild trust with your customers? Join Matthew Maglieri, CISO of Ashley Madison’s parent company Ruby Life Inc. and ex-Mandiant consultant, as he presents this unique look at what is […]
Read moreSimple lessons to teach you how you can fill the knowledge gap within your staff…today! Few industries are expanding faster or evolving more rapidly than IT security. There is no shortage of bad actors trying to outsmart you and get to your data. The bad guys are relentless in their never-ending pursuit to find a […]
Read moreIn Philip K. Dick’s 1956 “The Minority Report,” murder ceased to occur due to the work of the “Pre-Crime Division,” which anticipated and prevented violent killings before they happened. Today, we are only beginning to see the impact of predictive analytics upon cybersecurity—especially for insider threat detection and prevention. Based on user interaction with data, […]
Read moreAs the extraction of value from data becomes more critical to a company’s success, organizations are trying to stay ahead of the data deluge. Unfortunately, data technologies often have security bolted on, not baked into the DNA, leaving far too many doors open to compromise. This session will cover the challenges of big data and […]
Read moreA lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and […]
Read moreIdentity innovations like zero-trust networks, zero login, and one identity initiatives are transforming today’s most successful organizations from within. Trust boundaries are changing. Find out the technical details behind these innovations and take home a game plan to start transforming your organization today, this week, and in the long run.
Read moreISO 27001 & The GDPR: A Research-Based Approach to Identifying Overlap and Streamlining Efforts Together, security and privacy teams share a common goal: Protect the organization from reputational damage, lawsuits, and regulatory trouble. ISO 27001 focuses on the assessment of risks and protection of the organization while GDPR aims to assess and protect the rights […]
Read moreFew things have ever transformed the practice and technology of information technology than the dual impacts of cloud computing and DevOps. In this executive session we will detail specific strategies and tactics for transforming your security organization without orphaning your historical investments. This won’t be generic policy mumbo-jumbo; comes learn the hard-earned lessons from dozens […]
Read moreThe General Data Protection Regulation (GDPR) comes in to force on May 25th 2018 and many Canadian organisations are unsure if they even have to comply, let alone how. During this session, Bruce will take you through not only what the GDPR is and how it may impact you, but common questions and scenarios Canadian […]
Read moreContainers such as Docker and CoreOS Rkt deliver incredible capabilities to developers and operators and are powering the DevOps revolution in application development and deployment. Docker in particular has taken industry by storm, resulting in over 8 billion downloads and 500,000+ containerized applications in this open source platform. With all this new-found power comes significant […]
Read moreThe June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups was only the beginning of a series of strategic leaks and conflicting attribution claims. In this presentation we’ll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, and strengths and gaps […]
Read moreAs cyber criminals grow more aggressive, organizations are installing new security tools to protect themselves against threats. In fact, the average enterprise runs 508 applications and allows 89 different vendors to access their network each week. (Source Bomgar.com and Forbes.com) You likely manage dozens of security tools across your organization– from firewalls to authentication software. […]
Read more“Infrastructure” is software in the era of Cloud; you should consider the software design choices as they impact not only the application structure, but also security in the Cloud. The convergence of the AppDev team and the security team allows for securing the cloud throughout the process without impacting agility. Bringing security in at the […]
Read moreThis presentation examines the journey taken to establish the CSIRT team for the Rio 2016 Olympic Games. This large project was executed in a short period of time and posed a lot challenges. Rocha will explain the strategy in getting his team ready for the games, the CSIRT timeline, their preparation using wargames exercise, the […]
Read moreDave Millier has created a novel new approach that leverages well known information security frameworks and Chubb’s Cyber COPE®, a well-established property insurance measurement methodology that has been adapted to cyber risks. In this talk, Dave will present his methodology, including various ways of gathering the information and reporting on the results, providing the audience […]
Read moreSecurity’s goal of minimizing risk can seem at odds with development’s need for rapid change. There is a middle path that allows development to deliver secure code at DevOps speed, but it requires security to adopt principles that have proven successful for DevOps. This session will discuss organizational, process and technology innovations that enable security […]
Read moreThis session will detail the evolution of ransomware, its methods of infection, and ways an organization can help protect itself and avoid having to pay a ransom. Hear from a Trustwave SpiderLabs forensic expert analyze a ransomware infection and its actions on a compromised system. Ransomware requires that we reassess our access control, intrusion detection, […]
Read moreWe surveyed 654 IT and IT security practitioners in Canada to answer the following questions: Do organizations feel more or less prepared to deal with attacks than last year? How have cyber attacks targeting Canadian organizations changed in the past year? What is the average cost of cyber attacks for Canadian organizations? What cyber security […]
Read moreThe main government approach to cybersecurity has been to think of it through the lens of the military and intelligence community. After all that is where the most expertise lies today. This lens is problematic going forward. We should instead be looking to the way the government thinks of safety: for transportation, disease, consumer products, […]
Read moreBank heists make great stories. This year, we’ve got some really good stories to tell courtesy of a trusted network known as SWIFT, and some banks that believed they were inherently protected by virtue of being connected – except they weren’t. Hundreds of millions of dollars have revealed some ugly truths and dangerous assumptions. In […]
Read morePenetration tests rarely improve a client’s security. We know this because last year’s test feels horribly close to this year’s. In terms of value to the business, they fall flat in most ways – they are misunderstood from the start, during the test, and at the report. We want to dispel the confusion and tie […]
Read more