In late 2020, the Canadian government proposed the Digital Charter Implementation Act, intending to modernize the framework for the protection of personal information in the private sector. Stemming from this Act, the Privacy Commissioner of Canada is set to receive more power to investigate privacy infractions and issue orders and fines. Simultaneously, Ontario is developing […]
Read moreWith security teams being vastly outnumbered many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them? This session will […]
Read moreAsk anyone about “infosec tools” and the list will depend on red/blue perspective and experience but will usually include the likes of BloodHound, Metasploit, Burp, Mimikatz, Cobalt Strike, Nmap, and Netcat. These are all great but, too often we ignore that there is a separate side to infosec: there is a “non-technical” dimension we all […]
Read moreTypically, business leaders find it challenging to provide oversight, guidance and act upon their organization’s Cyber strategy. To be able to make risk-informed decisions and invest judiciously in Cyber risk posture improvement, it is crucial to identify and effectively govern the protection of the organization’s Crown Jewels. I will provide a clear understanding of what […]
Read moreCybersecurity issues are plaguing organizations large and small today, and not only due to technical issues. With the wide variety of tools available to cybercriminals, there is a significant need to introduce more qualified defenders to level the playing field. However, this is far from reality due to a well-documented skills gap – a problem […]
Read moreDevOps philosophies reduces the barriers between development and operations teams. Therefore, DevSecOps is when all three teams are working together in perfect harmony. DevSecOps is vying for the buzzword of the year and little else. In a PowerPoint slide, it’s a solid solution. But when put into practice, years of security team, communications challenges, and […]
Read moreOnly after disaster can we be resurrected. While you’d think it’s wisdom from Gandhi or perhaps Buddha, it’s the insightful musings of fictitious character, Tyler Durden from the 1999 movie, Fight Club. This alter ego has it right. We can learn more from mistakes, errors or even disaster than we can from what went right. […]
Read moreStatistics are speaking loudly! There is a disconnection between defenders’ perceptions of the value of the security controls they implement, and the most common attack vectors leveraged by penetration testers acting as potential attackers. This presentation highlights the key results of a two-year-long research study aimed at understanding this disconnection. The perceptions and practices of […]
Read moreOne of the core purposes of cybersecurity is to protect data gathered by an organization. Numerous countries around the world have enacted statutes to force organizations to protect their users’ data. Although organizations are making efforts to comply with regulations and implementing revolutionary cybersecurity products into their operations, we continue to see breaches of businesses […]
Read moreThis talk showcases lessons learned from firsthand experience implementing everything from power transmission systems, smart meters, first responder radio systems, voting and election software to building automation (doors, HVAC, etc). We are increasingly asked to believe “that’s not IT” for a variety of reasons. This talk covers all the reasons, lies and how to deescalate […]
Read moreMost organizations conduct a vulnerability assessment or penetration test of their network as part of their security program. Testing may be conducted by employees, or by external specialists, and the results may be used to comply with regulations such as PCI DSS, or they may just satisfy your sense of “security’s being done right”. However, […]
Read moreCIPPIC is the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, Canada’s only public interest technology law clinic. CIPPIC is based at the University of Ottawa’s Centre for Law Technology and Society. In this session, CIPPIC staff will review the year’s legal developments in cybersecurity and provide a look ahead at what we might expect […]
Read moreThere’s a torrent of unmanaged, un-agentable devices sweeping across businesses in every industry. From devices like smart TVs, MRI machines, patient infusion pumps, industrial device controllers, and manufacturing robotic arms, to printers, smartwatches, smart HVACs, and badge readers. These devices form an attack surface which is neither protected by nor monitored by traditional security products. […]
Read moreThe purpose of this session is to explain the less well-known aspects of the Canadian Anti-Spam Legislation (CASL or the Act) and illustrate those in action through a series of case studies based on the actual enforcement activities of the Canadian Radio-television and Telecommunications Commission (CRTC). In so doing, we aim to position CASL as […]
Read moreTACO is an acronym I use with clients to help them map controls from their software delivery pipelines to the organizational controls. TACO stands for Traceability, Access, Compliance, and Operations. The approach consists of a base list of 25 automatable controls that are documented and the control activity, artifacts and SOR identified. After mapping how […]
Read moreQuantitative risk analysis often isn’t used in security because things may be difficult to quantify. If an attack hasn’t happened before, then what is its likelihood? If no data exists, how do we know how much a breach will cost? Despite these unknowns, there are several strategies for quantifying risk. Types of unknowns: First time […]
Read moreCyber security and privacy are inextricably linked. GDPR kicked in last May, the California Consumer Privacy Act (CCPA) in June and Canada amended PIPEDA with the Digital Privacy Act in November 2018. This presentation will be two-fold: first, the presentation will explore the requirements and obligations placed on organizations by these new regulations and the […]
Read morePrivacy Engineering is an emerging discipline and this presentation will talk about privacy engineering in the context of emerging standards and best practices for consent, consent management, and permissioned data. The Kantara Initiative released a standard for User Managed Access (based on OATH 2), Consent Receipts, and has a working group on Consent Management practices. […]
Read moreThe 2017 M.E. Docs cyber-attack that crippled hundreds of companies crafted the blueprints for hijacking a vendor to attack clients through their trusted vendors. These attacks herald a new generation of supply-chain based attacks that pit vendor and client against each other as they struggle to navigate co-managed risk mitigation and the resulting consumer, regulatory […]
Read moreWhat does a targeted attack really look like? How can you effectively defend your organization? What does it take to recover from a headline-grabbing breach and rebuild trust with your customers? Join Matthew Maglieri, CISO of Ashley Madison’s parent company Ruby Life Inc. and ex-Mandiant consultant, as he presents this unique look at what is […]
Read moreSimple lessons to teach you how you can fill the knowledge gap within your staff…today! Few industries are expanding faster or evolving more rapidly than IT security. There is no shortage of bad actors trying to outsmart you and get to your data. The bad guys are relentless in their never-ending pursuit to find a […]
Read moreA lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and […]
Read moreIdentity innovations like zero-trust networks, zero login, and one identity initiatives are transforming today’s most successful organizations from within. Trust boundaries are changing. Find out the technical details behind these innovations and take home a game plan to start transforming your organization today, this week, and in the long run.
Read moreISO 27001 & The GDPR: A Research-Based Approach to Identifying Overlap and Streamlining Efforts Together, security and privacy teams share a common goal: Protect the organization from reputational damage, lawsuits, and regulatory trouble. ISO 27001 focuses on the assessment of risks and protection of the organization while GDPR aims to assess and protect the rights […]
Read moreFew things have ever transformed the practice and technology of information technology than the dual impacts of cloud computing and DevOps. In this executive session we will detail specific strategies and tactics for transforming your security organization without orphaning your historical investments. This won’t be generic policy mumbo-jumbo; comes learn the hard-earned lessons from dozens […]
Read moreThe General Data Protection Regulation (GDPR) comes in to force on May 25th 2018 and many Canadian organisations are unsure if they even have to comply, let alone how. During this session, Bruce will take you through not only what the GDPR is and how it may impact you, but common questions and scenarios Canadian […]
Read moreContainers such as Docker and CoreOS Rkt deliver incredible capabilities to developers and operators and are powering the DevOps revolution in application development and deployment. Docker in particular has taken industry by storm, resulting in over 8 billion downloads and 500,000+ containerized applications in this open source platform. With all this new-found power comes significant […]
Read moreThe June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups was only the beginning of a series of strategic leaks and conflicting attribution claims. In this presentation we’ll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, and strengths and gaps […]
Read moreThis presentation examines the journey taken to establish the CSIRT team for the Rio 2016 Olympic Games. This large project was executed in a short period of time and posed a lot challenges. Rocha will explain the strategy in getting his team ready for the games, the CSIRT timeline, their preparation using wargames exercise, the […]
Read moreDave Millier has created a novel new approach that leverages well known information security frameworks and Chubb’s Cyber COPE®, a well-established property insurance measurement methodology that has been adapted to cyber risks. In this talk, Dave will present his methodology, including various ways of gathering the information and reporting on the results, providing the audience […]
Read moreSecurity’s goal of minimizing risk can seem at odds with development’s need for rapid change. There is a middle path that allows development to deliver secure code at DevOps speed, but it requires security to adopt principles that have proven successful for DevOps. This session will discuss organizational, process and technology innovations that enable security […]
Read moreThe main government approach to cybersecurity has been to think of it through the lens of the military and intelligence community. After all that is where the most expertise lies today. This lens is problematic going forward. We should instead be looking to the way the government thinks of safety: for transportation, disease, consumer products, […]
Read moreBank heists make great stories. This year, we’ve got some really good stories to tell courtesy of a trusted network known as SWIFT, and some banks that believed they were inherently protected by virtue of being connected – except they weren’t. Hundreds of millions of dollars have revealed some ugly truths and dangerous assumptions. In […]
Read morePenetration tests rarely improve a client’s security. We know this because last year’s test feels horribly close to this year’s. In terms of value to the business, they fall flat in most ways – they are misunderstood from the start, during the test, and at the report. We want to dispel the confusion and tie […]
Read moreThis talk is focused on some of the biggest problems associated with computer security defenses. Main topics include: Misaligned defenses Lack of focus on root-causes Lack of focus on local current and historical exploits Lack of data in driving computer security defense decisions Roger will discuss how things got this way and how to fix […]
Read moreDo you need a GRC tool but can’t afford the cost of one? Let’s use a batteries included automation first framework to rapidly assemble our own tools that work in the way you want. We won’t create anything with a web interface but we will be able to manage large amounts of information using existing […]
Read moreAre you tired of knowing everything, having people ignore “the security person” because “reasons,” and then having “I told you so” as your only comfort? Sick of the hostile relationship between security and development, security and operations, security and HR, and/or security and everyone not wearing a black t-shirt? There’s a better way. Faced with […]
Read moreQuantum computers will break currently deployed public-key cryptography (RSA, ECC, Diffie-Hellman, etc.) which is one of the pillars of modern-day cybersecurity. Thus we need to migrate our systems and practices to ones that cannot be broken by quantum computers before large-scale quantum computers are built. There are viable options for quantum-proofing our cryptographic infrastructure, but […]
Read moreThe pace of databreaches has reached epic proportions. Organizations large and small, in every industry are falling victim to hackers, hacktivists and nation states. Your intellectual property, data and bank accounts have never been at greater risk – it’s not if, but when your organization will be victimized. Testing and maintaining an effective Incident Response […]
Read moreThe CISO lives with a target on his/her back, usually lasts a mere 12-18 months and takes the fall for security issues often out of their control. Yet, this is a strategic, C-level position and essential to the success of any organization. The disconnect lies in the CISO being able to elevate their worth with their […]
Read moreOrganizations worldwide face a dangerous shortage of Cyber Warriors with the skills required to defend against cyber terrorism. This urgent situation is made worse by the weaknesses and vulnerabilities that continue to pervade critical IT infrastructures – despite billions of dollars invested in cyber security measures. Answering these problems requires Internet-scale simulation environments, along with […]
Read moreThe hardest part of cybercrime is the cashout. The strategy for cashing out needs to be easy enough to make it worth your while and safe enough to stay out of the clink. With more and more focus on identifying and stopping credit card fraud, cybercrooks are diversifying their methods for cashing out. While criminals […]
Read moreThis talk will discuss how the team prepared for the largest sporting event held in Canada, the TORONTO 2015 Pan Am / Parapan Am Games. The session will include how we created a Cyber Security Group, staff scheduling, contingency planning, and communications. I will also discuss how we managed the day to day security operations, offer a recap […]
Read moreMetrics needn’t be meddlesome (alliteration!), as long as you’re measuring something. Focus on the metrics that make the most impact instead of trying to do it all. Regardless of your maturity level, you can still implement a metrics program. It comes down to value over quantity. Mix straightforward metrics like the overall reduction of incidents […]
Read moreJim will provide an in-depth background of the changing cyber threat landscape, with specific focus on recent incidents including the cyber attack on Sony Pictures Entertainment, the massive data breach at Anthem Healthcare, and the compromise at the US Office of Personnel Management of nearly every US government employees’ personal information. Jim will share his […]
Read moreAgile Scrum is here to stay, and security teams aren’t adapting quickly enough. “Best-practice” Agile SDL models aren’t very helpful because they assume a simplified, idealized model of how software is built. In the real world, software development often involves multiple Scrum teams working on various components of a larger product. As a result, application […]
Read moreRisk analysis – nobody wants to do it, but everybody wants the answer when it’s done. Business today is full of qualitative methods for assessing risk, but these tend to fall short of giving Information Security professionals the tools to express risk in a meaningful way. FAIR (Factor Analysis of Information Risk) was recently adopted […]
Read moreThe ugly bastard child of the ugly bastard child of FAIL Panel, in its 3rd year running, a discussion on the cybers and other general observations on infosec. We’ll disagree, agree, talk over each other, ramble until cut-off, throw things, contradict each other (and ourselves), have no clue what Jamie is asking us and generally […]
Read moreWilliam will dive in to the fundamental tools and resources needed by network attackers and defenders and look at basic adversary methodology and scaling effects in network attack and defense. After laying this foundation, he will dive deeper into asymmetrical advantages for defenders and how to implement them in your network from an architecture and […]
Read moreThe human element is one of the weakest links, as a result your employees are now the primary attack vector. From phishing and infected USB drives to lost mobile devices and weak passwords, people represent the greatest risk to most organizations. Many organizations are now rolling out security awareness programs with the intent of changing […]
Read more