Track 1 - Ballroom B1/B2
Thursday, April 26
 

11:00 ADT

DECEPTICON: Deceptive Techniques to Derail OSINT attempts
When we think of the process for attacking an organization, OSINT comes to the front and center of our minds. This presentation takes a presenter with experience in applying OSINT to effective penetration testing and social engineering and reverse engineers the process to determine what steps can be taken to further complicate their efforts. This is a presentation that talks about online deception, decoy accounts, canary data, encryption, maintaining one’s social media in a secure manner, and protecting one’s identity as much as possible. While nothing is absolute, this is a presentation that will leave attendees more aware of techniques to make it harder for attackers to collect accurate OSINT, either by removal or deception.

Speakers

Joe Gray

Security Threat Hunting & Intelligence Engineer, Mercari US
Joe Gray, a veteran of the U.S. Navy Submarine Force, is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe is the Founder and Principal Instructor at The OSINTion. As a member of the Password Inspection Agency...


Thursday April 26, 2018 11:00 - 11:45 ADT
Track 1 - Ballroom B1/B2

13:00 ADT

You're Going to Need a Bigger Privacy Plan: Here Comes the GDPR
It's extensive, expensive and coming in for the kill: meet the General Data Protection Regulation, the massive new set of privacy provisions for all who do business within European Union shores. With strict safeguards, increased governance expectations and massive fines for failure to comply, the GDPR breaks new ground for personal privacy and individual data rights. Officially in force starting May 2018, if your business is handling the personally identifiable information of E.U. citizens and you're not in compliance, you'll want to get caught up, fast.

For Canadian businesses, the question is cropping up from European partners: what makes the GDPR so different from existing privacy agreements, and why do they need to comply? What are the implications for technology development, data controls, and why is it so revolutionary? Privacy Technologist Victoria McIntosh unravels the driving forces behind the world's largest privacy protection regulation, and what makes it unique against past provisions.

Speakers

Victoria McIntosh

Freelance Information & Privacy Professional, Information in Bloom Management Services
Victoria McIntosh is an information and privacy professional in Halifax, Nova Scotia. Holding a Masters in Library and Information Science, she puts the pieces together. Bringing privacy expertise to projects, Victoria is a certified IAPP Information Privacy Technologist. In her blogs...


Thursday April 26, 2018 13:00 - 13:45 ADT
Track 1 - Ballroom B1/B2

14:00 ADT

Terrorist Lunch Money: The Law Responds to the Rise of Cryptocurrencies
Whether it’s a bubble or the new world order, the recent rise in the value of Bitcoin has forced governments to grapple with the reality of cryptocurrencies and their implications for the economy and society. What is Bitcoin, legally? Is it cash? Is it a commodity? Can I take it across the border? Is it terrorist lunch money? I’ll explore the current legal status of cryptocurrencies in Canada, and abroad, and discuss where the law is headed in cryptocurrency regulation in an age of techno-panic and uncertainty.

Speakers

Anna Manley

Principal, Manley Law Inc.
Anna Manley is an internet and privacy lawyer based in Sydney, NS. She is the principal of Manley Law Inc. and founder of Advocate Cognitive Technologies Inc. Anna advises companies and individuals on all things law and tech related.


Thursday April 26, 2018 14:00 - 14:45 ADT
Track 1 - Ballroom B1/B2

15:00 ADT

The Paradox of Cybersecurity in Operational Technologies
IoT has moved beyond kettles, thermostats, and doorbells. Operational technologies (otherwise known as IIoT) like tractors, factories, healthcare devices, and even robots are helping to enable the fourth industrial revolution.

Companies that embrace these changes will lead the charge. Those that don’t will fall behind. These technologies lead to exciting new designs, leveraging the latest and greatest buzzword-laden offerings. Build on a clean slate, and you can drive strong security concepts into every layer of the system.

Unfortunately, these designs don’t get implemented in the real world. The real world of operational technology is messy. It’s dealing with years and years of technology decisions made with wildly different threat models. It’s trying to match technologies built with 20-year lifespans with defences that need to be updated minute-by-minute.

In this talk, we’ll examine the reality of operational technology deployments. How do we match modern cybersecurity practices with decades-old technologies and regulations? Can we? You’ll come away with a better appreciation of the challenges involved in securing operational technologies.

Speakers

Mark Nunnikhoven

Principal, Amazon Security, Amazon
Mark Nunnikhoven explores the impact of technology on individuals, organizations, and communities through the lens of privacy and security. Asking, “How can we ensure that our technology does what we expect, and only what we expect?”, Mark helps organizations around the world...


Thursday April 26, 2018 15:00 - 15:45 ADT
Track 1 - Ballroom B1/B2

16:00 ADT

Data Breaches: Barbarians in the Throne Room
Often defenders worry about the intangible security problems. Defenders need to concentrate their efforts on defending the enterprise by focusing on the fundamentals. Too often issues such as patching or system configuration failures lead to system compromise. These, along with issues such as SQL injection, are preventable problems. Defenders can best protect their digital assets by first understanding the sheer magnitude of the impact a data breach can have on an enterprise.

In this talk I review my findings after analyzing hundreds of data breach disclosures as it pertains to what went wrong. I had previously done this for 2016 and I plan to have the 2017 review ready by the time of this talk.

Speakers

Dave Lewis

Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. Dave is the Founder and Managing Director for Liquidmatrix.io. Dave has worked at companies such as Akamai, IBM, Duo Security, Cisco and AMD. He is the founder of the security...


Thursday April 26, 2018 16:00 - 16:45 ADT
Track 1 - Ballroom B1/B2
 
Friday, April 27
 

09:15 ADT

Color Wars: Examining Models for Blue and Red Team Collaboration
It is pretty standard to view an organization's cyber security defenders as its blue team, with red teamers performing pen tests or otherwise simulated attacks. Recently, purple teaming has been integrated, which is a more collaborative effort between the two. But many factors go into determining the outcome of the engagement, and many end with mixed results. Many questions are not properly addressed, such as: who should be "in the know" about the red team exercise? Should the attackers start inside or outside the network? How should it be scoped? How do we ensure that the results accurately reflect the security of the organization and the capabilities of the blue team? Are we even ready for a pen test?

In this talk, we will evaluate multiple scenarios and models that will help organizations and defenders determine the best red, blue, purple, green, or yellow architecture to ensure continuous 360-degree insight into security gaps. We will cover how to evaluate if a model is working, where tweaks can be made, and starting small, but getting big results.

Speakers

Justin Silbert

CISO, LEO Cyber Security
Justin Silbert has worked as CISO for Walter Reed National Military Medical Center, and Security Manager of NHLBI at National Institutes of Health. His expertise focuses on applying sound security practices across a spectrum of systems and environments, from certified medical devices...


Friday April 27, 2018 09:15 - 10:00 ADT
Track 1 - Ballroom B1/B2

10:15 ADT

Are You Ready for the Worst? Application Security Incident Response
No matter how small your Dev shop is, if the first time you think about the security of the software is during a major incident, it’s not going to go well. I will teach developers and security teams to prepare for, manage, and hopefully prevent, application security incidents. Starting with preparation: do you have a proper application inventory? How do you manage your technology stack? Disaster Recovery? Backup strategy? Do you have a WAF? Monitoring? Tools that are at the ready when the s* hits the fan? During an incident: who’s managing the incident? Do you know? What is triage? Who does the investigation? Do you have a “safe” place to do potentially destructive testing? This talk ends with an immediate plan for the audience to get started, with a list of open source tools the security team and/or developers will use to ensure that they are ready for the worst.

Speakers

Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...


Friday April 27, 2018 10:15 - 11:00 ADT
Track 1 - Ballroom B1/B2

11:15 ADT

Introducing CSE’s open source AssemblyLine: High-volume malware triaging and analysis
The Communications Security Establishment (CSE), Canada’s national cryptologic agency and a leading expert in cyber security, believes in fostering collaboration and innovation. For the first time ever, CSE is releasing one of its own tools to the public as an open source platform. Developed internally, AssemblyLine is a cyber defence framework designed to perform distributed analytics at scale, focusing primarily on detecting and analyzing malicious files. Learn how AssemblyLine can not only minimize the number of innocuous files that cyber security professionals are required to inspect every day, but how you can collaborate with others to customize and improve the platform.

Speakers

Tyler Parrott

Senior IT Security Analyst, CSE
Tyler Parrott is a Senior IT Security Analyst with the Communications Security Establishment, currently working for the organization's Cyber Defence program. Tyler has 10 years of experience at CSE, spending 4 years in Vulnerability Research, 3 years with Infrastructure Management...


Friday April 27, 2018 11:15 - 12:00 ADT
Track 1 - Ballroom B1/B2

13:00 ADT

Medical Records on the Black Market
Medical record breaches have a double impact, since they harm the healthcare institutions, but also disclose private and sensitive information about the patients. Because of this, the value of EHR (Electronic Health Records) has exceeded the value of financial records, not only because it opens the door for liability actions, but also because it can damage (or ruin) the patient's life.

In this talk I will cover the different ways in which an owned server could be taken advantage of for profit purposes, and then I will discuss the sale value of medical and financial information on the black market. I will cover a few specific recent cases (like the last one from Equifax), describe the attack vector, calculate how much it cost the companies and end users, and talk about how it could have been fixed.

Speakers

Matias Katz

CEO, MKIT
Matias Katz is a Web & Infrastructure Security specialist. He has spoken at BlackHat, H2HC, Hack in Paris, Ekoparty, HackMiami, Campus party, OWASP and many other international conferences. He is the CEO of MKIT (www.mkit.com), a company that specializes in Red Team operations, on-demand...


Friday April 27, 2018 13:00 - 13:45 ADT
Track 1 - Ballroom B1/B2

14:00 ADT

Patching: Show Me Where It Hurts
Patching - it's complicated! As much as we like to point fingers of blame and malign the processes in place, the fact is that one size does not fit all when security updates get issued.

What's the definition of insanity: doing the same thing over and over. Organizations at every level seem to be struggling with staying on top of patching, but it feels more like a necessary evil rather than a best practice.

Ignorance is not bliss when it comes to uncovering longstanding widespread vulnerabilities and attempting mitigation. As Meltdown and Spectre have painfully demonstrated, we're damned if we do and damned if we don't.

I've done some real-life research into the issues to find new approaches to an old problem. We need to go beyond just finding the sweet spot between business risk and vulnerability exposure. Let's talk about how we can fix this process that seems inherently broken, especially as it now affects IoT, OT and medical devices. Because the cure isn't supposed to be worse than the disease.

Speakers

Cheryl Biswas

Threat Intel Specialist, TD Bank
Cheryl Biswas is a Threat Intel Specialist with TD Bank in Toronto, Canada. She gained initial access to InfoSec through a helpdesk backdoor, pivoted into roles for vendor and change management, jumped a gap into privacy and DR/BCP, then laterally moved into security audits and assessments...


Friday April 27, 2018 14:00 - 14:45 ADT
Track 1 - Ballroom B1/B2

15:00 ADT

Try Harder?
How we treat people has impact and consequences, especially when it comes to welcoming new professionals to infosec. Telling someone to simply ‘try harder’ without any support is detrimental to progress and motivation. In order for learners to be successful in developing their skills, we need to accept that learning is a dynamic process that should recognize the individual. Infosec training should not function like a fraternity; we should be there to support each other, not make it like hazing! Come hear two experienced teachers discuss the current paradigm in infosec training and offer clear strategies to make infosec training more inclusive, welcoming, accessible, empathetic - and pain-free.

Speakers

Geoffrey Vaughan

Senior Security Engineer, Security Innovation
Geoffrey is a Sr. Security Engineer with Security Innovation. He spends his time hacking and securing web applications, mobile apps, robots, 3D printers, infrastructure, embedded devices, and anything with a biometric. He is passionate about security and helping others build secure...


Friday April 27, 2018 15:00 - 15:45 ADT
Track 1 - Ballroom B1/B2
 