18th Annual New York State Cyber Security Conference Sessions

18th New York State Cyber Security Conference

10th Annual Symposium on Information Assurance

June 2 - 3, 2015

Empire State Plaza, Albany, NY

Tuesday - June 2, 2015

Risk Management

11:00am-11:50am

The Intersection of Security and Privacy

Srini Subramanian and Robert Glaser, Deloitte & Touche LLP

As CISOs take on more and more responsibilities, an important question arises: Have the responsibilities become too diversified for one executive to handle? If so, what priorities take a back seat? The CISO function might evolve to manage three broad areas: a) governance, risk, and compliance; b) privacy; and c) security technology and operations. While one or more positions may still report to an elevated CISO position, having leaders who specialize in each of these areas and assigning them resources can help improve program efficiency. As the role of Privacy Officer emerges across states, how can they improve collaboration on documenting potential risk to citizen and business data? Enterprise-level privacy officers can help determine which data needs to be protected and why. They also play an important role safeguarding citizen privacy and restoring trust when an incident occurs. Leading practices around how privacy officers and CISOs are working together to be better positioned to gain business leadership support for their programs and build a stronger enterprise risk management program will be discussed.

1:00pm-1:50pm

Future Trends: Why your Security program has to change going forward

Manny Morales, Independent Consultant

We have all heard of the threats to the retail business, the political actions taken by Anonymous, LulzSec, or other groups (Guardians of Peace, etc.), and foreign attacks to gain money or intellectual property (Romania, China, etc.). We have also heard about the costs (millions of dollars) to address these breaches and what these businesses are trying to do. If you follow the direction these companies are taking, you will still not be addressing the bigger issue. Defense in depth is no longer the cure-all; you now have to re-examine your program and take more of a risk approach. Understand that management, and not the implementation of more tools, is your biggest challenge. In this session, you will be given a different approach to implementing security. Using the NIST standard, as well as others, the speaker will address the words no one wants to hear: "you have been breached, now what?" You will come away with a new way to address security and tell management that a good security program is not only about defenses but about how to respond.

2:10pm-3:00pm

To Be Determined

Ms. Michael Redmond, Redmond Worldwide

The rapidly emerging cyber regulatory climate is creating increased compliance pressures across a wide range of industries. Product and service providers now find themselves subject to new compliance and governance obligations for which they may be unprepared. Revenue generation and cash flow are being impacted as enterprises struggle to demonstrate compliance as a condition of commercial tenders. The common tendency to view cyber governance as just another compliance activity and a cost of doing business denies enterprises the opportunity to recognize the strategic value of cyber security as a business enabler and revenue driver. This session will cover the new approach to cyber security as a strategic business function, value generation through cyber maturity, and regulatory compliance as your competitive attribute.

3:20pm-4:15pm

"That Will Never Happen To Us": Five Ways to Make Security Risks Relevant to Your Organization

Todd Brasel, NYSTEC; Vince Hannon, NYSTEC

Does your organization grasp the relevance of security risks? Is your risk management program in jeopardy because executive management does not understand its relevance? Are you developing a risk management program? Smart information security practitioners understand that all levels of an organization need to manage security risks, but it's hard to focus attention on risk when there are so many other competing business needs. Risk management programs often stumble because managers don't realize their relevance, believe it's someone else's responsibility, or don't fully understand the risks involved. In this session, you'll get practical advice on effective methods for communicating security risks that you can immediately apply to your risk management program. Through real-life examples and industry-standard practices, you'll learn to structure communication about your existing risk management program around these five concepts:

  • Identifying and recruiting key allies for your risk management program

  • Talking about risk assessment with your stakeholders in business terms

  • Picking the right schedule of messages to keep people informed without tuning out

  • Choosing the best communication channels for your messages

  • Supporting the development of a risk-conscious culture

Encryption

11:00am-11:50am

Encryption and Data Security: A Conundrum?

Dan Srebnick, DynTek Services

Industry pundits talk about encryption of data as a panacea ensuring data security. But data must be decrypted in order to be processed. The issue of encryption for data security presents difficult questions for IT managers and the answers are not always obvious. This session will present the problems at hand and then methodically look at the possible answers.

1:00pm-1:50pm

Bad Cryptography

Bruce Barnett, NYSTEC

Cryptography is a key component for ensuring confidentiality and authenticity in communication. Passwords, cookies, account and session information, along with confidential information shared between sites, contain sensitive information that should be secured with encryption, but it is difficult to do this correctly. Even with the best of intentions using NIST-approved algorithms, mistakes can be made that result in unprotected information. This presentation provides an introduction to uses of cryptography, and describes how it can be implemented incorrectly. Examples include misuse of one-time-pads, the XOR function, nonces, initialization vectors, random number generator initialization, padding oracles, use of block cipher modes, storage of confidential information, and choice of cipher suites. Some of the attacks, including some that are frighteningly trivial, will be briefly described. In conclusion, recommendations will be given on how risk can be minimized.

Secure Coding

2:10pm-3:00pm

Application Security Testing - How to find software vulnerabilities before you ship code or procure code

Hassan Radwan, Secure Decisions; Anita D'Amico, Secure Decisions

Most cyber security incidents can be traced back to a software vulnerability that was inadvertently put there when the code was developed. Web application attacks were the top IT security threat in 2013 according to Verizon's 2014 Data Breach Investigations Report. Of the 1,367 confirmed data breaches covered in the report, 35 percent were caused by web application attacks. Despite the high risk of attacks, it is not uncommon for software developers to wait until the development process is complete before testing for weaknesses. This goes against industry best practices which have shown that it actually costs a lot less to build security in during the software development process than to fix the vulnerabilities later in the lifecycle. Furthermore, many organizations fail to ask about the security testing that was conducted on software applications that they are procuring. Application security testing involves taking measures throughout the code's life-cycle to prevent gaps in the design, development, deployment, upgrade, or maintenance of an application. This session will introduce the audience to a variety of application security testing techniques including:

  • Manual Testing - Analyzing the code line by line

  • Static Application Security Testing (SAST) - SAST tools, known as white box testing tools, analyze the application source, byte or binary code for weaknesses during the programming or testing phases of the software lifecycle

  • Dynamic Application Security Testing (DAST) - DAST tools, considered black box testing tools and used for application penetration testing, analyze applications in real time while the application is running.

3:20pm-4:15pm

We DevOps'd - Experience and Lessons Learned Securing the SDLC

Dr. Sherly Abraham, Excelsior College; Dr. Din Cox, CISSP, CSSLP, Medical Science and Computing

Recent massive data breaches emphasize that organizations cannot afford to take a reactive approach to security, but call for a proactive and ground-up collaborative approach to security. In this presentation we discuss an emerging concept, DevOps, that fosters a proactive, built-in approach to software application development and deployment. We elaborate on the DevOps model, including the different techniques that can be employed in order to build secure code. The presentation will highlight the adoption of a rugged approach to DevOps for building secure software, where each phase of the development process involves ongoing collaboration with the IT operations, security engineering, and QA/testing teams. This includes leveraging tools such as Source Code Analysis Tools (SAST) and Dynamic Application Security Testing (DAST), and the automation of repeatable processes and best practices to reduce risk where possible. Through our DevOps strategy, we have seen a reduction in application-related vulnerabilities, including shorter remediation times from identification to resolution. We share lessons learned, challenges faced and best practices from the real-time adoption of DevOps to secure code development and deployment, and offer recommendations on utilizing this strategy.

Incident Response

11:00am-11:50am

What would you say, ya do here?

Tactical steps to perform tomorrow to meaningfully increase security

Tyler Wrightson, Leet Systems

In this talk Tyler Wrightson reviews the chart toppers of technical security controls you can implement tomorrow to make your systems meaningfully more secure. Based on Tyler's experience penetration testing and red teaming for many diverse organizations, he focuses on the vulnerabilities that are most likely to be targeted by attackers. This talk is best suited for technical and management personnel such as systems admins, network admins, and application developers/owners.

1:00pm-1:50pm

Investigating Cyber Crime with the FBI

Michael Keller, FBI

2:10pm-3:00pm

Advanced Persistent Threats- What You Need to Know

Terry Hect, AT&T

Advanced threats and the frequency of breaches have elevated security to the executive level in organizations of every size. Additionally, nearly every new threat is now being created to be self-reliant, or an "Advanced Persistent Threat" (APT), which differs from other, more simplistic attack types. The vast majority of threats that the industry is concerned with are very strategic in nature and often last for years if not discovered. By studying these attacks, we are learning that they are sometimes seen only once before their "signature" changes and they become nearly invisible again.

Attackers, regardless of their origin, are a national security issue. Nation states, terrorists, organized crime and social hacktivists are all utilizing the same kinds of weapons and frequently the same cyber mercenaries. There are only so many ways to identify attackers and fewer ways to stop them.

3:20pm-4:15pm

Pitfalls and Potholes of the Dark Net

Leonard Popyack, Utica College; Antony Martino, Northeast Cyber Forensics Center (NCFC)

This session will examine some of the inner workings of the Dark Net. The Dark Net is an encrypted anonymous overlay network, such as Tor. We will highlight current activity and showcase some properties of the Dark Net of which you should be aware. Furthermore, we will show how unique cyber operations can be conducted with the use of specialized routers that can make use of Dark Nets and their unique properties.

Legal Issues

11:00am-11:50am

Bulletproofing Your Incident Response Plan: Effective Tabletops

Reg Harnish, GreyCastle Security

The pace of data breaches has reached epic proportions. Organizations large and small, in every industry, are falling victim to hackers, hacktivists and nation states. Your intellectual property, data and bank accounts have never been at greater risk - it's not if, but when your organization will be victimized. Testing and maintaining an effective Incident Response plan has never been more important.

Join GreyCastle Security for an interactive tabletop exercise, and put your Incident Response Plan to the test. This session will raise awareness of the importance of the IR plan while exposing attendees' processes, policies and procedures to the various cyber threats every organization is currently facing. Attendees will take away actionable information for performing effective tabletop exercises and testing their own Incident Response programs.

1:00pm-1:50pm

GRC (Governance, Risk Management, Compliance) -- Why All the Recent Commotion, What are the Consequences, and What Can You Do to Comply? (CLE Credit)

Stephen Treglia, Absolute Software Corporation

This presentation will cover the evolution of the laws and regulations (HIPAA, Sarbanes Oxley, Gramm Leach Bliley, state breach notification, FERPA, FISMA, PIPEDA, and the EU's Data Protection Regulation), some recent case law starting to address civil damages for breaches, and a few suggested solutions.

2:10pm-3:00pm

Data Governance in the Era of the Data Breach

Ron Raether, Faruki Ireland & Cox P.L.L.

Ripped from today's headlines in which company after company is reporting breaches of their information security, this session will provide a fresh perspective on some tried and true information security practices. While companies rush to spend dollars on improved technologies and contracting with third parties to build bigger fortresses around their data, many of them fail to address information security at the fundamental level through sound data governance and the implementation of layered security. Information security technology is only as good as the people using that technology and the policies under which such technology is implemented. Ron Raether will speak on the importance of an enterprise-wide data governance policy, to include real-world examples of policy driving technology selection and implementation. Ron will also discuss the importance of security in depth and how such data governance should serve as but one of many layers in an enterprise-wide information security plan, tying these concepts into various regulatory regimes.

3:20pm-4:15pm

Government Use of Social Media - The Legal Issues

David Menken, Smith Buss & Jacobs LLP

The session will explore how local governments use social media. The session will first identify the many benefits of using social media in government (e.g., Facebook, Twitter, LinkedIn, Instagram), including improved government transparency, increased collaboration, enhanced citizen participation, and improved efficiency. The session will then identify two important issues relating to government use of social media: free speech issues, and compliance by government entities with new legal requirements.

The presentation will touch on the First Amendment, the application of the First Amendment to local government and limitations on speech in the public forum by the public and governmental employees. The presentation will review evolving laws relating to government use of social media, specifically the Freedom of Information Act, the Open Meetings Law, Record Retention Laws and the NYS Personal Privacy Protection Law. The session will then discuss social media policies which are appropriate for a local government entity to adopt, such as the type of information/opinion to be permitted, how sites are moderated and an acceptable use policy for government entities.

Security Strategies

11:00am-11:50am

Securing Your Company for Today's Cyber War: A Three-Pronged Approach to a Comprehensive IT Security Strategy

Peter Allor, IBM Security; Security Strategist, Federal Sector, Critical Infrastructure Group

In 2014, we saw more major cyber attacks than ever before, which continued to put pressure on organizations in every industry to have the right measures in place to protect both themselves and their customers. While most organizations already have some sort of security practices in place, it does not mean they have a complete security strategy for end-to-end coverage. In fact, a recent study found 80 percent of CISOs feel they are not properly prepared for today's cyber war. In this talk, Pete Allor will detail three critically important aspects of building a complete, end-to-end security strategy. First, integrate your organization's operations and security leaders. By doing so, security leaders gain visibility into operations partners, vendors, and practices, which allows them to have a complete view of the ecosystem that needs protection. Second, adopt security intelligence/situational awareness processes. Most companies lack the ability to understand where potential threats may be in their infrastructure, which means attacks can go unnoticed for extended periods of time before they receive a proper response. Third, make your security strategy your own. No security strategy is the same, because every organization has different business-critical data and different operations. Each organization needs to take its understanding of its operations and security needs and then apply it to the security steps appropriate for the company.

1:00pm-1:50pm

Cybersecurity: A Shared Responsibility

Erin Meehan, DHS

The world is more interconnected today than ever before; with more connectivity comes more responsibility. The Federal government is committed to raising cybersecurity awareness across the Nation and is working across all levels of government, with the private sector, and internationally to defend against and respond to cyber incidents, while protecting individual privacy, civil rights, and civil liberties. During this presentation, you will learn about the U.S. Department of Homeland Security's free cybersecurity resources, including the Stop.Think.Connect.™ Campaign. As a partner in the Campaign, the State of New York is part of a national public awareness effort to empower the American public to be more vigilant about practicing safer online behavior. Learn more at www.dhs.gov/stopthinkconnect or www.dhs.gov/cyber.

2:10pm-3:00pm

What Your Employees Don't Know, Can Hurt You: Creating the Vigilant Employee in the Cybersecurity War

Dane Boyd, Dell SecureWorks

Social engineering has become a choice tactic for today's cyber-threat actors. Learn how vital security awareness is for your organization and see what methods are necessary to change employee behavior to result in a stronger security posture. This session can also include how to talk to senior management about needing a security awareness program.

3:20pm-4:15pm

Cyber Security's Weakest Link: YOU

Michael McCutcheon, Rational Enterprise

All companies have a baseline of security, which typically includes firewalls, proxy servers, intrusion detection, data loss prevention, spam filtering, and anti-virus. However, even prominent organizations that spend huge budgets on data security and have significantly more than baseline protections still lose massive volumes of data. Cyber security is only as strong as its weakest link: you. This presentation will explore the end user's role in cyber security and the need to mitigate that risk with technology that allows organizations to be more content-aware. Automated, content-based classification of organizational data enhances cyber security protections by providing definitive answers to the troubling questions that arise following a data breach: "what data did we lose?" and "what is our exposure?" Moreover, a content-aware organization can proactively defend against cyber security threats by moving sensitive data to the most secure storage locations.

Wednesday - June 3, 2015

Forensics

10:30am-11:20am

Tales from the Crypt: Fighting Ransomware

James Antonakos, National Cybersecurity Institute

Ransomware, such as Cryptolocker and Cryptowall, does not bother to steal your critical files as it is much easier to just encrypt them in place and give you a ransom note. This session describes the forensic analysis of a ransomware attack and describes the vulnerabilities exploited to infect the victim computer, the damage done to the system's files, other actions taken by the ransomware, and the lessons learned during the investigation of different incidents. Ransomware requires that we take a fresh look at access control, intrusion detection, and backup strategies.

11:40am-12:30pm

Are you Tired of Hearing that the Sky is Falling when we Talk about Information Security?

Tom Brennan, ProactiveRISK

It is time for tactical and practical suggestions. Attend this proactive session and learn how to identify issues before they become headline news. Learn about practical and often overlooked system configuration changes that could have stopped many breaches, and where to start when investigations of computer crime are needed. Discuss, debate and ask your hypothetical questions.

1:40pm-2:30pm

The Critical Role of NetFlow/IPFIX Telemetry in the Next-Generation Network Security Infrastructure

Ken Kaminski, Cisco Systems

More and more we have seen the security perimeter of the network breached, with attackers taking up an increasing number of footholds inside the network. This session takes an in-depth look at NetFlow/IPFIX with the goal of leveraging this technology to provide heightened visibility and context into network traffic in order to identify attackers and accelerate incident response. Use of this technology is recognized as one of the most effective ways to combat Advanced Persistent Threat penetrations. Design and deployment of technology utilizing NetFlow/IPFIX as a collection and analysis system will be presented. Use cases include using Network Identity Management systems as an additional telemetry source, integration with SIEM vendors, and using NetFlow/IPFIX to identify an attacker's presence on the network.

2:50pm-3:45pm

Next Generation Endpoint Security: Protection, Detection and Response

Jesse Torzs, Bit9

A new generation of threats is attacking your endpoints and servers--you need a modern defense. Today's attackers are after the data and intellectual property on your endpoints and servers. If you're only relying on traditional endpoint security, such as antivirus, or network security, you're putting your organization at risk. AV doesn't see or stop targeted attacks, nor does it help you respond to an incident. And if an attack bypasses your network security, your endpoints will be compromised. Do you know what's happening on your endpoints and servers--right now? Most security teams have no way of knowing. If you suspect malware is in your environment, how can you tell what machines it's on? Is it executing? What is it doing? In this content-rich presentation you'll learn how to solve these problems - now!

Collaboration

10:30am-11:20am

The Promises and Pitfalls of Public-Private Sector Cooperation in Cybersecurity

Austen Givens, Utica College

This talk examines the advantages and challenges of closer public-private sector cooperation in cybersecurity. The presentation content comes from a three-year research project examining the dynamics of public-private sector coordination in homeland security and cybersecurity. While some believe that "public-private partnership" is little more than a feel-good buzzword, these partnerships have actually yielded tangible benefits for firms and government agencies since 2001. However, closer ties between the government and business sectors have also introduced new challenges that must be navigated carefully. This talk is ideal for senior government leaders, business managers, IT security professionals, law enforcement personnel, and owner/operators of critical infrastructure.

11:40am-12:30pm

Information Sharing in Multi-agency Disaster and Crisis Response:

Smithfield tornado disaster and DeRuyter shooter man-made crisis events discussed

Joe Treglia, Syracuse University

This discussion focuses on how information is shared within and across the boundaries of government and non-government stakeholder agencies at natural and man-made crisis incidents that involve multiple agencies and jurisdictions. This session is based on evaluation of actual incidents and debriefings from recent incidents in central New York State. Various types of technologies and processes for communication and sharing are identified and discussed in terms of their strengths and the challenges encountered, reflecting on actual incidents. Current research on centralized versus decentralized types of information sharing is considered in this area. Formal and informal information channels are discussed along with attendant security and privacy concerns. Best practices and lessons learned from these recent disaster and crisis events are presented for consideration in future incidents and for policy and procedure development.

Critical Infrastructure

1:40pm-2:30pm

ICT Supply Chain Risk in 2015: Can the Private Sector be Engaged?

Michael Aisenberg, MITRE Corp/ABA Information Security Committee

While new statutory and agency authorities to address ICT Supply Chain Risk in the defense and intelligence agencies have been developed, the 2014 Congressional authority for DHS to reach out to private sector critical infrastructure operators is new and untested. This session will review the "As Is" state of SCRM among the key critical infrastructure sectors in banking/finance, power, oil and gas, transportation and communications; the state of supply chain threats in hardware/components, software and services; and the path DHS is setting out on to engage these companies to address the continuing estimated $1 trillion threat to the U.S. domestic economy from potential exploits against these and other CI sectors. Past DHS outreach measures, the Cyber Framework and new proposals will be summarized, and areas of potential greenfield efforts, such as improved product testing and software code analysis, will be outlined, along with discussion of the legal/liability risks remaining for CI businesses.

2:50pm-3:45pm

Mind the Gap: Evolving Information Sharing; Protecting U.S. Critical Infrastructure Against Growing Cyber Threats

John Cassidy, CenturyLink Government

Private companies operate our nation's most critical infrastructure, including our electrical grid, water utilities, hospitals, and financial institutions. Well-funded nation state and organized crime cyber-organizations are aggressively attacking U.S. critical infrastructure every minute of every day. Ensuring that these private companies are able to protect themselves from these sophisticated attacks is deemed a matter of national security by the U.S. government. As such, the U.S. government is interested in arming these private entities with sensitive and classified, government-vetted cyber threat intelligence to assist in thwarting these attacks. This session will focus on how the U.S. government utilizes creative information sharing programs to protect private critical infrastructure companies and federal civilian agencies from infiltration and attack. The session will highlight two Department of Homeland Security programs - Enhanced Cybersecurity Services (ECS) and Einstein 3 Accelerated (E3A) - as key tools used to combat the evolving cyber threat.

Threat Landscape

10:30am-11:20am

The Truth about Cybersecurity: A real-world look into the current threat landscape and the business and financial impact of targeted cyber attacks

Nick Bennett, Mandiant, a FireEye Company

Cybersecurity is a critical consideration for today's government and business leaders alike. Considering the high-profile breaches making headlines almost daily, it is clear that the financial and business repercussions can be devastating. In fact, the aftermath of these exploits strikes at the heart of leadership, including technology, line-of-business and financial teams. In this presentation we will provide a first-hand, inside look into these attacks and the related risks cybercrime creates for leadership and their organizations.

Organizations around the world of all shapes and sizes are being targeted by advanced cybercriminals who have become experts in morphing their appearance and tactics faster than your team can configure a new endpoint. While defense-in-depth architecture has been the de facto cybersecurity standard, the newfound speed of attackers has led to this architecture seeing 97 percent of "secure" companies breached over the last year*. Diving into global attack data, and his learnings from responding to decades of breaches, Nick Bennett will provide insights on the best answer to today's threats: making security faster in responding to incidents. Nick will dissect recent campaigns that have seen even the "basic" cybercriminal adopting advanced attack techniques to bypass defense layers, and present case studies that demonstrate why having an architecture that makes incident response a 10-minute, not 10-month, cycle is critical.

Nick will address how these developments are reshaping the cybersecurity focus of agency leadership -- how they and their financial teams are stepping up the battle against these threats, and how the agency leadership is playing an increasingly significant role in advocating for and pursuing critical security investments that promote long-term business enablement.

* FireEye, Inc. Advanced Threat Intelligence data

11:40am-12:30pm

After the Recently Publicized Events, What's Next?

Michael Corby, CGI Solutions and Technologies, Inc.

Sony Pictures, Target, Staples, Home Depot, etc. What's happening and where are we going? The recent rash of widely publicized security events has given us plenty of opportunities for party discussions, but what's behind this? This session will explore some interesting background behind the recent frequent release of so many of these stories. At best, we get to have a budget discussion, but is there more that we can learn from these events?

1:40pm-2:30pm

Reporting on the Current Risk landscape - The Verizon Data Breach Investigative Report

Chris Novak, Verizon Enterprise Solutions

The Verizon Data Breach Investigations Report is an internationally recognized report that brings together statistics and findings from investigative response organizations around the globe; as of 2014 there were 50 contributing organizations, and more are being added yearly. The contributors include the Dutch National High Tech Crime Unit, U.S. Secret Service, Australian Federal Police, Irish Reporting and Information Security Service, and Police Central e-Crime Unit. Chris Novak is the Global Managing Principal of the Verizon Investigative Response team and a contributing author to the Data Breach report. He is knowledgeable regarding data breaches, cybercrime and investigations worldwide. In this session Chris will discuss the current DBIR as well as how to apply the data to shape your own risk modeling in order to address the most real and credible threats that are resulting in breaches for organizations every day.

2:50pm-3:45pm

The Explosion of Cybercrime - The 5 Ways IT May Be an Accomplice

Mark Villinski, Kaspersky Lab

Mobile devices, social media sites, and the exponential growth of cybercriminals are threatening your users and your data every day. Can your IT department become an unwitting accomplice to cybercrime? Mark Villinski, Kaspersky Lab Marketing Manager, sheds light on the growing challenges facing IT today and discusses the 5 ways that IT departments may be unknowingly enabling cybercrime in their organizations. During this session, you will hear:

  • A comprehensive overview of the current state of the cybercrime threat landscape

  • Several real life examples and stories of attacks; where they come from and ways to detect them

  • Examples of current IT policies and procedures that may be exposing your network to attacks

Mobile/BYOD

10:30am-11:20am

Planning Mobile?!

Eric Green, Mobile Active Defense; Larry Whiteside Jr., Lower Colorado River Authority (LCRA)

The value of and need for proper research and planning, both to take your organization mobile and to periodically re-evaluate that strategy and direction, cannot be underscored enough. "We bought a Mobile Device Management product so we have it under control" is the farthest thing from true, as this dynamic, ever-changing environment needs constant care. This topic may not be as flashy as hacking Android or trash talking iOS - BUT - without this critical piece, in the end none of the flashy stuff matters. Okay, so maybe we will demonstrate using a trojanized app to gain full command and control of an iOS device... and... demonstrate a Man-in-the-Middle attack.

11:40am-12:30pm

BYOD - It's not so hard!

Kevin Wilkins, iSecure LLC

Bring Your Own Device (BYOD) is one of the biggest challenges in IT today. As opposed to engaging in the very complex issue of MDM technology, it may be possible to look at it from a standpoint of remote access. Remote access has been an IT deliverable since the age of the modem, and can be looked upon for guidance in facing this contemporary need.

Compliance

1:40pm-2:30pm

Cyber Security Threat, Trends and Best Practices to Secure your Government Organization

Tim Finn and Ron Smalley, First Data

First Data will describe and dissect the information security challenges facing organizations in both the public and private sectors. Security experts will discuss the concepts, strategies, and best practices that form part of an overall security strategy, including encryption and tokenization; protection of data in motion, at rest and in flight; and cyber threats, cyber crimes and cyber trends.

2:50pm-3:45pm

Strong Medicine for HIPAA Compliance

Paul Romeo, GreyCastle Security

Join us as we journey into the world of healthcare cybersecurity to uncover why your medical information and electronic health records are arguably the most sought after information on the black market today. Learn actionable information on what healthcare organizations can do to protect your data while improving security posture, better aligning with the HIPAA security rule and reducing overall cybersecurity risks.

Invasion of Technology

10:30am-11:20am

Biometrics: Who Are You?

Stephanie Schuckers, Clarkson University

In our society with the ubiquity of electronic mediums, there is a need to establish a trusted relationship between individuals, and between individuals and organizations, in order to support: electronic commerce (including mobile transactions); worker and employer interactions; delivery of benefits from governments; movement of individuals across international borders; social connections; and delivery of quality healthcare. Ways to establish a trusted relationship include:

  • What you have (birth certificates, driver's licenses, credit cards, passports, keys)

  • What you know (passwords, PINs, mother's maiden name, address, email, phone number, Social Security Number)

  • Who you are (personal traits, biometrics)

Biometrics is defined as "automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics." Adding biometrics introduces another dimension of security and reduces the burden on individuals to provide additional information. As with other personal information such as demographic data, biometric data must be protected. Combining security mechanisms, and strengthening the protection of the biometrics themselves and of the other security mechanisms, is critical to keeping personal information safe while ensuring the free flow of data to the right people at the right time. This talk will give an overview of biometric systems and give some examples of emerging privacy enhancements including template protection, cancelable biometrics, and liveness detection.

11:40am-12:30pm

The Day After Passwords Die - How Biometrics will usher in a New Age of Technocreepiness

Thomas Keenan, University of Calgary

As companies and government agencies scramble to recover from wholesale credential thefts, thought leaders are suggesting that we need to bury the password once and for all. As explained in my book, Technocreep, Google's Regina Dugan has mused publicly about magnetic ink tattoos or daily password pills that broadcast from your tummy. Others think your fingerprints, ear shape, DNA, microgestures, heart rhythm, brainwaves, iris scan or even breath or body odor will be used to identify you. These techniques all bring their own creepy problems. You can change your password. But if your biometric credentials are stolen by a hacker, what do you do, change your face or heartbeats? This presentation will showcase the real, planned, and "day after tomorrow" technologies that can be used to identify us, and assess their social implications, particularly in the area of privacy. After all, Target famously found out that a teenage girl was pregnant, before her father knew, from her purchase history. What if they also grabbed your DNA as you typed on the checkout keypad and sent it out for analysis? "We notice you are pre-diabetic" might pop up on the display the next time you shop. "We have a special coupon for you." As explained on Gizmodo, "Your Fuelband Knows When You're Having Sex" (you burned 150 calories at 2 a.m. and took zero steps.) This demonstrates that biodata grabbed innocuously for one purpose can be analyzed and used to draw conclusions about us. Only time will tell if consumers think biometric identification is cool or creepy. However, now is the time to think about the implications of sharing some of our most intimate and personal data, just to prove who we are.

1:40pm-2:30pm

From the Hobbyist's Garage to Threat From Above - Defending Against Drones

George Palmer, AX Enterprize, LLC; Stuart Card, Ph.D., AX Enterprize, LLC

Out of the workshops of hobbyists an unsuspected threat has arisen. Unmanned Air Vehicles, or UAVs, have been under development and in use by the military for quite some time, but there has been a parallel development effort underway by thousands of hobbyists whose only intent was to create an inexpensive Unmanned Aerial System (UAS) for personal use. In recent years this massively distributed development has been commercialized, and many "personal" UAVs have flooded the consumer market. The cost of these systems has become so low that practically anyone can afford one. Therein lies the threat. The small UAVs on the market today have non-trivial payload capacities; many are capable of lifting 5-10 lbs over considerable distances. The autopilot control systems can be nearly as accurate as a military guided bomb. It is only a matter of time until persons of malicious intent attempt, and most likely succeed, at using a small UAV to deliver a harmful payload upon an unsuspecting target. There are an astoundingly large number of ways a UAV could be used maliciously. Possible uses range from physical energy attacks to psychological attacks to cyber warfare attacks. A relevant example would be the use of a UAV to carry a payload over physical security installations (fences, walls, etc.) in order to place it within range of a supposedly "safe" wireless network it wishes to monitor or exploit. This presentation attempts to identify and classify the various possible methods of attack using small UAVs. We go on to describe some of the techniques which may, after significant development, be used to detect and mitigate these attacks.

2:50pm-3:45pm

Is your Privacy Being Mickey Moused?

Raj Goel, Brainlink

This presentation distills 11 years of research in online threats, 4th Amendment cases, ECPA enforcement, FTC actions, cloud applications, vendors, criminals, the Internet of Things, government actions, user behavior and the human psyche to develop a picture of where we are, where society is heading and what we can do to preserve and protect privacy, security and civil society.

Cyber Potluck

10:30am-11:20am

Ahead of the Curve: Better Cybersecurity through Tech Transfer Partnerships

Dr. Douglas Maughan, DHS

There's no shortage of great ideas, tools and technologies in cybersecurity - much of it in our national labs and universities, especially in New York. But new ideas will only make a difference if they are deployed and used. The challenge is putting these new concepts into practice. This tough task requires contributions from all sources including researchers and developers, security practitioners and end users, both public and private. This talk will illustrate how the cybersecurity research and development program at the U.S. Department of Homeland Security, Science and Technology Directorate (DHS S&T) seeks to address this challenge and harness new ideas for meeting the cybersecurity challenges of today and tomorrow.

11:40am-12:30pm

What Makes a Good Cyber Security Policy?

George Duchak, Director of the Air Force Research Lab

The development of cyber security policy is informed by a broad spectrum of inputs ranging from strategic direction through knowledge of best practices. This talk will address the process of developing IT policies as they are influenced and derived from strategic vectors, industry best practices, and localized factors. References to available DoD and Air Force guiding documents will be shared for attendee use.

1:40pm-2:30pm

Cooperating in Cyber Defense: Learning Together and Sharing Knowledge

Kim McKinney, NYS Office of Information Technology Services

Nancy Mulholland, NYS Office of Information Technology Services

Leo Pfohl, GENESYS Consulting

Mark Spreitzer, CGI Federal

Deborah Snyder, NYS Office of Information Technology Services

Protecting cyberspace is a huge challenge for both public and private organizations. Despite massive investments in cyber security, breaches continue to occur. Organizations struggle to make decisions on security and IT investments since the return on investment is not clear. It is a colossal waste of national resources when neophyte organizations struggle and learn on their own rather than benefiting from the experience of others who have established their programs. A forum for sharing the best practices and concerns of organizations is very instrumental in creating a broad coalition working collectively towards the shared goal of protecting information and networks. During this session we discuss the various initiatives and directives on information and knowledge sharing in cyber security. We also talk about the NYS Forum, which is one such organization that supports knowledge sharing in cyber security. Learn how you can participate in this forum and learn from the collective wisdom and experience of other participants.

2:50pm-3:45pm

Establishing a Prototype to Enable Usage-based Cyber Liability Insurance

Steve Hamby, Independent Consultant

Cyber liability insurance is a rapidly growing tool that organizations use to transfer the risks from threats and vulnerabilities associated with cyberspace operations. However, cyber liability insurance premiums are very volatile and rising continuously. This session describes a prototype, built from existing enterprise IT tools, that organizations can implement to enable usage-based insurance (UBI) for their cyber liability insurance policies. The implementation of UBI in other insurance markets has been successful in reducing premiums for the insured, while providing the insurer with increased awareness of the risks associated with a specific insured entity. This UBI prototype provides a semi-automated tool to establish cyber situational awareness of threats and vulnerabilities, based on prioritized organizational missions, coupled with continuous monitoring of the security controls that mitigate cyber liability risk.