Day 1 - June 4, 2019

June 4 - 11:00am-11:50am

Pen Testing

Here We Go Again. Red Teaming Stories from the Trenches

Tyler Wrightson, Leet Cyber Security

In this talk Tyler reviews the interesting, hilarious, unique, awesome and familiar things that happened in the past year during penetration tests. All of the information is from first-hand experience and will give attendees insight into how organizations are actually broken into. The attack vectors include external and internal intrusions, social engineering, physical intrusions, and more.

Security Evolution

The Leadership Vision for Security and Risk Management, 2019

Jeffrey Wheatman, Gartner Research

Digital transformation continues to challenge the conventions of information risk and security management. It requires a coherent digital security program based on a clear vision and strategy.

This presentation will:

  • share a compelling vision for security and risk management.
  • identify the key 'digital differences' that must be integrated into the security program.


Navigating Security and Privacy Compliance Challenges

Michael Corby, M Corby & Associates, Inc.

In nearly every industry, security and privacy compliance is a key consideration. In fact, very few IT projects exist without security or privacy implications. There is a robust cottage industry based on collecting personal or company data from a variety of sources to assemble profiles, which can then find their way into the hands of cybercriminals. The wise cyber security leader will keep security and privacy concerns in focus. The project sponsor may not recognize or acknowledge the risk of failure that is present when IT projects are audited for the security and privacy compliance elements left out during project charter creation. This session will present the challenges of strengthening information security while staying focused on project objectives, performance and quality.

Data Protection

Digital identity - the fabric connecting and securing internal and external access

Mike Wyatt, Deloitte

In this age of digital transformation, with continuous engagement of new technology and digitization of services and information, the door has opened even wider for potential risks around the wrong entity getting to targeted information or assets. Digital transformation and connected assets are essential for government to provide services, drive economic development, and improve citizens' quality of life. The spheres of an individual's identity points (as a government employee, consumer or business owner, and private citizen) are interlinked in a complex digital structure, like a piece of fabric. The growing ability to piece together an individual's digital picture and enable appropriate levels of access is critical, now more than ever.

Join Mike Wyatt for a discussion on steps organizations can take to help make digital identity (ID) a strong fabric that supports their digital economy. Mike will discuss key points in your digital journey where digital ID strategies should be considered or evolved. Whether helping to proof the identities of internal human resource staff, or providing a new licensing mobile app to business owners, there are strategies to create efficiencies, help reduce risk, and plan for evolution to support the changing needs of business. Developing methods that are scalable and adaptive is also key. Digital ID, when strategically designed as part of your digital journey, can help create personalized, frictionless user experiences across different channels to better engage with citizens and internal staff, while also addressing risks to help close the door on unwanted access.

Managing AI

Immoral Software: How AI Embeds Human Bias and Distorts Our Decision Making


Antony Haynes, Albany Law

Leading diverse organizations not only requires consciously engaging human beings and culture but also requires carefully selecting and evaluating what automated systems are employed in all aspects of decision-making. Technologies ranging from resume scanners to language translation, from face recognition to criminal sentencing software, all encode and perpetuate biases present in human society. These systems show we cannot program away human prejudice by blindly relying on computer code. The purpose of this talk is to raise awareness of the ways computer algorithms reflect the biases of their human designers and to present a call to action for a code of ethics and for benchmarking standards around automated decision-making systems.


Session 1: Deviant Behavior and Deception

Paper: Workplace Deviance in the Indian Organizational Context

Akanksha Malik, Shuchi Sinha, Indian Institute of Technology, New Delhi, India, and Sanjay Goel, University at Albany, SUNY

Paper: Security Perceptions and Antecedents

Victoria Kisekka, Sanjay Goel, University at Albany, SUNY

June 4 - 1:00pm-1:50pm

Pen Testing

Unleash the Infection Monkey: A Modern Alternative to Pen-Tests

Hans Johnson, Guardicore

The security testing toolset available to security professionals today consists mainly of penetration testing and vulnerability scanners. These tools were designed for traditional, relatively static networks and can no longer address ALL the possible vulnerabilities of today's dynamic and hybrid networks. While there is no replacement for a highly skilled human pen-test hacker, penetration tests are limited to specific parts of a network, are expensive, and may become obsolete within months. Automatic vulnerability scanners have limited accessibility and cannot simulate today's advanced lateral movement attack methods. The result is network blind spots, which are where security threats often arise.

This calls for a new approach to testing network security resilience. An ideal tool would be easy to use, budget-conscious, autonomous and scalable. We propose using the Infection Monkey, an open source breach and attack simulation tool designed to thoroughly test a network from an attacker's point of view. Inspired by Netflix's Chaos Monkey, which would randomly delete servers in Netflix's infrastructure to test a service's ability to withstand server failures, Infection Monkey "infects" your network to test its defensive capabilities.

Freely available, Infection Monkey spins up an infected virtual machine inside random parts of your data center to test for potential security failures. By "inside", we mean behind the firewall and any other perimeter defense you are deploying for your computing infrastructure. By equipping the monkey with advanced exploitation abilities (without destructive payloads), it can spread to any vulnerable machine within reach. Along with the ability to spread onwards from its victims, the monkey can detect surprising weak spots throughout the network.

Attendees of this session will:

  • Identify vulnerabilities still in the industry's collective blind spot
  • Understand how testing can shed light on weaker parts of the security chain
  • Become advocates for better testing as a means to strengthen security

Security Evolution

Biometrics, Facial Recognition and Autonomous Vehicles

CLE Eligible

Peter Moomjian

As biometrics and facial recognition technology become more prevalent, concerns about the privacy and security of the data they generate increase, along with calls for government regulation and legislation. Similarly, as Level 4 autonomous vehicles take to the road and with predictions of vehicles with Level 5 technology becoming available in the next few years, more attention is being focused on the significant amount of geolocation and other sensitive data associated with these vehicles and related security issues. This panel will discuss the data collected by these emerging technologies, the state of the law and regulations applicable to them, and cybersecurity guidance and best practices.


A Calm Approach to Regulatory Confusion

Mike Semel, Semel Consulting LLC

F. Paul Greene, Harter Secrest & Emery LLP

How to avoid regulation aggravation. Every business in the United States has to comply with data breach laws. If you are in healthcare, you know about HIPAA. If you are in finance, you know about the strict NYS DFS cyber security regulations. But do you know about New York's data breach law and the proposed SHIELD Act? You work in New York, but do you understand why you should be worried about the Massachusetts Attorney General? How do the European Union's GDPR regulations affect you, and do you know whether California's version of GDPR will or won't affect your company? What if you are a health plan that has to comply with HIPAA, NYS DFS Part 500 and New York's data breach laws, in a way that satisfies your cyber liability insurance policy? What questions will your executives and board want answers to? Do you understand how to leverage regulations to lower your risk of a lawsuit settlement or jury award?

Information security and privacy attorney Paul Greene and cyber security and compliance expert Mike Semel will help guide you through the confusing maze of cyber security regulations. You will learn how to build a practical security and compliance program to address multiple requirements. You will leave with a better approach to dealing with existing regulations, and knowing how to be prepared for the increased legislation that's on its way.

Data Protection

Digital Compliance:  Understanding Your Sensitive Data Footprint

Michael Giordano, DynTek Services

As both government and enterprise continue to digitally transform their organizations and operations, more and more digital and private data is making its way through our networks, data centers and cloud environments. With the mounting tide of data privacy compliance initiatives, such as GDPR and the California Consumer Privacy Act, the impending impact on New York government institutions and businesses is inevitable. Join us for a discussion on how to start preparing now to protect your constituents and future-proof your digital infrastructure.

We will discuss:

  • Impact of recent compliance legislation
  • Future of data privacy
  • How data privacy relates to government
  • Understanding how your organization's data footprint leads to smarter security overall
  • How to accurately assess your data risk

Managing AI

Rise of the Machines: Cybercannibals or Humanity's Last Hope?

Reg Harnish, Center for Internet Security

The Internet has, in a single lifetime, become the single greatest invention in the history of mankind. The ubiquitous connectedness of devices and humans has transformed every aspect of life today, and irreversibly changed every aspect of life tomorrow. And while the ubermodern conveniences of connectedness have simplified the way we communicate, learn and live, this fundamental shift in human evolution has produced tragic consequences of epic proportions. Worse yet, the next chapter in this saga is already written and it's even more sobering: computers that think, decide and act for themselves. Perhaps worst of all, this evolutionary path continues to lay waste to privacy, security and the very essence of human interaction. The machines have risen. The question now is, will they guide us through digital nihilism or catalyze the extinction of the human race?

Attendees will be treated to:

  • A fresh perspective on the emerging technologies and their risks
  • A thought-provoking dissection of the most important risks you never thought of
  • An unhealthy slathering of cybersecurity contrarianism


Session 2: SCADA Security

Talk: Current Challenges in State-of-the-art IoT Security

Suryadipta Majumdar and Sanjay Goel, University at Albany, SUNY

Paper: Multi-Domain Modeling for Industrial Control Systems Using Graph and Adaptive Methods

Matthew Davis, Andrey Dolgikh, Zachary Birnbaum and Victor Skormin, University at Binghamton, SUNY

June 4 - 2:10pm-3:00pm

Supply Chain Management

Supply Chain Risk Management - Where Security, Trade and Politics Converge

Robert Mayer, USTelecom

With relentless cyber attacks emanating from foreign nations including Russia, China, Iran and North Korea, the United States government is now working closely with industry to identify and mitigate supply chain risks. The hyper-interconnected digital ecosystem and the highly distributed nature of the supply chain can make the risk mitigation process appear overwhelming, yet organizations must address the risks associated with an increasingly diverse chain of custody for both hardware and software inputs. Products such as Kaspersky, ZTE and Huawei have come under intense scrutiny, but the range of potential threats goes well beyond these vendors.

In response to cyber threats generally, the Department of Homeland Security (DHS) recently created the National Risk Management Center, under which joint Federal government and private sector collaboration is underway in areas addressing systemic risk, cross-sector collaboration and supply chain risk management. In this session, you will get a broad perspective of multiple government and industry initiatives in this arena and hear directly from one of the co-chairs on the important work being undertaken as part of the DHS Information and Communications Technology (ICT) Supply Chain Risk Management Task Force.

Security Evolution

Who Owns Your "Personal" Emails and Social Media Data

CLE Eligible

Mark A Berman

Shawndra G. Jones

With many companies maintaining Bring Your Own Device (BYOD) policies and with employees posting on social media as part of their job or sending personal emails using work or personal accounts, who actually owns "personal" email and social media data? And, to further complicate the matter, who owns information stored in the cloud? When the duty to preserve arises, to what extent might electronic data stored on personal devices by current or former employees be implicated? This panel will examine these questions, privacy and information security issues, and applicable ethics and privilege concerns which attorneys face.


State and Federal Privacy Regulations Abound: What It Means for New York Businesses

Debra Farber, BigID

With the transitional period under the New York State Department of Financial Services Cybersecurity Regulation ending, New York State Senator Brad Hoylman recently proposing the Right to Know Act, and other federal and state privacy regulations being introduced, businesses based in and doing work in New York are facing a new data privacy reality: they must understand what data they have, whose data it is, where it resides and who has access to it if they're going to meet the requirements of regulations and the demands of customers.

In this session you will explore how organizations can better meet these new regulations, including:

  • Implementing automated data discovery programs to better inventory data, manage consent requirements, fulfill data subject access requests, improve breach notifications and more
  • Adopting a cost-effective way to integrate and analyze massive amounts of data across all data sources, not just structured data, to expand enterprises' data-driven intelligence and the ability to make more meaningful data-driven decisions
  • Applying new techniques, such as AI-based automation, to better understand personal data, address the security, privacy and regulatory requirements affecting that data, and reduce corporate risk

By reconsidering how to manage and secure personal data, organizations can not only become more effective and responsible stewards of personal information, they can improve business decision-making and performance.

Cyber Defense

Importance of Having an End-to-End, Integrated Security Fabric

David Leinberry, Fortinet

I will cover the current cyber and malicious threats confronting organizations today, and the importance of having an end-to-end, integrated security fabric to proactively alert, block and update all the surfaces and fronts within your network: getting your firewalls, web, mail, endpoint, file-share and east-west traffic sharing threat intelligence with one another, all centered around a sandbox, the last line of defense, whether in the cloud or on premises. The goal is to have automated detection with assisted mitigation, looking for zero days, polymorphic ransomware, targeted attacks and APTs.

Then, the significance of getting a holistic view of your entire network by using a SIEM that will alert on brute force attacks, DLP events, stolen credentials, misconfigurations and vulnerabilities within your network. A SIEM will also provide regulatory and compliance reporting for auditors and government regulations.

Managing AI

Augmented Intelligence in Cybersecurity: Data Driven Risk Reduction

Ed Cabrera, Trend Micro

Some of the greatest advancements recently include artificial intelligence (AI) and machine learning (ML). While these initiatives are only just coming to the forefront in many areas, a number of forward-thinking security organizations have invested in these innovations for years, particularly when it comes to their applications for cybersecurity. Now these same models are being utilized in augmented intelligent SOCs to speed up detection, response, and remediation. The future will bring greater opportunities in augmented intelligent Risk Operation Centers (ROC) to identify enterprise-wide cyber risks using dark data from across the organization, from corporate and business applications and data lakes.


Session 3: Mobile/SCADA Security

Paper: D.I.F.E.N.S.E.: Distributed Intelligent Framework for Expendable Android Security Evaluation

Igor Khokhlov, Qiaoran Li and Leon Reznik, University at Binghamton, SUNY

Paper: Passive Automatic Extraction of Industrial Control System Model

Matthew Davis, Zachary Birnbaum, Kiel Gordon and Andrey Dolgikh, University at Binghamton, SUNY

June 4 - 3:20pm-4:15pm

Supply Chain Management

Contracting for Cybersecurity (And What To Do When You Can't Get Everything You Want)


Mark Francis, Holland & Knight LLP

The global economy relies heavily on supply chains. Cybersecurity risk management and data privacy considerations are increasingly a critical factor in those supplier relationships, with many business, technology and legal implications arising from the parties' respective contractual commitments, cyber and privacy practices, and allocation of risk.

Although there is a lot of public information available on industry standards and frameworks, as well as legal developments, much if not most activity around vendor risk management takes place behind closed doors, as businesses negotiate with each other on security and privacy practices and negotiate contractual commitments in these areas. This session will address key risks and common stress points around cybersecurity and data privacy issues in such relationships, with helpful tips and options for consideration.

Security Evolution

From the Engine Room to the Board Room

Chris Hallenbeck, Tanium

Articulating the value of security to non-technical leadership


Privacy and Breach Protection - achieving safe harbor by knowing what you have and how to protect it

Robert Roy, Micro Focus Government Solutions

With new rules like the European Union General Data Protection Regulation (GDPR) for all entities hosting EU citizen data, and New York State breach notification and privacy laws, you may be wondering whether your agency is at risk and what you can do about that risk. The data lifecycle of most organizations, in both the public and private sector, may lack the rigid structure that enables rapid discovery, classification, governance, knowledge management, security, and other functions. While data is important to the daily mission of New York agencies, it comes with a variety of opportunities to increase its value to the mission, while simultaneously placing the organization at risk of a data breach impacting the personal and sensitive data of state citizens. Join this session to learn more about data management opportunities and a surefire way to protect yourself in the event of a data breach.

Data Protection

Protect your data by understanding how a White Hacker finds a Data Leak?


Tom Buoniello, BinaryEdge

By understanding the techniques used to find "a data leak", attendees will be better positioned to protect their data from external "eyes".

Presentation Outline:

  • Define a Data Leak; describe where data typically "lives" in an organization
  • List a few recent (or well-known) Data Leaks
  • Define White Hacker
  • Describe the generic approach a White Hacker uses
  • Describe the typical tools a White Hacker uses
  • Show in detail how a Data Leak is found
  • Describe how a Data Leak is reported

Managing AI

AI-Machine Learning Augmentation and Cybersecurity: Why Smart Minds Using Smart Tools are critical for Minimizing Risks, and, What You Can Do About It?


Yogesh Malhotra, Global Risk Management Network, LLC

The primary focus of the presentation is on helping advance intuitive understanding of AI-Machine Learning Augmentation and Cybersecurity, and their emerging contours, for auditors, business managers, critical infrastructure owners, educators, executives, information security professionals, forensic specialists, IT professionals, law enforcement, process improvement managers, and project managers. With great power comes great responsibility! In the case of AI and Machine Learning technologies, the realization and application of such great power can yield unprecedented automation and optimization capabilities for developing more sophisticated cybersecurity and cyber risk management capabilities. However, the same AI and Machine Learning technologies also provide the 'adversary' with unprecedented deception, manipulation, and attack capabilities to launch much more sophisticated cyberattacks with unprecedented destructive power. Furthermore, for designers, developers, and users of AI and Machine Learning technologies, greater responsibility is needed not only for acutely recognizing the limitations of the underlying mathematical models and algorithms but also for smartly deploying human imagination, intuition, and insight to make up for the mechanistic limitations inherent in the design of the machines and related automation technologies. We shall advance upon the latest insights generated, hi-tech practices developed, and lessons learned from leading global industry leaders at programs such as MIT and Princeton and industry conferences such as the latest Armed Forces Communications and Electronics Association (AFCEA) C4I conference. By doing so, we shall help you develop an intuitive understanding of AI-Machine Learning Augmentation as well as its most critical role in minimizing the downside risks in the ongoing and future development and deployment of Cybersecurity and Risk Management capabilities and practices.


Session 4: Privacy and Media

Paper: Harmonizing Privacy Concerns

Gupta and Sanjay Goel, University at Albany, SUNY

Paper: TBD

Devipsitta Bhattacha, University at Albany, SUNY