• 2021 NYSCSC: Security in a Virtual Era

    2021 NYS Cyber Security Conference

    June 8 - 9

Day 1 - June 8, 2021

June 8 - 11:00am-12:00pm

Society is a lot more resilient than Cyber Marketers would like you to believe

Raj Goel, Brainlink International, Inc.

Since the late 1990s, we've been inundated with cybersecurity marketing. Everyone is one password breach away from financial ruin; every company and organization is one zero-day attack away from going belly up.

Yes, ransomware is real.  The Cyberthreat is real.

And the really good news is that people, systems and society are a lot more resilient than we give them credit for.

This talk will energize and enervate you because we'll spread sunshine and real world data to counter the cyber marketing gloom.

Digital Threats

Ondrej Krehel, LIFARS

Digital threats in commercial businesses, healthcare, and State and Local Governments have greatly increased as organizations adopt new ways of doing business. This new hybrid way of working exposes new risks made even more complex by an ever-changing cyber security landscape. Cyber terrorists, state-sponsored actors, organized cybercriminals, hacktivists, and even company insiders are motivated and funded to wreak havoc upon your company and employees. Dr. Krehel will present two real-world cases of ransomware and nation state attacks from the point of view of a digital forensic investigation.

Cyber Risk Quantification: A data driven approach to connecting 'above' and 'below' the surface costs to evolving mission decisions

Kelly Miller Smith, Deloitte

John Gelinne, Deloitte

One month a top priority might be the process and systems used to secure a digital vaccine passport system; the next might be about making selections on minimum security levels as part of the Risk Management Framework. Yet government and private sector organizations alike struggle to have a repeatable approach to quantify decisions across the range of security topics in a way that drives alignment on priorities and investments.

Just as a dispersive prism can be used to break up light into its constituent spectral colors, this same science (i.e. information theory) can describe how a risk quantification model can disperse information to specific stakeholders. Cybersecurity professionals need the ability to pivot the lens they use without recreating the framework every time yet still accurately measure, quantify, and communicate risks in a way that business leaders across these diverse scenarios can understand. To safely navigate the expanding attack surface, organizations can automate the approach to pre-aggregate, correlate, and enrich data about their organization's cyber risk exposure so when these constantly changing questions arise, they can quickly tailor these templates to the decision at hand.

While the tooling to create these mathematical models for quantifying risk can be challenging to build, the more important element is a well-thought-out strategy and specialization to connect the appropriate decisions with the relevant visualizations and models. Generic dashboards often cannot provide the outcomes that an agile, repeatable asset can, with the specificity needed to answer these evolving real-world decisions. In this session, Deloitte's risk quantification leaders will outline a comprehensive framework for quantifying the "above and beneath the surface" costs of a cybersecurity attack. Using business impact and organization-specific characteristics to create priorities through defendable, transparent, and actionable calculations, participants will leave the session with an understanding of how to invest in and defend their mission-critical cybersecurity systems, data, and functions.

Exploring the New Digital Infrastructure Security Requirements

Patrick Robinson, AT&T

The perimeter of government has evolved and transformed from a defined physical location to one that must support hybrid work from a variety of new environments. In this new edgeless reality, government leaders must be prepared to navigate through a rapidly changing threat environment. This presentation will explore best practices and key digital infrastructure security requirements that government leaders should have in place.

Security Debt, Running with Scissors

Dave Lewis, Duo

Security debt, defined by Dave Lewis, Global Advisory CISO, Duo Security at Cisco, as "the accumulation of the patches missed, the risks accepted, and the configurations misapplied," is a serious and common problem for many organizations, especially with the move to cloud computing and the rise of IoT. Part of the problem is that, while organizations might accept the risks they encounter, they often neglect to review them or make a plan for the future, and that risk is compounded when patches are passed from person to person through staff changes and/or employee churn. However, it doesn't have to be this way: to track and address security debt, organizations must develop and implement defined, repeatable processes. They should look to strategies like the zero-trust model, trust but verify, sanitization of inputs and outputs, and of course, make sure to execute patches instead of pushing them onto the next person.

Key Points

  • Security debt occurs when patches are pushed aside, and risks are accepted but not addressed 
  • The longer organizations wait to address risks, the harder it is to address them
  • To eliminate debt, organizations should create defined and repeatable processes with plans for action

ISACA Panel on Threats to the Energy Infrastructure of the United States

Sanjay Goel, University at Albany - SUNY 

Matt Nielsen, GE Research

Shashi Talya, Halliburton

Joseph Weiss 

The disruption of energy supply through the Colonial Pipeline due to a ransomware attack is a poignant reminder of the vulnerability of our energy infrastructure. Our adversaries are constantly probing our infrastructure to identify weaknesses and be able to leverage them to gain strategic advantage during conflicts. Our energy infrastructure is especially vulnerable since it is complex, intricate, and interdependent. In the past, the electric grids in Ukraine and India have been compromised during conflicts. This panel discusses the state of the United States energy infrastructure and the challenge of improving cyber resilience. The panel discusses some of the recent cyberattacks on our power grid and what we should be doing to mitigate the threat to our power infrastructure.

ASIA Session 1: Cyber Security Battleground

Paper: Scalable Infrastructure For Red-Blue Team Competitions (SIBRTCS)

Ali Alamri, Mohammed Alshehri, Daryl Johnson and Bill Stackpole, Rochester Institute of Technology

Paper: CSEC NEXUS: Gamification of Cyber Security

David Scudo, Daryl Johnson and Bill Stackpole, Rochester Institute of Technology

June 8 - 12:30pm-1:30pm

Animals We Have Become: Primitive Skills for Cybersecurity Survivors

Reg Harnish

Rwanda, Uganda, Kenya, Tanzania and Zanzibar. East Africa, often referred to as the "cradle of humanity", holds many of the world's greatest historical treasures. From the oldest human skull ever discovered to the birthplace of the Nile River, East Africa is the home to humankind's earliest recorded civilizations. But it may also be the birthplace to yet another evolutionary treasure - the secret to cybersecurity success. We've learned from paleontologists and other experts that the best survival tactics are simple, easy and familiar. Perhaps the answer to cybersecurity success lies in just that - getting primitive. Join Reg Harnish on his month-long adventure through 2,000 miles, five countries and countless treasures of East Africa, and learn how "getting primitive" will be the key to your cybersecurity evolution - and survival.

Ransomware in the Cloud

Carl Mazzanti, eMazzanti Technologies 

Ransomware attacks continue at alarming rates because they are profitable for cyber-criminals. Every business of every size is a target, even in the cloud, but small businesses are least prepared. Cyber-security consultant Carl Mazzanti will discuss the essential facts about ransomware, today's most persistent online security threat, including:

  • How ransomware attacks happen in the cloud 
  • How cyber-criminals continue to get away with it 
  • What to do to protect your business easily and for a small investment

You can't protect your valuables if you don't know what they are

Roselle Safran, KeyCaliber

With cyber attacks, attackers, and attacker sophistication constantly on the rise while network and cloud environments grow in size and complexity, organizations face an increasingly difficult uphill battle trying to defend their environments. And with finite resources, it can seem almost impossible to robustly secure everything.  The reality is that organizations cannot - and should not - try to secure all their assets equally. Instead, they must focus squarely on what matters most: the assets that are required for mission critical and key strategic operations. These assets are the valuables, the "Crown Jewels", that need to be protected, monitored, and addressed first and foremost.   Since each organization has its own unique environment and different definition of "Crown Jewels", there are significant challenges in identifying what and where an organization's Crown Jewels are. This presentation will discuss the benefits of determining the Crown Jewels, the information sources that provide the best insight into what the Crown Jewels are, and the basic process for synthesizing that information to develop an understanding of the Crown Jewels within an organization.

Emerging Trends in US State Privacy Regulation

Bob Siegel, Privacy Ref, Inc.

Since GDPR took effect, there have been a number of new laws enacted or proposed to protect personal information of consumers in the US. Each of these has occurred in the individual states, with the California Consumer Privacy Act (CCPA) taking the lead, followed by enacted laws in Nevada and Maine. New laws have been proposed in at least 19 states including New York, Washington, New Hampshire, Florida, and Texas. Many of these follow the CCPA model, but each has its own twist. This discussion will look at the current status of privacy legislation in the US, identifying trends that may be found in the legislative discussions. We will also look at how an organization can prepare.

Perspectives on Global Threats and Modernizing Security Operations

Mark McIntyre, Microsoft

Ashley Campbell, Microsoft

As cyber defenders confront an evolving threat landscape, understanding the large and increasing amount of data coming into the environment will be more and more important. In this session, Microsoft will discuss its view of the cyber threat landscape and how global monitoring, cyber intelligence capabilities, and working with others in the security industry bring advantages to improve detection, response and remediation around the ecosystem.

ASIA Session 2: Cyber Deception

Paper: Categorizing & Aligning Cyber Deception Techniques with Industry Frameworks     

Jamison Scheeres and Bill Chu, UNC Charlotte


June 8 - 2:00pm-3:00pm

Securing your Data and Applications as your Best Defense

Robert Aragao, Micro Focus Government Solutions

The frequency of cyber-attacks continues to rise in every industry. This is especially true of government, as government must protect massive amounts of sensitive data, which leaves it even more vulnerable. This is further compounded by regulatory rules like the European Union General Data Protection Regulation (GDPR) and New York State's Breach Notification and privacy laws. Building a wall around the data center is no longer possible or practical; sooner or later the physical barrier will be penetrated. In this new world, the security focus must be expanded to application- and data-based security. Strengthening the security built into applications and data environments can provide a hardened environment that defeats security breaches at the core of the business, both from inside and outside the organization.

What Modern Identity and Access Management (IAM) Looks Like: From passwordless logins to cloud-based IAM

Ben Goodman, ForgeRock

We're living in a world where managing digital identities is becoming an increasingly complex and tedious task. Every organization must deal with multiple accounts and credentials for users, employees, and devices. These siloed identities can span across dozens or hundreds of locations, and number in the millions. Given all these moving parts, it can be extremely difficult to secure and protect critical information, resulting in frustrating experiences for both users and IT teams. This session will highlight innovative approaches for modernizing identity and access management (IAM), including: 

* Moving to a passwordless future: using low-friction, passwordless and username-less authentication, including biometric technologies, to deliver better cybersecurity that also offers better user experiences.

* Building a Zero Trust approach: applying device information and other digital signals (such as contextual, behavioral, and user choice) to make smarter and more secure access decisions.

* Journey to the cloud: moving from resource-intensive and hands-on systems to the benefits and options of cloud-based IAM.

Verizon 2021 Data Breach Investigations Report

 Neal Maguire, Verizon

Dive deep into the latest publication of the Verizon Data Breach Investigations Report - the most widely read security research report in the world. The session will cover the most notable and actionable shifts in the cybersecurity threat landscape along with key insights from Verizon's Insider Threat Report. Attendees will learn from real world investigations regarding threat actor tools, techniques, and procedures along with a walkthrough of a recent case study. The report leverages dozens of contributing organizations from around the world in order to provide the best possible cross-sectional view of the threat landscape.

The Lifecycle of a Vulnerability

Jon Clay, Trend Micro

Trend Micro research looked into how vulnerabilities are weaponized within the cybercriminal undergrounds and turned into exploits utilized in attacks on organizations. In this session we will share our findings, such as which vulnerabilities are most exploited, how long they are used and sold within the undergrounds, and the future of n-day vulnerability markets. Finally, we will discuss the best practices in managing vulnerabilities to minimize the risk of exploitation.

The NYS Forum Information Security Workgroup Panel

We are all familiar with the phrase, "Cyber Security". Cyber Security is about protecting connected systems against vulnerabilities. Timely involvement of the entire leadership team is crucial. Finding opportunities to better integrate the IT response with the organization's business continuity plan is key, so that when an event does occur, the organization can provide a timely, coordinated response. After all, cyber security incidents often have business continuity implications and impacts that extend far beyond IT.

In this session the NYS Forum Information Security Workgroup will address these topics and more.

ASIA Session 3: Insider Threat 

Insider Threat Discussion Panel

Merrill Warkentin, Mississippi State University; Craig Orgeron, Amazon Web Services; Stephanie Jaros, US Department of Defense Personnel and Security Research Center; Karen Renaud, University of Strathclyde; Rob Gatlin, Wells Fargo; Steven Furnell, University of Nottingham 

June 8 - 3:30pm-4:30pm

How to Improve Cyber Resilience with Modern PAM

Dean Lindstrom, Centrify

Cyber breaches are more frequent and impactful than ever. Hardly a day goes by without headlines alerting us to yet another devastating attack. To protect against such breaches, modern privileged access management founded on Zero Trust is in the spotlight, seeing huge growth in adoption.   There are many starting points on the path to modern PAM. However, all roads still converge on identity. Hackers don't hack in anymore -- they log in using weak, default, stolen, or otherwise compromised credentials. Indeed, Forrester Research estimates that 80 percent of today's breaches involve privileged access abuse -- that is, compromised user accounts that have administrative access to critical systems in the organization.   The session will explore how modern PAM helps organizations ensure that access to their compute (on-premises or in the cloud), network, DevOps, and data resources is appropriate, sanctioned, compliant, and secure.

Words are the Hardest Part

Mick Baccio, Splunk

New technologies and terminologies are being introduced at a pace necessary to match the needs of today's threat landscape. Machine Learning, AI, Orchestration - these are all terms we've grown familiar with in the past few years. We'll talk about four words, their impact, and how to consider them when traveling along your security journey. 

Knock Knock....Knowing who's on the other end of the password

 Bil Harmer, SecureAuth

Companies are responsible for the data they have and need to protect it. This includes the identities of their employees and customers. As life on the Net continues to develop, people are going to have multiple identities that will merge into a single identity with multiple profiles (work, play, family, etc.) while businesses continue to push MFA and eventually password-less access. While all of this is going on, we're headed to a "new normal" for the workforce, which will be anything from fully remote to fully on-premises depending on the company. Organizations will begin the mass migration in the coming months. The big question is, how do we manage things between now and then to ensure we protect our assets?


Shane Allen and Mike Tornincasa, Rubrik

So what does ransomware preparedness look like? Initially, constant vigilance can help agencies foil possible attacks. After that, agencies must implement the right tools to shield their data and heal it after successful breaches. They should be able to rely on their backups to recover quickly and reliably with as little data loss and financial impact as possible. Developing and testing a strong remediation plan prior to an attack should be a top priority for agency IT organizations. The discussion will include:

  • Having the right backup and recovery for cyber resiliency
  • Time to Recovery - Availability of data and applications for critical systems
  • Governance and Compliance
  • Technical requirements of a secure architecture
  • Lessons learned from real-life ransomware attacks
  • Ransomware remediation

We will walk through what to look for in a backup and recovery solution and how to build an effective ransomware remediation plan to ensure your agency can quickly respond to a cyberattack without paying any ransom.

Ransomware ranks among the fastest-growing cybersecurity threats facing today's governments. Nationwide, agencies are finding that ransomware presents a clear, present danger to their missions. State and local agencies are particularly vulnerable to ransomware because, having smaller budgets and workforces than their federal peers, they are perceived as "soft" targets.

Government agencies that decided to pay ransoms paid almost 10 times as much money on average as their private-sector peers over the second quarter of 2019. And with over 100 successful ransomware attacks against US government bodies in 2019, you can see that this has been very costly for state and local agencies. Unfortunately, this is only going to get worse without the right tools in place. Advanced ransomware is now targeting backups, modifying them, or completely wiping them out, compromising the last line of defense and maximizing chances of ransom payout.

Citizens rely on their governments for everything from fishing licenses to paying utility bills. When those capabilities vanish, citizens may become increasingly disappointed with the agencies serving them. The fallout only worsens when the services agencies provide directly influence people's lives. Ransomware can delay critical functions such as emergency services, health care and electricity. Gradually, ransomware can erode the delicate trust between agencies and the citizens they engage with.

ASIA Session 4: Cyber Security Threats and Challenges

Paper: High Level view of Cyber Security

George Markowsky, Missouri Science and Technology

Paper: Analysis of Data Breaches in the U.S. Healthcare Provider Sector

In-Lee, Western Illinois University