2021 NYSCSC: Security in a Virtual Era

    2021 NYS Cyber Security Conference

    June 8 - 9

Day 2 - June 9, 2021

June 9 - 11:00am-12:00pm

From the Dumpsters to the Front Page:  Let's talk about IT's dirty little Security Secrets

Matt Malone, Vistrada

This presentation is to help the audience understand the importance of the most valuable asset a company can have against hackers: people.  It teaches effective training methods and how to build a risk-aware culture.  Without training, human nature overrules security controls every time.  Many elements can contribute to the vulnerability of your organization; however, none is more prevalent than the human factor and optimistic bias.  A large issue facing all industries as it relates to security is a misguided faith in technology that either does not exist or does not work as configured.  We must all take back responsibility and quit assuming someone must be on watch while we all lie sleeping.  While dumpster diving, I have found numerous company records, private data, even classified missile guidance system documents on a flash drive, all discarded in the trash.  We will explore human nature and the hard-to-believe truths about where our data ends up and how it can cripple your company.  One man's trash is another man's information goldmine.  What you will learn:

  • Security Beliefs vs. Security Truths
  • Risks facing organizations
  • Account Management
  • Learn to prevent Phishing, Pharming, and Social Engineering Attacks
  • Security Awareness Training - Field proven methods
  • Optimistic Bias - Why we think we are safe
  • Dumpster Diving: What would you find in your company dumpster?
  • Social Engineering: Base, Controls, and Testing Methods

People-Centric Security Analytics--State Government Edition

Chris Montgomery, Proofpoint

Social engineering is king.  Email is the primary delivery vector.  It's easier to find someone who will click than to find an exploit for a modern operating system or browser.  Even attacks that end up on an ICS system start with a phish.  The attacker simply needs to know who has access to the data they want, then get creative.  The org chart is the new zero-day, and today it's publicly available on social media.  Most security teams don't have the same perspective that the threat actors do; they think of their attack surface in terms of VLANs and IP addresses instead of departments, functions, or job titles.  By enriching email threat data from ten state governments with names, job titles, and functions, we will present an attacker's-eye view of the state government peer group.  Targeted job title trends and clusters common to multiple organizations reflect an accurate educated guess as to where the attackers will strike next or have already.  Gaining this people-centric perspective makes the problem of defending a large organization manageable.  Imagine trying to defend 100,000 users in the same manner, without any idea where the next compromise could come from.  With the attacker's targets and delivered threats attained and organized by job title, department, and function, defensive efforts are prioritized on key personnel and groups trending in the data.  Risk management is less of a guessing game, threat hunting gets a big head start, and the security team can finally communicate with leadership in organizational terms.

2021: Year of the Hybrid and What It Means for Your Organization

Jim Richberg, Fortinet

2021 will be a year of blended activity by government organizations, employees, and threat actors alike. Work patterns and locations will continue to shift, robotic process automation will affect how organizations operate and support their customers, and threat activity will evolve in terms of types of attack, tactics, and impact. Join this session to hear what some companies are doing in response to this changing dynamic and how these lessons learned can help public sector organizations. Hear recommendations on three specific areas your organization should focus on to enable expanding digital services efficiently and securely -- even if your IT and security budgets are declining.

How to Comply with Consumer Protection Laws and your Cyber Insurance Policy

Mike Semel, Semel Consulting

F. Paul Greene, Harter, Secrest, and Emery LLP

Whenever you hear the word 'compliance' you probably think about HIPAA, GLBA, the SHIELD Act, or another law.  You should also think about complying with other requirements like consumer protection laws and your cyber liability policy. Businesses have been blindsided when they have been accused of unfair business practices by the FTC or the NY Attorney General after complaints or data breaches. Organizations have been shocked to find out their cyber insurance won't cover them - just when they needed it most.  Cyber attorney F. Paul Greene and cybersecurity and compliance expert Mike Semel will explain consumer protection laws and insurance requirements, and help you identify your risks so you don't learn lessons the hard way.

Encrypted DNS -  Friend, foe or frenemy?

Tom Grimes, Infoblox

DNS is the last critical service on the Internet and in your organization that runs unencrypted, or 'in the clear'.  Competing consortia of standards bodies, IT security associations and internet behemoths are trying to close the DNS encryption gap with varied approaches.  Some advocate browser-based extensions, others opt for infrastructure and OS upgrades, and others propose measures to block encrypted DNS traffic.  Even if a web session is encrypted, unencrypted DNS provides important behavioral metadata that can be used to track network activity.  Used properly, encrypted DNS can close privacy and security gaps that leave DNS queries open to surveillance data miners like internet behemoths, law enforcement, ISPs, business competitors and advertisers.  However, with zero sophistication, any user in your organization can use encrypted DNS, which is now embedded in the world's most popular web browsers, to completely bypass IT security policies, steal data and run unauthorized applications, all undetectable by most security tools.  In many ways, encrypted DNS poses the same risks to information security as the Tor network.  However, in areas where accessing the wrong web content can lead to severe consequences, encrypted DNS can literally save lives.  In this session, we will discuss the rationale and tech behind encrypted DNS, the risks and benefits it can bring, and strategies information security teams can use to approach this rapidly emerging technology.
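As an added example (not part of the session and not Infoblox tooling), the following Python script shows the kind of flow-log check a security team can run to spot the bypass the abstract describes: DNS over TLS on its dedicated port, DNS over HTTPS identified by the TLS SNI of well-known public resolvers, and plain DNS sent past the corporate resolvers. The key=value log format, the corporate resolver addresses and the list of public DoH hostnames are assumptions, and every log line is constructed.

```python
"""Detect encrypted-DNS (DoH/DoT) use and resolver bypass in firewall flow logs.

Added example; not code from the session or from Infoblox. Assumes one
'timestamp key=value ...' record per line, a known set of corporate
resolvers, and an illustrative (not exhaustive) list of public DoH hosts.
"""
from collections import defaultdict

# Assumption: the organization's sanctioned internal resolvers.
CORP_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Illustrative SNI values of public DoH services; a real list needs maintenance.
PUBLIC_DOH_SNI = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Constructed sample flow log (not real traffic).
SAMPLE_LOG = """\
2021-06-09T11:02:13Z src=10.1.2.3 dst=10.0.0.53 proto=udp dport=53 sni=-
2021-06-09T11:02:14Z src=10.1.2.3 dst=142.250.80.46 proto=tcp dport=443 sni=www.google.com
2021-06-09T11:02:15Z src=10.1.2.7 dst=1.1.1.1 proto=tcp dport=853 sni=cloudflare-dns.com
2021-06-09T11:02:16Z src=10.1.2.9 dst=104.16.249.249 proto=tcp dport=443 sni=mozilla.cloudflare-dns.com
2021-06-09T11:02:17Z src=10.1.2.11 dst=8.8.8.8 proto=udp dport=53 sni=-
2021-06-09T11:02:18Z src=10.1.2.3 dst=10.0.1.53 proto=tcp dport=53 sni=-
"""


def parse_flow(line):
    """Turn 'ts k=v k=v ...' into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def classify(rec):
    """Label one flow, or return None for sanctioned DNS and ordinary web traffic."""
    dport, dst, sni = rec["dport"], rec.get("dst"), rec.get("sni", "-")
    if dport == 853:
        return "dot"  # DNS over TLS has a dedicated port and is easy to spot
    if dport == 443 and sni in PUBLIC_DOH_SNI:
        return "doh"  # DoH is plain HTTPS; SNI (or a known resolver IP) is the only hint
    if dport == 53 and dst not in CORP_RESOLVERS:
        return "external-resolver"  # cleartext DNS that skips corporate logging/filtering
    return None


def find_encrypted_dns(log_text):
    """Map each source host to its list of (label, destination) findings; clean flows are dropped."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings[rec["src"]].append((label, rec["dst"]))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in sorted(find_encrypted_dns(SAMPLE_LOG).items()):
        print(host, hits)
```

The script makes the abstract's point concrete: DoT stands out by port, but DoH is indistinguishable from any other HTTPS session except by where it goes, so an SNI or resolver-IP list is the only network-side hook, and it goes stale. A resolver-side control worth pairing with this is the Firefox canary domain use-application-dns.net: when the local resolver answers NXDOMAIN for it, Firefox's automatically enabled DoH stays off, though a user who turns DoH on explicitly is not affected by the canary.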

ASIA Session 5: Cyber Security Frameworks

Paper: Web-based Cybersecurity Framework Exercises

Delbert Hart, SUNY Plattsburgh

Paper: CoD3: A Collaborative & Distributed Framework for Defending Distributed Denial of Service (DDoS) Attack

Ashutosh Dutta, UNC Charlotte; Ehab Al-Shaer, Carnegie Mellon University; and Bei-Tseng Chu, UNC Charlotte

June 9 - 12:30pm-1:30pm

It's Never Too Late. Get your Third Party Risk Management up to Speed!

Robert Adams, iSECURE

Summary of the session:

  • Managing third party risk presents everyday challenges for customers and vendors alike
  • How to examine and recognize risk across multiple industries including education, industrial and healthcare
  • Identify and create core third party risk management activities and processes to protect your organization from unknown or unexpected risks
  • Review of various compliance frameworks that will aid in improving your risk posture and maturity
  • What to do when a critical vendor or service doesn't maintain the same level of compliance

Creating a "Next Decade" Cybersecurity Program

Michael Corby, M Corby & Associates, Inc.

Raising cybersecurity awareness has been a challenge for many years.  Recently, new challenges have emerged for existing cybersecurity programs, including the rise of state-sponsored cyberattacks, vulnerabilities in autonomous and home protection devices, and renewed attention on personal privacy.  This session will look at the organizational structure of a responsive cybersecurity program, the skills needed to navigate technical, legal and governance obstacles, and propose some metrics to illustrate program successes and identify needed enhancements.  Cybersecurity program managers, CISOs, CIOs and any other organization leader will find this session an illustrative and productive planning tool.

Dark Web Review - a Deep Dive into a Dark World

Alex Holden, Hold Security, LLC

We will take a journey to the dark side, examine black-market dynamics, see real hacker systems through which they steal our data, and identify their targeting techniques. In order to defeat your adversary, you must get to know them and understand them better. This fascinating journey will help you not only to learn more about the Dark Web but also to know what you can do to prevent breaches.

Practical Cyber Security Analysis Crash Course

Leonard Jacobs, Netsecuris LLC

Session will teach the fundamentals of Cyber Security Analysis in a practical manner.  Session participants will learn to apply Network Security Monitoring (NSM) concepts and techniques in order to be better prepared to protect their employer's networks and systems.  Open source tools will be used to illustrate these concepts and techniques.  Session participants will be expected to understand TCP/IP network concepts.  The fundamentals of packet analysis, data parsing, cyber security intelligence gathering, cyber incident response, and threat hunting concepts will be explored and illustrated.

Unboiling the ocean: Distilling cyber regulations and frameworks into actionable, achievable activities

Jeff Miller, Arctic Wolf Networks

Ryan Spelman, CyberClarity360, Division of Duff & Phelps

What's the difference between NIST and CIS?  Which is better or more applicable to my organization?  Why do we need the NYS SHIELD Act?  Aren't there already enough regulations?  What's new in SHIELD?  What about the pending legislation, Senate Bill S7246?  What would it mean for NY municipalities if it were passed and they could no longer, by law, pay ransomware demands?  This presentation will answer these and other questions around cybersecurity frameworks and compliance.

ASIA Session 6: Applied Cyber Security

Paper: Taxonomy of Applications of Artificial Intelligence for Cyber Security Administration  

Jordan Shropshire, Madelyn Allen and Ryan Benton, University of South Alabama

Paper: Leveraging Weakness in Human Vision for Printed Covert Channels

Lukas Vacula and Daryl Johnson, Rochester Institute of Technology

June 9 - 2:00pm-3:00pm

Getting to know the NICE Framework and Community Coordinating Council: resources and benefit

Laurin Buchanan, Secure Decisions

You may already be adopting, adapting, or extending the National Initiative for Cybersecurity Education (NICE) Workforce Framework in some way, but do you know everything that NICE has to offer - to students and educators, employers and employees? This session will introduce the NICE Community Coordinating Council, which seeks to energize, promote, and coordinate a robust community working together to advance an integrated ecosystem of cybersecurity education, training, and workforce development. This work is supported by community members participating in focused Working Groups (Modernize Talent Management, Promote Career Discovery, and Transform Learning Process) and Communities of Interest (Apprenticeships, Cybersecurity Skills Competitions, K12 Cybersecurity Education, and NICE Framework Users). Hear the inside perspective on NICE from an active member of the Community Coordinating Council who has also co-chaired multiple subgroups. This session will highlight several of the free resources created by NICE, such as the NICE Challenge platform, the interactive CyberSeek tool, and the Workforce Management Guidebook, and events such as webinars and Cybersecurity Career Awareness Week, national conferences and more. Get a sneak peek at several projects currently in development, such as the K12 Cybersecurity Education Roadmap. Even if you decide not to join the Coordinating Community Council, you will learn how you can stay informed, get involved, give feedback on the NICE Framework or share your experiences with the NICE Framework.

AppSec Policy: Is Yours Built for Modern Development Approaches?

Stephen Gates, Checkmarx

Duffin Newman, Checkmarx

There's no denying that enterprise applications must be protected, but thwarting increasingly severe and frequent threats to customer data and confidential information requires more out of our AppSec policies than ever before. Add in the challenge of building increasingly secure applications under the current pressures of digital transformation, and many organizations are finding that their AppSec policies just can't keep up, resulting in costly post-development vulnerability triage and deployment delays.  Therefore, company-wide AppSec policies that directly influence developers and security teams are imperative to meet time-to-market demands.

During this talk, I'll discuss how the development of an organization's AppSec policy drives developer training initiatives, and how proper and consistent secure coding education must be available to developers while coding. Finally, I'll focus on the needs of State Agencies, both from the perspective of their own developers, in addition to their contractors who may need a refresher on becoming better developers.

C4I-Cyber Command & Control Supremacy: Why it's more critical than AI & Quantum Supremacy & What You Can Do About It: Security in Post-COVID Virtual Era Beyond Data, Models, Algorithms

Yogesh Malhotra, Global Risk Management Network, LLC

Despite exponential improvements in Data, Models, and Algorithms and advancements in Artificial Intelligence (AI) and Quantum Computing technologies, the bar on national and organizational Security has been raised by COVID19 global disruptions that include ongoing global cyber-attacks. As the world's first, foremost, and largest Digital Transformation Network that pioneered Digital and Virtual Organizations practices spanning Silicon Valley, Wall Street, the Pentagon, and worldwide organizations, our latest Air Force Research Lab Ventures are advancing C4I-Cyber Command & Control Practices, Technologies, Ventures, and Networks to meet the post-COVID19 Risk Management realities. In spite of the latest AI and Quantum Computing capabilities powering Business-IT Performance, COVID19 has highlighted the critical significance of Resilience and Sustainability of Command and Control (C2) capabilities of Systems powering National Defense & Space, Critical Infrastructures, all Enterprises, and Intra- and Inter-Enterprise Networks for organizational, national, and global survival. Given unprecedented global and national cyber-attacks, critical Systems need to advance beyond C2 to include focus on Adversarial C2 and Counter-Adversarial C2 capabilities to survive and thrive. Drawing upon our latest contributions to advancing US Global and National Defense & Space capabilities spanning Air-Space-Cyberspace such as the Advanced Battle Management System (ABMS) Joint All Domain Command & Control (JADC2), our latest State of New York Cybersecurity conference presentation will help Cyber Security and Risk Management professionals, managers, and leaders advance Beyond Data, Beyond Models, and Beyond Algorithms to effectively preempt risks posed by the latest and greatest adversarial threats.
We shall build upon our Practices advancing upon the National Institute of Standards and Technology (NIST) Risk Management and Risk Engineering frameworks for AI, Machine Learning, Quantitative, Cyber, Crypto, and Quantum Risk Computing to counter the C2 risks for enterprises, systems, and infrastructures - commercial, government, military, and other - connected to the Internet.

DMARC in a nutshell

Shehzad Mirza, Global Cyber Alliance

In this webinar, we provide an overview of DMARC, explaining what DMARC protects against, why it is important to implement, and the various components involved with implementation.
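As an added example, not from the session and not Global Cyber Alliance code, the following Python sketch ties the components the overview lists together: it parses a DMARC TXT record, applies the SPF and DKIM identifier-alignment rules of RFC 7489 against the RFC5322.From domain, and returns the disposition a receiver should apply. It assumes SPF and DKIM verification already ran and that only the domains they passed for are handed in; org_domain() is a deliberate simplification of the Public Suffix List lookup; all records and domains are constructed.

```python
"""Evaluate a message against a DMARC record (RFC 7489 alignment and policy).

Added example; not code from the session or the Global Cyber Alliance.
Assumes SPF/DKIM verification already ran and passes in the domains they
authenticated. org_domain() is a simplification of the Public Suffix List.
"""


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; tag=value' into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")     # share of failing mail the policy applies to
    return tags


def org_domain(domain):
    """Organizational domain as the last two labels (assumption; real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record_txt, record_domain, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (dmarc_pass, disposition).

    record_domain: where the record was published (p= applies there, sp= to subdomains).
    spf_pass_domain: RFC5321.MailFrom domain for which SPF returned pass, or None.
    dkim_pass_domains: d= values of DKIM signatures that verified.
    """
    rec = parse_dmarc(record_txt)
    spf_aligned = aligned(spf_pass_domain, from_domain, rec["aspf"])
    dkim_aligned = any(aligned(d, from_domain, rec["adkim"]) for d in dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return True, "none"  # one aligned pass is enough for DMARC to pass
    # pct<100 would sample which failures get this disposition; omitted here.
    policy = rec["p"] if from_domain.lower() == record_domain.lower() else rec["sp"]
    return False, policy


# Constructed demonstration records (not real deployments).
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-agg@example.com; adkim=r; aspf=r"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    # Legitimate mail signed by a subdomain: relaxed DKIM alignment passes.
    print(evaluate(RECORD, "example.com", "example.com", dkim_pass_domains=["mail.example.com"]))
    # Spoofed From: with SPF and DKIM passing for the attacker's own domain: no alignment, reject.
    print(evaluate(RECORD, "example.com", "example.com",
                   spf_pass_domain="attacker.net", dkim_pass_domains=["attacker.net"]))
```

The spoofing case is the one DMARC exists for: SPF and DKIM can both return pass for a domain the attacker controls, and only the alignment check against the visible From: header turns that into a reject. The strict record shows the trade-off of adkim=s, where mail signed by a subdomain fails unless SPF is aligned instead.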

How to Improve Modern Security Awareness Training

Robert Siciliano, ProtectNowLLC.com

There's so much about security awareness training that "lacks". It lacks connection, it lacks depth, and it lacks emotion. Worse, it lacks trainers or training that connect with audiences. You've heard the phrase "people don't care how much you know until they know how much you care", and modern security awareness training, while often packed with information, simply doesn't show it cares.

Our philosophy is "all security is personal". People don't want to think about, nor do they believe security incidents can or will happen to them, therefore they generally discount the realities or the vulnerabilities that they or their business might face. The key is to show them how security is a personal benefit to them and how it enriches their lives and benefits their employers.

When teaching security awareness and making it personal, the student is more likely to take action in the workplace as it is first about them. Humans are selfish or self-interested creatures and their day-to-day activities need to benefit them first.

In this session, the instructor Robert Siciliano CSP, CITRMS, CSI will show you how to weave stories and emotion into your training, and how to tie together topics like personal security, information security, identity security, and even social media security, which are all "independent" upon each other, to drive home the message.

ASIA Session 7: Network Security

Paper: Security in Software-Defined Networks

Oluwatola Adeniyi, Mojisola Ayeni, Digvijay Chauhan, Ugochukwu Ezidonye, Vishwa Patel and Sergey Butakov, Concordia University of Edmonton

Paper: Additional Security Mechanism in Single Packet Authorization

Sukhraj Brar and Sergey Butakov, Concordia University of Edmonton

June 9 - 3:30pm-4:30pm

Cyber Awareness Training - Making it Stick

Mandouh Csintalan, RenaissanceRe

Security often struggles to capture the attention of our non-security colleagues, but when an incident happens they are all ears. Learn how to effectively gear your cyber awareness program to capture their attention before an incident happens. We will cover the three artistic proofs, phishing gamification, presenter tips, format variations, metrics, and more.  The financial services industry faces some of the most targeted and sophisticated cyber-attacks. Due to this, we must train our colleagues to be an extension of our cyber army to thwart any phishing, vishing, and smishing attacks. To do this you must understand your audience, from the trader to the underwriter, the investment banker, and beyond. Furthermore, we'll learn how to simulate more realistic cyber-attacks so we can better train our colleagues to look out for actual attacks.  You'll walk away knowing how to stimulate their senses, get them enlisted as part of your cyber army, and leave yourself looking like a presentation rockstar.

The State of Cybersecurity Careers

Deidre Diamond, CyberSN

The unemployment rate for cybersecurity professionals--the people protecting us from cyber-attacks--is zero, and the majority of these professionals are open to leaving their current jobs. Our ability to recruit and retain cyber professionals is a critical national security issue. It's no wonder the question we are most frequently asked is: "What are the best ways to attract and hire?" The answer is, "What is your retention strategy?" In this talk, Deidre Diamond, Founder and CEO of CyberSN, the largest solely focused cybersecurity talent acquisition firm in the US, will share exactly how to retain and hire. With the right strategies, security managers can quickly build strong, diverse teams that stay.

Cybersecurity Threat Detection & Response Using Digital Identity Intelligence

George Freeman, LexisNexis Risk Solutions

The digital economy is fast becoming the dominant economy. This is driving a transformation that has changed consumer interactions from location-centric and in-person to predominantly digital and increasingly global. The threat of cybercrime grows; data breaches continue to proliferate, and identity credentials are widely available on the dark web.  Sophisticated cyberattacks are bypassing traditional security defenses by mimicking trusted user behavior. Static identity assessment methods alone are now much less effective in verifying a person's real identity. The solution lies in understanding the digital DNA of users and their unique online footprint that knits together trusted digital identities that fraudsters cannot fake.

A modern intrusion analysis framework and mitigation strategy to thwart modern attacks

Hector Rodriguez,  Amazon Web Services

Cyber attackers follow a process leveraging modern technology, data, and other resources to infiltrate their targets.  Attackers follow a defined set of phases and actions to execute attacks known as a "kill chain".  In this session, we will introduce a modified and modern intrusion analysis framework and process.  We will explore how to leverage that framework to mitigate risk, thwart attackers, and minimize intrusions in today's cloud first or hybrid-cloud world.

A Cybersecurity Curriculum for ALL Middle School Teachers and Students

Laurin Buchanan, Secure Decisions

If YOU had to introduce middle school students to cybersecurity concepts and careers, what would you need to know, or have, beforehand? To date, there is very little evidence-based research published on what works in K12 cybersecurity education or how best to prepare teachers. There is almost no general cybersecurity curriculum for K12 classrooms that includes appropriate student assessments. Recently, the NYS Education Department approved new Computer Science and Digital Fluency standards intended to prepare all NYS K12 students for the dynamic and technology-driven world of the 21st century. Cybersecurity is one of the five concepts for all K12 grade bands in the new standard. For a successful roll-out of these standards across all grade bands by fall 2024, more focus on curriculum development, resource acquisition, and professional development for K12 teachers is needed immediately. This session will discuss this new standard and share recent outcomes from CyberMiSTS, a project to create and evaluate a professional development workshop that enables any teacher to successfully introduce cybersecurity concepts and careers to a broad and diverse set of middle school students, enabling schools to infuse cybersecurity across their curriculum. With funding from the National Science Foundation, the CyberMiSTS team on Long Island piloted summer workshops with a curriculum for teachers that focuses on big questions and key concepts that engage students without requiring computer science or coding experience. We'll review the workshop, outcomes and lessons learned with a wide range of participating teachers, and our future plans to expand the offering.

ASIA Session 8: Security Audit

Paper: Audit and Assurance Program for NoSQL DBMS

Hitesh Bhola, Kanwarpreet Brar and Sergey Butakov, Concordia University of Edmonton

Paper: IT Audit Transformation: Impact of Pandemic and Role of Fintech

Aeshita Tewari, Sai Teja Bollina, Xiyi Zou, and Gunju Lee, University at Buffalo (SUNY at Buffalo)

Dr. Manish Gupta, M&T Bank