9:00 - 10:30 a.m.
Keynote: “Cybersecurity Threats to the United States: How we Must Prepare for the Next Decade”
The United States remains the preeminent global power economically, politically, and militarily. This position incentivizes adversaries to use asymmetric tactics to attempt to level the playing field. To that end, adversaries use cyberweapons to steal our intellectual property, break into our critical infrastructure, and disrupt our democratic processes. As a nation, we recognize the impact to our national security, as well as the need to stand up to our adversaries and stay resilient by securing our critical assets and infrastructure. As noted by President Biden when discussing the National Cybersecurity Strategy, “Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.” This presentation will discuss the cybersecurity threats that the nation faces and the posture that the federal government has taken to directly address them through strategies at the national and Department of Defense levels. This session will also talk about the need to identify, develop, recruit, and retain the best and the brightest minds in the country for national cybersecurity through partnership with academia and industry.
Chester Maciag, Director for Cyber Science and Technology Research and Academic Outreach
Office of the Under Secretary of Defense for Research and Engineering
Chester Maciag is the Director for Cyber Science and Technology Research and Academic Outreach within the Office of the Under Secretary of Defense for Research and Engineering (OUSD(R&E)). In this role, he oversees more than $550 million per year in basic, applied, and advanced cyber science and technology for the Department and supports a non-kinetic joint warfighting vision through investment in integrated cyber and spectrum capabilities and related policy studies. Mr. Maciag also leads the VICEROY talent pathway program designed to deliver mission-capable cyber and spectrum leaders prepared to meet tomorrow’s non-kinetic operations and related national security challenges for the Department of Defense.
Previously, Mr. Maciag was the Acting Principal Director for Cyber in the Office of the Defense Director for Research and Engineering Modernization, where he was responsible for making investment and policy recommendations for the $4B annual cyber research, development, test and evaluation (RDT&E) portfolio. He also served as Acting Director, Command, Control, Communication, Computers, Cyber, Intelligence, Surveillance, Reconnaissance, and Electromagnetic Warfare (C5ISREW) office, where he provided scientific leadership, management oversight, policy guidance, and coordination for the more than $2 billion per year in related Defense Agency programs. Mr. Maciag has a bachelor’s degree in electrical engineering from the Rochester Institute of Technology, a master’s degree in financial crimes management from Utica College, and a master’s degree in military and strategic leadership from Air University.
11:00 - 11:50 a.m.
Penetration Testing For NOT Dummies
Alex Holden, Hold Security, LLC
Penetration, or “pen,” testing is a vital part of a company's cybersecurity defense strategy. Pen testing efforts need to catch 100% of vulnerabilities, but cybercriminals need to find just one way to breach your systems. How do you make sure that your pen testing methodologies are correct? In my presentation, I'll take a deep dive into the complexities of pen testing and discuss tools, techniques, limitations, scope, and understanding what to test. We are not dummies, and our pen tests need to be done with intelligence and skill to assess the true scope of system readiness and to remediate the findings.
2024 is the Year of Compliance – Are You Ready?
Mike Semel, Semel Consulting
Rose Ketchum, Semel Consulting
We have never seen a year with so many new and changed regulations. The alphabet soup includes NIST, HIPAA, CMMC, NY DFS, PCI DSS, FTC Safeguards Rule, GLBA, and more. Non-regulatory compliance is growing, with more contractual and insurance cybersecurity requirements than ever, and they all stack up and must be dealt with at once. Certified compliance expert and thought leader Mike Semel will explain what has changed and how to be ready for more changes by implementing a simple system that covers multiple compliance requirements at once.
Healthcare Data Sharing Hurdles: How to Identify, Understand, and Overcome Them
Michele Warner, NYSTEC
Jeffrey Wilson, NYSTEC
As privacy professionals, we see firsthand how rapidly privacy is changing in today's world, or rather, we see how rapidly today’s world is changing the very idea of privacy. In health care, HIPAA tends to be the pole star around which all else revolves. However, there is so much more to data sharing in health care than just HIPAA, which is just one hurdle to overcome when considering security and privacy requirements related to data sharing. There are many factors organizations must consider before sharing health information with another entity, including: Which international, federal, and state laws/regulations apply? Should your organization consider creating standardized Limited Data Set files to reduce the administrative overhead of continually creating curated data sets? Are sensitive data sets involved, such as HIV/AIDS, SUD, reproductive health, or mental health data? What data sharing agreements will be needed or cover the data? What other restrictions might apply? This presentation will walk the attendee through what to consider when sharing health information with an external party.
Navigating the Cybersecurity Landscape: A Guide to Defending Against Evolving Threats, Securing Board Buy-In, and the Critical Role of Cyber Insurance
Robin Purnell, Trend Micro Inc.
During this session, we'll delve into the current threat landscape, exploring the challenges it presents and projecting what lies ahead. We'll examine the essential components for recognizing and mitigating risks, emphasizing the need for organizations to embrace a more adaptable strategy in response to the intricate nature of modern threats, exemplified by the zero-trust framework. Furthermore, we'll connect these discussions to the realm of cyber insurance, outlining best practices for organizations to enhance their insurability and trust in claim settlements.
Securing a World Without Boundaries Through HR Transformations
Walt Sokoll, Deloitte Consulting LLP
Jennifer Lauer, Deloitte Consulting LLP
Sameek Pathak, Deloitte Consulting LLP
In an increasingly boundaryless world with remote and hybrid work, a surge in AI reinventing how work gets done, and the acceleration of digital solutions defining the next generation of workers, the speed and scale of change are truly revolutionary. From combating cyber threats across IT/OT environments, to managing third-party data transfers, to increased usage of mobile solutions, to guarding against ransomware, this presentation will help NY agencies engage in a future-focused cyber strategy. Attendees will learn leading practices for approaching transformational technology changes in the face of increasingly challenging cybersecurity threats, and how to maximize the success of your investments by shifting your organizational culture and breaking down silos among HR, IT, and your workforce. Recognizing the challenges organizations face, from payroll disruptions to investing in ERP systems to the rapid pace of change with AI, we focus on real-life scenarios and practical recommendations from our experience with government agencies and the private sector. The goal is to safeguard your organization and future-proof operations, minimizing cybersecurity threats as you modernize your technology and invest in the future of NY and your workforce.
ASIA: Cybersecurity Risk
Paper: Cloud Access Security Broker: Security and Resilience Risk Evaluation
Paper: Endpoint Controls through a lens of PCI DSS
Paper: Enhancing Enterprise Third Party Cyber Security Risk Posture
12:50 - 1:40 p.m.
How to Recover Active Directory When Every Second Counts
Sean Deuby, Semperis
Microsoft Active Directory (AD) is a key target for cyberattackers. When AD goes down, so do your operations. Yet most organizations lack an AD-specific recovery plan or rely on manual recovery, which can take days if not weeks. Auditing your AD security stance and maintaining a solid incident response plan are vital protective steps, but AD recovery should also be a priority of any identity threat detection and response (ITDR) strategy. Join Sean Deuby, Semperis’ Principal Technologist, to discover how threat actors breach hybrid AD environments, how you can reduce the risk, and why hybrid AD recovery planning is vital to operational resilience. You’ll learn how to detect vulnerabilities in hybrid AD environments; how to reduce the risk of a breach that targets AD; how to ensure a fast, clean AD forest recovery post-attack; and points to consider when developing an AD incident response or recovery plan.
Regulatory Risk in Data Protection: Making the Most of Your Data Protection Compliance Efforts
Michael Melore, IBM
Sean Kelly, Highmark Health
Randy Rose, Center for Internet Security
It's tough being a security professional. Your adversaries are highly motivated and well funded, your users are your greatest risk, and regulators regularly move the goalposts, or go so far as to change the playing field entirely, when writing the rules on how you must protect your data and your systems. The key to mastering the complexity of data protection regulation is learning to think like a regulator. This involves focusing on the issues that regulators care about, and being aware of the pitfalls of regulatory sprawl. By grasping the key issues that matter to regulators, you can streamline your organization's compliance efforts, and create a defensible and robust approach to data protection.
Practical and Policy Implications of New Cyber Incident Reporting Rules
Robert Mayer, US Telecom
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. In April 2024, CISA released a Notice of Proposed Rulemaking seeking comment on the proposed rule. In this session, we will explore CIRCIA's requirements and the practical and policy considerations related to its implementation.
Embracing the Tech Frontier for Public Sector Innovation
Jason Trunk, Island
Emerging technologies like artificial intelligence (AI), machine learning, and IoT are reshaping how government operates, enhancing efficiency, and enabling new ways to connect with residents. How can the public sector lead the use of these cutting-edge tools to drive innovation? This session delves into the technological frontier, uncovering methods to bolster productivity, foster creativity, and offer a visionary roadmap to leading the future of government technology.
Security Modernization – The Future of Hybrid Work
Aundre Dudley, CDWG
During this session, Aundre will discuss how SASE will enable the future of work to protect users and devices no matter where they are located. After the session, attendees should walk away with a solid understanding of the role SASE will play in the future of work, and how organizations can begin to take steps to futureproof their network security environments.
ASIA: Identity Management
Paper: Self-Sovereign Identity in Health Care Systems on Metaverse Platform
Paper: Classic Bluetooth Security Vulnerabilities and Exploitation
2:10 - 3:00 p.m.
Modern ColdFusion Exploitation and Attack Surface Reduction
Brian Reilly
Yes, an Adobe ColdFusion talk in 2024. It’s been a busy year-and-a-half for ColdFusion security, from new 0-day vulnerabilities discovered in the wild to ancient vulnerabilities being part of ransomware playbooks. Even if you haven’t embraced modern CFML, ColdFusion remains a common legacy application platform in organizations of all sizes and verticals. In this talk we’ll review some vulnerabilities, map out the attack surface of modern ColdFusion environments, and look at some approaches for attack surface reduction: part offense and part defense, with the end goal of improving protection against known and unknown vulnerabilities. Whether you consider ColdFusion to be a modern JVM scripting language or legacy application tech debt (or an easy pentest win), this talk is for you, and if you think you’re too cool for ColdFusion, just squint and pretend it’s a Java talk.
Governing AI: Operationalizing the NIST AI Risk Management Framework
F. Paul Greene, Harter Secrest & Emery LLP
AI hype surrounds us, and many organizations are following a “FOMO” approach when it comes to implementing AI, letting fear of missing out drive their investment and deployment decisions. The rules of the AI road are in flux, with regulators struggling to keep pace. Yet without firm guidelines, the risk of AI proliferates, be it through sharing protected data with public AI platforms, unchecked bias, or the explosion of shadow AI within an organization. This presentation will explore the structure and process of the NIST AI Risk Management Framework and provide key insights on how to efficiently operationalize the RMF in your organization. Participants will leave with a better understanding of how the NIST AI RMF works, how to tailor it to their organization, and how to marry a NIST AI RMF approach with existing data protection approaches.
Using AI to Protect Data and Fight Fraud in State and Local Government Programs
Jeffrey Baez, Splunk
State and local government programs face significant challenges in protecting data and combating fraud. Most instances of fraud come from nation-states and organized crime rings. These crime actors are particularly dangerous because they spend significant time cultivating the best ways to commit fraud against our government and educational institutions at scale, often committing hundreds or even thousands of fraudulent claims or transactions at a time. Advanced AI capabilities, like those used in data analytics platforms, play a crucial role in addressing these issues effectively. By leveraging sophisticated algorithms and machine learning techniques, organizations can detect anomalous patterns indicative of fraudulent activities, thus safeguarding sensitive information and resources. These systems can monitor vast amounts of data generated by state government programs in real time, enabling rapid detection and response to suspicious activities. By correlating disparate data sources, it is possible to uncover hidden connections and identify potentially fraudulent behaviors that may evade traditional detection methods. Additionally, they facilitate proactive measures by providing insights into emerging fraud trends, allowing state and local agencies to implement pre-emptive strategies. Advanced analytics tools also empower state governments to enhance compliance efforts by identifying discrepancies and enforcing regulatory requirements. By analyzing historical data, these platforms can uncover past instances of fraud, helping authorities refine prevention strategies and strengthen regulatory frameworks. This presentation will focus on seven key value areas of using AI to provide comprehensive cybersecurity and prevent fraud: anomaly detection, predictive analytics, behavioral analysis, temporal and spatial analysis, real-time monitoring, data encryption and access control, and fraud detection models.
Automation to Help Organizations with Security
Sebastian Dunne, Red Hat
Security is a leading issue for most organizations. One study estimates 30% of organizations will experience a cyberattack within the next 2 years. Along with the fact that the average cost of a data breach in 2019 was $3.92 million, it's clear that IT security should be a top concern for any organization. Unfortunately, most organizations use manual processes for security operations, leaving themselves prone to error and slow to respond. Using an Automation Platform can help organizations boost efficiency and speed, increase security at scale, and reduce the risk and costs of breaches. Our presentation will help you better understand what security automation is, what organizations typically automate, and how organizations typically start out.
Cybersecurity and Resilience in the Digital Era
Dr. Dave Huff, Western Governors University
Rachael Killian, Western Governors University
Rashaan Green, Google
Our panel, moderated by Dave Huff, Associate Dean at Western Governors University, will facilitate an interactive discussion with Rashaan Green, Security Program Manager, Google, and Rachael Killian, Senior Lead Credential Integrity Strategist at Western Governors University, to provide an inside look at how influential organizations are supporting their workforce and preparing their teams and business for the future.
This session will focus on cybersecurity and resilience planning, aligning with New York State’s homeland security goals of enhancing statewide cybersecurity and becoming more resilient against future events. This panel will provide actionable strategies that attendees can immediately implement to prepare their workforce and business. We will address the impact of enhancing statewide cybersecurity through outreach and education, as well as bolstering resilience against future events.
Gain insights into the practical applications of machine learning (ML) and generative AI in cybersecurity. Understand the evolving threat landscape and effective strategies to counter sophisticated cyberthreats. Learn about collaborative approaches and partnership models for enhancing statewide cybersecurity. Acquire practical insights into resilience planning and mitigation initiatives for ensuring business continuity.
ASIA: Security Management
Paper: A Fragility Metric for Software Diversity
Paper: BLE Device Fingerprinting: A solution for MAC address randomization
3:30 - 4:20 p.m.
An Intelligence-Powered Approach to Threat Intelligence Investigations
Dave Ahn, Centripetal
Intelligence-powered cybersecurity aims to change the siloed nature of threat intelligence. By aggregating and contextualizing threats, comprehensive intelligence becomes easily accessible. This approach turns the vast amount of available information to our advantage. Once this intelligence is available, the focus shifts to maximizing impact. By automating and analyzing this data, we can enhance efficiency, productivity, and impact. The key lies in transforming this intelligence into tangible value, thereby unlocking its potential. This advanced threat intelligence data can offer unique insights into global cybercrime campaigns, giving us a crucial advantage in defending against them. In this talk, intelligence data from over 300 sources will be dissected to reveal statistics and insights that hint at measuring effectiveness in stopping and preventing attacks at the source. It will aim to make sense of, and draw conclusions from, this vast set of intelligence by breaking down the associated indicators of compromise within, including volume, quality, rate of change, actionability, threat context, overlaps, and timeliness. The audience will learn how security teams trace the process by which threat intelligence indicators disseminate across the provider ecosystem, with examples from CVE disclosures in 2023, revealing a shocking average delay of 15-30 days from initial disclosure to majority coverage. These insights will help the audience assess the effectiveness of their intelligence programs compared to the full spectrum of intelligence data, and how promptly they are utilizing this intelligence.
Mitigating Cloud Security Challenges for Government Agencies
Richard Baker, Arctiq (formerly DynTek Services, Inc.)
Government agencies face the challenge of protecting sensitive data, meeting strict regulations, and countering cyberthreats in cloud environments. Compliance with standards like GDPR, HIPAA, and FedRAMP is particularly demanding when managing large volumes of citizen data. Moreover, addressing vendor risks, securing access controls, and integrating legacy systems add layers of complexity to cloud security efforts. In this presentation, we will discuss strategies to continuously assess and monitor cloud infrastructures to detect misconfigurations and security vulnerabilities, bolstering security posture and compliance; defend cloud workloads against threats with real-time detection and vulnerability management, ensuring integrity and resilience; secure modern cloud-native architectures, safeguarding applications against cyber threats; and centralize user access control across multi-cloud environments, reducing the risk of unauthorized access and data breaches.
Shadow AI: Reducing Risk while Driving Innovation (Implementing Controls for the Use of Artificial Intelligence in Government)
Scottie Ray, Cloudflare
Generative AI can be a catalyst for solving large complex social problems. As with any emerging technology, public sector organizations are grappling with how to harness those benefits while protecting the citizens they serve. In the face of growing legislation around the development, use and consumption of AI technologies, government entities need to understand how these technologies potentially expose risk to the agency and their constituency. For example, public government websites are the target of new AI crawler bots scraping data to use in the training of public Large Language Models (LLMs). Employees are using public AI platforms for everything from research, application development and even content authoring. The potential exposure of internal agency and citizen data to these public insecure training data sets raises risk in the face of emerging laws and regulation. This growing “Shadow AI” needs to be addressed with a comprehensive approach to governance and control to allow governments to use AI responsibly and securely. Come join this session to hear about what risks are associated with Shadow AI, thoughts on mitigation strategies, and some of the relevant controls needed to address the threat and allow for the safe consumption of AI as an innovation accelerator.
Securing Applications and APIs for the Distributed Edge
Nilesh Mistry, F5
Modern applications are distributed across multiple environments, from on-premises datacenters, private clouds, and public clouds to edge locations. Securing them and maintaining a consistent security posture is challenging. Modern applications use APIs extensively, and APIs have increasingly become the new attack surface for bad actors. This session will help you solve the challenges of maintaining a strong security posture for all your applications and APIs, no matter where they live, using a SaaS platform.
Using Generative AI to Enhance Cybersecurity Awareness Training Capabilities
Brian Callahan, Rensselaer Polytechnic Institute
Shoshana Sugerman, Rensselaer Polytechnic Institute
Developing, administering, and improving cybersecurity awareness training is a crucial job aspect of many cybersecurity professionals in organizations large and small. As organizations combat an ever-growing list of threats and increase diversity among their workforce, ensuring that such trainings are constantly updated and tailored to be maximally effective for our organizations is a must. New tools such as generative AI might be considered to quickly develop and adapt existing cybersecurity awareness training; however, little work has been done to ensure that the use of generative AI is free of bias and delivers maximum effectiveness and comprehensiveness of the training. In this talk, we will present a portion of our ongoing research into the use of generative AI to create, refine, and iterate on the cybersecurity awareness training program at an R1 university. We will present a pair of experiments, undertaken over the past year, in which we sought to understand both the technical and ethical benefits and limitations of generative AI when applied to the domain of security awareness training. We will discuss our research findings, highlight unexpected wins and pitfalls, provide actionable solutions, and teach immediately usable skills for how to best use generative AI for cybersecurity awareness training and all human-facing cybersecurity policies and procedures. Whether you are a CISO, practitioner, or everyday person, the skills and solutions in this presentation will enhance your security readiness and impart new techniques to improve your organization’s ability to enhance this critical aspect of overall security posture.
ASIA: Security and Privacy in Healthcare
Invited Talk: Higher Education’s Role in Promoting Cybersecurity in the Field and an Experienced Workforce in NYS (Panel)