RSAC USA 2017 You Can’t Take It With You! Discussion Framework

During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)

The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.

This blog post on the topic of my Peer-to-Peer session presents the discussion framework I used in the session. It includes topics for consideration, including some that we did not have the opportunity to talk about in the session.

Context for discussion
  • “Off-boarding” processes involve both People and Technology
  • Departure types – People
    • Human, emotional, belonging/identity aspects
    • Employees
    • Contractors
    • Interns
    • Guest workers
    • Visitors
  • Departure types – Process
    • Individual
      • Resignations (voluntary)
      • Terminations
      • Contractual
      • Internship
      • Visits
    • Group
      • Reorganizations
      • Spin-offs
      • Outsourcing
      • Organizational sales
      • Contractual
  • Team – cross-functional
    • Planning
      • HR, Legal, Risk Management, IT, Payroll, Facilities, Physical Security
    • Process execution
      • HR, Legal, IT, Payroll, Facilities, Physical Security
  • Policy & Process design
    • Some call this “Off-boarding”
    • Processes different for different departure types
    • Policy framework, authoring, update
    • Process definition: A process that links HR, IT and other groups, to ensure personnel access to information systems, networks, applications and physical locations is disabled.
    • “Checklist” approach for consistency and completeness
  • Training, Operations & Audit
    • Tabletop exercises
    • Controls monitoring
    • “Residual” access
    • Incident response

Risks for consideration (particular to this issue)
  • Company information on personally owned computing devices and computing services
    • Forcing use of company-owned devices
    • Forcing management of personally owned computing devices
    • Restricting through policy company information uploaded to computing services
  • Departure of people in special roles, such as sys admin, manager, security, audit
  • Shared accounts (yes, they shouldn’t exist, but they may)
  • Reluctant departures
  • Contacts back to the business
  • Special relationships with vendors and / or customers
  • Social media monitoring
  • Transition periods
    • End-of-day, end-of-contract, wind-down, guesting
  • Controversial: Moral and psychological balancing
  • Model for addressing risk and mitigation

Issues for consideration
  • Events vs. transitions
    • Immediate departure events with no access
    • Transition phases with access limitations
  • Complete knowledge of every department impacted by departure
    • Different for different companies, divisions and job descriptions
    • Address really custom stuff, like special privileges, access and assets
  • What has the departing person got? (asset inventory & retention)
    • Internal network access
    • Remote access
    • Systems access
    • Internal application access
    • External application access
    • Social media access
      • Intentional upload
      • Unintentional upload
    • Computing assets
      • Laptops
      • Smart phones
      • Portable disks (data and backup)
      • Memory sticks
      • Other storage devices
    • ID badges
    • Credit cards
    • Authentication token devices
    • Company applications and data on personal devices
    • License recovery
    • Any and all other company-owned property
  • Exit interview
  • Archiving & information stewardship
    • Assignment & responsibilities of new ownership
    • Do not delete accounts, but make them inactive, with new ownership
    • Attribution risk?
    • Records review and assimilation
    • Scheduled destruction
  • Legal requirements
    • Intellectual property ownership and monitoring
    • Personal property ownership
    • e-discovery mitigations and restrictions
  • Other
    • Impulse to take
    • Prediction: HR -> legal -> IT (behavioral analytics)
    • Most property is taken within 90 days of departure
    • 50% admitted to taking property after departure
    • Most digital assets are taken via email, cloud, memory stick
    • Target critical roles for monitoring

Please contact me with any additions, ideas or questions on this material. I will update these framework notes with the feedback I receive.


RSAC USA 2017 You Can’t Take It With You! Discussion Notes

During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)

The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.

The session was almost completely full, and almost everyone contributed to the conversation. A variety of points of interest were made, coming from different backgrounds and issues, with talk flowing around the room. This is the direct connection opportunity that Peer-to-Peer sessions give within the larger conference, attended by more than 40,000 people.

Shortly after the session concluded I wrote out notes capturing what I remembered of the conversation, which I share here.

  • Defense contractor needs to track much more closely activity during employment, and before and after termination; looking to fold in social media activity
  • Onyx software to track activity
  • DLP is used to track activity, but the package used was biased toward Windows, which was a problem in a mixed platform environment
  • Network segmentation for departures
  • Most concerning activity happens just before, and within 30 days after termination
  • HR is often involved, but not prepared for IT-oriented issues
  • Large group changes, in the specific case a merger, overwhelmed HR and IT processes
  • Particular roles cause concern; specific case cited was sales people leaving with customer lists
  • People issues and technology issues
  • Identifying residual data can be particularly difficult for people who have had different roles through the years; existing processes focus on cleanup of the current (last) job, but have difficulty moving back through the previous roles
  • Risk incurred by transition periods, where some access is provided after termination or departure announcement
  • Concern about resignations, where the organization has no control visibility until the departure is announced by the person
  • Contractors are not trained to the level of employees, leading to risk
  • Issues with company data on personal devices; what access, impose agent control, how to reclaim or remove data upon departure
  • Issues balancing privacy with monitoring, particularly in countries with differing privacy requirements
  • Who is the driver of departure processes? It varies. Sometimes HR, sometimes Legal, never IT Sec. Driver gives momentum which supports funding and teaming

Please contact me with any additions, clarifications or questions. I will update the notes with the feedback I receive.

RSA Conference USA 2017

The RSA USA Conference for 2017, in San Francisco, took place last week. Each year my experience is similar: the time is so compressed, the experience is intense, I meet great new people, and I always learn something new.

Below I have copied my agenda for the week, so you know what sessions I attended. Please contact me if you have any comments or questions about these sessions.

Mon 2/13  ——
10a – 12p  SEM-M05
How-to-Series: Year One Innovators and Entrepreneurs, David Blumberg, Michael DeCesare, Theresa Gouw, Patrick Heir, Steve Hero, Jay Leek, Troels Oerting, Ted Schlein, Cat Zakrzewski

1p – 4:30p  ISB-M01
Innovation Sandbox: Top 10 most innovative startups

Tue 2/14  ——
8a – 10:30a  Keynotes
* Planning for Chaos, Zulfikar Ramzan, CTO, RSA
* Brad Smith, President, Microsoft
* Sweating the Small Stuff on a Global Scale, Andrew Young, SVP/GM, Intel Security
* The Cryptographers’ Panel (Paul Kocher, Whitfield Diffie, Susan Landau, Ronald Rivest, Adi Shamir)

1:15p – 2p  EXP-T09
Regulating the Internet of Things, Bruce Schneier

2:30p – 3:15p  EXP-T10
Ted Schlein and Michèle Flournoy on the Future of Security and Defense

3:45p – 4:30p  HTA-T11R
Meet and Greet with the macOS Malware Class of 2016, Patrick Wardle, Synack

Wed 2/15  ——
8a – 8:45a  PNG-W02
Beyond Stuxnet: State of the Art in Cyberwarfare and Weapons, Kim Zetter, Gary Brown, Oren Falkowitz, Roy Katmar

9:15a – 10a  EXP-W03
Hacking Exposed: Real-World Tradecraft of Bears, Pandas and Kittens, Dmitri Alperovitch, George Kurtz, CrowdStrike

10:30a – 12p  Keynotes
* The Seven Most Dangerous New Attack Techniques, and What’s Coming Next, Alan Paller, Michael Assante, Ed Skoudis, Johannes Ullrich, SANS

1:30p – 2:15p  PRV-W10
Resurrecting Privacy in the Cloud: A Privacy Engineering Implementation, Michelle Dennedy, Alissa Cooper, Michele Guel, Harvey Jang, Cisco

2:45p – 3:30p  GRC-W11
Crown Jewels Risk Assessment: Cost-Effective Risk Identification, Doug Landoll, Lantego

4p – 5:00p  Keynotes
* Radical Innovation: Revolutionizing the Future of Cybersecurity, Hugh Thompson
* The Great A.I. Awakening: A Conversation with Eric Schmidt, Google

Thu 2/16 ——
7a – 7:45a  BOF2-R01C
Birds of A Feather: Multifactor Authentication Redefined, Wendy Nather, Duo Security

8a – 8:45a  AIR-R02F
One-Hit Wonders: Dealing with Millions of Anomalies, Chris Larsen, Symantec

8:45a – 9:15a  SBX2-R1
Ransomware, Drones, Smart TVs, Bots: Protecting Consumers in the Age of IoT, Terrell McSweeny and Aaron Alva, Federal Trade Commission

9:15a – 10a  FON1-R03
Focus-on session: One-Hit Wonders, Chris Larsen, Symantec

10:30a – 11:40a  Keynotes
* Topics of Leadership and Teamwork with Dame Stella Rimington, MI5

1:30p – 2:15p  PDAC-R10F
How to Delete Data for Realz: This Presentation Will Self-Destruct In…, Davi Ottenheimer and Ian Smith

2:45p – 3:30p  FON3-R11
Focus-on session: How to Delete Data for Realz, Davi Ottenheimer and Ian Smith

4p – 4:45p  P2P2-R11
You Can’t Take It With You! How to Manage Security When Personnel Depart, Kenneth Morrison, Morrison Consulting

Fri 2/17 ——
9a – 9:45a  EXP-F01
The Future: Revealed, Ben Jun and Hugh Thompson

10:15a – 11a  MBS-F02
IoT End of Days, Chris Henderson, IBM

11:30a – 12:15p  CXO-F03
Corporate Security: Where the Physical and Digital Worlds Collide, Shawn Henry, CrowdStrike

RSAC USA 2016 Departing Personnel: Discussion Framework

The RSA USA Conference for 2016, set in San Francisco, starts in just a few days. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post discussed a set of risks to consider when managing security for departed personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

This last blog post on the topic of my Peer-to-Peer session presents the discussion framework I will use in the session, and includes some open questions on risk and mitigation that I hope the group will consider. Check back, as I may add content to this discussion framework during the week.

Context

  • Types of people
  • Types of people departures
  • Types of group departures
  • Departure timing

Threat model

  • Systems and application access we don’t know about
  • Shared accounts we don’t know about
  • Departures of personnel with privileged access (SA, DBA, NA)
  • Reluctant departures
  • Cultural differences
  • Inappropriate contacts back to the organization
  • Social media disclosures, intentional and inadvertent
  • Partner and customer disclosures
  • Information assets they have and where they’ve stored it
  • Storage on personally-owned devices
  • Legal or privacy violation from intrusive survey
  • Leakage during transition periods
  • Unclear responsibility for information assets reclaimed
  • Reclaimed assets destroyed too soon, or kept too long (legal risk)

Controls

  • Appropriate design decision team, linking HR, IT, ITSec, Risk Mgmt, Payroll, Facilities, PhysicalSec
  • Foundational policy, communicated and tested
  • Set the stage for departure with good processes and controls during employment
  • Defined process threads tailored to the departure context, with tested control points
  • Appropriate operations team
  • Risk avoidance, transference, acceptance
  • Checklist(s)
  • Evergreen: regular process renewal, regular training
  • Internal and external audits, with accountability and deadlined remediation
  • Management of personally-owned devices??
  • Remanent steward (manager?) controls inactive reclaimed assets

Questions

  • Monitoring after departure; risk, resources, harassment?
  • Inspection of personally-owned devices and personally-owned external accounts?
  • Timing of the end of access?
  • Conflicts between the design and operations teams?
  • Who should own the information left behind?

These Peer-to-Peer sessions provide the opportunity for an open, intimate discussion owned by the participants where the details of the discussion stay in the room. I hope this framework, and the questions I pose, spark insights and actionable ideas that can be implemented upon return.

RSAC USA 2016 Departing Personnel: Security Risks

The RSA USA Conference for 2016, set in San Francisco, starts in just a few days. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post explored in depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures; reviewing specifics of the organization within which the personnel worked; the importance of inventorying impacted information assets; specific issues from the use of social media; exit interviews; information archiving and stewardship; and legal considerations. Today’s post turns to exploring risks around managing security for departing personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

Managing company information on personally-owned computing devices, laptops, smart phones, and computing services is a challenge even for those not departing the organization, but an even greater challenge for departing personnel. The foundation for managing this risk is set by policy. Each organization should decide how much control to exert. Most organizations restrict the use of company information on personally-owned devices and services, while others require the use of company-owned and provisioned devices and software, including company management, through software, of devices. Compliance with regulatory requirements influences this decision. Once determined, the organization sets down their requirements in a clear statement of policy, ensures all personnel covered by the policy understand it, and monitors for compliance. For the policy to be respected there need to be enforcement actions for violations.

Open question: is there any good way to monitor for company information on personally-owned computing devices and computing services after departure?

People in customer contact roles, such as sales, sales support, marketing, and service, are successful because they build relationships with customers. People in purchasing and supply roles also often work to build relationships with suppliers, to secure better terms and to build trust and reliability. A similar risk comes from those individuals with significant contact back to the organization following departure. These relationships can present a risk after departure if they are abused against the organization’s interest. This is true generally, but can also involve inappropriate disclosure of company information. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements.

People in roles with special privileges in the use of information assets, such as system administrators, database administrators, network engineers, IT security, audit, and managers in special roles, also can present risks leading up to and after departure. But these roles present risk at work, before departure, so it is essential that controls already exist, anchored by policy, to minimize risk of abuse of these special privileges. These controls typically include use of authentication tokens for access, logging of all access and activities, manager confirmation for special actions, and immediate suspension of privileges upon notice of departure.

Shared accounts are always a risk, as they provide no attribution of activity to one individual. They shouldn’t exist, but often they do, ironically often as system accounts used by system and database administrators and network engineers, accounts with special, powerful privileges. These accounts can be particularly risky after departure, providing privileged access to systems even after the normal accounts of a departing person are locked or terminated. Shared accounts must be prohibited by policy, configurations must be designed and implemented so that direct use of system accounts is unnecessary, and direct use of system accounts must be monitored and audited on an ongoing basis.

Reluctant departures can involve significant risk. These are individuals who are not departing voluntarily, who may be angry, hostile, aggressive, and looking for retribution or revenge. One outlet for their retribution is inflicting damage on information assets. Here there is a challenging balance between watchful awareness and professional respect. The accounts of individuals departing involuntarily should be immediately locked or terminated upon notice of termination.

Another challenging situation is those departures that move through a transition period before leaving. The period can be as short as the end of the business day of notice, or the wrap-up of a contract, or, in the case of senior management, may be as long as a few months. Immediate yet phased restriction of privileges, rather than immediate account locking, is one strategy for enabling a productive, respectful termination period while minimizing risk. But special privilege account access should be terminated immediately upon notice.
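As an added example that is not from the post, the controls in the last three paragraphs, together with the “residual access” and custodian points from the framework above, in a small Python model of the off-boarding checklist: special privileges and shared accounts are dealt with on notice, standard access in a transition departure lasts until the last day, involuntary departures are treated as events, personal accounts are made inactive under a custodian rather than deleted, and an access export is checked for residual access, including grants left over from earlier roles. The person, systems, dates and export below are constructed for illustration.

```python
# Constructed example (not from the post): off-boarding action plan and
# residual-access check over a made-up departure record and access export.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entitlement:
    system: str
    level: str               # "user" or "privileged"
    granted_under_role: str  # roles change over the years; earlier grants linger
    shared: bool = False     # a shared/system account rather than a personal one


@dataclass
class Departure:
    person: str
    notice_date: date
    last_day: date           # same as notice_date for an "event" departure
    voluntary: bool
    custodian: str           # takes ownership of the information left behind
    entitlements: List[Entitlement]


def is_event(d: Departure) -> bool:
    """Involuntary and same-day departures get no transition period."""
    return (not d.voluntary) or d.last_day <= d.notice_date


def effective_date(d: Departure, e: Entitlement) -> date:
    """Date by which this entitlement must be gone: special privileges and
    shared accounts on notice, standard access at the end of a transition."""
    if e.shared or e.level == "privileged" or is_event(d):
        return d.notice_date
    return d.last_day


def plan_actions(d: Departure) -> List[Tuple[str, str, date]]:
    """Checklist entries (system, action, due date), soonest first. Personal
    accounts are inactivated under the custodian, not deleted, so attribution
    survives; shared accounts get their secret rotated and their use reviewed."""
    actions = []
    for e in d.entitlements:
        if e.shared:
            action = "rotate-shared-secret-and-review-use"
        else:
            action = "inactivate-and-assign-custodian:" + d.custodian
        actions.append((e.system, action, effective_date(d, e)))
    return sorted(actions, key=lambda a: (a[2], a[0]))


def residual_access(d: Departure, still_active: Dict[str, List[str]],
                    today: date) -> List[Entitlement]:
    """Entitlements past their due date that an access export still shows.
    `still_active` maps system -> people who can still log in (in practice,
    each system's own export). Grants from earlier roles are checked too,
    since clean-up usually covers only the last job."""
    leftovers = []
    for e in d.entitlements:
        if e.shared:
            continue  # not per-person; covered by the rotation step instead
        if effective_date(d, e) <= today and d.person in still_active.get(e.system, []):
            leftovers.append(e)
    return leftovers


# Constructed sample: a salesperson who was a DBA years ago resigns with a
# two-week transition period.
SAMPLE = Departure(
    person="jdoe",
    notice_date=date(2017, 2, 16),
    last_day=date(2017, 3, 2),
    voluntary=True,
    custodian="mgr-sales",
    entitlements=[
        Entitlement("crm", "user", "sales"),
        Entitlement("vpn", "user", "sales"),
        Entitlement("db-prod", "privileged", "dba"),   # left over from the old role
        Entitlement("db-svc-account", "privileged", "dba", shared=True),
    ],
)

# Constructed access export taken the day after notice: the old DBA grant is
# still live, which the residual-access check flags.
EXPORT_DAY_AFTER_NOTICE = {
    "crm": ["jdoe", "asmith"],
    "vpn": ["jdoe"],
    "db-prod": ["jdoe", "ops1"],
}

if __name__ == "__main__":
    for system, action, due in plan_actions(SAMPLE):
        print(f"{due}  {system:15} {action}")
    for e in residual_access(SAMPLE, EXPORT_DAY_AFTER_NOTICE, date(2017, 2, 17)):
        print(f"RESIDUAL: {e.system} (granted under role {e.granted_under_role})")
```

Feeding the same checker with each day’s export after the last day turns the checklist into the “controls monitoring” step the framework lists.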

As noted in a previous blog post, accounts on social media are a particular challenge. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements. Yet monitoring can be really difficult, time-consuming, and at risk of raising issues of privacy.

Open question: Is there any good way to monitor for company information on personally-owned social media accounts?

My last blog post on the topic of my Peer-to-Peer session will outline the discussion framework I will use in the session, and include some open questions on risk and mitigation that I hope the group will consider. But the wonderful nature of these Peer-to-Peer sessions is that the discussion is owned by the participants, not by me in the role of facilitator. I expect a lively conversation!

RSAC USA 2016 Departing Personnel: Security Issues, Part 2

The RSA USA Conference for 2016, set in San Francisco, starts next week. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post explored in more depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures, reviewing specifics of the organization within which the personnel worked, the importance of inventorying impacted information assets, and specific issues from the use of social media. Today’s post continues this theme of exploring issues.

Almost all departures involve an exit interview, usually with a member of the Human Resources (HR) team. While it is rare that IT or IT Security are present at the interview, it is essential that we contribute to the content of the interview. IT-specific content would include a review and confirmation of the information assets, including accounts, internal and external, and recovery of equipment. It would also include mention of specific policy points where legal responsibility extends beyond the date of departure.

Almost all departures involve a “residue” of information, created by or used by the departed person. This information is retained in the internal and external accounts, both application and system accounts, and on the equipment. Good security practice requires an identifiable owner for all information. Following the departure, ownership of this information must be transferred to a “custodian”, perhaps the direct manager but perhaps someone in a custodian role. By policy it is clearly understood and communicated that the custodian is not liable or responsible for the created information itself (attribution), but only for safeguarding and managing it.

Next is to address the question: what to do with the information left behind?

Depending upon the role of the departed person, there might be some process for review of the created information, before transfer to a replacement person, or archiving, or deletion. Off-boarding process design should account for this review, for critical roles.

In the case of transfer to a replacement person, that new individual likely will be integrating the acquired information with their own, making attribution challenging. The best and easiest solution for this is to retain an intact, digitally signed copy that would be used if any question arises later.

Most organizations have a policy for information retention and destruction, balancing the concerns for storage burden, possible future use, and legal risk of unnecessary retention. Archived information from departed personnel should follow this process. Perhaps review this retention and destruction process to be sure it accommodates this category of archive.

There are legal issues involving IT and IT Security for departed personnel. Already mentioned is the requirement to reduce the legal risk of unnecessary retention. The counterpoint to this is policy and process in place to safeguard information that falls under the category of required e-discovery, and this information may be from departed personnel. There is also the need for policy and process to set the boundaries and clear demarcation between organization-owned and personally-owned assets, including computing equipment and intellectual property, and how these assets are to be used in conducting the business of the organization.

My next blog will turn to a set of risks to consider when managing security for departed personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

RSAC USA 2016 Departing Personnel: Security Issues, Part 1

The RSA USA Conference for 2016, set in San Francisco, is less than a week away. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post outlined a framework for understanding, planning and managing various types of personnel departures. Today’s post, and the next, explore in more depth specific issues to consider when managing security for departing personnel.

Many personnel departures come about after advance notice, providing the benefit of time to plan for these transitions and manage through them. Referring to the framework outlined in the last post, almost all organizational transitions, that impact groups of people, occur with advance notice. Most individual departures also occur with some amount of advance notice. But some departures are immediate, “events” rather than “transitions”. Event departures still require the “off-boarding” team to follow defined processes, but at speed, with the risk of missing an important task. This makes use of a checklist even more important. And unique to event departures, the first task often is to negotiate for more transition time.

The framework for managing security for departing personnel includes establishing a sound process. This process must include steps to develop a full knowledge of the organizational structure and the information resources used that are impacted by the departure. In practice developing this understanding is unique to each organization, division, or department. There are likely to be reporting and teaming relationships, information assets, and system privileges unique to the role of the departing person. To successfully manage security and decrease risk you have to ask good questions, probe and document, then implement your process to control and transition access.

You have to answer the question: what has the departing person got? Answering this leads to the identification of an inventory of information assets and privileges that need to be secured. Among these:

  • Internal network access
  • Remote access to internal networks
  • Access to specific systems
  • Access to internally hosted applications
  • Access to externally hosted applications
  • Accounts on social media on behalf of the organization
  • Computing assets
    • laptops
    • smart phones
    • portable disks (data and backup)
    • memory sticks, and other storage devices
  • ID badges
  • Credit cards
  • Authentication token devices
  • Company applications and data on personally-owned devices
  • Software license recovery
  • Any and all other property owned by the organization

I stress again that a good checklist is essential to manage a good departure.

Accounts on social media are a particular challenge. People often have personal accounts, where exposure of organization information can really only be addressed by policy and monitoring, and monitoring is really difficult, time-consuming, and at risk of raising issues of privacy. For accounts on social media on behalf of the organization, it should be clearly agreed by established policy that upon creation these accounts are owned by and managed on behalf of the organization. If possible there should be an opportunity for the organization to control the account without the aid of the departed person.

My next blog post will continue walking through the various issues faced with managing security for departed personnel, including exit interviews, archiving and information stewardship, and legal requirements.

RSAC USA 2016 Departing Personnel: A Security Framework

The RSA USA Conference for 2016, set in San Francisco, is only a week away. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

This blog post, and others this week, will address this topic in more detail, to provide a preview of some of those issues I hope the group will consider and discuss.

Personnel departures are a daily occurrence for large organizations, and are also not uncommon on a regular basis for small and medium-sized organizations. I use the term “organization” to mean both companies and other types of organizations, such as government and NGOs (Non-Governmental Organizations). These NGOs can be both for-profit and non-profit. In short, all organizations face personnel departures.

Most often we think of those leaving as former employees, but departures of other categories of people can be even more common: contractors hired by the business; interns gaining experience; guest workers who arrived from another company or division; and even visitors who come for a day or a week or longer, who are meeting, inspecting or just visiting.

There are two distinct types of departures: individuals who leave and groups who leave.

Individuals can depart under various circumstances: voluntary resignations; terminations (often involuntary); contractors leaving at the end of their contract; interns leaving at the end of their internships; visitors leaving at the end of their visits.

Group departures include organizational re-organizations; spin-offs of portions of the organization to other organizations; outsourcing of organizational functions; group contractors; and outright sales of the organization or portions of it. Group departures often involve many of the types of individual departures.

Constructing a framework for understanding, planning and management for these various types of personnel departures requires first the gathering of a team of stakeholders all consistently involved with departures. Typical members on this team include representatives from Human Resources, Legal, IT (and IT Security), Payroll, Facilities, and Physical Security.

Next, representatives of this group complete a detailed review of existing policies and processes, sometimes called “off-boarding”, used to conduct these departures. The framework must accommodate differences for the different types of individual and group departures. Policy and process re-design or re-engineering follows. Most organizations use some existing policy and process design methodologies. Supported by policy, a good set of processes links HR, IT and the other stakeholders to ensure personnel access to information systems, networks, applications and physical locations is disabled.

Like other organizational processes, departure processes, anchored by policies, require orientation, training, exercise, controls, controls monitoring, good communications, and incident response. They also require regular, scheduled review and update.

In my next blog post I will discuss specific issues to consider for personnel departures.

RSAC USA 2016 Day 4 – Thursday

The RSA Conference USA for 2016 starts a week from today. This blog post will share with you my schedule for Thursday, my fourth day of the conference. As I did in my last posting, Wednesday’s schedule, my schedule for Thursday is followed by some alternate sessions that are my fall-back choices, all very interesting.

Thursday, March 3, 2016

08:00 a – 08:50 a – Thursday Track Session 1 | West 3008 | HUM-R02
Preventing Cyber-Exposure: You Say Criminal, I Say Intractable
David Porter, Special Advisor, Digital Shadows

Try preventing cyber-exposure and you risk focusing on the wrong areas. Most incidents arise by accident rather than criminality. We must unpick intractable socio-technical systems where incidents spring from nowhere. Understand why things normally succeed, not why they sometimes go wrong. That way we can contain cyber-exposure, identify critical functions and understand what risk really means.

09:10 a – 10:00 a – Thursday Track Session 2 | West 2007 | IDY-R03
Deconstructing Identity in Security [Panel]

Identity experts from Google, Microsoft and Ping Identity will tackle tough questions and offer unique points of view on the role identity plays in security. They will deconstruct what identity means to security by sharing how they are building identity into the most popular cloud services in the world and by showing what can be done to strengthen identity in a borderless world.
Moderator: Ariel Tseitlin, Partner, Scale Venture Partners
Panelists: Andre Durand, CEO, Ping Identity; Eric Sachs, Product Management Director, Identity, Google; Kim Cameron, Chief Identity Architect, Distinguished Engineer, Microsoft

10:20 a – 11:10 a – Thursday Track Session 3 | West 3003 | EXP-R04
Hacking Exposed: The Mac Attack
Dmitri Alperovitch, Co-Founder & CTO, CrowdStrike; George Kurtz, CEO, CrowdStrike

Windows attacks receive all the attention. However, Mac and Linux have gained in popularity with the adversary. This session will focus on common Mac attack vectors and other cross-platform hacks that are typically seen in enterprise intrusions. We will also cover practical counter measures to make these alternate platforms more resilient.

11:30 a – 12:20 p – Thursday Track Session 4 | West 3008 | HUM-R05
Securing the “Weakest Link”
Adam Shostack, CEO and Founder, Stealth Startup

Security professionals often call people “the weakest link.” We claim that they’ll always make mistakes, however hard we try, and throw up our hands. But the simple truth is that we can help people do well at a wide variety of security tasks, and it’s easy to get started. Building on work in usable security and threat modeling, this session will give you actionable, proven ways to secure people.

01:00 p – 01:50 p | South The Viewing Point at Gateway | FRM-R07
Safeguarding the Digital Frontier: Balancing “Security” and “Security”
Michael McCaul, Member of Congress, Chairman, House Committee on Homeland Security, US House of Representatives

Every day, our enemies are trying to wage war against the U.S., but those attacks are no longer confined to the physical battlefield in faraway lands and terrorists are no longer plotting using caves and couriers. How can we promote effective information sharing and ensure that the digital technologies that protect our nation and civil liberties are not exploited by those who seek to do us harm?

02:10 p – 03:00 p | West 2021 | P2P3-R08
P2P: Saying Goodbye: Managing Security for Departing Personnel
Kenneth Morrison, Principal, Morrison Consulting

Personnel departures are a daily occurrence, with resignations, layoffs, terminations, outsourcing, reorganizations and spin-offs. How do you plan for these? Have you removed all access? Who should manage the data left behind? What are the risks and the best frameworks for addressing this risk? In this session participants will discuss best practices for managing the off-boarding process effectively.

03:40 p – 04:00 p | South Live at Esplanade Ballroom | KEY-R13
Keynote: Not Lost in Translation: Building an Architecture to Reshape Cybersecurity
Pat Gelsinger – CEO, VMware

Across the industry, there is pent-up demand for an architecture that can serve as a “Rosetta Stone” or translation layer between apps and data above and the IT infrastructure below. VMware CEO Pat Gelsinger will share a perspective on the opportunity to fundamentally rethink and reshape cybersecurity as we know it—at a time when enterprises and governments alike are aggressively seeking a new approach and a more effective path forward.

04:00 p – 04:40 p | South Live at Esplanade Ballroom | KEY-R14
Keynote: CSI: Cyber Panel: Security Dramas Arrive on the Small Screen [Panel]

The remarkable success of television’s CSI franchise continues with “CSI Cyber”, in which an elite team of FBI Special Agents is tasked with tackling cybercrime across North America. RSAC Curator Sandra Toms will interview “CSI: Cyber” show creator Anthony E. Zuiker, plus two cast members Charley Koontz (Daniel Krumitz) and Shad Moss (Brody Nelson). The panel will discuss how they develop the show’s plot, how they respond to any industry criticism and what they hope to convey to the average viewer who may not be familiar with the nuts and bolts of infosecurity. Don’t miss what will be a fun intersection of security and show business.
Moderator: Sandra Toms, Vice President and Curator, RSA Conference
Panelists: Anthony E. Zuiker, Creator/Executive Producer of the CSI Franchise, Technology Visionary; Charley Koontz, Actor, CSI: Cyber; Shad Moss, Actor, CSI: Cyber

Alternatives:

08:00 a – 08:50 a – Thursday Track Session 1 | West 2007 | IDY-R02
Do Something Smart with All the Smart Things
Andrés Molina-Markham, Dartmouth College; Kevin Bowers, Manager, RSA Labs

Devices are increasingly becoming “smart”—connected and interconnected—but the extent of that intelligence is limited. Using a reinforcement learning approach, this presentation will show how the available information and computation in such devices can be coopted to provide both an increase in security and in usability, adjusting over time to find the optimal balance for each and every user.

08:00 a – 08:50 a – Thursday Track Session 1 | West 3006 | ASD-R02
Understanding HTTP/2
Nathan LaFollette, Trustwave SpiderLabs

A new HTTP protocol standard is here. This session will review the HTTP/2 protocol in depth—the good, the bad and the ugly. HTTP/2 will affect how we test for vulnerabilities and scale our applications.

09:10 a – 10:00 a – Thursday Track Session 2 | West 2004 | CXO-R03F
Managing Complex M&A Security Risks — A Detailed Case Study
Ahmad Mahdi, Director of Information Security & Risk Management, Microsoft

The focus of this talk will be walking through the step-by-step approach one information security organization took to secure a massive acquisition with a global footprint. This acquisition included thousands of new employees and a myriad of technical, geopolitical and financial considerations.

09:10 a – 10:00 a – Thursday Track Session 2 | West 2018 | LAW-R03
Not So Fast… Myths and Misunderstanding Surrounding Reactive Strikes
Gerry Stegmaier, Partner, Goodwin Procter; Shawn Henry, President, CrowdStrike

Is the best defense a good offense in cybersecurity, or is it a digital slippery slope? There are a lot of misconceptions circulating about “hacking back” to gather information about your attackers. Before you venture down that path, hear this presentation as the speakers unravel the truth from the hype and highlight the real implications of active defense.

10:20 a – 11:10 a – Thursday Track Session 3 | West 2009 | MASH-R04
Dissecting Bitcoin Security
Cassio Goldschmidt, Principal Information Security Leader, Cassio Goldschmidt

Bitcoin introduced a new form of organization and consensus. Activities that previously required central authorities can now be decentralized. This has profound implications for security. This presentation will review and dissect some of Bitcoin’s core components and their security controls. The speaker will analyze each control and how they could be used in other domains.

10:20 a – 11:10 a – Thursday Track Session 3 | South The Sandbox-ICS Stage | SBX1-R04
Sandbox: ICS Sec for n00bz: an Intro to ICS Defense by Defending the Death Star
Kara Turner, Critical Infrastructure Cybersecurity Threat Analyst, ISIGHT Partners

In a humorous and nerdy take on ICS security, Kara Turner will share basic ways to defend the Galactic Empire from Rebel attacks on the Death Star. Learn best practices and policies to address these issues and more in a memorable way that easily translates to your own ICS environment. Rebel scum are attacking the Death Star through the ICS networks—the Empire needs you!

10:20 a – 11:10 a – Thursday Track Session 3 | West 3014 | TV-R04
RSAC Studio: Privacy Perspectives: How It’s Lost and the Implications
Florindo Gallicchio, Director, Information Security, Office of the CISO, Optiv; Kelley Misata, Ph.D. Candidate, Purdue University

Privacy and security are not fixed points, but rather moving points we must continually assess and reframe.
10:20 AM: Gone in 15 Minutes: Losing Your Privacy While Standing in a Crowd; Florindo Gallicchio;
10:50 AM: Get Out of Your Comfort Zone: Redefining Privacy and Security; Kelley Misata

11:30 a – 12:20 p – Thursday Track Session 4 | West 2004 | CXO-R05
Data Breach Litigation: How to Avoid It and Be Better Prepared for Defense
Andrea Hoy, Virtual CISO, A. Hoy & Associates; Ronald Raether, Partner, Troutman Sanders LLC

With the law evolving, it is important for companies to understand what circumstances give rise to and sustain a lawsuit. Learn why some of these lawsuits die on the vine and others settle with very few making it to witness testimony or e-document production and what can be done before and after the event to shrink the target on your company and improve your chances of success in any lawsuit.

11:30 a – 12:20 p – Thursday Track Session 4 | South The Sandbox-IoT Stage | SBX1-R05
Sandbox: Tactical Survival Tips Building and Leveraging IoT Technologies
Brian Witten, Senior Director, Internet of Things, Symantec

In 16 months, cars were “hacked, tracked and stolen,” MRI and X-Ray machines infected, power grids crashed, and a steel mill blast furnace damaged, all via security mistakes building and leveraging IoT gear. This session offers advice on using IoT gear as safely as possible in these “buyer beware” years, and a framework to build security into IoT products that should be secure “by design.”

01:00 p – 01:50 p | West 3014 | TV-R07
RSAC Studio: Guiding Principles to Defending Organizations
Dawn Cappelli, Vice President, Information Risk Management, Rockwell Automation; Rick Howard, Chief Security Officer, Palo Alto Networks

Effective security principles come from an inside out understanding of the basic building blocks necessary for success.
1:00 PM: The Power of a Network Defender’s First Principles, Rick Howard
1:30 PM: Predictive Techniques to Catch Insider Threats Before they Become Criminals, Dawn Cappelli

End

RSAC USA 2016 Day 3 – Wednesday

The RSA Conference USA for 2016 starts a week from tomorrow. Today’s blog post will share with you my schedule for Wednesday, my third day of the conference. As I did in my last posting, Tuesday’s schedule, my schedule for Wednesday is followed by some alternate sessions that are my fall-back choices, all very interesting.

Wednesday, March 2, 2016

08:00 a – 08:50 a | Wednesday Track Session 1 | West 3002 | TECH-W02
Giving the Bubble Boy an Immune System so He Can Play Outside
Kevin Mahaffey, Co-Founder, CTO, Lookout

Why are Google, Facebook and others removing “standard” elements, such as VPNs, Firewalls, and rigid ACLs from their IT architecture? This presentation will share lessons learned and pitfalls in moving to data-driven security from experience securing a fast-moving organization, building security products and investing in a number of security startups.

09:10 a – 10:00 a | Wednesday Track Session 2 | West 2007 | PRV-W03
Can Government Encryption Backdoors and Privacy Co-exist? Is It an Oxymoron? [Panel]

Three distinguished panelists, a privacy expert, a crypto expert and a former cybersecurity policy maker for the Office of the President, will engage in a lively debate on whether government encryption backdoors and privacy can co-exist or are they in such a fundamental conflict that one necessarily obliterates the other.
Moderator: Chenxi Wang, Chief Strategy Officer, Twistlock, Inc.
Panelists: Matthew Green, Assistant Professor, Johns Hopkins University; Michelle Dennedy, Chief Privacy Officer, Cisco

10:20 a – 11:10 a | Wednesday Track Session 3 | North 133 | SPO3-W04
More Books You Should Have Read By Now: The Cybersecurity Canon Project
Rick Howard, Chief Security Officer, Palo Alto Networks

Last year, the Palo Alto Networks CSO presented 20 books that we all should have read by now. Since then, he has formed the Cybersecurity Canon Committee to add more books to the list and to select candidate books to officially induct into the Canon. He will discuss how the community can help with the project and will present five new books that are on the candidate list.

11:30 a – 12:20 p | Wednesday Track Session 4 | West 3003 | EXP-W05
A Conversation on Silicon Valley/DC Security Collaboration [Panel]
Ashton B. Carter, Secretary of Defense, Department of Defense, USA; Ted Schlein, General Partner, Kleiner Perkins, Caufield & Byers

U.S. Secretary of Defense Ashton Carter will speak with Ted Schlein, regarding the importance of technology, innovation and cybersecurity, and the opportunities for the Department of Defense and Silicon Valley to join forces.

01:00 p – 01:50 p | West 2015 | P2P1-W07
P2P: Security of Public Cloud Services: It Takes a Village
Ben Rothke, Senior eGRC Consultant, The Nettitude Group

Your cloud provider may have every attestation from PCI to SSAE-16, but that means nothing if your team doesn’t know cloud security and what they have to do. Cloud security is inherently a shared responsibility model. If you are not doing your part, you won’t have security. Even with the move to the cloud, there’s a huge amount of security that still needs to be done.

02:00 p – 02:40 p | South Live at Esplanade Ballroom | KEY-W08
Keynote: Dave Isay on the History of StoryCorps and the Power of Storytelling
Dave Isay, Founder, StoryCorps

Dave Isay is one of the most trusted and respected broadcasters working today. The recipient of four Peabody Awards, a MacArthur Fellowship and the 2015 TED Prize, his lectures tap into the heart and soul of human experience by interweaving stories told by the people that lived them. He is an author, documentarian and founder of StoryCorps.

02:40 p – 03:10 p | South Live at Esplanade Ballroom | KEY-W10
Keynote: Turning the Tables: Radical New Approaches to Security Analytics
Martin Fink – Executive Vice President, Chief Technology Officer, Hewlett Packard Enterprise

The battle between attackers and attacked has long been asymmetric. The answer lies in Big Data analytics. But as security operations mature, current analytics approaches will struggle to handle the exponentially growing volume of data with richer context, new machine sources and at machine speed. Martin Fink will talk about a radically new system and data protection architectures that could turn this asymmetry on its head.

03:10 p – 03:30 p | South Live at Esplanade Ballroom | KEY-W11
Keynote: Ascending the Path to Better Security
Martin Roesch – Vice President and Chief Architect, Cisco Security Business Group

Security professionals are grappling with how to protect their organization from a multitude of new and unforeseen threats. Gaining an advantage against attackers and improving security outcomes requires having a true sense of the value of the protection capabilities in place. Martin Roesch will discuss methods to measure the value of existing security approaches to ascend the pyramid of pain, enable business growth and deliver better security.

03:30 p – 04:00 p | South Live at Esplanade Ballroom | KEY-W14
Keynote: The (Inevitable?) Decline of the Digital Age…
Mark McLaughlin – Chairman, President and CEO, Palo Alto Networks

We live in the digital age, an age of immense productivity but at serious risk due to the increasing lack of trust driven by security concerns. This must and will be corrected. The future will show the decline of legacy, point-product security based on technologies that primarily focus on detection. Instead, we’ll see the rise of next-generation prevention-oriented security platforms. Old-line thinking that hurts trust will fall to the wayside.

04:00 p – 04:50 p | South Live at Esplanade Ballroom | KEY-W15
Keynote: The Great Questions of Tomorrow
David Rothkopf – Chief Executive Officer and Editor, FP Group

There is a universal view that the changes associated with the technological revolution have been profound and will accelerate. Rothkopf will argue that those changes have been underestimated. He will assert that the very fabric of civilization is being rewoven and that the result will force us to rethink basic concepts about who we are, how we govern ourselves, our fundamental rights and the nature of war, peace and money.

Alternates:

01:00 p – 01:50 p | South The Viewing Point at Gateway | FRM-W07
A Roundtable with Three Cyber-Wisemen [Panel]

Six years ago no country had a cyber-coordinator or even a cybersecurity strategy. That’s changed, and it may need to change again. All the old topics are still in play, but new problems are reshaping policy agendas. The job of cyber-coordinator is evolving in ways we can’t yet predict. Three cyber-coordinators will have a frank discussion about agendas and top priorities for the coming year.
Moderator: James Lewis, Director and Senior Fellow, Strategic Technologies Program, CSIS
Panelists: Alex Dewdney, Director, Cyber Security, CESG; Eviatar Matania, Head of the Israeli National Cyber Bureau, Israel National Cyber Bureau, Prime Minister’s Office; Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, The White House

08:00 a – 08:50 a | Wednesday Track Session 1 | West 2004 | CXO-W02
Real-World Examples of Positive Security ROI
John Pescatore, Director, SANS Institute

In every industry and across government agencies, there are those who suffered a major breach and those who avoided the same attacks or greatly minimized the damage. This session will detail six real-world examples of security organizations that avoided breaches by delivering and quantifying positive business return on investments in improving security. Real numbers will be used in all examples.

08:00 a – 08:50 a | Wednesday Track Session 1 | West 3008 | HUM-W02
Trends in Social Engineering: How to Detect and Quantify Persuasion
Markus Jakobsson, CTO, ZapFraud

Email scams are still very effective, as they have evolved to avoid current security countermeasures by making their contents more individualized and credible to the recipient. We describe persuasion in 419 scams and Business Email Compromise (BEC) scams, and discuss how an improved understanding of persuasion can help lay the foundation for more effective anti-scam tools.

09:10 a – 10:00 a | Wednesday Track Session 2 | West 3006 | ASD-W03
Transforming Security: Containers, Virtualization and Softwarization
Dennis Moreau, Senior Engineering Architect, VMware

This session will explore how we can leverage containers, network/endpoint virtualization technologies and virtualized security instrumentation, concurrently, to transformationally improve security visibility, security analytics, system resilience and actionable context, greatly increasing our ability to attest that systems will be secure and compliant in any state into which they may be driven.

09:10 a – 10:00 a | Wednesday Track Session 2 | West 3008 | HUM-W03
Proactive Measures to Mitigate Insider Threat
Andrew Case, Director of Research, Volexity

The threat posed by rogue insiders affects every organization worldwide. The difficulties in balancing employees’ legitimate need to access corporate data along with the need to compartmentalize access are often in conflict. This presentation will walk through several real-world insider threat cases and discuss proactive measures that could have greatly mitigated the damage and losses.

09:10 a – 10:00 a | Wednesday Track Session 2 | West 3014 | TV-W03
RSAC Studio: The Dark Web and Cyberespionage: Fact, Fiction and Future
Vicente Diaz, Principal Security Researcher, Kaspersky Lab Global Research & Analysis Team, Kaspersky Lab; William Gragido, Head of Threat Intelligence Research, DS Labs, Digital Shadows

Attackers are lurking. What is the current and future state, and how can we prepare?
9:10 AM: In the Dark: An Introduction to the Hidden World of the Dark Web, William Gragido
9:40 AM: A Futurist’s Look at Nation-State Cyberespionage, Vicente Diaz

10:20 a – 11:10 a | Wednesday Track Session 3 | West 2016 | PNG-W04
Government in the Crossfire: Data Privacy in an Era of Growing Cyberthreats [Panel]

Join ex-Microsoft CISO and former U.S. Cybersecurity Coordinator Howard Schmidt, EFF attorney Lee Tien and State of Wyoming CIO, Flint Waters, for a discussion about safeguarding citizen data in the cloud. They will tackle responsibilities of cloud providers and government, the latest threats and challenges, and how they are dealing with them.
Moderator: Paul Roberts, Editor in Chief, The Security Ledger
Panelists: Flint Waters, State Chief Information Officer, Director, State of Wyoming; Lee Tien, Senior Staff Attorney, Electronic Frontier Foundation

10:20 a – 11:10 a | Wednesday Track Session 3 | West 3002 | TECH-W04
Applying Top Secret and Military Network Grade Security in the Real World
Dan Amiga, Founder and CTO, Fireglass; Dor Knafo, Security Research Team Leader, Fireglass

The technologies for protecting top-classified, military-grade networks go far beyond traditional security practices like firewalls, proxies, IPS and advanced endpoint protection. This session will share and demo experiences building military-grade solutions like real air-gapped and transparent networks, one-way communication, shadow services and visual-only modes, and how one can use them today.

10:20 a – 11:10 a | Wednesday Track Session 3 | West 3014 | TV-W04
RSAC Studio: Embracing and Extending Kids’ Curiosity to Inspire Future Professionals
Michael Kaiser, Executive Director, National Cyber Security Alliance; Pete Herzog, Managing Director, ISECOM

We expect kids today to use technology yet not know how it works. We need to teach them how to enjoy taking control of their gadgets and inspire future cybersecurity rock stars.
10:20 AM: The Awesome Truth about Hackers; Pete Herzog
10:50 AM: Attracting a New Generation of Cybersecurity Professionals; Michael Kaiser

11:30 a – 12:20 p | Wednesday Track Session 4 | West 2016 | PNG-W05
How the USG’s Rule for Intrusion Software Will Kill Global Cybersecurity [Panel]

In seeking to prevent the sale of surveillance tools to oppressive regimes that use technology to commit human rights abuses, the Commerce Department announced a new proposal for implementing the Wassenaar Arrangement export controls. Panelists discuss the proposed rule and the potential costs to U.S. industry and global cybersecurity if the rule is implemented, offering more sound alternatives.
Moderator: Catherine Lotrionte, Professor, Georgetown University
Panelists: Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy, Symantec Corporation; Chris Boyer, Assistant Vice President, Global Public Policy, AT&T Services, Inc.; Eric Wenger, Director for Cybersecurity & Privacy, Cisco Systems; Ian Schneller, Executive Director, Global Cyber Partnerships and Government Strategy, JPMorgan Chase

11:30 a – 12:20 p | Wednesday Track Session 4 | South The Viewing Point at Gateway | SBX3-W05
Sandbox: Cryptoparty: tuTORial — Learn How to Use TOR to Be Anonymous Online
Runa Sandvik, Privacy and Security Researcher

The avalanche of disclosures in recent years has made it clear that encryption is the way forward for those who wish to protect their data and their communications. This presentation will take a look at Tor and how the tool allows users to be anonymous online. This presentation will also discuss how you can build an enterprise onion site (like Facebook) and better support users of the Tor network.

11:30 a – 12:20 p | Wednesday Track Session 4 | West 2001 | HUM-T10R
300+ Cities, Millennials and a Mobile Workforce: A Security Gauntlet
Samantha Davison, Security Program Manager, Uber

The words that strike fear in most security practitioners: internationalization, millennial, mobile, fierce “at all costs” culture. This is what we were faced with at Uber. Using a combination of a gamified learning program, outside-the-box ideas, and department and culturally focused training, we were able to build a secure workforce. Learn how to take on these challenges and lessons learned.

02:10 p – 03:00 p | West 2004 | CXO-W05F
Focus-on: How to Prepare for Cybersecurity in 2020: A Panel Discussion (Focus-On) [Panel]

Continue the How to Prepare for Cybersecurity in 2020: A Panel Discussion in a smaller group discussion and Q&A with the presenter. This session will be discussion based—no new slides will be presented. This session is limited to 50 attendees. Adding a session to your Schedule does not guarantee you a seat. Admission to this session is on a first come, first served basis.
Moderators: Betsy Cooper, Executive Director, UC Berkeley Center for Long-Term Cybersecurity; Steve Weber, Professor, UC Berkeley School of Information
Panelists: Marc Goodman, Founder, Future Crimes Institute; Martin Giles, Partner, Former Writer, The Economist and Partner, Wing Venture Capital; Sameer Bhalotra, CEO, StackRox

02:10 p – 03:00 p | South The Sandbox-ICS Stage | SBX-W09
Sandbox: Industrial Cyberthreats: The Kaspersky Lab View
Andrey Nikishin, Special Projects Director, Kaspersky Lab

Since Stuxnet we have registered a growing number of cybersecurity incidents in the industrial environment. In this presentation we will share the data collected, analyze some examples of attacks on the industrial environment, provide some forecasts for the future development of industrial cyberthreats and discuss possible solutions for mitigating the risk of cyberincidents.

02:10 p – 03:00 p | West 2017 | P2P2-W09
P2P: Effective (or Ineffective…) Methods of Managing Third-Party Risk
Corey Epps, Senior Director, Information Security, CVS Health

Most organizations today rely on their third parties. Recent studies show 84% of healthcare companies share sensitive data with third parties. Given the rise of cybercrime, identity theft, regulations and contractual requirements where companies must comply, the management of third parties is paramount now more than ever. Come discuss what methods others use to manage risk in third parties.

03:20 p – 04:10 p | West 2014 | FON1-W13
Focus-on: End Island Hopping Hackers’ Vacation in Your Information Supply Chain
Ed Cabrera, Vice President of Cybersecurity Strategy, Trend Micro; Tom Kellermann, Chief Cybersecurity Officer, Trend Micro

Forget spear phishing—hackers are now focused on weaknesses across the entire information supply chain of publicly traded multinationals, including cloud hosting providers, PR agencies and other sources of market intelligence. Join this session to explore the latest island-hopping tactics and learn advanced strategies for managing the systemic risk within the modern information supply chain. Continue this conversation in a smaller group discussion and Q&A with the presenter. This session will be discussion based—no new slides will be presented.

03:20 p – 04:10 p | South The Sandbox-IoT Stage | SBX1-W13
Sandbox: Hacking IoT: Why Security in IoT is Failing (and how to fix it!)
Ted Harrington, Executive Partner, Independent Security Evaluators

Utilizing case study analysis of attack anatomies, this session will explore the fundamental security shortcomings that plague the IoT industry and articulate how to resolve those problems. Data and outcomes from both IoT Village in particular as well as the broader research community are analyzed in order to present actionable guidance.

04:30 p – 05:20 p | West 2018 | FON3-W16
Focus-on: How Infosec Maturity Models Are Missing the Point
Jack Jones, EVP Research & Development, RiskLens

Infosec maturity models abound, and although they provide some value, they completely ignore fundamental elements that ultimately determine whether an infosec program is mature—or not. This session will explore what those missing elements are, why they are so critical, how to gauge maturity in those dimensions, and the steps you can take to help make your organization more mature. Continue this conversation in a smaller group discussion and Q&A with the presenter. This session will be discussion based—no new slides will be presented.

End