This talk will begin with a historical walk-through of how we got to our present state of security. The discussion will look at the promises that were made of a security future that we’re still in search of today. This is analogous to the personal jetpack that we were promised in the early days of science fiction.
The talk will then proceed to the subject matter areas of user management, device management, policies to govern activity, controls for accessing applications, and the need to effectively search for anomalies in access control analytics. Case studies will be presented to help demonstrate the need to better protect the workforce, workplace and workload. There will also be a data-driven element to further illustrate the benefit of zero trust.
Security Culture and Credential Sharing: How to reduce the risk of credential sharing by 52
This talk is based on the latest research from KnowBe4 Research and CLTRe, a KnowBe4 company. The latest study analyzes 97,661 employees in 1,115 organizations worldwide. The findings reveal that organizations with improved security culture see significantly lower risky security behaviors.
Actions such as opening phishing emails, clicking on malicious links, and unintentional credential sharing are all reduced when an organization’s security culture score improves.
As organizations improve their security culture, the risky behaviors of their employees are significantly reduced. For example, organizations with Poor Security Culture (5.2% of employees enter data) have 52 times as many risky behaviors as those organizations classed as having Good Security Culture.
These findings provide very important reasons to focus on improving security culture in organizations. The authors recommend that organizations work to improve their security culture and that they measure the progress. A number of actions that can be taken to move to a better security culture class are suggested.
Poisoning the Well: the rising risk of software supply chain attacks
Our technology-driven world increasingly relies on software dependencies: third-party code, open source libraries and shared repositories. Recent attacks show how easy it is to create confusion and send malicious code undetected through automated channels to waiting recipients. SolarWinds delivered a hard truth to defenders: everyone is vulnerable when trust can be abused.
Are we ready for what else can be sent down the pipeline?
Building better privacy (data and information protections) into software, systems, and practices doesn’t have to be overly complicated. Privacy, at its core, is protecting data from unauthorized access and misuse. Regulatory frameworks in the US, EU, and LATAM are increasingly requiring heightened data privacy and protections. Evolving ransomware attacks, which are moving beyond encrypting data to exfiltration and even release of the data, further highlight the need for additional attention to strengthening data privacy practices. The same offensive ADR (Attack, Detect, Respond) tactics and tools used for building playbooks can be leveraged for engineering privacy. We will walk through some of the common offensive technologies and tools used to practice attack, detect, and respond (ADR) and identify how these should be leveraged to focus on privacy engineering.
Associate Teaching Professor in the Tufts University Department of Computer Science.
Lessons Not Learned in the Last Ten Years
In 2013, there was a talk titled "We See the Future and it’s Not Pretty" given by Veracode. How true is that statement today? In this talk, we look at the last ten years in cybersecurity. What has changed, and more importantly, what has not changed? We will look at the changes in education, data privacy, application architecture, and also geopolitical matters to see how much we have progressed in security, or not.