2019 Phoenix Security & Audit Conference

Agenda


    • Ballroom Bonus
    • 9:45 AM  -  10:45 AM
      Vendor Risk Management: Overcoming Today’s Most Common Security & Privacy Challenges
      Ballroom

      Managing third-party vendor risk before, during and after onboarding is a continuous effort under global privacy laws and security regulations. While outsourcing operations to vendors can alleviate business challenges, managing the associated risk with manual tools like spreadsheets is complex and time consuming. To streamline this process, organizations must put procedures in place to secure sufficient vendor guarantees and to work together effectively during an audit, an incident, or other events. In this session, we'll break down a six-step approach for automating third-party vendor risk management and explore helpful tips and real-world practical advice for automating third-party privacy and security risk programs.

      • Review the drivers and challenges organizations face when managing third-party vendor risk
      • Identify priorities before, during and after vendor procurement
      • Take away a six-step approach for automating the third-party vendor risk lifecycle
      • Hear real case studies from privacy experts on how to practically tackle third-party vendor risk

      11:00 AM  -  12:00 PM
      California Consumer Privacy Act: What Compliance Entails & What It Will Mean for Your Organization!
      Ballroom

      We will cover:

      1. Core components: Core components of CCPA, including history, rights granted consumers, and scope of the law
      2. Risks and obligations: Risks and obligations for businesses that impact your data privacy operations
      3. Key differences: Key differences between CCPA and GDPR, so you can address each with appropriate measures
      4. Steps to get started: Steps to get started and ensure you have the agility to evolve as the law changes
      5. Resources to shorten your organization's time-to-compliance: Ways to maximize the efficiency of internal resources to ease the budgetary strain of becoming compliant
      1:45 PM  -  2:45 PM
      Pulling the Ripcord on Cloud Threats: Securing Your Data & Users in a Direct-to-Internet World
      Ballroom

      The cloud has changed how we do business, making work more intuitive, connected, open, and collaborative. This change has presented new security risks, unlike any enterprises have seen before. As enterprises continue to adopt new clouds, with or without the involvement of IT and Security, new ways of defending and responding, and new technical control capabilities, are required to succeed in this new reality. In this talk, practitioners will hear from cloud industry leader Sean Cordero, who will provide tips, lessons learned, and recommendations on how to defend against these new vectors of attack, and share the lessons learned from defending some of the largest public and private organizations in the world.

      Attendees will learn:

      1. Common challenges & cloud sourced risks facing organizations in a cloud-first world and how to address them.
      2. Technological innovations which have enabled large enterprises to securely adopt cloud services while protecting their core data assets.
      3. Real-world examples of modern attacks used to damage public and private organizations which leverage the cloud.
      3:00 PM  -  4:00 PM
      SIM Swapping - Your Phone Might be Worth More than You Think
      Ballroom
      This session will take an in-depth look at the SIM Swapping process, reveal trends and best practices on how to protect yourself against SIM Swapping, and what the mobile carriers should be doing to protect us.

      Learning Objectives:

      1. Gain a better understanding of how SIM Swapping works
      2. Learn how to protect yourself against this attack
      3. Learn what can be implemented by the mobile carriers to prevent unauthorized SIM Swapping

    • Cyber Warfare Range
    • 9:45 AM  -  10:45 AM
      Live Cyber Incident Hands-On Scenario
      McDowell - South
      How well will you and your team do in a real-life cybersecurity emergency? How much will your team's lack of experience and depth hurt your organization financially? Cybersecurity incidents are a harsh reality. Most are not afforded an opportunity to learn until it is too late. Then, when they do get a chance, the urgency minimizes the learning experience. The National Cyber Warfare Foundation (NCWF) with The Cyber Warfare Range Information Sharing and Analysis Organization (CWR ISAO) have developed real-world cybersecurity incident scenarios that immerse your team in an ultra-realistic, state-of-the-art and completely unique experience. The scenarios are groundbreaking in 6 different areas, starting with their "choose your own adventure" format. It continues with engaging your entire organization from the C-level to the technicians, and much more. Do not pass up the opportunity to benefit from our immersive experience. (CWR Session 2 is a repeat of this session.)
      11:00 AM  -  12:00 PM
      Live Cyber Incident Hands-On Scenario
      McDowell - South
      This is a repeat of CWR Session 1 (see the 9:45 AM description above).
      1:45 PM  -  2:45 PM
      Open Panel w/ Chris Roberts and the CWR Team
      McDowell - South
      Join us for a lively and spirited Q&A session with Chris Roberts, Brett Scott, and some of the highly talented members of the CWR. Caution: Some content and language may not be suitable for younger audiences. Come ask the questions you couldn't ask at the lunch keynote!
      3:00 PM  -  4:00 PM
      Open Season!
      McDowell - South
      The CWR will once again have the Mobile Range with all your favorite hacking scenarios for you to explore hands-on.

    • Data Analytics
    • 9:45 AM  -  10:45 AM
      Data Analytics & Internal Audit: Overcoming Challenges
      Paloma I
      We'll discuss how internal audit shops can take advantage of data analytics to add corporate value. We'll review challenges and solutions for using data analytic tools. We'll also review some examples of how audit shops are using data analytics.
      11:00 AM  -  12:00 PM
      Next Generation Internal Audit - Turning Today’s Unknown into Tomorrow’s Advantage w/ Process Mining
      Paloma I
      This session will highlight a variety of Next Gen IA topics, including a deep dive into a relatively new technology: process mining. During the session, participants will be introduced to process mining, understand how it works and how it can be used for Internal Audit. The session will include a live demo of a process mining tool, Celonis.
      1:45 PM  -  2:45 PM
      Understanding Your Enterprise’s Data—One Database at a Time
      Paloma I

      We’ve all been there: You receive a question from a decision maker, and are left wondering: Where is this requested information stored within the enterprise? Is the information duplicated in multiple databases? If the information is duplicated in the databases of multiple information systems, is there a source of truth for the information?

      This presentation will focus on an approach that BerryDunn developed to understand what data elements were stored in the nearly 150 databases that comprised a major division of a state government agency. In addition, the presentation will share tips on developing a standardized enterprise-wide data dictionary, identifying sensitive data elements, and analyzing information from databases to identify similarities. Session participants will gain an approach they can implement to better understand data elements—particularly sensitive and duplicative data elements—within their own enterprise.

      3:00 PM  -  4:00 PM
      Visualizing Data Analytics in Immersive Virtual Reality
      Paloma I
      Data analysis typically entails applications of various statistical methods, computational algorithms, and visualization techniques. In this session we will discuss a variety of innovative visualization techniques using immersive, virtual reality technology. We will discuss several approaches to analyzing data, leveraging the VR experience. We will also show a demonstration of a system we built to simulate the generation, capture, and analysis of a variety of data streams and the interaction with data in virtual space. Such interaction can offer additional insights into big data, while amplifying additional human sensory abilities.

    • General
    • 8:30 AM  -  9:30 AM
      Conquering Corporate America: How to Architect a Career That Works for You!
      Ballroom

      We are five-plus years into one of the hottest economies for Audit and Security professionals that we may ever be fortunate enough to experience. But no one knows how long these boom conditions will last. The potential for a global trade war, rising interest rates, an increasingly volatile stock market, not to mention a bull market long in the tooth could result in changing winds in the market.

      At the same time, working in Corporate America presents its own myriad of challenges, while advances in automation, AI, and robotics, threaten to eliminate some jobs. In this environment, it is important to take steps to ensure your continued marketability. It is also precisely this type of climate that leads to career management missteps that can follow you for your entire career. Whether you are trying to climb the corporate ladder or just trying to hang on until retirement, now is the time to be particularly attentive to making the right decisions about your career.

      Learning Objectives:

      • Understanding some of the key challenges of navigating a career in Corporate America
      • How to define and implement a professional development plan that you own!
      • Networking 101: A quick primer on this essential skill
      • What you need to know about Social Media
      12:40 PM  -  1:30 PM
      “We reap what we have sown” OR “A Hackers Perspective, where do we go from here?”
      Ballroom
      For 25 years or more we have fought the battle of passwords and patches while, all around us, the world has developed, data has increased exponentially, attack surfaces are everywhere, and technology has quite simply forced the human race to consider the evolution cycle in single lifespans as opposed to millennia. During the last 25 years we have done little to protect the charges we are responsible for: we have failed to secure systems, allowed financial attacks, infrastructure attacks, and now attacks directly against humans. At what point will we be able to stem the bleeding and actually take charge of our realm? Have we left it too late, or are we still able to claw back out of the abyss and face our adversary in a more asymmetrical defensive manner? Can we actually provide safety and security to our charges, or will we continue to fail? And, critically, how do we communicate this and educate a population that is content to watch from the sidelines while they are being digitally eviscerated?

    • Governance, Risk, & Compliance
    • 9:45 AM  -  10:45 AM
      GRC and the Marriage of InfoSec: GDPR and SOC
      Paloma III
      18+ months of real-life lessons learned on how Information Security aligned with Risk & Compliance to meet the requirements of GDPR from a security mindset, while laying the groundwork and framework to then move immediately into SOC 2.
      11:00 AM  -  12:00 PM
      The Integrated DevSecOps GRC
      Paloma III
      Overview of the role and criticality of the ‘single pane of glass’ in successfully leveraging DevSecOps tenets to mitigate interdisciplinary risk and enhance visibility across the enterprise to facilitate actionable outcomes. This session will cover: (1) Advancing DevSecOps Beyond SDLC Practices, (2) Comprehensively Closing Cybersecurity Gaps, (3) Enabling Decision Support for Leadership, and (4) The Business Case for the Integrated DevSecOps GRC.
      1:45 PM  -  2:45 PM
      Don’t Tempt Fate – Quantify It
      Paloma III
      An in-depth look at why most firms struggle to design and implement an operationally feasible, repeatable, and accurate risk quantification methodology and tooling. We explore how complex and often overlapping threat frameworks can be normalized, and how threats/TTPs can be measured and tracked to build a quantified input for risk calculation. Actionable insights on starting or enhancing threat intelligence and risk management functions, and on how downstream security processes and tools can all benefit from using a single source of truth. In this session we’ll look at the pros and cons of methodologies, accuracy vs. precision, specific attributes that can or can’t be measured, and some hands-on threat quantification examples and interactions to demonstrate the proposed methods.
      3:00 PM  -  4:00 PM
      How Security Leaders Gain Trust in the Boardroom
      Paloma III
      Security Leaders need a solid and comprehensive approach in communicating their cybersecurity programs. Kudelski Security surveyed CISOs, CSOs, and CIOs about communicating their cybersecurity program with their Board of Directors. The collective responses provide insight into what interests boards the most, suggested strategies and metrics that resonate when answering the board’s most challenging questions. A summary of the research will be provided to all participants in hardcopy booklet format.

    • Hackers & Threats
    • 9:45 AM  -  10:45 AM
      Nation-State Cyber Warfare: How to recognize an attack, defend yourself, and defend the enterprise
      McDowell - North
      Security researchers have been reporting a disturbing trend among organizations that have been hacked: their systems are often victimized by not just one state-sponsored hacking group, but several. The typical nation-state hacking operation involves a fairly complex network of highly trained, highly skilled actors who patiently create malware and other malicious content specifically designed for a particular organization. When nation-state hackers do breach an organization, they tend to work quickly. That's why organizations need to react fast to a live hacking threat.
      11:00 AM  -  12:00 PM
      A Better Pen Test
      McDowell - North
      Why a Traditional Pen Test isn't enough and why organizations are turning to hackers to protect themselves.
      1:45 PM  -  2:45 PM
      Data Breaches & Other Cyber Frauds: What’s Our Risk
      McDowell - North
      This course is designed for individuals who would like to obtain an understanding of the risks of data breaches & other cyber frauds and how their company could be affected. We will discuss various types of data breaches and cyber frauds and demonstrate how criminals steal data from organizations. We will discuss ransomware, credential stuffing, social networking, phishing, vishing, smishing, and other common cybercrimes. We will review some of the legal and ethical implications involved. Examples of real-world cases will be provided to help develop an understanding of the risks involved. We will review policies, procedures, hardware, software, and internal controls that can be used to help prevent an organization from becoming a victim. We will discuss steps internal auditors can take to help protect their organizations from data breaches and cyber frauds.
      3:00 PM  -  4:00 PM
      Vulnerability Scanning - Why Are Your Scans Crap?
      McDowell - North
      Vulnerability scans have to be done correctly to provide value: 1) if you are a noob in Security, your first job will probably be running vuln scans, and 2) the noob needs to understand how to do a complete and successful scan by knowing what the network really does.

    • Hot Topics
    • 9:45 AM  -  10:45 AM
      Table Top Exercise - Notification Nuances
      Mohave III
      A unique blend of technical and legal views through a table top exercise focusing on a ransomware investigation turned data breach turned employee personal web browser credential harvesting. The exercise is based upon actual TRICKBOT malware modules increasingly seen in the wild, what to consider when the breach is important but does not contain traditional PII, and new considerations encountered when employee personal credentials are suspected to have been collaterally captured during the compromise.
      11:00 AM  -  12:00 PM
      Identifying and Mitigating Your Insider Threat
      Mohave III
      Since the dawn of computer security, we’ve worried about the insider threat, like the network administrator who held San Francisco hostage by refusing to divulge administrative passwords or the engineer who sold his company’s intellectual property to China. Drawing on research conducted by the U.S. Intelligence Community and others, this session describes the common characteristics, behaviors, and motivations of the average insider. You’ll learn how to prevent employees from turning into “insiders,” identify potential insiders, and take action to prevent your organization from becoming the next insider threat horror story.
      1:45 PM  -  2:45 PM
      GDPR, CCPA, and Coming Wave of Privacy Regs - Risk or Opportunity?
      Mohave III
      Consumers and employees are filing GDPR complaints against companies at a rate of 400 per day, leading to large regulatory fines even when no breach has occurred. If Europe sounds distant, the California Consumer Privacy Act (CCPA) comes into full force in July 2020 – and while some of its provisions are already in effect, many companies have not even heard about this law yet. Its fines are potentially even larger than the GDPR’s. Just when we thought we were getting our arms around cybersecurity, along comes a new regulatory wave that changes, and expands, companies' obligations for the data they hold. In this session, we will cover the latest updates and emerging trends in data privacy regulations worldwide - diving into lessons learned from GDPR compliance implementation and enforcement, the expectations for the CCPA in 2020, and the broader context of privacy regulations around the world. These regulations are coming… do they represent a risk or an opportunity? How can we leverage compliance for competitive advantage? Join us as we explore this new regulatory landscape and its implications for your business.
      3:00 PM  -  4:00 PM
      Best Cybersecurity Requires Integrated Efforts
      Mohave III
      Every organization manages about 20 distinct security technologies, with enough staff to operate five of them well. Hiring isn’t the answer — the talent pool is nearly dry. Instead, we must get all our existing security investments to work. Together. You’ll see: (1) How products and vendors are sharing information, (2) Operational benefits from integrations, and (3) Improved cybersecurity results – a safer, more resilient company.

    • Info Sec
    • 9:45 AM  -  10:45 AM
      Data Privacy Concerns in the Age of Technology and Data Analytics
      Mohave II
      In the vendor race to release the newest technology, usually involving the words ‘AI’ or ‘machine learning’, or the consumer frenzy to find ways to work smarter with fewer resources, you don’t tend to hear much about data privacy concerns. This should be a concern for all of us. It crosses multiple technology stacks, from IoT to data analytics to AI and machine learning. Each of these areas has its own ways in which it can, and often does, infringe upon data privacy, but what they all have in common is the unintended possibility of revealing more information of a personal/private nature than envisioned. In this session we will collaboratively explore how these areas of technology can create data privacy concerns and what can be done to address them.
      11:00 AM  -  12:00 PM
      SSL Everywhere: Encrypted Malware, PFS, and TLS 1.3
      Mohave II
      Kudelski Security's Daniel Tavernier, cybersecurity and application delivery expert, discusses how to identify and prevent malware and zero day attacks, when encryption is ubiquitous and turned on by default throughout the Internet. According to Internet Trends, 87% of internet traffic is encrypted with SSL/TLS. And, according to Qualys, over 97% of the top 150,000 websites support Perfect Forward Secrecy (PFS), which will become a requirement with the newly ratified TLS 1.3 protocol. Attackers increasingly use encryption to hide malicious payloads. If you’re not inspecting SSL/TLS traffic and using tools that enable you to identify malware within this encrypted traffic, you will miss attacks and leave your organization vulnerable. Learn how the F5 SSL Orchestrator provides robust decryption/encryption and intelligent security service chaining to maximize network visibility and availability.
      1:45 PM  -  2:45 PM
      2020 Cybersecurity Readiness: CCPA, SB 327, HITRUST, NIST & More…
      Mohave II

      In this fast-paced, fact-based, cyber brief, we will:

      • Examine the impact of GDPR and CCPA on an enterprise cybersecurity program
      • Walk through key areas of cyber risk with IoT/biomed devices and compliance with mandates such as SB 327
      • Enhance cyber priorities by leveraging prescriptive standards such as the NIST CSF and HITRUST CSF
      3:00 PM  -  4:00 PM
      Importance of a Security Awareness Program
      Mohave II
      Security awareness is important for any organization in helping to reduce risk. Implementing a robust security awareness program can help address concerns for your Information Security department, as well as provide the training and awareness most often referred to during audits.

    • Internal Audit
    • 9:45 AM  -  10:45 AM
      The Audit of Digital Assets
      Paloma II
      Digital Assets are disrupting the financial services industry. With just a few clicks and the right interface, anyone in the world can become a participant in a public blockchain ecosystem and have ownership of digital assets. Technological advancement of cryptocurrencies and digital assets has far outpaced risk management. This session will focus on specialist involvement in audit and internal audit for digital assets, understanding the implications of disruptive financial technology to your business, identifying and addressing risks to your business from digital assets, and interpreting information technology standards when developing digital asset controls.
      11:00 AM  -  12:00 PM
      Internal Audit Reimagined and Dynamic Internal Auditing
      Paloma II
      Rapid technology change. Shifting regulations. Talent shortages. Emerging risks. Unprecedented changes in business models. Businesses are being disrupted from many fronts, and the effects are permeating to internal audit functions. The next three to five years will add significant complexity to the business of internal audit, presenting both new challenges to overcome and opportunities to shine. This new era demands new thinking, new skills, new capabilities, and even new delivery models. Given the scope and pace of change, traditional approaches to internal audit will soon prove incapable of providing the level of risk assurance and actionable insight business leaders need to protect and enhance organizational value. For internal audit to effectively meet the raised expectations of stakeholders – including the audit committee, executive team, and business line managers – greater speed, agility, business alignment, and focus on the future will be paramount. Therefore, internal audit will need to become more data enabled, dynamic, and driven than ever before. This session will cover the evolution of the internal audit profession driven by changes in technology and stakeholder expectations. The session will provide practical examples on the concept of “Audit Re-Imagined” and use of data analytics that are transforming the internal audit profession.
      1:45 PM  -  2:45 PM
      2019 Sarbanes-Oxley Compliance Survey
      Paloma II

      In this presentation we will:

      1. Discuss the internal and external forces, such as digital transformation initiatives and PCAOB inspections, impacting SOX compliance.
      2. Outline the efficiency and effectiveness benefits that can be delivered by automating controls and other SOX project activities.
      3. Discover what it means to move into the next generation of SOX compliance.
      4. Explore why many organizations experienced changes in their SOX compliance costs and hours during last fiscal year.
      3:00 PM  -  4:00 PM
      Business Continuity – Will you be open?
      Paloma II
      A business that continues to operate despite interruptions is fundamental to a good operational plan. Although most of us would like to see the world through “rose-colored glasses”, it is important to stop and consider what could happen that would prevent an organization from conducting business. Organizations need to plan for the unexpected – thus, the Business Continuity Plan.

    • IT Audit
    • 9:45 AM  -  10:45 AM
      Session 1 - IT Audit
      Mohave I
      11:00 AM  -  12:00 PM
      Stored Hashed Passwords - You Need to up Your Game
      Mohave I
      Salting and large iteration counts are no longer enough to protect hashed passwords. Using techniques and specialized processors developed for cryptocurrency mining, attackers have the cost/performance advantage in computing large quantities of password hash values. Memory-hard hashing, as recommended by the 2017 NIST guidance on passwords, lets traditional servers recover that advantage. Using hash methods like balloon hashing and enlisting users in detecting credential attacks will secure your business in the future. Attendees will receive a brief background on current methods for securely storing passwords, a description of credential attacks including the use of specialized processors, a brief review of NIST SP 800-63 Digital Identity Guidelines, a description of memory-hard hashing, suggested methods for helping users spot credential attacks against their accounts, and guidance on how to deploy these latest tools.
      1:45 PM  -  2:45 PM
      Application Controls and How to Test Them
      Mohave I
      While applications process data so it is available, produce expected results, and protect from unauthorized access, accuracy and completeness of that data are a key concern for management, users and auditors.
      3:00 PM  -  4:00 PM
      Controlling and Securing Your Mobile Device Environment
      Mohave I
      In February, the National Institute of Standards and Technology (NIST) released guidance on how organizations can better secure mobile devices used for work, including recommendations for enterprise mobility management and mobile device management. Using that guidance and other framework guidance, we will cover how to know if your Mobile Device Management platform is meeting your data security needs. We will integrate topics from various frameworks and regulatory standards to share how your MDM program can address governance, risk and compliance concerns.