External events February Update

OrganizationEventDateNote
CloudWorldCloudWorldFeb 18-19Free for developers & engineers
ASIS Canada Pacific ChapterWomen in SecurityFeb 18Free
Oktane21Okatane21April 6-8Free
ISACA Vancouver Chapter & Reboot Communications LTDVancouver International Privacy & Security SummitMay 5-7Commercial
SecureWorldSecureWorld Central Virtual ConferenceMay 6Commercial
BSides VancouverBSides VancouverMay 9-14Call for participation open
BC GovernmentBC Security DayMay 12Free
VanTUGVanTUG1st and 3rd Tues of each monthNext event Feb 16, Free
OWASP VancouverOWASP Vancouver4th Thursday of each monthNext event Feb 23, Free
VanCitySecVanCitySecMay not have regular meetings anymoreFree

February 12th, 2021 meeting

DATE:February 12th, 2021
TIME:2:00pm to 4:00pm (PST)
VENUE:Zoom Online meeting
(Please note Zoom link was updated)
RSVP Required – register at Zoom
TOPIC(S):Ransomware, Risk, and Recovery: Is Your DR Strategy Ready for Today’s Threats?
PRESENTER(S):  Sean Deuby (Director of Services, Semperis)

ABSTRACT

Disaster Recovery (DR) strategies have traditionally focused on natural disasters, then expanded into other physical events such as terrorism. Today, cyber weaponization is everywhere, and the “Extinction Event” is a genuine threat with no respect for geographic boundaries.


In 2017 the NotPetya ransomware attack impacted Maersk worldwide in under 10 minutes and cost the company over $300M. The 2018 Winter Olympics were hit by a targeted cyber attack. Ransomware attacks have become commonplace. Cyber risk directly correlates to business risk and cyber disasters strike more frequently with broader impact than their physical counterparts. Thus, modern DR strategies must prioritize cyber scenarios.


Takeaways:
Denial-of-availability malware is now the #1 risk to business operations
Cyber insurance policies are not the magic bullet they position themselves to be
New “cyber-first” DR technologies automate recovery of complex systems, facilitate recovery to the cloud, and eliminate the risk of reinfection from system state and bare-metal backups

BIOGRAPHY

Sean Deuby brings 30 years’ experience in Enterprise IT and Hybrid Identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel Active Directory, Texas Instrument’s Windows NT network, and 15-time MVP alumnus, Sean has been involved with Microsoft identity technology since its inception. His experience as an identity strategy consultant for many Fortune 500 companies gives him a broad perspective on the challenges of today’s identity-centered security. Sean is also an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure Active Directory and related security, and Windows Server. He has presented sessions at multiple CIS / Identiverse conferences.

January 8th, 2021 meeting

DATE:January 8th, 2021
TIME:2:00pm to 4:00pm (PST)
VENUE:Zoom Online meeting
Please obtain passcode to enter meeting from email confirmation

RSVP Required – register at Zoom
TOPIC(S):Learning through law:
Building a better defense by studying real legal cases
PRESENTER(S):  Chester Wisniewski (Principal Research Scientist, Sophos)

ABSTRACT

While we are inundated by headlines of cybercriminals hacking everything that moves, we seldom have the opportunity to learn how they go about their trade craft. Often stories are distilled to simple things like “didn’t patch” or “phishing attack”. The complexities of real life events are far deeper. We can use the openness of our legal system to discover how these attacks actually unfolded for those who we are fortunate enough to apprehend, or at least charge with a crime. This talk will analyze a dozen recent indictments and US Grand Jury documents to learn the tricks, tools and techniques used in some of the most well known recent cyber attacks.

BIOGRAPHY

Chester Wisniewski is a principal research scientist at Sophos. With more than 25 years of professional experience, his interest in security and privacy first peaked while learning to hack from bulletin board text files in the 1980s, and has since been a lifelong pursuit. 


Chester analyzes the massive amounts of attack data gathered by SophosLabs to distill and share relevant information in an effort to improve the industry’s understanding of evolving threats, attacker behaviors and effective security defenses. He’s helped organizations design enterprise-scale defense strategies, served as the primary technical lead on architecting Sophos’ first email security appliance, and consulted on security planning with some of the largest global brands.


As a former President of the Vancouver SecSIG he is grateful for no longer being responsible for the meetings, but excited to continue to share and contribute to the security knowledge of our community. You may recognize me from my appearances on Global News(https://t.co/VWNBOja8Iv), CBC and CTV if you are old enough to still watch news on a TV.

December 11th, 2020 meeting

DATE:December 11th, 2020
TIME:2:00pm to 4:00pm (PST)
VENUE:Zoom Online meeting
Please obtain passcode to enter meeting from email confirmation

RSVP Required – register at Zoom
TOPIC(S):Differential Privacy
PRESENTER(S):  Robert Slade (M. Sc.)

ABSTRACT

Differential privacy is a relatively recent topic, although it is an amalgam of well-known, and long utilized, concepts. Oddly, outside of academic circles, it was almost unknown until Apple made a big deal of it in an announcement in 2016. Differential privacy is, however, the “quantitative risk analysis” of privacy, which is why it has such important points to make to the field of privacy, and why almost nobody is using it. (Including, mostly, Apple.)

OK, CISSP question time:

Which privacy law does differential privacy support?

a. British law
b. Chinese law
c. EU law
d. US law

You want a clue?  OK, some initial discussion, then:

a. British privacy law is still primarily based on the original privacy directives, and
is mostly concerned with what data you can collect, and for how long, and how
accurate you have to be.
b. Yeah, I needed a good laugh, too.  But China *does* have a privacy law, and it
pretends to be compatible with the original privacy directives.
c. Well, GDPR is *mostly* just the original privacy directives, but the new
accountability directive *might* have to do with how well you protect what you
*have* collected …
d. OK, I often say the the US doesn’t have any privacy laws, but they do.  Those
are primarily concerned with how much you can sue when people disclose your
data.

For the final answer, attend the December 11th meeting on the topic of
differential privacy.

BIOGRAPHY

Robert Slade has been stuck inside for six months with nothing to do but study
the latest security and privacy buzzwords.  More information than anyone would
want to know about him is available at http://en.wikipedia.org/wiki/Robert_Slade
(and he doesn’t particularly care if you know that).