Schedule

The organizing committee would like to thank all of our volunteer speakers!
  • Day 1 - Monday


  • Abstract: “The world is facing a wide array of online threats. To counter these attacks we need to work together to face the adversaries. While the Internet dispenses with geographical boundaries Canada needs to put on our rally caps and defend the populace. What does the future hold for us? How can we prepare for a digital jerseying? Canada can rise above the fray. Beauty eh?”
    Cyber Defence

  • DevSecOps has become the ultimate marketing buzzword, and is often suggested as a silver bullet to solve all software security issues. But what happens when things go wrong? This talk will cover what to do if you run into any of the most common pitfalls: false positives, slow tooling, lack of other SDLC security activities, unfixed bugs and lack of training & knowledge.
    Outline:
    - Set the stage: define DevOps and DevSecOps and give a few examples, so that everyone is on the same page (3 mins).
    - State the problem: DevSecOps is not a silver bullet and it is not the only security activity you should be doing (the entire SDLC deserves security attention, not just the testing/deployment phase, even if it's the most fun one).
    - 5 common pitfalls, and how to solve them:
      1) Untuned tools - false positives: why we need to tune our tools. I will cover SCA, secret scanning, DAST and SAST (vendor agnostic for all of them) and give tuning tips and advice to avoid false positives.
      2) Slow tools: explain the need for speed and that it is absolutely unacceptable to have security make the pipeline take more than twice as long, then how to speed things up as well as how to put your tools at different points in the SDLC (unit tests, scanning on the local host, and upon repository check-in), so that you've already solved as many problems as you can before the CI/CD even starts.
      3) Security activities are ONLY in the pipeline: a list of all the places in the SDLC where there should be security, with a page-page summary (perfect for taking pictures of to summarize). Requirements: security requirements for whatever you are building.
      4) Not fixing anything: tips on how to build buy-in with management and devs to get them to fix what you find, how to prioritize, then negotiate. Ensuring your bugs are in front of the devs, by using the same bug tracker and automating the sending of the bugs.
      5) No training (for sec, dev and/or ops): explain the problem of lack of training and knowledge in this area, and the need for consulting, training and/or hiring to ensure your team makes excellent decisions, processes and software!
    - Conclusion: summarize, with a 1 page picture-slide.
    - Free resources to help: #CyberMentoringMonday, WHP community, WHP podcast, awesome books on DevOps, then my personal blog.

  • As Internet of Things systems become widely adopted, cyber-physical systems offer smarter environments and services than earlier networked systems by leveraging and integrating sensed data of various modalities. Despite adopting the benefits of the IoT technologies, critical infrastructures and cyber-physical systems have various weaknesses due to existing vulnerabilities in wireless networks, particularly in the 5G era. With massively connected nodes that push sensed data, the cyber threat surface leaves more nodes as target points to enter the monitoring network. By considering connected and autonomous vehicles as a special use case of critical cyber-physical infrastructures, this talk will consist of the following parts: 1) A brief overview of the vulnerabilities and countermeasures in IoT and IIoT cybersecurity with a focus on threat models and attack surfaces in cyber-physical critical infrastructures, 2) Threat vectors in 5G and their interplay with cyber-physical critical infrastructures, 3) State of the art in machine/deep learning (ML/DL)-based intrusion detection in IoT and cyber-physical system networks, 4) The interplay between artificial intelligence and system/application-level security issues in cyber-physical settings, 5) Security-by-design solutions for critical infrastructures by bridging ML/DL and the radio frequency domain. The talk will wrap up by presenting open issues, challenges and opportunities in this field for professionals, researchers and developers who are interested in it. Furthermore, the talk will present remedies for performance degradation of ML/DL models in the case of dynamically changing physical/environmental conditions such as changing channel conditions since the training of an ML model to recognize the signatures of radio signals. At the end of the talk, the audience will have information on how to tackle the following problems from various angles: How can AI be leveraged to meet the requirements of holistic security / safety of cyber-physical critical infrastructures? What are the challenges and opportunities 5G introduces in empowering trained AI models for dependable decisions in a cyber-physical critical infrastructure?
    5G
    ML/DL

  • Training a model using Natural Language Processing (NLP) is challenging. Training one adapted to the unique vocabulary of malicious actors becomes even more difficult. This complex process highlights the need for a continuously adaptive lexical able to follow new trends in illicit communities. To overcome the challenge of the distinct vocabulary used by malicious actors, we’ve created and made public the first open-source tokenizer trained on a corpus containing years of content from interactions on the Dark Web. The tokenizer and lexical are in the Byte-Pair-Encoding format and will be available on GitHub. We will demonstrate two applications of this model, applied to real-world challenges, and highlight some insights found by them. First, we will demonstrate how the ML auto-extractor is able to extract contents from a wide variety of illicit forums without human configuration. Then, we will show how we were able to regroup multiple actors’ monikers based on their writing style. What you will learn during this talk: how to avoid the pitfalls when training NLP on slang/jargon, and how to continuously adapt the lexical to follow new trends in illicit communities. With the release of this open-source model, malware researchers and threat hunters will be able to automate interactions with cybercriminals, support infiltration engagements, and analyze communications and data leaks. Additionally, by constantly updating the lexical based on cybercriminals’ interactions, the model allows researchers to discover and track rising trends.
    Dark Web

  • With recent advancements in both the academic and commercial spaces, quantum computing is going to revolutionize the Information Technology space and pose the single biggest challenge for cyber security practitioners within the next two to five years. Recently the US government, through the National Institute of Standards and Technology (NIST), released four public quantum-resistant cryptographic algorithms. How are these new algorithms going to be used, what questions do they answer, and what effects are they going to have on both an organization's security architecture and security teams’ day-to-day operations? This presentation will answer these questions. The presentation starts by explaining the monumental consequences that Shor's algorithm has unleashed on current cyber security practices. Then the presentation explains, in hopefully a humorous manner, what quantum mechanics is and how quantum mechanics is implemented in quantum computing. The presentation then focuses on quantum encryption and quantum attacks. After that, the presentation shows how encryption algorithms can be quantum resistant and how a quantum-resistant algorithm differs from normal encryption algorithms. This then leads to a discussion around the recently released NIST post-quantum algorithms. By attending this brief, cyber security practitioners and professionals will understand how quantum computing works, how quantum computing will be used against a network, and what tools are available to defend against quantum attacks (for example the NIST post-quantum algorithms). Since organizations' security architectures and postures usually take time to change, this brief will give practical steps both an individual and an organization can take to be ready for the quantum threat.
    Quantum Computing

  • Clouds, Clouds - everywhere there are Clouds! Built-in cloud-based controls only go so far and may be limited in capabilities. With multi-cloud deployments, these technologies become fragmented and add an extra layer of complexity. In this action-packed session, we will discuss security capabilities offered by cloud service providers and how to systematically determine the right controls to secure the cloud environment while empowering practitioners with the ability to stretch these capabilities. This includes coverage across multi-cloud, on-premises, and SaaS-based environments, reducing the overall complexity. Clouds inherently have a better security footprint out of the gate compared to traditional environments, but these controls can quickly become complex and fragmented, increasing operational overhead in a multi-IT environment, and may in fact increase an organization's overall risk. Stepping back and understanding the capabilities, the complexities, and the overall risk to each use case allows practitioners to build comprehensive security solutions that are resilient. We will review the capabilities in general, typical controls required, and then review a fictitious breach that highlights the challenges for practitioners. We will then provide a methodology based on a use case to build security solutions with broader coverage that simplify the overall solution.

  • The challenges facing today’s CISO and corporate cyber teams are daunting. Cyber security partners now number in the 100s and product options seem to be 10 times that. The only thing that is certain is that the number of threats and attacks is increasing at an alarming rate. There was a time when you could build or hire a SOC to monitor your environment and, once connected, you could sleep well at night knowing that there was a watchful eye on your corporate environment. Today, however, attackers can identify a new exposure and act on it before most organizations even know that they are exposed. This session looks at this situation from the eyes of a security professional charged with protecting their global operations and will talk about creating an Active Defence program that goes beyond a traditional SIEM to proactively ensure that you are protected against both basic and advanced threats.

  • We've often had the opportunity to hear about bug hunting & bug bounty programs from the researcher perspective, or in the form of sales pitches from companies that help build programs, but less often do we hear from the folks who work on those programs as their main focus. In this talk we'll explore the ins and outs of GitHub's Bug Bounty program, along with advice for those working in BB/VDP programs, or submitting bounty reports. GitHub’s Bug Bounty program is often noted as being a leader in bug bounty - an early adopter, consistently offering generous awards with clear scoping. In addition to having a dedicated team to work with researchers, we’ve helped host three live hacking events with HackerOne, and have paid out over $3,400,000 USD in bounties since the inception of our program in January 2014. I'll aim to cover:
    - An overview of GitHub's Bug Bounty program, including our payout strategies, key milestones, and lessons learned
    - How GitHub handles report triage & severity assignment, including our tooling/automation
    - How GitHub’s bounty team interacts with researchers and aims to more deeply understand and analyze bug reports
    - Operational considerations of working with a SaaS & on-premise product that has a shared code base
    - Our report/vulnerability disclosure practices and why we do things the way we do
    - Bug bounty triage as a job & career stepping stone
    - Tips for researchers, bounty staff, and program owners
    Attendees should walk away from this talk having a better understanding of GitHub's lessons learned running a bug bounty program, the nuances and challenges that triagers/engineers face working with bounty reports, and also how to improve their ROI when working on or with bounty programs.
    Bug Bounty

  • Day 2 - Tuesday


  • In the session I will share insights on quantum computing overall, how it applies to Canadian business and government, and share the work we already have underway with Quantum Safe Encryption and Satellite Communications. I will speak to those who have only heard of Quantum Computing as something to worry about in the future, while also getting into the weeds at a Quantum Mechanics level. The talk will clarify Quantum topics including Entanglement, Wave Function Collapse, QKD and the use of Quantum Entropy to protect our data now and in the future. It will help the audience understand why QC is such a big deal to all aspects of industry, why it is taking so long for Quantum Computing to happen, where we are along the QC path and who in the world is leading the Quantum race. As part of the discussion around the World Race in QC: how does Canada fit into that picture, why can we be an integral contributor, and what does that mean for Canadian business?
    Quantum Computing

  • The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we’ve seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed the “worst security flaw of the decade”. This resulted in studies being conducted which determined that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that the custom code developed by them is secure, usually little to no consideration is put into evaluating the security of the open-source components they use. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. We’ll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines.

  • By the end of this talk the attendee will have gained a working abstraction of 4G and 5G systems, RAN and Core, and how 5G is bringing cloud native security concepts and risks to carrier class telephony systems. I intend to bring the audience through a short technical journey from enterprise security knowledge to prime the attendee for carrier mobility security challenges and promise in 5G.
    5G

  • Wait… my attack surface is how big? I’ve heard this question - or some variation - over and over throughout my career. With the widespread adoption of cloud platforms, as well as the maintenance of legacy (sometimes forgotten) servers, we can sometimes lose track of our areas for entry. Let’s not forget remote workers and shadow IT! When we don’t know what we need to protect, how successful can our information security programs, practices, and people possibly be? Some of the naughty (and completely unknown) findings we’ve provided to customers tell us “not very”. With an ever-expanding attack surface due to experiments, mergers and acquisitions, and misconfiguration, how can we possibly know what we don’t know? This talk is meant to help InfoSec professionals and teams get a better understanding of how to discover, monitor, and manage their attack surface. We will examine questions such as: “How can we define and enumerate our own attack surface?”, “What are the attackers able to discover without active reconnaissance?”, “What tools are at our (the good guys') disposal to help us better understand our attack surface?” and “How can we better reduce and/or manage our attack surface?” We will also examine what exactly we can do with the data we mine around our own attack surface to augment our security operations practice.
    Attack Surface

  • Attackers know that most modern application code is composed primarily of open-source software with a relatively small amount of 1st-party code. Researchers, including our own, are witnessing, in real time, attackers planting packages with malicious code into open-source software supply chains. As a result, as application developers incorporate these affected libraries into their codebase, this malicious code becomes part of the applications you are publishing. Making matters even worse, these malicious packages are not tracked as CVEs on Mitre.org – organizations have no idea that they have just become a victim because the traditional methods for identifying risky open-source components are blind to these attacks. These security concerns are not inherent to the open-source software itself, but rather to how the malicious software propagates undetected throughout software supply chains. Software developers and software security professionals will find this session useful if they would like to learn more about:
    - Techniques attackers use to plant malicious code in the supply chain
    - The differences between identifying the presence of CVEs in open-source components and outright malicious packages
    - Steps to take now so you do not fall victim to these attacks
    - How to focus mitigation and remediation efforts without disrupting development teams
    Supply Chain

  • Adobe Campaign Classic is a marketing software for campaign management and automation. Originally from a company called Neolane, it was bought by Adobe in 2013. The on-premise version of the software features client-supplied JavaScript execution that runs server-side. We study this authenticated attack surface and present bugs that result in access-control bypass that were found using 1337 techniques like reading the documentation and trying stuff. These bugs were reported to Adobe and will be part of their November release.

  • Today’s cyber threat landscape and strict regulatory controls continue to evolve, and for organizations and government agencies, especially those that are hybrid or cloud first, it can be challenging to know where to start. By securing user and machine identities, organizations can stop modern threats in their path, ultimately eliminating fraud while ensuring they remain regulatory compliant. For organizations that leverage existing PKI deployments for authentication, Microsoft Azure allows Certificate Based Authentication (CBA) for direct access into Azure without the federation requirement. This aligns with OMB's M-22-09 push to rely on cloud-based infrastructure and offers a seamless transition towards cloud authentication while maintaining requirements for phishing-resistant, AAL3 compliant access to data and apps for employees and contractors. In addition, cloud authentication offers modern protocols such as FIDO2 authentication based on public key cryptography, offering the most effective defense against emerging cyber threats. Yubico’s Solution Engineer, Shakeel Aziz, will share with attendees how to future-proof their identity and access management strategy across on-premise and cloud-hosted applications using smart card technology today and modern FIDO protocols tomorrow. Shakeel Aziz will also explain what strong authentication is, how it supports Zero Trust security models, and important information around FIDO authentication standards.