Today’s cyber threat landscape and strict regulatory controls continue to evolve, and for organizations and government agencies, especially those that are hybrid or cloud-first, it can be challenging to know where to start. By securing user and machine identities, organizations can stop modern threats in their path, ultimately eliminating fraud while ensuring they stay regulatory compliant.
For organizations that leverage existing PKI deployments for authentication, Microsoft Azure allows Certificate Based Authentication (CBA) for direct access into Azure without the federation requirement. This aligns with OMB’s M-22-09 push to rely on cloud-based infrastructure and offers a seamless transition towards cloud authentication while maintaining requirements for phishing-resistant, AAL3 compliant access to data and apps for employees and contractors. In addition, cloud authentication offers modern protocols such as FIDO2, which is based on public key cryptography and offers the most effective defense against emerging cyber threats.
Yubico’s Solution Engineer, Shakeel Aziz, will share with attendees how to future-proof their identity and access management strategy across on-premise and cloud-hosted applications using smart card technology today and modern FIDO protocols tomorrow. Shakeel Aziz will also explain what strong authentication is, how it supports Zero Trust security models, and important information around FIDO authentication standards.
Adobe Campaign Classic is a marketing software for campaign management and automation. Originally from a company called Neolane, it was bought by Adobe in 2013. The on-premise version of the software features client-supplied JavaScript execution that runs server-side.
We study this authenticated attack surface and present bugs that result in access-control bypass that were found using 1337 techniques like reading the documentation and trying stuff. These bugs were reported to Adobe and will be part of their November release.
Attackers know that most modern application code is composed primarily of open-source software with a relatively small amount of 1st-party code. Researchers, including our own, are witnessing, in real time, attackers planting packages with malicious code into open-source software supply chains. As a result, as application developers incorporate these affected libraries into their codebase, this malicious code becomes part of the applications you are publishing. Making matters even worse, these malicious packages are not tracked as CVEs on Mitre.org, so organizations have no idea that they have just become a victim because the traditional methods for identifying risky open-source components are blind to these attacks. These security concerns are not inherent to the open-source software itself, but rather to how the malicious software propagates undetected throughout software supply chains.
Software developers and software security professionals will find this session useful if they would like to learn more about:
· Techniques attackers use to plant malicious code in the supply chain
· The differences between identifying the presence of CVEs in open-source components and outright malicious packages
· Steps to take now so you do not fall victim to these attacks
· How to focus mitigation and remediation efforts without disrupting development teams
Wait… my attack surface is how big?
I’ve heard this question, or some variation, over and over throughout my career. With the widespread adoption of cloud platforms, as well as the maintenance of legacy (sometimes forgotten) servers, we can sometimes lose track of our areas for entry. Let’s not forget remote workers and shadow IT! When we don’t know what we need to protect, how successful can our information security programs, practices, and people possibly be? Some of the naughty (and completely unknown) findings we’ve provided to customers tell us “not very”. With an ever-expanding attack surface due to experiments, mergers and acquisitions, and misconfiguration, how can we possibly know what we don’t know?
This talk is meant to help InfoSec professionals and teams get a better understanding of how to discover, monitor, and manage their attack surface. We will examine questions such as: “How can we define and enumerate our own attack surface?”, “What are attackers able to discover without active reconnaissance?”, “What tools are at our (the good guys’) disposal to help us better understand our attack surface?” and “How can we better reduce and/or manage our attack surface?” We will also examine what exactly we can do with the data we mine around our own attack surface to augment our security operations practice.
By the end of this talk the attendee will have gained a working abstraction of 4G and 5G systems, RAN and Core, and how 5G is bringing cloud native security concepts and risks to carrier class telephony systems. I intend to bring the audience through a short technical journey from enterprise security knowledge to prime the attendee for the security challenges and promise of carrier mobility in 5G.
The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we’ve seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed the “worst security flaw of the decade”.
Subsequent studies have determined that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that the custom code they develop is secure, usually little to no consideration is put into evaluating the security of the open-source components they use. This presentation will introduce Software Composition Analysis (SCA), the process of identifying vulnerabilities in open-source dependencies. We’ll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines.
In the session I will share insights on quantum computing overall, how it applies to Canadian business and Government, and share the work we already have underway with Quantum Safe Encryption and Satellite Communications. I will speak to those who have only heard of Quantum Computing as something to worry about in the future, while also getting into the weeds at a Quantum Mechanics level.
The talk will clarify Quantum topics including Entanglement, Wave Function Collapse, QKD and the use of Quantum Entropy to protect our data now and in the future. It will help the audience understand why QC is such a big deal to all aspects of industry, why it is taking so long for Quantum Computing to happen, where we are along the QC path and who in the world is leading the Quantum race. As part of the discussion around the World Race in QC: how Canada fits into that picture, why we can be an integral contributor and what that means for Canadian business.