Eugene Raynor

HexCon22 day 2 highlights: A quick recap

Sep 23, 2022

19 min read

The second day of HexCon22 has come to an end. With a host of incredible sessions on cybersecurity, incident response, data privacy, and more, we’ve got some great highlights lined up for you.

Read more to catch up on the talks, interviews, and discussions you may have missed at HexCon22.

Interview with Joe Tidy

Day 2 officially kicked off with Joe Tidy, BBC’s first cyber security correspondent, sharing his insights and knowledge in an interview session with Sarika Abraham, Media and Public Relations Manager at Hexnode.

Joe shared many interesting stories from his days of investigative journalism, during which he met and interviewed several well-known cybercriminals, from the notorious hacker group ‘Lizard Squad’, who took down the PlayStation and Xbox Live networks, to cybercriminals and malicious hackers from countries all around the world.

He answered questions about what it is like to make contact with these malicious actors, why they do what they do, the risks involved in meeting and interviewing them, and more.

In fact, here’s something that caught my eye.

“The one thing that almost always connects the cybercriminals and hackers, they always started off as gamers. There’s a real intersection between gaming and hacking.”

As a fellow gamer, this was certainly an eye-opener 🙂

Moving on, Joe shared his valuable insights on how to remain safe in the cyber world. He talked about:

  • The impact of cyber-attacks on full-scale wars, and how the Ukraine situation changed the perspective on cyber warfare.
  • The impact of cyber-attacks and spyware on individuals, and how manufacturers have begun including security features to offer solid protection (Apple’s Lockdown Mode).
  • What companies and/or individuals can do if they’re hit by a cyber-attack.
  • The recent trends in cyber-attacks, what kind of attacks are more popular.
  • The importance of privacy regulations in enhancing cybersecurity.

Protecting the Crown Jewels: Intellectual Property Protection 101

With over 25 years of experience as an FBI agent, and over 5 years as a corporate security executive specializing in intellectual property protection, Frank Figliuzzi talked about protecting what matters most – your company’s crown jewels.

He kicked off the session by establishing a simple but effective analogy between protecting the royal crown jewels of England, and protecting your company’s critical components.

Just as the crown jewels are protected and preserved while being put on display for the entire world, Frank explained how businesses should identify their critical business information (CBI), and understand, secure, and preserve it, even in the frenzied threat and business environment of today’s business world.

He talked about the 3 core questions executives must ask, to help build a plan, or review and adapt an existing plan into a mature model – What, where and who.

  • What is proprietary to our company, uniquely ours, that makes us what we are now, and what we plan to be in the future? What are the things we do or possess that give us our competitive advantage? What is it that most merits our protection?
  • Where is the most critical information located? Is it located digitally, physically, in the cloud, on employees’ laptops, within unrestricted shareable files and folders, in email attachments?
  • Who in your company has regular access to critical business information (CBI)? Who actually requires access to CBI? Are there any irregularities between the names on these two lists?

“If done correctly, this approach provides a laser-like focus on what really matters.”

– Frank Figliuzzi, @HexCon22

Moving on, he talked about how executives should go about answering the questions of what, where, and who.

  • Critical business information (CBI) protection is a team sport. Build your team.
  • Do your homework. Gather data on losses suffered across the industry, across components of the supply chain, losses experienced by customers, and more.
  • Start meeting one-on-one with senior thought leaders and formulate a strategy.

Incident Response War Stories

With 29 years of experience in cybersecurity, information technology (IT) operations, audit & risk management, and incident response and investigations, Mike Saylor, CEO and Executive Leader at Black Swan Cyber Security, LLC, covered crucial aspects of incident response strategies, including:

  • Responding to a breach, and what incident response is all about.
  • Legal considerations, and considerations from a breach coach.
  • Opinions on insurance claims and risk reduction.
  • Some of his incident response war stories.

Mike began the session by comparing a data breach to a typical train wreck.

[Image: Comparing a data breach to a typical train wreck]

He talked about what it takes to prepare for a cyber incident, and the difference in response time to a breach between an organization that is prepared and one that is not.

To be prepared, businesses must:

  • Have an incident response plan
  • Have identified subject matter experts
  • Have an inventory of all your assets and what it takes to run your organization
  • Have backups of how things are configured
  • Continuously monitor your environment
  • Have proper alerting mechanisms in place

Moving on, Mike showed a basic timeline of ransomware response activities businesses should follow depending on how much time has elapsed, from hour 1, through 12 – 72 hours, to 1 – 48 months.

He provided an in-depth checklist for companies to be prepared with an incident response plan, including questions like:

  • Have you collectively brainstormed to think about your greatest cyber risks?
  • How are incidents reported?
  • Do you have easy access to contact information for appropriate personnel?
  • Do you have relationships already established with necessary third-parties?
  • Have you conducted tabletop exercises to test your preparedness?

Mike gave detailed instructions on how to perform a tabletop exercise, laying out all the steps involved.

Planning and designing:

  • Define ground rules
  • Identify high risk threats and significant risks
  • Review existing controls and procedures

Training day:

  • Conduct the exercise
  • Establish a moderator and scribe
  • Reiterate ground rules
  • Present the threat
  • Walk through response activities

Remediation:

  • Post exercise planning
  • Review exercise notes and capture all opportunities for improvement

Mike concluded the session by talking about his war stories, where he assisted a variety of public and privately-held companies, as well as government, not-for-profit and educational institutions, and gave recommendations for being more effective in their incident response capabilities.

Make cyber not cyber

With nearly 40 years of experience working in all aspects of computer, network, and information security, Jeffery Mann, Information Security Consultant at Online Business Systems, shared his insights on what used to be known as information security and is now referred to as cybersecurity.

Jeff began the session by reflecting on the first lesson he learned in data security, during his tenure as an intern at a DoD research facility – the importance of layered security in data protection.

He talked about the differences and similarities between cyber security and information security.

Jeff says that when it comes to protecting data, the process splits into three categories – Confidentiality, Integrity, and Availability – the CIA triad.

He moved on to give a deliberately simplified depiction of how to calculate risk, which he calls ‘the risk equation’, with the overall goal being to reduce the risk that a business is exposed to.

The risk equation: risk = vulnerabilities + threats – countermeasures

Where,

  • Risk is a possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability
  • Vulnerability is a weakness in an information system, security procedures, internal controls, or implementation that could be exploited
  • Threat is any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
  • Countermeasure is an action, device, procedure, technique, or other measure that reduces vulnerability of an information system.

Moving on, he talked about the 3 elements of information security – People, processes, and technology.

However, Jeff says,

“If you don’t have some sort of understanding on why you’re doing, what the purpose is, you’re gonna spend a lot of needless time and money, and may miss the point of securing your environment.”

With that, Jeff brings up a fourth ‘new’ element of information security: the ‘Purpose’. He moves on to explain how and where these elements fit into the risk equation, and introduces the ‘risk-based security model’, which fits a more commercial context by weighting the equation by the value of the data at stake.

Risk-based security model: risk = (vulnerabilities + threats – countermeasures) * value of data

Securing the Digital Beachhead: The Myth of Cybersecurity Compliance

Mike Crandall, founder and CEO at Digital Beachhead, talked about the relations and interdependencies between security and compliance, and how companies can bridge the gap between the two.

Mike kicked off the session by giving a brief definition of cybersecurity. He introduced the different definitions associated with cybersecurity, and talked about the ‘myths’ of cybersecurity and compliance.

He talked about the differences between compliance and security:

  • Security is the practice of implementing effective policies, processes, and technical controls, to protect company assets.
  • Compliance involves applying regulatory standards to meet contractual or third-party regulatory requirements.

Moving on, Mike offered real-world examples of compliance ‘fails’, including some of which he encountered during his time at Digital Beachhead.

He talked about how compliance can be expensive to maintain, and stressed the importance of focusing on ‘reliable’ security mechanisms to meet compliance requirements.

Mike reiterates how compliance does not always guarantee security, and that as cyber professionals, executives must focus on enforcing and maintaining cybersecurity, and go beyond simply meeting regulatory compliance requirements.

Mike moved on to talk about how cyber risk management is an ever-evolving cycle with no end goal, and with it comes the need to constantly evolve and change with the risks that pop up.

“Knowing what risks are still out there, and deciding on what risks you’re willing to accept is a key part of cyber risk management.”

– Mike Crandall @HexCon22

Saving the Internet with Zero Trust

Tina Gravel, CEO of Pinecone Hill, LLC, talked about the importance of Zero Trust in cyber security, and elaborated on practical ideas around what public and private firms can do to protect themselves by implementing Zero Trust.

Tina began the session by talking about how the cloud, SaaS adoption, and distributed computing on the public internet have led to increased threats, including intrusion, fraud, ransomware, phishing, and viruses.

In such a scenario, the workplace perimeter is no longer static. Rather, it is dynamic. Moreover, exponential data growth has led to increased privacy requirements.

[Image: Some cyber crime statistics]

Tina talks about the history and definition of Zero-Trust, and how it is not simply one single software or product.

“Zero-Trust is a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted.”

She moves on to talk about the NIST framework for a successful zero-trust strategy, and how to navigate through the complexity and noise of zero-trust. Tina talks about the need for zero-trust and provides valuable insights and resources to help organizations put a zero-trust strategy in place.

How Safe are you Online?

Ben Owen, Co-Director of Fortalice Solutions, talked about the rise in social engineering attacks targeting individuals and businesses, and the tools used by social engineers to target individuals.

Ben showcased a live case study to show us how social engineers scrape the personal data of individuals. He talked about the kind of information these attackers look for, including:

  • Email addresses and passwords
  • Phone numbers
  • Physical addresses and personal information

The end goal of these attackers? – To use social engineering to scrape out personal data and create a believable attack strategy to target individuals.

Ben showcased some of the tools used by these social engineers, including:

  • Geolocation data scraping tool that scrapes out information on the locations obtained from posts on social media.
  • Tools that scrape out personal information including email address and contact details from social media profiles
  • Tools that offer the passwords and emails addresses of breached individuals
  • Network identification tool used to find the MAC address of unprotected WiFi networks.
  • Facial recognition tools used to identify individuals using their pictures.

Modernizing the Security Goals: “CIA” is half the story (or less)

Many organizations are facing cybersecurity concerns as they strive to speed up their digital transformation. Cyber security and GRC Architect Brett Osborne explained the need to modernize the security goals to keep up with this transformation. He kicked off the session by explaining the traditional security goals.

  • Confidentiality: Confidentiality is all about preserving authorized restrictions on information access and disclosure. This largely concerns intellectual property, which encompasses copyrighted or patented content. Controlled distribution of data, either within the company or exclusively to certain parties, is another part of it.
  • Integrity: In terms of the security objectives, Integrity is defined as guarding against improper information modification or destruction. This is achieved by cryptography, which uses functions such as hashes and digests. He also advised organizations to always get help from experts when designing cryptographic functions.
  • Availability: As the term suggests, it means ensuring access to information. Cloud services inherently offer near-100% availability and high resilience.

Although these are the fundamental objectives, they don’t touch all domains of cybersecurity. Brett proposed three more security goals to further strengthen the security infrastructure.

  • Functional: This contrasts with “available,” which only refers to information being accessible. Being functional means that the information is usable to achieve a specific purpose.
  • Bonafide-Authentic: Being genuine and being able to be verified and trusted are the major elements of this objective. Technologies such as public-private keys and digital signatures are examples of ensuring authenticity.
  • Individuals’ Privacy, aka Right to Anonymity: Privacy is the protection of persons from identification. Disclosure of Personally Identifiable Information or PII can cause a person to be identified, which is a significant threat for organizations.

Brett concluded the session by mentioning that security objectives need to be updated as data security is always evolving.

Panel Session: DevSecOps

Is security something that can be left isolated to a specific team in the final stages of development? Or should it be integrated as a shared responsibility throughout the entire IT lifecycle? Cybersecurity experts Sam Sehgal, Chris Kirschke, and Kapil Bareja talked about the need to integrate security into the “Software Development Lifecycle” in the panel discussion with Amith Manoj, the Lead Brand Strategist at Hexnode.

The session began with the experts talking about the important security considerations for a DevOps team. According to Chris Kirschke, security is to be integrated into DevOps to speed up delivery without compromising security. This is essential to reduce risks in the lifecycle.

“You can’t have security for DevOps until you have a DevOps for security.”

-Kapil Bareja, @HexCon22

Sam Sehgal explained that security belongs in every stage of the software development lifecycle, from requirements through to deployment. The cost of fixing a security bug will always be lower in the early stages.

The session ended by addressing the biggest challenges teams face while adopting DevSecOps. According to Kapil, the abundance of security tools available today makes it difficult for organizations to decide on the most suitable one for their organization. Sam added that it is essential to have proper instrumentation to periodically track the success or failure rates of the security policies.

Understanding “Human Side” of Cybersecurity

Making mistakes is an essential aspect of the human experience; it is how we learn and evolve. However, human error is far too often neglected in cyber security. Christopher Crummey, Director of Executive and Board Cyber Services at Sygnia, talked about the human factor of cybersecurity through real cybersecurity breaches from previous decades. He also mentioned the steps taken by mature companies to mitigate human error.

Christopher began the session by talking about the typical causes of data breaches, including:

  • Shadow IT
  • Cloud & API misconfiguration
  • Phishing attacks
  • Malicious Insider
  • Business Email Compromise
  • Social Engineering

He went on to point out that all these cyberattack vectors have a human element beneath them. He then explained how threat actors use the concept called “perception blindness” to get what they want from the employees.

[Image: Perception Blindness]

This concept uses creative ways of catching people off guard. The threat actors also leverage human emotions such as fear, greed, curiosity, and urgency to distract their targets.

Mature companies have come up with strategies to reduce the risk of security breaches, which include:

  • Periodic training programs to create awareness among the employees about potential cyber-attacks.
  • Establishing policies and behaviors which reduce the risk of data breaches (for instance, using file sharing platforms instead of USB drives)
  • Having runbooks that allow employees to start crisis response quickly.

Chris concluded the session by addressing the importance of being prepared with an effective communication and collaboration strategy in the event of a security breach.

Smart Devices & IoT is a threat to compliance and digital transformation!

IT admins often find it difficult to keep track of IoT devices. These devices can remain in the field for many years, often indefinitely. Hence, setting clear compliance standards for these devices is crucial to achieving consistent security. Zhanwei Chan, IoT Lead at Check Point Software Technologies Ltd, explained how global organizations are securing their OT, IoT, and unmanaged devices.

Zhanwei Chan started by saying that IoT devices are involved in many sectors, such as:

  • Utilities
  • Manufacturing
  • Healthcare
  • Smart cities
  • Building automation
  • Smart offices
  • Unmanaged devices

There have been numerous cyber threats in the past affecting non-IT organizations as well. Some of them involve Honda, Loop, Polycom, and KNX. This makes it evident that you can’t use traditional cybersecurity as it is. You need specialized technology, and it needs to be thought through very carefully.

The root causes for these threats can be summarized as:

  • An agent cannot be installed on the device
  • The device is installed on a separate network
  • The device cannot be scanned
  • The device cannot be upgraded or patched

The solution to all these threats starts with generating visibility for these devices. This includes discovering the device and identifying its connection profile. Then comes the step of enforcing network segmentation and virtual patching.

Zhanwei Chan concluded the session by mentioning that the first step in making sure your IoT devices are compliant is to identify them.

“You can’t protect what you can’t see”

Privacy and Security as a part of the agenda

Environmental, Social, Governance (ESG) criteria are widely used by investors to assess the social responsibility efforts of companies. This framework is designed to be integrated into an organization’s strategy to enhance the enterprise’s value. Dr. Valerie Lyons, COO of BH Consulting, talked about why companies should entrench privacy alongside the ESG criteria.

ESG simply means using Environmental, Social, and Governance factors to evaluate how advanced companies are in terms of sustainability. It focuses on qualifying and quantifying a company’s impact on the environment and the controls it has in place to ensure ethical operations.

Some of the policies that are included in each of these criteria are:

Environment

  • Publishes a sustainability report
  • Uses renewable energy sources
  • Limits harmful pollutants

Social

  • Operates an ethical supply chain
  • Policies against sexual misconduct
  • Pays fair wages

Governance

  • Embraces diversity on board of directors
  • Embraces corporate transparency

The objective of Privacy as an ESG or ES(p)G is to gain market advantage by focusing on privacy initiatives that align with customer values. Organizations undertaking this program understand the profile of their customers and the factors that lead to trust.

The three key ESG strategies for privacy include:

  • Privacy as a social responsibility
  • Privacy as a political responsibility
  • Privacy as a socio-political responsibility

5 Recommendations to Secure Identities

What is cloud identity and access management? How can we prevent our cloud identities from being compromised? Dwayne Natwick, Senior Product Manager at Cloudreach, answered these questions through his five recommendations for securing cloud identities.

In simpler terms, cloud identity and access management enables the right individuals to access the right resources at the right time. Identity providers such as Google and Microsoft control the permissions and access for users.

[Image: Cloud Identity and Access Management]

Dwayne Natwick also put forward five recommendations to secure cloud identities.

  • Zero Trust: As the name suggests, it requires the user to continuously verify his/her identity. The evolution of this identity verification was also discussed.
  • Least Privilege: This gives users access to only the privileges they actually need. It is achieved in two ways: just-in-time access and just-enough access.
  • Device Management: Device management can be realized by various tools such as Mobile Device Management (MDM), Advanced Threat Protection, and OS Encryption.
  • Conditional Access and Risk Identification: This utilizes technologies such as machine learning and artificial intelligence to identify whether or not the user is at risk. The risk identification part looks for user risk or sign-in risk, which can stem from a malicious location or an anonymous IP.
  • User Experience: This involves utilizing techniques such as Multi-Factor Authentication (MFA) in a way that is easier for the users to adopt.

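To make the last three recommendations concrete, here is an added worked example (my own illustration, not the speaker’s material and not the API of any identity provider): a toy conditional-access evaluator that combines the sign-in risk signals named in the talk (anonymous IP, unfamiliar location), device compliance from MDM, MFA step-up, and least privilege via just-in-time role grants. Every user, country, role and time window in it is constructed for illustration.

```python
"""Toy conditional-access evaluator illustrating zero trust, least privilege
(just-in-time / just-enough access) and risk-based sign-in decisions.
Added example; not vendor code. All policy thresholds, users and sign-ins
below are constructed for illustration."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: let the user through only after MFA
    BLOCK = "block"


@dataclass
class SignIn:
    user: str
    country: str
    anonymous_ip: bool       # sign-in came via an anonymising proxy (constructed signal)
    device_compliant: bool   # device is enrolled in MDM and passes its compliance policy
    mfa_completed: bool
    requested_role: str
    at: datetime


@dataclass
class UserProfile:
    usual_countries: set
    standing_roles: set                              # permanently held (just-enough) roles
    jit_grants: dict = field(default_factory=dict)   # role -> expiry (just-in-time access)


def sign_in_risk(s, profile):
    """Risk identification on the two signals the talk names: anonymous IP and
    a location the user has never signed in from. Returns low/medium/high."""
    if s.anonymous_ip:
        return "high"
    if s.country not in profile.usual_countries:
        return "medium"
    return "low"


def grant_jit(profile, role, now, minutes):
    """Just-in-time elevation: the role is usable only until the window closes."""
    profile.jit_grants[role] = now + timedelta(minutes=minutes)


def role_is_active(profile, role, now):
    """Least privilege: a role is usable if it is standing or under an unexpired JIT grant."""
    if role in profile.standing_roles:
        return True
    expiry = profile.jit_grants.get(role)
    return expiry is not None and now < expiry


def evaluate(s, profile):
    """Conditional access: every sign-in is verified (zero trust); risk,
    device state and MFA then decide between allow, step-up and block."""
    if not role_is_active(profile, s.requested_role, s.at):
        return Decision.BLOCK                       # no active grant for the role
    risk = sign_in_risk(s, profile)
    if risk == "high":
        return Decision.BLOCK                       # anonymous IP: never allow
    if risk == "medium" or not s.device_compliant:
        return Decision.ALLOW if s.mfa_completed else Decision.REQUIRE_MFA
    return Decision.ALLOW


NOW = datetime(2022, 9, 23, 10, 0, tzinfo=timezone.utc)   # constructed reference time


def run_scenarios():
    """Constructed sign-ins for one user; returns {label: decision string}."""
    alice = UserProfile(usual_countries={"US"}, standing_roles={"reader"})
    grant_jit(alice, "admin", NOW, minutes=30)      # 30-minute admin window
    cases = {
        "usual_country_compliant":    SignIn("alice", "US", False, True,  False, "reader", NOW),
        "new_country_no_mfa":         SignIn("alice", "FR", False, True,  False, "reader", NOW),
        "new_country_with_mfa":       SignIn("alice", "FR", False, True,  True,  "reader", NOW),
        "unmanaged_device_no_mfa":    SignIn("alice", "US", False, False, False, "reader", NOW),
        "anonymous_ip_even_with_mfa": SignIn("alice", "US", True,  True,  True,  "reader", NOW),
        "admin_inside_jit_window":    SignIn("alice", "US", False, True,  True,  "admin",
                                             NOW + timedelta(minutes=10)),
        "admin_after_jit_expiry":     SignIn("alice", "US", False, True,  True,  "admin",
                                             NOW + timedelta(minutes=40)),
    }
    return {label: evaluate(s, alice).value for label, s in cases.items()}


if __name__ == "__main__":
    for label, decision in run_scenarios().items():
        print(f"{label:28} -> {decision}")
```

The ordering of checks is the point: the role check runs first so that an expired just-in-time grant is refused regardless of how clean the sign-in looks, and an anonymous IP blocks outright even when MFA has already been completed, because a completed MFA from an anonymising network is exactly the case an attacker with stolen credentials and a phished code would present.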
Lastly, Dwayne concluded the session by stating that implementing these elements and not affecting the user experience comes down to planning the communication. A proper communication plan where all the elements work together will ensure a secure identity infrastructure across cloud applications.

Can you ever be ready for a breach?

Sharon Knowles, Founder of Da Vinci CyberSecurity, took a look at data breach response measures from a different perspective. She states that effective leadership is just as important as appropriate technical remedial measures in making sure your organization comes out of a data breach unscathed.

Sharon started the session by taking us through an interesting thought experiment: “If you discovered right now that your organization has a data breach, would you know what to do?” Companies adopt different response plans of action in the event of a cyber-attack. Sharon talked about three essential steps that the management should take to mitigate the risks.

The first step would be to make sure that the person who is responsible for initiating the response measures has a well-rehearsed and effective cyber resilience plan. There should be proper classification of cyber security incidents. This is essential in making sure incidents are handled correctly with appropriate measures.

Another major role of management is to understand what people need from management and to respond to it. Staying focused on external communications and providing a timely response is critical.

Well, that’s it for Day 2. All the insightful sessions, interviews, and discussions made for an exciting day no doubt.

Stay tuned for Day 3 where there’ll be more exciting sessions in store!

Eugene Raynor

Seeking what's there lurking over the horizon.