SlideShare una empresa de Scribd logo

Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray) - February 2019

Kimberley Dray
Kimberley Dray

Held February 2019 Annual Privacy and Security Conference Workshop re: Cybersecurity, Ethics and Careers Presentation Schedule: https://psv20th.sched.com/event/Jrtl/you-are-the-alpha-and-omega-of-a-secure-future-explore-understand-and-practice-your-role-in-advancing-a-positive-cybersecurity

Internet
1 de 55
OCIO ES YOU are the Alpha and Omega of a secure future: Explore, understand and practice your role in advancing a positive cybersecurity. 2019
Welcome to the workshop an opportunity to explore together the weakest link of cybersecurity • PEOPLE
Alena Kottova, M.A., M.Sc., Ph.D. • Sessional Professor • Faculty of Engineering, University of Victoria
 • Faculty of Social Sciences, Department of Philosophy • akottova@uvic.ca • Sessional Professor • Faculty of Computing Science, • Vancouver Island University • alena.kottova@viu.ca
Kimberley Dray B.Ed. CISM CISSP GSEC • Sr. Information Security Analyst /Cybersecurity Professional • 20 years in the information technology and education sectors • Multiple information security certifications • Recent: CISSP (ISC2), CCSP (ISC2), CISM (ISACA). GIAC-GSEC (SANS) • Old: MSCA, MCP, SCNP (SCP) and Linux + • Bachelors of Education, Diploma in Information Technology, Diploma in Certified Network Security Analyst, Criminology Certificate • ISACA Victoria Chapter Communications Director
Workshop overview • Introductions & expectations • The Landscape: what it is & what do we want it to be? • Help from Ethics: How do we find out what decision is good in particular situation? • Practical decision making: simple tool to explore • Ethics vs law: understanding Privacy vs. Anonymity • BREAK
Workshop Overview • White, Black and Grey Hats • Social Engineering 101 – in the shoes of a hacker • Organizational view: Blue, Purple and Red teams • Cybersecurity professional • Closing discussion • Feedback • Good Byes
Working together • We want to target situations relevant to YOU • Explore & discuss openly and honestly • Take a positive view of cybersecurity in our lives • Create new micro-habits that we do not need to think about – like playing with juggling balls - try and practice
Work and PLAY • Play is an extremely important part of learning and adaptation • Helps to explore, create and learn new meanings (Vygotsky) • creates a unique space that feels safe and encourages risk taking • elements of playfulness: fun, spontaneity, relationship and connection, silliness or goofiness, creativity and imagination. • proven to help to gain the self-confidence required to engage in new experiences and environments. • positive affect such as fun, enjoyment, and laughter
Playfulness in Cybersecurity • cybersecurity landscape shifts every year • booming, immature industry • serious shortfall of skilled graduates • focus on developing individuals’ cybersecurity knowledge • talent is put on the front line as quickly as possible • WITH CARE and SUPPORT • “Fake it till you make it” attitude forces you to “play” the role and therefore adopt the meanings and attitudes required by the field
Lets test our playfulness • Turn to your partner, say hi, tell them your name • Take a sheet of paper and pencil and get ready: • You have 60 sec to draw/sketch a portrait of your colleague • START • FININSH
Introductions • Answer the questions on your worksheet (cc 3 min) • Fold the plane • Get ready to fly … • Collect one random plane • Read the answers • Discuss in group - combine results into 3 concerns (5 min) • present to the class
Landscape • Every company is a software company … technology company • Every person is connected, often using a variety of computerized tools • Every household is full of computerized tools • And all is changing constantly and with increased speed! • CYBERSECURITY IS A PROCESS NOT A PRODUCT (Bruce Schneier)
• Most software is poorly written and insecure • Internet was never designed with security in mind • Extensibility of computers means everything can be used against us • The complexity of computerized systems means attack is easier than defense • There are new vulnerabilities in the interconnections • Computers tend to fail in many different ways • Attacks always get better, easier, and faster (Bruce Schneier, Click here to kill Everybody)
ENISA 2018 • Mail & Phishing Messages became the primary malware infection vector • Spear phishing & whaling is on the rise • Trends in malicious attachments • 80-98% of attacks could be prevented
ENISA 2018 - trends • Mail and phishing messages have become the primary malware infection vector. • Web based attacks continue to be observed as one of the most important threats due to their wide spread surface across the threat landscape • Cryptominers have become an important monetization vector for cyber-criminals. • State-sponsored agents increasingly target banks by using attack- vectors utilised in cyber-crime. • Exploit Kits have lost their importance in the cyberthreat landscape.
ENISA 2018 • Skill and capability building are the main focus of defenders. • Public organizations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents. • The technical orientation of most cyberthreat intelligence produced is considered an obstacle towards awareness raising at the level of security and executive management. • Cyberthreat intelligence needs to respond to increasingly automated attacks. • The emergence of IoT environments will remain a concern due to missing protection mechanisms. • The absence of cyberthreat intelligence solutions for low- capability organisations/end-users needs to be addressed by vendors and governments.
• These trends are influenced the way we build and use the technological tools. • Need for user awareness – “cybersecurity with human face” • Companies have tendency to limit use or track behavior – craze for data & data driven decisions • BUT • Careful review and in-depth though about the implications of these decisions are needed • How do we know what is good or evil in particular situation?
Help from Ethics • Ethics is not about making a list of good and bad acts,

 • …. it’s about creating a method • to evaluate each decision and each act from an ethical perspective. • It needs to become a part of thinking, part of system design
Ethical thinking • Every digital use decision is a decision made on behalf of the users. • our decisions impact the person on the other end of the conversation. • With every decision, we have the shared opportunity and responsibility to think about the ethics of the decisions, • not just as a high flying ideal of “doing no harm” or doing the right thing, but as a fundamental part of our everyday process. • allows understanding of the benefits & therefore the value to “customers” as well as to “adversaries”
Ethics vs Morals • Morals are the social, cultural and religious beliefs or values of an individual or group • tells us what is right or wrong, what is acceptable behaviour and what is considered deviant behaviour. • These are rules and standards made by the society or culture which is to be followed by us to be accepted by the society.
Ethics vs Morals • Ethics is a branch of philosophy, a theoretical subject • it deals with the principles of conduct of an individual or group. • works as a guiding principle as to decide what is good or bad. • They are the standards which govern the life of a person (regardless of society). • these standards are explored in depth by philosophy; Ethics as moral philosophy.
Ethics vs Morals
Normative Ethics • Examines standards for the rightness and wrongness of actions • Three main approaches: • Consequentialism • Deontology • Virtue ethics (ethics of character)
Capability • Capability Approach: • What world are you building for the end-user? • What capabilities are you granting or enabling? • What limitations are you imposing? • What dangers you mitigate and/or enliven
Virtue • Virtue Ethics: • What type of person do you become in the process? • What type of person you force the customer/user to become? • What virtue (good thing) you protect/establish? • Whose virtue you protect/establish?
Deontology • Deontology: • What norms and expectations are you establishing? • What duties you are upholding? • How are you implementing your duties of care?
Consequentialism • Consequentialism: • What are the consequences of your decision? • Do they improve the common good of those affected? • Who (or how many) will benefit from the consequences? • Who (or how many) might suffer by the consequences?
Lets try this • Use the worksheet • Select a question & imagine a scenario around that question. • In groups discuss the four pillars, note FOR & AGAINST • Come to decision • Note the support to the decision within your team
Privacy versus Anonymity What is the difference between having privacy and being anonymous? What does it mean to have privacy? What does it mean to be anonymous? General personal safety and best practices with respect to our digital use and footprint VPNs: Are they secure and what can they do for you? Anonymity options: TOR , Darknet exploration, other tools & considerations
Privacy and Anonymity • Focal Point is your IP and geo location • Regular usage - saved passwords, links, bookmarks, recent files, Internet history details, etc. Ease of use. ☺ • Browsers in private or incognito mode • Local Network proxying and filtering - monitoring and logging • Internet Service Provider • Not very effective if hey have access to your laptop or your router logs and they want to check out your activities; • Use private mode and some clean-up plugins and possibly add a VPN client
Privacy • Options: • Virtual Private Networks (VPNs) • Anonymizing Services i.e. TOR
Virtual Private Networks (VPNs) • Acquire a different IP address as your destination • Most, if secure and transparent are not free. @$10/month • Login just like any other application with username and passwords. Few minutes to setup. • VPN will provide you with privacy, but not necessarily anonymity • VPN Service Provider knows your real IP • Offers privacy, not anonymity
The layers of our cyberspace / the Internet • Clear net /Surface Net Regular indexed and searchable internet/web; No Login • Deep Web /Dark Web? Non-public internet resources requiring login or subscription only services • Dark Web /Dark Web Can only access via TOR
Anonymity Tools: The TOR Browser and the Dark Net • Comes configured with Firefox with default privacy, anti-tracking plugins (i.e. https everywhere, noscript) • Several applications can expose your IP ie. Javascript, Torrents • Tor Onion websites – hidden – access only from Tor network • Site owner and visitors cannot be traced • “hidden service protocol” via “onion routing”
TOR Network Who’s Using it? Free speech enthusiasts Cybersecurity Professionals Government Officials Good law-sab ing dissident Journalists Oppressed People Policing and legal professionals What can you find there? How to obtain illegal drugs Warez operations Virus creation Anonymous use of bitcoins, Illegal pornography Hacked PayPal accounts How to hire contract killers Sites to expose human rights abuse, political corruption, and government /politician scandals. Deep Web It is what these Deep Web resources and services are eventually used for that define their ethics.
Social Engineering 101 • YOU ARE THE TARGET! • Based on the trends • Phishing attacks became more targeted. • Shift from consumer to enterprise targets. • Steady growth in mobile phishing attacks. • Rapid increase in phishing sites using HTTPS • The problem of Business Email Compromise (BEC or whaling) • Spearphishing is the de facto delivery method for APT groups. • Trends in malicious attachments.
White, grey and black hatters • Not new terms. • Black hats • Grey Hats • White Hats • Sub type that can fall into any of the above categories: • Script kiddies • Hacktivists
Blue, purple and red teams – Corporate view • Red Team • Purple Team – temporary engagement? • Blue Team • Ideally red and blue work in harmony. No need for purple • Goals shared between them: improve the security posture of the organization
Your Value as Target • People often do not realize what value they have for an attacker • We have hard time imagining the complex web of connections and interactions we participate in • The complexity muddles our view of the possible connections points • But the data available about you, your connections, your friends and family and their connections to friends and family and organizations et cetera … provide the opportunities for an attacker
Draft your value • Check the worksheet • fill in the possible connections • How many companies do you – theoretically – provide access to?
Context • Social context and news provide opportunities for an attacker • Check the news worksheet • What kind of messages you may get in your e-mail tempting you to click (and kill everybody)
Let’s see this in action • https://phishingquiz.withgoogle.com/
The Cybersecurity Profession • Organizational Size, Industry and Maturity Level • Job Roles and Responsibilities • Threats and What Keeps Us Up At Night • How do we stay current or keep up? • What are we/YOU doing about the so-called cybersecurity skills gap?
Certifications and Training • Cybersecurity Certifications • ISC2 CISSP • ISACA CISM • ISC2 CCSP • GIAC-GSEC – SANS • Websites: CodeAcademy • Soft Skill development: Debate clubs, Toastmasters, Lunch and Learns, other public speaking opportunities • Certification body official courseware: SANS, ISC2, ISACA, • Cybrary.it • Udemy • LinkedIn Learning • Local Meetup groups: Coding, Dev, Hack, etc.
What does a cyber professional do? Types of tasks and activities • Proactive Threat Prevention and Monitoring • Phishing Mitigation and Response • Data Loss Prevention Monitoring • Anti-virus Administration, Management and Response • Security Consults, Vulnerability and Risk Assessments and Reviews Tools and processes - Syslog Querying – bash / grep etc. - Data Analysis, Aggregation and Correlation (Log Monitoring and Analysis) - Host and Network Vulnerability Testing ie. Nessus, Wireshark - Web Application Testing ie. Burpsuite, Acunetix, OWASP Zap Proxy - SIEM Security Information and Event Management Risk assessment, prevention and response
How do we stay current and keep up? • Lifelong Learners • Professional Mailing lists and security intelligence sharing • Home Labs • Local Meetups • Online courses • Conferences, webinars, workshops
We are our own enemies! The So-Called Skills GAP
The so-called Skills Gap • Imposter Syndrome • Certifications or NOT • Entry level options /Certs? • Computer Science/Math backgrounds vs. Arts and Business • Women in IT, Tech, Science and/or Cybersecurity Initiatives • Technology, Coding and Cybersecurity Skills for K-12 • Our existing IT teams are doing security. You are doing security. • We are all doing security and where there are gaps we seek training, knowledge sharing, and job shadowing opportunities.
Closing • Please fill in the feedback card for us • Feel free to contact us with questions, suggestions or stories. • THANK YOU
Call to Action • Consider your present digital usage and interactions: • Review all of your email and social media accounts, check privacy settings and clean them up. Great resource: https://www.lockdownyourlogin.org/ • Get a Password Manager • Ensure there’s no Password Reuse • Use Two factor or Multifactor whenever it is offered • Don’t save passwords in your browsers or on websites • Only visit sites that use HTTPS but don’t assume they are safe sites. ☺ • Use privacy plugins to prevent tracking and stop scripts from running • Research and consider use of a reliable virtual private network (VPN) client • Consider trying Tor only after you have investigated and explored safe ways to navigate
Resources and References • Electronic Frontier Federation (EFF): https://www.eff.org/ • Tor Project: https://www.torproject.org/ (Tor Browser and the Onion Project) • “Tor and the Deep Web: bitcoin, darknet and cryptocurrency in 2017-2018”, by Lance Henderson • “The Dark Web” – Geoff White and Bernard P. Achampong • Dark Net – isn’t what you think. Key to your privacy – Alex Winter (Bill & Ted) –https://www.youtube.com/watch?v=luvthTjC0OI • Have I Been Pwned: https://haveibeenpwned.com • How Secure Is Your Password: https://howsecureismypassword.net/ • Shining a Light on the Encryption Debate (L. Gill, T. Israel, C. Parsons): https://citizenlab.ca/2018/05/shining-light-on-encryption-debate-canadian- field-guide/ • VPN Comparison Chart: https://thatoneprivacysite.net/vpn-comparison- chart/
Cont. • Bruce Schneier: Click here to kill everybody. • Morten Rand-Hendriksen: Using Ethics In Web Design • ENISA 2018 • Canadian Cybersecurity 2018 • A. Kottova: Course in Cybersecurity Ethics • https://phishingquiz.withgoogle.com/

Recomendados

Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...ITCamp
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about securityAlison Gianotto
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Michele Chubirka
 

Recomendados

Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Password and Account Management Strategies - April 2019
Password and Account Management Strategies - April 2019Kimberley Dray
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...ITCamp
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about securityAlison Gianotto
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Digital Defense for Activists (and the rest of us)
Digital Defense for Activists (and the rest of us)Michele Chubirka
 
Cyberwar - Is India Ready
Cyberwar - Is India ReadyCyberwar - Is India Ready
Cyberwar - Is India ReadyDinesh O Bareja
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaDinesh O Bareja
 
Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Kim Jensen
 
Introduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeIntroduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeMelbourne IT
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingUmang Patel
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemskhalavak
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
NATO Cyber Security Conference: Creating IT-Security Start-Ups
NATO Cyber Security Conference: Creating IT-Security Start-UpsNATO Cyber Security Conference: Creating IT-Security Start-Ups
NATO Cyber Security Conference: Creating IT-Security Start-UpsBenjamin Rohé
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Sean Whalen
 
Lofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionLofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionSean Whalen
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
Talks submitted
Talks submittedTalks submitted
Talks submittedKim Minh
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Personal Digital Hygiene
Personal Digital HygienePersonal Digital Hygiene
Personal Digital HygieneLars Hilse Global Thought Leader in #CyberSecurity, #CyberTerrorism, #CyberDefence, #CyberCrime
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)Network Intelligence India
 
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...Selman Bozkır
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Andris Soroka
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Marco Morana
 
Bright talk intrusion prevention are we joking - henshaw july 2010 a
Bright talk intrusion prevention are we joking - henshaw july 2010 aBright talk intrusion prevention are we joking - henshaw july 2010 a
Bright talk intrusion prevention are we joking - henshaw july 2010 aMark Henshaw
 
How big is your shadow?
How big is your shadow?How big is your shadow?
How big is your shadow?digital_shadows
 
Community IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators
 
Creating A Diverse CyberSecurity Program
Creating A Diverse CyberSecurity ProgramCreating A Diverse CyberSecurity Program
Creating A Diverse CyberSecurity ProgramTyrone Grandison
 

Más contenido relacionado

La actualidad más candente

Cyberwar - Is India Ready
Cyberwar - Is India ReadyCyberwar - Is India Ready
Cyberwar - Is India ReadyDinesh O Bareja
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaDinesh O Bareja
 
Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Kim Jensen
 
Introduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeIntroduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeMelbourne IT
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemskhalavak
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
NATO Cyber Security Conference: Creating IT-Security Start-Ups
NATO Cyber Security Conference: Creating IT-Security Start-UpsNATO Cyber Security Conference: Creating IT-Security Start-Ups
NATO Cyber Security Conference: Creating IT-Security Start-UpsBenjamin Rohé
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Sean Whalen
 
Lofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionLofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionSean Whalen
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for ActivistsGreg Stromire
 
Talks submitted
Talks submittedTalks submitted
Talks submittedKim Minh
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...Selman Bozkır
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Andris Soroka
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Marco Morana
 
Bright talk intrusion prevention are we joking - henshaw july 2010 a
Bright talk intrusion prevention are we joking - henshaw july 2010 aBright talk intrusion prevention are we joking - henshaw july 2010 a
Bright talk intrusion prevention are we joking - henshaw july 2010 aMark Henshaw
 

La actualidad más candente (20)

Cyberwar - Is India Ready
Cyberwar - Is India ReadyCyberwar - Is India Ready
Cyberwar - Is India Ready
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
 
Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011
 
Introduction to the Current Threat Landscape
Introduction to the Current Threat LandscapeIntroduction to the Current Threat Landscape
Introduction to the Current Threat Landscape
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systemsHacking the Company : Risks with carbon-based lifeforms using vulnerable systems
Hacking the Company : Risks with carbon-based lifeforms using vulnerable systems
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
 
NATO Cyber Security Conference: Creating IT-Security Start-Ups
NATO Cyber Security Conference: Creating IT-Security Start-UpsNATO Cyber Security Conference: Creating IT-Security Start-Ups
NATO Cyber Security Conference: Creating IT-Security Start-Ups
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
 
Lofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionLofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and Encryption
 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
 
Talks submitted
Talks submittedTalks submitted
Talks submitted
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Personal Digital Hygiene
Personal Digital HygienePersonal Digital Hygiene
Personal Digital Hygiene
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...
Phishing Attacks: Trends, Detection Systems and Computer Vision as a Promisin...
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
Bright talk intrusion prevention are we joking - henshaw july 2010 a
Bright talk intrusion prevention are we joking - henshaw july 2010 aBright talk intrusion prevention are we joking - henshaw july 2010 a
Bright talk intrusion prevention are we joking - henshaw july 2010 a
 
How big is your shadow?
How big is your shadow?How big is your shadow?
How big is your shadow?
 

Similar a Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray) - February 2019

Community IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators
 
Creating A Diverse CyberSecurity Program
Creating A Diverse CyberSecurity ProgramCreating A Diverse CyberSecurity Program
Creating A Diverse CyberSecurity ProgramTyrone Grandison
 
HDI Capital Area Slides August 17, 2018
HDI Capital Area Slides August 17, 2018HDI Capital Area Slides August 17, 2018
HDI Capital Area Slides August 17, 2018hdicapitalarea
 
Tech and Ethics
Tech and EthicsTech and Ethics
Tech and EthicsDeb Osborn
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Cyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecurityCyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecuritySecurity Innovation
 
[r]evolution Digital Literacy Workshop Slides
[r]evolution Digital Literacy Workshop Slides[r]evolution Digital Literacy Workshop Slides
[r]evolution Digital Literacy Workshop SlidesNathanielCarlson2
 
So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017Adrien de Beaupre
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Rachel Harpley
 
CSA Fall Summit 2017
CSA Fall Summit 2017CSA Fall Summit 2017
CSA Fall Summit 2017Chad Hoffmann
 
Users awarness programme for Online Privacy
Users awarness programme for Online PrivacyUsers awarness programme for Online Privacy
Users awarness programme for Online PrivacyKazi Sarwar Hossain
 
A process for measuring cyber security culture (very draft)
A process for measuring cyber security culture (very draft)A process for measuring cyber security culture (very draft)
A process for measuring cyber security culture (very draft)Mosoco Ltd
 
The Best from the UX Summit in Chicago
The Best from the UX Summit in ChicagoThe Best from the UX Summit in Chicago
The Best from the UX Summit in ChicagoLina Angel
 
Building a professional digital identity
Building a professional digital identityBuilding a professional digital identity
Building a professional digital identityLisa Harris
 
01-Introduction to HCI.pptx
01-Introduction to HCI.pptx01-Introduction to HCI.pptx
01-Introduction to HCI.pptxLe Hung
 
BYOD: Beating IT’s Kobayashi Maru
BYOD: Beating IT’s Kobayashi MaruBYOD: Beating IT’s Kobayashi Maru
BYOD: Beating IT’s Kobayashi MaruMichele Chubirka
 
Trust from a Human Computer Interaction perspective
Trust from a Human Computer Interaction perspective Trust from a Human Computer Interaction perspective
Trust from a Human Computer Interaction perspective Sónia
 

Similar a Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray) - February 2019 (20)

Community IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best PracticesCommunity IT Innovators - IT Security Best Practices
Community IT Innovators - IT Security Best Practices
 
Creating A Diverse CyberSecurity Program
Creating A Diverse CyberSecurity ProgramCreating A Diverse CyberSecurity Program
Creating A Diverse CyberSecurity Program
 
HDI Capital Area Slides August 17, 2018
HDI Capital Area Slides August 17, 2018HDI Capital Area Slides August 17, 2018
HDI Capital Area Slides August 17, 2018
 
Tech and Ethics
Tech and EthicsTech and Ethics
Tech and Ethics
 
CIO 360 grados: empoderamiento total
CIO 360 grados: empoderamiento totalCIO 360 grados: empoderamiento total
CIO 360 grados: empoderamiento total
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Cyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecurityCyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to Security
 
[r]evolution Digital Literacy Workshop Slides
[r]evolution Digital Literacy Workshop Slides[r]evolution Digital Literacy Workshop Slides
[r]evolution Digital Literacy Workshop Slides
 
So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Opi cyber talk for executives
Opi cyber talk for executivesOpi cyber talk for executives
Opi cyber talk for executives
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021
 
CSA Fall Summit 2017
CSA Fall Summit 2017CSA Fall Summit 2017
CSA Fall Summit 2017
 
Users awarness programme for Online Privacy
Users awarness programme for Online PrivacyUsers awarness programme for Online Privacy
Users awarness programme for Online Privacy
 
A process for measuring cyber security culture (very draft)
A process for measuring cyber security culture (very draft)A process for measuring cyber security culture (very draft)
A process for measuring cyber security culture (very draft)
 
The Best from the UX Summit in Chicago
The Best from the UX Summit in ChicagoThe Best from the UX Summit in Chicago
The Best from the UX Summit in Chicago
 
Building a professional digital identity
Building a professional digital identityBuilding a professional digital identity
Building a professional digital identity
 
01-Introduction to HCI.pptx
01-Introduction to HCI.pptx01-Introduction to HCI.pptx
01-Introduction to HCI.pptx
 
BYOD: Beating IT’s Kobayashi Maru
BYOD: Beating IT’s Kobayashi MaruBYOD: Beating IT’s Kobayashi Maru
BYOD: Beating IT’s Kobayashi Maru
 
Trust from a Human Computer Interaction perspective
Trust from a Human Computer Interaction perspective Trust from a Human Computer Interaction perspective
Trust from a Human Computer Interaction perspective
 

Último

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 

Último (20)

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 

Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray) - February 2019

  • 1. OCIO ES YOU are the Alpha and Omega of a secure future: Explore, understand and practice your role in advancing a positive cybersecurity. 2019
  • 2. Welcome to the workshop an opportunity to explore together the weakest link of cybersecurity • PEOPLE
  • 3. Alena Kottova, M.A., M.Sc., Ph.D. • Sessional Professor • Faculty of Engineering, University of Victoria
 • Faculty of Social Sciences, Department of Philosophy • akottova@uvic.ca • Sessional Professor • Faculty of Computing Science, • Vancouver Island University • alena.kottova@viu.ca
  • 4. Kimberley Dray B.Ed. CISM CISSP GSEC • Sr. Information Security Analyst /Cybersecurity Professional • 20 years in the information technology and education sectors • Multiple information security certifications • Recent: CISSP (ISC2), CCSP (ISC2), CISM (ISACA). GIAC-GSEC (SANS) • Old: MSCA, MCP, SCNP (SCP) and Linux + • Bachelors of Education, Diploma in Information Technology, Diploma in Certified Network Security Analyst, Criminology Certificate • ISACA Victoria Chapter Communications Director
  • 5. Workshop overview • Introductions & expectations • The Landscape: what it is & what do we want it to be? • Help from Ethics: How do we find out what decision is good in particular situation? • Practical decision making: simple tool to explore • Ethics vs law: understanding Privacy vs. Anonymity • BREAK
  • 6. Workshop Overview • White, Black and Grey Hats • Social Engineering 101 – in the shoes of a hacker • Organizational view: Blue, Purple and Red teams • Cybersecurity professional • Closing discussion • Feedback • Good Byes
  • 7. Working together • We want to target situations relevant to YOU • Explore & discuss openly and honestly • Take a positive view of cybersecurity in our lives • Create new micro-habits that we do not need to think about – like playing with juggling balls - try and practice
  • 8. Work and PLAY • Play is an extremely important part of learning and adaptation • Helps to explore, create and learn new meanings (Vygotsky) • creates a unique space that feels safe and encourages risk taking • elements of playfulness: fun, spontaneity, relationship and connection, silliness or goofiness, creativity and imagination. • proven to help to gain the self-confidence required to engage in new experiences and environments. • positive affect such as fun, enjoyment, and laughter
  • 9. Playfulness in Cybersecurity • cybersecurity landscape shifts every year • booming, immature industry • serious shortfall of skilled graduates • focus on developing individuals’ cybersecurity knowledge • talent is put on the front line as quickly as possible • WITH CARE and SUPPORT • “Fake it till you make it” attitude forces you to “play” the role and therefore adopt the meanings and attitudes required by the field
  • 10. Lets test our playfulness • Turn to your partner, say hi, tell them your name • Take a sheet of paper and pencil and get ready: • You have 60 sec to draw/sketch a portrait of your colleague • START • FININSH
  • 11. Introductions • Answer the questions on your worksheet (cc 3 min) • Fold the plane • Get ready to fly … • Collect one random plane • Read the answers • Discuss in group - combine results into 3 concerns (5 min) • present to the class
  • 12. Landscape • Every company is a software company … technology company • Every person is connected, often using a variety of computerized tools • Every household is full of computerized tools • And all is changing constantly and with increased speed! • CYBERSECURITY IS A PROCESS NOT A PRODUCT (Bruce Schneier)
  • 13. • Most software is poorly written and insecure • Internet was never designed with security in mind • Extensibility of computers means everything can be used against us • The complexity of computerized systems means attack is easier than defense • There are new vulnerabilities in the interconnections • Computers tend to fail in many different ways • Attacks always get better, easier, and faster (Bruce Schneier, Click here to kill Everybody)
  • 14. ENISA 2018 • Mail & Phishing Messages became the primary malware infection vector • Spear phishing & whaling is on the rise • Trends in malicious attachments • 80-98% of attacks could be prevented
  • 15. ENISA 2018 - trends • Mail and phishing messages have become the primary malware infection vector. • Web based attacks continue to be observed as one of the most important threats due to their wide spread surface across the threat landscape • Cryptominers have become an important monetization vector for cyber-criminals. • State-sponsored agents increasingly target banks by using attack- vectors utilised in cyber-crime. • Exploit Kits have lost their importance in the cyberthreat landscape.
  • 16. ENISA 2018 • Skill and capability building are the main focus of defenders. • Public organizations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents. • The technical orientation of most cyberthreat intelligence produced is considered an obstacle towards awareness raising at the level of security and executive management. • Cyberthreat intelligence needs to respond to increasingly automated attacks. • The emergence of IoT environments will remain a concern due to missing protection mechanisms. • The absence of cyberthreat intelligence solutions for low- capability organisations/end-users needs to be addressed by vendors and governments.
  • 17. • These trends are influenced the way we build and use the technological tools. • Need for user awareness – “cybersecurity with human face” • Companies have tendency to limit use or track behavior – craze for data & data driven decisions • BUT • Careful review and in-depth though about the implications of these decisions are needed • How do we know what is good or evil in particular situation?
  • 18. Help from Ethics • Ethics is not about making a list of good and bad acts,

 • …. it’s about creating a method • to evaluate each decision and each act from an ethical perspective. • It needs to become a part of thinking, part of system design
  • 19. Ethical thinking • Every digital use decision is a decision made on behalf of the users. • our decisions impact the person on the other end of the conversation. • With every decision, we have the shared opportunity and responsibility to think about the ethics of the decisions, • not just as a high flying ideal of “doing no harm” or doing the right thing, but as a fundamental part of our everyday process. • allows understanding of the benefits & therefore the value to “customers” as well as to “adversaries”
  • 20. Ethics vs Morals • Morals are the social, cultural and religious beliefs or values of an individual or group • tells us what is right or wrong, what is acceptable behaviour and what is considered deviant behaviour. • These are rules and standards made by the society or culture which is to be followed by us to be accepted by the society.
  • 21. Ethics vs Morals • Ethics is a branch of philosophy, a theoretical subject • it deals with the principles of conduct of an individual or group. • works as a guiding principle as to decide what is good or bad. • They are the standards which govern the life of a person (regardless of society). • these standards are explored in depth by philosophy; Ethics as moral philosophy.
  • 23.
  • 24. Normative Ethics • Examines standards for the rightness and wrongness of actions • Three main approaches: • Consequentialism • Deontology • Virtue ethics (ethics of character)
  • 25.
  • 26.
  • 27. Capability • Capability Approach: • What world are you building for the end-user? • What capabilities are you granting or enabling? • What limitations are you imposing? • What dangers you mitigate and/or enliven
  • 28. Virtue • Virtue Ethics: • What type of person do you become in the process? • What type of person you force the customer/user to become? • What virtue (good thing) you protect/establish? • Whose virtue you protect/establish?
  • 29. Deontology • Deontology: • What norms and expectations are you establishing? • What duties you are upholding? • How are you implementing your duties of care?
  • 30. Consequentialism • Consequentialism: • What are the consequences of your decision? • Do they improve the common good of those affected? • Who (or how many) will benefit from the consequences? • Who (or how many) might suffer by the consequences?
  • 31. Lets try this • Use the worksheet • Select a question & imagine a scenario around that question. • In groups discuss the four pillars, note FOR & AGAINST • Come to decision • Note the support to the decision within your team
  • 32. Privacy versus Anonymity What is the difference between having privacy and being anonymous? What does it mean to have privacy? What does it mean to be anonymous? General personal safety and best practices with respect to our digital use and footprint VPNs: Are they secure and what can they do for you? Anonymity options: TOR , Darknet exploration, other tools & considerations
  • 33. Privacy and Anonymity • Focal Point is your IP and geo location • Regular usage - saved passwords, links, bookmarks, recent files, Internet history details, etc. Ease of use. ☺ • Browsers in private or incognito mode • Local Network proxying and filtering - monitoring and logging • Internet Service Provider • Not very effective if hey have access to your laptop or your router logs and they want to check out your activities; • Use private mode and some clean-up plugins and possibly add a VPN client
  • 34. Privacy • Options: • Virtual Private Networks (VPNs) • Anonymizing Services i.e. TOR
  • 35. Virtual Private Networks (VPNs) • Acquire a different IP address as your destination • Most, if secure and transparent are not free. @$10/month • Login just like any other application with username and passwords. Few minutes to setup. • VPN will provide you with privacy, but not necessarily anonymity • VPN Service Provider knows your real IP • Offers privacy, not anonymity
  • 36. The layers of our cyberspace / the Internet • Clear net /Surface Net Regular indexed and searchable internet/web; No Login • Deep Web /Dark Web? Non-public internet resources requiring login or subscription only services • Dark Web /Dark Web Can only access via TOR
  • 37. Anonymity Tools: The TOR Browser and the Dark Net • Comes configured with Firefox with default privacy, anti-tracking plugins (i.e. https everywhere, noscript) • Several applications can expose your IP ie. Javascript, Torrents • Tor Onion websites – hidden – access only from Tor network • Site owner and visitors cannot be traced • “hidden service protocol” via “onion routing”
  • 38. TOR Network Who’s Using it? Free speech enthusiasts Cybersecurity Professionals Government Officials Good law-sab ing dissident Journalists Oppressed People Policing and legal professionals What can you find there? How to obtain illegal drugs Warez operations Virus creation Anonymous use of bitcoins, Illegal pornography Hacked PayPal accounts How to hire contract killers Sites to expose human rights abuse, political corruption, and government /politician scandals. Deep Web It is what these Deep Web resources and services are eventually used for that define their ethics.
  • 39. Social Engineering 101 • YOU ARE THE TARGET! • Based on the trends • Phishing attacks became more targeted. • Shift from consumer to enterprise targets. • Steady growth in mobile phishing attacks. • Rapid increase in phishing sites using HTTPS • The problem of Business Email Compromise (BEC or whaling) • Spearphishing is the de facto delivery method for APT groups. • Trends in malicious attachments.
  • 40. White, grey and black hatters • Not new terms. • Black hats • Grey Hats • White Hats • Sub type that can fall into any of the above categories: • Script kiddies • Hacktivists
  • 41. Blue, purple and red teams – Corporate view • Red Team • Purple Team – temporary engagement? • Blue Team • Ideally red and blue work in harmony. No need for purple • Goals shared between them: improve the security posture of the organization
  • 42. Your Value as Target • People often do not realize what value they have for an attacker • We have hard time imagining the complex web of connections and interactions we participate in • The complexity muddles our view of the possible connections points • But the data available about you, your connections, your friends and family and their connections to friends and family and organizations et cetera … provide the opportunities for an attacker
  • 43. Draft your value • Check the worksheet • fill in the possible connections • How many companies do you – theoretically – provide access to?
  • 44. Context • Social context and news provide opportunities for an attacker • Check the news worksheet • What kind of messages you may get in your e-mail tempting you to click (and kill everybody)
  • 45. Let’s see this in action • https://phishingquiz.withgoogle.com/
  • 46. The Cybersecurity Profession • Organizational Size, Industry and Maturity Level • Job Roles and Responsibilities • Threats and What Keeps Us Up At Night • How do we stay current or keep up? • What are we/YOU doing about the so-called cybersecurity skills gap?
  • 47. Certifications and Training • Cybersecurity Certifications • ISC2 CISSP • ISACA CISM • ISC2 CCSP • GIAC-GSEC – SANS • Websites: CodeAcademy • Soft Skill development: Debate clubs, Toastmasters, Lunch and Learns, other public speaking opportunities • Certification body official courseware: SANS, ISC2, ISACA, • Cybrary.it • Udemy • LinkedIn Learning • Local Meetup groups: Coding, Dev, Hack, etc.
  • 48. What does a cyber professional do? Types of tasks and activities • Proactive Threat Prevention and Monitoring • Phishing Mitigation and Response • Data Loss Prevention Monitoring • Anti-virus Administration, Management and Response • Security Consults, Vulnerability and Risk Assessments and Reviews Tools and processes - Syslog Querying – bash / grep etc. - Data Analysis, Aggregation and Correlation (Log Monitoring and Analysis) - Host and Network Vulnerability Testing ie. Nessus, Wireshark - Web Application Testing ie. Burpsuite, Acunetix, OWASP Zap Proxy - SIEM Security Information and Event Management Risk assessment, prevention and response
  • 49. How do we stay current and keep up? • Lifelong Learners • Professional Mailing lists and security intelligence sharing • Home Labs • Local Meetups • Online courses • Conferences, webinars, workshops
  • 50. We are our own enemies! The So-Called Skills GAP
  • 51. The so-called Skills Gap • Imposter Syndrome • Certifications or NOT • Entry level options /Certs? • Computer Science/Math backgrounds vs. Arts and Business • Women in IT, Tech, Science and/or Cybersecurity Initiatives • Technology, Coding and Cybersecurity Skills for K-12 • Our existing IT teams are doing security. You are doing security. • We are all doing security and where there are gaps we seek training, knowledge sharing, and job shadowing opportunities.
  • 52. Closing • Please fill in the feedback card for us • Feel free to contact us with questions, suggestions or stories. • THANK YOU
  • 53. Call to Action • Consider your present digital usage and interactions: • Review all of your email and social media accounts, check privacy settings and clean them up. Great resource: https://www.lockdownyourlogin.org/ • Get a Password Manager • Ensure there’s no Password Reuse • Use Two factor or Multifactor whenever it is offered • Don’t save passwords in your browsers or on websites • Only visit sites that use HTTPS but don’t assume they are safe sites. ☺ • Use privacy plugins to prevent tracking and stop scripts from running • Research and consider use of a reliable virtual private network (VPN) client • Consider trying Tor only after you have investigated and explored safe ways to navigate
  • 54. Resources and References • Electronic Frontier Federation (EFF): https://www.eff.org/ • Tor Project: https://www.torproject.org/ (Tor Browser and the Onion Project) • “Tor and the Deep Web: bitcoin, darknet and cryptocurrency in 2017-2018”, by Lance Henderson • “The Dark Web” – Geoff White and Bernard P. Achampong • Dark Net – isn’t what you think. Key to your privacy – Alex Winter (Bill & Ted) –https://www.youtube.com/watch?v=luvthTjC0OI • Have I Been Pwned: https://haveibeenpwned.com • How Secure Is Your Password: https://howsecureismypassword.net/ • Shining a Light on the Encryption Debate (L. Gill, T. Israel, C. Parsons): https://citizenlab.ca/2018/05/shining-light-on-encryption-debate-canadian- field-guide/ • VPN Comparison Chart: https://thatoneprivacysite.net/vpn-comparison- chart/
  • 55. Cont. • Bruce Schneier: Click here to kill everybody. • Morten Rand-Hendriksen: Using Ethics In Web Design • ENISA 2018 • Canadian Cybersecurity 2018 • A. Kottova: Course in Cybersecurity Ethics • https://phishingquiz.withgoogle.com/