The slide deck used on 11/21/19. There are four parts to this talk; housekeeping (establishing credibility with the audience), the meat (our information security language problem and our solution), the dream (securing America), and the call to action (get your free S2Org and S2Me risk assessments).
The title is "Cybersecure Schools, Parents, and Kids. The talk was delivered to ~250 people attending the summit. Tackling information security at school and at home requires us to agree to and apply the fundamentals. The S2Org is helping schools become more secure, and the S2Me is helping at home.
Security is a large topic and so full of jargon that it can be hard to know where to get started when thinking about it. Threat Modeling gives you a framework to help you start building security policies.
In this talk, Dan Hardiker, CTO at Adaptavist, will cover what a security model is, when and why it's useful, what its main components are (assets, actors, and vectors), and how they interact. We'll build a basic threat model, enable you to apply these to your systems, and give you references for further learning.
Business-Critical Backup: Preparing for a DisasterNetWize
Here is a brief presentation on the importance of having a backup and recovery plan for your electronic data, especially planning for that recovery in the event of a natural or man-made disaster.
WANTED – People Committed to Solving our Information Security Language ProblemSecurityStudio
The presentation shared with the Greater KC ISACA chapter on 11/14/19. The talk starts with housekeeping, then progresses into the heart of our language problem before ending with the dream to secure America. The talk was very well received, and now you can use it however you wish.
TITLE: WANTED – People Committed to Solving Our Information Security Language Problem, the presentation given at the inaugural BSides Harrisburg Conference on October 2nd, 2019.
We need to get on the same page as an industry if we stand any hope of getting this right. It starts with understanding and agreeing to fundamentals, including the terminology we use.
WANTED - People Committed to Solving Our Information Security Language ProblemEvan Francen
Our industry has plenty of problems to solve. The language we use shouldn’t be one of them, and now it’s not. SecurityStudio, a Minnesota-based security SaaS company committed to solving information security problems for our industry has developed a common, easily-understood information security risk assessment that’s comprehensive, foundational, and completely free for all to use.
Today, more than 1,500 organizations are speaking the language. We invite you to do the same.
The title is "Cybersecure Schools, Parents, and Kids. The talk was delivered to ~250 people attending the summit. Tackling information security at school and at home requires us to agree to and apply the fundamentals. The S2Org is helping schools become more secure, and the S2Me is helping at home.
Security is a large topic and so full of jargon that it can be hard to know where to get started when thinking about it. Threat Modeling gives you a framework to help you start building security policies.
In this talk, Dan Hardiker, CTO at Adaptavist, will cover what a security model is, when and why it's useful, what its main components are (assets, actors, and vectors), and how they interact. We'll build a basic threat model, enable you to apply these to your systems, and give you references for further learning.
Business-Critical Backup: Preparing for a DisasterNetWize
Here is a brief presentation on the importance of having a backup and recovery plan for your electronic data, especially planning for that recovery in the event of a natural or man-made disaster.
WANTED – People Committed to Solving our Information Security Language ProblemSecurityStudio
The presentation shared with the Greater KC ISACA chapter on 11/14/19. The talk starts with housekeeping, then progresses into the heart of our language problem before ending with the dream to secure America. The talk was very well received, and now you can use it however you wish.
TITLE: WANTED – People Committed to Solving Our Information Security Language Problem, the presentation given at the inaugural BSides Harrisburg Conference on October 2nd, 2019.
We need to get on the same page as an industry if we stand any hope of getting this right. It starts with understanding and agreeing to fundamentals, including the terminology we use.
WANTED - People Committed to Solving Our Information Security Language ProblemEvan Francen
Our industry has plenty of problems to solve. The language we use shouldn’t be one of them, and now it’s not. SecurityStudio, a Minnesota-based security SaaS company committed to solving information security problems for our industry has developed a common, easily-understood information security risk assessment that’s comprehensive, foundational, and completely free for all to use.
Today, more than 1,500 organizations are speaking the language. We invite you to do the same.
WANTED – People Committed to Solving our Information Security Language ProblemEvan Francen
The information security industry is broken. It's our duty to fix it, and it starts with getting on the same page. The model isn't broken, but our application is. How do we apply the basics and fundamentals on a wider scale? It starts with defining a common language and a common approach. Next, make it all free.
www.thinair.com
Concern about insider threats are rampant. Disgruntled employees that have access to sensitive data are common. When a breach does occur how do you identify which computers were involved in the breach? This session, originally held at Techno Security & Digital Forensics Conference, will discuss some of the major pain points of an insider threat investigation and how to mitigate them. We’ll also review three different case studies that occurred at Google, Palantir and the DOD.
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?dianadvo
Concern about insider threats are rampant. Disgruntled employees that have access to sensitive data are common. When a breach does occur how do you identify which computers were involved in the breach? This session will discuss some of the major pain points of an insider threat investigation and how to mitigate them.
Presentation delivered to the Minnesota Counties Computer Cooperative (http://mnccc.org/) on October 30, 2019. The talk was given by SecurityStudio's CEO, Evan Francen and focused on how local governments play a role in protecting all of us.
WANTED – People Committed to Solving our Information Security Language ProblemSecurityStudio
Presentation deck delivered to the Rochester ISSA chapter members as part of the SecurityStudio Roadshow on November 7th, 2019. This presentation explains the language problem we're fighting in the information security industry and contains a realistic call to action for all of us.
Cloud security expert Tricia Pattee discusses where to get the most bang for your security buck. Topics covered include:
-The five most common security mistakes
-Top six areas of security spend
-How to maximize budget – and minimize risk
-Hidden cloud security costs
This presentation was delivered to Minnesota manufacturing CEOs who attended the April 2019 Enterprise Minnesota event. Manufacturing companies face real information security threats that they need to prepare for.
NIST Cybersecurity Framework is a good starting point for many enterprises to harden their security posture against advanced threats. In this webinar, we will share the major take-aways from the framework. More importantly, we will explain the 5 critical factors in implementing cybersecurity defense, and how to handle them with best practice.
ISACA talk - cybersecurity and security cultureCraig McGill
PwC's talented senior cybersecurity and infosec manager Ross Foley recently gave a great talk on the growing importance of security culture within infosec. Here are the slides to help raise awareness of this issue.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
More Related Content
Similar to ISSA-OC and Webster University Cybersecurity Seminar Series Presentation
WANTED – People Committed to Solving our Information Security Language ProblemEvan Francen
The information security industry is broken. It's our duty to fix it, and it starts with getting on the same page. The model isn't broken, but our application is. How do we apply the basics and fundamentals on a wider scale? It starts with defining a common language and a common approach. Next, make it all free.
www.thinair.com
Concern about insider threats are rampant. Disgruntled employees that have access to sensitive data are common. When a breach does occur how do you identify which computers were involved in the breach? This session, originally held at Techno Security & Digital Forensics Conference, will discuss some of the major pain points of an insider threat investigation and how to mitigate them. We’ll also review three different case studies that occurred at Google, Palantir and the DOD.
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?dianadvo
Concern about insider threats are rampant. Disgruntled employees that have access to sensitive data are common. When a breach does occur how do you identify which computers were involved in the breach? This session will discuss some of the major pain points of an insider threat investigation and how to mitigate them.
Presentation delivered to the Minnesota Counties Computer Cooperative (http://mnccc.org/) on October 30, 2019. The talk was given by SecurityStudio's CEO, Evan Francen and focused on how local governments play a role in protecting all of us.
WANTED – People Committed to Solving our Information Security Language ProblemSecurityStudio
Presentation deck delivered to the Rochester ISSA chapter members as part of the SecurityStudio Roadshow on November 7th, 2019. This presentation explains the language problem we're fighting in the information security industry and contains a realistic call to action for all of us.
Cloud security expert Tricia Pattee discusses where to get the most bang for your security buck. Topics covered include:
-The five most common security mistakes
-Top six areas of security spend
-How to maximize budget – and minimize risk
-Hidden cloud security costs
This presentation was delivered to Minnesota manufacturing CEOs who attended the April 2019 Enterprise Minnesota event. Manufacturing companies face real information security threats that they need to prepare for.
NIST Cybersecurity Framework is a good starting point for many enterprises to harden their security posture against advanced threats. In this webinar, we will share the major take-aways from the framework. More importantly, we will explain the 5 critical factors in implementing cybersecurity defense, and how to handle them with best practice.
ISACA talk - cybersecurity and security cultureCraig McGill
PwC's talented senior cybersecurity and infosec manager Ross Foley recently gave a great talk on the growing importance of security culture within infosec. Here are the slides to help raise awareness of this issue.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
3. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor,
S²Team, and S²Me
• 25+ years of “practical” information security experience
(started as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in
2010/500+ in 2018
• Advised legal counsel in very public breaches (Target, Blue
Cross/Blue Shield, etc.)
Solving our Information Security Language Problem
AKA: The “Truth”
AKA: The “Preacher”
4. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019
Solving our Information Security Language Problem
5. IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide, and that suicide is the
second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/
6. A simple CTF challenge in Robby’s Memory.
qr fbir ygdblcg yafr erodkganc hbd oneqrde oe yb ygr zrcannanc bh ygr kbefbe.
oe qr kgoncrj pwonre qoayanc hbd yafr yb kbfr onj cby bhh ygae powr zwlr jby hbd o
kbefak zwans bh on rmr,
qr kolcgy o cwafper bh ebfryganc jrrprd / fbdr fronanchlw ygon oneqrde; pldr zrolym:
glfonaym.
qgawr eyaww kopyaioyrj onj rnygdowwrj zm ygae jaekbirdm,
qr zoes an bld lybpao, ydmanc yb fosr ygance hoad onj rtlow,
eb ah qr qrdr yb jrpody onj cry zoks bn zbodj bld oadpwonr onj yafr hanowwm kofr yb cry
le,
qr qblwj goir frfbdare zwaeehlw rnblcg yb woey le lnyaw bld nrvy oddaiow onj cair ygrf
yb
ygr hlyldr, hbd ydlwm mbl snbq grd, zly ah nby, a oeeldr mbl, egr oweb goe o zrolyahlw
eblw.
-dbzzm onjdrq qowwrnzrdc zdocc mbld hwoc ae drfrfzrdancwbeygoksrde
One way to get a free book.
Solve this and email me; efrancen@securitystudio.com.
7. Resources & Contact
Want to participate?
Want to partner?
Want these slides?
LET’S WORK TOGETHER!
• Email: efrancen@securitystudio.com
• @evanfrancen
• @StudioSecurity
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)
9. You know we have an
language problem in
our industry, right?
Our Industry
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
Cybersecurity
BCDR
Malware
Trojan
Spoofing UTM
Phishing
Vishing
DDoS Worm
Botnet ML
Vulnerability
Zero-Day
Layered
Exploit
Threat Actor
Attribution
Kali
OSCP
CISSP
NIST CSF
How many of you
are security people
(my tribe)?
10. You know we have an
language problem in
our industry, right?
Normal
People See
Us Like
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
Cybersecurity
BCDR
Malware
Trojan
Spoofing UTM
Phishing
Vishing
DDoS Worm
Botnet ML
Vulnerability
Zero-Day
Layered
Exploit
Threat Actor
Attribution
Kali
OSCP
CISSP
NIST CSF
11. Why?
Because we
don’t agree on a
language
Their Language
FIX: Fundamentals and
simplification.
Translation/Communication
WARNING – It’s work and
it’s NOT sexy.
Let’s test this…
32. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
BONUS: Empty spaces always get filled.
33. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
You cannot build an effective
security program or strategy without
an assessment.
34. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
You cannot build an effective
security program or strategy without
an assessment.
As much as 90% of
organizations fail to do
fundamental information
security risk assessments.
WHY? Reason #1: Complexity
50. Minnesota is one state
amongst 49 other beautiful
states.
Are you troubled having the U.S. Flag
anywhere near the word “Poor”?
I am.
51. What to do NOW!
By speaking a common language we can work on what really matters (our most
significant risks).
What we’re going to do:
• Keep preaching.
• Work politically.
• Keep improving (by listening). What you need to do:
• Get your free S2Org Assessment and do it!
• Help us preach.
• Help us work politically.
• Help us improve (by talking).
52. What to do NOW!
By speaking a common language we can work on what really matters (our most
significant risks).
What we’re going to do:
• Keep preaching.
• Work politically.
• Keep improving (by listening). What you need to do:
• Get your free S2Org Assessment and do it!
• Help us preach.
• Help us work politically.
• Help us improve (by talking).
What’s the
point?
People are the point!
Information security is not about information or security
as much as it is about people.
People within our industry and people who work with us
are confused and we’re wasting valuable resources.
53. What to do NOW!
We’re looking for partners.
Partners make more money with better
margins.
Customers get better and more
affordable information security.
Our preferred partner in Orange County is
Framework Security! Visit them at
https://frameworksec.com.
54. Your Tasks:
1. Do your S2Org Assessment:
https://app.securitystudio.com/organization/signup
2. Help us preach by telling everyone.
3. Help us politically by telling your leadership.
4. Help us improve by telling us:
• Contact within the tool or here:
https://securitystudio.com/contact/
• Twitter: @evanfrancen or @StudioSecurity
How do we secure America?
Thank you!
The other way to get a free book.
Sign up!