Topic: IT Assurance Across System Boundaries

(Registration Below)

IT administrators and security experts face a daunting challenge assuring information security and privacy across numerous interconnected systems, many of which they may not exercise authority over.  These integrated entities, such as vendor applications and industrial control systems, are housed both on-premise and in the cloud.  In this presentation, David will outline the challenge of providing security assurance across system boundaries, show some examples of breaches across system boundaries, and explore risk management techniques for dealing with this seemingly intractable problem.

Speaker: David Trepp, M.S., Partner, IT Assurance

A technology entrepreneur since 1989, David has led over 1,300 comprehensive information security penetration test engagements for satisfied customers across all major industries throughout the United States and abroad. He has given dozens of presentations to audiences nationwide, on a variety of information security topics. David, a US Army veteran, is founder and CEO of Info@Risk (now BPM), a leading comprehensive penetration test firm. David has worked in information security with banking, law enforcement, government, healthcare, utilities, and commercial organizations since 1998.  When not at work testing security controls, David exercises his risk management skills as an avid rock climber and long-distance cyclist.

IT Assurance Across System Boundaries 

Thu, May 14, 2020, 7:00 PM – 9:00 PM PDT

Add to Calendar

1. Click the link to join the webinar at the specified time and date:

2. Choose one of the following audio options:

TO USE YOUR COMPUTER’S AUDIO:
When the webinar begins, you will be connected to audio using your computer’s microphone and speakers (VoIP). A headset is recommended.

–OR–

TO USE YOUR TELEPHONE:
If you prefer to use your phone, you must select “Use Telephone” after joining the webinar and call in using the numbers below.
United States: +1 (914) 614-3221
Access Code: 660-163-974
Audio PIN: Shown after joining the webinar

About BPM: Our Member Meeting Sponsor!

The BPM Information Security Assessment team (formerly Info@Risk), has worked with all types of organizations throughout the United States. A large percentage of the Information Security Assessment team’s clients are repeat customers, with many of our relationships stretching back nearly to our beginning in 1998. We attribute these enduring relationships to three facts:

• our clients value the depth and comprehensive quality of our work
• our clients recognize that to truly manage risk, an unbiased assessment and remediation plan are a priority when choosing a vendor
• our clients seek a partnership with their impartial assessment vendor to guide them in making informed, risk-based decisions for their organization

BPM’s Information Security Assessment team provides thorough and comprehensive information security assessments so they can make informed, confident risk-based decisions best suited for their organization. We are proud of the work we have done and are confident our references will support this pride.

Our assessment-focused services include:

• Comprehensive Penetration Test
• Targeted Application Penetration Test: Web/Mobile/Client-Server
• Targeted Wireless Penetration Test
• Stand-Alone Penetration Test, e.g. email Test, Social Engineering Test, Physical Security Test, etc.
• Password Audit
• Firewall Ruleset Review
• Configuration Review
• Vulnerability Assessment
• Infosec Program Review
• IT General Controls Audit
• Infosec Risk Assessment
• Infosec Training
• Social Engineering Awareness
• Leadership/Governance

Canceled – Postponed.

Due to impacts on our board and volunteers from the COVID19 outbreak, we are unable to go forward with chapter activity.

Please be on the lookout for a series of online meetings.

We look forward to inviting Rafae Bhatti to another event.

Cybersecurity and CCPA, Looking at Legal Implications affecting Cyberthreat management and response

Meet Rafae Bhatti, Data protection leader and licensed CA attorney

Location Online – Link to be emailed to attendees.

Location: Oracle 5805 Owens Dr, Pleasanton, CA 94588, Time: 7:00 to 9:00 PM

Title: Cyber-laundering

Meet Faranak Firozan, Security Incident Response| Investigation| Scrum| Post Mortem| SQL| Anti Money Laundry| KYC| Internal Abuse| CAMS | GISF

Abstract: Among different types of financial crimes facilitated by the Internet, money laundering stands out due to the diverse methods criminals use to legitimize ill-gotten profits. The criminal practice of money laundering in cyberspace through online transactions has been
termed as cyber-laundering. One of the important concepts for launderers are to avoid detection from law enforcement, and the Internet has opened a large window of opportunities for them.
In this talk, we review a couple of malware attacks via email case studies, statistics on source of revenue for cybercriminals, and industry defenses against the most damaging
cyberattacks.
Learning Objectives:

• How criminals are making their money (through which cybercrime type),
• How much they are making, and what are the consequences to organizations,
• How do we stop this by discussing
  • Industry defenses against Business Email Compromise
  • Defenses against Data Breaches
  • Defenses against Ransomeware

With roughly 44% of the $1.5 trillion of cybercrime funds coming from preventable activity (good security postures), not only the cybersecurity is necessary to protect the businesses, but also required to prevent money from getting into the hands of criminals.
Let’s learn from current trends and prevent this money from being stolen.

More from Faranak Firozan https://www.linkedin.com/pulse/neglected-element-human-faranak-firozan/

Save to your calendar

Thank you for being our sponsor this evening, Oracle as our location host and Maze Associates for our supper and the presenter.

About Maze Associates: We are a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. We can help you with implementing new GASB regulations, Tax Planning, or meeting FISMA and NIST compliance guidelines for your systems. Call Us Today!

Website

http://www.mazeassociates.com

Venue is Oracle 5815 Owens Drive Pleasanton, CA 94588

Please arrive at 6:45 – Registration is required – email programs@isc2-eastbay-chapter.org AND conferencedirector@isc2-eastbay-chapter.org to assure we list you for pizza count and we have your name at the door to let you in.

Running a Successful Crowdsourced Security Program: Tips on How to Not Fail: Running A Successful Crowdsourced Security Program_ Tips On How Not To Fail

Scaling application and infrastructure security has been, and continues to be, a problem most organizations tend to face, but often don’t have the resources or bandwidth to tackle effectively. This is a fundamentally human problem. There are plenty of scanners, but we still need people to validate those results and to find the issues that scanners aren’t capable of catching – as well as identifying any exposed attack surface that the automated tools aren’t even covering. Enter the idea of the “crowd.” While crowdsourced security through bug bounties is not a new concept, adoption has only recently begun to pick up. Which is surprising considering there’s tremendous ROI and value to be gained from the crowd-at-large with relatively little effort.

So in what ways can an organization leverage the power of the crowd (which is just a fancy word for a large contingent of humans with highly diverse and creative security skill sets)? And more importantly, how can one do so successfully? That’s what I aim to cover with this presentation. As someone who has been directly involved in the creation, management, and growth of hundreds of crowdsourced security programs, I bring both a ground floor and 30,000 foot view of the current landscape of crowdsourced security. This talk is aimed to help organizations and security teams: a) Realize the value and varying ways they can leverage the crowd (crowdsourcing security has the potential to go well beyond just bug bounties); and b) Provide practical tips for running a successful program, as well as how to grow your program over time. I see a lot of badly managed or under-utilized programs in the wild, and want to help educate the world in terms of what can be accomplished through the power of crowdsourced security (hint: it’s a lot), and how to run a more effective program. 

BugCrowd

Bugcrowd is the #1 crowdsourced security company. More Fortune 500 organizations trust Bugcrowd to manage their Bug Bounty, Vulnerability Disclosure, and Next Gen Pen Test programs. Bugcrowd’s award-winning platform combines actionable, contextual intelligence with the skill and experience of the world’s most elite hackers to help leading organizations identify and fix vulnerabilities, protect customers, and make the digitally connected world a safer place. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Grant (McCracken)

Currently the Director of Solutions at Bugcrowd, Grant has extensive experience in the crowdsourced security space – having been directly involved with the creation and maintenance of hundreds of crowdsourced security programs over the last few years. An OSCP, with a background in application security, Grant understands the hacker side of security, as well as the necessary logistical components and considerations to take into account when running and managing successful crowdsourced security programs.

(Read More at https://isc2-eastbay-chapter.org/mission-vision-goals/scholarship-and-sponsorship/)

Learn how you secure your APIs and Microservices using Externalized Dynamic Authorization.

Key agenda items

• Covering API security basics
• Avoiding bad security practices
• Overcoming OAuth limitations
• Managing authorization as a microservice

Thanks for sharing the ISC2 EB chapter meeting presentation and the links to more information.

• https://www.axiomatics.com/resources/topics/apis-microservices/
• https://www.axiomatics.com/resources/authorization_kong/
• https://www.axiomatics.com/resources/dynamic-authorization-for-the-apigee-api-gateway/
• https://github.com/ioannis-iordanidis/kong-axiomatics-plugin

About our Speaker: 

Jonas Iggbom, the VP of Sales Engineering at Axiomatics, has over 20 years of experience in product management and technical sales in endpoint security and access control. His expertise lies in encryption technologies, keys, certificates, and SSH, as well as access control solutions for privileged and end user accounts, databases, and applications.

Prior to Axiomatics, Jonas worked as the Director of Product Management at Fox Technologies and as a Product Manager at Check Point Software Technologies, both in California. He also held the position of Senior Sales Engineer/Product Manager at Pointsec Mobile Technologies in Chicago and Sales Engineer at their office in Stockholm, Sweden.

Jonas earned his bachelor’s degree in computer science from the Royal Institute of Technology in Kista, Sweden. Along with his expertise in encryption technologies and access control solutions, Jonas is also knowledgeable in intrusion detection, anti-virus, data leakage prevention, content control, and client virtualization.

Thanks to our topic sponsor: Axiomatics authorization solutions are utilized around the world to share sensitive data securely, meet compliance and minimize data fraud. From our offices in Chicago and Stockholm we serve a global customer base within finance, healthcare, insurance, manufacturing, media, pharma, software/high tech and the public sector. Our dynamic authorization suite for applications, databases, Big Data, APIs and Microservices enables a policy-based approach to access control to protect the most critical assets – on premise or in the cloud. Our product suite is built on Attribute Based Access Control (ABAC) in accordance with National Institute of Standards and Technology (NIST) guidelines. For the US Federal Government, Axiomatics is a member of the CDM program and actively participates in the GSA schedule. Website http://www.axiomatics.com

Session 2: Leon Jiang sharing his analysis of the Capital One Data Breach

8:15 – 8:45

Read More https://www.roostify.com/blog-home/2019/7/31/capital-one-data-breach-step-by-step-analysis

Lessons Learned from Capital One Breach & More

Matt Bouis, Sr. Engineer in Cybersecurity data analytics.

About Cybereason:

Cybereason is the leader in endpoint protection, offering endpoint detection and response, next-generation antivirus, managed monitoring and IR services.
Founded by elite intelligence professionals born and bred in offense-first hunting, Cybereason gives enterprises the upper hand over cyber adversaries.
The Cybereason platform is powered by a custom-built in-memory graph, the only truly automated hunting engine anywhere. It detects behavioral patterns across every endpoint and surfaces malicious operations in an exceptionally user-friendly interface.
Cybereason is privately held and headquartered in Boston with offices in London, Tel Aviv, and Tokyo.

Kindly confirm your attendance for the meeting by June 12th, 2019, along with your preference of pizza (Veg/Non-Veg).

We need to provide the attendee list to our host for badges.

To RSVP please send your name, *ISC2 ID  and the subject line “attending June 13th 2019 meeting” to programs@isc2-eastbay-chapter.org, and conferencedirector@isc2-eastbay-chapter.org.

Oracle 5805 Owens Dr, Pleasanton, CA 94588

Look for the (ISC)2 East Bay Meeting Sign pointing to the entrance of 5805. We meet just inside the main lobby.

*If you are not a member of ISC2 or ISC2 East Bay Chapter, please complete the membership application form and send the application with your notice of intent to attend.  Membership is still free, but we do need to know who you are.

ATTENTION DATE WAS WRONG – is 2nd Thursday May 9th

Location change – 6101 Bollinger Canyon Rd, San Ramon, CA 94583 Room BR1X – 1150

Why CISO’s Fail, in the words of the author, Barak Engel

Information security is now a really big deal, yet we keep screwing it up. Big breaches are in the news every day, and they are only the tip of the iceberg. Security leaders average less than two years in tenure, and job satisfaction – their own, and others’ of their performance – is lower than that of watching paint dry. Fingers go ablamin’, but in security we just end up pointing them elsewhere.

Why? and more importantly, what can we do about it?

Claimed in its origin by many cultures, the ancient saying “The Fish Stinks from the Head” applies to the emerging discipline of information security, just as much as it does to organizational rot and mis-development. Providing a useful guide for an irreverent look at ourselves, the speaker in this open-to-the-audience talk will touch on both the “why” and the “what to do” parts, while doing his best to make you laugh.

Real-life experiences, both amusing and embarrassing, will be shared liberally.

Speaker Bio: Barak Engel is known for having come up with the concept of “virtual CISO” back when security was a four-letter word that no one could spell. He stubbornly insisted, and ultimately developed a consulting practice around it. Almost two decades later his company, EAmmune, develops and manages security programs for organizations, large and small, across all industries. Barak himself has served as CISO for many of them (e.g. MuleSoft), and often for several at once.

In another clear mark of insanity, he decided to write a book about security management while still actively practicing, rather than from the comfort and safety of retirement. The 2017 book, Why CISOs Fail, keeps getting incredible reviews from those who stumble upon it, delighting Barak every time it happens. It also serves as the inspiration for this talk.

Location: High Performance Computing Innovation Center, Livermore. Driving Directions and important information below.

Time: 7:00 to 9:00 PM

Topic: Lessons learnt while building Zero Trust Networks and iOT Security

Zero Trust Networks are based on the principle of “never trust without verification”. We will discuss some insights and lessons from building Zero-Trust networks. Since Users on Network and Off network will be treated equally, we have to overcome some unique challenges like incorporating SaaS applications into the model. How Zero-Trust Networks helps us meet Compliance requirements.

Meet Nalin Narayanam, Chief Information Security Officer
Intarcia Therapeutics, Inc.

With over 13 years of Security Industry experience in areas like Identity Management,Tokenization, DLP,  and  SIEM, meet Nalin Narayanam, an active contributor in cutting edge Biotech Ingenuity. Hear how Intarcia Therapeutics will allow the world to securely rethink the future of medicine.

Kindly confirm your attendance for the meeting by February 12th, 2019, along with your preference of pizza (Veg/Non-Veg) so that we place orders accordingly.

We need to provide the attendee list to our host for badges.

To RSVP please send your name, *ISC2 ID  and the subject line “attending February 14 2019 meeting” to eric.simmons@isc2-eastbay-chapter.org. If you intend to participate in earning CPE for conference planning, please copy conferencedirector@isc2-eastbay-chapter.org.

*If you are not a member of ISC2 or ISC2 East Bay Chapter, please complete the membership application form and send the application with your notice of intent to attend.  Membership is still free, but we do need to know who you are.

REMINDER: Arrive on time or there will not be anyone to open the door.  We begin door duty at 6:30 and end at 7:00 PM – NO EXCEPTIONS

Industrial Control System Cyber Security Design and Regulation

Presented by Michael Cole, CISSP, CCNP – Control System Cybersecurity Analyst – Turlock Irrigation District

In the previous UTC Journal, Jon Stizel described how Ameren is using the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to improve the maturity of their cybersecurity program with metrics and reporting.  Turlock Irrigation District (TID) has also used the NIST CSF, Energy Sector Cybersecurity Framework Implementation Guidance (ESCFIG) and the Electric Subsector Cybersecurity Capability Maturity Model (ES-C2M2) for its NERC CIP program foundation…

Michael Cole is a Control System Cybersecurity Analyst for the Turlock Irrigation District, where he provides expertise on NERC CIP Standards and Program design. Turlock Irrigation District is a Central California public utility that provides water for irrigation and power to customers in its service area. Michael has a Bachelor of Science in Computer Science, is a Certified Information Systems Security Professional (CISSP), and a Cisco Certified Network Professional (CCNP). Michael has focused on building a NERC CIP Documentation Architecture that is based on the NIST Cyber Security Framework (CSF) and Electric Subsector Cybersecurity Maturity Model (ES-C2M2). The architecture uses the ES-C2M2 cybersecurity domains as an abstraction for Turlock Irrigation District’s NERC CIP Program.

Venue: Optiv at 3875 Hopyard Rd., Pleasanton, CA 94588

Kindly confirm your attendance for the meeting by January 9th, 2019, along with your preference of pizza (Veg/Non-Veg) so that we place orders accordingly.

We need to provide the attendee list to our host for badges.

To RSVP please send your name, *ISC2 ID  and the subject line “attending January meeting” to conferencedirector@isc2-eastbay-chapter.org.

*If you are not a member of ISC2 or ISC2 East Bay Chapter, please complete the membership application form and send the application with your notice of intent to attend.  Membership is still free, but we do need to know who you are.

REMINDER: Arrive on time or there will not be anyone to open the door.  We begin door duty at 6:30 and end at 7:00 PM – NO EXCEPTIONS

Take the elevators to the second floor, take a left, we are all the way at the end of the hallway.

Venue: Chevron World Headquarters

Dinner

RSVP

RSVP to conferencedirector@isc2-eastbay-chapter.org with the subject “Attending October 11th at Chevron building A”. Include your name and ISC2 ID. If you don’t have an ISC2 ID and are not yet a member of our chapter, include the membership application with your email and copy membership@isc2-eastbay-chapter.org

We will be meeting in Building A in room 1020., 6001 Bollinger Canyon Rd, San Ramon, CA 94583. Park in the visitor parking lot and proceed to BLDG A.

Don’t get lost