SecureWorld News

Real-Time at SecureWorld Boston 2016

Written by SecureWorld News Team | Thu | Mar 31, 2016 | 7:23 PM Z

Day One

9:30 - This morning's keynote address from Boston Police Detective Steven Blair focused on internet and fraud crimes. Detective Blair highlighted two cybercrime cases he cracked through good old-fashioned detective work.

First, he detailed how a fraudulent Bridal Show scammed thousands of would-be convention goers out of money. A scammer in Pennsylvania advertised a Bridal Show here at the Hynes Center, but no such show was ever on the books. Brides paid registration fees through a PayPal link, which went into an account the scammer set up. In partnership with PayPal, BPD tracked the IP address and found the scammer in Pittsburgh. When they raided the place, the woman was setting up another scam Bridal Show in Dallas. The remarkable part? The woman didn't even finish high school. She perfected her scamming skills through practice.

Second, Det. Blair walked us through a bust of a highly-educated scammer who took advantage of the OneFund set up to compensate victims of the Boston Marathon Bombings. Her elaborate scheme was broken up through hours and hours of photo and video review from the aftermath of the bombing. She claimed she was injured but wasn't. Det. Blair and his team busted her, she pleaded guilty, but—get this—the judge wouldn't put her in jail and only gave her probation.

Then, Det. Blair turned to current cybercrime trends he's seeing at BPD. It's probably something you're used to hearing about - phishing schemes through corporate email. Hackers are spoofing email addresses and convincing CFOs to wire money into fraudulent accounts. Det. Blair warned that we're all focused on protecting our network with our firewalls, but email is the easiest way for bad guys to compromise the enterprise. Security Awareness Training has never been more important - even for the C-Level executives. In one case, Det. Blair noted the bad guys executed the financial scam by sending from a spoofed email account that was one letter off from the CEO's legitimate email.
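The "one letter off" sender address in Det. Blair's wire-fraud case is something a mail gateway or SIEM rule can flag before the message reaches a CFO. The script below is an added example, not anything from the presentation or from BPD: it compares an inbound sender address against a constructed list of protected executive mailboxes using plain Levenshtein edit distance and labels near-misses in the local part or the domain.

```python
"""Flag sender addresses that are a single edit away from a protected executive mailbox.

Added illustration; the PROTECTED mailboxes and sample senders are constructed placeholders.
"""
from typing import Dict, Optional, Tuple

# Constructed list of mailboxes that attackers like to impersonate (assumption, not from the page).
PROTECTED: Dict[str, str] = {
    "ceo@example.com": "CEO",
    "cfo@example.com": "CFO",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender: str, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return (verdict, impersonated_role).

    verdict is one of: exact, lookalike-local, lookalike-domain, unknown.
    An exact match is checked first so that two genuine executives with short,
    similar local parts (ceo/cfo) never flag each other.
    """
    sender = sender.strip().lower()
    if sender in PROTECTED:
        return "exact", PROTECTED[sender]
    local, _, domain = sender.partition("@")
    for addr, role in PROTECTED.items():
        p_local, _, p_domain = addr.partition("@")
        # Same domain, but the mailbox name is one edit away (ce0 vs ceo).
        if domain == p_domain and levenshtein(local, p_local) <= max_distance:
            return "lookalike-local", role
        # Same mailbox name on a domain that is one edit away (examp1e.com vs example.com).
        if local == p_local and levenshtein(domain, p_domain) <= max_distance:
            return "lookalike-domain", role
    return "unknown", None


# Constructed sample senders, as they might appear in gateway logs.
SAMPLE_SENDERS = [
    "ceo@example.com",    # legitimate
    "ce0@example.com",    # digit zero for the letter o
    "ceo@examp1e.com",    # digit one for the letter l in the domain
    "alice@partner.org",  # unrelated third party
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(s, "->", classify_sender(s))
```

Treat a lookalike verdict as a triage signal for a human or a quarantine rule rather than an automatic block: plain edit distance counts a transposition as two edits, so "exmaple.com" would not be caught at distance 1, and very short local parts produce collisions that need the exact-match check above.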

11:30 - It is standing room only in Esmond Kane's session on "The Future of Security." Kane, the Deputy CISO at Partners HealthCare, is detailing which elements of cybersecurity will be vital for a successful InfoSec program in the next few years. (It's so packed in there, even we can't get a seat.) Let us know what your takeaways were and we'll track down Esmond and bring you an interview with him shortly.

Noon - Okay, we talked with Esmond Kane right after his session. 140 SecureWorld Boston Attendees piled into the room to hear Kane talk about The Future of Security. We asked him why he thinks that session was such a draw, and what is the future of cybersecurity. Listen for yourself as he breaks it down for SecureWorld News.


12:45 - It's always nice to have some entertainment during lunch. Today, Radware's Ben DesJardins is talking about why privacy is not a right. And beyond that, you barely even know what kind of privacy you're giving up (seriously, did you read the terms and conditions during your last software update?). Especially with a free product. DesJardins explains why you're actually the product!


1:15 - Practitioners are talking, and attendees are listening! The Panel "After the Hack" is packed! Optiv's Dawn-Marie Hutchinson hit a home run with her analogy on fighting ransomware. She likened it to having a hole in the boat and just dumping water instead of trying to fix the hole. She mentioned that once you're a CryptoLocker victim, you're more likely to be hit again. She recommended finding and investing in people who can fight the bad guys - but it'll probably be hard to find them. The unemployment rate for cybersecurity is now estimated at -5%.

Then, Kyle Wilhoit with Trend Micro previewed a report he's releasing on his research into the technology terrorists are using. As he summed it up, the bad guys are really bad at security. Take a listen!


Continue following our real-time reports from SecureWorld Boston here: #SWBOS16

3:00 - Last session of the day, then Happy Hour! We sat in on Steven Beaudrot's (Fresenius Medical Care) session (sorry about the phone ringing in there, Steve!). He focused on communicating risk. A couple things Steve said really resonated. First, "The most dangerous risk is the uncommunicated one." Isn't that the truth? Then, he talked about treating all of the stakeholders in your company as customers. From legal to engineering. 

Then, Steve went through the common feeling we all have when we walk into a new job: what if your network sucks? He suggested a way to deal with this that doesn't discount the hard work anyone put into building that network in the first place. Steve's advice: Seek to understand; have empathy, not sympathy; assign ownership to empower, not to punish; get some skin in the game; remind them, they are your customer!

Finally, one of the best takeaways: Lose the "knowledge is power" concept! If you hoard knowledge, that doesn't make you the smartest person in the room. Some really good advice to end Day One. 

Now, get out there and network! There are a few parties this evening. Snap a photo and share them! Don't forget to tag us #SWBOS16

We'll be back at it tomorrow morning!

Day Two

Good morning! We're back at SecureWorld Boston for Day Two.

7:30 - Things kicked off this morning with the ISSA Chapter Meeting and breakfast, where about 30 attendees gathered first thing. Then, the InfraGard chapter meeting got underway at 8:30. It was open to all attendees and the turnout was good: about 60 people gathered in the Keynote Theater for the meeting.

8:30 - We had three 8:30 sessions this morning. Mike Corby presented on taking a data inventory as the first step in compliance. Erika Powell-Burson hosted a session on PCI Compliance. And Matthew Karlyn's session on incorporating security and privacy into procurement and contracting drew a nice crowd.

We're gearing up for the Keynote Presentation from Joe Jarzombek at 9:30. He's the former director for software assurance for the U.S. Department of Homeland Security. Joe's session is on enhancing enterprise resilience through software assurance and supply chain risk management. Should be an educational session. We'll be back with an update after the Keynote! Talk to you then!

9:30 - Joe's Keynote did not disappoint. One of the best takeaways from Joe: when your company is breached, you stand up there and say I've been victimized - when really, you're telling the world, "a bad guy wanted to exploit our weakness more than we wanted to find it and patch it." Here are a few more points from Joe Jarzombek (we also shared the video we live streamed from the presentation on our Facebook Page):

11:15 - We sat in on Scott Drucker's session on Identity in Security - How to Know Who's in Your Network. Scott is an engineer with SecureAuth. During the session Scott highlighted why identity is the new security perimeter. Sure, we have firewalls for network security and solutions for endpoint security, but none of that does any good if a bad actor gets into your network with valid credentials. So, how can we go beyond MFA to ensure a bad actor who can get in can't make things worse?

Scott talked a lot about the solution of adaptive authentication. And this is important because it allows you to protect identity without sacrificing user experience. One of the techniques he highlighted is device fingerprinting. You can set it up as a measure of authentication, and then assign a risk score when there are elements of that authentication that don't add up. For instance, when setting up the device fingerprinting, everything is measured from IP address to screen resolution to time zone. If someone's time zone is off, that's probably not a big deal - people travel. But if the time zone, resolution, IP address and browser cookie settings have all changed, you may decide the risk score is high and you shut down access immediately. This is a way to ensure your end users can access the network conveniently, but can keep bad actors out if they've entered the network - even with valid credentials.
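To make the risk-scoring idea concrete, here is an added example (our own illustration, not SecureAuth's product logic or anything Scott showed): each fingerprint attribute that drifts from the enrolled value adds a weighted penalty, a lone time-zone change stays cheap because people travel, and the total decides between allowing the login, stepping up to MFA, or denying outright. The weights, thresholds and sample fingerprints are constructed assumptions.

```python
"""Adaptive-authentication risk score from device-fingerprint drift.

Added illustration. Weights, thresholds and the sample fingerprints are assumptions,
not any vendor's policy.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Fingerprint:
    """Attributes captured at enrollment and again on every later login."""
    ip: str
    timezone: str
    screen: str       # screen resolution
    cookie_id: str    # browser cookie issued at enrollment
    user_agent: str


# Penalty applied when the observed value differs from the enrolled one.
# Dict order is preserved, so drift is reported in this order.
WEIGHTS = {
    "timezone": 10,   # changes routinely with travel, so it is cheap on its own
    "ip": 20,
    "user_agent": 15,
    "screen": 25,
    "cookie_id": 30,  # a missing or different cookie is the hardest change to explain away
}
ALLOW_BELOW = 30  # score below this: let the session through
DENY_AT = 60      # score at or above this: shut access down immediately


def risk_score(enrolled: Fingerprint, observed: Fingerprint) -> Tuple[int, List[str]]:
    """Sum the weights of every attribute that no longer matches enrollment."""
    score = 0
    drift: List[str] = []
    for attr, weight in WEIGHTS.items():
        if getattr(enrolled, attr) != getattr(observed, attr):
            score += weight
            drift.append(attr)
    return score, drift


def decide(enrolled: Fingerprint, observed: Fingerprint) -> Tuple[str, int, List[str]]:
    """Map the score onto allow / step_up (extra MFA factor) / deny."""
    score, drift = risk_score(enrolled, observed)
    if score < ALLOW_BELOW:
        return "allow", score, drift
    if score < DENY_AT:
        return "step_up", score, drift
    return "deny", score, drift


# Constructed sample fingerprints (documentation IP ranges, made-up cookie ids).
ENROLLED = Fingerprint("203.0.113.10", "America/New_York", "1920x1080", "c-7f3a", "Firefox/45")
TIMEZONE_ONLY = Fingerprint("203.0.113.10", "Europe/London", "1920x1080", "c-7f3a", "Firefox/45")
TRAVELING = Fingerprint("198.51.100.7", "Europe/London", "1920x1080", "c-7f3a", "Firefox/45")
EVERYTHING_CHANGED = Fingerprint("192.0.2.44", "Asia/Tokyo", "1366x768", "c-0000", "Chrome/49")

if __name__ == "__main__":
    for name, fp in [("same device", ENROLLED), ("timezone only", TIMEZONE_ONLY),
                     ("traveling", TRAVELING), ("everything changed", EVERYTHING_CHANGED)]:
        print(f"{name:20s} -> {decide(ENROLLED, fp)}")
```

The point of the weighting is the one Scott made: a single drifted attribute is noise, a cluster of them is the signal. In a real deployment you would tune the weights from your own login history and let the step_up branch collect a second factor rather than simply failing the request, so the valid-credential attacker is stopped without punishing the traveling user.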

If you'd like to know more, stop by SecureAuth's booth (413) to talk about some of these techniques. Scott did a really good job of explaining some of these options during his session. And, he offered these sobering statistics to show exactly why we need identity management solutions:

It's almost lunch time! Grab some grub and get ready for the Lunch Keynote from Optiv's Dawn-Marie Hutchinson! #SWBOS16

12:30 - Okay, the lunch keynote was great. Dawn-Marie Hutchinson is a great speaker, and she is passionate about incident response. She walked us through some of the keys to staying ahead of the breach. Really ensuring that you're prepared ahead of time is critical, according to Hutchinson. As she puts it, MSAs can take months for your legal department to execute. Do you really want to be dealing with that while you're managing a breach? No, you should have these relationships established (and nurtured) ahead of time. Know who's on your team, what everyone's role is, and how each player will contribute to the response. Here's a little more from Dawn-Marie:

2:30 - Everyone is in place for Dash for Prizes and CyberHunt. Thanks to everyone who played along through the SecureWorld App!

There are three sessions at 3:00 today (one, unfortunately was canceled due to a speaker emergency). Enjoy! Don't forget to grab your certificate of attendance from registration after 3:00! You'll need it to get your CPE credits from your certifying body!

Another great show coming to a close! We're excited to hit the road and hit Philadelphia next month! There's still time to register, and there are some very limited sponsorship opportunities available.