When users make a harmful action, cybersecurity professionals believe that the solution is more awareness. This is like saying that if a canary dies in a coalmine, the solution is healthier canaries. When the user fails, it is a failure of the entire system. The problem is not that users cause a loss, but that they can potentially initiate a loss. The solution is to engineer the user out of the process, or at least filter out an attack. When a user is in the position of possibly initiating a loss, you create a user experience and provide awareness to avoid initiating a loss. You anticipate the loss being initiated and put detection and reaction in place. We call this Human Security Engineering.

Security architecture is changing. Zero Trust is a response to accelerating trends that include flexible working, bring your own device (BYOD) and more services moving to the cloud. The increasing complexity of enterprise infrastructure has outpaced legacy methods of perimeter-based network security, which are also insufficient for preventing lateral movement once attackers have breached a network boundary. We need a new security paradigm. “No trust without verification" - removing inherent trust from the network and gaining confidence in users, devices and services - can be challenging to implement in a complex and shifting landscape of people, processes and systems. This session will focus on guiding principles and practical techniques that can be applied to plan your journey to Zero Trust in a complex hybrid environment.

Since 2006, PCI DSS compliance has been required for any company that stores, processes or transmits credit card data. But as networks, payments and applications get more complicated, and security threats increase, so too do the potential PCI solutions. This panel brings some of the smartest and most experienced PCI professionals in the industry to the table. They have seen the best and the worst in the payment industry, and will share the successes to make you effective, and a number of horror stories so you don’t lose your job. The panel will detail a number of eloquent solutions to common PCI issues, and answer pesky problems that are plaguing attendees. No good question will be left behind.

This presentation provides hands-on guidance of resources, methods and techniques available to investigate blockchain-related illicit usage. It also expands understanding of how cryptocurrencies can circumvent the requirements of KYC and AML to support the facilitation of illicit transactions, as well as how to follow the money to locate and possibly block their liquidation.

Data is the digital currency of today. Access to data via APIs can enable digital transformation and at the same time allow malicious attackers to subvert the enterprise software supply chain. This API-focused approach leads to one directive: Enterprises must implement secure APIs to protect the data at all costs. To operate successfully, these secure APIs use a validated identity authorization to scope them to least access while at the same time remaining agile to DevSecOps flows allowing privileged access when needed. This session provides a detailed technical architecture and operations model to use identity access validation and risk response to protect APIs against supply chain and other software subversion attacks against the organization today.

Cyber supply chain risk has become the most discussed topic in late 2020.The increased use of suppliers for various functions in the organization has made this even more important than before and, in this process, there is a loss of visibility of technology that is being integrated into the organization. Recent supply chain attacks and the constant discussion on cyber supply chain risk management raises the most important aspect for organizations - i.e., not evaluating the critical processes and their dependent suppliers and the impact of compromise. The solution to this challenge is by approaching it in two-fold processes (Internal to an organization and external to organization). It is time to integrate cyber supply chain risk management into enterprise risk management.

Recently, data surpassed oil as the world's most valuable asset. Current data protection methods have too many dependencies on systems and networks through which data passes. So far, attempts to solve this problem have not adequately minimized external dependencies. The self-protecting data concept, as a zero trust use case, involves adding protections to data objects to make such objects "self-protecting." The protections would include metadata tags and tamper-awareness and action logic that allows the data object to automatically, or remotely, choose courses of action when a given threat is detected. Artificial intelligence techniques are needed due to the complexity involved with managing numerous data attributes as metadata; the need for autonomous access control, infrastructure independence; and automation of detection, alerting, and response.

The internet of things (IoT) has been a significant advancement in technology, modernizing repetitive tasks, streamlining data collection, and providing new ways to collect, interpret and disseminate information. Numerous industries have benefited from advancements in IoT technology, including healthcare. Medical IoT (MIoT) has deployed several devices, including internet-connected sleep apnea machines, blood pressure regulators, glucose monitors and mobile echocardiogram and heart rate monitors. The advancement in MIoT has revolutionized the treatment of care. Both treatment facilities and patients perform a significant amount of care solutions from their homes, saving the patient time and money. The integration of technology to maintain potential life-sustaining functions within the patients comes with the challenge of ensuring that data integrity and patient safety are not compromised.

Doxing is a term derived from documents, and hence consists of collecting information on an organization or individual through social media websites, search engines, password-cracking methods, social engineering tools and other sources of publicly displayed information. The main purpose of doxing attacks is to threaten, embarrass, harass and humiliate the organization or individual. Various tools are used to perform doxing. Tools such as Maltego visualize an organization’s architecture, which helps determine weak links within the organization. This presentation discusses different ways organizations and employees can be doxed and suggests measures to protect against doxing attacks.