17th Annual New York State
Cyber Security Conference

9th Annual Symposium
on Information Assurance


June 3 - 4, 2014
Empire State Plaza, Albany, NY

Solving the Security Puzzle


Tuesday - June 3, 2014


11:00am – 11:50am (Ethics CLE Credit)

Recent Attacks on the Third Party Rule Create Greater Risk of Allegations of Eavesdropping and Illegal Searches and Seizures


Stephen Treglia

Absolute Software Corporation

Beginning in January, 2012, with U.S. Supreme Court Justice Sonia Sotomayor's concurring opinion in United States v. Smith, a generation-long practice of not requiring law enforcement to utilize a warrant when communicated information is shared with a third party has been brought increasingly into question. Growing public awareness of the kinds of information that can be collected as a result of online activity has generated a demand for a legal response to shield this information from law enforcement acquisition by less than probable cause and court supervision. Moreover, the awareness Edward Snowden has brought to the public of the actions of the National Security Agency in monitoring communications has significantly heightened the rhetoric on both sides of the battle. As a result of this growing pressure, court decisions have started weighing on both sides of this issue, turning what had once been a very bright-line standard into a muddy slope that becomes slipperier and slipperier. This lecture will analyze a series of court cases decided since Smith, along with unrelated legislative attempts to similarly alter the legal landscape, to demonstrate how truly tenuous this once clear-cut and definitive rule has become.

1:00pm – 1:50pm (CLE Credit)

The Executive Order on Cybersecurity and the Impact on Industry and Government

Robert Mayer


Exactly one year following the release of the February 2012 Executive Order: Improving Critical Infrastructure Cybersecurity, the National Institute of Standards and Technology (NIST) released their Cybersecurity Framework, which has spurred significant activity across the cybersecurity landscape. In addition, the Department of Homeland Security recently rolled out their Critical Infrastructure Cyber Community C³ [pronounced C-Cubed] Voluntary Program, which it too was required to develop as part of the 2012 Executive Order. The Communications Sector is working to adapt the framework for the broadcast, cable, wireline, wireless, and satellite industries within the current FCC Communications Security Interoperability and Reliability Council (CSRIC). Many enterprises have begun to incorporate this new framework into their risk management processes. This presentation will provide an overview of some of the major activities and accomplishments to date and the opportunities and challenges for all stakeholders going forward. With the Framework becoming the basis for voluntary use by many private and public-sector entities, this presentation will help participants understand the impact of these developments on policy, regulation, markets and business operations.

2:10pm – 3:00pm

Cyberbullying and the Police Response: The Bullet Doesn't Fit the Gun

Kathy Macdonald

Global Cyber Security Courses

As Internet use increases, so have cybercrimes, cyber-conflict, cyber-risk and the devastating effects of cyberbullying. Law enforcement is facing an uphill battle when responding to the unprecedented global increase in a broad range of technological crime. Should the public lower their expectation of law enforcement's ability to respond to every form of cyber-related crime?

Could cyberbullying instead be dealt with in the schools or handled by family? What role should websites and apps play when their platforms contribute so heavily to the problem? This presentation will discuss the role of law enforcement in battling cyberbullying and how the community could work more cooperatively with law enforcement to combat this growing problem.

3:20pm – 4:15pm

Retaliatory Hacking: Legitimate Corporate Defense?

Ronald I. Raether, Jr.

Faruki Ireland & Cox P.L.L.

The presentation discusses the most common of the various types of affirmative defense and retaliatory hacking activities, the possible legal and practical risk associated therewith, and viable alternatives that financial institutions may consider.

Mobile Security


BYOD: A Big Piece to Solving the Security Puzzle

Aaron J. Williams


Mobile security has evolved from traditional Mobile Device Management targeted towards corporate-owned devices to a model supporting increasing BYOD (individually owned devices) adoption. The challenges have increased, and the liability of separation between privacy and protecting corporate data has grown for companies. This presentation will outline the criteria to address these challenges and provide a framework for incorporating your business operations into the secure mobile workplace while maintaining the employee's personal privacy and experience.


Mobile for Education: Getting It Right the First Time

Eric Green

Mobile Active Defense

It's amazing how different education is for managing and securing mobile - but it sure is. Learn the importance of and how to build requirements from experience with the largest school district in the US among others. Understand device limitations as well as many device characteristics that are helpful for education that many (including the device manufacturers) are unaware of or don't understand the significance of.

Common pitfalls and wrong turns as well as success stories will be outlined. The goal with this session is to walk out knowing enough that you won't fall into the trap of having some mobile (MDM or otherwise) vendor be the one telling you what you can and can't do - you will have knowledge to both build and achieve your requirements.

Kids are smart, very smart. It's amazing how good they are with technology and getting to what they want even if they are not supposed to. Trick is staying ahead of that with proper security, BUT also using security and management that make it disadvantageous to try to circumvent. Want to know more - come to the session.

Business Need


Security Services Design in the Next-Generation Data Center

Ken Kaminski


The evolving complexity of the data center is placing increased demand on the network and security teams to come up with inventive methods for enforcing security policies in these ever-changing environments. The goal of this session is to provide participants with an understanding of features and design recommendations for integrating security into the data center environment. This session will focus on recommendations for securing next-generation data center architectures which are built for high availability and with asymmetric flows as a norm. Areas of focus include security services integration, firewall design considerations with both large scale physical firewalls dealing with north-south traffic and virtual firewalls focused on east-west server-to-server traffic, and considerations and recommendations for server virtualization including visibility from a threat defense perspective.


The Future of PCI: Securing Payments in a Changing World

Bob Russo

PCI Security Standards Council (SSC)

The presentation will address the following key elements:

  • An overview of the Council and its mission
  • What’s ahead with the new version of the PCI Standards
  • The future of the Council and its impact on the payments landscape
  • How to utilize new PCI SSC resources and training programs to address payment security challenges
  • Ways you and your organization can be more involved with the Council and its initiatives

The Internet of Everything


Emerging Threats in Cyberland: Is the “Internet of Everything” Everything It’s Cracked Up to Be?

Matthew Lane

Janus Associates

A look at the “Internet of Everything” including the bad things coming to your organization and home soon.

This presentation takes a serious look at the future and risks of living in a continuous and over connected environment.

In addition to the normal business of running a secure data center, organizations have adapted, with mixed success, to the need for remote providers to maintain the basic building requirements of electric, air, water and life safety systems. Now the refrigerators, vacuums and everything else found in society are ready to join the network as well.

Security polices, controls and resources have stretched to meet the challenge of BYOD, social networks and APT’s.

The security experiences learned in the business environment need to be adapted to the “Internet of Everything” as well.

Emerging Threats in Cyberland will explore the following topics:

  • What is the “internet of everything”?
  • What forces are driving the “internet of everything”?
  • Does the end user really benefit from all of these devices?  If not, who does?
  • The absence of security and privacy protocol standardization within “the internet of everything” and the resultant risks to government entities and businesses.
  • A look at some of the devices and “things”, and the data they collect, who sees the data, and how it might be used and misused.
  • The blurring and disillusion of boundaries between business and personal as a result of “the internet of everything”
  • A study of possible negative scenarios that could result due to data leakage
  • How to protect your organization and yourself from “the internet of everything”

1:00pm – 1:50pm

Securing Everything

Renault Ross


The Internet of Things is forcing government agencies to rethink their IT security strategy and to include security from the beginning. According to Gartner there will be nearly 26 billion devices on the Internet of Things by 2020. This session will explore a strategy to assist these organizations in ensuring security is an enabler to their business drivers, mission and strategic initiatives. The presentation will cover the blueprints for building a solid Security Program across their endpoints, mobile devices and tablets for administrators and users.


Torturing Open Government Data System for Fun, Profit, and Time Travel

Dr. Thomas P. Keenan

Centre for Military and Strategic Studies University of Calgary

"I'm from the government and I'm here to help you" takes on a sinister new meaning as jurisdictions around the world stumble over each other to 'set the people's data free'. NYC boasts in subway ads that 'our apps are whiz kid certified' (i.e., third party) which of course translates to 'we didn't pay for them, and don't blame us if somebody got it wrong and the bus don't come.' This session reports on my (and other people's) research aimed at prying out data that you're probably not supposed to have from Open Government Systems around the world. For example, Philadelphia, PA cavalierly posted the past 7 years of political contribution receipts which contained the full names and personal addresses of thousands of people, some of whom probably didn't want that information to be out there in such a convenient form. The entire database was also trivially downloadable as a CSV file, and analysis of it yielded some fascinating and unexpected information. Referring back to classic computer science and accounting principles like 'least privilege' and 'segregation of duties', the presentation will suggest some ways to have our Open Data cake without letting snoopy people eat it.


Architecture of Global Surveillance

Raj Goel

Brainlink International, Inc.

This presentation will discuss the origin of the modern surveillance state and what we can do about it.

Snowden, Anonymous, NSA, FBI, GCHQ, Boeing, China, Cisco, ATT, Verizon, Google, Facebook, GM, Ford, Apple, Amazon, your doctor, spouse, grocer, iPhone, Android, your child's school. What do they have in common? Each and every one is a spy. Individuals, corporations and governments have built the modern surveillance state.

Executive overreach, insufficient planning, systemic flaws, and blind faith in institutions have led to a global panopticon. Our jobs, social interactions and technology have made it extremely easy to become a spy...or a peeping tom. It's much harder not to look than to look.

App stores, vendors, governments have transmogrified society into the Truman Show. This presentation delves into how we got here, what lessons we have learned, what lessons we have yet to learn, and where we're headed.

Based on 10 years of research, this presentation will delve into history, technology, the Bill Of Rights, EU Privacy Charter, George Orwell and others to discuss the origin and architecture of the modern surveillance state and what we can do about it.

What's the difference between the US & China? US and Russia? Come and find out.

ID a Hack


Why You Are pwned And Don't Know It!

Ben Miller, CEH

Parameter Security

2013 was the year of the hacker. Network breaches made media headlines everywhere you turned. Was your company one of them? If not, did you check all of your systems, metrics, users, and logs to ensure unauthorized access did not occur? Did you find evidence of a breach? Of course not, you are GLBA/HIPAA/PCI compliant! That means you are secure, right? WRONG! In this eye-opening presentation, Ethical Hacker Ben Miller reviews network baselines and how Trojan activity (which could be on your network RIGHT NOW) is extremely hard to detect if you aren't properly looking for it. Using tools that are readily available to any wannabe malicious attacker, Miller demonstrates how hiding traffic in home and corporate networks can evade detection. The FUD will be kept to a minimum but the "secret" to protecting your networks will be unveiled.


The FBI Session

Michael Keller



Malware Root Cause Analysis: Don't Be a Bone Head

Corey Harrell

NYS Office of the State Comptroller

Computer users are confronted with a recurring issue every day. This happens regardless of whether the user is an employee doing work for their company or a person doing online shopping trying to catch the summer sales. The user is using their computer and the next thing you know it is infected with malware. Even Hollywood is not immune to this issue, as illustrated in the TV show Bones. The most common action to address a malware infection is to reimage, rebuild, and redeploy the system back into production. Analysis of the system to understand where the malware came from is not a priority or goal.

Root cause analysis needs to be performed on systems impacted by malware to improve decision making. The most crucial question to answer is how this happened, since it will determine if we were targeted and, more importantly, what can be done to mitigate this from recurring.

In this technical presentation Corey will discuss the root cause analysis process to determine how malware infected a computer running the Windows operating system. The topics will include: why perform root cause analysis, how not to perform root cause analysis, compromise root cause analysis model, attack vector artifacts, and multiple malware infection scenarios.


Your Security Efforts Are Futile: Why an Advanced Attacker Will Always Find a Way in Regardless of the Defenses You Have in Place

Tyler Wrightson

Leet Systems

In this talk Tyler confronts a fact that is staring us all in the face; no matter what defenses are in place any target can be hacked. Tyler will explain how we got to this point, what it means for most organizations as well as what the future will look like. He will discuss the big picture elements as well as some tactical points which lead to this undeniable conclusion. Tyler will review a set of enlightening empirical evidence that points to this fact, as well as cover some of his firsthand experience and relevant stories from his career as a penetration tester. Finishing with thoughts on what the future holds and what will be needed to defend your organization.

Threats and Reports


2014 Data Breach Investigative Reports: Ideas and Directions

Chris Novak

Verizon Business

The Data Breach Report is an internationally recognized report that brings together statistics and findings from investigative response organizations around the globe; as of 2013 there were 19, and more are being added yearly. The contributors include: The Dutch National High Tech Crime Unit, US Secret Service, Australian Federal Police, Irish Reporting and Information Security Service and Police Centrale-crime unit. Chris Novak is Managing Principal on the Verizon Investigative Response team and a contributing author to the Data Breach report. He is knowledgeable regarding data breaches, cybercrime and investigations worldwide. In this session Chris will discuss the current DBIR as well as the new approaches and methodologies used to improve it. The 2014 report is expected to look at patterns across industries, which should enable a more relevant focus, have additional root cause analysis and have improved information on breach impact and cost.


Rise of the Avengers: Evil, Innovation, and the Battle for the Future of the Internet

Greg Metzler


As a security professional, a scan of recent news headlines can be quite depressing. It seems like the bad guy is running all over the good guys. Retailers, banks, even government agencies are suffering major breaches in security. Money is being stolen. Secrets (both national and corporate) are being revealed. Personal information is exposed.

Boy do we need some heroes...

While the capabilities of individual threat actors have become increasingly sophisticated, and we will certainly dive into emerging threats and their potential (or demonstrated ability) to cause significant damage, the good guys have not been idle. Great threats often spark even greater innovation.

Take heed evil-doers. The good guys are smart people, too- and there are more of us...


2014 Global Security Report

Richard Schenck


Cybersecurity threats are increasing as quickly as businesses can implement measures against them. At the same time, businesses must embrace virtualization and cloud, user mobility and heterogeneous platforms and devices.

They also have to find ways to handle and protect exploding volumes of sensitive data. The combination of business and IT transformation, compliance and governance demands and the onslaught of security threats continues to make the job of safeguarding data assets a serious challenge for organizations of all types—from multinational corporations to independent merchants to government entities.

Today, organizations need not only to understand current trends in security threats but also be able to identify inherent vulnerabilities within existing systems. In the 2014 Global Security Report, Trustwave tested, analyzed and discovered the top vulnerabilities and threats that have the most potential to negatively impact organizations.


Resident Security System for Government/Industry Owned Computers

Dr. Victor Skormin

Binghamton University, State University of New York – SUNY

Slawomir Marcinkowski


Misuse of modern computer systems presents a formidable threat not only to the integrity and confidentiality of stored data, but to computer-controlled processes. Nowadays, most industrial, military and government processes are run through dedicated computer systems. Operation of such processes implies that the end user accesses such a process not directly but through a special computer interface by defining required operational regimes, or data to be retrieved, or information to be recorded, or data to be transmitted, etc. Then it is up to the computer to provide the necessary set point values to process controllers, to sample sensors, to perform search and retrieval of the requested data, to operate printers or computer graphics, to locate available communication channels, code and transmit data, etc. Examples go far beyond power plants and rocket launchers. The banking industry, insurance, libraries, data depositories and hospitals utilize their own dedicated computer facilities operating in this fashion. "Dedicated" is the key word - it emphasizes that these computer facilities run only a few preapproved applications and are closed to the general public. (In contrast, a university campus computer is open to the general public and runs virtually any application.) Attacking dedicated computers offers a highly efficient way to render useless the processes they service and compromise stored information.

We developed a novel cyber security technology intended for computers that run "only a few preapproved applications". It is based on behavioral normalcy profiling and operates on the level of functionalities, which provides an unambiguous representation of the goals of the particular applications. The approach reliably detects malware and non-malicious applications that are not approved for a particular computer system. A fully operational system prototype enhanced by advanced visualization will be demonstrated.

Wednesday - June 4, 2014

Business Need


Credit Card Security and PCI 3.0 – What Do You Need to Know?

Jeremiah Sahlberg

TekSecure Labs, a Division of Tekmark Global Solutions, LLC

PCI 3.0 is here. It took effect on January 1, 2014 and organizations have until January 1, 2015 to get on the new standard.

  • What you need to know about Credit Card Security and PCI 3.0
  • Details of 3.0 and what has changed
  • How do you get ready for the new standard?


Cloud Services and Business Process Outsourcing

Kevin Wilkins

iSecure LLC

Businesses have been outsourcing various processes and services for many years. Recently, IT services and applications have been moved to "The Cloud". What are the benefits and risks in utilizing outside parties vs. direct hires and internal infrastructure? What are some considerations in making a move to The Cloud safely?

This security-oriented presentation will cover both technical and business oriented considerations when utilizing cloud-based and managed services.


Social Media Considerations for Cyber Security and Crisis Response

Joseph Treglia

Syracuse University

Social media allows for greater information sharing and engagement with citizens and stakeholders by government entities. Still, there is no such thing as a free lunch: pitfalls, conflicts of interest and of course security issues must be addressed so that optimal value can be achieved, and unintended consequences avoided or mitigated. Current problems and approaches to social media are presented for various scenarios.


Running an Effective Information Security Program

Dan Srebnick

Technical Merits LLC

We've heard about cyber risk, defense in depth, data breaches and their inevitability. Is the situation that grim or is there an effective way to manage information security and achieve positive results? Dan Srebnick, retired CISO of New York City shares his thoughts, successes, and challenges after 14 years of running information security in NYC.

User Awareness


Badges, Bombers and Barbarians: 7 New Tactics for Arming Corporate Citizens

Reg Harnish

GreyCastle Security

While some security pundits evangelize the failures of security awareness training and corporate budgets wasted on human security, the rest of us persevere, knowing that awareness is but one part of the security equation. And while glorious triumph may be unrealistic, success is achievable to those that are calculated, rhythmic and committed. But you’re not going to get there with your grandfather’s awareness kit. Join us for a frank conversation on what’s working, what’s not, and 7 new tactics to make your awareness program more effective.


Cyber Security Strategy: Managing your Controls in the Context of Risk

Ben Densham


Organizations often implement multiple controls to address internal cyber security concerns. Many are implemented due to compliance pressures or driven by IT developments and changes. However, cyber breach reports frequently show that many implemented controls are not effective in preventing and detecting malicious activity when it occurs. Is this because they are not up to the job? Is it because they are incorrectly configured? OR is it because the wrong controls have been applied?

We will take a high level look at what is happening within both the threat landscape and the industry at large and ask the question: who is deciding what is to be protected and why within your organization? This question will form the basis for an understanding of the risks that need to be mitigated, the threats to be defended against and the vulnerabilities that should be addressed.

Understanding the right controls to implement and the overall objective is key for all organizations. What should your cyber strategy look like? How should this be governed and implemented? How do you measure the effectiveness of your controls? Ultimately, are you realizing and addressing the real risk to your business?

Incident Response


Death, Taxes and a Computer Incident: Designing Your Incident Response Plan

Tom Sammel

Dell SecureWorks

The average cost of a US data breach is greater than $4.4 million [1]. Aside from death and taxes, organizations have one more inevitable situation to worry about: a security incident on their computer or network. And when it strikes, you had better be prepared.

If you’ve ever wondered what you would do if your computer network were attacked or your entire website went down, and don’t know, you probably don’t have an effective tried-and-true Computer Incident Response Plan (CIRP).

Having a CIRP in place to help organizations stop the incident and repair the damages as quickly as possible could mean the difference between losing hundreds of dollars and tens of thousands of dollars. And conducting forensics after the incident could let you know who the hacker was and how to prevent future attacks. In this session, attendees will learn

  • What constitutes an “incident”?
  • How to prepare an Incident Response Plan tailored to their organization
  • Which people in the organization need to be involved in the planning and become a member of the Community Emergency Response Team
  • How to decide what systems are most critical to get back online first
  • What the best ways are to stop an incident before it spreads
  • How to conduct a tabletop exercise to test the organization’s ability to respond to an incident.

[1] Ponemon Institute, LLC, "Cost of Data Breach Study: Global Analysis"


The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Entire Kill Chain

Jessica Couto


Over the past decade, the volume of malware produced and potentially infecting organizations has multiplied by orders of magnitude. The scope of the threat, in conjunction with little to no innovation by traditional security vendors, has left organizations like yours vulnerable. The time is NOW to expand security infrastructures to include detection and response capabilities that allow you to fully scope, contain and remediate each threat in real time on your endpoints and servers. Join Bit9 to discuss the emergence of endpoint malware and the new class of security solutions that can detect threats early and across more points in the kill chain.



Encryption, Hashing, and Complexity, Oh My!

James L. Antonakos

WhiteHat Forensics

In this session James describes the techniques of encryption and hashing and the complexity of the algorithms that are used for both techniques. Insight into the techniques and complexity provides better understanding of the need for strong encryption keys, why brute force attacks can be successful, and why there is a need for both encryption and hashing.


Business Continuity in the Cyber Security Context

The NYS Forum Business Continuity and Information Security Workgroups

The NYS Forum Panel

You hear the phrase, “Cyber Security”. Cyber Security is protecting connected systems against vulnerabilities. Timely involvement of all business area leadership is crucial. That said, there might be opportunities to better integrate the IT response with the organization’s business continuity program and structure, so that if an event does occur, the organization can provide a timely and coordinated response. How do we obtain clear proof of data recoverability and security? How do we utilize business continuity for logging and backing up data to avoid destruction of evidence while shutting down access? How can we achieve this at a lower cost with more visibility on pricing? After all, cyber security incidents can have business continuity implications and impacts that extend far beyond IT.

This panel session discusses answers to these questions with an overview of the current security landscape, while providing a walkthrough of lessons learned covering additional topics such as contracts, security reviews, and plan development. We will discuss highlights of different actions an organization can take now to better align business continuity and cyber security efforts and increase organizational resilience.


Battling the Snowden Effect: Securing the Management Plane

Brian Ford

Cisco Systems

In the wake of a torrent of sensitive information disclosures by individuals who may have exploited their administrative rights and duties many IT organizations are re-examining how they secure the management plane of their IT infrastructure. This presentation looks at what type of access network administrators have to data that transits their networks and presents a number of solutions that can be used to put controls in place that safeguard data and the integrity of the administrators.


Adaptive Vigilance: Building the Capability to Detect Today’s Threats

Joe Magee

Vigilant by Deloitte

Over the past decade, defending against cyber attacks has become geometrically more complex. As more of society’s core infrastructure has become networked and digitized, electronic data, itself, has become a precious commodity, leading to the development of an increasingly sophisticated underground market in stolen data that has the ability to change rapidly to evade detection. Hackers are aggressively zeroing in on state organizations in an effort to extract the vast amount of citizen data stored in systems. And as more and more critical infrastructure – transportation systems, power distribution, and central communications – are operated through network-connected control systems, we introduce new potential for attacks that can seriously and rapidly impact public health and safety.

Despite the layers of best practices and security controls organizations have installed over the years, perfect security is impossible. Malicious actors shift tactics and procedures very rapidly to circumvent controls, and exploit gaps in our complex environments. While it is essential to be proactive in protecting what we can, it is essential to also invest in monitoring systems that can more effectively detect emerging threats and unusual patterns of activity that may indicate unauthorized activity. In this presentation, Mr. Magee will outline a risk-intelligent, threat-aware method for building detection capabilities that are tightly aligned with an organization’s top risk priorities, and help organizations better adapt to the constant flux of both the threat landscape and the IT environment. He will also address practical considerations for how to build improved capabilities within tight budget constraints.

Info Sec Program


Implementing Security While Under Attack

Michael Corby

CGI Technology and Solutions Inc.

Implementing a reliable security program is a complex undertaking under ideal circumstances. Successful security is exponentially more difficult when faced with the high potential for attack. This can come in the form of attention by criminals, terrorists, political opponents and sometimes unknowingly by unanticipated volume. Partners need to be more carefully selected and timely operational statistics are more crucial. This session will present some proven practices and creative ideas for implementing security with conditions that are less than optimum.


Organizational and Business Issues

Manny Morales

NYS Office of the State Comptroller

With the ever-growing threats of Internet breaches and intrusions, the reality of economic struggles within countries, and the skilled talent shortage, how can an organization cope in providing a Cyber Security program that can work? If you look at how a business is run, it is about profit and loss, marketing and creating new ideas, managing a budget, and acquiring talent. A Cyber Security program now needs to take these business issues more into consideration and not just view the issues from an IT perspective. The struggles of the new economy have changed the global economy, with the Internet being the engine that fuels it. The lone hacker will soon be no more. With countries and organizations looking to either make a profit or a political statement, running your Cyber Security program as an IT entity will no longer meet these challenges. In this session, the speaker will provide a new way of running a Cyber Security program. By looking at this from more of a business perspective, the attendee will learn to run their Cyber Security Program more like a business model than an IT entity.

Access Control


Access Granted. But to the Right Person?

Vik Bansal

Deloitte Consulting LLP

States have an obligation to protect citizen data and to securely exchange information with others when necessary. In addition, they need to ensure the protection of infrastructure to maintain the required level of citizen services for their health and safety. A fundamental necessity is to identify and authorize access to information and services based on trusted credentials from citizens, employees, and third-party providers. Agencies can better combat potential cyber risks with an effective Identity and Access Management framework that supports the agency’s business model. This includes understanding where organizations' digital identities live (in the enterprise, the cloud, or siloed services), what they can access, and to which job functions and processes they correspond. Learn how organizations have redefined the path to information to enhance their cybersecurity effectiveness.


Privileged Access Control and Security Strategy

Adam Gray

Novacoast, Inc.

Participants will get an understanding of the current trends that security engineering, security operations, and auditors face as they relate to security strategy, automation, and privileged access control (PAC). Topics will include private cloud automation, workload automation, reduced root/admin privilege techniques, and future trends. This session will also cover some of the regulations and reasons why this move is happening within regulated organizations.

Risk Management


Understanding the Risk Management Framework

Kelley Dempsey

National Institute of Standards and Technology

Risk cannot be eliminated, so we must learn to manage it! This session begins with a short discussion about the National Institute of Standards and Technology (NIST) and the Federal Information Security Management Act (FISMA) before turning to the NIST Risk Management Framework (RMF) itself. The NIST RMF is a comprehensive information security risk management process that is easily adapted to any size or type of organization. The six steps of the RMF and multiple associated guidance-based publications that facilitate RMF implementation will be detailed.


Security Frameworks, Strategies and Mitigation Efforts: Will They Work for You in Lowering Your Risk?

Peter Allor


Of late, governments around the globe are looking to secure not only their environments and citizens, but also critical infrastructures and the private-sector supply chains that keep government domains, and the services provided to private-sector organizations, operating on an ongoing, uninterrupted basis. With their priorities fixated on risk, organizations need to focus more on how they are securing their networks by reviewing risk management processes for business operations. Organizations also need to bring their IT department into this approach, as opposed to the best-of-breed point products traditionally used to offset new attacks and vulnerabilities. With this new outlook on strategy, this non-regulatory approach differs from the compliance checklist that many security professionals have used and brings back the focus and strategy of the business, transforming security from a ‘Doctor No’ to an enabler of business. In this standalone talk, Peter Allor will discuss this view and how security professionals can embrace and lead their businesses to a more secure process in the continued evolution of advanced federal threat protection.


Microgrids, Energy, and Cyber Security: What You Need to Know for the Days Ahead

Samuel Chun


The United States is becoming one of the global leaders in the ultra-fast growing microgrids market. Microgrids are expected to grow to over $25B and over 5 GW in the near future. What are microgrids? How are they different from traditional power generation, transmission, and distribution? What should IT leaders and security professionals know about this emerging technology? What threats loom ahead? This session will explore microgrids, where security practitioners will likely run into them, and the opportunities and threats they are likely to present to everyone in the near future.


Data Breach Protections: First Step, Risk Assessment

Robert Zeglen and Vince Hannon


When it comes to data breaches, the risks for organizations and individuals have never been higher, and prevention remains an elusive goal. From an organizational perspective, responsibilities for sensitive customer data continue to grow while, at the same time, the lines between corporate and personal computing are becoming blurred. Sharing sensitive data with one’s business associates is becoming a requirement for organizational success and client service. Traditional solutions that rely on containment within the corporate network and systems are being challenged by mobile device computing and outsourced systems. Before an organization can be certain it has implemented sufficient controls, it must first understand the problem, and this starts with a risk assessment. Risk assessments, when done properly, result in an organization understanding the touch points between its business and underlying information systems where breaches can occur.

The first step in protecting against data breaches begins with understanding just how your organization is doing business and what the risks are.

In this talk, NYSTEC will present an overview of how organizations should conduct risk assessments as a first step towards reducing the likelihood of a data breach. NYSTEC will also discuss some recent public breaches, examine the underlying causes, and look for patterns that should be influencing organizational risk assessments.


Deborah A. Snyder

Acting Chief Information Security Officer


Cyber Security