Acknowledgement to country and didgeridoo welcome with elder Gnar

eSafety Commissioner Julie Inman Grant outlines the world-leading work being done by her specialist investigative teams in tackling online abuse types, including disrupting the production and distribution of child sexual abuse material and abhorrent violent material. With a forward-looking focus and commitment to collaborative approaches, eSafety is leading by example in finding ways to harness innovation and cooperation to effect positive outcomes for vulnerable citizens in the online world.

Book signing with Dr Karl & Kevin Mitnick

Cyber security is a shared responsibility that forms a critical element of our national interest and economic prosperity. This shared responsibility is why consultation is a cornerstone of the development of Australia’s 2020 Cyber Security Strategy. The Australian Government is exploring how best to support market-led cyber security outcomes, shape and focus use of its cyber capability, and foster a cyber-smart community that makes informed consumer decisions. Action that focuses on speed, scale and impact is key to Australia keeping pace with worsening cyber threats and ensuring a secure foundation for our economy and community into the future. Hear about the new Strategy’s development to date and its nation-wide call for views

It takes one to know one. People are the weakest link. They can be manipulated or influenced into unknowingly helping hackers break into their organization’s computers. You’ll learn how easily you can be an unsuspecting victim who can be manipulated into handing over the keys to the kingdom if you haven't done so already. In this engaging and demonstration-rich experience, Kevin Mitnick illustrates how a hacker’s thought process works and how they ply their tradecraft. You just might realize that you—like almost everyone else on the planet—have a misplaced reliance on security technology, which has now become ineffective against a motivated hacker using a technique called "social engineering." Kevin is uniquely qualified to take you inside the mind of a hacker, as it takes one to know one. He was once the FBI’s Most Wanted, although he never stole for profit or damaged systems. He is the most elusive computer break-in artist in history because he hacked into the NSA and more than 40 major corporations just for the fun and adventure. Kevin is `now a trusted security consultant to Fortune 500 companies and governments worldwide, and he leads the world’s top security penetration testing team and they maintain a 100 percent successful track record of being able to penetrate the security of any system they are paid to hack into using a combination of technical exploits and social engineering. Kevin is the worldwide authority on social engineering and constantly improves and updates this highly effective and acclaimed "security awareness" presentation that illustrates the latest threats and risks most people don’t even know exist. You’ll learn how to detect manipulation and take steps to protect yourself and your organization. Gain the power to think defensively.

Wrap Up

Pre Dinner Social Event

Block Party

Critical Infrastructure organisations are increasingly targeted by threat actors. Based on lessons learned leading incident response for Oil and Gas companies in the Middle East, how can you improve your processes to protect Critical Infrastructure organisations. How do you manage communication, integrate with Emergency processes?

Remediation is a crucial step when recovering from an incident. Proactively implementing security controls and hardening an environment doesn’t need to wait until AFTER an incident has occurred. The presenter will detail common remediation strategies that are used when responding to breaches, in addition to risk-reduction methods that align to proactively applying a remediation strategy. This session will detail common remediation strategies that are used when responding to breaches – in addition to risk-reduction methods that align to proactively applying a remediation strategy.

Machine Intelligence plays a growing role in our lives. Today, machines recommend things to us, such as news, music and household products. They trade in our stock markets, and optimize our transportation and logistics. They are also beginning to drive us around, play with our children, diagnose our health, and run our government. How do we ensure that these machines will be trustworthy? This talk explores various psychological, social, cultural, and political factors that shape our trust in machines.

What are the places where credentials are stored? It is that easy to reveal them? Wherever and whenever you enter your password in the password field, there is at least one mechanism that must know it to use it later for the designed purpose. What is the risk to experience identity theft in the typical infrastructure? Could we rely on the identity in the cloud? Do cached credentials bring any danger? Can we just extract them and crack the password or use the value to do the pass the hash attack? One thing is for sure: Paula and her team made a DPAPI world discovery where they have reverse-engineered this mechanism to tell you right now how it works and if it is safe. Paula will demonstrate the technology weaknesses in credential security and specific misused actions within the operating system. You will learn the unexpected places your passwords reside, how the password attacks are performed, the typical paths where credentials can be leaked and how to prevent these by implementing various solutions. This session will be demo heavy!

As organizational Cyber Security practices get increasingly sophisticated and robust, attackers are shifting their focus. 2018 was dubbed by many Cyber institutions as the year of the supply chain attack, with Symantec citing a 78% increase from the previous year, and predictions that this will continue to grow. Getting a handle on your organization's supply chain can be a mammoth task, with the security posture and practices of these other parties being outside of your control. So how do you gain assurance over your supply chain and reduce the risk to your organization? Follow HBF through their journey in establishing supply chain risk management from the ground up. Including radical transparency on their challenges faced, and the systems, tools and processes that were employed to deliver meaningful change and a more sustainable future.

Vulnerable software gets built and shipped all the time. If it’s your job to either commission or oversee a software project, this talk is for you. Myth: software developers prioritise security as a matter of course. Fact: in the software world, security must be requested by the customer, and applicable security frameworks require significant expertise to apply correctly. Ergo, you’ll need to insist security is a priority and be armed with enough knowledge to ask the right questions. Come along to this talk to get a frank view of some of the biggest pitfalls in the software development industry and how to avoid ending up with a security lemon.

Privacy on the Internet is long dead. In the age of Surveillance Capitalism, the only "choice" left to avoid compromising one's privacy is to stay off the web entirely. The modern web experience is built on the same underlying technologies that site owners exploit for tracking and spying. Javascript, XML-HTTP-Requests, Cookies, HTML5 Canvas - these tools facilitate both rich user experience, and detailed user tracking. How can users retain some semblance of control over their browsing experience? Tools like ad blockers, cookie managers, and script blockers are no longer just for IT geeks, they are a necessity. Want to see what the web looks like when users try to reassert control though? Too often it is broken, barely functional, or just a blank page. This is what the Web has come to - an awkward Mexican stand-off. When privacy conscious users try to block or limit intrusive web technologies, site owners would rather break their sites than let those people use them without tracking. Big sites rely on their pull to coerce users into disabling their defences rather than lose access, a tactic that sadly often works. What more can we do to fight back?

There is an increasing acknowledgement of the importance of security awareness training in reducing cyber security incidents. As technical security controls have matured and become more sophisticated, cyber adversaries including criminals and nation-states have focussed their efforts on exploiting the human factor which is significantly cheaper and more efficient than investing in a technology “arms race”. While the focus on cyber security awareness is an obvious positive, many security awareness programs are still run rather ineffectively. This creates significant challenges including struggle to justify investments in awareness initiatives and worse, creating an overwhelmed or apathetic user base. This session will highlight the poor practices that afflict security awareness programs and discuss practical ways of creating effective programs through a combination of defined objectives, measurements, stakeholder analysis and consistent messaging. The session will also discuss the importance of moving beyond general security awareness to a holistic security culture.

Often it is weaknesses and vulnerabilities in the human part of our information security that compromises our information security. People, maliciously or through simple human error, are a weakness in our defences. Technology is central to identifying potential human threats and weaknesses, but information security is not just an issue of technology. Our language betrays how we see people, we talk about ‘social engineering’, ‘patching the human’, and building the ‘human firewall’. The sense is that we are wiring the human into the machine as just we would another technology component. In doing so, we limit the capacity and capability of the most adaptable part of our organisation and build the foundations for a compliance culture. More policy, procedure, process, risk management and technology are unlikely to ‘fix the problem’. The way forward is to see the people and culture of our organisations as the source resilience and adaptability in information security. There is a need to re-position people as a strength in a resilient information security system. We need a more complete cultural, behavioural, and organisational approach.

Having lived and worked in Hong Kong as a cybersecurity leader, Claire Pales had responsibility for delivering the first cyber security strategy and cultural change program for a regional energy company with operations in Hong Kong, Australia, India and joint ventures in China. In this session, Claire provides advice and thoughts on being an international and a local CISO across multiple organisations - what works, what doesn't and some tips for CIOs and aspiring CSO / CISOs.

There is a category of insider threat that has so far been under explored. This is the ‘everyday insider threat’, where people are committing small breaches of security policy, are aware that they are doing it but are not intending it to have a detrimental effect on the organisation. Motivations for these actions have, until now, not been explored in detail and yet the impact of these small breaches can have a disproportionate impact on an organisation. This talk will explore how current security research relies both explicitly and implicitly on rational choice models to explain employee behaviour. An examination of rational choice theory and behaviour change demonstrates that while this delivers effective interventions in some instances there is significant evidence to demonstrate exceptions to the applicability of the theory. The talk will move on to examine social loafing (including the sucker effect and the free rider effect) as an explanation for the everyday insider threat. Finally, a range of recommendations for interventions will be identified that focus on identifiability, feedback and evaluation; personal involvement of employees; social facilitation and group cohesiveness and morals, ethics and self-concept maintenance.

In a world where cyber security incidents are increasing in volume and in some cases complexity, simple and practical advice is essential to help small medium businesses in Australia stay ahead of the curve and understand how they can take responsibility for adopting foundational controls, creating a cyber aware and resilient culture within their organisations and ultimately becoming champions in their local communities by sharing their knowledge.

The Northern Territory Government’s cyber security journey has driven culture change across government, to transition cyber security from being seen as a handbrake to crash mitigation and an enabler in delivering digital transformation. This solutions-focused model has been recognised locally and nationally for providing improved cyber and information security across government and in challenging hospital environments to support service delivery.

Planning and responding to security incidents often includes detailed instructions and guidance on the appropriate and practical actions required to mitigate the organisation's exposure. Yet these actions must be undertaken by humans, humans who may be under extreme pressure. Individual responses during any crisis can be dramatically different and lead to additional negative outcomes. This session addresses some behavioral archetypes and alternative planning and management techniques that can minimise potential consequences.

Enterprises today must deal with the ever-intensifying threat of security vulnerabilities. From identifying potential attack vectors and susceptible systems, to deploying the required mitigation, time is a key factor to the outcome of a security event. The patching of security vulnerabilities in an enterprise network is complicated by the monolithic nature of network operating systems and must be balanced against the need to maintain a stable production environment. Enterprise networks are often comprised of multiple infrastructure platforms with a diverse feature set, and mitigating threats through network operating systems software upgrades can be both resource and time consuming. To address this problem, we developed a vendor agnostic automation framework which performs full regression testing, reporting, and automated software upgrades. This certification and deployment framework (otherwise known as NetDevOps) has reduced the time to certify and deploy network operating system code by 90% (weeks to days), thereby reducing an enterprise’s exposure to attacks due to security vulnerabilities for which vendors have provided a fix.

Many intrusion detection systems (IDSs) have been developed to protect and defend a system against insider attacks. Although the coreidea of an IDS is a reactive mechanism, it might not be effective for the intrusions which have already existed in the system by agile and intelligent attackers. Therefore, intrusion prevention systems (IPSs) have been developed to thwart potential attackers and mitigate the impact of the intrusions before the penetration. In this session, we would introduce two proactive mechanisms to achieve intrusion prevention in an Internet-of-Things (IoT) network. One is cyber deception, a proactive approach in cyber defence which adds an extra layer of defence onto the traditional security solutions. We could deploy simulated decoy IoT devices in the system to interact with attackers thus diverting the attackers from real devices. Another one is moving target defence (MTD), an emerging technique aiming at constantly changing the attack surface of the networks to increase the attack complexity. We could change the configuration of IoT system to increase the attack complexity thus confusing the attackers.

Over the past few years, application delivery has shifted from large-scale systems implementation to an ongoing collaboration between software development and IT teams. DevOps makes this shift possible by bringing business, development and operations teams together to streamline development and improve communication and collaboration, with a focus on applying more automated processes. Developing applications that are secure to the fullest extent possible “requires the right kind of top-down mindset from leadership to developers”. Getting DevOps teams to adopt security best practices often requires a cultural shift that starts at the top of the organization. It is important that we think about focusing on the culture. We need to have a culture where the IT teams could really lean on the security Teams in order to build true resilience in the organisation.

Businesses seek to transfer some of their cybersecurity risks to third parties through cyber-insurance. When Mondelez incurred $100m in expenses and losses recovering from the NotPetya ransomware attack, its cyber-insurer Zurich, refused to payout due to an ‘act of war’ exclusion within the cyber-insurance contract. As the parties ask a judge to decide who should bear the losses, is your business exposed to more risk than you realise? This session will explain to non-lawyers important information about a court case that may fundamentally re-shape the cyber-insurance market.

As our industry matures rapidly in the face of ever-advanced threats, the strategic CISO must seek to establish a pipeline of talent with the diverse range of skills required to tackle the threat actors. The ‘human factor’ in security is traditionally considered a weak spot, but with foresight and planning, the human factor within a security team can be its greatest strength.

Privacy by Design is a buzzword that sounds great but also remains shrouded in misunderstanding. In this session, participants will learn some practical advice around privacy by design and how building in privacy can help build trust with consumers.

Privacy by Design is a buzzword that sounds great but also remains shrouded in misunderstanding. In this session, participants will learn some practical advice around privacy by design and how building in privacy can help build trust with consumers.

Every new technology and platform has the ability to enable an abuser. It can also be our best weapon against them. Women and girls make up the overwhelming majority of victims trafficked for sex. The average age of a trafficked victim is only twelve years old. As technology advances we have the opportunity to use it for good or for evil. Why are people all over the world paying adults to force children to perform sexual acts in front of an online camera for their sexual pleasure and entertainment? Why are people having sex with children? Why do they get away with it? I am here to enlighten you on how you can be the change. How you can use a minimal amount of your time and skills to save 1 or more persons and change a generation. Through one positive choice of action by using your cybersecurity and other technology skills you can be the difference. Let’s be dedicated to ending child sex trafficking and the sexual exploitation of children. Let us not stop until every child, can just be a kid.

In the last few years, we have seen a number of classified documents leaked from Wikileaks. This includes the data dump from the CIA's entire hacking arsenal, which has been named Vault 7. The presenter sought to implement an attack capability based on information available to the public to see whether an individual could glean enough information to build their own cyber espionage tool.

Magecart is an umbrella term given to at least a dozen cybercriminal groups that are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. Magecart has gone from relative obscurity to dominating international headlines and ascending to the top of the e-commerce industry's public enemy list. WIRED named Magecart in its the list of ""Most Dangerous People on the Internet on 2018"". Responsible for recent high-profile breaches of global brands Ticketmaster, British Airways, ABS-CBN, Vision Express and Newegg, in which its operatives intercepted hundreds of thousands of consumer credit card records with CVV2 codes. Magecart is only now becoming a household name. However, its activity isn’t new and points to a complex and thriving criminal underworld that has operated in the shadows for years. In this session we’ll cover the evolution of the groups from 2015 to the present day, detailing the current tactics and techniques used to compromise website JavaScript and ultimately, the consumers of thousands of e-commerce sites.

In this talk we will look at the history of security within Mac OSX and how it has evolved over the years, this will involve taking a look at couple of vulnerabilities that have had an affect on the Mac OSX eco system. We will look at various examples of known weaknesses that attackers have taken advantages within the Mac OSX environment to both escalate privileges and maintain persistence, we will then take a look at what Apple has tried to put in place to mitigate those attempts and how some of those mitigations have been bypassed. We will then look at what mechanism Apple has deployed in Mac OSX exploit mitigations making life significantly more complex for attackers turning these bugs into attacks we will look at how these mitigations are making Mac OSX more resilience to cyber attacks in current landscape.

In this talk we will look at the history of security within Mac OSX and how it has evolved over the years, this will involve taking a look at couple of vulnerabilities that have had an affect on the Mac OSX eco system. We will look at various examples of known weaknesses that attackers have taken advantages within the Mac OSX environment to both escalate privileges and maintain persistence, we will then take a look at what Apple has tried to put in place to mitigate those attempts and how some of those mitigations have been bypassed. We will then look at what mechanism Apple has deployed in Mac OSX exploit mitigations making life significantly more complex for attackers turning these bugs into attacks we will look at how these mitigations are making Mac OSX more resilience to cyber attacks in current landscape.

Earlier this year during a high assurance activity for a company we'd discovered a peculiar issue with a Domain Name Server provider that sparked alot of consternation with our client and even internally at the risks of modern DNS providers. Whilst businesses are securing aspects of their organisation within their control, more often than not 3rd party service providers are responsible for introducing risks into the business and DNS hosting solutions are no exception. This talk explores our discovery process of one such bug and its risks, evaluates a selection of DNS service providers within Australia and provides guidance for Australian businesses on securing their DNS infrastructure.

Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and tech challenges with some common mistakes made in real-life deployments with some real life. We'll also be looking at my ongoing research about how easy (or not) it is to get a container or Kubernetes cluster hacked on purpose.

Software security is usually concerned with issues like buffer overflows, SQLI, integer overflows, format string vulnerabilities, and the usual OWASP top ten catalogue. What's rarely considered is its behaviour in the presence of faults which, combined with security-related code and in particular cryptography that's horribly sensitive to faults, leads to problems when the software is deployed into environments where faults are not only expected but a normal part of operations. This talk looks at situations where faults arise, and the range of software measures that can be used to defend against them affecting security-critical code.

Phishing is likely your SMB’s biggest threat, but what is your IT provider doing to prevent it? For less than $100, this threat can be essentially eliminated on your main accounts with hardware 2FA, so why aren’t more IT providers implementing these solutions? This session is a step by step guide on how you can engage with your IT provider around security. We will walk through how IT providers typically do IT security, and the vendor incentives behind the scenes driving their security decisions. At the end of this session, you will know; • The most common pitfalls SMB fall into when engaging an IT provider. • How IT providers package cyber security services • The questions you need to ask your IT provider

Using Invictus Games as a case study, this presentation will cover what we did and how we secured the Games successfully in six weeks.

Using Invictus Games as a case study, this presentation will cover what we did and how we secured the Games successfully in six weeks.

Security Architecture can have different objectives and function within an Information Security and Risk practice. There are various factors that influence how security architecture is approached including organisational size, industry sector and risk profile. This session will begin with a level-set of the evolving security architect role and the typical activities we have come to expect from this function. A case study will detail a particular practical approach and perspective to strategy, security programs, frameworks and security service catalogues. The session will also discuss some of the challenges such as the disconnect between the CISO, Security Operations and the business, how that manifests itself in the real world, and recommendations on how you might improve these relationships.

Alicia Kozakiewicz will share her story of surviving an Internet luring, abduction, and captivity. While Alicia's experience may be harrowing, her ability to transcend tragedy and dedicate herself to protecting other children is inspiring. She will discuss the aftermath of recovery and the process of reunification. Alicia will provide alternative practices for handling endangered child cases and give unique insight into the phases of abduction, survival, recovery, family reunification, and resilience.

The past decade has seen a growing trend of sharing child abuse images and videos over Internet. Automatic large-scale image and video analyses becomes essential in the investigation of the crimes related with child abuse. In this talk, I will introduce a large-scale clustering system capable of grouping images and videos based on the unique “fingerprint” information of the source cameras used to capture them. By organizing and matching illegal images and videos, this system enables forensic investigators to search for abusers and victims on Internet and build stronger court cases.

We will explore the drivers for automation in cyber security operations before exploring the types of cyber processes ripe for automation. We will finally conclude with strategies or approaches to consider when attempting to incorporate automation into your cyber strategies.

As companies, governments and individuals scramble to protect important data and critical systems such as roads and power supplies from cyber threats, we overlook data sets that are perhaps even more valuable. In a global environment of cyber-attacks, information manipulation and grey-zone cyber conflict aimed at disrupting nations and in particular western democracies, the threat to our national identity assests is real. These assets are the evidence of who we are as a nation - from our electronic land titles and biometric immigration data, to the outcomes of our courts and electoral processes and the digital images, stories and national conversations we are having right now. Anne will explore the value of Australia's identity assests and the consequences of not protecting them now and into the future, and what needs to be done to ensure their safekeeping.

In a world where cyber threats seems to be getting more complex and prolific, this presentation removes the technical jargon and explains what cyber threats really are by identifying actors and motivations to real events, giving the audience a real sense of the challenge that awaits: • It connects cyber events to real actors and geopolitical events reported in the press • Provides a clear view of the real challenge regarding cyber threats, including motivations • Explains how to go about quantifying cyber threats, in a defensible manner • It identifies alleged state sponsored cyber threat actors alleged crimes committed

In November 2018, the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 234, making the board of regulated entities accountable for ensuring the adequacy and sustainability of their information security program. The CPS 234 comes into full force in July 2019 with a 12 month extension for third party supplier contracts until July 2020. This standard firmly puts cyber risk management as a business issue demanding business boards to justify the sufficiency of their efforts, beyond adopting best practices in their cyber risk programs. The cyber risk quantification process is the foundation for dimensioning the adequacy of these programs. A structured quantification approach helps to explain the assumptions, data sources and methodologies used in the analysis. This gives transparency to the analysis process, builds confidence in the results and nurtures consensus. While recognised quantification methods for other risk classes (such as Value-At-Risk for modelling financial risks) are available, cyber risk quantification is often done with “gut feeling”. This is due to the rapidly evolving nature of cyber-attack techniques. This presentation explains how to apply the time-tested Open Group Factor Analysis Information Risk (FAIR) framework to assist in developing a mature CPS 234 Readiness program.

Here at PayPal, we understand that modernizing the Information security model in a fast moving enterprise requires both an understanding of the principles that drive the priorities of an organization and a fundamental grasp of the related risk landscape. Simultaneously, utilizing an iterative and strategic approach to tackling that rapidly changing environment requires an organizational design with iteration and impact at its core. In order to tackle these challenges, Information security at PayPal, is adopting a CARTA (Continuous Adaptive Risk and Trust Assessment) methodology to not only rationalize and iterate through the programs, resources, and outputs of the organization, but to culturally shift the mindset of leaders and employees to embrace a dynamic and measured landscape by design.

This session will utilise a case study from the Australian Parliament to outline steps to create a practical cyber security strategy for your organisation. The session will outline key activities that organisations can undertake in the Predict, Protect, Detect and Respond domains to develop a cyber security strategy within an organisation. The session will provide a real-world approach to communicating the strategy to business leaders and provide examples of how the strategy can be operationalised through an integrated program of work.

The origins of international law date back to the dawn of trade. Dissimilarly, the origin of the Internet is measured in decades, but not unlike the need for trade, the economic growth and power of the Internet has changed the nature of global commerce and invoked descriptive terms such as the ‘digital economy’ and the ‘Fourth Industrial Revolution’. How do we define cyberspace? Can we disassociate political dogma and leadership personality from the debate on who or what should be controlled in cyberspace? It is clear that a need exists for control of an environment that resembles a virtual real-estate empire that is both multi-stakeholder and yet individualistic, with highly parochial independent and collective legal structures. The incursion of cyber into such defining elements such as our critical infrastructure and our daily lives through IoT begs the question of what we are trying to keep safe, and how do we guarantee that safety or protection. Is this a new or expanded role for FS-ISAC, or the ISAC concept of which there is no native equivalent in the AP region? States are all jockeying new cybersecurity law to suit their own remit. How do we manage the cross-over between state sovereignty and personal or individual rights? The ISAC model is well proven as a PPP intermediary of choice, and yet we are still constrained by nation-state borders and governments that exercise hegemony over collaboration. This presentation will briefly explore how the ISAC model could provide the key for achieving international consensus.

IoT security talks are ever so popular but they are more often than not, mainly theoretical. Following the successful Mirai attack via security cameras, we decided to see if vendors have adapted accordingly. We went online and got a couple of the more popular wireless IP cameras and got research teams cracking. It didn't take long to find some basic risks such as un-encrypted communication and lack of login field validation enforcement. That allowed us to create fake users and hide them quite well. Following these simple findings we were confident that there are many more to come. During this talk we will present our findings and the impact they may have on a user's security. We will show how these devices expose more than just your private video stream but also how these devices can track people, trigger a powerful ransomware attack, and build a powerful bot-net.

Teachers, come along to the Australian Cyber Conference 2019 conference to learn from industry professionals and take part in a specialised professional learning session designed to enable you with the knowledge and learning resources to inspire students to consider cyber security as a future career. Today Australia faces a workforce shortage of 18,000 professionals in the rapidly growing field of cyber security. These professionals will help protect our future economy by ensuring that emerging areas like artificial intelligence, data analytics, robotics and medical technology remain free of cyber threats. Jobs in cyber security are in-demand, well-paying, flexible and rewarding. To inspire the next-generation, the Australian Signals Directorate has sponsored the ASD CyberEXP, a free online program designed to introduce Australian secondary students to career pathways in cybersecurity through the perspective of ASD experts. The PD workshop will provide teachers with background on why all students need to understand cyber security, how to introduce the ASD CyberEXP in the classroom, additional teacher PD opportunities, and related cyber security learning resources and activities for students.

Teachers, come along to the Australian Cyber Conference 2019 conference to learn from industry professionals and take part in a specialised professional learning session designed to enable you with the knowledge and learning resources to inspire students to consider cyber security as a future career. Today Australia faces a workforce shortage of 18,000 professionals in the rapidly growing field of cyber security. These professionals will help protect our future economy by ensuring that emerging areas like artificial intelligence, data analytics, robotics and medical technology remain free of cyber threats. Jobs in cyber security are in-demand, well-paying, flexible and rewarding. To inspire the next-generation, the Australian Signals Directorate has sponsored the ASD CyberEXP, a free online program designed to introduce Australian secondary students to career pathways in cybersecurity through the perspective of ASD experts. The PD workshop will provide teachers with background on why all students need to understand cyber security, how to introduce the ASD CyberEXP in the classroom, additional teacher PD opportunities, and related cyber security learning resources and activities for students.

Reality shows that it is not easy being a chief information security officer (CISO) nowadays, and it never was. Threats are growing everywhere across the technami that spreads in our societies. Both cyber criminals (back hat hackers) and insiders (disgruntled employees) represent high risks to the corporate world. Confidential and personal data is stored in data centers, laptops, mobile devices, cloud services, IoT devices, etc. and the attack surface is continuously growing. How does a new generation CISO tackle new threats, assess company's risks, and communicate smoothly with various teams having different priorities ? In this talk, I will share my journey to become an ethical hacker and CISO, with my takeaways and challenges across the Asia Pacific ecosystem.

Reality shows that it is not easy being a chief information security officer (CISO) nowadays, and it never was. Threats are growing everywhere across the technami that spreads in our societies. Both cyber criminals (back hat hackers) and insiders (disgruntled employees) represent high risks to the corporate world. Confidential and personal data is stored in data centers, laptops, mobile devices, cloud services, IoT devices, etc. and the attack surface is continuously growing. How does a new generation CISO tackle new threats, assess company's risks, and communicate smoothly with various teams having different priorities ? In this talk, I will share my journey to become an ethical hacker and CISO, with my takeaways and challenges across the Asia Pacific ecosystem.

Unless you’re in UI or UX, you may not think about the thousands of interactions you have with your environment every day. Between the subconscious cues you get from a doorknob or the instructions you read in an app, how effectively or efficiently you operate in your environment is enormously impacted by design. Now, what if design nearly turned a preventable problem into a nuclear meltdown? (It almost did!) And what if design could make you and your team more effective attackers or defenders? (It can!) In this talk, Aaron will discuss concepts you can apply in your workspaces to prevent your worst day.

The ICT Security Indigenous diversity challenge is one that should affect us all. By understanding and identifying the barriers that face Indigenous participation we can all work together to provide employment pathways for our First Nations people. Why should this be important to our industry in 2019 and what does success look like? How long will it take to get there and importantly, how do we know when we get there? Where in cyber land are the resources available to organisations who are looking for Indigenous engagement and support.

We’d all be paying $200 for an average cup of coffee in just 10 years from now if inflation increased at the rate of cybercrime. Perturbed by this, four years of gruelling research went into understanding why it continues to spiral out of control despite increased expenditure. What was discovered was disturbing and not what you might expect. As cybersecurity professionals, we are making seven grave mistakes that leave us feeling as though we are losing the battle. That's the bad news. The good news is that with a slight shift in how we look at the problem and think about the solution we can turn these mistakes into winning moments. So let's change the rules, up the game and fight cybercriminals the way we were supposed to. Be the first to learn how the wrong beliefs, thoughts, words, perceptions, approaches, strategies and metrics are giving cybercriminals an unfair advantage and get practical tips you can apply to take your career to a place where you get the recognition you deserve and the budget you only ever dreamed of.

The number of potential sources for generating DDoS attacks has increased significantly with the rapid growth in IoT devices in smart homes. The race between providers of IoT devices and services to be first-to-market has resulted in minimal attention on security, thus making these devices vulnerable to cyber-attacks. Ease of access to such large numbers of rogue IoT devices increases the possibility of generating huge attack traffic volumes that can cripple the defence at the victim’s network perimeters. Research has shown that the most effective way of preventing high volume DDoS attacks is to perform distributed filtering close to the source of traffic. This raises the challenges of how an ISP can detect rogue IoT devices within their networks, and process the large volumes of traffic to detect these rogue devices. In this talk, we will give an overview of this major research challenge and highlight the scalable machine learning techniques that we have developed as the basis for a managed service to detect infected IoT devices and automatically explain and visualise the unusual characteristics of their network traffic. We will demonstrate the effectiveness of these techniques in terms of results on real-life traffic from a home network deployment.

The way we type, the things we say, the habits and behaviours we have all build a picture of who we are. Knowing what “normal” behaviour for each of your employees can be powerful knowledge in detecting and stopping advanced cyber-threats. If someone begins writing messages that aren’t typical of their normal tone or personality type, this information could be indicative of a compromised account or insider threat. Using these indicators of compromise, in combination with network indicators and user behaviour analytics, we can gain deeper insight into a difficult threat vector. In this session we will discuss the power of network and user-generated content analysis for improving your security posture.

On occasions, a cyber breach is so serious; an investigation is required to identify its full extent and who is behind the attack. When referring your complaint to police or a civil lawyer, the location of the breach (the cyber crime scene) is reviewed to ensure your scene and evidence management is of a standard acceptable to a court. If it fails this test, your complaint many be difficult to progress. This session will introduce you to the cyber crime scene and how to identify, seize and preserve evidence that can be used to help identify the attacker.

Book signing with Dr Karl & Kevin Mitnick

Historically, incident response has long been considered as an approach to managing the aftermath of security breaches when the incident occurs. Many organizations develop an IR process in the hopes of nothing will ever happens. However, while the tactics and procedures of threat attackers have evolved rapidly, and cost of conducting attacks has become much lower nowadays, it is time to realize that "You Will Eventually be Compromised". In this talk, we aim to discuss the question “Why traditional incident response is not enough?” We will present several real-world case studies, including a case how we helped an organization in Asia to mitigate the severe APT attacks from 4 APT attacker groups they were facing in the past 5 years, and a victim suffering from supply-chain attack. With these cases, we will explain how we transform defence mode from passive to proactive, and share the methodology of intelligence-driven threat hunting. Outline: - TeamT5 Research Introduction - Cyber Espionage Observations in 2019 - Real-world case studies with several cases - How we helped them to deal with and solve the problems - Threat intelligence and proactive threat hunting

Come and see the best of the best battle it out! Five startup founders will show you what they have been working on to disrupt the market. The challenge of the CyberCon Innovation Sandbox is to outline the problem the startup is solving, the solution, and why it matters - in only 3 minutes - to an expert panel of judges. Each founder then faces a further 3 minutes of questions, before the judges vote on which startup has the most promise. Will you agree with their decision? Facilitator: Judy Andersen, CEO Startup VIC Judging panel: Michelle Price, CEO at AustCyber, Kylie McDevitt, Director Emerging Technology and Engineering at ACSC, Alex Woerndle, Deputy Chair of AISA and John Karabin, National Director, Cybersecurity at Dimension Data.

CISOs are notoriously time-poor, and are inundated with new vendor products on a weekly basis. The risk of innovation can be high, and decisions to use new products can come under increasing scrutiny from corporate boards. It’s hard for a startup to compete in this environment. Yet winning those first customer logos is a surefire way to build the credibility - and funding potential - of a startup. What are the factors that will help get (and keep) the attention of a CISO? How can CISOs better equip themselves to be open to startup innovation? Facilitator: Susie Jones, CEO, Cynch Security CISO Panel: Craig Templeton, CISO, REA Group and Kristin Lyons, CISO, Australia Post

A robust startup ecosystem has a healthy mix of courageous and creative founders, supportive corporate customers, VCs keen to invest, and experienced entrepreneurs keen to share their experience. In Australia, we have a fast-growing but fledgling cyber security startup community and we are seeing global success with companies like BugCrowd, ThreatMetrix, Secure Code Warrior and Cloud Conformity. But do we have the right ingredients for ongoing success and growth? What is the one thing which would make a difference to change things up? What does success look like in 5 years? Hear the frank perspectives of a startup founder, an ecosystem builder and a VC on how they rate progress. Facilitator: Kirstin McIntosh, Head of Partnerships, CyRise. Speakers: Jeff Paine, Founder and CEO, ResponSight and Prerana Mehta, Chief of Ecosystem Development, AustCyber and Ulric J. Ferner, Principal at Right Click Capital

The elusive PoC (Proof of Concept) can change the trajectory of a startup. Getting your solution into a business, having access to their data, and using their feedback to iron out kinks to ensure you're solving a real business problem is incredibly important for start up success. With a spotlight on the current AGL and Cydarm Technologies PoC, Samm MacLeod, CISO at AGL, and Vaughan Shanks, co-founder and CEO of Cydarm Technologies, will discuss the ins and outs of securing and running a successful PoC. Facilitator: Dr Omaru Maruatona, CEO and Founder of Aiculus Speakers: Samantha MacLeod, CISO at AGL and Vaughan Shanks, Co-founder and CEO of Cydarm Technologies

This presentation will outline how data governance underpins a successful cyber security program. It presents a case study of the UNSW data governance program and how it fits together with the cyber security, risk and privacy initiatives.

As organisations are building digitally smart asset portfolios to increase their Return on Assets (ROA), gain insights to optimal performance, and enable automation in the Asset, the risks associated with cybersecurity have become an area of focus to asset managers, executive leadership and Boards. While an increasing number of asset managers globally are embracing the disciplines and benefits of ISO 55001 (asset management), technologists are in parallel pursuing ISO 27001 (information security management) to secure digital information. It can present an apparent dilemma of choice in selecting suitable management system to embrace digital assets. This paper explores an integrated approach, the opportunity to seek compliance and certification to both ISO 27001 and ISO 55001 using a Unified Management System covering both standards. This paper also examines how a certified system can operate effectively in a diverse organisational ecosystem.

The Victorian government consists 3 446 public sector bodies, 297 016 employees, 3 404 separate boards with 32 208 board members, $69.5 billion annual revenue and $247 billion in assets. In March 2018 Shane was appointed as the first whole of Victorian government assistant CISO. During this interactive session, Shane will go through key lessons that he has learn in the last 18 months and provide an opportunity to answer questions from the audience on key challenges and direction for the future.

Where the use of tech involves personal data, security is a necessary condition for ensuring privacy... but, on its own, it is not sufficient. This session will identify key elements of privacy protection that are often missed when IoT/ data driven technologies are deployed in society, and will highlight the powerful opportunity for privacy and information security professionals to bridge the gap.

The 2018 update to Australia's Cyber Security Sector Competitiveness Plan highlights the need to develop the cyber security skills of students to address the cyber security workforce gap. The first of its kind in Australia, the Schools Cyber Security Challenges (SCSC) is a collaborative partnership led by the Australian Computing Academy at the University of Sydney, with the support of government and industry. The SCSC teaches Australian high school students foundational skills in cyber security, such as information security, cryptography, network security and application security. These topics are delivered in conjunction with the compulsory Digital Technologies Curriculum being implemented in every state and territory, and also raise awareness of the many opportunities and careers in cyber security across many industries. Employees from ANZ, BT, Commonwealth Bank, NAB and Westpac – from CISOs to graduate analysts – have drawn upon their experiences and expertise to assist with content development, and to ensure that the activities students complete genuinely reflect the many opportunities available to cyber security workers. Two months from launch, the challenges have already been experienced by over 15,000 Australian students. With wider industry involvement in the future, the goal is to have every student in Australian schools engaging meaningfully in cyber security education.

Did you have frustrations about computing at school? Are you worried that Australian kids aren’t learning about cyber security? Want to know how you can help? The introduction of the Digital Technologies curriculum in Australian schools is an opportunity to address these concerns, but many teachers aren’t sure where to start or lack the knowledge and expertise to equip their students with the skills they need. The Schools Cyber Security Challenges (SCSC) have been developed by educators and industry professionals to meet the needs of the Australian Curriculum while developing foundational cyber security knowledge and skills. To have the greatest impact, helping teachers and students nationwide get started with the challenges will be critical. In this think tank session, get hands on with the SCSC activities and the supporting materials designed to make cyber security accessible to all teachers and high school students. Find out what they’re about, experience them yourselves, and learn how you can help teachers deliver them in their classrooms.

The best metric to rate your effectiveness of your security program is dwell time. Simply put, dwell time is the period between the initial compromise of your systems to when you detect the attack. The lower the better. Dwell time is also a key success metric for attackers, but the opposite holds true. Are you doing the right things to reduce attacker dwell time? Where should you start and what measures should you put in place right now?

Sarah is a security professional and has worked in tech for about a decade now, but she had a not-so standard start into the IT industry, and eventually found her way into security. In this talk, Sarah shares how - as a contrary teenager - she definitely didn't do what everyone will tell you to do career-wise but still managed to build a successful security career, and how we need to embrace individuals with non-linear careers to address the skills shortage in cyber.

How the heck did they land that awesome job? - understanding the critical elements for building career success and how a structured approach, including managing up, down, left and right can help you navigate the potential pitfalls of career success.

With cyber incidents ranked at the top of the Allianz Risk Barometer 2019 and around US$600 billion (A$847b) is lost globally to cyber-crime each year, you could be forgiven for assuming that there is a seat reserved for the Chief Security Officer (CISO) in every boardroom. However, despite the increasing risks -and costs in cyber security, and the critical role CSOs hold in an organisation, it is rare for a CISO to have the ear of those who run our largest, and often most vulnerable, companies. Cyber or information security executives are tasked with a tall order protect companies’ assets, mitigate costs associated with stolen intellectual property, halt damage or destruction of proprietary data, avoid disruptions to critical operations, and maintain confidence among customers, investors and employees. This session will discuss how CISOs can elevate their profile and their access to the boardroom and build their management, influencing and stakeholder relations skills. We will discuss the opportunities ahead for CISOs who wish to develop their careers and influence.

Big data is being trialled or used by many businesses to help discover security anomalies or to provide unique insights to detect and respond to security attacks that might not be detected using traditional security tools. However, practical experience has produced varying, and in many cases, unsatisfactory results. The promise hasn't lived up to the hype. This session will discuss real world experience using big data ñ lessons learned, what has worked (and what hasn't), key considerations, and what is needed to get a successful outcome. And how to assess whether your organisation might be ready or suited to using big data to provide a better security outcome

Technology lawyers Alex Hutchens and Will McCullough share their experiences and answer your questions based on their considerable experience dealing with mandatory data breach notification compliance. This will be an interactive session so come prepared to ask all those nagging questions that you’ve had since the law changed in February 2018. We’ll be discussing: • how to know if a breach needs to be notified; • what is meant by serious harm; and • examples (good and bad) of responses to data breaches. Since this session is discussing real world examples, it will be of equal value to those who are aware of the mandatory data breach notification regime and those who are new to it.

Acknowledgement to country and didgeridoo welcome with elder Gnar

Open by Mike Burgess

Computer security is no longer about data; it's about life and property. This change makes an enormous difference, and will shake up our industry in many ways. First, data authentication and integrity will become more important than confidentiality. And second, our largely regulation-free Internet will become a thing of the past. Soon we will no longer have a choice between government regulation and no government regulation. Our choice is between smart government regulation and stupid government regulation. Given this future, it's vital that we look back at what we've learned from past attempts to secure these systems, and forward at what technologies, laws, regulations, economic incentives, and social norms we need to secure them in the future.

New technology, improved processes and broad workforce education are all required for a modern security posture. Adopting a new approach requires cultural change within an organization, but it also requires a diverse set of skills. This presentation is based on the CompTIA Security report and examines: The State of Security New Technology Considerations Building Processes End User Issues Next Steps

Join in this interactive session with American journalist and investigative reporter, Brian Krebs

Join in this interactive session with American cryptographer, computer security professional, privacy specialist and writer, Bruce Schneier.

Book signing with Dr Karl & Kevin Mitnick

MC - Abbas Kudrati

Designing a secure architecture can always be more expensive, time-consuming, and complicated. But does it make sense to cut corners when hackers invent new attacks every day? Taking shortcuts will sooner or later translate to more harm and backfire. Come to the session and learn what mistakes we eliminated when working with our customers.

Privacy and security overlap in so many significant ways. But security experts usually have technology backgrounds, while privacy has traditionally been owned by legal or compliance teams. It can sometimes feel like these two kinds of experts are speaking entirely different languages! 20-year privacy veteran Kasey Chappelle, of eBay, Vodafone, Amex, and now fintech startup GoCardless, guides a workshop where we'll discuss common terminology and complementary skill and explore practical areas where working together makes both programmes stronger, like using cybersecurity and privacy frameworks together for joint reporting, combining threat modelling with privacy by design, building vendor due diligence programmes, and more.

James O’Loghlin is one of Australia’s most respected, entertaining and experienced corporate speakers, corporate comedians and media personalities, best known as the host of over 300 episodes of the much loved The New inventors on ABC TV, and for his witty and entertaining programs on ABC Local Radio. From 2009 to 2014 James hosted Sundays Evenings nationally on ABC Local Radio. From 2004 to 2011 he hosted The New Inventors on ABC TV. From 2002 to 2007 he hosted The Evening Show on 702 ABC Sydney and ABC Local Radio around NSW and the ACT. He has been delighting corporate audiences for over a decade and is equally at home giving keynote speeches on innovation, giving witty after dinner speeches acting as MC for awards nights and conferences and facilitating panel discussions. From corporate and criminal lawyer to stand-up comedian and then media personality and presenter, James has a wealth of experience. It was his role as host of The New Inventors that fuelled James’s interest in innovation, a subject upon which he now regularly gives keynote speeches. In them he shares practical techniques we can all use every day to become more innovative, and discusses ways in which companies can create a culture that encourages innovation. James is also a highly experienced and very entertaining MC, panel facilitator and after dinner speaker. He is a favourite with Australian audiences and event planners, with hundreds of successful live events to his credit. James is the author of seven books including Innovation is a State of Mind – Simple Strategies to be more Innovative in what you do. He has also written How to Balance Your Life and Umm…A Complete Guide to Public Speaking, and he teaches and coaches public speaking. His first novel for children, The Adventures of Sir Roderick the Not-Very-Brave was published in 2014 and won the Speech Pathology Australia award for the best novel for 8 to 10 year olds. His second, Daisy Malone and the Blue, Glowing Stone was published in 2015 and his third will be published in August 201

A critical data security challenge for modern organisations is how to manage supply chain cyber risk, and their potential security exposure due to the third parties connecting into their systems such as upstream service providers, and downstream clients or stakeholders. This session will explore key solutions and trends around supply chain risk assessment, due diligence and governance, incident response, data control strategies, regulatory challenges, and insurance solutions. The aim of the panel is to provide attendees with an end to end understanding of practical steps they can take to better manage supply chain risks within their own organisations. The panel will also explore how developments across the Australia landscape and the wider Asian/Oceania area are influencing the way organisations look at supply chain risk and best practice strategies. The session will leverage the panellist broad background of experiences which cover cyber governance, IT security, incident response, legal, insurance and loss adjustment work both within Australia and internationally. Panel facilitator: James O'Loghlin. Speakers: Ben Di Marco, Cyber Specialist ANZ at Willis Towers Watson, Georgina Crundell, Cyber Security at EY, Timothee Grange, , APAC Managing Director at GM Consultant and John Karabin, National Director Cyber Security at Dimension Data.

Red teaming in Australia is in limbo. To some, the phrase is purely marketing buzzwords, to others, it can mean any one of a number of things. Without a solid definition, it is difficult for an organisation to ascertain exactly what to expect when they engage a consultancy to deliver a red team, and this needs to change. This talk therefore aims to: • Address the current state-of-play; • Discuss the definition of red-teaming across the international security industry, and what that means for Australia; • The benefits of being on the receiving end of a red team; • Run-through of a typical campaign; and • Outline how an organisation can assess whether or not red teaming is the correct choice given their current posture to inform future security strategy.

IT professionals are in increasing demand and play an integral role in business transformation. Cybersecurity is an emerging area of the IT sector requiring a greater pool of IT talent to meet Australia’s future needs. Barriers to Entry The Chief Scientist of Australia has published research which demonstrates that girls and women face persistent cultural barriers negatively impacting on critical academic subject and career selection. The STEM pipeline loses females at every stage despite there being no innate cognitive difference in results. Barriers Beyond Once women have overcome the barriers to selecting a STEM career, they face systemic and structural impediments to progressing from graduate through to management levels. Annual remuneration surveys by the ICT Professionals Association show entrenched workplace practices resulting in high attrition rates and occupational segregation contributing to the persistent gender pay gap. Increasing the talent pool of the IT work force to prevent skills shortages is a mainstream workforce development issue and involves increasing the STEM pipeline as well as addressing entrenched work place practices which shut out women. There are changes that companies can make which will impact their ability to attract and retain female talent.

For more than 20 years information security and cyber security has been developed from a foundation rooted in traditional warfare. The term firewall dates to 20 B.C. Hundreds of billions of dollars are being invested in cyber security worldwide each year and yet, outcomes are getting worse. Some estimates suggest by 2025, $3 trillion in losses will occur due to cyber crime and fraud. Which should be leading us to ask a very simple question. What if we are doing cyber security all wrong?In this session Richard Bird will share his experiences and discoveries from having run one of the largest identity control functions in the world. Richard believes that the sufficiency and effectiveness of asset-based security and traditional warfare models expired several years ago and that the reason that hackers and nation-state actors are winning is because their methods mimic guerrilla tactics by focusing on people instead of assets. Richard will share a number of thought exercises, use cases and approaches that you will be able to use to begin the process of orienting your own cyber security strategy toward identity-centric security.

It's a too common frustration aired at IT security community functions - that "the boss simply ignores my expert advice". The reality is that often support decisions are required from non-technical managers and executives. If they don't have the technical background with which to evaluate your advice and proposals, they will judge you and your advice using other criteria. This session will describe what a security technologist has learnt about the psychology of decision making and influencing people. The author has never formally studied psychology, but has read widely in order to communicate security risks more effectively. With a little awareness you can better under understand how your 'bosses' make decisions. With this in your tool bag, you can present advice and proposals in a manner that is much more likely to obtain the decisions and support that you're after. The author has been using this information and has seen greatly improved acceptance of advice and risk assessments.

Technologies and their coincidental obligations have brought legal practices under the spotlight as places of business holding distinctly private, personal, proprietary, strategic and privileged information or data. The area of cyber law and litigation remains relatively untested in Australian courts; however the principles of privacy, client rights, duty of care and due diligence are well established. Cyber safety is a fundamental component of modern legal practice and legal practitioners are expected to uphold the highest standards for their client records and data. Legal practitioners have become proxy cyber advice givers for business and individuals and Australia and the Australasian region are moving towardrs holding practitioners accountable where it has been insufficient. Relevant and timely cyber advice will be as pertinent as the specialist legal advice given.

Are Australian businesses prepared to defend against a credential abuse attack?The Kasada teamcoupled their knowledge of the attacks with some innovative research to measure Australia’s attack readiness.

Australia’s new Encryption Law* empowers security agencies and police to require a huge range of technology and communications companies to provide them with “assistance” to help fight crime and terrorism. But the law was rushed through Federal parliament at the end of 2018 and only now is the tech sector waking to the serious implications of the law. This session will give you practical information about:•Who the law will affect: including software companies, data analytics agencies, electronic gamescreators, entities whichsell services using the internet, component and equipment manufacturers and telcos(and everyone in between). •What the agencies can demand that you do –for example, introduce vulnerabilities or spyware into your system or equipment.•Whether you will be compensated for your “assistance”.•How the agencies can demand you cover up what you’ve done.•The substantial penalties for failure to comply.•How the law is already scaring international tech companies away from working in Australia.* Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.

Companies design cyber security frameworks and work environments around an assumption that people weigh up all available information about processes, policies, procedures, and training before making a decision. However, decision making is far more complex, and traditional training methods, education and incentives are often ineffective. Our research suggests that it is critical to understand how perceptions, behaviours and organisational culture drive cyber related decision making. This approach can inform blind spots within and outside of cyber that can impact strategic outcomes and investment decisions. Our interactive session and case studies will help participants understand how to adapt and operationalise a behavioural approach to manage the human element of cyber.

Drones have been used in terrorism, red team engagements and delivering contraband with little regulation to standardise threat and reaction activities. Its a rapidly developing area which strings together the areas of Software Defined Radio, InfoSec and physical-kinetics into one little, affordable, powerful hovering laptop.Over the past four years I've studied off-the-shelf drones and their strengths, weaknesses, vulnerabilities and vectors of offensive exploitation. I've hacked, hijacked, analysed and investigated their various incidents and involvements. I will introduce you to some of the core concepts to understanding drone security, the various components that are affected and several offensive and defensive measures organisations can undertake

Core banking and financial systems are moving into the cloud. This talk will focus on the strategy, the technology, and the review process that customers use to move their most important systems into the cloud. Regulation plays an important role in defining how these systems must be secure and resilient, and this talk will dive deep into the regulatory context. In this session nib Group will discuss, as regulated insurer, about their preparations to move a System of Record to the cloud - with a specific focus on the platform they built to meet their security, risk and resiliency requirements. Come to this talk to learn what they did, what they learned on the way and hear their guidance on how you could do the same.

What was once a harrowing new experience is now more commonplace but that doesn’t change the fact that presenting to the board or executive teams is a daunting task for security leaders. And, in 2019, superstar security leaders will be expected to go beyond providing a PowerPoint presentation to their boards of directors on the state of security. Principal Analyst Jinan Budge has been speaking to board members and executives in her global travels to better understand how security and risk affects their roles, decisions, and line of questioning for you! She’ll share this unique insight with you and provide her recommendations for effective board communication

Working in a manner similar to people identification through human fingerprint analysis, multimedia forensics through device fingerprint analysis has attracted great attention among researchers, practitioners and law enforcement agencies around the world in recent years. Device information, such as model and serial number, stored in the EXIF are useful for identifying the devices responsible for the creation of the images and videos in question. However, stored separately from the content, the metadata can be removed and manipulated easily. Device fingerprints deposited in the content by the imaging devices provide a more reliable alternative to aid forensic investigations. The hardware or software of each stage in the digital image acquisition process leaves artifacts in the content, which can be used as device fingerprints. This talk will start with a brief introduction to various types of device fingerprints and their limitations. A more focused presentation on the sensor pattern noise (SPN) will be given because of its capability of differentiating individual devices of the same model. SPN’s application to source device verification, source device identification, common source inference, content authentication and source-oriented image clustering will then be presented. A number of real-world forensic cases based on SPN will also be covered.

Can you describe your cyber security product or service in one sentence? Are you using plain English when talking to your audience? In this talk, you’ll learn how to simplify your language and craft powerful narratives to ensure your audience has a better understanding of what you offer. Learn what other organisations are doing – both within the cyber security sector and more broadly. What’s working? What’s not working? What can you do to amplify your key messages? Being aware of the way you communicate can have significant benefits. If your customer understands what you offer, they are better engaged. This leads to greater influence, and ultimately, better impact.

In the excitement of providing services and making sales, it can be challenging to consider the risks until it all goes bad and the lawyers are called in, however there is commercial and strategic benefit in considering the legal ramifications of certain actions (or inaction), especially with information and cyber security. Common services such as penetration testing, incident response or malware analysis have the potential to expose individuals and companies to criminal sanctions and personal liability. Knowing and understanding where risks are likely and the worst possible outcomes, can enable you to capitalise on commercial advantages and ensure that the risk management and mitigation approach is appropriate. In this presentation, we will look at the application of Australia’s cybercrime laws, contractual issues which commonly arise and privacy concerns in providing cyber security services.

Turn on breakfast news and chances are you'll hear about the latest data breach. Another database has been dumped and another million people have had their credit card details stolen. How'd they do it? SQL Injection. SQL Injection is a common vulnerability found in websites and mobile applications. I'll introduce you to it, how it works, how to do it yourself and how to fix it. There will be classic hits, select memes and enough info so that when you get home you can take down your own website and make it rain data.

The identification and management of risk is a complex process in any organisation. Assessing security against a control baseline, let alone when combined with ad-hoc security management and investment, can sometimes be as bad as doing nothing. With an increasing degree of business and regulatory requirements and the instant media attention on security failures, a more tailored approach to risk identification and management is vital. We can’t protect everything equally and there must be a balance against organisational risk tolerance and available resources. This should lead us to an important question: how can we appropriately prioritise security needs and provide assurance with confidence? To do this well, we need to look at the entire security posture based on threats and the risks they pose. Through critical asset identification, threat modelling and the utilisation of a tailored risk matrix, organisations can use risk based decision making to prioritise security investment, boost their overall security and better meet their compliance requirements.

Another pen test, another repeat finding. Repeating a process doesn’t often result in an improved or different outcome. More often than not, you may just end up with more of the same - the same vulnerabilities, existing over multiple years, with little overall improvement. But what if we were able to accurately quantify the cost of not remediating a vulnerability and then use this to prioritise remediation? Find out how PwC’s Cyber Security Consulting practice combines Purple teaming and risk quantification activities to rapidly identify security weaknesses and drive prioritised remediation by using risk quantification methodologies

A booming industry with a significant skills gap, students interested in pursuing a career in cyber security are told they won’t have much trouble finding a job when they finish. But this is easier said than done. This talk will look at my journey into my first cyber security role after completing 17 years of study

Learn the most common security misconfigurations that face customers in the cloud, and simple steps you can take to prevent them. We will demonstrate the latest best practices and lessons learnt in automation with a focus on incident response.

Australia’s new Encryption Law* empowers security agencies and police to require a huge range of technology and communications companies to provide them with “assistance” to help fight crime and terrorism. But the law was rushed through Federal parliament at the end of 2018 and only now is the tech sector waking to the serious implications of the law. This session will give you practical information about:•Who the law will affect: including software companies, data analytics agencies, electronic gamescreators, entities whichsell services using the internet, component and equipment manufacturers and telcos(and everyone in between). •What the agencies can demand that you do –for example, introduce vulnerabilities or spyware into your system or equipment.•Whether you will be compensated for your “assistance”.•How the agencies can demand you cover up what you’ve done.•The substantial penalties for failure to comply.•How the law is already scaring international tech companies away from working in Australia.* Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.

A practical presentation by an experienced commercial and technology lawyer, covering the following themes: • The law requires a holistic approach to cyber resilience. What are your legal obligations to build cyber resilience and respond to attacks? How to stay on the right side of the law (and your stakeholders and shareholders). • Everyone is talking about cyber security but what should you actually do? An overview of practical steps to take to manage actual security, legal liability and reputation.

Security operations centres are becoming large and complex environments, and the existing model of displaying complex data to personnel on hardware screens is reaching both physical and two dimensional limits. In addition, it’s becoming more common for large environments to provide contextually relevant data to personnel with different roles (with different authorisation) and sometimes in a multi-tenanted manner. Physical screen real estate delivered to a fixed location is simply not able to cater for the accessibility of such requirements. Using Virtual Reality (VR) to visualize and enhance complex data, and to present in contextually can help a security analyst identify and respond to threats faster and more intuitively. Further, through the adoption of multi-factor authentication, and remote access, personnel are able to use virtual reality headsets to support accessibility requirements of today’s multi-tenanted environments. In this presentation, Chris and Jared will discuss the innovation being developed within IBM Australia to deliver to these requirements and how customers around the world are driving a new way of interpreting security operations data.

There's a common theme when an Australian business becomes a victim of cyber-crime: they don't know where to go. Do they approach the state police, federal police, the Office of the Australian Information Commissioner (OAIC), Australian Cybercrime Online Reporting Network (ACORN), or go somewhere else entirely? Drawing on his experience working closely with law enforcement departments and legal counsels, Sophos’ Global Solutions Engineer Ben Verschaeren’s ‘You’ve been breached, now what?’ session will provide attendees with the knowledge they need to respond to an incident, including which levels of law enforcement to involve and when.

You use your mad tech skills and knowledge to help protect your company’s information assets. You know how to extract the IOCs (Indicators of Compromise) from the different alerts from your security appliances. You’re also your family’s go-to-person when things go awry with their digital devices. Yet, it feels that it’s a losing battle when it comes to scams and other online shenanigans. You wonder what else you can do to help your loved ones and community. Join Gyle as she talks about scams, the social psychology behind this and how you can be your community’s blue team defender.

Threat intelligence allows organisations to make informed, data-driven security decisions based on today's threats, including how to efficiently address gaps and weaknesses in their existing security posture. This is unlike the traditional, outdated risk assessment methods that companies previously relied on to quantify their risks. Bryan Sartin, Executive Director of Global Security Services from Verizon will demonstrate how businesses can best prioritise and direct resources where they are needed most, while providing executives and board-level members a measurable view of a company's overall risk. Assisting leaders to better understand a company’s security risk will allow them to better manage budget priorities, investment measures, and industry benchmarking.

The practice of Cybersecurity looks to be fast moving on the surface, but in reality it does not change much especially in one key area. We don’t ever seem to get any better at it. Ransomware attacks have increased by 47% since WannaCry in 2017. In Australia, akin to the rest of the world, healthcare – followed by the financial sector – are among the most targeted and vulnerable sectors. This keynote will explore the past, present and future themes of cybersecurity, resilience, skills gaps and why we will always be susceptible to social engineering. It will also provide insights for organisations and cyber professionals for how they can be better prepared.

As the cyber landscape in critical infrastructure evolves and external dependencies grow more complex, managing risks attributable to exploitable software in network-connected devices includes requirements for security and quality with ‘sufficient’ test regimes throughout the software supply chain. The Internet of Things (IoT) is contributing to a massive proliferation of a variety of types of software-reliant, connected devices throughout critical infrastructure. With IoT increasingly dependent upon third-party software, software composition analysis and other forms of testing are used to determine 'fitness for use' and trustworthiness of assets. Standards for measuring and sharing information about software security and quality are used in tools and services that detect weaknesses and vulnerabilities. Test and certification programs provide means upon which organizations use to reduce risk exposures attributable to exploitable software. Ultimately, addressing software supply chain dependencies and leveraging high assurance test regimes enable enterprises to provide more responsive mitigations for cyber-attack surface