Sessions

We are delighted to present our guests for the GoSec2020 sessions. As you will see below, we have a wide selection of industry experts and specialists who will speak on a broad range of topics, including audit and governance, risk management, research and operational security.

Register for GoSec and you will have access to all of these sessions. Check back often for ongoing updates.

Keynotes

Ethical Hackers and the Amygdala

Sixty percent of hackers don’t submit vulnerabilities due to the fear of out-of-date legislation, press coverage, and companies’ misdirected policies. This fear is based on socially constructed beliefs that the amygdala processes. This talk focuses on how to increase public awareness in order to change legislation to support ethical hackers, end black-hoodie and ski-mask imagery, and encourage organizations to support bilateral trust within their policies.

Learn more about Chloé Messdaghi...

Hacker-Powered Data: The Most Common Security Weaknesses and How to Avoid Them

As software dependence grows and data volumes swell to new highs, security teams often see a deluge of incoming vulnerabilities from scanners, pen tests, and bug bounty programs. Using eight years of never-before-seen data from 1,800+ bug bounty programs and over 160,000 valid vulnerabilities found, this talk offers a focus for security teams based on analysis of what hackers actually exploit in the wild and what companies actually value. Attendees will discover common weaknesses such as Violation of Secure Design Principles, Information Disclosure, Denial of Service, VPN and Cryptographic Issues, and how attackers could exploit these prevalent vulnerabilities. Walk away with insights into the most common security weaknesses to better defend against them.

Learn more about Miju Han...

Let us have a VERY frank conversation…

Information Security is at a painful point in its development. It has failed to deliver on many of its promises. It has held itself up as the savior of businesses and has spectacularly failed to deliver. The industry is rife with misinformation, marketing hype and false promises. How DO we navigate through this, how do we see the woods for the trees, AND how (as an industry) do we regain trust from those charges we have so far failed to protect?

This is going to be a series of blunt statements, followed by some home truths on what AND how we have to fix our industry. How we leave security behind and talk risk, how we collaborate AND change our approach and language when dealing with businesses AND how we change the symmetry and focus from one of attack to asymmetric defense. What and how we do that will be discussed.

Learn more about Chris Roberts...

Incident Response Lessons Learned From the Front Lines

At any moment, day or night, your organization can be victimized by devastating cybercrime. You can’t predict when cyberattacks will happen, but you can use proactive incident response to quickly mitigate their effects or prevent them altogether. It's essential to have an effective security program, including incident response, to protect your organization.

How prepared are you?

Information security success relies on people, policy, process and product; however, we are only as strong as our weakest link.

Please join this session to hear from Daniel Wiley, our Head of Incident Response, who will discuss lessons learned from the front lines and how you can prepare, respond, and mitigate risks.

Learn more about Daniel Wiley...

Sessions

No Privacy without Security

We are collecting and generating data at an unprecedented rate and there is no end to it. The volume, velocity and variety of data collected, transmitted, and stored is associated with numbers that hardly anyone fathoms. What is a quintillion? A lot of data! While a lot of companies still struggle with basic security, they now get run over by privacy. The GDPR in Europe has caused a landslide of privacy legislation left, right and center. A good example is the CCPA. In addition, a lot of existing privacy legislation is not well understood or even known. A lot of what privacy is most concerned about can be met by good old-fashioned security controls. So let’s see what the marriage between security and privacy looks like in a day-to-day operational program.

Learn more about Sabine Lainer...

The right to an expectation of privacy in criminal matters and information technology: issues and state of affairs in 2020

The notion of an expectation of privacy in criminal law has evolved considerably over recent decades. Once associated almost exclusively with a person's home, the spheres of our private life are now found in a constantly evolving digital world, which represents a significant challenge for police organizations, but also for any organization (college, university, private company, etc.) that discovers criminal offences being committed from its infrastructure.

In recent years, the country's courts, notably the Supreme Court of Canada, have rendered several decisions on the right to privacy surrounding information technology. From the seizure of computer equipment at an employer's premises, to screenshots of a Facebook account, to access to the text messages of a Messenger conversation, police authorities must often act with caution when it comes to taking possession of computer equipment connected to a criminal offence.

This talk aims to set out the state of affairs in 2020 in order to assist public and private organizations faced with such situations, and to identify future legal issues that could call into question the expectation of privacy in the digital domain.

Learn more about Maxime Laroche...

Digital identity, a pillar of the intelligent blockchain ecosystem

Interactions and processes in the digital world are limited by the lack of trust between participants. Digital identity is one of the oldest problems in computing.

A digital identity is a composition of several sources of information. The end result, the assembly of these virtual attributes, makes it possible to define a unique digital identity that is usable at a specific moment. Under no circumstances should it be under the control of private companies or enable mass surveillance.

The W3C consortium is the main international standards organization for the World Wide Web. Among its recent work, decentralized identifiers paired with verifiable credentials constitute a prime avenue for issuing content in the digital world.

These verifiable credentials can therefore be attached to the identity of a person, a connected object, a smart building, a smart city, an artificial neural network, and so on.

Come explore these new concepts.

Learn more about Francis Nadeau...

Blue team 101 – analyses, procedures and tips to get started

Threats and attacks against infrastructure are recurrent. We therefore constantly try to improve our systems in order to detect and prevent attacks. But are our analyses and procedures really oriented toward these objectives? We will address this subject through a few scenarios, at different levels of maturity, based on real cases we have observed. Finally, a few tips to help blue team members in their daily work.

Learn more about Mathieu Hinse...

Unicode vulnerabilities that could byte you

The number of Unicode code points has never stopped growing, and neither has its integration in modern technologies. Web applications you have developed or used are likely to support input and output formatted in the UTF-8 character encoding.

In this talk, you will learn about the security implications of encoding conversion. Normalizing a UTF-8 string to ASCII-only characters has numerous potential side effects. The latest research affecting Unicode will be summarized, including the HostSplit attack. The HostSplit attack abuses minor character conversions to trigger an open redirect or Server-Side Request Forgery (SSRF). Aside from normalization, uppercase and lowercase transformations can introduce vulnerabilities. Encoding can be used to circumvent security controls such as Web Application Firewalls. Additionally, punycode is the new representation used to support domains with special characters outside of ASCII. This representation can be used to create visual confusion for end users.

While some issues were patched in major software, many risks remain or are likely to resurface. Get ready for a complete summary of everything security professionals should know about Unicode!

Learn more about Philippe Arteau...

Forget your Perimeter: From Phishing Email to Full VPN Compromise

Like it or not, the perimeter has been a necessary line of defense to protect corporate networks from adversaries. Virtual Private Network (VPN) appliances are exposed on that perimeter in order to allow employees or trusted third parties to access the internal network, a growing necessity in current times. But what if the appliance you trust is vulnerable and could be the very vector that leads attackers right in? This presentation summarizes an encounter with such an appliance during a penetration test. We will go over the technical details of two cross-site scripting (XSS), one XML eXternal Entity (XXE) and one command-injection vulnerabilities, all affecting the latest Pulse Secure VPN product. We will then integrate them into a realistic attack scenario that demonstrates how an external attacker with only a little bit of OSINT can chain these vulnerabilities to pivot into the internal network from outside.

All the vulnerabilities discovered and discussed in this presentation were responsibly disclosed to the vendor and a 90-day window will have been respected by the time of the presentation.

Learn more about Jean-Frédéric Gauron...
Learn more about Julien Pineault...

On the Shoulder of Giants: Reviving WSUS Attacks

In 2015, Paul Stone and Alex Chapman presented a novel attack at the BlackHat USA conference. Their talk covered their exploration of the usual enterprise deployment of the Windows Update infrastructure (WSUS) and culminated in the release of WSUSpect-proxy, a tool that allows attackers to inject malicious updates and compromise hosts during a Machine-in-the-Middle (MITM) attack.

Five years later, this tool has been poorly maintained and, even with this threat uncovered, we still see unencrypted WSUS servers in almost all our intrusion testing engagements. This highlights the fact that the threat is largely underestimated. First, the implementation encourages an HTTP-based deployment, which is vulnerable by design. Furthermore, even organizations willing to harden WSUS will struggle to achieve a secure deployment, since technical resources and online documentation are lacking. In an effort to nail the coffin shut once and for all on HTTP-based WSUS, we wanted to dig deeper into the issue and performed CPR on the WSUSpect-proxy tool.

This presentation will cover our research into WSUS, our new twist on the WSUS attack vector, and our revival of the WSUSpect-proxy threat model. Our research resulted in the birth of four different tools covering three different attack scenarios. Some scenarios include previously undocumented techniques, while others describe bounty-awarded, yet-to-be-disclosed Microsoft 0-days. This talk will bring value to both intrusion testers and defenders by covering both sides of these scenarios, from exploitation to detection and mitigation.

Learn more about Maxime Nadeau

Learn more about Romain Carnus...

Partner sessions

Machines making software: paving and maintaining the road with zero trust open source

Are we staking our future on a pace we haven’t yet learned to secure?

In a year-long collaboration with Gene Kim and Dr. Stephen Magill, we objectively examined and empirically documented software release patterns and cybersecurity hygiene practices across 48,000 commercial development teams and open source projects. Our research uncovered different development and cybersecurity hygiene behaviors across open source software that we categorized as Exemplars, Laggards, Features First, and Cautious.

In this session, I will reveal the insights we uncovered. Attendees will learn which techniques, team structures and release patterns have been championed by exemplary development teams at large enterprises and open source projects alike. I’ll then share observations of exemplary DevSecOps practices that deliver 50% more commits, release new code 2.4X faster, and remediate security vulnerabilities 2.9X faster.

Finally, I will point toward where these practices will intersect with AI to enable machines to build better applications themselves.

Learn more about Bryan Whyte...

Security in the age of Advanced Persistent Transformation: Fireside Chat

Today, the world is adapting, rethinking, reinvigorating and reinventing every aspect of how we live, work, communicate, collaborate, learn, transact business, even socialize. Right now, we are challenging assumptions that have held true for years, decades or even centuries, at an accelerating pace and degree of creative disruption never seen before. We are entering a new era of society where advancements and innovation will happen at exponential speeds and where the scope and degree of transformation and progress will be astounding. However, the speed and complexity of change itself is now beginning to create unintended consequences, expose new vulnerabilities and become a threat vector of its own.

Join Stan Lowe, Global Chief Information Security Officer of Zscaler and Kevin Magee, Microsoft Canada’s Chief Security Officer as they explore the ongoing history of the security industry, the evolving trends that will shape the future and what we need to do now in order to secure the age of Advanced Persistent Transformation.

Learn more about Stan Lowe...
Learn more about Kevin Magee...

A Hacker’s Dream: Unmanaged Privileges

In times of crisis, good security practices are often the first thing to go. Organizations are being forced to revisit their “temporary” remote working policies and tools. An expanding remote workforce can increase your security risk, especially if your IT and Support employees use non-secure remote access tools as temporary measures. Are temporary remote access tools making your organization vulnerable to cyber-attacks?

In this session you will learn:
  • Risks and security considerations related to an extended remote workforce
  • Vulnerabilities posed by remote working tools, such as BYOD and free Shadow IT solutions
  • Practical guide on how to quickly implement and scale strong security protocols to enable long-term remote work

Learn more about Christopher Hills...

Demystifying Privileged Access Management for SMBs

Analyst firms focus on Fortune 5000 organizations, while typical PAM vendors usually present their own solution as the “definite” PAM. This presentation will focus on what features constitute a PAM while describing a pragmatic maturity scale where SMBs can not only identify where they currently stand, but also identify strategies to advance to the next level.

Learn more about Maurice Côté...

SASE: New reality and cloud security

In the last 5 years, the world of IT has moved to the cloud. Business applications have moved to the cloud with Salesforce and O365. Storage has moved to the cloud with Box and Dropbox. Our data centers have moved to the cloud with AWS and Azure.

With the pandemic, our employees have moved to the cloud too, working from a branch office of one called “home”! When everything moves to the cloud, so must cyber security. Only one question remains: what does security in the cloud really look like?

Learn more about Nico Popp...

Lighting it Up – Building Playbook Heat Maps

This talk will discuss the process of building an adversarial playbook using the MITRE ATT&CK framework, based on years of experience at FortiGuard Labs. By understanding TTPs (Tactics, Techniques and Procedures), the way attackers move, a better defensive (Blue Team) playbook can be built to mitigate threats. This talk will examine how to take this approach one step further to light up campaign tactics using real-time data on popular techniques (sightings) to help CxOs prioritize their Blue Team playbooks.

Learn more about Derek Manky...

The Cloud: Security Threat or opportunity?

As more and more organizations move to the cloud for their essential information services, users are equipped to be more productive than ever. But does this productivity introduce additional risk to your organization? How can you ensure security for information that sits outside your datacenter? In this session, you’ll learn about the benefits that modern cloud computing provides, the additional threat vectors that are exposed and how cloud providers can help you mitigate these risks and more.

Learn more about Jon Rohrich...

A Paradigm Shift in Cybersecurity…Intelligent Network Security

Cyberattacks are ever evolving, increasingly using automation to morph and elude detection. Add to this an ever-expanding attack surface, rapid growth of both cloud adoption and remote users, and a flood of new, hard-to-secure IoT devices. Clearly, the enterprise threat landscape has never been more challenging.

Traditional manual and reactive security approaches are simply overmatched.

So, how do you proactively manage policy changes, protect devices and stop new threats? You need a radical new approach to network security that can scale faster than manual approaches.

Join us as we share our perspective on why cybersecurity needs a radical new approach - from an “always react” mode to a “proactively protect” mode. Our expert will introduce the radical new ML-based innovations in PAN-OS 10.0 along with a slate of brand new capabilities to help your network security stay ahead of threats.

Learn more about Ashwath Murthy...

A Hitchhiker’s Guide to the 2020 National • Industry • Cloud Exposure Report (NIER)

Rapid7 has built upon four years of work measuring the internet for the National Exposure Index (NEI) and Industry Cyber Exposure (ICER) reports to create the most comprehensive, modern atlas of internet-facing services to date. This session will provide an overview of the findings, including a comparison of the internet pre- and post-pandemic, along with a guide for how to digest the 150-page deep-dive into 24 critical internet protocols and services.

Learn more about Tod Beardsley...
Learn more about Bob Rudis...

Vulnerabilities in 2020: More to Review, Less Time to Patch

In the first half of 2020, and compared to 2019, there has been an increase in the number of vulnerabilities that organizations need to review and patch on a regular basis, particularly for Microsoft, as demonstrated by trends in numbers of Patch Tuesday disclosures. However, for the last two years, there has also been a decline in the average amount of time between vulnerability disclosure and exploitation. In this session, our researcher will discuss why effective patch prioritization is imperative for enterprises and individual users.

Learn more about David Carver...

The Neighborhood Watch: Using Continuous Monitoring to Increase Visibility and Effectiveness of TPRM programs

Visibility into our vendors' security controls and the effectiveness with which they are operating have been and continue to be some of the major challenges in the world of third party risk. This discussion will cover those struggles, the inherent limitations of the security questionnaire as well as how continuous monitoring tools can be utilized to shed light on the effectiveness of a vendor's security controls.

Learn more about Jonathan Ehret...

SOC Automation: Faster Decision Making and Response

Security analysts spend two-thirds of their time on triage and investigation. Why then do most security operations teams only automate response? In this presentation, Andy Skrei will share his experience automating the end-to-end security workflow while leading security investigations at one of the world’s largest online retailers and through working with many of the world’s leading organizations while at Exabeam. Attendees will learn about:
  • The productivity benefits of automating the entire SOC lifecycle
  • Ways to reduce the time to answer critical questions
  • How automating triage and investigations leads to quick, accurate resolutions

Learn more about Andy Skrei...

Scanning Isn’t Enough: Measuring true risk with a Risk-Based Vulnerability Management program

The threat landscape isn't just changing at blinding speed, it's expanding into areas and devices that many never considered before. Vulnerability Management (VM) tools have been around for many years, but like any other security function, they have had to adapt to account for the scope and scale of the devices security teams are protecting. In this discussion, we'll take a look at some of the challenges security teams are facing when trying to mitigate vulnerabilities across every type of asset out there. We'll also discuss how a risk-based approach to prioritization of vulnerabilities is a real force multiplier for security programs versus traditional VM methodologies. Finally, we'll review a data-science-driven model for assigning risk that, even as the threat landscape changes, demonstrates how these approaches can be brought together to answer the right kinds of questions your leaders are asking, which will improve your overall security posture and encourage a stronger security culture in your organization.

Learn more about Nathan Wenzler...

Digestible Cybersecurity Knowledge, with ten times the science

Making decisions based on science and evidence is easier said than done. SERENE-RISC is a Montreal-based, government-funded project that not only makes cybersecurity research available through efficient and free tools, but also provides linkages for business and government to interface with top academics nationwide. We provide hundreds of research summaries that can save you valuable time. To prove our point, this presentation will deliver the research findings from ten important studies from around the world. A low-fat presentation with 10 times the science.

Learn more about Michael Joyce...

The Impact of Digital Transformation in the Face of Today’s Threats

Digital Transformation and the rapid need to support remote workers for digital business processes took every industry by storm. This change has presented new risks, unlike what companies have seen before, and has created the greatest loss of visibility for security, auditing and quality control professionals since the emergence of the Internet. As companies continue to adopt new technologies like Google Suite, new ways of defending, evaluating, and delivering effective technical control capabilities are required to succeed in what has come to be known as "the new normal."

Taking a behavioral approach to security: how to stay one step ahead of your adversaries

Join LogPoint’s Jake McCabe as he discusses how thinking about security from the perspective of adversary behavior can help organizations better prepare for, detect, and respond to threats.

Too often, security organizations focus on signatures and IOCs to alert them to threats in their environment; however, this myopic focus can often leave them blind to the bigger picture, unable to ‘see the forest for the trees’. By focusing instead on adversary behavior, security teams can make it more difficult for their adversaries to evade detection, and they can even begin to predict where their adversaries might strike next.

The MITRE ATT&CK framework is one tool organizations can use to help take a behavioral security posture. The framework can help security teams assess risk, drive informed decisions, and help them to better understand how their adversaries typically behave.

User and entity behavioral analytics (UEBA) provides another avenue by which security teams can take a behavioral approach to security. UEBA complements and improves the fidelity of traditional signature-based detection methods to enable security teams to distinguish adversary behavior from normal behavior. UEBA does so by looking for anomalies or changes in behavior and then analyzing sets of anomalies which together could be indicative of particular adversary techniques.

Jake will discuss how these two approaches to behavioral security can be taken together and how LogPoint can help organizations improve their security posture by helping them take a more behavior-focused approach to security.

Threat Intelligence and DNS for Rapid Cybersecurity Incident Response

DNS is one of the only foundational IT services with threat intelligence built into the standard. Despite this fact, even advanced cyber teams are not taking advantage of the tremendous capabilities DNS offers to detect and respond to threats. In this discussion, Infoblox will demonstrate how to perform threat detection and rapid response with DNS, and why your current DNS infrastructure is susceptible to cybercriminals.

Guidance to a well-defined Privileged Access Management Program

We often see that the challenges associated with implementing a Privileged Access Management (PAM) program are not the result of a lack of technology. In order to have a successful PAM program, you must complement the technology with a well-defined program. Using a prescriptive approach based on three guiding principles, this session will show you how to develop effective and mature privileged access management programs, and how to articulate the value of the work you’re doing with privileged access management and why it’s important.

Learn more about Michael Harlev...