Third Party Risk (3PR) conversations have been center-tile on Buzzword Bingo cards for a few years now, but the way most firms approach 3PR hasn’t been effective at quantifying the risk a third-party provider actually presents. With several damaging software supply chain breaches in the course of a couple of months, executives are trying to understand how we got into this mess, and how we get out of it. There’s a lot wrong with how we strive to attain that understanding, typically reduced to handing vendors a spreadsheet groaning under the weight of baseline technology configuration questions written in the 1990s by accountants so that auditors may assess security – thus reducing “trust” to a checklist almost entirely unrelated to trustworthiness.
What is the way forward? How can we ask better questions that give us answers that are proxies for how much an organisation cares about trust and security? This talk proposes a new path forward, and a ten-question sample so you can get started.
The co-host (with Chris Swan) of the Tech Debt Burndown Podcast, Nick Selby is Chief Security Officer of Paxos Trust Company. Formerly Selby served as Director of Cyber Intelligence and Investigations for the NYPD, where he led efforts to establish investigative standards for cybercrimes. He was a Texas police detective investigating fraud and Child Sexual Abuse Material (he now serves as a reserve officer investigating CSAM cases). Since 2009, Selby has worked as a cybersecurity incident responder. A frequent contributor to newspapers including the Washington Post and the New York Times, Selby is co-author of Cyber Survival Manual: From Identity Theft to the Digital Apocalypse and Everything in Between; In Context: Understanding Police Killings of Unarmed Civilians; Blackhatonomics: Understanding the Economics of Cybercrime; and was technical editor of Investigating Internet Crimes.
Ken Munro – Aviation Security 101
Ken is a security entrepreneur and industry maverick who has worked in infosec for over 15 years. After studying Applied Physics he tried his hand in the hospitality industry but soon discovered a talent for hacking, persuading a till to print out mortgage amortisations. He went on to cut his teeth in the anti-virus industry before founding SecureTest, a penetration testing business that quickly established a reputation for delivering high-spec services using a boutique business model. NCC Group recognised the value of the proposition and acquired SecureTest in 2007. But Ken had found his calling, and his penchant for pen testing saw him set up Pen Test Partners in 2010, which now boasts some of the best ethical hackers in the business, each of whom has a stake in the firm.
April C Wright – Supply Chain Unchained: How To Be A Bad SaaS
April C. Wright is a hacker, author, teacher, and community leader who has been breaking, making, fixing, and defending the security of global critical communications and connections for over 25 years. She is an international speaker and trainer, educating and advising on matters of privacy and information security with the goal of safeguarding the digital components we rely on every day. April has held roles on defensive, operational, adversarial, and development teams throughout her career and is currently a Senior Application Security Architect. Her book, “Fixing An Insecure Software Life Cycle”, was published by O’Reilly. She is an occasional co-host for the SecurityWeekly family of webcasts, and has spoken at and contributed to numerous worldwide security conferences of all sizes and for the US Government and industry organizations such as OWASP and ISSA. She has started multiple small businesses, including a non-profit and a photography studio. April is the DEF CON Groups Global Coordinator, and co-founded the local Boston hacker group, “DC617”. She volunteers and supports a number of organizations and causes, such as (ISC)2, EFF, and The Innocent Lives Foundation. April has collected dozens of certifications to add capital letters at the end of her name, almost died in Dracula’s “secret staircase” while visiting Romania, and once read in The Onion that researchers at the University of North Carolina released a comprehensive report in 2014 confirming her status as the “most significant and interesting person currently inhabiting the earth”, and it was on ‘teh internet’ so it must be true.
Hardware hacking is a fun and interesting area of information security – but where do you get started? In this talk, I’ll cover the basic techniques you need to get started looking at the Internet of Things and finding your first vulnerabilities, from unpacking firmware to finding serial consoles on devices!
Andrew Tierney
Andrew leads the hardware team at Pen Test Partners. He covers all systems that aren’t general purpose computers: IoT, phones, cars, ships, planes and industrial control. On the offensive side, he has spent many years reverse engineering, researching and finding vulnerabilities in these systems. On the defensive side, he takes the knowledge gained from research and advises companies on how to build secure products. This ranges from the nitty-gritty of securing devices against physical attack, through to developing complete connected platforms that make use of defence-in-depth so that they can stay secure through the entire lifecycle of the product. He trains people how to attack and defend hardware, with customers ranging from medical device manufacturers through to police forensics teams. A core team of consultants spend their time working on hardware. A portion of this time is security research – buying products with the goal of finding vulnerabilities. Sometimes these issues are light-hearted – a Bluetooth-enabled doll called Cayla is often used as a demo. But other times these vulnerabilities can have wide-reaching, severe impact, such as when they found that networks of millions of child-tracking watches allowed any child to be tracked and spied on.