This talk will introduce three types of threats: state-serving, self-serving, and public-serving. It will discuss three types of risk scenarios: theft, destruction, and disclosure. Five "big events" that have happened in security in the last 18 months will be examined.

The presentation will introduce the idea of "incident response as a continuous business process" as a countermeasure, and will discuss two key metrics for measuring the effectiveness of your IR operation.

KEY QUESTIONS

• Why do we need to focus on attackers, not vulnerabilities?
• What are attackers actually doing and how does it differ from what the mainstream is saying?
• What are the basics of implementing an attack-focused security plan?

Cyber risk has become a "bet the business" problem. Many hacked businesses never recover. Others suffer substantial brand and reputation loss, and of course major impacts on the bottom line. With the pervasiveness and severity of attacks on the increase, with national governments unable to adequately protect businesses within its sovereign borders, it falls on leaders to take responsibility to protect their enterprise.

CIOs, CISOs, CSOs can all assist, but ultimately, building a resilient, sustainable cyber-ready organisation requires the leadership of the CEO. Moreover, failure to take ownership of this risk, indeed any failure to investigate risk, poses corporate liability exposure to leaders holding fiduciary responsibilities to others, such as to shareholders. 

KEY QUESTIONS

• What are the risk factors a leader should assess related to cyber security?
• What duties do corporate leaders have in regard to conducting due diligence for cyber security?
• What framework is available to build a cyber-resilient organisation?

The topic will cover international case studies on privacy incidents worldwide. How companies reacted, what regulators did, and what are the lessons learnt from a South African perspective. This will provide insight as to what can be expected from a privacy or information protection regulator, as well as an understanding of the impact of South African privacy legislation.

Six points highlighting the key objectives the talk will meet:

• Who is a privacy officer and what is he/she meant to be doing?
• A comparison of data protection and privacy regulators across the globe.
• An understanding of other jurisdictions that have privacy laws.
• What is the reality that South African organisations will be facing with the Protection of Personal Information law?
• What are the lessons learnt from a global perspective?
• What should your strategy be?

KEY QUESTIONS

1. What is a privacy officer?
2. What will the Information Protection Regulator do?
3. What is the reality that South African organisations will face with the Protection of Personal Information law?

While IT asset disposal is a necessary part of day-to-day operations, do organisations actually dispose of their IT assets properly? We take a look at an experience at a major telco to highlight the risks an organisation is exposed to. In the midst of strategic investments into complex best-of-breed GRC initiatives, a retrospective into the basic building could help ascertain effectiveness of an organisation’s control. In this brief discussion, we look at a telco’s oversight over its IT asset interface with its IT support function.

It is a well-known fact that intruders, like flowing water, will explore the weakest opening, much like a chain with the weakest link. As strong as an organisation’s information security and internal controls are, it takes just the non-effectiveness or non-existence of a control for a vulnerability to be exploited and a breach to occur.

KEY QUESTIONS

1. With POPI imminent, what should you be thinking about in terms of your IT asset disposal vis-à-vis information confidentiality and privacy?
2. How to know if your IT asset disposal is creating a loophole for data breach indemnification, reputation damage, espionage, etc?
3. How do you integrate IT asset disposal with IT service desk: which careful considerations should be taken?

This presentation will investigate some (a few important ones, but surely not all) of the components of the legal and regulatory landscape related to cyber security in SA. These components will be discussed in three categories:

• Those components which exist and which should be complied with – facts.
• Those which have been announced but are still outstanding – promises.
• Those which do not yet exist, but according to the author, should exist – wishes.

KEY QUESTIONS

1. To what extent is government internally committed to IT governance (ITGov) and cyber (information) security governance (CyberInfSecGov)?
2. What dictates how high in a company the 'cyber security buck' stops?
3. What cyber security regulations could help SMEs and ordinary citizens to cyber protect themselves?

Pin pads or payment terminals are widely used to accept payments from customers. These devices run payment applications on top of the device-specific firmware. It should come as no surprise to anyone that these applications and operating systems are just as vulnerable as any other systems when it comes to handling user input.

As the use of chip-and-pin continues to replace the fairly basic magnetic stripe cards, these devices are handling more and more complex information from untrusted sources; namely, the EMV protocol spoken by all major payment smart cards. On top of this, many of these terminals are connected through Ethernet, GPRS, WiFi or phone lines, which add to the overall attack surface.
This presentation will demonstrate how vulnerabilities in payment terminals allow attackers to compromise the terminals through malicious chip-and-pin cards.

KEY QUESTIONS

1. Are widely deployed payment terminals vulnerable to software weaknesses?
2. Could these vulnerabilities be exploited on common pin pads?
3. What is the impact of successful exploitation?

SHA256 is currently the most secure, widely used cryptographic hash function available (at least until SHA3/Keccak becomes more widespread). It is also a key component of the Bitcoin crypto currency, and more than 7 * 10^20, or more than 700 exa-hashes, have been calculated on a basis which is essentially a differential crypto attack on SHA256.

We discuss the properties of an ideal cryptographic hashing algorithm, and how SHA256 deviates from the expected behaviour of an ideal hash based on the growing database of Bitcoin blocks, which are hashes with particular properties.
Although this does not translate into any practical attack on SHA256, these findings could result in new Bitcoin blocks being found faster than predicted, if this knowledge is being used effectively by an attacker, and is nevertheless a mathematical weakness in SHA256.

KEY QUESTIONS

1. How do you build a distinguisher to reliably distinguish between SHA256 and a true random hash?
2. How are Bitcoin blocks 'found' and new Bitcoins mined?
3. Why has Bitcoin had an impact on password security (specifically why more than ever passwords should not be re-used between sites)?

In this talk, Bob Weiss and Benjamin Gatti will analyse Enigma, the World War II-era Nazi encryption machine.

The encryption theory behind Enigma is covered, including a detailed under-the-hood view of a typical device.
The presentation will be concluded with a demo – using a laptop in an effort to crack an Enigma message.

KEY QUESTIONS

1. How did the Enigma change the course of WWII, cryptography and computing?
2. How did the plasticity of the Enigma's crypto facilitate the largest crypto project in history, and the invention of the first electronic programmable digital computer?
3. How does the Enigma machine hold up to modern attacks and computers?

Enhancements in digital security have come a phenomenally long way from the days of the 'Wild West' of the Web, where anyone with skill seemed to be able to take over any server. Today, servers are much more protected and systems are in place to track, log and alert administrators of even possible attempts.

With that being said, physical security has moved at almost a snail’s pace (at least with regard to implementation), with people still relying on locks, magnetic stripes and RFID. Additionally, it is also accepted that should someone have physical access to your server, they can easily compromise it either by making copies of data, installing malicious software, or taking the physical device with them.

This talk will look at some old and new hardware that make bypassing physical hardware much easier, including the following:

1. Listening to two-way communications with $20 hardware (RTLSDR): What good are your security guards if anyone can 'hear' where they are without them knowing? I will demonstrate listening to two-way radios and other interesting signals with HDSDR/SDR#.
2. Magnetic stripes are often used on access cards to unlock doors depending on access levels. I will demonstrate how magnetic stripes work, as well as how to replay, clone and spoof your own, from bank cards to door swipes.
3. RFID tags: For companies that have 'upgraded' from magnetic stripe technology, a lot have moved to RFID badges to do the same job, yet they often suffer from the same symptoms as above. I will demonstrate copying tags as well as cloning to gain access, including passive RFID and something more complex such as the Mifare range of RFID cards.

The idea with this talk is to make people aware that while having the digital security firmly in place is very important, they should also consider the physical security they currently have.

KEY QUESTIONS

1. What should I be concerned about when it comes to the physical security of my organisation?
2. What tools can people use to breach my physical security and what should I be on the lookout for?
3. What are the implications of using RFID entry tags, simple car and gate remotes, and non-secured two-way radios?

One of the most critical SAP applications in terms of cyber attacks is SAP Portal, which is based on J2EE engine, because it is usually available from the Internet and provides access and connections to other internal SAP and legacy systems.

In this talk, the security architecture of SAP Portal itself and custom applications like iViews will be reviewed, and I will demonstrate how SAP Portal can be attacked. But the main area of the talk will be focused on forensics and finding attack patterns in log traces and other places to understand if it is possible to completely reverse complex attack patterns. Finally, I will look at how attackers can try to hide their attacks and how it is possible to deal with it.
There have been a lot of talks covering attacks, but now we will move to the understanding of how to deal with them in the cyber crime era.

KEY QUESTIONS

1. How can hackers break your SAP Portal applications and access internal resources?
2. How do users securely configure SAP Portal and J2EE Engine?
3. How can companies analyse log reports and traces for identifying and preventing cyber attacks on SAP applications?

This is the era of ‘big data’. The business landscape is being shaped by data as never before. This presentation will focus on how big data can be used in forensic investigations, fraud prevention, incident response, etc.

KEY QUESTIONS

1. Does data matter?
2. Where can I apply data analytics?
3. What does Effective Organisations do?

The approach in this talk is to present a case study, based on an experience with a real-world customer which needed assistance.

This talk will engage the audience in a "how would you solve this?" format. It will reveal what actions the team took and will evaluate the success of the response. This particular case is that of a customer in which everything appeared to have gone wrong – and it tested the team’s abilities to resolve the issue.