Tech Level: Low
There is a great diversity of opinion on where and how best to protect information systems. It is common for so-called “experts” to disagree, sometimes quite fervently. To obtain a clear and consistent view of a sound security control environment, the best practice approach is to apply risk management decision making processes. Good risk management ensures that no weak links in the (security) chain are overlooked and the most important issues are made a priority. It also demonstrates to your business executives why your security program makes business sense.
Risk management is not rocket science, but it is a significant departure from the traditional control- and vulnerability-based approaches to cyber security design and information security management. This tutorial provides practical information and tools to help you conduct an effective information security risk assessment and implement a risk-based security plan to manage security for your organisation.
At this tutorial you will be provided with the skills and techniques to assess and evaluate the priority of cyber security risks. This involves translating the risks to your information into a business context for your senior management. The tutorial will assist technologists and IT managers to determine their work priorities and to enhance their credibility with senior management. It includes a workshop that develops a risk assessment for a hypothetical situation.
Tech Level: Low - Medium
During this tutorial Deloitte will illustrate case studies from our field testing of Social Engineering Methodology. Where we have video and audio, examples of various techniques in action will be presented, along with several hands-on labs using some of the tools utilised during physical testing.
The tutorial will demonstrate how the team has infiltrated and extracted the most sensitive information from organisations (who have engaged Deloitte) around Australia.
The tutorial will delve into the mechanics of the attacks and how they succeeded in exploiting the target.
Techniques will be illustrated so that attendees understand the methods used as well as why they work at almost all organisations.
These include:
- In-Person Elicitation Techniques
- Physical Security Control Bypassing
- Communication-based attacks
- How to build a Security Awareness Training Program
For the common attack methods we will also present countermeasures which would have prevented all of the techniques from being successful.
Deloitte will provide real-world policies and controls, field proven in organisations, that have been implemented to protect against these attacks.
The tutorial will make use of printed material, presentations, live demonstrations and video footage of Social Engineering exercises being executed.