21st Annual New York State Cybersecurity Conference

This year I attended the 21st Annual New York State Cybersecurity Conference (apparently this is something to brag about since it was done several times) in Albany, New York.  Not only were the keynotes interesting and to a certain extent enlightening, the sessions were helpful and the people were interesting. 

Some things change, while others stay the same ...

Last year, for the 20th NYSCSC/AISA conference, there were some problems - especially for a tech conference.  The Egg, where the conference is held, was constructed when Nelson Rockefeller was Governor of the state, over 40 years ago.  The conference center still has few electrical outlets, so few that they have set up charging stations for people to recharge their various electronics since NONE of the conference rooms have more than a handful of electrical outlets. 

Last year there was no Wi-Fi either, apparently due to the prohibitive cost.  Although this year there was Wi-Fi, it was so poorly advertised (not at all) that you had to know someone in order to get the password.  I only knew there was Wi-Fi and what the password was, because the gentleman sitting next to me told me when he saw me trying to connect by tethering to my phone.

This year they had an app for the conference.  It was an excellent addition, easy to use and helped to keep you on track.  Unfortunately, the information about the app wasn't sent out until several days before the conference. Registration was another SNAFU. I registered for the NYSERNet conference, which takes place at the beginning of October, a couple of months ago, while the registration for this conference that was 6/5-7 didn't even open until several weeks before the conference date.

NOTE: The information herein reflects my personal opinion about the sessions I attended and the Keynote addresses.

The Keynotes (one a day)

The keynote addresses were for the most part excellent.  Informative, thought provoking, and interesting.  The first day's speaker, Steven Spano, said many things, but the most interesting to me was that those who take chances, which may or may not succeed, should be rewarded.  

The hardest speaker to understand was also extremely interesting.  He was difficult to understand, mostly because he was an academic, V.S. Subrahmanian - a professor at Dartmouth.  He was the ASIA's keynote speaker, and their sessions tend to be a lot more theoretical (last year the most interesting/thought-provoking ASIA seminar I went to was a graduate thesis on using images/video for encryption).  This was interesting in that it was about the formulas he and his group had developed to better forecast outbreaks like Wannacry.

Session 1, Day 1

The first session I chose was titled "Where have we been - Where are we going?"  Which was presented by Michael Corby, who said last year that he was one of the creators of the CISSP. (Certified Information Systems Security Professional) He was excellent last year and very good this year.  

Session 2, Day 1

Michael Singer from AT&T presented "Cybersecurity Best Practices and Expectations for the Future."  He was one of many people who emphasized ID and Access management, virtualization, and vulnerability management.  Michael had an interesting take on the "edgeless enterprise," the concept in which there are no legacy systems.  AT&T refers to it as E2.

Session 3, Day 1

"Why its time to rethink your access management strategy" was presented by Timothy Till, from Identity Automation. Not surprisingly he spoke a lot about Identity Access management and how automation of this task is more secure.

Session 4, Day 1

"Thinking differently: Protecting the Public, Employees, Educators and the Supply Chain through DMARC,"  was a very good session by Denis Ryan, of Proofpoint, all about DMARC. This was a high-end treatment of DMARC (Domain-based Message Authentication, Reporting, and Conformance), but during the Q&A a lot of technical information came out.  

Session 1, Day 2

"The 2018 Verizon Data Breach Investigation Report (DBIR): Understanding the Threats you Face," was, not surprisingly, presented by Verizon in the person of Christopher Novak. Chris was an excellent speaker (if you get a chance to hear him - take it) and made me want to read the parts of the report he had not presented (I admit to liking to read these anyway).  I liked one of his analogies very much. He said clicking on phishing is akin to holding the door open.

Session 2, Day 2

Andrew Dolan from the Multi-State ISAC (MS-ISAC) and Princess Young from the Department of Homeland Security (DHS) and who is responsible for the National Cybersecurity Awareness Month (NCAM), gave this session titled, "Cybersecurity 101."  Andrew spoke for most of the time and Princess spoke for about 15 minutes at the end.  They were both excellent speakers and had a lot of good advice, suggestions, and practical policies/tools. They were not only funny, but also had a lot of excellent advice. Princess spoke about the STOP. THINK. CONNECT campaign.  They both spoke about cyber best practices.

Session 3, Day 2

Raj Goel brought social justice/indifference to the fore with his talk on Cyber Defense 101: Be the Third Little Pig.  It came down to do everything you can to help those around you who are not as "Cyber-aware."

Session 4, Day 2

This last session of the day was presented by Peter Chestna, Devops.com. It was titled, "Not a free lunch - Managing your open source risks."  He had some great statistics.  For instance, he said that more than 90% of the code that goes into various off the shelf products, is open-source. And the biggest problem with open-source is that it is constantly tweaked to fix security issues, and these tweaks may never see your installation of some third-party application that uses that open source library.  

Then, even if one knows about the updates, implementing them can be more than challenging. Not only might updating a library break something further down the line, but it may do things like void your software vendors' agreement with you to troubleshoot the application(s). Peter illustrated how one library could affect literally thousands of applications that depend on each other.

Day 3

The third day was an after conference choice of sessions. Some went from 9-3:30, while other went from 9-12:00. The one I attended happened to be one of the shorter ones.  It was billed as a "Local Government Cybersecurity Toolkit."  There was a lot about the Center for Internet Security (CIS) and the various free tools they have available. 

The CIS-CAT (CIS-Configuration Assessment Tool) utility and the Top 20 were addressed by the respective people behind them. There was a lot of good information, although they did leave out things like you would need certain prerequisites in order to run some of their tools. (Java for instance and some legacy GPOs would need to be downloaded - IMHO, this should have been put all together into a single download).

The take-away

All-in-all the conference was both enlightening and interesting. I not only learned information from the talks, but also from the vendors.  There was plenty of time to go around to each vendor and check out whatever they were hawking. Some of the vendors provided very handy swag. For instance, Symantec had a book with a pen that was useful for taking notes and Cisco gave away a very nice hot drink cup. One of the more interesting items solved a problem I never realized I had,    You use this by plugging it into the USB you are going to charge your device from and then plug your device into it. Why? It apparently does NOT allow any data to traverse the connection, therefore preventing someone either putting malware onto your phone or syncing it while you are charging it.

Something else to worry about.

If you enjoyed this article, don't forget to give it a thumbs up by clicking the thumb icon below to the bottom left.  In this way, I can tell which articles people enjoy and which topics they would like to hear more about.