
Meeting Location

TASK meets the last Wednesday of every month, 6:00 pm to 9:00 pm (with a few exceptions). Our next meeting is located at 55 John Street, Toronto, ON. The meeting room is the Rotunda (on the main floor, just past the elevators).


No September TASK: See You at SecTor 2022 / BSidesTO

Some of Canada’s best cybersecurity events are nearly here, and we hope to see you at both!

SecTor 2022

MTCC | October 5 & 6 | https://sector.ca

Use discount code TASK2022 now to save $100 on your ‘all-access’ Full Conference Pass or use it to score a FREE SecTor Expo Pass!

We’ll have a TASK booth at SecTor so be sure to swing by and say hello!

Register https://sector.informatech.com/2022/

BSidesTO

Toronto Metropolitan University | October 8 | Find out more: https://www.bsidesto.ca/

Be sure to register before you attend to network, engage, learn, and get out to support your local IT security community!

See you there,
The TASK Steering Committee

Posted in Events.

August TASK / How to Approach a Critical Security Blind Spot

Wednesday 31-August-2022 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


August TASK (Virtual)

Speaker: Raphael Arakelian
Topic: How to Approach a Critical Security Blind Spot: IoT / OT

Learn hands-on (virtually, but through highly interactive live demos) how IoT / OT security works. Canada is getting serious about protecting critical infrastructure, a lot of which is comprised of devices that those of us coming from the IT world aren’t as comfortable with as we should be. In this month’s session, Raphael Arakelian from PwC will provide unique and highly informative virtual tours / demos of their OT & IoT Security Lab simulations. The facility is comprised of several live simulations of industrial systems with integrated security tools. Learn about the industrial processes, OT / IoT devices, as well as several pre-configured cybersecurity attacks. The list below provides a high-level description of the simulations:

  • Mining: Coal feeding system, transporting coal across two conveyor belts
  • Oil & Gas: Transportation and storage of oil in a midstream refinery with multiple tanks
  • Rail Transport: Operation and monitoring of a train transiting downtown Toronto
  • Utilities: Electrical grid model, simulating power generation, transmission, distribution, and consumption
  • Warehousing: Inspection and scanning of boxes as well as a sorting facility
  • Manufacturing: Robotic arm, sorting and inspection

Raphael will also be sharing some of the challenges and lessons learned in setting up the IT and OT infrastructures of a lab environment.

Raphael Arakelian is a Manager in the ‘OT & IoT Security Team’ at PwC Canada. He is the national lead of PwC Canada’s ‘OT Monitoring Implementation Services’. He also manages PwC’s flagship ‘OT & IoT Security Lab’, located in Vaughan, Ontario. Raphael holds his bachelor’s and master’s degrees in chemical engineering from the University of Toronto. He is passionate about the intersection between engineering and cybersecurity.


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/2016553255015/WN_Os9I5hC3Tpu552GJWubG4Q

We look forward to seeing you all then,
The TASK Steering Committee


No July TASK

We were unsuccessful in getting you the right speakers this month, so we’ve cancelled our July TASK event.

Stay tuned, we’ll be back in August with something great!

Until then,
TASK Steering Committee


June TASK / Software Composition Analysis

Wednesday 29-June-2022 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


June TASK (Virtual)

Speaker: Magno Logan
Topic: Knowing your apps and software supply chain: Intro to Software Composition Analysis

The software supply chain has become a hot topic, and open-source software security has become a big challenge. One part of the toolset to manage and secure the software supply chain is Software Composition Analysis (SCA). The forerunners of this toolset take us back to the early 2000s, when security verification of open-source components appeared in various forms. SCA capabilities have progressed a great deal since then: today it is the process of identifying and listing all the components and versions present in the code, checking each specific service, and looking for outdated or vulnerable libraries that may pose security risks to the application. In this session you’ll learn about:

  • How SCA tools work and how they can help identify and remediate open-source libraries used in a codebase
  • How these tools work and the main pieces of information that these tools rely on, such as the application manifest, vulnerability data sources, and dependency metadata
  • How these tools can check for legal issues regarding the use of open-source software with different licensing terms and conditions
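To make the three bullets above concrete, here is an added example (not code from the talk, from Trend Micro, or from any SCA product) of the core SCA loop: parse the application manifest, compare each pinned component against a vulnerability data source using numeric version comparison, and check the component’s license against a policy. The manifest, advisory feed, advisory IDs and license metadata are all constructed sample data; the package names and `EXAMPLE-ADV-*` identifiers are placeholders, not real packages or real advisories.

```python
"""Minimal Software Composition Analysis (SCA) pass over a dependency manifest.

Constructed example: the manifest, advisory feed and license metadata below are
inline sample data, not real packages, advisories or license records.
"""
import re
from dataclasses import dataclass


def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Parse a requirements.txt-style manifest of pinned 'name==version' lines."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            # An SCA tool cannot assess what it cannot pin down; fail loudly.
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix published
    advisory_id: str  # placeholder identifier in this example


def is_affected(version, adv):
    """True when version lies in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def analyze(manifest_text, advisories, licenses, denied_licenses):
    """Return one finding per vulnerable component and per license policy violation."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                findings.append({"package": name, "version": version,
                                 "type": "vulnerability", "id": adv.advisory_id,
                                 "fixed_in": adv.fixed or None})
        # Missing license metadata is itself a finding: you cannot prove compliance.
        lic = licenses.get(name, "UNKNOWN")
        if lic == "UNKNOWN" or lic in denied_licenses:
            findings.append({"package": name, "version": version,
                             "type": "license", "id": lic, "fixed_in": None})
    return findings


# --- constructed sample inputs ---------------------------------------------
SAMPLE_MANIFEST = """
# constructed sample manifest (hypothetical packages)
examplelib==1.4.2
fastparse==0.9.0   # deliberately pinned to an old release
loggerkit==2.1.0
"""

SAMPLE_ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.3", "EXAMPLE-ADV-0001"),  # 1.4.2 is affected
    Advisory("fastparse", "0.8.0", "", "EXAMPLE-ADV-0002"),        # no fix yet
    Advisory("loggerkit", "2.0.0", "2.0.5", "EXAMPLE-ADV-0003"),   # 2.1.0 is past the fix
]

SAMPLE_LICENSES = {"examplelib": "MIT", "fastparse": "GPL-3.0-only"}  # loggerkit: no data
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}  # hypothetical policy


def run_sample():
    return analyze(SAMPLE_MANIFEST, SAMPLE_ADVISORIES, SAMPLE_LICENSES, DENIED_LICENSES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['type']:<13} {f['package']}=={f['version']}  {f['id']}  "
              f"fixed_in={f['fixed_in']}")
```

Two details matter in practice and are the reason the example compares tuples rather than strings: `"1.10.0" > "1.9.9"` is false as a string comparison, which would silently mark a patched release as vulnerable, and an advisory with no fixed version must still produce a finding so the team can decide whether to replace the component.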

Magno Logan works as an Information Security Specialist and Senior Threat Researcher for Trend Micro. He specializes in Cloud, Container, Application Security Research, Threat Modelling, and Red Teaming. In addition, he has been tapped as a resource speaker for numerous security conferences around the globe. He is the JampaSec Security Conference and the OWASP Paraiba Chapter founder, and an active member of the CNCF Security TAG team.


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/2016553255015/WN_Os9I5hC3Tpu552GJWubG4Q

We look forward to seeing you all then,
The TASK Steering Committee


May TASK | Toolkits for Better Security, Without Technology

Wednesday 25-May-2022 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


May TASK (Virtual)

Speakers: Fernando Montenegro & Peter Maddison
Topic: Toolkits for Better Security, Without Technology

Security is a frustrating field of constant change where it’s difficult to wrap our arms around security operations let alone all the other aspects of this vast profession. In this session, you’ll learn about key frameworks to help contextualize security challenges and solve problems more effectively. We won’t cover the usual CIS, NIST, ISO and other security frameworks. Instead the focus will be on showing you how to apply frameworks from outside of security to our field.

This talk will introduce different mental models and frameworks that can be useful to a security practitioner in multiple scenarios. This is where thinking about models such as Four Eyes, Cynefin Framework and Wardley Mapping can assist. In this session we’ll begin to address:

  • How we can frame the larger picture so that we can map out a security strategy (or a career strategy)
  • How to diagnose what kinds of problems we’re dealing with and the scope of them
  • How to more consistently deliver the outcomes we’re trying to achieve – and understand why things aren’t working / how to approach fixing them

Let’s arm ourselves with the ability to understand problems in order to solve them faster. We’ll present several frameworks during this month’s TASK with the offer that if you would like a deeper dive, we can setup knowledge sharing sessions outside of this TASK meeting.


Fernando Montenegro is a security technologist, currently an industry analyst at Omdia, the industry research arm of Informa Tech. He focuses on analyzing market trends and providing strategic advice on topics related to modern security markets: cloud security, endpoint security and others. His previous experience includes pre- and post-sales technical roles and consulting roles with vendors in enterprise security. He has worked with organizations in Canada, Latin America, and the US. His areas of interest include security economics – particularly behaviour economics – data science, including machine learning, and cybercrime. He holds a bachelor’s degree in Computer Science and industry certifications. He is based in the Greater Toronto Area.

Peter Maddison has been in the business of building high-performance teams and automating everything worth automating for the past couple of decades. A technologist, he has worked in a variety of disciplines, from operations to architecture to program management. With a career emphasis within financial services he has helped multiple large banks design and implement DevOps strategies with specific attention to the cultural challenges that can arise. Engagements include introducing models to align risk and control practices with the pipeline to production and identifying meaningful and appropriate measures. Peter works closely with compliance, audit, security, and architecture teams to build alignment and design processes to reinforce change.


This month’s TASK is proudly sponsored by Optiv

Optiv is a security solutions integrator, delivering end-to-end cybersecurity solutions that transform the way security is approached and consumed. Optiv develops an in-depth understanding of our clients’ environments, leverages the efficiencies of cloud economics for modernized on-demand security services, and creates business-aligned solutions that are designed to deliver the clarity and assurance our clients need to effectively manage organizational risk. Optiv’s approach optimizes and rationalizes existing infrastructure and operations to ensure the right balance of tools, processes and compliance and reporting capabilities. This enables clients to build a sustainable risk-centric foundation for implementing proactive and measurable security programs.

For more information about Optiv, please visit us at www.optiv.com.

Enter to win a $150 Amazon Gift Card: https://taskmay2022meeting.splashthat.com/


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/7216528588139/WN_bqM6p88FTeaFzhnoLlXYCw

We look forward to seeing you all then,
The TASK Steering Committee


April TASK: Global Impact of Cyber Ops/Hacking Vendor Security Reports

Wednesday 27-April-2022 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


April TASK (Virtual)

Speakers: Robert Beggs, Larry Gagnon, Dave McMahon
Topic: The Global Impact of Cyber Ops between Ukraine and Russia

Panelists Robert Beggs (Digital Defence), Larry Gagnon (eSentire) and Dave McMahon (Sapper Labs) will approach the evening from the perspective of military and police specialists, and will provide an overview of new developments in cyber warfare that have emerged in the recent invasion of Ukraine by Russia. They will first cover the “in theatre” events, the actions of the belligerents and their allies directly against each other, and then discuss how these actions have “spilled over” in the cyber world, where the conflict has grown in new and unexpected ways.


Speaker: Dr. Wade Baker
Topic: Hacking Vendor Security Reports: When and How to use them

There is a treasure trove of security research we can use tactically in our daily work and strategically to advance our security programs. Let’s walk through key findings from several new security reports, and even an overarching report that analyzes multiple threat reports. Dr. Wade Baker, the man behind security report greatest hits such as the Verizon DBIR and many others, will take us behind the scenes to show how to use these reports effectively in our work. Get good at really understanding what the data is telling us, so you can read the flurry of vendor security reports with greater literacy. Here are several reports we’ll have a look at:

  • The “state of the state of” threats (rollup of findings from myriad threat reports)
  • Vulnerabilities and measuring exploitability (deep analysis of actual live assets and vulnerabilities)
  • Security outcomes and success (unique analysis across several thousand organizations)

Dr. Wade Baker is a Co-Founder of the Cyentia Institute, which focuses on improving cybersecurity knowledge and practice through data-driven research. He’s also a professor in Virginia Tech’s College of Business, working to prepare the next generation of industry leaders. Prior to this, Wade held positions as the VP of Strategy at ThreatConnect and was the CTO of Security Solutions at Verizon, where he had the great privilege of leading Verizon’s Data Breach Investigations Report (DBIR) research team for 8 years.


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/1216504728816/WN_fs7_Uif5QnqQtAtgdOjtzQ

We look forward to seeing you all then,
The TASK Steering Committee


March TASK: Let’s get physical: Breaking in like a pro to take security beyond cyber

Wednesday 30-March-2022 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


March TASK (Virtual)

Speakers: Karen Ng & Bill Graydon
Topic: Let’s get physical: Breaking in like a pro to take security beyond cyber

Physical security is a critical set of skills cybersecurity pros need to learn. Let’s discover how to break into physical offices, industrial sites and so on in order to identify vulnerabilities. This talk will show tools and techniques to defend in the real world. Particularly as offices across Canada open back up, we need to spot and remediate physical security gaps. What you’ll learn during this talk:

  • Threat modelling in the physical world, and cyber mindsets you need to ditch to do it properly
  • The spectrum of physical vulnerability assessment techniques, culminating in a full red teaming
  • How-to for a “DIY” physical vulnerability assessment / pen test
  • The full process a professional pen test involves, from scoping and intelligence gathering through to execution and follow up
  • Trends in the industry and how COVID has impacted physical security.

Speakers:
Karen Ng
Karen is an analyst at GGR Security, and is one of GGR’s entry team for physical penetration tests. She has a strong interest in physical security, delivering trainings on physical security vulnerabilities to a wide range of audiences. Karen comes from a background in engineering and has extensive experience in major event logistics. She is one of the Village Leads at the Physical Security Village, and works with the rest of the PSV team to teach the community how to recognize and fix security exploits.

Bill Graydon
Bill is a principal at GGR Security, where he is involved in the full spectrum of client risk analysis, testing and remediation. He’s passionate about advancing the security field through research, teaching numerous courses, giving talks, and running the Physical Security Village at various cons. He’s received various degrees in computer engineering, security, and forensics and comes from a broad background of experience in physical and cyber security, anti-money laundering, and infectious disease detection.


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/4016424420104/WN_lvKIpWPSQrShlJqBmOAfRA

We look forward to seeing you all then,
The TASK Steering Committee


February TASK: Rethinking Vulnerability Management

Wednesday 23-February-2022 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


February TASK (Virtual)

Panelist Speakers: Stewart Cawthray, Jerry Gamblin, Bryan Whyte, Patrick McNeil
Topic: Rethinking vulnerability management: Expert panel offers new insight on building a better program

There are countless new vulnerabilities that sidetrack security, IT and developer teams. Microsoft alone kept teams busy all year, let alone Log4Shell and tens of thousands of new and existing CVEs. With the rapidly expanding attack surface of devices, cloud services and network equipment, there is no shortage of vulnerabilities to chase. On top of this, the software supply chain continues to grow with more dependencies: it’s too easy to grab free packages off GitHub, NPM, Maven Central and so on. Software has eaten the world. Now we deal with the indigestion.

This session is designed to help you put together a program to more easily manage vulnerabilities at your organization.

We’ve invited four experts from different coverage areas to weigh in on this discussion and answer your questions:

Stewart Cawthray, Executive Security Architect, IBM Security Services

Stewart has over 20 years of experience in cybersecurity, helping many of Canada’s biggest companies tackle cybersecurity issues, from securing their journey to cloud to responding to incidents and minimizing their impact. Stewart blends an understanding of business goals and motivation with architecture and technical skills to find innovative and efficient solutions to technology and cybersecurity challenges.

Jerry Gamblin, Director Security Research, Kenna / Cisco

Jerry Gamblin is an influential security researcher and analyst focusing on enterprise network and application security with over 15 years of experience. His research has been presented on numerous blogs, podcasts, and security conferences. When not at work, his personal research focuses on IoT & embedded automotive systems. Check out his talk now available from SecTor 2021 online providing an intro to Risk-based Vulnerability Management: https://sector.ca/sessions/an-introduction-to-risk-based-vulnerability-management/

Patrick McNeil, Director of Solutions Architecture, Rumble.run

Patrick helps his customers discover all the unmanaged and unknown assets on their networks. Prior to Rumble, he developed first party and open source software application security testing programs for large Veracode customers. From his diverse background, Patrick understands the challenges and intersections of software development, networking, operations, and asset management. He has shared his knowledge at a number of conferences, including DEFCON, DerbyCon, BSidesLV, CarolinaCon, CackalackyCon, regional OWASP meetings, and various telecom industry and fraud prevention forums. Patrick enjoys growing his local security community by serving as an organizer, mentor, and speaker wrangler at local conferences. Patrick is also a physical security pentesting consultant and runs a local lockpicking club called Oak City Locksport.

(Patrick’s real bio: Old school full-stack COBOL programmer, original networking gangsta, physical security consultant, #telephreak to the core, Patrick has been slinging code, evaluating product security, finding hidden artifacts, and architecting people out of difficult jams “equalizer style” for over twenty-five years.)

Bryan Whyte, CISSP, Technical Presales Manager, Sonatype

After earning my Masters in Electrical Engineering, I spent over 20 years developing software applications to test hardware such as Torpedoes, Circuit Boards and Digital Subscriber Line (xDSL) modems. During that time I was also able to contribute to the product development for both Embedded and Distributed Enterprise Applications.

In 2015 I joined IBM Security as a Technical Pre-Sales Engineer focused on the AppScan tool suite for Static, Dynamic and Mobile Application Security Testing. After spending a few years in Application Security I decided to expand my Cybersecurity proficiency and became a Certified Information Systems Security Professional (CISSP).

I joined Sonatype in 2019 because the explosive growth of Open Source Software has made Software Composition Analysis a critical aspect of Application Security.

In my free time I enjoy spending time with my wife and two daughters, traveling, sampling craft beers and golfing (poorly).


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/4016424420104/WN_lvKIpWPSQrShlJqBmOAfRA

We look forward to seeing you all then,
The TASK Steering Committee


January TASK: Ethical AI for Security pros: Why it’s important, Why it’s hard, How to do it

Wednesday 26-January-2022 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


January TASK (Virtual)

Speaker: Stephan Jou
Topic: Ethical AI for Security pros: Why it’s important, Why it’s hard, How to do it

The use of artificial intelligence (AI) for cybersecurity, such as to detect insider threats and advanced attacks, is now an accepted and important tool for our industry. However, at the same time as we are realizing the power of AI, we need to become increasingly aware of its ethical challenges. As security professionals, we are increasingly called on to advise on and implement solutions relating to the privacy of customers and employees. To illustrate the importance of ethical AI: in June 2021, the Office of the Privacy Commissioner of Canada found the RCMP’s use of Clearview AI, a facial recognition company, illegal and a violation of the Privacy Act.

In this session, you will learn:

  • Why It’s Important: Why responsible and ethical AI is critical, including its business advantages
  • Why It’s Hard: The technical challenges associated with responsible AI, including the limitations of standard anonymization techniques
  • How to Do It: Best practices and techniques to implement responsible and ethical AI

Stephan Jou is CTO of Interset, a Micro Focus company, a leading-edge cybersecurity and In-Q-Tel portfolio company that uses machine learning and behavioral analytics. Jou currently leads both Interset and various analytics-related initiatives for Micro Focus’ security division. Before Interset, Jou was at IBM and Cognos, where he led the development of over 10 products in the areas of cloud computing, mobile, visualization, semantic search, data mining and neural networks. Jou holds an M.Sc. in Computational Neuroscience and Biomedical Engineering, and a dual B.Sc. in Computer Science and Human Physiology, all from the University of Toronto. He has held advisory positions on NSERC Strategic Networks and is involved in setting goals for NSERC Strategic Research Grant research topics in the areas of analytics and security for Canada. He was an invited participant representing Canadian industry in 2018’s G7 Multistakeholder Conference on Artificial Intelligence and in 2020’s consultation with the Privacy Commissioner of Canada on regulation of AI for data privacy.


View Stephan’s Slides Here: 2022-01-26 Ethical AI for Security Pros


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/4016424420104/WN_lvKIpWPSQrShlJqBmOAfRA

We look forward to seeing you all then,
The TASK Steering Committee


November TASK: Cloud Security Step-by-Step Guide: Updating Your Security Practice

Wednesday 24-November-2021 // 6:00 – 7:30 PM
Meeting Location: Virtual – Register


November TASK (Virtual)

Speaker: Mark Nunnikhoven
Topic: Cloud Security Step-by-Step Guide: Updating Your Security Practice

While the rest of the business has jumped into the push towards cloud, how should your security practice adjust? Architectures, visibility requirements, and data protection needs, among others, are different in the cloud. It can be hard to know where to focus. How can you identify and manage different risks and exposures? With so many changes, what steps should you take?

In this session, we’ll look at different areas of your security practice, how they shift, and how to prioritize them as your organization moves to the cloud. The goal is to provide a map of your next steps and to highlight what resources can help you not just move your practice to the cloud but improve it at the same time.

Mark Nunnikhoven (@marknca) is a Distinguished Cloud Strategist at Lacework. Mark works with teams to modernize their security practices and to get the most out of the cloud. With a strong focus on automation, he helps bridge the gap between DevOps and security through coaching, writing, speaking, and engaging with the cloud community.


Don’t forget to register for the webinar now (free) to ensure you get access on the night: https://us06web.zoom.us/webinar/register/8916370032671/WN_AnLz9FraTdeQRz6nwh9KpA

We look forward to seeing you all then,
The TASK Steering Committee

