Online Sessions

Live Sessions

Things You Learn the Hard Way from Doing 20 Years of Penetration Testing - Sponsored by Fischer Identity, Gold Partner

Dave Aitel

The Cybersecurity and Privacy Professionals Conference opening general session speaker, Dave Aitel, will discuss long-term risk-mitigation strategies gleaned from decades of penetration testing. He will talk about which information security investments are needed and why, as well as how the landscape has changed over time.

Town Hall: Looking to the Future with the EDUCAUSE Strategic Plan

Nicole McWhirter, Helen Norris, John O'Brien

Join EDUCAUSE President and CEO John O'Brien, Board Chair Helen Norris, and Chief Planning Officer Nicole McWhirter in a discussion about the association’s strategic planning process. Engage in this lively session focused on the EDUCAUSE commitment to a member-focused future, and be a part of clarifying and affirming the role EDUCAUSE plays and ensuring that our mission and vision are relevant and responsive to the challenges in a post-pandemic world. Come prepared to tell us what your hopes and dreams are for the future of EDUCAUSE!

Research Privacy: Why IRB Reviews Aren't Always Sufficient

Pegah Parsi

In this session, we will discuss the IRB's role in reviewing research protocols for privacy. Many researchers mistakenly believe that once they have IRB approval their protocol has been reviewed for all compliance matters. However, most IRBs do not conduct in-depth reviews for privacy or security compliance or data ethics. In this session, we will talk about the gaps between IRB reviews and privacy and talk about some potential solutions.

Bridging the Research and Compliance Communities

Lanita Collette

The cornerstones of modern research are collaboration, agility, entrepreneurship, and creativity. Yet institutions increasingly face expanding and rigorous security compliance regimes from both sponsoring agencies and commercial partners. Many universities are struggling to marry new security compliance obligations with active research programs, while avoiding throttling scientific exploration. Achieving this requires shedding historical preconceptions of compliance and security, and a broader understanding of the research mission. This interactive panel explores successes and challenges of Northwestern University and University of California, San Diego when handling research compliance projects. Learn how to cultivate a culture with a shared vision for the research and compliance partnership.

Birds-of-a-Feather (BOFs) Lunch Conversation Topics

Join colleagues to discuss hot topics over the lunch break. You'll be able to network and exchange ideas, insights, and experiences.

Topics:

  • Awareness
  • Third-Party Risk Assessments
  • NIST 800-171
  • Privacy

A Whole Lotta BS (Behavioral Science) About Cybersecurity

Lisa Plaggemier, Maren Muxfeld

People often don't do things they know they should, even when they can benefit. What's the reason behind this? Do our strategies of scaring students and faculty into taking precautions about cybersecurity issues actually work? Should our approach to building awareness differ between high school students and college students, or between students and Baby Boomer faculty? New research from the National Cybersecurity Alliance reveals the public's attitudes and beliefs about security, and potential drivers of and barriers to the adoption of secure data security habits. We will share the highlights of this revealing research, and how we can apply such behavioral science insights to develop more effective awareness and behavior change initiatives. In this session, National Cybersecurity Alliance Executive Director Lisa Plaggemier and high school cybersecurity student leader Maren Muxfeld will explore the findings from the organization's annual survey and outline what can be learned when creating awareness programs.

Framework for the Future: Connect Dots and Build Bridges with the New CIS Controls

Cara Bonnett, Randy Marchany

The Center for Internet Security (CIS) Critical Controls got a major rewrite in 2021, reflecting core changes in today's computing and infrastructure environments. This presentation will highlight what’s new in version 8, why it’s well-suited for higher ed, and how two universities are using the updated framework to gain new risk insights and improve security across siloes. The CIS framework maps to a wide range of other formal frameworks (NIST 800-171/CUI, HIPAA, PCI-DSS, among others) and is measurable, specific, and practical to operationalize, which can help identify and prioritize quick wins for tight budgets. Recent research shows that adopting CIS’ basic set of recommendations defends against 78 percent of the most common attack techniques.

FBI, REN-ISAC, and CISA Threat Briefing - Sponsored by Armis

Ted Delacourt, Krysten Stevens, Chris Hild

The threat landscape may seem like more of the same, but new threats are constantly emerging and old exploits are being used in new ways. This session will provide you the freshest information REN-ISAC, FBI and CISA can share. We will discuss threats, trends, and ideas that we can't even imagine at the time of this proposal. You'll leave with a better understanding of specific cyberthreats from around the globe, as well as some insight into the malicious actors' methods, motives, and potential targets in the research and education community.

Zero Trust: It's a Concept, Not a Product

Joel Rosenblatt

We have all been getting email from vendors selling the latest and greatest security product—Zero Trust. The problem is that you cannot buy zero trust, you have to build it. My talk will explain what it really is and how you can create a zero trust environment.

Learn by Doing: Recognizing Student Accomplishments in Security Operations Center

Doug Lomsdalen, Jon Vasquez

Cybersecurity and Privacy Kahoot! The Online Trivia Game

Join us for a fun 30 minutes of competitive trivia based on pop culture and privacy and security trends! You won't have to download anything to play. All you need is your laptop and your cellphone with a solid Wi-Fi connection to play the game. Get ready to test your knowledge and have a great time!

On-Demand Sessions

Security Recommendations for Science DMZs

Mark Krenz

A Science DMZ is a special network architecture designed to improve the speed at which large science data transfers can be made. Science DMZs have become a common solution to the issue of busy academic networks causing slowdowns or failures of large data transfers. A new paper published by Trusted CI on the security of Science DMZs provides an overview of this type of network architecture, summarizing the current best-practice cybersecurity risk mitigations as well as providing additional security recommendations. This session is a brief introduction to the Science DMZ concept and presents an overview of the mitigations documented in the paper.

This Job Feels Just Right: Finding Your Niche in Cybersecurity

Krysten Stevens, Amy Starzynski Coddens, Caroly Ellis

Daily we hear about the need for cybersecurity talent, and yet we also hear stories about people at all levels who are not always able to find their fit. They include graduates trying to get their foot in the cyber door, mid-level professionals with technical and non-technical skills looking to cybersecurity for a new career path, and seasoned leaders looking for a change. Is the issue the applicants, or is it the unchanged system they are trying to enter? In this session, we will address how applicants and hiring managers can move beyond the typical hiring process, start building up our cybersecurity resources, and enhance the makeup of our most valuable assets—our teams.

We’ve Had a Ransomware Attack, Now What? GTCC’s Survival Story & How to Thrive After an Attack

Ron Horn, Kimberly Johnson

If you’ve been following any of the headlines out there today, you’ve seen the rapid growth of ransomware attacks. Despite an increase in focus on tracking, targeting, and disrupting ransomware, the volume of attacks has not seemed to decline, with a new ransomware attack estimated to happen every 11 seconds. In the last two years that included over 2,500 individual schools. In 2020, one of those schools was Guilford Technical Community College (GTCC). Join this session to hear from GTCC’s Associate Vice President and CIO Ron Horn as he shares his experience of surviving a ransomware attack and how he continues to thrive after. Ron will share how his team detected the ransomware and their six-month journey to recover from it. He’ll talk about what it was like after the attack, including the improvements he’s since made to his cybersecurity program, and the hurdles he’s had to overcome to keep his cyber insurance. As it’s often said when it comes to ransomware attacks, “it’s not a matter of if, but when.” This is your chance to share your experiences and work together to share best practices on how to survive and thrive after an attack.

XR Security, Privacy, Safety, and Ethics Considerations in Higher Education

Didier Contis

This session provides an overview of critical XR security, privacy, safety, and ethical challenges that the higher education community will likely face in the short- to medium-term future. Drawing from the experiences with XR adoption at our respective institutions, as well as from collaborating with external advocacy groups—e.g., the XR Safety Initiative (xrsi.org) and the Immersive Learning Research Network’s (iLRN) Champions in Higher Education for XR (CHEX) consortium—the presenters will offer insights and recommendations for navigating these challenges in the context of XR adoption in the teaching and learning environment. We will discuss critical security and privacy considerations when initiating and supporting XR initiatives and projects on campus. We will share the existing regulatory frameworks that impact XR learning experiences, with an emphasis on data privacy and security requirements. Our main intent is to encourage participants to engage with the broader higher education community and other relevant organizations to advocate on behalf of students (whether with vendors or policy makers) and support the development of an ethical framework of best practices for XR learning experience design and XR device and software procurement and management.