Risk management
Investments in Cybersecurity in the CEE region
Ihor Malchenyuk, Head of Customer Solutions at Cossack Labs, spoke at the CYBERSEC FORUM/EXPO 2023 panel “Investments in Cybersecurity in the CEE Region.”
Ihor discussed cybersecurity challenges in the CEE region, such as the growing number of malware and ransomware attacks, the increased focus on users/people and endpoints, the rising cost of data breaches, the expansion of privacy regulations, and cyberwarfare against mission-critical applications and critical infrastructure assets.
The main conclusion: pressure from a very dynamic threat landscape, lessons learned from the current cyber warfare, and legislation that pushes businesses towards healthy cyber hygiene together create a market opportunity for cooperation between governments and businesses to address these challenges.
Crypto wallets security for developers
Why is cryptocurrency wallet security not about the blockchain, but about application security and user education? What do crypto wallets and banking apps have in common? Are wallets as secure as banking apps? In her new talk, Julia goes into the details, risks and threats of crypto wallets, design concerns and implementation issues, and gives practical advice for developers who want to make their apps more secure.
The secret life of Android apps
In his talk for the OWASP Zhytomyr community, Artur walks through solutions to practical security issues every security engineer faces. The mobile application landscape is constantly changing: developers use new frameworks, and Google introduces new requirements and security features. Artur demonstrates an up-to-date lab environment for security testing of Android apps and uses it to illustrate how different apps implement specific OWASP MASVS requirements, such as certificate pinning or root detection. Artur shows where to look to spot the missing security controls.
Encryption export regulations. Why should mobile developers care?
Julia talks about US encryption export regulations: what they mean, which applications they affect, and what developers should do about them.
End-to-end encrypted doesn't mean secure
End-to-end encryption by itself guarantees neither the privacy nor the security of your data. Your favourite application can use e2ee and sell your data to someone at the same time. Anastasiia explained the relationship between security, privacy and encryption, and how different encryption approaches protect users' data against different events and threats.
Use cryptography, don’t learn it
Anastasiia gave a short hardcore cryptographic session on usable cryptography and the scenarios that help app developers right their ship after misusing cryptography or data security tools. Learn in detail why boring crypto is actually better than "fun" crypto.
Designing secure architectures the modern way, regardless of stack
Eugene talked about implementing sophisticated defences in constrained environments, ranging from protecting massive power grid SCADA networks to improving end-to-end encryption in small mobile applications. The technology stack doesn't matter if you focus on the assets at risk and design defences around the asset lifecycle.
Designing secure architectures, the modern way
In this talk, Eugene tried to bridge modern DevOps/SRE practices, systems architecture design and traditional security/risk management. It is driven by lessons learnt from building systems the modern way in high-risk environments with high reliability and security demands, drawing on the experience of protecting governmental secrets and critical infrastructure and preventing banking fraud at scale.
10 ways open source will hurt security and reliability
We all know how useful open source is. In this talk, Eugene describes the obvious and not-so-obvious risks that open source brings with it and what their practical consequences are. Learn what to pay attention to when selecting components for your new spacecraft so that it does not explode during takeoff.
Encryption without magic, risk management without pain
An in-depth technical inquiry into cryptography in a wider context: how it helps narrow large risks down to controllable attack surfaces, how it enables efficient and elegant risk management, and how tools and algorithms fit into the broader picture of managing infrastructure-wide risks associated with handling sensitive data.
Everything will be broken
Our CTO's talk about classic and emerging threat models, a proper understanding of security risks, views of technical infrastructure ranging from idealistic to realistic, and adopting stronger techniques in the face of the vanishing perimeter and the (sadly) declining standards of security tools and of the overall quality of the software being produced.