Schedule – Oct 12th, 2021

Talk slides

Find the talk slides linked in the talk titles. Just klick a title and the download should start.

  • Main Hall

  • Few people will know that Wendy Nather worked in Switzerland before she became one of the most influental CISOs in the world. Wendy is a voice of sense and reason in the industry. In her keynote at Swiss Cyber Storm, she will start with an overview of the problems around supply chain security. Afterwards, she will take a closer look at the troubles that one of the proposed solutions - a Software Bill of Materials - brings about: As we get better at collecting supply chain data, the challenge grows about how to manage it all. As an example, take the Software Bill of Materials (SBOM), which is finally gaining traction as a concept and practice. It’s clear that the potential volume of data generated by SBOMs needs to be standardized, distributed, and managed, ideally in machine-readable formats. But that’s only part of the battle: now organizations must create processes to make use of that data in business and security risk decisions. They can do this by taking lessons learned from threat intelligence and vulnerability management data. “Okay, somebody set us up the SBOM … now what?”
    Supply Chain

  • Over the last years, the collaboration with ethical hackers has become a crucial corner pillar of successful cybersecurity strategies in Switzerland and demonstrated the power to transform organizations far beyond cybersecurity. In this exciting talk, Sandro Nafzger Co-Founder and CEO of Bug Bounty Switzerland, will take you on a journey, share exclusive insights about recent bug bounty adventures and what we all can learn from them.

  • In August, 2021, Apple Inc. announced new technological measures meant to apply across virtually all of its devices under the umbrella of “Expanded Protections for Children”. While child exploitation is a serious problem, and while efforts to combat it are almost unquestionably well-intentioned, Apple's proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products. This presentation will explain the technical and political implications behind Apple’s proposal; if you think that opponents to the proposal are making a big deal out of nothing, you should watch this talk.

  • Philippe de Ryck is a well known trainer for secure software development. Throughout his career he has reviewed a lot of code (and written quite a bit himself). His presentation is a condensed view on pattern and anti-patterns with regards to the use of frameworks and software development in general when you aim for secure code. This talk does not only apply to developers themselves. It's also a talk for security officers and auditors who want to learn what to look out for when reviewing software, namely software that is part of their supply chain.
    Supply Chain

  • Jarrod has been researching credential stuffing for several years. With the continuous stream of leaks with millions of accounts, the prevalent culture of password reuse, the absence of 2FA and the painful headlines around ransomware campaigns that entered corporate networks via stolen accounts makes this work very useful. And very eye opening on top.

  • The life of Chris Kubecka is a life full adventures and she has a compelling way to tell her war stories. At Swiss Cyber Storm, Chris will tell us how she was called in to help protect a nuclear power plant in an attack that involves supply chain risks and many other aspects including some that would also fit a James Bond movie.
    Supply Chain

  • Philipp Amann is the head of Strategy of the European Cyber Crime Center at Europol. In this role he coordinates international cooperation against organised crime, a cooperation that involves Switzerland in a leading role in the Joint Cybercrime Action Taskforce. In his presentation he will tell us about this international cooperation and the Emotet case.

  • Serge Droz wears many different hats with the Chair of in 2019/20 probably being the tallest ones. At Swiss Cyber Storm he will represent ICT4Peace and talk about various initiatives including one that is meant to help with the attribution problem.

  • The advice is: Don't roll your own crypto and more generally rely on existing frameworks instead of your own security routines. But just how good are the existing frameworks and libraries when it comes to security? Would you pick a well known security plugin or rely on built-in framework controls? For her PhD, Ksenia Peguero has investigated many client-side, server-side, and desktop JavaScript frameworks and while there are some promising spots, the sum of her research is quite disconcerting.
    Supply Chain

  • Mario is not shy to pick of controversial topics and to look deeper into conceptual problems. However, he is also known to make bad predictions about the future of the industry, so we are giving him a chance to give use something to cling to for 2022 when the pandemic is over, everything is back to normal and we have found a solution for world peace.

  • Our standing dinner allows everybody to mingle, meet friends and talk about the many interesting talks of the day. Naturally, most of the speakers will still be around, so don't rush off after the last talk.

  • Scenario 1 (Sponsors)

  • Every day, cyber criminals, state sponsored adversaries, and others are trying to exploit systems and networks belonging to all types of organizations.
    In this presentation you’ll get a real-world view from our CrowdStrike experts at the front lines and gain insights that can inform your security strategies in the months ahead. You will get a new look at the most common tactics, techniques and procedures (TTPs) used by adversaries as well as recommendations for defenders looking to better protect their organization from current and emerging threats.

  • 90% of all cyber-attacks start with phishing emails, making them the #1 initial access vector, claims Gartner.
    Conventional two-factor authentication methods such as SMS, Google Authenticator, and RSA tokens offer limited protection only.
    The FIDO2 security standard addresses the problems using a novel challenge-response protocol. The standard is supported by major operation systems and browsers and not only prevents phishing attacks, but also allows for password-less logins.
    Yves Bieri will point out,
    - why SMS and OTP apps do not offer sufficient protection,
    - how the FIDO2 standard is technically implemented and
    - how phishing attacks can be prevented.

    Reasons enough to have your suppliers adopt FIDO2.

  • While we see a large number of active ransomware groups today who use a variety of techniques to penetrate your network, most of the groups share certain properties.
    Focusing on these properties is the most efficient way to ramp up security and counter attacks by these groups. In this talk, we will share what we learned in dozens of Ransomware investigations throughout the last year and provide you with a base to secure your environment better..

  • Third-party providers often play a role in today's IT infrastructures. When on-premises solutions are used, the hardware and the base operating system are often managed centrally by the internal IT team. Third-party applications, however, are maintained and configured by an external provider. In such cases, the external provider often has administrative access to some company's servers, which leads to technical risks that should be taken into account.
    This talk will address several attacks targeting the Windows Active Directory based on common Windows server configurations that can be performed by a third-party provider with such access rights. Moreover, further recommendations on how to harden such a setup and mitigations will be provided.

  • After several attempts to implement a central access management were met with limited success, Julius Bär decided to take an unconventional approach and implement a custom solution that ignores some common notions of how an IAM system must look like.
    Getting business on board, reducing the tasks of the central implementation team and leveraging the knowledge and manpower of the application teams whose access rights are controlled by the IAM system enabled bringing applications and access rights to the new IAM system in an unprecedented speed, with more than 800 applications with 1000s of access rights and dozens of custom connectors being onboarded in the space of just two years.

  • Security teams want to get rid of monotonous investigation tasks. They need to respond faster to incidents and increase productivity by automated workflows for any security use case. Could tools for Security Orchestration Automation and Response really help? Based on customer cases we will explain why they decided to use SOAR and which are the benefits they identified so far. We will also take a critical look at potential risks and show how you need to protect yourself and your supply chain.

  • A lot can happen when you expose IT systems to hackers. In this short talk, Florian will draw from his experience managing bug bounty programs for the clients of Bug Bounty Switzerland, give insights into vulnerabilities of today’s internet-exposed systems and what you can expect when collaborating with incredibly talented hackers to secure the security posture of your organization.

  • Are you curious how Switzerland's future cyber talents fared competing against 20 other countries at the European Cyber Security Challenge? Miro Haller, coach of the ECSC team, will give first hand experiences of the ECSC 2021 in Prague. He will guide through the highly competitive profession of today’s CTF landscape, touching on the topics of the team selection, the training and the final event. Afterwards, the team trainer Anthony Schneiter walks you through a challenging exploitation CTF challenge that our participants had to solve. Drop by and get to know the ECSC team 2021!

  • Our standing dinner allows everybody to mingle, meet friends and talk about the many interesting talks of the day. Naturally, most of the speakers will still be around, so don't rush off after the last talk.

  • Scenario 2

  • Trey Herr is the director of the Cyber Statecraft Initiative at the Atlantic Council think tank. Launched in the fall of 2019, the Atlantic Council’s Cyber Statecraft Initiative’s Breaking Trust project seeks to catalog software supply chain intrusions and identify major trends and implications from their execution. This talk will present an update to, and analysis of key trends from, the largest public dataset ofsoftware supply chain attacks and disclosures.
    Supply Chain

  • When creating new Virtual and Cross Reality worlds, the industry makes the same mistakes all over again: Security and Privacy are only an afterthought. Yet there is a small organization, that grows louder and louder: The Cross Reality Safety Initiaitve ( promotes these topics and challenges the big tech companies behind XR. Founder Kavya Pearlman will roll out the full width of the problem for us.

  • Patrick works for a Government organisation in Australia. Building and supporting software used in the delivery of public services. Everything from public infrastructure management through to interagency disaster management response and recovery ops. He was recently struggling with how to manage software supply chain risks at scale. And attacked the problem with a bigger focus on Software Bill of Materials. He works on the OWASP CycloneDX SBOM Standard that complements the existing OWASP Dependency-Track software.

  • SOCs are often flooded with false positives. Desiree analysed the problem and published papers and a poster on how false alarms can be classified in a structured approach and using these classifications to directly create process steps to improve the situation. This talk is focusing on how improving Integrity and Configuration Compliance monitoring can be integrated in processes directly. We also cover on how we can use this information to improve our reports.

  • This is a talk that replaces Sanija Ametis presentation about legal aspects of supply chain security. Unfortunately, Sanija fell sick and can not attend the conference.

  • Supply chain attacks and Software Bill of Materials (SBOM) topics have been dominating security news for the past few years. Supply chain threat and associated risks are especially concerning in the context of critical infrastructures where most equipment evolved historically and carries lots of legacy code and software architectures. In this talk Marina examines memory allocation, PLC programming practices, and user APIs in relation to library of functions which are used to create control logic. She will show how current PLC software designs open the door to automated enumeration of PLC control logic, identification of key infrastructure configuration and process control variables, and allow for automated development of targeted attack payloads in an arbitrary facility. Additionally, allocated but unused memory can be applied to the establishment of covert C2 channels, from which attackers are afford with the ability to execute data exfiltration and high-precision cyber-physical attacks on previously inaccessible network segments. To keep the story realistic and interesting, Marina formulates a threat scenario around an assumed industrial network architecture with advisable security measures, including the integration of network monitoring and segregation from the Internet via firewalls. She will then conclude the talk with stating an obvious challenge of outdated software design practices in “modern” control equipment and outline the importance of secure network architectures as critical compensating security control.
    Supply Chain

  • Merry Ember Mou is an engineer at Zoom who works on end-to-end encryption for Zoom meetings. Integrating E2EE into an existing widely-used system has required particular consideration of architectural constraints and product requirements. This talk will highlight some of the design and implementation objectives and challenges from the initial release in October 2020. In addition, they will describe the next phases of improvements to E2EE, which include building a user-friendly notion of identity that is externally auditable and backed by a trusted third-party identity provider. With each phase, Zoom aims to make verifying meeting participants' identities (the "ends" of E2EE) as intuitive as possible.

  • Our standing dinner allows everybody to mingle, meet friends and talk about the many interesting talks of the day. Naturally, most of the speakers will still be around, so don't rush off after the last talk.