BC Winter Security Camp - Conference Schedule

Conference Schedule

March 5, 2026

Higgins Hall 300

8:30 - 9:00

Continental Breakfast and Registration


9:00 - 9:15

Opening Remarks

David Escalante and Michael Bourque (Boston College)


9:15 - 10:00

Lessons Learned from a Year of Penetration Testing

Penetration testing is often misunderstood or treated as interchangeable with vulnerability scanning, limiting its effectiveness. This session shares practical lessons from real‑world penetration testing engagements in higher education environments. Attendees will learn what truly differentiates penetration tests from scans, why pre‑engagement planning matters, and how attackers realistically exploit weaknesses once initial access is achieved. The session emphasizes actionable insights, assumed‑breach testing, and how to use results to strengthen security programs beyond compliance requirements.

Kyle Enlow (REN-ISAC)


10:00 - 10:45

The Zero-Day Deluge: Why Patch-Centric Security is No Longer Enough

The risk and impact of zero-day and near-zero-day vulnerabilities are increasing significantly. This session examines why these risks are surging and why traditional patch-centric defenses are increasingly ineffective. We will share Harvard’s recent experience responding to a major zero-day incident and the challenges it exposed. The discussion will also cover response strategies, risk-reduction approaches, and the role of data minimization in an environment where advance warning can no longer be assumed.

Nathan Hall (Harvard)


10:45 - 11:00

Break


11:00 - 11:45

Managing 3rd Party Vendor Relationships Panel

Managing 3rd party vendor relationships is... complicated. This panel will discuss lessons learned and contemporary strategies in light of the current challenges cybersecurity professionals experience in higher education.

Adam Scaramella (Harvard), Eric Boughton (Fitchburg State), Mike Gioia (Babson), Jeffrey Holman (SNHU)


11:45 - 12:30

Why Passkeys Are the Right Answer—and Still a Nightmare

Passkeys promise phishing-resistant authentication and a future without passwords—but implementing them in higher education is anything but simple. This session walks through the real-world challenges of deploying passkeys in a campus environment, including legacy systems, device diversity, user experience, and institutional constraints. We’ll share what worked, what broke, and what we’d do differently, with practical takeaways for institutions considering phishing-resistant MFA.

Jacob Backon and Mat Cunha (Babson)


12:30 - 1:30

Lunch


1:30 - 2:15

Breaking Up with Your MSSP: Building In-House SecOps with a Small Team

Outsourcing security operations can seem like the only viable option—until it stops scaling. This session tells the story of how we transitioned away from an MSSP and built an effective in-house security operations function with a small team. We’ll cover the drivers behind the decision, the challenges we faced, the tools and processes that mattered most, and lessons learned along the way for higher ed institutions looking to regain visibility, control, and sustainability.

Mike Gioia and Sam Chung (Babson)


2:15 - 2:30

An Abnormal Relationship: Augmenting Email Security with Abnormal AI

After years of laboring constantly to protect campus email inboxes from spam, phishing, and scams, Boston College Collaboration Systems and Security teamed up to procure Abnormal AI. This talk will go over why we made the decision to procure the tool and how it makes email on campus substantially more secure while minimizing the man hours needed to keep inboxes safe. 

Christopher Andrews (Boston College)


2:30 - 2:45

Dissecting the Phish: Advanced Investigation Workflows in Google Admin Console

When responding to phishing attacks, it is important to use every tool available! For schools using Google, the Investigation Tool can be pivotal for protecting campus and responding to threats. A live demonstration will walk through responding to a phishing incident using Google's Investigation Tool. 

Stephen Jarjoura (Boston College)


2:45 - 3:00

Everything You Never Wanted to Know about Google Cloud Service Account Keys

Google Cloud service account keys are easy to create, difficult to track, and disastrous if leaked. In this short presentation we'll cover: what they are and how they work, ways to increase visibility into keys used by your org, options for reducing the risk of key usage, and finally, better ways forward.

Jordan Bradford (Boston College)


3:00 - 3:15

Break


3:15 - 4:00

AI Lessons Learned the Hard Way

There's tremendous opportunity in AI for many cybersecurity organizations, but there are also a lot of stumbling blocks. This talk will be a discussion of some lessons learned trying to solve real problems our cybersecurity team encounters using generative AI. This talk will not get into specific technical issues but will focus on themes and challenges we've encountered resolving real-world problems.

Reid Gilman (Boston Children's Hospital)


4:00 - 4:45

CMMC & NIST 800-171 Panel

If you support research at your university, then you have probably heard about CMMC and NIST 800-171. In this panel we will discuss the current state of protecting research data, current progress and pain points, and where the next year may take security practitioners.

Erik Yost (MIT), Michael Hilborn (Harvard), Roy Wattansin (MIT), Andy Rivers (Amazon)


4:45 - 5:00

Closing Remarks
