Rohyt Belani
This presentation will discuss the evolution of spear phishing from being a means of stealing user identities to becoming a mainstay of organized crime. Today, phishing is a key component in a “hacker's” repertoire. It has been used to hijack online brokerage accounts to aid pump-and-dump stock scams, and as a means of creating covert channels from compromised user machines to the Internet. During this talk, I will present the techniques used by attackers to execute such attacks and real-world cases that I have responded to that will provide perspective on the impact. This will be followed by a discussion on what works and what doesn’t in building and testing user awareness to thwart such attacks against your organization.
David Lissberger
“Hacking Through a Firewall” shows how vulnerable networks may be compromised and offers suggestions that network administrators and corporate officers should consider to make those environments more secure. The demonstration is presented using only a laptop computer, sound system, PowerPoint presentation, and a projector. The technical level is low-to-medium, so as to be of interest to a general audience of business professionals. The firewall-protected network belongs to a fictional company and is one of many in the process of being penetrated by a professional hacker. The audience sees how the hacker collects information on the target, penetrates the firewall, steals critical data, and leaves an easy way to return.
Rafael Rosado
Credit card fraud continues to be on the rise and has cost merchants millions of dollars. In recent years, major security breaches were suffered by merchants such as TJX and Hannaford. Organizations that transmit, store and/or process credit card transactions are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Furthermore, card brands such as Visa are requiring merchants that use payment applications developed by third-party software developers to have these applications certified to comply with the Payment Application Data Security Standard (PA-DSS). The session will focus on the key security controls that organizations need to implement in order to report compliance against the PCI DSS, with special attention given to web and application development security controls. Additionally, the session will highlight how the PCI DSS requirements correlate to the PA-DSS requirements and provide considerations for merchants and service providers on how to comply with PCI DSS, and for application developers on how to comply with PA-DSS.
Richard Gasdia
Everyone is familiar with the old adage "Time is money." In the Information Age, data may be just as good. Reports of data compromises and security breaches at organizations ranging from universities and retail companies to financial institutions and government agencies provide evidence of the ingenuity of Internet hackers, criminal organizations, and dishonest insiders in obtaining and profiting from sensitive customer information. Whether a network security breach compromising millions of credit card accounts or a lost computer tape containing the names, addresses, and Social Security numbers of thousands of individuals, a security incident can damage corporate reputations, cause financial losses, and enable identity theft. To mitigate the negative effects of security breaches, organizations are finding it necessary to develop formal incident response programs. However, at a time when organizations need to be most prepared, many are finding it challenging to assemble a plan that not only meets minimum requirements but also provides an effective methodology to manage security incidents for the benefit of the organization and its customers. In response to these challenges, this presentation will highlight the important aspects and best practices organizations may consider when developing effective response programs.
Josh Sokol
This session is a must-see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, Burp Suite, RatProxy, or Paros, but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.
Nicholas Wetton
Information is one of a business’s most important assets. Organizations need to deeply understand their information in order to protect sensitive data and comply with regulations. Data Loss Prevention (DLP) solutions help organizations protect and control critical data wherever it is used or stored, significantly minimizing the risks associated with uncontrolled information. DLP delivers a wide range of capabilities, giving organizations the ability to effectively address data leakage, misuse and compliance. Many organizations are looking for an integrated suite of products that enables them to proactively manage a broad set of information risks. DLP control points analyze information at the network, at the endpoint, at the message server, and as data stored on various systems and repositories.
Rob Kraus
Rising corporate instability during unstable economic times can subject organizations to an elevated level of internal security threats. Proactively managing risk before the onset of economic instability will help prepare and protect your organization from the danger posed to your critical business information by internal threats. During this session we will attempt to identify assets that are appealing to insiders, understand what types of attacks can be executed, and learn how to prepare your organization to minimize attacks before they occur.
Robert Hansen & Rob MacDougal
Ever wanted to know how to tell how well or badly you’re doing? This speech will show you how to assess yourself without being a hacker, and how to do it in under an hour. No hacking skills required!
Dominique Kilman
Advanced computer attackers know traditional network defense mechanisms (IDS, AV) better than most of the security engineers implementing these controls. This knowledge allows the attackers to bypass traditional mechanisms for detecting attacks. In order to discover the advanced attackers that are invading networks today, a combined approach that involves all parts of the network must be used. Network data, log data and host-based data must all be analyzed in concert to detect attackers on modern networks. This talk will discuss a method for analyzing that data, explore what indicators can be found within it, and show how to correlate this information to form a more robust detection methodology.
Vern Williams
What can we learn about information security from the hard-learned lessons of engineering, from the Tacoma Narrows Bridge, the loss of the USS Thresher and other seminal events? 1) Educating other professionals about lessons learned, 2) Changing technology, procedure and policy, 3) Change management, 4) Metrics.
Ricky Allen/Randy Holloway
Log management continues to be an operational issue for IT departments around the globe. In an average enterprise, hundreds of gigabytes of log files are generated daily. While the review of these logs is often performed manually or through siloed mechanisms, intrusions continue to occur at an alarming rate. Ultimately, this becomes a nightmare when discovering the root cause of a breach. Proper log management allows companies to retain log events in a secure, effective manner, while ensuring the data remains in a forensically sound state, meets compliance and satisfies the demands of the auditor. This presentation will address the requirements for log management and introduce recommended practices for the development of a successful log management program.
Chip Meadows
Have you ever wondered what makes technical people tick? Have you ever audited a geek? Have you ever had to interface with a geek? Do you wonder why your IT security representative is always pale? Join Chip Meadows as he gives a tour into the mind of these three personas. Come and learn why they are the way they are and how to interact with them.
Trey Ford
What’s the difference between network or Web server vulnerabilities and vulnerabilities in custom Web applications, and how do they affect an enterprise? With all the Web security solutions in existence, how are vertical industries faring with vulnerability discovery and remediation efforts? When you look at many of the prominent website hacking incidents, it becomes obvious that website security is becoming increasingly challenging for today’s corporations, and the cause is often not that an attacker took advantage of an unpatched, well-known vulnerability, but instead exploited an unknown issue in a custom Web application.
Andrew MacFarlane
With new technology like Deep Packet Inspection and new business models being developed by major network operators, it is important that IT managers and IT security professionals monitor critical issues that impact user privacy, the freedom of consumers to access the content and applications of their choice, and the ability of new online businesses to launch without network owner approval. Since market forces aren’t available to restrain inappropriate behavior by dominant IAPs (Internet Access Providers), a focused and active role by IT managers is increasingly necessary.
Jim Kates
Many companies are facing organizational challenges and changes due to the economic conditions. These changes are introducing new security issues to once-stable environments. There are budget and headcount reductions across the board, yet the risks are in fact increasing. As a result of economic conditions, we are seeing more mergers, acquisitions, divestitures and layoffs. Each has a significant impact on the current security environment. This session will focus on how these types of events can affect your organization and what real, not hypothetical, actions you can take if your group finds itself in these unknown waters. We will walk through some of the most common risks and add some that are unusual in nature but just as problematic. Then we will examine actions that you can start planning today and integrate into that scenario as it becomes more relevant. No two organizational changes are completely the same, but understanding key elements, critical paths and common sense will help you better face the time if it does affect your organization. This session will leave you prepared to handle these issues and hopefully bring some levity to the situation.
Josh Zachry & Chandler Vaughn
This session will provide an overview of cloud computing. Included will be some capabilities for businesses and consumers to consider when possibly leveraging a cloud environment for their information technology needs. The session will also address the potential security challenges businesses and consumers could face while using a cloud computing environment.
Matt Tesauro
The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users' web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or noncommercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
John Dickson
This presentation focuses on how security officers or development leaders can apply a disciplined approach to building internal consensus to build secure software. A five-step process will be laid out that will enable a manager to characterize the landscape, secure management buy-in, baseline the existing risks, set modest goals and attempt to achieve them, and sustain the initiative. Emphasis will be on actionable steps that successful managers have used to drive the adoption of secure software strategies in large organizations.
Doug Landoll
In most organizations, information security policies are constructed in response to incidents and audits. The composed set of policies may address many of the recent issues that have challenged the organization, but the policy set lacks organization, completeness, and structure. The results of these unorganized and incomplete policy sets include: confused employees inadvertently violating policy, uncoordinated responses to business partner security questionnaires, lack of accountability and responsibility for key roles, and inefficient security spending. Given that administrative controls are the basis for defining security in the organization, ensuring that the security policies form a consistent, complete, and compliant architecture is the foundation of improving the security program. This presentation will present the “Clean Slate” approach to developing a security policy architecture. The seven (7) step approach will demonstrate how to create a security policy architecture based on a security controls framework and appropriate security requirements. This approach has been successfully applied to commercial and government organizations and resulted in cost savings for each of the organizations.
Erhan J. Kartaltepe & Ravi Ganesan
The Same Origin Policy (SOP) has severely restricted the class of applications that can be built using the XMLHttpRequest (XHR) object. On the other hand, without the SOP in place, XHR could make all the cross-site attacks of the past look rather tame. Current proposals to solve the problem require sites to maintain Access Control Lists (ACLs) defining which originating sites they are willing to serve XHR requests from, with the policing done by the user’s browser. These proposals have well-known security limitations. The problem is hardly unsolvable; the trouble is that new cryptographic protocols take years to mature, and the trust infrastructures required would take even longer to shake out. Can we somehow use existing, trusted cryptographic protocols to solve this problem? Can we use trust infrastructures already in place? The answer to both is yes, and moreover it can be implemented without changing a word in the cross-domain authorization proposal the W3C has put forward. This talk will describe such a new standard and discuss its merits and challenges.
Pierluigi Stella
The presentation is designed to show organizations how to set up and manage outsourced network security services in order to maximize security and minimize costs.
Chad Thiemann
This session will discuss the subject of executing comprehensive due diligence with regard to identifying everywhere organizations store, process and transmit sensitive/confidential data, and the risks associated with not doing so. Key topics such as vendor security assessments, removable media security, mobile device security, data classification and data loss prevention tools will be included in this presentation.
Matthew Ege
Sharing data with third parties is common practice today. Data becomes “external” through many means, such as outsourcing, joint ventures, reporting on compliance, and business relationships. With your company’s data being touched by so many third parties comes an increased risk of data being shared inappropriately (whether purposefully or not). This presentation will explore how data becomes external, the risks of external data, and what can be done to help mitigate this risk.
Bryan Whorton
The Evolution of Identities: Where We Came From and Where We Are Going.
Identity 2.0: how is this going to solve the federation challenge, mitigate the traditional risks and intrusions of application/data access, and the costly business of storing identities? This presentation will cover the evolution of how organizations currently manage user identities across environments and how it will be simplified with Identity 2.0.