Preconference sessions | May 7
Morning
Cloud Computing Risk Assessment and Assurance | Sailesh Gadia
IT Risk Assessment: Why You Need to Know What You Don’t Know | Michael Stead and Jeffrey Locketz
Afternoon
Integrating NIMS and ICS into your BCP | Fred Klapetzky
IT Consumerization – iPad’ing the Enterprise or BYOMalware? | Barry Caplin
World Tour of Privacy Legislation | Jay Cline
Keynotes
May 8
The Failure of Risk Management | Douglas Hubbard
May 9
Mobile & Social: A Transformation | Jon Gordon
Conference sessions | May 8
Morning
Cloud Computing in Healthcare: Key Security and Privacy Issues | Rebecca Herold
From American Frontlines to Assembly Lines: U.S. Innovation & Competition in a Global Robotics Revolution | Andrew Borene
Grafting PCI into Healthcare Compliance | Chris Secrest
Hacking Trust: Compromising the Human Machine | Steven Fox
New School Risk Management: Theory Driven Practice | Alex Hutton and Jay Jacobs
Risk Management – Beyond the Smoke & Mirrors | Evan Wheeler
Solving Data Breach Points of Egress with Analysis | Chris Andrews
Software Security Goes Mobile | Jacob West
The Ethics of Engagement and Trust | Chad Weinstein
The Genie’s Out of the Bottle: BYOD Policies That Work | Jeff Schmidt
Using Social Media in a Crisis: Understanding the Tool | Heather Guse
Afternoon
2012 Data Breach Investigations Report (DBIR) | Wade Baker
Are We There Yet? Information Security Grows Up | Christopher Veltsos
Assessing Your Mobile Applications | Stephen Kerns
Behavioral Security Modeling | John Benninghoff and Karl Brophey
Digital Identities | Chris Buse & Jim Steinwand
Discussing Security with (Non-Security)Management | Tom Cocchiarella
Fearing the Auditor More Than the Hacker | Al Kirkpatrick and David Flora
Free & Open Source Software (FOSS) in the Enterprise | Lynn Estes
How to Speak Like a Human Being | David Mann
Keys to Building a Successful Vulnerability Management Program | Michael Kelly
Impostors, Insiders and Intruders: Mitigating the Threat from Within | Dr. Jarret Brachman
Millennials at Work: New Risks or Strong Assets? | Rodnie Williams
PCI Myths and Mistakes | Brian Serra
Physical Security on the Front Lines | Deviant Ollam
Practical Measures for Measuring Security | Chris Mullins
Pragmatic Cloud Security | David Mortman
The Downfall of the BC Professional: Setting Up a Personal Plan to Quit Bad Habits and Shine at Your Organization | Frank Perlmutter
There is no Bigger Data Than Your Big Security Data | Marc Maiffret
What to Do When Your Management Doesn’t Want to Complete a BIA | Fred Klapetzky
Conference sessions | May 9
Morning
500 days in the Cloud | Ryan English
Back to Basics: Pragmatic Risk Management For the 99% | Ben Tomhave
Cyber Crime: They Will Not Stop for Lunch | Robert Cameron
Enough on Mobile Problems, What About Solutions? | Yan Kravchenko
Holistic and Flexible Risk Management | Kevin Thompson
New More Relevant Examinations to Former SAS 70 Audits | Jeffrey Locketz
Order from Chaos: Building a Crisis Management Program | Bryan Strawser
Reverse engineer the flag – Taking hacking to the classroom | Aaron Wampach
Scenario Analysis: Moving Beyond Penetration Testing | Matt Hynes and Steve Currie
Security Issues With an International Perspective | Al Kirkpatrick and David Flora
Security: Don’t forget the people! | Ron Woerner
Seeing through the Clouds: Tactics to Deal with Limited Cloud Visibility | Mike Rothman
Winning Presence for Make-or-Break Moments | Dean Hyers and Pete Machalek
Afternoon
#*%! my CISO Says | Barry Caplin
10 Information Security Principles to Live (or die) By | Evan Francen
Cloud Computing 101 | Kevin Riggins
Darts, Dice, and Monte Carlo | Miles Edmundson
Enterprise Vulnerability Management: Trends and Guidance | Ryan Wakeham and Seth Peter
Examining the Chinese Cyber Warfare Threat | William Hagestad II
New Federal Business Continuity Guidelines | Erik Pakieser, MnCEM, CBCP
People Online: Security, Privacy and Reputation @the Office and @Home | Meghan Wilker and Nancy Lyons
Principles of Patrolling for Information Security | Patrick Tatro
The Internals of Identity-theft Attacks | Ryan Naraine
Unbelievable, Now I Need to Secure the Application? | Robert Sullivan
What’s Hot & What’s Not: Screening & Security | Mary Poquette
#*%! my CISO Says | Barry Caplin
Many CISOs come from more of a technical, rather than a business, background. However, we need to be able to communicate with senior management, business-area leaders and users who may often not be technologists. In this talk we will look at some of the common topics CISOs need to cover and discuss how to rephrase the messages to better reach a business-oriented audience. We will discuss: How to think about security risks in a way business personnel do; How to translate technical security topics into more business-friendly language; and How to reach a broader audience with the information security message. Barry Caplin’s bio.
10 Information Security Principles to Live (or die) By | Evan Francen
As information security professionals we sometimes lose focus on the basic “rules of the game”. In our zeal to protect information we tend to forget that we operate within constraints, and when we fail to operate within these constraints we end up doing more harm than good. We will explain the ten information security principles that all information security professionals must live (or die) by: 1. We don’t work well in a bubble; 2. Information security isn’t an IT issue; 3. People are the most significant risk; 4. “Compliant” doesn’t mean “secure”; 5. Businesses are in business to make money; 6. There’s no common sense in information security; 7. “Secure” is relative; 8. Information security doesn’t always have to be a cost-center; 9. Information security isn’t a one size fits all solution; 10. There’s no “easy button.” Evan Francen’s bio.
2012 Data Breach Investigations Report (DBIR) | Wade Baker
Join Verizon and our globally recognized security experts to hear what we’ve learned by analyzing the data breaches that continue to plague organizations worldwide. Our findings are contained in the 2011 Data Breach Investigations Report which includes contributions, in data and expertise, of the United States Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU). Together, we had the privilege and challenge of examining over 700 new data compromise incidents since our last report. Wade Baker’s bio.
500 Days in the Cloud | Ryan English
We’ve spent the past 500 days running a cloud service testing applications for security vulnerabilities. This ranged from government applications used by our troops overseas to ecommerce applications, from software that runs manufacturing plants or energy facilities to software that helps access health records. During this time, we’ve learned a lot about setting up and managing a cloud service to scan applications, and about the threats that exist in the software that surrounds us. In the process, we’ve also generated a wealth of metrics on the security of real-world applications, and gained unique insights into how to use these metrics. As a result, we know what vulnerabilities are the most prevalent. We know which industries tend to have the most secure software. We can rate the security of the most common open source packages. We can predict, based on the type of application (java, externally facing, finance application), how many vulnerabilities per line of code there will be. We can compare the effectiveness of different testing techniques (static versus dynamic analysis). We can see what threats are most prevalent in mobile applications. Ryan English’s bio.
Are We There Yet? Information Security Grows Up | Christopher Veltsos
Information Security has finally been granted a seat at the table, so now what? Why did infosec get such visibility? How do we earn the attention given to us? What does the current state of threats look like and how can we appropriately convey the importance of those threats to best manage risks? If 2011 was the year of the breach, what can we learn from the major breaches to keep our organizations safe? Information security has definitely matured in the past decade, but are we catching up or falling behind? Christopher Veltsos’s bio.
Assessing Your Mobile Applications | Stephen Kerns
Mobile applications have become more prevalent in the business world and are being introduced with security issues similar to those of other applications. Businesses are purchasing and developing these applications without any method to test or validate that best practices have been followed. In the presentation we will review a process to conduct security testing of mobile applications for commonly found vulnerabilities: Broken Authentication, Injection Flaws, Improper Error Handling, Information Leakage, Insecure Communications, Insecure Cryptographic Storage, Backdoor Identification and Failure to Apply Server-Side Controls. Stephen Kerns’ bio.
Back to Basics: Pragmatic Risk Management For the 99% | Ben Tomhave
If you’ve spent any time investigating how to build or mature a risk management program, then you’ve likely had at least one moment where your eyes have crossed and you’ve thought “who would ever do this?” Much of the current literature comes to us from the financial services sector, but very little of it seems to translate well to other industries; especially not to the more than 99% of U.S. employer firms who qualify as small businesses. This situation begs the question: Just what can and should organizations be doing? This presentation will demonstrate how to make pragmatic use of risk analysis in any business and discuss how to scale risk management practices while still having a positive impact. Ben Tomhave’s bio.
Behavioral Security Modeling | John Benninghoff and Karl Brophey
This will be an updated version of AppSec USA 2011 presentation. John will release the BSM white paper at Secure360. Behavioral Security Modeling (BSM) describes interactions between information and people in terms of socially defined roles and expected or desired outcomes. Differences between the desired outcomes and the actual outcomes of the information systems that implement the interactions introduce security vulnerabilities. BSM allows these vulnerabilities to be anticipated and managed by comparing expected outcomes to the actual outcomes of proposed information systems, allowing for more predictable systems, and better decisions about security design. A practical example will be demonstrated by applying the approach to the tokenization of credit card numbers. John Benninghoff’s bio. Karl Brophey’s bio.
Cloud Computing 101 | Kevin Riggins
This session is geared towards an audience that has heard of cloud computing, but doesn’t have a good understanding of exactly what that means. It will focus on providing a very clear and understandable base of knowledge around cloud computing, the different models of delivery and service, security issues that should be considered and how they might impact your business. It will draw on industry accepted sources like NIST documents, Jericho Forum concepts and Cloud Security Alliance guidelines. Kevin Riggins’s bio.
Cloud Computing in Healthcare: Key Security and Privacy Issues | Rebecca Herold
Cloud computing has drawn a great deal of attention as a way to reduce IT costs in healthcare. But are the companies that offer cloud computing well-prepared to meet the HIPAA privacy and security requirements? Join Rebecca for this session, where you’ll gain an in-depth understanding of issues relevant to all healthcare organizations, including: Working with cloud vendors to address key information security and privacy compliance issues; Strategies for satisfying HIPAA privacy and security legal requirements “in the cloud”; The impact of the pending modifications to the HIPAA privacy and security rules, in addition to the HITECH Act rules. Rebecca Herold’s bio.
Cloud Computing Risk Assessment and Assurance – Using a Case Study Approach | Sailesh Gadia
Cloud Computing is one of the key emerging technologies. One of the biggest values that IT audit, security, risk and/or governance practitioners can provide to clients is an understanding of cloud-related risks. Being better at managing emerging technologies and corresponding risks can be crucial in gaining strategic competitive advantage. So, is there an efficient way to gain comfort around internal control at a cloud service provider? This session will provide an understanding of the key risks and exposures in a cloud computing environment, provide tools and techniques for conducting a SOC attestation of cloud computing environments, and summarize the findings. Sailesh Gadia’s bio.
Cyber Crime: They Will Not Stop for Lunch | Robert Cameron
The challenges of disrupting the money trail and thwarting affiliate networks: how our ISPs, credit card companies, and money mules make the world go around. Plus: evolving attack methodologies, and the mixed motivations of the CIO. Robert Cameron’s bio.
Darts, Dice, and Monte Carlo | Miles Edmundson
An examination of the flaws inherent in the current risk analysis process and of a statistically valid alternative (Monte Carlo simulations). In short, the common and accepted methodology is based upon personal or “expert” opinion with no measurement of success. Several studies show that people regularly overestimate their abilities and underestimate risks. If this is true, the current, accepted methodology has inherent biases which corrupt any meaningful risk analysis. In short, the existing methodology is little better than throwing darts or rolling dice. Miles Edmundson’s bio.
Digital Identities | Chris Buse and Jim Steinwand
Digital Identities: What are they and why do I need one? Recent activity by the Federal Government, state governments, the National Association of State Chief Information Officers and the President of the United States has driven this question to the forefront, especially identities that pertain to accessing information across borders. We will explain how these disparate organizations are linking together on a national scale with programs such as FICAM, SICAM and NSTIC. And yes, we’ll explain these acronyms, too. The State of Minnesota is working with other states and the Federal Government to become an ID provider of choice for citizens, business partners and employees. We’ll tell you how we are progressing toward that goal, and what we expect will be the outcome.
Discussing Security with (Non-Security)Management | Tom Cocchiarella
Firewalls, A/V, Proxy Servers, Policy, Content Filtering, IDS, IPS, SIEM... what does it all mean to business management? They ask: Why do we spend so much money on all of this? Do we really need all these technologies? Ever get these types of questions? Have you developed techniques to help explain why you need so many products and FTEs to support them? Come and add some tools to your toolbox that can help you develop better ways to communicate with non-IT management about security! Tom Cocchiarella’s bio.
Enough on Mobile Problems, What About Solutions? | Yan Kravchenko
Mobile remains one of the most talked-about problems with regard to security. While better and less expensive Mobile Device Management (MDM) tools are still being developed, organizations are facing a very real risk that remains largely unaddressed. Some organizations choose to pretend that wireless does not exist, while others have added policies that prohibit use of wireless technologies. This presentation will side-step the typical rhetoric about the size of the problem that wireless devices pose, and focus on real-world, meaningful solutions that organizations can implement today. This session will provide a de-constructed view of the mobile dilemma, and introduce different techniques by which organizations can stop ignoring mobile and embrace its usefulness along with the risks in a more constructive manner. Yan Kravchenko’s bio.
Enterprise Vulnerability Management: Trends and Guidance | Ryan Wakeham and Seth Peter
Defending organizations against Internet borne malware, advanced persistent threats and application exposures is a complex and increasingly important job within corporate IT environments. In this presentation, NetSPI will review current vulnerability identification and management issues and update the audience on programs and approaches to enhance your information security program. In particular, the following topics will be addressed: Why vulnerability management is important; a formal approach to vulnerability management; and tips on how to ensure your approach to vulnerability management is successful. Security and IT leaders who are responsible for providing the business with a stable and secure IT environment will benefit from this session. Ryan Wakeham’s bio.
Examining the Chinese Cyber Warfare Threat | William Hagestad II
This session will include: Origins, history and composition of the 21st Century Chinese Cyber Warfare threat (cultural, history, linguistics); Hegemonic economic, military, nationalistic and political threads which contribute to ‘war without limits’ – ‘informization’; In-depth review of cyber incursion case studies such as Ghost Net, Titan Rain, Night Dragon, Operations Aurora and Shady Rat; Statement of the Rules of Engagement (ROE), Short- and Long-Term Recommendations and Conclusions about the 21st Century Chinese Cyber Warfare Threat to energy, gas and water utility companies. William Hagestad’s bio.
Fearing the Auditor More Than the Hacker | Al Kirkpatrick and David Flora
For too many businesses, the goal of their information security program is to pass related audits. This presentation will address the pitfalls of this approach and then provide a roadmap for creating a risk-conscious and security-aware culture. The session will explain the differences and relationships between information risk management and information security. The session will then provide proven strategies for establishing effective goals and obtaining buy-in from the top down. David Flora’s bio.
Free & Open Source Software (FOSS) in the Enterprise | Lynn Estes
Open Source software has become ubiquitous and has reached critical mass. FOSS components or utilities are present or used in nearly every enterprise and increasingly vendors are bundling FOSS components with their software. This adoption and implementation has often outpaced corporate policies, standards, and development guidelines. There may also be security concerns not addressed. This is indicative of a clear lack of understanding regarding licensing and insight into support, responsibilities for modified source, and risk. I will cover many of the common components and bundles and explain available support options. I will also provide a brief overview of OSS licensing and consumer/provider responsibilities in an effort to remove some of the FUD surrounding FOSS usage in a corporate environment. I will also identify resources and recent litigation in an area of emerging law. Lynn Estes’s bio.
From American Frontlines to Assembly Lines: U.S. Innovation & Competition in a Global Robotics Revolution | Andrew Borene
This topic concerns the dramatic developments taking place in the field of robotics, and their likely impact in the security and defense arenas. Consider the following: It is estimated that the global robotics industry will create more than one million jobs in the next 5 years. Unmanned air and ground systems are expected to be a one-hundred-billion dollar market. U.S. innovation has created significant strategic military advantages in robotics and unmanned systems technology. Robotics technologies that evolve for defense applications provide civilian applications and business growth downstream. This session will center around these topics as well as a discussion around the following questions: Can the U.S. maintain market leadership and create jobs domestically in this rapidly evolving high tech market? Can the Upper Midwest capture a significant share of the robotics growth in security, defense, and civilian applications such as agriculture and medicine? Andrew Borene’s bio.
Grafting PCI into Healthcare Compliance | Chris Secrest
The Healthcare industry has many regulations that it must adhere to, many of which take the entire focus for Compliance. PCI is another, but is overshadowed by the others. As a result PCI catches many off balance and leaves them scrambling. Complicating the process is the continued push for Electronic Medical Records and the convergence of EMR with payment information. By blurring the lines of segmentation, this can lead covered entities down a slippery compliance slope. Knowing the pitfalls and the affected areas is crucial to surviving a PCI assessment without having to spend a fortune for compliance. Successful merging of EMRs with PCI data is possible as long as it’s planned correctly from the start. This presentation will cover the common areas that can lead an organization into non-compliance and how to strike the balance between regulations such as HIPAA/HITECH and PCI. Chris Secrest’s bio.
Hacking Trust: Compromising the Human Machine | Steven Fox
The consulting war stories in this session describe how social engineers leverage information from social networking sites to profile target companies focusing on their employees and customers. Armed with employee names, vocabulary from the corporate lexicon, and recent organizational events, miscreants can gain access to physical and information assets by blending into the corporate culture. Attendees will leave this session aware of how social networking sites can be used to attack an organization by exploiting the perception of trust. The session will arm the users of social networking sites with tips on how they can use these tools productively and securely. Lastly, the session will highlight training and policy strategies that have helped organizations manage the impact of social networking on their operations. Steven Fox’s bio.
Holistic and Flexible Risk Management | Kevin Thompson
There are a lot of different approaches to risk management out there, but some of the best tools only address a single area of risk management such as identifying threats or rating the severity of a single risk scenario. In this session I will present an approach to risk management that combines these techniques to identify risk scenarios, quantify the risk, select controls, report on risk, and keep historical data. This approach is based on developments by Verizon and Intel, and is flexible enough to be very detailed and rigid or abstract and lightweight. Kevin Thompson’s bio.
How to Speak Like a Human Being | David Mann
Through the use of more efficient communication, this session will present useful new ways to increase sales, engage associates, strengthen leadership collaboration and more. In addition, this session builds on David Mann’s popular 2010 session on speaking to non-technical people by diving deeper into that territory, outlining a clear, memorable way to bridge technical comprehension gaps with C-level leaders, board members, and anyone who needs to receive complex information delivered with the ease of a conversation. With a few simple interactive exercises, David will illustrate how to bridge technical comprehension gaps by using images alongside facts and how to use personal stories as a powerful tool. David Mann’s bio.
Impostors, Insiders and Intruders: Mitigating the Threat from Within | Dr. Jarret Brachman
The insider threat is an organization’s worst nightmare. Difficult to detect and prevent, attacks from individuals who obtain authorized access to an organization’s networks, facilities or trust can do far more damage from within than from the outside. This session examines a series of case-studies where adversaries attacked from the inside-out, either because they had acquired legitimate access or dressed the part. Profiled cases include the Oslo shooter/bomber, Anders Breivik, who posed as a police officer before opening fire on the crowd of teenagers he had assembled; attacks by Al-Qaida who used stolen uniforms/identification and fraudulently painted/decaled vehicles to gain access to sensitive facilities; and a review of high profile insider cyber fraud, theft and sabotage cases. The session will conclude by presenting a range of potential tools, processes and best practices to help mitigate the risks and damage from future insider and impostor attacks. Jarret Brachman’s bio.
IT Risk Assessment: Why You Need to Know What You Don’t Know | Michael Stead and Jeffrey Locketz
This session will take you through the ins and outs of an IT risk assessment – why you need to be doing it, what the benefits are, and what it even looks like. Through interactive exercises you will be given an opportunity to apply the concepts against a real-life case study. You will learn about methodologies, frameworks and concepts for risk assessment such as those provided by the IT Risk Framework (COBIT), Westerman Four A’s, COSO Enterprise Risk Management (ERM), and Factor Analysis of Information Risk (FAIR). You will be taken through the process from selecting a methodology/framework, setting scope, identifying who to involve, actually getting started, how to deliver a final product to management, and what is needed to maintain it going forward. Michael Stead’s bio. Jeffrey Locketz’ bio.
Integrating NIMS and ICS into your BCP | Fred Klapetzky
Whatever we may think about NIMS and ICS, it IS here to stay. This interactive session will help us understand the interfaces to ICS and NIMS compliance that many of us will want to include in our programs. If you are a public entity or work with first responders in any way – this is probably required in your program. For private companies, if you have a program established to mesh with an ICS in your area, you will have an easier time communicating and staying informed. Participants should come with familiarity of ICS, NIMS and how they work. This workshop will demonstrate integration points for your plans, so bring your plans and/or your command structure with you. We will go over how to minimize conflict between ITIL based IT plans and NIMS. We will also help develop terminology synchronization for your plans and the ICS – a common issue that can lead to problems communicating. The workshop will provide you with examples and slides to use when “selling” the program to your management team and how to train on the program to all participants. Fred Klapetzky’s bio.
IT Consumerization – iPad’ing the Enterprise or BYOMalware? | Barry Caplin
Companies are increasingly encouraging employees to purchase their own devices such as smartphones, tablets and laptops to use at work, according to a recent survey by CIO magazine. The acronyms BYOC and BYOD (Bring Your Own Computer/Device) have become mainstream technology terms. But what does BYOD mean for the enterprise? Can we mix personally owned devices and enterprise workstations/cell phones in our environment? How do we control configuration and data on personal devices? What about malware and other security concerns? What about improper disclosure of private data and intellectual property? And how will staff get work done when they are busy playing Angry Birds? Is BYOD the flavor of the week or is it the future of end-user hardware? In this interactive session we will discuss: What is IT Consumerization/BYOD? What are the benefits and concerns? Is there a cost savings? What are the security concerns – BYOMalware? How do we protect data? And how can I start BYOD in my organization? And yes, you can Bring Your Own Devices to this session! Barry Caplin’s bio.
Keys to Building a Successful Vulnerability Management Program | Michael Kelly
This discussion leads the audience through real-life examples of various methods and processes used to operationally manage threats – and ultimately vulnerabilities – all with varying degrees of investment and value returned. Different experiences across diverse industry sectors are brought together to detail the successes and the failures that were encountered when designing and running vulnerability management programs for large and small companies. Case studies highlight: the results of incomplete or untested processes, the pitfalls of inconsistent assessment methodologies, the successes of simple execution, how tools, processes and people all come together, and the importance of executive-level partnering and acceptance. Michael Kelly’s bio.
Millennials at Work: New Risks or Strong Assets? | Rodnie Williams
The video gaming, Twitter addicted, Facebook focused, ADD characterized, “Millennial generation”… Are these really the kinds of employees that we want to integrate into our industry? Regardless of your opinion of the newest generation to hit the workplace, Millennials are raising important issues amongst employers today. They present unique challenges with regard to recruiting, hiring, training, and integrating into the culture of information risk management and security functions. So what should our response be? Rodnie is continuously engaged in the topic of Millennials in the workforce, and training them through collaborative efforts. Rodnie Williams’ bio.
Mobile & Social: A Transformation | Jon Gordon
Two major trends are driving change across all sectors of the economy: mobile technology and social media. In his presentation, Jon Gordon will examine the explosive growth of mobile computing/communications technology and social networks such as Twitter, Facebook and Google Plus. He’ll explore the impact of these trends on how we live and work and take a look at how these trends are presenting new security problems. Questions to be addressed include: Where is social media heading? How is it changing the news business and government? How mobile will we go, and is the PC dead? Is “hacktivism” the new activism? Jon Gordon’s bio.
New Federal Business Continuity Guidelines | Erik Pakieser, MnCEM, CBCP
A comparison between the recently unveiled FEMA Business Continuity Guidelines and current industry standards, with discussion about compliance strategy. Historically, “guidelines” eventually become “requirements”. Many of these “guidelines” are already required for businesses who want to contract with the government. Erik Pakieser’s bio.
New More Relevant Examinations to Former SAS 70 Audits | Jeffrey Locketz
Service Organization Control (SOC) reports, specifically the SOC 2 and SOC 3 reports, address controls at a service organization that relate to operations and compliance. Specifically, the controls addressed relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy (the Trust Services Principles and Criteria). SOC 2 and 3 reports demonstrate to an organization’s customers its compliance with the Trust Services Principles and Criteria. The session will provide information on how an organization can first comply with the Trust Services Principles and Criteria and second obtain a SOC 2 and/or 3 report(s) for the use of its existing and potential customers. Jeffrey Locketz’ bio.
New School Risk Management: Theory Driven Practice | Alex Hutton and Jay Jacobs
Interested in how innovative and progressive risk management programs operate? How (and more importantly, what) forward-thinking risk practitioners translate a great idea into a great win for the business? Most security practitioners and even decision makers have an aversion to “theory” and seek out practices, “best” practices. However, establishing a best practice requires an assumption that cause and effect are consistent and the rules never change. The effect of a practice-driven approach is money being wasted in some areas while serious weaknesses go undetected in others. This talk will explore the next generation of risk management in terms of theory-driven practices that will be the future of information security. Alex Hutton’s bio.
Order from Chaos: Building a Crisis Management Program | Bryan Strawser
In today’s chaotic world of reputational challenges for corporations, uprisings in the Middle East, and supply chains around the world disrupted by natural and man-made disasters, building a sustainable crisis management program is often a challenge. How do you bring stakeholders, leaders, and senior executives in your company together to build strategies, and leaders, capable of guiding your company through a major disruption? How do you gain the resources you need to prepare for and monitor the risks ahead? Hear perspectives on these challenges, along with potential solutions for your company, in this session. Bryan Strawser’s bio.
PCI Myths and Mistakes | Brian Serra
PCI compliance is a tricky topic. The PCI Security Standards Council (PCI SSC) revised the Data Security Standard and is continuing to clarify guidelines and requirements for credit card merchants to become and remain PCI compliant. Since the initial roll-out of the PCI standard, a number of significant changes have occurred, including an increase in the frequency of fines and penalties, a revamp of validation requirements based on merchant levels, and, in some cases, state legislation requiring additional security controls. As the pressure on organizations to become PCI compliant increases, a number of common myths and mistakes surround the process. Brian Serra, Accuvant PCI Practice Manager, will identify these myths and mistakes and how to address them. Brian Serra’s bio.
People Online: Security, Privacy and Reputation @the Office and @Home | Meghan Wilker and Nancy Lyons
There’s an increasingly blurry line between ‘at work’ and ‘at home’ and that line becomes that much more poorly defined when social media is in the mix. These new ways of communicating introduce a whole new set of risks to personal and professional security and privacy. This session will address those risks and provide a framework for how to think about using social media safely and effectively both personally and professionally. Meghan Wilker’s bio. Nancy Lyons’s bio.
Physical Security on the Front Lines | Deviant Ollam
Last year’s session discussed the nuance and finesse of lockpicking with specialized tools and toward the end, the topic of bypassing techniques was broached, where often no sophisticated or specialized tools are needed! This talk continues where last year’s left off… with a look at some of the more novel ways that people can gain entry using cursory tactics. As always, tactical and military analogies will be employed to make direct connections between INFOSEC and any other engagement where assailants must be kept at bay for as long as possible using the resources you have available. Remember the “Three R’s?” If you don’t, you’ll learn them this time. Deviant Ollam’s bio.
Practical Measures for Measuring Security | Chris Mullins
Security is often a frustrating field for business and IT decision makers. It can be difficult to quantify, difficult to gain visibility into, and difficult to know when you have “enough”. Do you really need that latest threat feed subscription or state-of-the-art malware protection device? Do you need to add another security analyst to your team? And if so, how can you understand, in business terms, the value these investments bring to the business? This session will explore practical methods for applying metrics in security to support business decision making, and provide a framework for implementing straightforward security metrics, whether inside your walls or at a service provider. Chris Mullins’ bio.
Pragmatic Cloud Security | David Mortman
At last year’s Secure360, I taught about the realities of cloud security as opposed to the hype. This year, I’m going to take things a step further and teach how one can pragmatically deploy to the cloud in a way that takes security, privacy and operational concerns into account without hindering the business. It’s not as hard as it sounds, it just requires leveraging the right people, process and technology and I’ll show you how. David Mortman’s bio.
Principles of Patrolling for Information Security | Patrick Tatro
Army Ranger School is a leading school on developing leaders’ ability to make decisions, adapt to situations, and accomplish the mission. Information Security Professionals face situations that don’t fall under a framework or a standard. I offer a different perspective on how to address the ever-changing business requirements Information Security Professionals face. Security frameworks and standards allow us to implement security programs or become “compliant”, yet they don’t provide the means for making decisions on “grey area” issues, and they trail behind technology. Ranger students are provided with the 5 Principles of Patrolling to assess situations and make decisions. I will present how Planning, Reconnaissance, Security, Control, and Common Sense can be applied to situations Information Security Professionals face. Patrick Tatro’s bio.
Reverse engineer the flag – Taking hacking to the classroom | Aaron Wampach
Hacking competitions such as capture the flag can be creative and innovative learning opportunities for students. With proper guidance and constant attention to ethical well-being, instructors can promote a positive environment that teaches and exposes students to ethical hacking. This presentation will discuss the need for, and the learning objectives required to, successfully integrate hacking principles into a classroom environment. Aaron Wampach’s bio.
Risk Management – Beyond the Smoke & Mirrors | Evan Wheeler
There has been a lot of published work on how to perform risk assessments and various analysis methods, but they never tell you how to actually build a Risk Management Program from scratch and successfully integrate it into your organization. This session will demonstrate how to build out the core components and successfully integrate it into your environment with minimal resistance. We will discuss the basic building blocks for any good Information Security Risk Management Program including several prerequisites. We will also look at approaches to building this program from scratch and where to focus resources initially. By the end of this session, attendees should have a solid understanding of security risk assessment fundamentals and tools to implement a security risk management program in their own organization. This session will present a proven roadmap. Evan Wheeler’s bio.
Scenario Analysis: Moving Beyond Penetration Testing | Matt Hynes and Steve Currie
Many companies spend a significant amount of time and expense on conducting vulnerability assessments and misguided penetration tests in search of compliance rather than security. The results are usually exactly what could be expected before the exercise starts. During this session, you’ll learn how “Scenario Analysis” will give you real results that you can take to non-IT management to get them to pay attention to the company’s information security posture. You’ll find that this awareness is the first step to obtaining the funding you need to operate your function in line with the threats presented in today’s ever-evolving world. This session is appropriate for all audiences, from hard-core technicians to those with limited IT savvy. Matt Hynes’ bio. Steve Currie’s bio.
Security Issues With an International Perspective | Al Kirkpatrick and David Flora
As more and more businesses expand their scope to international sales, distribution, supply chain, and processing/servicing, many information risk professionals are left wondering what they need to know about the related challenges. Based on his more than ten years’ experience working with domestic corporations’ information risk issues in their offshore activities, Mr. Kirkpatrick will share lessons learned, tips and techniques, along with some humorous stories, that will be helpful to those facing the new international frontier. David Flora’s bio.
Security: Don’t forget the people! | Ron Woerner
People are and always will be the weakest link in security. If we fail to understand people, we fail to properly implement security controls. Yet it is an often overlooked topic within security curricula and training. You cannot effectively manage security without understanding people. In this session, we will talk about human weaknesses and the best ways to protect and defend against human threats and vulnerabilities. The presenter will discuss the topics of human factors, social engineering, influence, and leadership. This session will discuss why humans must be a part of the security solution and how that can be effectively accomplished. It will include a short segue on social engineering and how humans can be hacked. Lastly, the presenter will discuss the importance of influence and persuasion and how anyone can learn to be an effective security leader and coach. Ron Woerner’s bio.
Seeing through the Clouds: Tactics to Deal with Limited Cloud Visibility | Mike Rothman
One of the key issues in moving infrastructure into the “cloud” is the lack of visibility. In your own datacenter, you can see from Layer 1 on up. In the cloud, not so much. Thus, the cloud requires a different approach to monitoring. Mike Rothman, President of Securosis, will address how security management changes in the cloud, and will discuss tactics to monitor within the areas of the cloud you can see. Mike will discuss the following topics: the (re)importance of patching and configuration management; monitoring instances (with and without the cloud provider’s help); database activity monitoring in cloud-space; and gaining application-level visibility (and buddying up to your developers). Mike Rothman’s bio.
Software Security Goes Mobile | Jacob West
Mobile devices and the security risks introduced by the software that runs them are proliferating, especially with the open and fragmented Android ecosystem. This talk scrutinizes challenges faced in securing mobile apps, focusing particular attention on the unique challenges of the Android platform, and contrasts them with legacy and more mature software security initiatives. We discuss how consumerization confounds security efforts, how the mobile app lifecycle makes risk a hot potato, and conclude with the top mobile threats and how to avoid them. Jacob West’s bio.
Solving Data Breach Points of Egress with Analysis | Chris Andrews
Data breaches are becoming more and more common. Claims of fraud, financial tampering, computer crime, employee misconduct and other wrongdoing require corporations, law firms and government agencies to follow digital trails to piece together facts that lead to the truth. During the investigation, it’s important to engage forensic experts who can uncover important facts without compromising the integrity and admissibility of electronic evidence. This session will cover basic forensic analysis of workstations, servers and volatile memory for evidence of unauthorized access and exfiltration of data. Special attention during this session will be given to log analysis, timeline analysis and witness interviews. Chris Andrews’ bio.
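As an added illustration of the log-analysis and timeline-analysis work this session describes (example code written for this page, not material from the session or its presenter), the block below merges two constructed log sources into a single ordered timeline and applies one simple exfiltration heuristic: a large outbound transfer shortly after a login from an address not previously seen for that user. The log formats, hostnames, addresses and byte counts are all made up for the example; real investigations would also correlate host names, time-zone offsets and the evidence-handling steps the abstract mentions.

```python
"""Unified timeline from two constructed log sources plus an exfiltration
heuristic. Example code for illustration; all data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines (sshd-style auth log and a proxy access log).
AUTH_LOG = """\
2012-05-03T22:41:07Z sshd[2231]: Accepted password for jdoe from 10.0.5.12 port 51022
2012-05-04T02:13:55Z sshd[2290]: Accepted password for jdoe from 203.0.113.77 port 40117
2012-05-04T09:02:10Z sshd[2412]: Accepted password for asmith from 10.0.5.30 port 50012
"""
PROXY_LOG = """\
2012-05-04T02:17:40Z jdoe 10.0.5.12 CONNECT files.example.net:443 bytes_out=734003200
2012-05-04T09:05:01Z asmith 10.0.5.30 GET http://intranet.example.com/ bytes_out=512
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) (?P<dst>\S+) "
    r"bytes_out=(?P<bytes>\d+)")


@dataclass
class Event:
    ts: datetime
    source: str   # "auth" or "proxy"
    user: str
    detail: dict


def parse_ts(text):
    # All constructed timestamps are UTC; normalising to one zone is what
    # makes events from different hosts comparable on a single timeline.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text):
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(Event(parse_ts(m["ts"]), "auth", m["user"], {"src": m["src"]}))
    return events


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            events.append(Event(parse_ts(m["ts"]), "proxy", m["user"],
                                {"dst": m["dst"], "bytes": int(m["bytes"])}))
    return events


def build_timeline(*sources):
    """Merge event lists from any number of sources into time order."""
    return sorted((e for src in sources for e in src), key=lambda e: e.ts)


def find_exfiltration(timeline, threshold_bytes=100_000_000, window=timedelta(hours=1)):
    """Flag proxy transfers >= threshold that occur within `window` after a
    login for the same user from an address never seen before for that user.
    Correlation is by user and time only; a fuller version would also tie the
    proxy client address to the host that accepted the login."""
    seen = {}             # user -> set of login source addresses seen so far
    new_addr_logins = []  # logins from an address not previously seen for the user
    findings = []
    for e in timeline:
        if e.source == "auth":
            known = seen.setdefault(e.user, set())
            if known and e.detail["src"] not in known:
                new_addr_logins.append(e)
            known.add(e.detail["src"])
        elif e.source == "proxy" and e.detail["bytes"] >= threshold_bytes:
            for login in new_addr_logins:
                delta = e.ts - login.ts
                if login.user == e.user and timedelta(0) <= delta <= window:
                    findings.append({
                        "user": e.user,
                        "login_at": login.ts.isoformat(),
                        "login_src": login.detail["src"],
                        "transfer_at": e.ts.isoformat(),
                        "dst": e.detail["dst"],
                        "bytes_out": e.detail["bytes"],
                    })
    return findings


if __name__ == "__main__":
    tl = build_timeline(parse_auth(AUTH_LOG), parse_proxy(PROXY_LOG))
    for e in tl:
        print(e.ts.isoformat(), e.source, e.user, e.detail)
    for f in find_exfiltration(tl):
        print("SUSPECT EXFIL:", f)
```

On the constructed data the timeline has five events and the heuristic reports one finding: jdoe's 734 MB transfer four minutes after a login from 203.0.113.77, an address not seen for that account before. The threshold and window are tuning knobs, not fixed rules; in a real case they come from the environment's baseline.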
The Downfall of the BC Professional: Setting Up a Personal Plan to Quit Bad Habits and Shine at Your Organization | Frank Perlmutter
It’s no secret that BC professionals are losing their jobs every day, while many of our other colleagues continue to wallow in uncertainty. Yes, the economy is partly to blame, but our profession as a whole is extremely susceptible to job loss. And to an extent, we are to blame. Now, more than ever, we must clearly show our value and eliminate the practices that have been plaguing professionals for years. Join this seminar as we discuss expert tips on how to increase your job security by proving your worth to executives and plan users, and eliminate traditional, widespread methods that have led to the downfall of many of our colleagues. Specifically, we will lay out a step-by-step plan to maximize our professional value. Frank Perlmutter’s bio.
The Ethics of Engagement and Trust | Chad Weinstein
Organizational ethics – like security – is too often used only to avoid negative outcomes. And yet, ethical transgressions still make headlines. This presentation will present a more positive view of ethics – ethical leadership – and share how some core concepts and skills can drive real performance gains through improved engagement and trust. Using real-life stories and examples, Chad Weinstein will demonstrate how security professionals can ignite and sustain engagement among team members and play a leading role in building stronger, value-based relationships with customers, vendors, and other stakeholders. This lively presentation will show how ethics and security can go beyond risk management, to become positive investments in the strength of an organization. Participants should come prepared to think, laugh, and learn. Chad Weinstein’s bio.
The Failure of Risk Management | Douglas Hubbard
What is your organization’s greatest risk? Chances are, your biggest risk is that your risk analysis–and therefore your risk management–has some serious flaws and may not be improving decisions at all. Even the most quantitative analysis methods have been found to have systemic–but avoidable–biases and errors. Douglas will review the following problems and how to avoid them. For example:
- While most quantitative models have at least some subjective estimates, research shows that experts are consistently overconfident in their assessments of their own uncertainty.
- Empirical analysis is vastly underutilized in quantitative risk assessments and when it is applied, it tends to be applied to the wrong problem.
- Research shows that there is a strong placebo effect in the use of “structured” methods causing decision makers to feel more confident in their choices, even when the decisions and forecasts were measurably worse.
Douglas will show research collected from a variety of fields that show that 1) quantitative methods work best, 2) but even quantitative methods often have avoidable problems and 3) the growing popularity of “qualitative” methods will make us feel better about decisions without actually improving them (or even making them worse). Douglas Hubbard’s bio.
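The first of the problems listed above, experts being overconfident about their own uncertainty, is something a risk team can measure for itself. The block below is an added worked example (not code from the keynote or its author): it scores a set of constructed 90% confidence intervals against the values later observed and asks how likely a genuinely calibrated estimator would be to score that badly. The twenty interval/actual triples are invented for the example.

```python
"""Calibration check for subjective 90% confidence intervals.
A calibrated estimator's 90% intervals should contain the true value about
90% of the time; a much lower hit rate is the overconfidence referred to in
the abstract. Example code with constructed data."""
from math import comb

# Constructed: (low, high) is an "expert" 90% interval for, say, hours of
# outage in a past incident; the third value is what actually happened.
ESTIMATES = [
    (2, 6, 4), (1, 3, 5), (4, 8, 6), (0, 2, 3), (3, 5, 4),
    (1, 4, 2), (5, 9, 12), (2, 4, 3), (6, 10, 8), (1, 2, 4),
    (3, 7, 5), (2, 5, 9), (4, 6, 5), (0, 3, 1), (8, 12, 15),
    (2, 6, 3), (1, 5, 7), (3, 9, 6), (5, 7, 4), (2, 8, 5),
]


def hit_rate(estimates):
    """Return (hits, n, fraction of intervals that contained the actual)."""
    hits = sum(1 for lo, hi, actual in estimates if lo <= actual <= hi)
    return hits, len(estimates), hits / len(estimates)


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def overconfidence_pvalue(hits, n, target=0.90):
    """Probability that a calibrated estimator (true hit probability = target)
    would get `hits` or fewer of n intervals right. Small values mean the
    stated intervals are narrower than the estimator's real uncertainty."""
    return binomial_cdf(hits, n, target)


def assess(estimates, target=0.90, alpha=0.05):
    hits, n, rate = hit_rate(estimates)
    p = overconfidence_pvalue(hits, n, target)
    return {"hits": hits, "n": n, "hit_rate": rate,
            "p_value": p, "overconfident": p < alpha}


if __name__ == "__main__":
    result = assess(ESTIMATES)
    print(f"{result['hits']}/{result['n']} intervals contained the actual "
          f"({result['hit_rate']:.0%}); p = {result['p_value']:.2g}; "
          f"overconfident = {result['overconfident']}")
```

On the constructed data only 12 of 20 intervals contain the actual value (60% against a stated 90%), and the chance that a calibrated estimator would do that badly is well under one in a thousand. The same scoring works for any interval estimate a risk model consumes; keeping a log of past estimates and outcomes is what makes the check possible.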
The Genie’s Out of the Bottle: BYOD Policies That Work | Jeff Schmidt
With the proliferation of smartphones and other mobile devices in today’s workplace, organizations continue to wrestle with the security challenges inherent in allowing mobile access to corporate data. While the benefits of the “bring your own device” (BYOD) concept are recognized (increased productivity and responsiveness, communications anywhere, anytime), myriad security issues, including the risk of security leaks, data breaches and loss, noncompliance, and loss of infrastructure control, are keeping countless executives awake at night. The session will outline the security and technical challenges of a BYOD approach and how to determine whether a BYOD program is right for your business. It will also highlight proactive BYOD strategies that work, what to include (and pitfalls to avoid) in creating BYOD policies, and how to implement BYOD programs that protect an organization’s assets while enabling employees to benefit in today’s mobile world. Jeff Schmidt’s bio.
The Internals of Identity-theft Attacks | Ryan Naraine
Specialized malware aimed at global businesses is being used to hijack sensitive information, including financial data such as bank account details and logins for eBay, PayPal and Amazon.com. In this presentation, Ryan Naraine will provide an in-depth look at the internals of a typical identity-theft attack and identify some basic steps that global corporations can implement to stay protected. Ryan Naraine’s bio.
There is no Bigger Data Than Your Big Security Data | Marc Maiffret
The idea of “big data” has technology vendors and customers alike scrambling to come up with ways to manage the limitless amounts of data being generated by apps, APIs, databases, web services, etc. For organizations with aggressive security and compliance requirements, the security data driving today’s threat and risk intelligence (assessments, compliance reports, attack and mitigation data, etc.) is “big data” in itself. In fact, it might be the biggest data in your organization with regard to its value and impact on operations. It is one thing to collect this data (no small feat, actually), but the real challenge is in making sense of all of this valuable information in an actionable format. This session will discuss the most effective ways that today’s large enterprises are not only managing their big security data, but using it to their advantage in crafting security strategy. Marc Maiffret’s bio.
Unbelievable, Now I Need to Secure the Application? | Robert Sullivan
Your boss just came in and announced your application was compromised, resulting in a data loss incident. The customers have demanded proof that your code is secure! Where do you turn? During this presentation, we will discuss resources to help you understand what secure coding is, what processes can assist you and tools to help move you into the realm of having truly secure code. These are also the same areas that many regulations such as PCI and HIPAA require. By attending this session, you will learn: What secure software development means; What secure development models to follow; What resources are available to continue learning about secure coding; and what needs to be done to secure the code. Robert Sullivan’s bio.
Using Social Media in a Crisis: Understanding the Tool | Heather Guse
The popularity and accessibility of social media has led to its increased use during emergencies. From individuals communicating their status to worried family members, to local government agencies communicating evacuation notices to citizens in the path of wildfires, social media has become a common tool for communicating critical and time-sensitive messages. Corporate communication departments are using social media to provide messaging to customers and stakeholders, allowing them to go beyond the reach of the standard press release. The use of social media in crisis communications and employee communications is powerful, but the ramifications of using it incorrectly could be costly to your company’s reputation. We will review current popular uses of social media in crisis management as well as the limitations that come with this type of communications tool. Heather Guse’s bio.
What to Do When Your Management Doesn’t Want to Complete a BIA | Fred Klapetzky
We’ve all heard it before – We don’t need a BIA, We don’t have time to update our plans. Worst of all, it’s our management team saying it! This session is designed to help us explain, persuade and inform our leadership teams to support the continuity planning process. We’ll take a look at common complaints and equip you with some strategies to counter them and turn the situation around. Bring your issues and complaints – this is an interactive session and everyone should leave better prepared. Fred Klapetzky’s bio.
World Tour of Privacy Legislation | Jay Cline
This session will provide an overview of GAPP – the privacy world’s version of the ISO 27001 framework – and use that reference point to detail how various jurisdictions have legislated on privacy since 1974. Other topics to be discussed include: Generally Accepted Privacy Principles, North American privacy legislation: HIPAA/HITECH and GLBA Privacy Rules, CAN SPAM, COPPA, FCRA/FACTA, Privacy Act 1974, FERPA, and state-level laws; concepts of federal pre-emption and private right of action; Canada’s PIPEDA, provincial laws, and commissioner findings; European privacy legislation: EU directives on data protection, data retention, and electronic communications; Article 29 Working Party key documents; unique member state legislation; U.S.-EU Safe Harbor, model contracts, and binding corporate rules; data-breach notification; Other privacy legislation around the world, outlook, and enforcement. Jay Cline’s bio.
What’s Hot & What’s Not: Screening & Security | Mary Poquette
Background screening generally does not garner much notice on the radar screen of security professionals. It’s not particularly high tech or exciting and is generally assumed to be working. Is it working in your organization? When was it last evaluated? Is it flexible and ready to change given current legislative, regulatory, and societal activity? This session looks at what is new in background screening, what is working, and what is not. It explores new screening tools and trends; examines current legislative, regulatory, and societal activity; presents the practical impact of changing laws and regulations; and provides a 10-point checklist for security professionals to use when examining their programs. Screening employees and contingent workers remains a critical component of any security program. Learn how to maximize your program effectiveness and mitigate risk. Mary Poquette’s bio.
Winning Presence for Make-or-Break Moments | Dean Hyers and Pete Machalek
We all experience them: those “in the spotlight” make-or-break moments where success or failure seems to be entirely on our shoulders. We might be pitching to prospects, up-selling clients, or looking to generate support from our superiors, commitment from our teams, or credibility with an outside group. We feel the pressure of these moments, and don’t know how to consistently handle them with confidence and influence. In this game-changing presentation, we will address this challenge from our unique vantage as filmmakers who specialize in helping performers deliver optimal performance in high-pressure scenarios: A powerful new paradigm for thinking about high-pressure moments, a unique technique for transforming anxiety into excitement and a process for organizing your thoughts. Dean Hyers’ bio. Pete Machalek’s bio.