Amazing Pre-Conference Line Up for 2010

Security is becoming more important every day, so UMSA, in conjunction with our member organizations, is expanding our offerings with a specialty-focused pre-conference line-up.

Note:  Registration for the full conference is required for most pre-conference events.

Pre-Conference Events

There are several exciting half-day and full-day preconference educational sessions, as well as an (ISC)2 exam, being offered on Monday, May 10, 2010, at the St. Paul River Center.

These sessions are presented by select, top-notch practitioners and educators from across the industry, covering topics relevant to today's security environments. Each session is brought to you through the dedicated efforts and sponsorship of the Upper Midwest Security Alliance or one of its member organizations.

 

Educational Sessions

Secure Audit Logging: How to Build Visibility into your Software for Improved Security and Compliance - Gunnar Peterson, Software Security Expert and Managing Principal at Arctec Group
8:00 AM - 12:00 PM,  $99.00
Session sponsored by AdvanceIT Minnesota

There are many products available in the market designed to help enterprises implement and manage logs for improved security and PCI compliance. But the problem remains for security analysts, developers and architects: how to integrate audit logging into their real, production systems?

In this class you will learn to design interfaces to logging APIs, where to hook them into the applications, what types of events to log and how to make the log messages useful to the responder.

The class examines the following Audit Logging disciplines:

  • Introduction - A Day in the Life of a Security Incident
  • Audit Logging Goals
  • Using Audit Logs for reporting
  • Audit Log Event Record Format
  • Publishing & Storing Audit Log data
  • Integrating the Audit Logger to your application
  • What Goes Wrong (and how to fix it)

This half-day class is designed for application developers, architects and security professionals. Participants will receive handouts and class materials, demonstrations and tools.

 

Control and Security of Windows - Kevin Nibler, Canaudit
8:00 AM - 4:30 PM,  $99.00
Session sponsored by the Minnesota Chapter of the Information System Audit and Control Association (ISACA)

This seminar provides the participants with an overview of the technology, an understanding of the critical components and the risks associated with the Windows Server operating system. The Canaudit Risk/Control Tables and Windows Server Audit Guide are incorporated into this class to facilitate the participants' first Windows Server Audit.

 

Who Should Attend:
 This seminar is intended for IT auditors and security staff who desire an understanding of the Windows Server environment and the controls required to secure this environment.

 

Information Security and Privacy: Where are We Going and How Can We Measure Risk and Success - Rebecca Herold, Rebecca Herold & Associates, LLC
8:00 AM - 4:30 PM,  $49.00
Session sponsored by the Minnesota Chapter of the Information Systems Security Association (ISSA)

Successful information security, privacy and compliance programs require the strategies to be complementary and integrated throughout the enterprise, within every business process stage and at every level within the organization. How can companies effectively work to ensure information security, privacy and compliance areas collaborate to make initiatives most successful? This workshop will highlight and describe the 20 top trend areas where information security, privacy and compliance practitioners must collaborate. It will then provide practical knowledge and tools that information security, privacy and compliance practitioners must have to address complex privacy and information security issues within the organization, and show how other organizations are handling these privacy and information security challenges.

Attendee takeaways:

  • 20 top trend areas where information security, privacy and compliance practitioners need to work together and how to be effective
  • How to use metrics and supporting tools valuable to both areas
  • Key information about how to perform privacy impact assessments
  • Many resources and tools to successfully meet these complex and difficult challenges immediately

 

10 Essential Steps for Everyone's Business Continuity Program - Fred Klapetzky, Marsh Risk Consulting
1:00 PM - 4:30 PM,  $25.00
Session sponsored by the Business Continuity Planners Association (BCPA)

This interactive workshop is designed to teach attendees the essential components that every business continuity program should have. Fred will work with the attendees to help set direction, next steps, and an overall program framework. For those who work with advanced programs, he'll help you self-audit your program to ensure completeness. The group will deal with common issues and share suggestions. This session will be valuable to people assigned to create or improve BC programs within their organizations where resources are limited and creativity is essential. Takeaways will include recommendations customized for the individual participant, including tools for setting up realistic timelines, obtaining management support, and motivating business functions to put forth the effort to assist in plan creation.

 

IT Auditing - Hacking your Network Before the Hackers Do - Randy Romes, Brian Johnson, Chris Knight, LarsonAllen
8:00 AM - 4:30 PM,  $149.00
Session sponsored by the Upper Midwest Security Alliance (UMSA)

Organizations spend a tremendous amount of effort and resources to secure their perimeter connections to the Internet. In spite of this effort, hackers still find ways to compromise sensitive data. The SANS 2009 Top Cyber Security Risks report identifies "client side" software vulnerabilities and "Internet facing web site" vulnerabilities as the top two issues organizations face. This session will look at some common ways that hackers take advantage of these situations to breach organizations' defenses, whether through systems that are Internet accessible (Outside - In attacks) or via systems that reach out to access the Internet (Inside - Out attacks). The session has been updated from previous years with new tools and discussion of recent vulnerability trends.

This is a hands-on session. Participants will be provided with a "hacker" laptop and software tools.  We will demonstrate tools and techniques to identify risks and vulnerabilities, and the participants will try their hand at each set of tools against live systems. The session will conclude with a capture the flag activity designed to reinforce the concepts and provide an opportunity for participants to practice the tools.

Learning Objectives - At the end of this session you will be able to:

  • Recognize and understand common hacker attack methods and privilege escalation scenarios
  • Effectively use the tools demonstrated during the course to identify vulnerable systems
  • Develop audit and hardening procedures to perform on a periodic basis as part of your normal implementation and administration processes

Key Concepts:

  • Defense in depth
  • Web application vulnerabilities
  • Inside-out attack methods
  • Default open systems
  • Administrative completeness
  • Auditing as a continuous improvement mechanism

 

Security Architecture for System Administrators (morning session) and 20 Critical Security Controls: Planning, Implementing and Auditing (afternoon session) - John Strand, SANS
8:00 AM - 4:30 PM,  $149.00
Session sponsored by the Upper Midwest Security Alliance (UMSA)

 

Certification Exams

(ISC)2 Certification Examination (SSCP, CAP, CSSLP, CISSP, others) - (ISC)2 Proctored Exam
8:00 AM - 3:00 PM
Session sponsored by the Minnesota Chapter of the Information Systems Security Association (ISSA)

If you are considering certification of your security knowledge and skill set through an (ISC)2 credential, such as the SSCP, CAP, CISSP or others, this is your opportunity to sit for the examination right at the Secure360°™ conference.

Attendees register and pay for the exam on the (ISC)2 website (no additional conference or preconference registration or fees are required).