2009 Speakers
Keynote Speakers:
Dr. Eugene Schultz
CTO at Emagined Security, previous manager of an information security practice and national incident response team, and retired professor of computer science at University of CA at Berkeley. Gene is the author/co-author of a book on Unix security, another on Internet security, a third on Windows NT/200, a fourth on incident response, and the latest on intrusion detection and prevention. He is the former Editor-in-Chief of Computers and Security (2002-2007), is an associate editor for Network Security, is a SANS instructor and member of SANS NewsBites, has co-authored the 2005 & 2006 Certified Information Security Manager preparation materials, and is on the technical advisory board of three companies. He has received numerous industry and academic awards and has even provided expert testimony before committees in the US Senate and House of Representatives.
Insider Attacks: The How’s, Why’s, and What to Do’s
An insider attack is intentional misuse by individuals who are authorized to use computers and networks. Insider attacks result in more financial and other loss than any other type of attack. Worse yet, detecting insider attacks is one of the most difficult tasks facing information security professionals, but an increasing amount of information is becoming available about the nature of these attacks, the strategies that inside attackers use, and ways of preventing these attacks or limiting the damage they can cause. Based on this information, this talk describes the major types of risk resulting from insider attacks, the major types of insider attacks and the motives behind them, appropriate information security policy provisions relevant to insider risks, how to better predict and detect insider attacks, and how to respond appropriately when insider attacks occur.
John Strand
Back by popular demand!! SANS professor and technical guru extraordinaire, John Strand, joined us again this year to share more of his in-depth technical knowledge and rock-n-roll personality. John currently teaches the SANS GCIH and CISSP classes, and is a key player in their local mentor program. His extensive experience in computer security and education encompasses the areas of intrusion detection, incident response, vulnerability assessment/penetration testing, specialized multi-level security solutions, security architectures, program certifications and accreditation. Whew! But that's not all. He holds a Master's degree from Denver University, where he is also a professor. Amazingly, he still finds 'spare time' to write loud rock music and make futile attempts at fly-fishing.
Paul Asadoorian wrote on his blog:
"While all of the presentations got rave reviews, one of the keynote speeches was particularly interesting. John Strand gave a keynote speech titled "The Internet is Evil". Most of us know that the Internet is evil, but John wants us to do something about it. He challenges us to think differently about defense, and to question how much, if any, Internet access your users should have. He also brings up a good point about the perceptions of users. Many believe that the average user is not knowledgeable about computers, when in reality they are using anonymizing proxies to bypass corporate web filtering. John then went on to identify two areas of "security" that need improvement. I put "security" in quotes, because it's a false sense of security that the following provide:
- Anti-virus - John points out a new service that allows you to upload your binary and have it encoded by several different programs, then review a report of which Anti-virus engines caught it, and which ones did not. You can find more information on the PolyPack web site.
- SSL - SSLStrip is a tool that tricks the user into running a connection over HTTP instead of HTTPS. You can watch a video demonstration of this tool in action to get a better idea of how it works. John then goes on to show how this could be combined with attacks against BGP to intercept traffic without having to be on the same subnet as your victims.
John then went on to cover defensive techniques that work, such as using firewalls not only to restrict outgoing access, but also to enable the built-in firewall on all of your hosts (especially desktops). The other interesting idea he presented was to treat your user desktop subnets as hostile. I know this may sound like a radical idea, but if the users are accessing the Internet and exposing their systems to malicious code, it's best to treat them as if they are already infected with malware. I've used this tactic when developing security strategies for universities and it works quite well."
Breakout Session Speakers:
Speaker: Lee Kushner is President of LJ Kushner and Associates, LLC, an executive search firm dedicated to the Information Security industry and its professionals. Since 1996, he has provided career management guidance to industry professionals at all skill levels. He is a regular presenter on topics that include career planning, interview preparation, and employee recruitment and retention. He is the co-founder of www.infosecleaders.com, a career advice resource for information security pros.
Topic: The Seven Habits of a Successful Information Security Career Manager - Due to the growth of the information security industry and the popularity of our profession, future competition for information security leadership roles will intensify. As the number of qualified information security professionals grows, it will become increasingly difficult to accomplish your long-term career goals and objectives. To succeed in the information security employment market of the future, you can no longer be “good,” you will have to be “better.”
The presentation will demonstrate to the audience how to become more effective managers of their own information security career. Topics that will be covered include career planning, career investment strategies, personal branding, and professional “network” development. At the conclusion of the presentation, attendees should have the framework for building a career plan that is best suited to their personal career goals.
Speaker: Mike Zusman is a Principal Consultant with the Intrepidus Group. Prior to joining Intrepidus Group, Mike has held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms. In addition to his corporate experience, Mike is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other third parties. He has spoken at a number of top industry events including Black Hat, CanSecWest, DEFCON, regional OWASP conferences, and also teaches Information Security & Penetration Testing at NYU/Polytechnic University. Mike brings 10 years of security, technology, and business experience to Intrepidus Group. He is a CISSP and an active member of the OWASP foundation.
Topic: Attacking SSL PKI - The last year has been a rough one for SSL PKI: fraudulently provisioned certificates, MD5 collisions, SSL spoofing attacks, and most recently, attacks against EV SSL. The variety of these attacks shows us how big the attack surface of SSL really is. From crypto attacks to browser design flaws, attackers have choices when it comes to man-in-the-middling SSL protected web sites. This presentation covers one of these vectors: real attacks against CA web sites. While some folks look to CAs for guidance when it comes to conducting secure business on the Internet, the CAs themselves can fall victim to the same attacks consumers look to them for protection against. EV SSL is a step in the right direction, but with a heavy reliance on low-assurance domain validated SSL certificates, can we ever get SSL right?
Speaker: Alex Lanstein, Senior Researcher, FireEye - At FireEye, Alex handles a broad set of responsibilities including product engineering, sales engineering, and security research. Most recently, his security research was published by The Washington Post, PC World, The Register, and Cisco Systems, where he uncovered botnet and Web malware sites associated with McColo Corp. His work was key in taking McColo off the Internet as well as significantly reducing worldwide spam. Prior to FireEye, Alex was founder, owner, and network administrator of an Internet hosting company. His areas of expertise include botnets, malware, network security, and functional binary analysis. Alex has a B.S. in Computer Science from Connecticut College.
Topic: Blocking the Covert Channels Used for Malicious Data Theft - Browser-based computing, mobility and social networking are giving rise to a new breed of threat: stealthy Web-borne malware. Cyber criminals are using the Web as their prime infection vector to take over enterprise and consumer PCs, and embedding malicious code within user-generated content websites, third party ads, and high-traffic web applications.
The fact is that today’s threats exploit the inability of “traditional” network protection to provide a unified defense against a cyber criminal who attacks on multiple fronts: OS exploits, browser attacks, and increasingly, plug-in/widget vulnerabilities.
Companies need “modern” tools that offer both accuracy and advanced detection techniques to prevent the calculated, surgical access and theft of their critical information. Tool Talk attendees will learn:
- The extent of today’s sophisticated Web malware and how it works
- Key differentiators between data leakage and malicious data theft
- Why traditional solutions are powerless to stop today's insidious threats
- How a new network security tool can foil break-ins and detect future infections
- Real-world results from an organization that is using this new solution
Speaker: Adrian Crenshaw - Adrian Crenshaw has worked in the IT industry for the last twelve years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools.
Topic: Darknets: Fun and games with anonymizing private networks - This talk will cover the basics of semi-anonymous networks, their use (political dissidence, file sharing, gaming and pr0n), how they were developed and what they mean to organizations. The main focus will be on the Tor, Freenet and anoNet Darknets, their uses and weaknesses.
Speaker: John Pavone is Aspect Security's Acceleration Services Practice Lead, specializing in the enablement of application security within organizations. John has been an IT professional for over 20 years. In the last 12 years, John has concentrated solely on Information and IT Infrastructure Security.
Topic: Compliance Strategy and Planning – Building an Effective Application Security Program - Compliance doesn’t make you secure, but a good application security program can ensure your applications are compliant with all major regulations, including PCI, FISMA, SOX, and HIPAA. Application security is no longer a choice. Between the increasing number of attacks and regulatory pressures, organizations must demonstrate their capability to secure their applications. Given the staggering number of applications and lines of code already in production, many organizations are struggling to identify a cost-effective and compliant approach to gaining this assurance.
Through a series of case studies and scenarios, John will provide awareness of application security vulnerabilities and verification techniques, compare the pros and cons of remediation approaches taken, and provide a practical and tried method for establishing a positive application security program: a program based on four simple, balanced focus areas that leverage people, process, and technology to build the capability to reliably produce secure applications. Together, these areas and their established practices will enable your organization to successfully manage, improve and sustain an application security initiative in a cost-effective and regulatory-compliant manner.
Speaker: Rick Taylor, CISA, Director of Information Technology and Internal Audit, Hawkins Company CPAs - Rick Taylor is the Director of the Information Technology and Internal Audit Services at Hawkins Company CPAs and has been with the company since 2002. He has more than 24 years’ IT experience with regional accounting firms, national corporations (including AEGON USA and YUM! Brands, Inc.), and over 12 years’ experience at financial institutions, including PNC Bank, Great Financial Bank, and Star Bank. He has performed system security and compliance audits based on federal regulatory standards, and his vast knowledge and work with network architecture, disaster recovery, product development, and situational analysis have led to innovative and cost-saving solutions for many clients.
Topic: SAS 70 Compliance Auditing
Speaker: Brian Long & John Maynor, PricewaterhouseCoopers LLP - Brian Long has five years of experience with PricewaterhouseCoopers in performing attestations for various manufacturing, health care, and insurance clients. Brian’s primary responsibilities include evaluating the design and operating effectiveness of business and IT processes, evaluating the suitability of control design to ensure desired control objectives are met, and implementing new controls based on established risk assessments. In addition, Brian owns and manages several client relationships in the Louisville office. Brian also has over 8 years of client service experience, including consulting and process improvement. Brian is a Certified Information Systems Auditor and Certified Internal Auditor.
John Maynor is a Manager with 10 years of professional experience at PricewaterhouseCoopers and in private industry. John has proven experience in building security governance practices within diverse industries. He has developed an Incident Response program for a Fortune 500 enterprise, as well as performed IT controls review and optimization for clients looking to enhance their control environment. Prior to joining PricewaterhouseCoopers, John developed and maintained Information Security programs for Fortune 500 companies, including policy and awareness program development. Since joining PricewaterhouseCoopers, John has helped a multitude of clients build their Information Security programs. John is a Certified Information Systems Auditor.
Topic: Emerging Trends in Information Security Compliance - PricewaterhouseCoopers discusses recent regulatory changes and the related impact on information security, with a particular focus on how clients are integrating new information security requirements into their existing compliance programs.
Speaker: Jason Wessel has over 12 years of enterprise security architecture experience as a security consultant for both large and small-to-medium sized enterprises. His strength is developing integrated security solutions for complex network environments with numerous custom applications.
Topic: Virtualizing the Security Architecture: Defending Virtual Servers and Applications - This talk will discuss the push of virtualization in the enterprise and how to use virtualization in a manner that does not compromise the security of the enterprise architecture. The presentation will cover the following areas:
- Drivers that are pushing enterprises to accept virtualization
- The impacts and challenges that virtualization has on designing security into enterprise architectures
- The new threat vectors virtualization introduces in an enterprise
- Defense-in-depth based strategies for securing virtualization in the enterprise
Speaker: Paul Asadoorian - Paul is the product evangelist for Tenable Network Security, where he writes and produces content to support the Nessus vulnerability scanner in addition to several enterprise products. Paul is also the host of PaulDotCom Security Weekly (http://pauldotcom.com), a weekly podcast discussing IT security news, vulnerabilities, hacking, and research, including interviews with some of the top security professionals. He is also the co-author of Ultimate WRT54G Hacking, a book dedicated to embedded device hacking and wireless security. Paul's other efforts include a monthly webcast discussing the latest hacking techniques and news, penetration testing, and coaching capture-the-flag hacking events.
Topic: Bob’s Great Adventure: Attacking & Defending Web Applications - We will explore the age-old debate between Alice and Bob, learn about the latest web application attacks and tools, and learn about the latest defenses.
Speaker: Scott Moulton is president of Forensic Strategy Services, LLC and the lead recovery expert for a data recovery company called My Hard Drive Died.com. Mr. Moulton began his forensic career with a specialty in rebuilding and repairing hard drives for legal cases. Many times while working on a case, Mr. Moulton will be given hard drives that have already failed, in an effort to *blame* the opposition or to impede performance and increase the cost to the opposition.
Scott Moulton has successfully rebuilt and performed recoveries for many investigations and has given depositions and testified in many complex cases involving homicide, embezzlement, theft, divorce, child pornography and corporate fraud, among others. Mr. Moulton has also been involved in a precedent-setting case about port scanning. In addition, Mr. Moulton currently holds a private investigator license in the state of Georgia.
Topic: Advanced Data Recovery Forensics - Every hard drive will die a quick and sudden death sooner rather than later. What happens after that death can be very important to your data and become the deciding factor in its survival. Forensics relies on the data, because without it there is no case. I will display the inner workings of a hard drive in a beautiful animation and discuss the successes and failures in rebuilding a hard drive and recovering the data. I will teach you what to look for and how to accomplish this task on your own so you might be able to recover your own data without sending it to an expensive recovery house. We will delve into the platters and heads to show you when there is a good probability of success. The animated presentations will make it clear how a hard drive works and educate you on the inner workings most forensic experts don’t know!
Speaker: Mark Maxey, Principal Consultant – Application Specialist – Accuvant Labs. Mark, a seasoned security assessor and application designer with over eight years of experience in the field, is a principal consultant with the Accuvant Labs assessment team. As a principal-level consulting resource, Mark’s focus is primarily on application security initiatives including penetration testing, code reviews, secure software design and tool development. Mark is involved in several open source projects including development of the Interchange e-commerce platform. Mark is an OWASP and WASC project contributor. Mark has also made numerous presentations at security conferences such as ISSA and OWASP with a focus on application security, social engineering and emerging security threats. Mark is a Certified Information Systems Security Professional (CISSP), VISA Qualified Data Security Professional (QDSP), and VISA Qualified Payment Application Security Professional (QPABP).
Topic: Current Threats and Countermeasures - Securing the information assets of an enterprise has never been so important or so complicated. The past several years have seen a significant increase in the number of security threats and vulnerabilities and significant advancements in attack methodologies with new tools, techniques, and attack vectors being released on a weekly basis. Join Accuvant for a lively, interactive discussion to review the latest in current vulnerabilities and tools for ensuring security. Through presentation and live demonstration, attendees will learn about the latest attacks, tools, and techniques employed by today's hackers, as well as countermeasures that can help protect against these attacks.
Topics of discussion:
- Password security
- Google hacking (data mining)
- Exploit and attack frameworks
- Wireless insecurities (WEP and WPA cracking)
- Application attacks from Information Gathering to SQL Injection
- Physical security (key bumping)
- VoIP hacking and games
- RFID cloning and threats
- Ideas and resources for combating vulnerabilities
Speakers: Jim Czerwonka and Jimmy Noll
Mr. Noll, CISSP, is the Director of Security Solutions with Systems Design Group. Mr. Noll manages the daily operations of the security practice. He also served as SDG’s senior technology consultant, where he spent the last six years focused on information security and network infrastructure design and protection for clients.
Mr. Czerwonka, CISA, CISM, CGEIT, is a Compliance Specialist with Systems Design Group. He has significant tactical and management experience as a compliance and audit, information technology, and business process professional. His industry experience includes healthcare, manufacturing, “Big 4” IT audit and management consulting, and financial services.
Topic: Blending business and technical benefits together to achieve an effective and streamlined compliance assessment - This talk covers the business considerations of determining where an organization stands with its enterprise-wide IT compliance posture, from the senior management perspective to the technical professional’s perspective. We will address creating a cost-effective and efficient compliance program through the use of technical resources and automated tactical tools to meet senior management’s compliance strategy.