14th Annual New York State
Cyber Security Conference and
6th Annual Academic Symposium
June 7 & 8, 2011
Empire State Plaza, Albany, NY

Stop. Think. Connect.
"People cannot value security without first understanding how much is at risk. Therefore, the Federal government should initiate a national public awareness and education campaign. . . . This campaign should focus on public messages to promote responsible use of the Internet and awareness of fraud, identity theft, cyber predators, and cyber ethics."
-- White House Cyberspace Policy Review, June 2009
Stop. Think. Connect. is a national public awareness effort to guide the nation to a higher level of Internet safety by challenging the American public to be more vigilant about practicing good "cyber hygiene." It will persuade Americans to see Internet safety as a shared responsibility–at home, in the workplace, and in our communities–and demonstrate that shared responsibility by bringing together a coalition of federal, state and local government, as well as private sector partners.
The creation of Stop. Think. Connect. was the result of an intensive collaborative effort over the past year from the Online Consumer Security and Safety Messaging Convention, an effort organized by the National Cyber Security Alliance (NCSA), the Anti-Phishing Working Group (APWG), key industry leaders, government agencies, and nonprofits.
Led by the Department of Homeland Security, the ultimate goal of Stop. Think. Connect. is to raise awareness among the American public about the need to strengthen cybersecurity–and to generate and communicate new approaches and strategies to help Americans increase their safety and security online.
Sessions
June 7, 2011
Cyber Summit
1:50pm – 2:50pm
Cyber Security Education and Awareness: How to Stay Safe Online
Panelists: Aimee Larsen Kirkpatrick, National Cyber Security Alliance; Thomas D. Smith, NYS Office of Cyber Security; Nasir Memon, PhD, Polytechnic Institute of New York University; and Kristina Dorville, U.S. Department of Homeland Security
This Cyber Summit panel of education experts will discuss the efforts in NYS and nationally to advance the education and awareness of our students from kindergarten through higher education. The nation needs technically aware, cyber-safe citizens who can contribute to the protection of their information online and on their computing devices. The national Stop. Think. Connect. campaign is one effort underway to secure our homeland. Federal, State, and local government and education officials have a shared responsibility to promote a healthy cyber ecosystem and to protect themselves and their families at home, work, and school.
3:00pm – 4:00pm
Our Shared Responsibility: Protecting Your Community through Public/Private Sector Partnerships
Panelists: InfraGard Albany's FBI Coordinator, Special Agent Marc Promutico; Reg Harnish, Tag Solutions; Richard Rees, EMC Consulting; Eric Brohm, Verizon Business; Larry Kovnat, Xerox; Deborah Snyder, NYS Office of Temporary and Disability Assistance; Thomas D. Smith, NYS Office of Cyber Security
Cyber infrastructure is the backbone of commerce and technology. It no longer just supports governments and businesses; in many cases it drives them. The Cyber Summit will focus on opportunities and vulnerabilities and promote discussion on how public and private sector officials can leverage technology to best serve the citizens of New York State and work together to increase awareness and preparedness to defend against cyber attacks.
Protecting Information
1:50pm – 2:50pm
Protecting Citizen Information and the Public's Trust: A Call to Action For State and Local Government
Mike Klepper
AT&T Consulting Solutions
Intermediate
Programmers, IT Directors, Network Administrators, System Administrators, Information Security Professionals, Executives, CIOs, Non-Technical Managers, Technical Staff, Web Developers
Organizations rely on data. More precisely, organizations rely on applications to collect, process, and transform that data into the information used to achieve business goals. These applications, which are the gateway to critical information assets such as Personally Identifiable Information (PII), healthcare records, or payment card data, are under constant and sophisticated attack.
Today, web and mobile applications comprise an ever-increasing percentage of the overall application portfolio. Adoption of web-based or mobile application solutions is a way for state and local governments to better serve their customers while at the same time reducing their cost structure. While the public sector faces many of the same compliance challenges as private businesses, there are unique considerations when dealing with state and local governments. In order to protect constituent data, preserve the public trust, and ensure the uninterrupted delivery of critical services, measures must be taken to review application assurance within the infrastructure. As such, application security must be a core objective of any information security program.
3:00pm – 4:00pm
Challenges of an Effective Information Security Program
James D. Pompilio
InfraGard Albany
Enterprise security is a critical concern on both internal and external levels due to today's volatile business, economic and political environments. Organizations face a tremendous challenge as they work to protect themselves amid the increasing complexity and interconnection brought about by an ever-increasing reliance on technology to accomplish their goals. Organizations must also stay mindful of the controls imposed by their regulators and legislators as those parties discover the importance of security and take aggressive steps to hold both companies and their management accountable for the disclosure of non-public personal information (NPPI). Beyond the legal requirements to protect NPPI, it is just as important to ensure the protection of other types of sensitive data, such as intellectual property (IP) and trade secrets, that could prove harmful to an organization if purposefully or accidentally disclosed. Last but not least, people risk, or human failure, is the single largest driver of loss events across the broad spectrum of human activity. Come join the conversation to hear and discuss insights, techniques and tools that can aid your organization in its quest to create, monitor and maintain an effective information security program.
Cloud Security
1:50pm – 2:50pm
Applying a Holistic Defense-in-Depth Approach to The Cloud (with a Dash of Application Security Thrown In)
Barry Lyons, CISSP
Northrop Grumman
Intermediate
Programmers, IT Directors, Network Administrators, System Administrators, Project Managers, Information Security Professionals, Computer Forensic Specialists, Auditors, Executives, CIOs, Mainframe Administrators, Non-Technical Managers, Technical Staff, Law Enforcement Personnel, Web Developers
Lyons will present how to secure the Cloud, regardless of Cloud type. The session will feature the Northrop Grumman Cyber Security architecture model "The FAN," a layered cybersecurity defensive technology reference model, along with "CyCape," a cyber capability reference model. These reference models serve as a baseline for customers to build a secure architecture in the cloud that will keep data safe. Lyons will outline how applying the cybersecurity "Fan" to a hybrid cloud architecture provides a much stronger security environment than would otherwise be possible. The approach is based on years of cybersecurity experience with government customers within the Department of Defense, the intelligence community and the federal marketplace. Lyons will also discuss how to secure applications in the cloud/data center using Commercial-Off-The-Shelf solutions (coupled with the right procedures) that will transform once-vulnerable applications into bastions of safe, secure IT services.
3:00pm – 4:00pm
Cloudy With the Chance of a Hack
John Weinschenk
Cenzic
Intermediate
IT Directors, Project Managers, Information Security Professionals, Computer Forensic Specialists, Executives, CIOs, Educators, Technical Staff, Web Developers
Cloud computing is a cost-effective and efficient way for enterprises to automate their processes. However, organizations need to be aware of the pitfalls of the many cloud-computing solutions out there, one of the main ones being security. Companies should ask the solution provider about the security measures used in developing the application and get independent verification to make sure there are no gaping holes. With over 75% of attacks occurring through the Web, any attack through these applications can lead to leakage of confidential information and embarrassment. This session will highlight the security considerations an organization needs to take into account when adopting cloud computing capabilities.
The goal of this session is to help the audience understand the security issues behind cloud computing, specifically those related to web applications. Attendees will learn about the most common types of hacker attacks affecting cloud environments and the mistakes organizations make when securing applications. Finally, we will cover approaches to solve the problem and important security questions to ask your cloud provider.
Business Assessment
1:50pm – 2:50pm
Is a Self-Assessment of Security Compliance Feasible?
Michael Corby
M Corby & Associates, Inc.
Non-Technical
IT Directors, Project Managers, Information Security Professionals, Auditors, Lawyers, Executives, CIOs, Mainframe Administrators, Educators
Cost concerns and the constant pressure of maintaining an effective and compliant security program have placed tough obstacles in front of organizations, and especially IT departments. In many successful organizations, a self-assessment program has been tried. Some are successful. Some are not. What are the common factors that work, and what challenges remain? Overall, is it feasible for us to continue to develop a comprehensive measurement and assessment program, or should we just rely on external resources or focused professionals? This session will outline the basics of how an assessment program is structured, managed, deployed, and maintained. The benefits and costs of a self-assessment process, and how it could fit different organization styles, will be presented and discussed.
3:00pm – 4:00pm
How to Increase Your Security Without Blowing Your Budget
Ken Michael
Dox Electronics, Inc.
Non-Technical
Computer Forensic Specialists, Educators, IT Directors, Network Administrators, System Administrators, Project Managers, Programmers, Information Security Professionals, Auditors, Lawyers, Executives, CIOs, Mainframe Administrators, Non-Technical Managers, Technical Staff, Law Enforcement Personnel, Web Developers
The presentation will show real-life scenarios of issues that businesses of all sizes are facing, and will provide simple steps to mitigate their risk. Attendees will come away with a checklist of concepts and potential areas of concern that deal with security and other common problem areas. Areas that will be covered include: "live" lock picking, "live" phone spoofing, new emerging threats, social engineering, the "Defense in Depth" model, current industry regulations, today's threats from an executive management perspective versus an IT management perspective, why you need help from your management, and key countermeasures for executive management and IT staff.
Mobile Device Security
1:50pm – 2:50pm
Cyber Trends 2011: From Malware to Mobile
Sam Curry
RSA
Intermediate
IT Directors, Information Security Professionals, Computer Forensic Specialists, Auditors, Lawyers, Educators, Executives, CIOs, Technical Staff, Law Enforcement Personnel
Cybercrime continues to show no signs of slowing down. In fact, 2010 marked a year of new threats and increased sophistication in attacks witnessed around the globe. This session will offer an inside look at what to expect from cybercriminals in 2011 and discuss the top trends in cybercrime we expect to see develop over the next year, including: the increased exploitation of mobile devices to commit fraud; the shift of malware targets from the consumer to the enterprise; and the development of malware to conduct specialized attacks. In addition, this session will offer a deep dive into the advanced features and functionality of today's malware, real-life examples of the sensitive information it is capturing, and how organizations could be at risk.
3:00pm – 4:00pm
There's (Probably) a Hack for That: Practical iPhone Application Security
Brian Reilly
Intermediate
Odds are there's an app for that. From catapulting angry birds to performing critical business functions, iPhone applications have rapidly grown from a "nice to have" to an important part of many organizations' application portfolios. Mobile application development can offer the ease of the web, the robustness of fat clients, and the chrome of "the next big thing" – along with the security challenges and pitfalls of all three. In this presentation, we'll look at some methods, tools, and techniques to assess and help ensure the overall security of iPhone applications. Disclaimer: No birds, angry or cheerful, were harmed during the making of this presentation.
Forensics
1:50pm – 2:50pm
A Confluence of Digital Discoveries
Ken Privette
Digital Evidence Institute
Intermediate
IT Directors, Project Managers, Computer Forensic Specialists, Lawyers, Executives, CIOs
The digital discovery/forensics community is coming out of adolescence and flowing into a confluence of technologies and disciplines. This is occurring as the amounts of data in our corporate infrastructures continue to exceed our expectations. This direction of confluence will hopefully lead us to a more holistic approach to conducting digital discovery. Whether you are from an e-discovery team, an internal investigations team, a FOIA/FOIA-like team, or a security team, you will likely depend on a core ability to conduct some form of digital discovery. Along with that tool, you want processes to ensure the integrity of the data or evidence you are identifying, and possibly a way to share it in a distributed review model.
Yes, there are certainly differences in these missions, but there are enough similarities that we might want to give serious consideration to at least having some collaboration between these teams in an organization. At most, you may want to consider a flexible digital discovery architecture that supports several or all of these stakeholders. The benefits can come in many flavors. Software license sharing is one potential savings that first comes to mind. Efficiencies from joint training and creating joint processes may be another set of benefits. Could there be some form of load balancing staff between these teams? Just below the surface there may be even more important reasons to consider a holistic approach to harness this confluence. In this session we will explore these ideas and discuss strategies my colleagues and I have used to create greater efficiencies for digital discovery in government.
3:00pm – 4:00pm
Windows Memory Forensics: Down the Rabbit Hole
James Antonakos
Broome Community College
Intermediate
Programmers, Information Security Professionals, Computer Forensic Specialists, Educators, Technical Staff
This session presents techniques to capture live memory data from a Windows system and process it for relevant forensics information. Techniques to search the captured memory data using regular expressions are covered, as is the nature of protected-mode memory operation, including virtual memory.
ASIA Sessions
1:50pm – 2:50pm
Modeling User/Hacker Behavior
Chair: Kevin Williams, University at Albany, SUNY
Toward Cyber Crime Profiling: Cyber Stalking
Peter R. Stephenson, Norwich University
Richard D. Walter, Writer/Speaker, Behavioral Forensics
Invisible Witness Tool for Email Behavior Profiling
Onur Polatcan, MS, VA Medical Center
Sumita Mishra and Yin Pan, Rochester Institute of Technology
3:00pm – 4:00pm
Sensor Network/User Security
Chair: Anil Somayaji, Carleton University
Enterprise Mobile Security using Wireless Sensor Network: Extending a Secure Wireless Sensor Network to the Android Smart Phone Platform
Biswajit Panja, Kevin Highley, Priyanka Meharia, Morehead State University
Security of Computer Use Practice: The Case of Ordinary Users Survey
Leon Reznik, Vincent J. Buccigrossi III, Justin Lewis, Asif Dipon, Stafanie Milstread, Nathan LaFontaine, Kenneth Beck, & Holden Silvia, Rochester Institute of Technology
June 8, 2011
Legal Issues
10:10am – 11:10am
2010, A New Direction in Seizing Computer-Generated Communications?
Stephen Treglia
Absolute Software Corporation
Non-Technical
2010 was arguably the most ground-breaking year in the way the law evolves in looking at the acquisition of computer-generated communication since the passing of the USA PATRIOT ACT of 2001 amended the Electronic Communications Privacy Act of 1986. For example, the first electronic communication case to reach the United States Supreme Court, City of Ontario v. Quon, 130 S.Ct. 2619, was decided on June 17, 2010, and was at least as important for what it did not say as for what it did.
Federal appellate courts just below the US Supreme Court, however, showed their willingness in 2010 to stray into uncharted waters, receiving approval from those advocating greater privacy in electronic communications at levels previously unseen in the law. Such alterations in the legal landscape place those attempting to interpret the law in this still-evolving area at peril of making honest but deadly misinterpretations.
The speaker will summarize the foundation of law that has existed in this field for the last 25 years, and then demonstrate how the case law in the last year has placed the very foundation on which this law has existed on very shaky ground.
11:30am – 12:30pm
The Trusted Technology Fallacy
Robert Heverly
Albany Law School of Union University
Intermediate
IT Directors, Information Security Professionals, Computer Forensic Specialists, Lawyers, Educators, CIOs, Law Enforcement Personnel
The relationship of law with technology is multi-faceted. Law not only influences and is influenced by technological developments, but is also an intermediary between society and technology in a variety of ways. There are those who, in considering technology's interaction with law, think of it as deterministic. That is, technology determines the outcomes that will result in any given situation. This perspective is often buoyed on the one side by the notion that a technology can "solve" our problems, or on the other by the notion that a technology "causes" our problems. In each case, the technology is viewed as the driving force, a primary determinant of the future direction of society. This is particularly true in the area of Cyber Security: Cyber Security is a "pure" technological problem; how can the solution be anything other than technology?
Yet, Cyber Security related technological implementations in recent years have provided example after example of the Trusted Technology Fallacy in practice. From the clipper chip to TOR, from digital rights management to trusted computing, from quantum encryption to the Internet kill switch, each of these attempts misses the true mark. Technology does not alone create new problems, nor can it "on its own" solve them (whether it played a role in their creation or not). Yet law continues to seek to achieve goals using purely technological solutions. This presentation will define the Trusted Technology Fallacy, and will include a discussion of the implications of the Fallacy for the development of law and legal responses to technological dilemmas in the Cyber Security area. It will then propose a way forward that takes into account the complex and connected nature of problem solving in the information age, with particular note of the implications of this approach for Cyber Security policy and law.
2:40pm – 3:40pm
Trends in Civil Litigation Following Data Breaches
Soo-young Chang
Goldberg Segalla LLP
This presentation will discuss civil lawsuits that have followed in the wake of massive data breaches and the costs of settling or litigating these claims. The costs of failing to secure data may well reach far beyond civil penalties and harm to a business's reputation. We will also examine the incentives that lead attorneys to commence class action suits against companies despite the courts having dismissed nearly all consumer class action lawsuits.
What You Need to Know
10:10am – 11:10am
The Ten Biggest Mistakes Made by Cyber Security Practitioners
Brian Tillett
Symantec
Intermediate
IT Directors, Information Security Professionals, Technical Staff
This session will cover the ten biggest mistakes made by cyber security practitioners. Come and learn with the "Countdown to Number One," and see if you've made any. Brian certainly has encountered his share. It will be a fun and fast-paced review of these critical problems with a list of symptoms for each. You'll be able to see if these mistakes have affected your areas of responsibility. We will also cover remedies and responses to make your job easier.
11:30am – 12:30pm
Case Studies in Failure
Raj Goel
Brainlink International, Inc.
Non-Technical
IT Directors, Network Administrators, System Administrators, Project Managers, Information Security Professionals, Auditors, Lawyers, Educators, Executives, CIOs, Non-Technical Managers, Technical Staff, Law Enforcement Personnel, Web Developers
"Those who fail to learn from the mistakes of their predecessors are destined to repeat them." - George Santayana
Starting from this maxim, we will review case studies in failure, trends in enforcement and the costs of breaches. Being optimists (if you're in IT, by definition you're an optimist), we'll also look at success stories and draw constructive lessons from the past to build a more secure future.
2:40pm – 3:40pm
Public Wi-Fi Hacking Demo
Special Agents Jeff Barrette and Dan Alfin
FBI
Special Agents from the FBI will demonstrate the ease with which an individual can turn their laptop into a Wi-Fi access point and infect machines that connect to it. This demo is not designed to be a how-to for hacking but rather an informative session on the dangers of free Wi-Fi. Agents will demonstrate how, in only a few minutes, an individual can configure their laptop to mimic a free Wi-Fi access point and start preying on unsuspecting users.
What You Need to Do
10:10am – 11:10am
Data Exfiltration Methods using Covert Communication Channels
Jacob Valletta
Rochester Institute of Technology
Advanced
Programmers, Network Administrators, System Administrators, Information Security Professionals, Computer Forensic Specialists, Educators, Technical Staff
Covert channels are channels designed to carry data over mechanisms that were not intended to do so. These 'hidden' communication streams are typically seen in data exfiltration by malicious users, as covert channels tend to be very quiet and transparent to intrusion detection equipment. In fact, detecting covert channels is extremely difficult and is a growing concern for systems and network administrators. This presentation will explore a variety of interesting and bizarre covert channels via live demonstrations, and even explore some prototyped methods of detecting covert channels. A basic understanding of both networking and programming concepts is encouraged.
11:30am – 12:30pm
Application Vulnerability Scanning / Testing
Chris Wysopal, Veracode, Inc.
Michael G. Harrison, Metlife
The MetLife IT risk team entered into an agreement with a Software as a Service (SaaS) vendor (Veracode, Inc.) to enhance Application Vulnerability Testing (AVT), also referred to as application scans. The new AVT model was put in place for a number of reasons, including:
- Assist application development teams in building and maintaining secure applications.
- Permit application development teams to incorporate testing/source code reviews during the development process to drive efficiencies (identify and correct root causes during development rather than retroactively addressing issues).
- Implement a solution that incurs no additional charge to application development (AD) whether an application is tested once or fifty times.
- Leverage the same model for domestic and international operations.
- The new solution incorporates minimum security thresholds that all internet applications must achieve prior to migrating to the internet.
The discussion will be conducted in two parts:
- The Veracode team will provide an industry perspective on what they are seeing in the industry and on trends in the future state of vulnerability scanning.
- The MetLife team will share why we moved from an internal scanning process to an outsourced model. As part of the discussion we will cover the drivers for moving to the new model, lessons learned, and the value added we are seeing from the arrangement.
2:40pm – 3:40pm
Device and User Authentication and Authorization in a Borderless Network World
Ken Kaminski
Cisco Systems
Advanced
IT Directors, Network Administrators, System Administrators, Project Managers, Information Security Professionals, Computer Forensic Specialists, CIOs, Technical Staff
Identifying devices and users, and placing controls on both according to policy, is becoming an increasingly critical issue as networks become deperimeterized and borderless. Mobile devices such as Apple iPhones, iPods, Google Android devices, and others are proliferating. There is also a push to allow users to bring their own technology into the enterprise for cost and business reasons. All of these trends are driving interest in this topic.
This session will discuss the technologies and standards concerning identity and authorization from a historical perspective: what enterprises have deployed in the past, where they are currently, and what the future will bring. Topics include wired and wireless 802.1X network-based authentication, Network Admission Control, and various authorization technologies such as downloadable ACLs, VLAN assignment, stateful firewalls, and newer technologies such as hardware-based Security Group Tagging. Device profiling will be tackled in detail, including: How are devices profiled? How are authentication controls applied to devices not capable of running an 802.1X agent? How can you be alerted when someone is spoofing a device in order to gain unauthorized access?
Human Factor
10:10am – 11:10am
Once more with Feeling: Exploiting Social and Human Cognitive Biases to take the Cyber Security High Ground
Samuel Chun
HP
Non-Technical
IT Directors, Information Security Professionals, Educators, Executives, CIOs, Law Enforcement Personnel
People, process and technology are widely accepted as the primary cornerstones of an effective security management program. Yet we tend to focus much of our effort on processes and technologies because they are tangible, predictable and well understood by people in IT. For over half a century, social, cognitive, and behavioral scientists have been researching and discovering a vast array of human biases that drive behavior. While this vast arsenal of understanding has been applied in a variety of industries (ever wonder why fresh produce is always to the right of the entrance in grocery stores?), it has not been readily tapped as a resource for IT professionals. In this presentation, based on the presenter's published research and real-life experience, we intend to explore some of these biases, such as obedience to authority, learned helplessness, models of stress, and the tripartite model of attitudes, and find ways to apply them in the ongoing effort to enhance security.
11:30am – 12:30pm
Security Awareness 101 - A New Beginning to Basics
Erika Voss & Ken Estes
CGI Federal
Intermediate
IT Directors, Network Administrators, System Administrators, Information Security Professionals, Educators, Executives, CIOs, Non-Technical Managers, Technical Staff, Law Enforcement Personnel
When you have a security incident that disrupts business operations, what is the first thought identified in the after-action report? Typically, training our employees is where we want to refocus. Let's get back to the basics, we say! Most security professionals want to remind people of what not to do, but how do you deliver training to employees who aren't security-minded? Lately we see more and more inside attacks; how do we improve security for our organization? We have no budget, now what? How do we reach the staff? I completed this when I was hired; why do I have to go through it again?
2:40pm – 3:40pm
Insider Threat: Mitigating the threat of malicious insiders
Gerard Johansen
SSC, Inc.
Non-Technical
Information Security Professionals, Computer Forensic Specialists, Educators, Executives
Malicious insiders are a constant threat to the security of organizations. High-profile cases such as Wikileaks have shown how motivated insiders can inflict serious damage on an organization. The presentation focuses on who insiders are, how they can damage your organization, and what methods can be employed to reduce the risk they pose. This will be shown through a series of case studies and practical steps to include in your existing or proposed risk management structure.
What You Need to Defend Against
10:10am – 11:10am
The State of Badware
Maxim Weinstein
StopBadware
Non-Technical
IT Directors, Network Administrators, System Administrators, Information Security Professionals, Educators, Executives, CIOs, Non-Technical Managers, Technical Staff, Law Enforcement Personnel
Badware refers to Trojans, spyware, bots, and other software that fails to respect users' choices about how their computers or network connections are used. Badware, which once was an annoyance caused by bored teenagers, is now a multi-billion dollar criminal enterprise that threatens consumers, businesses, and the open Internet. This session will answer the question, "What is the state of badware today?" Perhaps more importantly, it will also answer, "How are the Internet and its constituents evolving (or failing to evolve) to meet this threat?" The presentation will cut through the usual hype and focus on objective data and nuanced analysis. While there will be some technical content, the presentation is intended for anyone interested in learning about the myriad industry, policy, technical, and educational challenges involved in fighting badware.
11:30am – 12:30pm
Data Breach Investigative Report
Eric Brohm
Verizon Business Cybertrust
Intermediate
Programmers, IT Directors, Project Managers, Network Administrators, System Administrators, Information Security Professionals, Computer Forensic Specialists, Auditors, Executives, Technical Staff, Law Enforcement Personnel, Web Developers
Eric Brohm, director of investigative response for Verizon Business Security Solutions, summarizes key report findings and discusses actions enterprises can take to help prevent data breaches. Based on an analysis of hundreds of corporate data breaches, including three of the five largest ever reported, Verizon Business found that nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place. The report also notes that 73 percent of breaches resulted from external sources versus 18 percent from insider threats. Brohm describes several basic actions including planning, implementation and monitoring that can reap big benefits when performed with continual diligence.
2:40pm – 3:40pm
10 Things You're Doing to Enable Hackers
Reg Harnish
Independent Security Consultant
Non-Technical
Intermediate
IT Directors, Network Administrators, System Administrators, Information Security Professionals, Educators, Executives, CIOs, Non-Technical Managers, Technical Staff
The world at large has become a playground for hackers. Organizations large and small, in every industry, continue to be inundated by news of data breaches, threats and organized cybercrime. While many put forth effort to sustain a secure environment for their critical assets, most organizations are misled by hype, confused by hysteria or driven by the wrong priorities. In short, we have become our own worst enemies. Join us as we review the top mistakes, missteps and bad habits that leave organizations vulnerable to exploitation. We'll also present a refreshing perspective on the challenges that organizations face, and the tactics, techniques and procedures (TTPs) we can use to solve today's issues.
How You Should Assess
10:10am-11:10am
A Case Study: Implementing Continuous Monitoring in Large Decentralized Organizations
John Streufert
US Dept of State
Since July 2008 the Department of State has been experimenting with enterprise-wide defensive cyber security strategies that issue letter grades to each of its organizations for progress in correcting known problems during the previous 24 hours. The tools were built using government off-the-shelf software code that is available to anyone who asks. So far, the data on personal computers and servers has come from Microsoft SCCM, Active Directory and one of several vulnerability/configuration-setting scanners, which kept initial costs to a minimum.
On a daily basis, information from 24 time zones is forwarded to a security data warehouse. Problems are typically scored from 1 to 10 points; the higher the points, the worse the risk is considered. All risk points accumulate in a risk account assigned to each of the more than 400 separately managed cyber security teams. Teams that concentrate on correcting the worst problems first typically record the greatest progress day by day and month by month. Over the first year the Department of State reduced this measure of risk from known problems by a factor of 10, and by a factor of 20 by the end of the second year. Organizations with letter grades lower than a C are reported to both technical and executive management, providing a means to guide improvement across the organization as a whole.
This briefing will explore how math and the social sciences can not only improve baseline conditions to defend against attacks on known vulnerabilities but also increase the pace of patch coverage. Members of the audience will take home enough information to consider how to build a cyber security program based on careful use of metrics and some change management strategies that have worked in large decentralized organizations. The briefing will conclude with proposed strategies for how government organizations at all levels could work together to deliver security with a higher return on investment using shared mechanisms for acquisition and training.
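The scoring model described above (points per open problem, a risk account per team, letter grades, and worst-first remediation) can be made concrete with a short simulation. The following is an added example written for this page, not the Department of State's own tooling: the 1-to-10 point scale comes from the description, while the grade thresholds, the findings feed and the host inventory are constructed assumptions. It also contrasts closing the worst problems first with closing them in arrival order, which the text only describes qualitatively.

```python
"""Risk-account scoring and worst-first remediation, as an added example.

Assumptions (not from the presentation): the grade thresholds, the sample
findings feed and the host inventory below are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical grade thresholds: letter grade from average open risk points
# per managed host. Below the limit earns the grade; at or above falls through.
GRADE_THRESHOLDS = [(1.0, "A"), (3.0, "B"), (6.0, "C"), (10.0, "D")]

# Constructed daily scanner/SCCM feed: one record per open problem, 1-10 points.
SAMPLE_FINDINGS = [
    {"team": "bureau-A", "host": "ws-001", "issue": "AV signatures stale", "points": 3},
    {"team": "bureau-A", "host": "ws-001", "issue": "missing critical patch", "points": 10},
    {"team": "bureau-A", "host": "ws-002", "issue": "weak configuration setting", "points": 1},
    {"team": "bureau-B", "host": "srv-010", "issue": "missing critical patch", "points": 10},
    {"team": "bureau-B", "host": "srv-011", "issue": "missing critical patch", "points": 8},
    {"team": "bureau-B", "host": "srv-012", "issue": "weak configuration setting", "points": 2},
    {"team": "bureau-C", "host": "ws-100", "issue": "AV signatures stale", "points": 4},
]

# Constructed asset inventory: hosts managed by each team (in practice this
# would come from Active Directory or SCCM, so teams with no findings still count).
HOST_INVENTORY = {"bureau-A": 2, "bureau-B": 4, "bureau-C": 2}


def risk_accounts(findings):
    """Sum open risk points into one account per team; reject out-of-range scores."""
    accounts = defaultdict(int)
    for f in findings:
        if not 1 <= f["points"] <= 10:
            raise ValueError(f"point value out of range: {f}")
        accounts[f["team"]] += f["points"]
    return dict(accounts)


def letter_grade(avg_points_per_host):
    """Map average open risk per host to a letter grade (hypothetical thresholds)."""
    for limit, grade in GRADE_THRESHOLDS:
        if avg_points_per_host < limit:
            return grade
    return "F"


def scorecard(findings, inventory):
    """Per-team (points, average per host, grade); a team with no findings scores 0 / 'A'."""
    accounts = risk_accounts(findings)
    card = {}
    for team, hosts in inventory.items():
        points = accounts.get(team, 0)
        avg = points / hosts
        card[team] = (points, round(avg, 2), letter_grade(avg))
    return card


def needs_escalation(card):
    """Teams graded below C, to be reported to technical and executive management."""
    return sorted(team for team, (_, _, grade) in card.items() if grade in ("D", "F"))


def remaining_after_fixes(findings, team, capacity, worst_first=True):
    """Simulate one day in which `team` can close `capacity` findings.

    worst_first=True closes the highest-point problems; False closes them in
    the order they arrived. Returns the team's risk points still open.
    """
    mine = [f for f in findings if f["team"] == team]
    if worst_first:
        mine = sorted(mine, key=lambda f: f["points"], reverse=True)
    return sum(f["points"] for f in mine[capacity:])


if __name__ == "__main__":
    card = scorecard(SAMPLE_FINDINGS, HOST_INVENTORY)
    for team, (points, avg, grade) in sorted(card.items()):
        print(f"{team}: {points} points, {avg} per host, grade {grade}")
    print("escalate:", needs_escalation(card))
    for strategy in (True, False):
        left = remaining_after_fixes(SAMPLE_FINDINGS, "bureau-A", 1, worst_first=strategy)
        label = "worst first" if strategy else "arrival order"
        print(f"bureau-A after one fix ({label}): {left} points left")
```

With the constructed data, bureau-A carries 14 points over 2 hosts and is the only team escalated; closing one problem worst-first leaves it with 4 points, while closing the first problem that arrived leaves 11. The per-host normalisation matters: a team that manages more hosts would otherwise be penalised for its size rather than its hygiene.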
11:30am – 12:30pm
Losing More Toothbrushes and Fewer Diamonds: Effectively Protect your Cybersecurity Critical Assets
Suprotik Ghose
Microsoft Corporation
Intermediate
IT Directors, Project Managers, Information Security Professionals, Auditors, Lawyers, Educators, Executives, CIOs, Non-Technical Managers, Law Enforcement Personnel
Threats to IT environments have changed in the last decade as the IT infrastructure has been considerably transformed and has adopted new computing paradigms. These models have introduced new threat patterns that present new and as yet unseen risks to applications, systems and data. This session provides a methodology, based on international standards and best practices, to assess this emerging threat; it identifies the risks and provides the basis for developing a relevant information security program.
The question that one must answer is: are organizations oblivious to this emerging risk paradigm? The answer is that they are not. Some are doing something, but they are not necessarily doing enough, and many are doing the wrong thing. Financial services companies respond strongly to the financial, security, and privacy risks raised by new compliance laws such as SOX and Dodd-Frank, but in many instances they are less responsive to larger, strategic and emerging risks. Major retailers combat credit card fraud, but they are sometimes less aggressive about risks to pricing, merchandising, and other systems and strategies which, if compromised, could impact the company.
In other words, awareness of and responses to risk vary across industries and risk categories. In fact, many organizations are not addressing the most serious risks they face. The reason is that the effort is sometimes driven more by tactical audit reports and compliance requirements, or by whatever shiny object the CIO saw at the last vendor EBC, than by the specific risks to the business. The steps to developing a focused approach are: identify your vital assets, conduct a risk-based threat assessment, focus on users and data, and implement cyber threat management. Taking such an approach and developing the right focus are priority tasks that security teams face now and in the years ahead.
2:40pm – 3:40pm
Managing Virtualization Security Risk and Leveraging Best Practices
Deborah Snyder
NYS Office of Temporary and Disability Assistance
Risk management is a critical function in any organization's information security governance, risk and compliance assurance program. It provides the foundation for determining requirements and for informed decision-making about security controls and investments. Despite the benefits, full-blown risk assessments can be costly, labor-intensive and time-consuming, and technology-driven implementations such as virtualized infrastructure often proceed without adequate security consideration.
From a risk management perspective, extending information security governance, risk and compliance management into today's virtualized data center is a significant challenge for many organizations. The data centers of the 21st century are more real-time than ever, requiring new approaches and new thinking. Organizations need strategies to overcome these constraints, obtain valid risk assessment results efficiently, and take informed, actionable steps to improve security in virtualized environments.
This presentation will include:
- An enterprise risk management framework that aligns with common Capability Maturity Model (CMM) assessments, and meets governance and auditing protocols.
- Key issues facing security managers related to virtualized environments, current advances in technology that make virtual environments more transparent and protected, and how regulations, regulators and auditors are adapting to the virtualization model.
- Divergence of virtualization security and cloud trust.
- Top security management areas for virtualization security.
- The need for data classification and data flow and how it defines virtualization architecture.
- Updates in technology capability for security management, and auditing of virtualized environments.
- Opportunities to take advantage of standardization, automation and advanced virtualization techniques to meet security and disaster recovery requirements.
- A State agency "Virtualization Security Risk Assessment" case study that outlines strategies to overcome these constraints and obtain results quickly and efficiently.
ASIA Sessions
10:10am – 11:10am
Data Privacy Protection
Chair: Peter Stephenson, Norwich University
Understanding Data Leak Prevention
Preeti Raman, Hilmi Gunes Kayacik, Anil Somayaji, Carleton University
Breaching & Protecting an Anonymizing Network System
Jason W. Clark and Angelos Stavrou, George Mason University
11:30am – 12:30pm
Impact of Breaches/Forensics
Chair: Damira Pon, University at Albany, SUNY
Framing Effects of Crisis Response: Communications on Market Valuation of Breaches
Manish Gupta, Raj Sharman, H.R. Rao, University at Buffalo, SUNY
Automatically Bridging the Semantic Gap Using C Interpreter
Hajime Inoue, Frank Adelstein, Matthew Donovan, Stephen Brueckner, Architecture Technology Corporation
2:40pm – 3:40pm
Secure Routing/Education
Chair: Raj Sharman, University at Buffalo, SUNY
Protection Profile-Based Scenario-Centric Taxonomy of Secure Routing Protocols in Ad Hoc Networks
Mohammad Iftekhar Husain and Ramalingam Sridhar, University at Buffalo, SUNY
A Holistic Modular Approach to Infuse Cyber Security into Undergraduate Computing Programs
Trudy Howles, Carol Romanowski, Sumita Mishra, Rajendra Raj, Rochester Institute of Technology