Triangle InfoSecon Conference program 2011

Rooms: Speaker Room A, Speaker Room B, Speaker Room C, Speaker Room D, Keynote Hall, Lunch Room

7:00   Registration, Exhibition, and Breakfast Buffet
       Capture the Flag | Lockpick Village | Lockpick Challenge
8:30   Keynote Speaker: Marc Hoit – University Campus: A Microcosm of the Future
9:20   Exhibition
9:30   Keynote Speaker: Tom Limoncelli – You Suck At Time Management (but it ain’t your fault!)
10:20  Exhibition and Tom Limoncelli Book Signing

Morning tracks
  Room A: Governance, Risk & Compliance
  Room B: Professional Development
  Room C: Data and Endpoint Security
  Room D: Physical Security
  Keynote Hall: Diamond Sponsor Sessions

10:30  Room A: Srini Kolathur – How to Secure DB Infra Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
       Room B: Beth Wood – Leading By Example / Building Effective Teams
       Room C: Ron Stamboly – Authentication of Personal Mobile Devices
       Room D: Jon Welborn – Introduction to Lockpicking
       Keynote Hall: Oracle Presentation
11:20  Exhibition
11:30  Room A: Sandy Bacik – Building a Lasting IT GRC Policy Architecture
       Room B: Garion Bunn – Winning in Business and Life
       Room C: Michael Sutton – Corporate Espionage for Dummies
       Room D: Jon Welborn – High Security Locks
       Keynote Hall: HP / Fortify – Hans Enders – Reinventing Dynamic Testing: Real-Time Hybrid
12:15  Lunch Buffet and Exhibition

Afternoon tracks
  Room A: Penetration Testing / SNA
  Room B: Cloud and Virtual Security
  Room C: Security Strategy and Architecture
  Room D: Applications and Development
  Keynote Hall: Diamond Sponsor Sessions

1:30   Room A: Ryan Linn – Progression of a Hack
       Room B: Ron Stamboly – Managing Risk, Liability and Compliance in the Cloud
       Room C: Jim Murphy – Information Security Doesn’t Just “Happen”!
       Room D: Steve McKinney – Enabling the Business with Security Metrics
       Keynote Hall: David Duncan – Key Trends in Removable Device Security
2:15   Exhibition and Ryan Linn Book Signing
2:30   Room A: Matt Cooley – Web Application Social Engineering Vulnerabilities
       Room B: Mark Hinkle – Crash Course on Open Source Cloud Computing
       Room C: Jonathan Norman – Anatomy of an Attack
       Room D: Phillip Griffin – Making Fat Messages Available: Binary XML Encoding
       Keynote Hall: Dwayne Melançon, Shahab Nayyer, Steve McKinney
3:30   Keynote Speaker: Lenny Zeltser – Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
4:20   Exhibition
4:30   Announce Winners of Lockpick Challenge and Capture the Flag (Keynote Hall)
5:00   Chapter and Sponsor Giveaways, must be present to win (Keynote Hall)

OCTOBER 20, 2011

TRIANGLE INFOSECON • OCTOBER 20, 2011

WELCOME

The Raleigh ISSA Chapter welcomes you to the seventh annual Triangle InfoSeCon. We are very pleased you joined us today. Our conference goal: offer you a convenient way to learn more about the state of Information Systems Security (ISS) today, right here in central North Carolina. Our selected speakers offer you a balanced and broad program. The Raleigh ISSA Chapter especially thanks all the speakers and our conference sponsors, without whom this event would not be possible. Please visit our sponsors in the exhibit area to learn about the latest in ISS products and services. Enjoy the conference. Please fill out the feedback forms. Your response is important. We strive to improve each year.

[Figure: McKimmon Center InfoSecon Conference Layout (not to scale)]


ABOUT THE ISSA

This conference is brought to you by the Raleigh Chapter of the Information Systems Security Association. The ISSA is an international professional organization aimed at providing educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. The Raleigh Chapter became an official ISSA chapter in February 2003. We meet on the first Thursday of every month at the McKimmon Center on the campus of NC State University. You can find out more about the chapter at http://raleigh.issa.org. If you would like to get on our announcements email list, please send an email to [email protected].

New This Year! Lockpick Village: Stop by the Lockpick Village and try your hand at picking various locks, from handcuffs to padlocks, door locks and more. Sponsored by the FALE Association of Locksport Enthusiasts (FALE), there will be games, demonstrations, and hands-on workshops for attendees to learn, play and share their experiences. Lockpick sets will be available for purchase for $20.

Capture the Flag: Think you have 1337 skilz? Stop by the Capture the Flag event and prove it! Pit your hacking skills against the server, collecting as many flags as you can. Each participant will be scored based on the number of flags captured within the time limit. The winner will be announced at the end of the conference.

Don’t forget to turn in your feedback forms! Conference drawings are made from completed, returned conference feedback forms; to be eligible, a form needs at least 12 sponsor “stamps” and your legible name. Sponsor door prizes and giveaways are drawn directly from attendees' collected business cards. All drawings are at 5:00 pm and you must be present to win.


KEYNOTE SPEAKERS

8:30 Marc Hoit
Vice Chancellor for IT and CIO, North Carolina State University

Marc Hoit is the Vice Chancellor for Information Technology and the Chief Information Officer (CIO) for North Carolina State University (NCSU) in Raleigh, North Carolina. He began his role as the Vice Chancellor for Information Technology in September 2008. Since arriving, he has worked to develop an IT Governance Structure and Strategic Operating Plan and launched a number of key foundational projects that will improve the efficiency and effectiveness of IT on campus. He previously held numerous administrative positions at the University of Florida including Interim CIO, Director of Student PeopleSoft Implementation, the Associate Dean for Academic Affairs Administration and the Associate Dean for Research in the College of Engineering. He is a Professor in the Civil, Construction and Environmental Engineering Department. He received his B.S. from Purdue University and his M.S. and Ph.D. from University of California, Berkeley. Dr. Hoit is the Co-Principal Investigator, along with Chapel Hill and SAS, for the North Carolina Bio-Preparedness Collaborative (NCB-Prepared) Grant from the Department of Homeland Security (DHS) and the development of DIGGS, an international XML schema for transferring transportation information. His structural engineering research involves the computer program, FB-MultiPier, which analyzes bridge pier, superstructure and pile foundations subjected to dynamic loading.

Keynote Topic: University Campus: A Microcosm of the Future
Dr. Hoit will present how a university campus is a petri dish for innovation, future trends and disruption for IT and how it affects services, purchasing and planning.

9:30 Tom Limoncelli
Time Management Guru, Author, Blogger, and System Administrator

Tom is an internationally recognized author, speaker, and system administrator. His books include The Practice of System and Network Administration (Addison-Wesley) and Time Management for System Administrators (O'Reilly). He received the SAGE 2005 Outstanding Achievement Award. He works in NYC and blogs at TomOnTime and EverythingSysadmin.com.

Keynote Topic: You Suck At Time Management (but it ain't your fault!)
So much to do! So little time! Security people are pulled in so many directions it is impressive anything gets done at all. The bad news is that if you work in security then good time management is basically impossible. The good news is that it isn't your fault. Tom will explore many of the causes and will offer solutions based on his book, “Time Management for System Administrators” (now translated into 5 languages).

GOVERNANCE, RISK, & COMPLIANCE

10:30 (A) How to Secure Database Infrastructure Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
Srini Kolathur, Vinay Bansal, & Jim Tarantinos

Srini Kolathur, CISSP, CISA, CISM, MBA is a results-driven IT project manager with Cisco Systems. Srini has several years of experience in helping companies effectively comply with regulatory compliance requirements including SOX, PCI, HIPAA, etc. Srini believes in and advocates a best practices-based security and compliance program to achieve business objectives. Srini also maintains a free collaborative web portal for managing IT best practices and audit plans at Checklist20.com.

Abstract: IT governance and strategy are critical to an organization's success. Key to the risk assessment and audit plan process is breaking down the IT universe into smaller, more manageable sub-components. Databases play a major role in the increasingly complex global business processes and IT universe. A best practice-based assessment to evaluate risks uses an 80-20 rule. This makes it possible to eliminate all the low-hanging fruit by leveraging expertise from around the world and helps organizations quickly achieve their desired business objectives at the optimum cost. We will specifically focus on how to leverage database best practices for building effective risk assessment approaches and to build audit plans to comply with different compliance programs including SOX, HIPAA, PCI-DSS and EU data privacy.

11:30 (A) Building a Lasting IT GRC Policy Architecture
Sandy Bacik

Sandy Bacik, author and former CSO, has over 15 years of direct development, implementation, and management information security experience in the areas of Audit Management, Disaster Recovery/Business Continuity, Incident Investigation, Physical Security, Privacy, Regulatory Compliance, Standard Operating Policies/Procedures, and Data Center Operations and Management, with an additional 15 years in Information Technology Operations.

Abstract: With industries moving toward a governance and risk culture, the IT and enterprise policy architecture needs to be updated to align with the enterprise goals of IT Governance. Some may discover that they have all the pieces spread throughout the current organization, but do not know how to proceed to ensure their IT and security policies and processes fit into their enterprise governance architecture.


PROFESSIONAL DEVELOPMENT

10:30 (B) Leading By Example / Building Effective Teams
Beth Wood, North Carolina State Auditor

North Carolina State Auditor Beth A. Wood, CPA, is serving her first term as the state’s elected auditor after more than a decade of service in training and research for the office. As Training Director for the Office of State Auditor, Beth developed and taught audit courses for the auditor’s staff, concentrating on the areas of Single Audit, internal control and sampling. She also coordinated the State Auditor’s Quality Control Review and provided research of audit and reporting issues for the audit staff. She began working with state government in 1993 with the Local Government Commission (a division of the Office of the State Treasurer). In that position, she reviewed and approved audits of local governments prepared by private CPA firms. Prior to her work with state government, Beth worked as a cost accountant for Ray-O-Vac Corporation for three years. She also supervised audits of local governments and not-for-profit organizations for McGladrey and Pullen CPAs, a national CPA firm. Beth left the Office of the State Auditor in 2007 as she began her campaign to become the first woman elected to the post. While seeking office, she also taught a variety of courses for the American Institute of Certified Public Accountants (AICPA) and worked in the institute’s Professional Ethics Division investigating alleged substandard audits around the country.

Abstract: Moving from a purely technical role to management is very challenging for most IT people. Most people do not like giving up the hands-on technical work and they also tend to be more independent. This discussion will deal with particular challenges faced when moving into a managerial role and will answer questions such as: How can leaders learn to assess the strengths of their team members and use them to get the team working as one unit rather than a bunch of lone rangers? How can they deal with jealousy and backstabbing from those not promoted? How can they anticipate senior management's and the organization's needs and ensure the team is truly fulfilling the mission?

11:30 (B) Winning in Business and Life
Garion Bunn

Garion Bunn is an award-winning speaker and workshop facilitator who is a self-driven, results-oriented cultivator of human potential. His purpose is to inspire, educate and empower people and organizations around the globe. His success strategy is to continually seek new ways to add value through seminars and workshops that are leadership centric. Garion is an empathic communicator and listener.

Garion believes that effective leadership skills are the most powerful tools in the current day workplace and marketplace. Leadership excellence is the fast track up the corporate ladder. Garion helps professionals who want the zest, energy and power to deliver with passion and purpose.

Abstract: Are you ready for the competition? This keynote focuses on stirring your enthusiasm and sense of purpose in daily life. An excited, focused individual is ready to take on the challenges and triumph in today's fast paced market. Develop knowledge and skills that will significantly increase your personal effectiveness and ability to successfully interact with and lead others. This session covers many diverse and critically important business, interpersonal, and leadership topics.


DATA AND ENDPOINT SECURITY

10:30 (C) Authentication of Personal Mobile Devices as Part of an Overall Enterprise Authentication Strategy
Ron Stamboly, SafeNet; Co-author Maureen Kolb

Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and Cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.

Abstract: IT departments are facing challenges from many users wanting to use their mobile device to access sensitive corporate information. Clearly, the risk posed by these scenarios is great. The key issue confronting security staff is management: ensuring only trusted devices can access corporate resources, contending with lost devices, managing security policies, and enabling and monitoring access. Finally, IT organizations need to establish visibility and control over what assets can be accessed by and saved onto those devices. This presentation will discuss implementing unified authentication schemes, security policies and credentials for employee-owned end point devices, helping organizations to enable their workforce while reducing IT management and administration resources, as well as show how organizations can centrally and consistently manage all authentication requirements for local networks, VPNs, SaaS applications, and virtualized environments.

11:30 (C) Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
Michael Sutton

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers, and educating others on a variety of security topics. As Vice President of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry. Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing, and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles, and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

Abstract: Today, everything from television sets to photocopiers has an IP address and an embedded web server (EWS) for device administration. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. Leveraging the power of cloud based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a ‘wifi enabled’ device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target rich environment for years to come.


PHYSICAL SECURITY

10:30 (D) Introduction to Lockpicking
Jon Welborn

Jon Welborn is a penetration tester and a co-founder of the FALE Association of Locksport Enthusiasts. FALE came together around a shared general curiosity and persuasion of the public’s “right to know”. FALE meets regularly in the Winston-Salem, NC area and hosts lockpicking villages at various security conferences around the country. http://lockfale.com

Abstract: You've got locks on your network closet and secure document bin. Great. What if I can open them in 30 seconds or less? Learn the basics about how a lock works and how to compromise commonly used locks. This information isn’t complicated in the least, but in this talk we set out to remove the often practiced “security by obscurity” approach to physical security.

11:30 (D) High Security Locks
Jon Welborn

Abstract: Great locks are not difficult to come by. This talk will discuss various components of a quality lock as well as several manufacturers of high-caliber locks. We will discuss specific makes and models of locks that may be beneficial in your environments. If nothing else, this talk will open the door to the idea that you shouldn’t have to lean on your local hardware store to meet your physical security needs.

DIAMOND SPONSOR SESSION (Keynote Hall)

10:30 ORACLE PRESENTATION

Mark your calendars for the Eighth Annual Triangle InfoSeCon, to be held on Thursday, October 18, 2012 at the McKimmon Center. Keynote speakers: Chris Nickerson - Lead Security Consultant for Lares Consulting, and Stan Waddell - Executive Director and Information Security Officer, University of North Carolina (UNC) Information Technology Services (ITS).

DIAMOND SPONSOR SESSION (Keynote Hall)

11:30 HP / FORTIFY: Reinventing Dynamic Testing: Real-Time Hybrid
Hans Enders, HP Fortify

Hans Enders is a Sr. Solutions Architect for HP Fortify. In his current role, Hans is responsible for demonstrating web application security software and providing solutions to prospective clients for HP Software’s Application Security Center. He has more than 14 years of experience in network administration and security, with the most recent 7 years focusing on web application security testing and software support. Hans acquired the CISSP in 2004 and most recently completed the CISM certification in 2011. Hans is an active member of ISSA, ISACA, and OWASP, and a past member of InfraGard of Georgia. Hans has a Bachelor of Science degree in Industrial & Systems Engineering from North Carolina State University and is moderately fluent in Spanish. Outside of his professional career, Hans also enjoys participating with CERT (Community Emergency Response Team) and being a Cub Scout leader.

Abstract: Over the years, two key techniques have emerged as the most effective for finding security vulnerabilities in software: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). While DAST and SAST each possess unique strengths, the "Holy Grail" of security testing is thought to be "hybrid" -- a technique that combines and correlates the results from both testing methods, maximizing the advantages of each. Until recently, however, a critical element has been missing from first generation hybrid solutions: information about the inner workings and behavior of applications undergoing DAST and SAST analysis.

This presentation will introduce you to the next generation of hybrid security analysis — what it is, how it works, and the benefits it offers. It will also address (and dispel) the claims against hybrid, and leave participants with a clear understanding of how the new generation of hybrid will enable organizations to resolve their most critical software security issues faster and more cost-effectively than any other available analysis technology.


PENETRATION TEST / SNA

1:30 (A) Progression of a Hack
Ryan Linn, Trustwave's SpiderLabs

Ryan Linn is a Senior Security Consultant with Trustwave’s SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Dradis and the Browser Exploitation Framework (BeEF).

Abstract: So you have a firewall, AV, IDS, patch management and more. Nobody is getting in. Somehow Fake-AV and malware still rear their ugly heads from time to time, but things feel pretty safe. Others in this same situation are still making the news. This talk will look at how a single foothold can lead to the opening story on the evening news. We will look at how a motivated attacker can compromise a patched Windows box, escalate privileges on a domain, and get to the data. As each demonstration shows the techniques, we'll talk about mitigation strategies and what steps you can take to avoid being a headline.

2:30 (A) Web Application Social Engineering Vulnerabilities
Matt Cooley, Symantec

Matt Cooley is an accomplished information security practitioner working in IT across multiple industries for almost 20 years, with over a decade of primary focus on security. At Symantec, Matt has been involved with security assessments in the financial sector, government, commercial business, higher education, and major ISPs. His primary area of expertise is in web application and product penetration testing.

Abstract: In this presentation, we plan to demonstrate web application vulnerabilities which could be leveraged to attack end-users of applications. In particular, cross-site scripting will be used to attack mobile device users. The Social-Engineer Toolkit (SET) will be demonstrated to compromise systems of fully-patched and protected users. Common tricks such as URL obfuscation, URL redirection, and domain-name manipulation will be used to successfully coerce victims into performing tasks from which an attacker would benefit.
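The three "common tricks" the abstract names (URL obfuscation, URL redirection and domain-name manipulation) are mechanical enough to check for before a link is ever clicked. The block below is an added example for this page, not code from the conference program or from the speaker: a small Python classifier that flags the userinfo trick (trusted name before an @), raw-IP hosts, punycode (xn--) labels, a trusted brand embedded in a foreign hostname, and redirect parameters pointing at a host the organisation does not own. The trusted domains (bank.example, mail.example), the list of redirect parameter names and the sample URLs are all constructed for the example.

```python
"""Flag the URL tricks named in the abstract: userinfo obfuscation, IP-literal
hosts, punycode labels, look-alike hostnames and off-site redirect parameters.
Added illustration only; not the speaker's material."""
from __future__ import annotations

import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical domains standing in for an organisation's legitimate sites.
TRUSTED_DOMAINS = {"bank.example", "mail.example"}

# Query parameters that commonly carry a post-click destination (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "target", "dest"}


def is_trusted_host(host: str, trusted: set[str]) -> bool:
    """True if host is a trusted domain or a genuine subdomain of one.

    Matching on the dot boundary matters: bank.example.evil.example ends in
    'example' but not in '.bank.example', so it is correctly rejected."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_url(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return the suspicious traits found in url, in check order (empty if none)."""
    findings: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    # 1. Userinfo trick: https://bank.example@evil.example/ shows the trusted
    #    name first, but everything before '@' is a username; the browser
    #    connects to evil.example.
    if parts.username is not None:
        findings.append("userinfo-before-host")

    # 2. A bare IP address gives the victim no domain name to recognise.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    # 3. An xn-- label is an internationalised name; homoglyph look-alikes
    #    (a Cyrillic 'a' inside a brand name, say) always encode this way.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")

    # 4. Trusted brand embedded in a host we do not own: bank.example.evil.example,
    #    secure-bank.example.net and so on (heuristic: brand substring).
    if host and not is_trusted_host(host, trusted):
        for d in sorted(trusted):
            if d.split(".")[0] in host:
                findings.append(f"lookalike-of:{d}")
                break

    # 5. Open-redirect bait: a link on a trusted site whose redirect parameter
    #    is an absolute URL on a host we do not trust.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            dest = urlsplit(unquote(value))
            if dest.scheme in ("http", "https") and dest.hostname \
                    and not is_trusted_host(dest.hostname, trusted):
                findings.append(f"off-host-redirect:{dest.hostname}")

    return findings


# Constructed sample links of the kind a phishing mail might carry.
SAMPLE_URLS = [
    "https://bank.example/login",                                   # clean
    "https://bank.example@evil.example/login",                      # userinfo trick
    "https://bank.example.evil.example/login",                      # brand as subdomain
    "http://192.0.2.10/login",                                      # raw IP
    "https://xn--bank-abc.example/login",                           # IDN label
    "https://mail.example/out?url=https%3A%2F%2Fevil.example%2Fp",  # open redirect
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n    -> {classify_url(u) or ['ok']}")
```

The brand-substring rule in step 4 is deliberately loose and will produce false positives (any hostname containing "bank"); it is a triage signal for a mail gateway or awareness tool, not a verdict. The abstract's point is that these tricks work on fully patched users because the deception is in what the user reads, so a check like this is only useful before the click, which is where link-rewriting proxies and mail filters sit.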


1:30 (B) Managing Risk, Liability, andCompliance in the CloudRon Stamboly, SafeNet; Co-author Maureen Kolb

Mr. Stamboly joined SafeNet in 1996 as a Senior Sales

Engineer responsible for technical presales and sales support

for the entire sales cycle, from evaluation to installation.

Mr. Stamboly's area of expertise includes hardware and

software products covering authorization, access control,

audit, and encryption. Currently, Mr. Stamboly focuses on

supporting the sales of SafeNet's Information Lifecycle

Protection and Cloud computing environments, most

specifically driving SafeNet's market share in cloud computing

security and virtualized environments-securing and controlling

access to cloud applications, along with encrypting virtual

volume and instances. Mr. Stamboly has over 17 years of

experience in the data protection, telecommunications and

networking equipment industries. Additionally, Mr. Stamboly

has extensive experience with networking hardware along

with TCP/IP. Mr. Stamboly graduated summa cum laude with

a Bachelor's Degree in Telecommunication from The State

University of New York Institute of Technology and also

graduated summa cum laude with a Master's Degree from

Pace University in Telecommunications.

Abstract: Cloud Computing is unquestionably the future of our

IT infrastructure and business workloads. Yet the industry is

reaching an impasse as organizations have already completed

Proof-of-Concepts and architectural planning to the cloud.

Internal Data Governance and Compliance requirements have

become the barrier to more organizations moving to the cloud,

and larger organizations converting small test projects to full

production. The mix of confusion over ownership and liability,

lack of transparency from the cloud provider, an almost com-

plete absolution of liability in contracts, and lack of clear

guidance on required controls have all contributed to this. This

session will focus on pealing back some of these issues to drive

some clarity and actionability. Cloud is the future, with its ease-

of-use, cost-savings and transparency, but Data Governance and

compliance requirements have stopped projects due to confu-

sion on risk/liability. Presentation will focus on driving clear

areas of trust, ownership, and liability-cover audit and contrac-

tual aspects of working with CSPs -identifying new controls

needed to move to the cloud and will end with PCI 2.0.

2:30 (B) Crash Course on OpenSource Cloud ComputingMark Hinkle, Citrix Systems

Mark Hinkle is the Director of Cloud

Computing Community at Citrix Systems

Inc. He joined Citrix as a result of their

July 2011 acquisition of Cloud.com. He is

currently responsible for the success of the

open source cloud computing platform,

CloudStack. Previously he was the VP of

Community at Zenoss Inc., a producer of the open source

application, server, and network management software,

where he grew the Zenoss Core project to over 100,000 users

and 20,000 organizations on all seven continents. He also is

a longtime open source expert and author having served as

Editor-in-Chief for both LinuxWorld Magazine and Enterprise

Open Source Magazine. Mr. Hinkle is also the author of

the book, Windows to Linux Business Desktop Migration(Thomson, 2006). He is a contributor to NetworkWorld’s

Open Source Subnet and his personal blog on open source,

technology, and new media can be found at www.socialized-

software.com. You can follow him on twitter @mrhinkle.

Abstract: Very few trends in IT have generated as much buzz as cloud computing. This talk will cut through the hype and quickly clarify the ontology for cloud computing. The bulk of the conversation will focus on the open source software that can be used to build compute clouds (infrastructure-as-a-service) and the complementary open source management tools (including those for security) that can be combined to automate the management of cloud computing environments. The discussion will appeal to anyone who has a good grasp of traditional data center infrastructure but is struggling with the benefits and migration path to a cloud computing environment. By understanding the architecture of a cloud compute environment, users will be able to apply their existing security knowledge to the management of a cloud compute environment. Systems administrators and IT generalists will leave the discussion with a general overview of the options at their disposal to effectively build and manage their own cloud computing environments using free and open source software.

CLOUD / VIRTUALIZATION SECURITY


Page 14: Triangle InfoSecon Conference program 2011

TRIANGLE INFOSECON • OCTOBER 20, 2011

1:30 (C) Information Security Doesn't Just “Happen”! – Jim Murphy, OMMISS

James Murphy, CISSP, ISSMP, GSEC, CISA, CISM, NC DHHS, Office of MMIS Services

Jim is the Information Security Architect for OMMISS with 30+ years' experience, predominantly in healthcare IT. He plans and designs enterprise-wide information security for major development projects, including the claims processing system for Medicaid and related plans, and the State Health Information Network. For these projects, he documents information security and technical architecture requirements and reviews security throughout project design and development: regulatory compliance, access control, data and network protection, business continuity, operational security, process documentation and project audit. Jim has written, taught and spoken on information security management, service continuity, security auditing and security certification training to diverse audiences.

Abstract: The pressure is on: security breaches now cost penalties and lawsuits. Information architectures are becoming more complex as they adjust to rapid changes in software and hardware. Privacy professionals are clamoring for eliminating the misuse of protected information. State Attorneys General have been authorized to get in on the act. But, as InfoSec professionals understand, security just does not happen with the latest policy, technical tool, or extra door lock. Information security managers must take the initiative to coordinate with all levels of the organization to ensure that business objectives drive the definitions and characterization of protected data, that unit leaders understand the responsibilities of the hallway work force, and that technical support staff understand the limits of device-alone solutions. InfoSec planning requires tactical and strategic components and, in a sense, never stops. InfoSec professionals must be able to communicate the planning with all levels of the organization in a way that facilitates collaborative efforts and diminishes internal barriers. In this presentation, I offer some practical suggestions for getting InfoSec planning into action.

2:30 (C) Anatomy of an Attack – Jonathan Norman, Alert Logic; Co-Author Michele Hujber

Jonathan Norman joined Alert Logic in 2002 and has held numerous security and operational roles throughout his tenure at Alert Logic. Today, as the Director of Security Research, Jonathan manages a team of security researchers and analysts responsible for monitoring the evolving security landscape for new and emerging threats. In addition, under his leadership, the Security Research team manages complex security incident response for customers and develops the advanced correlation rules that help Alert Logic solutions better detect and defend against security threats. Jonathan holds several industry certifications such as Certified Ethical Hacker, CISSP, CCSP, and other GIAC certifications.

Abstract: In 2010 the global cybercrime market increased to an estimated 7.5 billion dollars. Over the past few years, attack sophistication has increased significantly while users struggle to keep up with new attacks. We have long passed the days of bright kids causing mayhem on computer networks. Today's attackers are fast, well-funded, well-organized, and business is booming. This presentation will take you into the world of cybercrime and give you an insider's look into how hackers operate and what you can do to protect your network.

STRATEGY & ARCHITECTURE


1:30 (D) Enabling the Business with Security Metrics – Steve McKinney, Cisco Systems

Steve has worked at Cisco Systems for the past 3 years after graduating from NC State with a Master's degree.

Abstract: Many security scanners will churn out ‘advice’ on the severity of vulnerabilities in your environment. Forwarding that advice to your manager will likely produce a blank stare and a report that's in the trash before you can walk out the door. So, how do you go from a scanner's advice to wisdom that drives business decisions? This talk covers what I have learned from others and developed as I started implementing security metrics for my team within Cisco. We will look specifically at metrics for web applications, but the concepts presented apply to other areas of security.

2:30 (D) Making Fat Messages Available: Binary XML Encoding – Phillip H. Griffin, Griffin Consulting

Phillip H. Griffin, CISM, brings over 15 years of experience in the information assurance and security profession. Operating as Griffin Consulting, Phil has served as a trusted security adviser, security architect, and consultant with leading corporations including Visa International, GTE, and IBM. He has acted as committee chair, editor, head of U.S. delegation, and rapporteur in the development of national and international security standards, and currently serves as an ISSA Educational Advisory Council Member and on the board of the Raleigh ISSA Chapter. His experience encompasses numerous facets of security including authentication technologies, encryption, access control, biometrics, and secure messaging schema. Mr. Griffin has eight patents pending in the area of security, and he has been a speaker at leading security conferences and venues around the world.

Abstract: For every XML Schema (XSD) there is an analogous ASN.1 schema that can be used to generate compact, efficient binary message formats, and XML markup instance documents that are equivalent to those based on the initial XML schema. These binary formats are appropriate for use in environments constrained by mobility, limited battery life, storage size, or bandwidth (e.g., wireless communications using hand held devices). Using a binary format for XML messages can make secure protocol messages available in environments where verbose formats prohibit application development.

APPLICATIONS & DEVELOPMENT


DIAMOND SPONSOR SESSION (Keynote Hall)

1:30 IMATION: Key Trends in Removable Device Security – David Duncan, Business Development Director

David Duncan is director of ENCRYPTX at Imation, a team of research and development experts focused on advances in data security that protect, encrypt, control, and manage “data at rest.” Duncan founded ENCRYPTX, which was acquired by Imation from BeCompliant Corp. in March 2011.

Prior to founding ENCRYPTX, Duncan was senior vice president of Tactical Marketing Ventures, a marketing accelerator company for more than 100 technology startups. He also served as vice president of sales and marketing for RL Polk, a consumer marketing information company that was sold to Equifax Corporation.

Previously, Duncan served in marketing and engineering leadership positions with Storage Technology Corporation, Martin Marietta and SRA Corporation. He worked for the National Security Agency as a cryptologist for a number of years and designed and built trusted computer systems for highly classified government programs.

Duncan has a Bachelor of Science in international affairs from the University of Maryland, a Master of Science in computer science from Regis University, a Master of Business Administration (MBA) from the University of Colorado, and a degree in Chinese Mandarin Linguistics from the Defense Language Institute, Presidio of Monterey, California.

Abstract: David Duncan, Managing Director of the ENCRYPTX Security Products Group of Imation Enterprises, will present key trends in the field of removable storage device security. The presentation will cover: current risk/data loss trends from the latest industry studies, new and emerging threats, regulatory requirements affecting compliance, vendor initiatives to mitigate these risks including hardware, software and operating system developments that improve removable device security, and an evaluation framework for assessing gaps in your organization.


2:30 (Keynote Hall) The IT Blind Side – Dwayne Melançon, Tripwire

Dwayne Melançon joined Tripwire in 2000 and serves as Vice President of the company's Log Management business. In previous positions at the company, Dwayne has served as vice president of Business Development, Professional Services and Support, Information Systems, and Marketing. Prior to joining Tripwire, Dwayne was Vice President of Operations for DirectWeb, Inc., where he was responsible for product management, logistics, electronic supplier integration, customer support, information systems, infrastructure development, and other business operations. Before DirectWeb, he ran Pan-European Support for Symantec Corporation, managed call center operations for several of Symantec's leading product lines, and spearheaded the development of productivity tools and processes. In other positions, Dwayne was responsible for Symantec's global Web presence, program management for the company's encryption products, and functional integration for mergers and acquisitions. Prior to joining Symantec, Dwayne spent eight years at Fifth Generation Systems, Inc., where he created an award-winning global support organization, was a software developer, and directed the company's software and hardware Quality Assurance teams.

Dwayne is certified on both IT management and audit processes, holding both ITIL and CISA certifications.

Prior Speaking Experience:

• eFinance World Conference

• Frequent speaker at national and regional itSMF, ISACA, ISSA, and IIA events

2:45 (Keynote Hall) Are you using UDP for reliable transmission? – Shahab Nayyer, Wells Fargo

The author is a Senior IT Audit Lead with Wells Fargo & Company in Charlotte, North Carolina, USA. He holds dual master's degrees in Finance and Industrial Engineering with a specialization in IT. Shahab has more than seven years of experience in IT Audit and Security and is a CISA and CIA. Shahab is also the President of the ISACA Charlotte Chapter.

Abstract: UDP (User Datagram Protocol) is a widely used protocol for networking and data transmission. It is used in real-time applications, DNS request/reply messages, IP telephony, SNMP, multimedia streaming, etc. Because it is a connectionless protocol, it is considered very efficient for short messaging with low bandwidth usage. So these are all the good things about UDP, but UDP is also an unreliable protocol which does not guarantee data transfer. With that in mind, do we know everywhere we are using UDP? Are we using UDP where a reliable transmission is needed? Have we evaluated the risk of data loss, and can we live with it?

3:00 (Keynote Hall) Finding Flags During a Lightning Storm – Steve McKinney, Cisco

Steve McKinney has been with Cisco for three years after completing his Master's degree at NC State. He was the primary developer for the Capture the Flag contest at the conference this year.

Abstract: This presentation will be an overview of the Capture the Flag contest held at the conference. If you tried the contest and didn't complete it, or wanted to but didn't have time, drop by: this session is for you.


LIGHTNING TALKS


KEYNOTE SPEAKER

3:30 Lenny Zeltser – Security Practice Director, Savvis; Senior Faculty Member, SANS Institute

Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on designing and operating security programs for cloud-based IT infrastructure. Lenny's other area of specialization is malicious software; he teaches how to analyze and combat malware for the SANS Institute. He is also a member of the board of directors for the SANS Technology Institute and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who have earned the highly regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. Lenny writes at blog.zeltser.com and twitter.com/lennyzeltser. More details about his projects are available at http://www.zeltser.com.

Lenny says that some of his “books are gradually becoming outdated” but that all of them are listed here. Lenny notes that the “most recent and current volume is CyberForensics. It's a good text.”

Keynote Topic: Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses

Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses. Lenny Zeltser will review how attackers have bypassed technological controls by making use of social engineering techniques such as:

• Starting attacks in the physical world, rather than the virtual Internet: We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet. The talk presents several examples of such scenarios.

• Targeting attacks through the use of spear phishing and social networks: The talk will explore how attackers may profile victims to include person- or company-specific social engineering elements in an intrusion campaign.


CONFERENCE COMMITTEE

This Conference is only made possible by the incredible efforts of the committee. On behalf of the chapter, sponsors, speakers, and attendees, thank you!

President: Brad Hoelscher

Vice President: Robert Martin

Conference Director: Liyun Yu

Conference Program Director: Mark Whitteker

Conference Deputy Director: Ramsey Hajj

Treasurer: Mark Fontes

Communication: Peter Hewitt

Operations Director: Robert Pitney

Sponsor Development: Robert Martin

Website Developer: Phillip Griffin

Production Support: Steve Toy

Conference Support: Chip Futrel

Program Designer: Rachel Schaub

Sponsor Development Team: Frank Chavarria, Sarah Miller

Operations/AV Team: Dave Balint, Rob Breault, Robert Brown, Matt Bryson, Frank Chavarria, Marie Cross, Randall Hompesch, Eric Hoth, Wenjian Huany, Charles Hudock, Valdez Ladd, Steve McGehee, Glenn Morgan, David Parker, Michael Rains, Nancy Schipon, Andrew Senko, Daniel White, Lorie Wilsher, Rich Woynicz

Applications & Development: Aby Rao (Chair), Lisa Lorenzin

Cloud & Virtualization: Nathan Kim (Chair), Eric Olson

Data & Endpoint: Andre Henry (Chair)

Governance, Risk & Compliance: Keith Mattox (Chair), Janet Dagys

Pen Testing / System & Network Auditing: Artem Kazantsev (Chair)

Physical Security: Glenn Morgan (Chair)

Professional Development: Holli Harrison (Chair), Valdez Ladd

Strategy & Architecture: Jim Murphy (Chair)

Capture the Flag: Steve McKinney (Chair)

Lockpick Village: Jennifer Jabbusch (Chair), Jon Welborn

Lightning Talks: Dyana Pearson (Chair)


SPONSORS

The Raleigh ISSA Chapter thanks all of our conference sponsors for their support:

Diamond Sponsors:

Imation, HP / Fortify Software, Oracle

Gold Sponsors:

Alert Logic, Carolina Advanced Digital, Inc., Fishnet Security / Sourcefire, Global Knowledge, Tripwire

Silver Sponsors:

Accuvant / Palo Alto, Cisco, Meru Networks, Qualys, SAS, Tenable Security, Trustwave, Varonis

Participating Professional Organizations:

ASIS, Cyber Patriot, InfraGard, ISAAC, ISACA, ISSA Raleigh Chapter, NCMS, NCSU/CTU, ThinkPink ZTA

Breakfast, Lunch, and Break Sponsor:

Barbeque Lodge

Tote Sponsor:

Lord Corp.