Triangle InfoSecon Conference program 2011
Rooms: Speaker Room A, Speaker Room B, Speaker Room C, Speaker Room D, Keynote Hall, Lunch Room

7:00 Registration, Exhibition, and Breakfast Buffet
Capture the Flag | Lockpick Village | Lockpick Challenge
8:30 Keynote Speaker: Marc Hoit – University Campus: A Microcosm of the Future
9:20 Exhibition
9:30 Keynote Speaker: Tom Limoncelli – You Suck At Time Management (but it ain't your fault!)
10:20 Exhibition and Tom Limoncelli Book Signing

Morning tracks: Room A – Governance, Risk & Compliance; Room B – Professional Development; Room C – Data and Endpoint Security; Room D – Physical Security; Keynote Hall – Diamond Sponsor Sessions

10:30
  (A) Srini Kolathur – How to Secure DB Infra Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
  (B) Beth Wood – Leading By Example / Building Effective Teams
  (C) Ron Stamboly – Authentication of Personal Mobile Devices
  (D) Jon Welborn – Introduction to Lockpicking
  (Keynote Hall) Oracle Presentation
11:20 Exhibition
11:30
  (A) Sandy Bacik – Building a Lasting IT GRC Policy Architecture
  (B) Garion Bunn – Winning in Business and Life
  (C) Michael Sutton – Corporate Espionage for Dummies
  (D) Jon Welborn – High Security Locks
  (Keynote Hall) HP / Fortify: Hans Enders – Reinventing Dynamic Testing: Real-Time Hybrid
12:15 Lunch Buffet and Exhibition

Afternoon tracks: Room A – Penetration Testing / SNA; Room B – Cloud and Virtual Security; Room C – Security Strategy and Architecture; Room D – Applications and Development; Keynote Hall – Diamond Sponsor Sessions

1:30
  (A) Ryan Linn – Progression of a Hack
  (B) Ron Stamboly – Managing Risk, Liability and Compliance in the Cloud
  (C) Jim Murphy – Information Security Doesn't Just "Happen"!
  (D) Steve McKinney – Enabling the Business with Security Metrics
  (Keynote Hall) David Duncan – Key Trends in Removable Device Security
2:15 Exhibition and Ryan Linn Book Signing
2:30
  (A) Matt Cooley – Web Application Social Engineering Vulnerabilities
  (B) Mark Hinkle – Crash Course on Open Source Cloud Computing
  (C) Jonathan Norman – Anatomy of an Attack
  (D) Phillip Griffin – Making Fat Messages Available: Binary XML Encoding
  (Keynote Hall) Dwayne Melançon, Shahab Nayyer, Steve McKinney
3:30 Keynote Speaker: Lenny Zeltser – Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
4:20 Exhibition
4:30 Announce Winners of Lockpick Challenge and Capture the Flag (Keynote Hall)
5:00 Chapter and Sponsor Giveaways, must be present to win (Keynote Hall)
Triangle InfoSeCon • October 20, 2011
WELCOME

The Raleigh ISSA Chapter welcomes you to the seventh annual Triangle InfoSeCon. We are very pleased you joined us today. Our conference goal: to offer you a convenient way to learn more about the state of Information Systems Security (ISS) today, right here in central North Carolina. Our selected speakers offer you a balanced and broad program. The Raleigh ISSA Chapter especially thanks all the speakers and our conference sponsors, without whom this event would not be possible. Please visit our sponsors in the exhibit area to learn about the latest in ISS products and services. Enjoy the conference. Please fill out the feedback forms; your response is important. We strive to improve each year.

[Figure: McKimmon Center InfoSecon Conference Layout (not to scale)]
ABOUT THE ISSA

This conference is brought to you by the Raleigh Chapter of the Information Systems Security Association. The ISSA is an international professional organization aimed at providing educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. The Raleigh Chapter became an official ISSA chapter in February 2003. We meet on the first Thursday of every month at the McKimmon Center on the campus of NC State University. You can find out more about the chapter at http://raleigh.issa.org. If you would like to get on our announcements email list, please send an email to [email protected].
New This Year! Lockpick Village: Stop by the Lockpick Village and try your hand at picking various locks, from handcuffs to padlocks, door locks and more. Sponsored by the FALE Association of Locksport Enthusiasts (FALE), there will be games, demonstrations, and hands-on workshops for attendees to learn, play and share their experiences. Lockpick sets will be available for purchase for $20.

Capture the Flag: Think you have 1337 skilz? Stop by the Capture the Flag event and prove it! Pit your hacking skills against the server, collecting as many flags as you can. Each participant will be scored based on the number of flags captured within the time limit. The winner will be announced at the end of the conference.

Don't forget to turn in your feedback forms! Conference drawings are made from completed, returned conference feedback forms and require at least 12 sponsor "stamps" and your legible name to be eligible. Sponsor door prizes and giveaways are drawn directly from attendees' collected business cards. All drawings are at 5:00 pm and you must be present to win.
KEYNOTE SPEAKERS

8:30 Marc Hoit – Vice Chancellor for IT and CIO, North Carolina State University

Marc Hoit is the Vice Chancellor for Information Technology and the Chief Information Officer (CIO) for North Carolina State University (NCSU) in Raleigh, North Carolina. He began his role as the Vice Chancellor for Information Technology in September 2008. Since arriving, he has worked to develop an IT Governance Structure and Strategic Operating Plan and launched a number of key foundational projects that will improve the efficiency and effectiveness of IT on campus. He previously held numerous administrative positions at the University of Florida including Interim CIO, Director of Student PeopleSoft Implementation, the Associate Dean for Academic Affairs Administration and the Associate Dean for Research in the College of Engineering. He is a Professor in the Civil, Construction and Environmental Engineering Department. He received his B.S. from Purdue University and his M.S. and Ph.D. from University of California, Berkeley. Dr. Hoit is the Co-Principal Investigator, along with Chapel Hill and SAS, for the North Carolina Bio-Preparedness Collaborative (NCB-Prepared) Grant from the Department of Homeland Security (DHS) and the development of DIGGS, an international XML schema for transferring transportation information. His structural engineering research involves the computer program FB-MultiPier, which analyzes bridge pier, superstructure and pile foundations subjected to dynamic loading.

Keynote Topic: University Campus: A Microcosm of the Future
Dr. Hoit will present how a university campus is a petri dish for innovation, future trends and disruption for IT, and how it affects services, purchasing and planning.

9:30 Tom Limoncelli – Time Management Guru, Author, Blogger, and System Administrator

Tom is an internationally recognized author, speaker, and system administrator. His books include The Practice of System and Network Administration (Addison-Wesley) and Time Management for System Administrators (O'Reilly). He received the SAGE 2005 Outstanding Achievement Award. He works in NYC and blogs at TomOnTime and EverythingSysadmin.com.

Keynote Topic: You Suck At Time Management (but it ain't your fault!)
So much to do! So little time! Security people are pulled in so many directions it is impressive anything gets done at all. The bad news is that if you work in security then good time management is basically impossible. The good news is that it isn't your fault. Tom will explore many of the causes and will offer solutions based on his book, "Time Management for System Administrators" (now translated into 5 languages).
GOVERNANCE, RISK, & COMPLIANCE

10:30 (A) How to Secure Database Infrastructure Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
Srini Kolathur, Vinay Bansal, & Jim Tarantinos

Srini Kolathur, CISSP, CISA, CISM, MBA is a results-driven IT project manager with Cisco Systems. Srini has several years of experience in helping companies effectively comply with regulatory compliance requirements including SOX, PCI, HIPAA, etc. Srini believes in and advocates a best-practices-based security and compliance program to achieve business objectives. Srini also maintains a free collaborative web portal for managing IT best practices and audit plans at Checklist20.com.

Abstract: IT governance and strategy are critical to an organization's success. Key to the risk assessment and audit plan process is breaking down the IT universe into smaller, more manageable sub-components. Databases play a major role in the increasingly complex global business processes and IT universe. A best-practice-based assessment to evaluate risks uses an 80-20 rule. This allows organizations to eliminate all the low-hanging fruit by leveraging expertise from around the world and helps them quickly achieve their desired business objectives at the optimum cost. We will specifically focus on how to leverage database best practices for building effective risk assessment approaches and to build audit plans to comply with different compliance programs including SOX, HIPAA, PCI-DSS and EU data privacy.

11:30 (A) Building a Lasting IT GRC Policy Architecture
Sandy Bacik

Sandy Bacik, author and former CSO, has over 15 years of direct development, implementation, and management information security experience in the areas of Audit Management, Disaster Recovery/Business Continuity, Incident Investigation, Physical Security, Privacy, Regulatory Compliance, Standard Operating Policies/Procedures, and Data Center Operations and Management, with an additional 15 years in Information Technology Operations.

Abstract: With industries moving toward a governance and risk culture, the IT and enterprise policy architecture needs to be updated to align with the enterprise goals of IT Governance. Some may discover that they have all the pieces spread throughout the current organization, but do not know how to proceed to ensure their IT and security policies and processes fit into their enterprise governance architecture.
PROFESSIONAL DEVELOPMENT

10:30 (B) Leading By Example / Building Effective Teams
Beth Wood, North Carolina State Auditor

North Carolina State Auditor Beth A. Wood, CPA, is serving her first term as the state's elected auditor after more than a decade of service in training and research for the office. As Training Director for the Office of State Auditor, Beth developed and taught audit courses for the auditor's staff, concentrating on the areas of Single Audit, internal control and sampling. She also coordinated the State Auditor's Quality Control Review and provided research of audit and reporting issues for the audit staff. She began working with state government in 1993 with the Local Government Commission (a division of the Office of the State Treasurer). In that position, she reviewed and approved audits of local governments prepared by private CPA firms. Prior to her work with state government, Beth worked as a cost accountant for Ray-O-Vac Corporation for three years. She also supervised audits of local governments and not-for-profit organizations for McGladrey and Pullen CPAs, a national CPA firm. Beth left the Office of the State Auditor in 2007 as she began her campaign to become the first woman elected to the post. While seeking office, she also taught a variety of courses for the American Institute of Certified Public Accountants (AICPA) and worked in the institute's Professional Ethics Division investigating alleged substandard audits around the country.

Abstract: Moving from a purely technical role to management is very challenging for most IT people. Most people do not like giving up the hands-on technical work and they also tend to be more independent. This discussion will deal with particular challenges faced when moving into a managerial role and will answer questions such as: How can leaders learn to assess the strengths of their team members and use them to get the team working as one unit rather than a bunch of lone rangers? How can they deal with jealousy and backstabbing from those not promoted? How can they anticipate senior management's and the organization's needs and ensure the team is truly fulfilling the mission?

11:30 (B) Winning in Business and Life
Garion Bunn

Garion Bunn is an award-winning speaker and workshop facilitator who is a self-driven, results-oriented cultivator of human potential. His purpose is to inspire, educate and empower people and organizations around the globe. His success strategy is to continually seek new ways to add value through seminars and workshops that are leadership centric. Garion is an empathic communicator and listener.

Garion believes that effective leadership skills are the most powerful tools in the current-day workplace and marketplace. Leadership excellence is the fast track up the corporate ladder. Garion helps professionals who want the zest, energy and power to deliver with passion and purpose.

Abstract: Are you ready for the competition? This keynote focuses on stirring your enthusiasm and sense of purpose in daily life. An excited, focused individual is ready to take on the challenges and triumph in today's fast-paced market. Develop knowledge and skills that will significantly increase your personal effectiveness and ability to successfully interact with and lead others. This session covers many diverse and critically important business, interpersonal, and leadership topics.
DATA AND ENDPOINT SECURITY

10:30 (C) Authentication of Personal Mobile Devices as Part of an Overall Enterprise Authentication Strategy
Ron Stamboly, SafeNet; Co-author Maureen Kolb

Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and Cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.

Abstract: IT departments are facing challenges from many users wanting to use their mobile device to access sensitive corporate information. Clearly, the risk posed by these scenarios is great. The key issue confronting security staff is management: ensuring only trusted devices can access corporate resources, contending with lost devices, managing security policies, and enabling and monitoring access. Finally, IT organizations need to establish visibility and control over what assets can be accessed by and saved onto those devices. This presentation will discuss implementing unified authentication schemes, security policies and credentials for employee-owned end point devices, helping organizations to enable their workforce while reducing IT management and administration resources, as well as show how organizations can centrally and consistently manage all authentication requirements for local networks, VPNs, SaaS applications, and virtualized environments.

11:30 (C) Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
Michael Sutton

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers, and educating others on a variety of security topics. As Vice President of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry. Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing, and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles, and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

Abstract: Today, everything from television sets to photocopiers has an IP address and an embedded web server (EWS) for device administration. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. Leveraging the power of cloud-based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'wifi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target-rich environment for years to come.
PHYSICAL SECURITY

10:30 (D) Introduction to Lockpicking
Jon Welborn

Jon Welborn is a penetration tester and a co-founder of the FALE Association of Locksport Enthusiasts. FALE came together around a shared general curiosity and persuasion of the public's "right to know". FALE meets regularly in the Winston-Salem, NC area and hosts lockpicking villages at various security conferences around the country. http://lockfale.com

Abstract: You've locks on your network closet and secure document bin. Great. What if I can open them in 30 seconds or less? Learn the basics about how a lock works and how to compromise commonly used locks. This information isn't complicated in the least, but in this talk we set out to remove the often practiced "security by obscurity" approach to physical security.

11:30 (D) High Security Locks
Jon Welborn

Abstract: Great locks are not difficult to come by. This talk will discuss various components of a quality lock as well as several manufacturers of high-caliber locks. We will discuss specific makes and models of locks that may be beneficial in your environments. If nothing else, this talk will open the door to the idea that you shouldn't have to lean on your local hardware store to meet your physical security needs.
DIAMOND SPONSOR SESSION (Keynote Hall)

10:30 ORACLE PRESENTATION

Mark your calendars for the Eighth Annual Triangle InfoSeCon to be held on Thursday, October 18, 2012 at the McKimmon Center. Keynote speakers: Chris Nickerson – Lead Security Consultant for Lares Consulting, and Stan Waddell – Executive Director and Information Security Officer, University of North Carolina (UNC) Information Technology Services (ITS).
DIAMOND SPONSOR SESSION (Keynote Hall)

11:30 HP / FORTIFY – Reinventing Dynamic Testing: Real-Time Hybrid
Hans Enders, HP Fortify

Hans Enders is a Sr. Solutions Architect for HP Fortify. In his current role, Hans is responsible for demonstrating web application security software and providing solutions to prospective clients for HP Software's Application Security Center. He has more than 14 years of experience in network administration and security, with the most recent 7 years focusing on web application security testing and software support. Hans acquired the CISSP in 2004 and most recently completed the CISM certification in 2011. Hans is an active member of ISSA, ISACA, OWASP, and a past member of InfraGard of Georgia. Hans has a Bachelor of Science degree in Industrial & Systems Engineering from North Carolina State University and is moderately fluent in Spanish. Outside of his professional career, Hans also enjoys participating with CERT (Community Emergency Response Team) and being a Cub Scout leader.

Abstract: Over the years, two key techniques have emerged as the most effective for finding security vulnerabilities in software: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). While DAST and SAST each possess unique strengths, the "Holy Grail" of security testing is thought to be "hybrid" -- a technique that combines and correlates the results from both testing methods, maximizing the advantages of each. Until recently, however, a critical element has been missing from first-generation hybrid solutions: information about the inner workings and behavior of applications undergoing DAST and SAST analysis.

This presentation will introduce you to the next generation of hybrid security analysis — what it is, how it works, and the benefits it offers. It will also address (and dispel) the claims against hybrid, and leave participants with a clear understanding of how the new generation of hybrid will enable organizations to resolve their most critical software security issues faster and more cost-effectively than any other available analysis technology.
PENETRATION TEST / SNA

1:30 (A) Progression of a Hack
Ryan Linn, Trustwave's SpiderLabs

Ryan Linn is a Senior Security Consultant with Trustwave's SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Dradis and the Browser Exploitation Framework (BeEF).

Abstract: So you have a firewall, AV, IDS, patch management and more. Nobody is getting in. Somehow Fake-AV and malware still rear their ugly heads from time to time, but things feel pretty safe. Others in this same situation are still making the news. This talk will look at how a single foothold can lead to the opening story on the evening news. We will look at how a motivated attacker can compromise a patched Windows box, escalate privileges on a domain, and get to the data. As each demonstration shows the techniques, we'll talk about mitigation strategies and what steps you can take to avoid being a headline.

2:30 (A) Web Application Social Engineering Vulnerabilities
Matt Cooley, Symantec

Matt Cooley is an accomplished information security practitioner working in IT across multiple industries for almost 20 years with over a decade of primary focus on security. At Symantec, Matt has been involved with security assessments in the financial sector, government, commercial business, higher education, and major ISPs. His primary area of expertise is in web application and product penetration testing.

Abstract: In this presentation, we plan to demonstrate web application vulnerabilities which could be leveraged to attack end-users of applications. In particular, cross-site scripting will be used to attack mobile device users. Social Engineering Toolkit will be demonstrated to compromise systems of fully-patched and protected users. Common tricks such as URL obfuscation, URL redirection, and domain-name manipulation will be used to successfully coerce victims into performing tasks from which an attacker would benefit.
CLOUD / VIRTUALIZATION SECURITY

1:30 (B) Managing Risk, Liability, and Compliance in the Cloud
Ron Stamboly, SafeNet; Co-author Maureen Kolb

Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and Cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.

Abstract: Cloud Computing is unquestionably the future of our IT infrastructure and business workloads. Yet the industry is reaching an impasse as organizations have already completed Proof-of-Concepts and architectural planning to the cloud. Internal Data Governance and Compliance requirements have become the barrier to more organizations moving to the cloud, and larger organizations converting small test projects to full production. The mix of confusion over ownership and liability, lack of transparency from the cloud provider, an almost complete absolution of liability in contracts, and lack of clear guidance on required controls have all contributed to this. This session will focus on peeling back some of these issues to drive some clarity and actionability. Cloud is the future, with its ease-of-use, cost-savings and transparency, but Data Governance and compliance requirements have stopped projects due to confusion on risk/liability. The presentation will focus on driving clear areas of trust, ownership, and liability; cover audit and contractual aspects of working with CSPs; identify new controls needed to move to the cloud; and will end with PCI 2.0.

2:30 (B) Crash Course on Open Source Cloud Computing
Mark Hinkle, Citrix Systems

Mark Hinkle is the Director of Cloud Computing Community at Citrix Systems Inc. He joined Citrix as a result of their July 2011 acquisition of Cloud.com. He is currently responsible for the success of the open source cloud computing platform, CloudStack. Previously he was the VP of Community at Zenoss Inc., a producer of open source application, server, and network management software, where he grew the Zenoss Core project to over 100,000 users and 20,000 organizations on all seven continents. He also is a longtime open source expert and author, having served as Editor-in-Chief for both LinuxWorld Magazine and Enterprise Open Source Magazine. Mr. Hinkle is also the author of the book Windows to Linux Business Desktop Migration (Thomson, 2006). He is a contributor to NetworkWorld's Open Source Subnet and his personal blog on open source, technology, and new media can be found at www.socializedsoftware.com. You can follow him on Twitter @mrhinkle.

Abstract: Very few trends in IT have generated as much buzz as cloud computing. This talk will cut through the hype and quickly clarify the ontology for cloud computing. The bulk of the conversation will focus on the open source software that can be used to build compute clouds (infrastructure-as-a-service) and the complementary open source management tools (including those for security) that can be combined to automate the management of cloud computing environments. The discussion will appeal to anyone who has a good grasp of traditional data center infrastructure but is struggling with the benefits and migration path to a cloud computing environment. By understanding the architecture of a cloud compute environment, users will be able to apply their existing security knowledge to the management of a cloud compute environment. Systems administrators and IT generalists will leave the discussion with a general overview of the options at their disposal to effectively build and manage their own cloud computing environments using free and open source software.
1:30 (C) Information Security Doesn't Just “Happen”!Jim Murphy, OMMISS
James Murphy, CISSP, ISSMP, GSEC, CISA,
CISM NC DHHS, Office of MMIS Services
Jim is the Information Security Architect
for OMMISS with 30+ years experience,
predominantly in healthcare IT. He plans
and designs enterprise-wide information
security for major development projects,
including the claims processing system for Medicaid and
related plans, and the State Health Information Network.
For the projects, he documents information security and
technical architecture requirements and reviews security
throughout project design and development: regulatory
compliance, access control, data and network protection,
business continuity, operational security, process
documentation and project audit. Jim has written, taught
and spoken on information security management, service
continuity, security auditing and security certification
training to diverse audiences.
Abstract: The pressure is on—security breaches now cost
penalties and lawsuits. Information architectures are
becoming more complex as they adjust to rapid changes in
software and hardware. Privacy professionals are clamoring
for eliminating the misuse of protected information. State
Attorneys General have been authorized to get in on the
act. But, as InfoSec professional understand, security just
does not happen with the latest policy, technical tool, or
extra door lock. Information security managers must take the
initiative to coordinate with all levels of the organization
to insure business objectives drive the definitions and
characterization of protected data, unit leaders understand
the responsibilities of the hallway work force, and technical
support staff understand the limits of device-alone solutions.
InfoSec planning requires tactical and strategic components,
and in a sense, never stops. InfoSec professionals must be
able to communicate the planning with all levels of the
organization in a way that facilitates the collaborative efforts
and diminishes the internal barriers. In this presentation,
I offer some practical suggestions for getting InfoSec
planning into action.
2:30 (C) Anatomy of an AttackJonathan Norman, Alert LogicCo-Author Michele Hujber
Jonathan Norman joined Alert Logic
in 2002 and has held numerous security
and operational roles throughout his
tenure at Alert Logic. Today, as the
Director of Security Research, Jonathan
manages a team of security researchers
and analysts responsible for monitoring
the evolving security landscape for new and emerging
threats. In addition, under his leadership, the Security
Research team manages complex security incident response
for customers and develops the advanced correlation rules
that help Alert Logic solutions better detect and defend
against security threats. Jonathan hold several industry
certifications such as Certified Ethical Hacker, CISSP,
CCSP, and other GIAC certifications.
Abstract: In 2010 the global cybercrime market increased
to an estimated 7.5 Billion dollars. Over the past few years,
attack sophistication has increased significantly while users
struggle to keep up with new attacks. We are long past
the days of bright kids causing mayhem on computer
networks. Today's attackers are fast, well-funded, well-
organized, and business is booming. This presentation
will take you into the world of cybercrime and give you
an insider's look into how hackers operate and what you
can do to protect your network.
STRATEGY & ARCHITECTURE
TRIANGLE INFOSECON • OCTOBER 20, 2011
1:30 (D) Enabling the Business with Security Metrics
Steve McKinney, Cisco Systems
Steve has worked at Cisco Systems for
the past 3 years after graduating from NC
State with a Master's degree.
Abstract: Many security scanners will
churn out ‘advice’ on the severity of
vulnerabilities in your environment.
Forwarding that advice to your manager
will likely produce a blank stare and a report that's in the
trash before you can walk out the door. So, how do you go
from a scanner's advice to wisdom that drives business
decisions? This talk covers what I have learned from others
and developed as I started implementing security metrics
for my team within Cisco. We will look specifically at
metrics for web applications, but the concepts presented
apply to other areas of security.
2:30 (D) Making Fat Messages Available: Binary XML Encoding
Phillip H. Griffin, Griffin Consulting
Phillip H. Griffin, CISM brings over 15
years of experience in the information
assurance and security profession.
Operating as Griffin Consulting, Phil
has served as a trusted security adviser,
security architect, and consultant with
leading corporations including Visa
International, GTE, and IBM. He has acted as committee
chair, editor, head of U.S. delegation, and rapporteur in
the development of national and international security
standards, and currently serves as an ISSA Educational
Advisory Council Member, and on the board of the Raleigh
ISSA Chapter. His experience encompasses numerous
facets of security including authentication technologies,
encryption, access control, biometrics, and secure
messaging schema. Mr. Griffin has eight patents pending
in the area of security, and he has been a speaker at
leading security conferences and venues around the world.
Abstract: For every XML Schema (XSD) there is an
analogous ASN.1 schema that can be used to generate
compact, efficient binary message formats, and XML
markup instance documents that are equivalent to those
based on the initial XML schema. These binary formats are
appropriate for use in environments constrained by
mobility, limited battery life, storage size, or bandwidth
(e.g., wireless communications using hand held devices).
Using a binary format for XML messages can make secure
protocol messages available in environments where
verbose formats prohibit application development.
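The XSD-to-ASN.1 correspondence the abstract relies on is the one standardized in ITU-T X.694, and the compact formats it produces are normally the Packed Encoding Rules of X.691. The following is an added illustration, not code from the talk or from Griffin Consulting: it takes a hypothetical Alert message, parses its XML form, and emits the same logical content as ASN.1 DER (X.690), whose tag-length-value layout is easy to read by hand even though PER would be smaller still. The message schema, the sample XML and the expected byte counts are all constructed for this example. The decoder is deliberately strict (fixed field order, no trailing bytes), which is the posture a parser for binary security-protocol messages should take.

```python
"""Added example: one XML message beside its ASN.1 DER encoding (not from the talk).

Hypothetical message, assumed equivalent schemas:
  XSD element <Alert> with children id (integer), source (string), critical (boolean)
  ASN.1       Alert ::= SEQUENCE { id INTEGER, source UTF8String, critical BOOLEAN }
DER (ITU-T X.690) is used because its tag-length-value layout is readable by hand;
the PER rules (X.691) that the talk's approach relies on are more compact still.
"""
import xml.etree.ElementTree as ET

# Universal class tags from X.680; SEQUENCE carries the "constructed" bit (0x20).
TAG_BOOLEAN, TAG_INTEGER, TAG_UTF8STRING, TAG_SEQUENCE = 0x01, 0x02, 0x0C, 0x30


def _length(n):
    """DER definite length: short form below 128, else 0x80|count then big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def der_integer(value):
    """Minimal two's-complement big-endian content octets (X.690 8.3)."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return _tlv(TAG_INTEGER, value.to_bytes(nbytes, "big", signed=True))


def der_utf8string(text):
    return _tlv(TAG_UTF8STRING, text.encode("utf-8"))


def der_boolean(flag):
    return _tlv(TAG_BOOLEAN, b"\xff" if flag else b"\x00")   # DER: TRUE is exactly 0xFF


def encode_alert(id_, source, critical):
    return _tlv(TAG_SEQUENCE, der_integer(id_) + der_utf8string(source) + der_boolean(critical))


def _read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; returns (tag, content, next_pos). Raises on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):      # rejects indefinite length too
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_alert(buf):
    """Strict decoder: fixed field order, no trailing bytes inside or after the SEQUENCE."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single Alert SEQUENCE")
    pos, fields = 0, []
    for expected in (TAG_INTEGER, TAG_UTF8STRING, TAG_BOOLEAN):
        tag, content, pos = _read_tlv(body, pos)
        if tag != expected:
            raise ValueError(f"expected tag {expected:#x}, got {tag:#x}")
        fields.append(content)
    if pos != len(body):
        raise ValueError("trailing data inside SEQUENCE")
    return (int.from_bytes(fields[0], "big", signed=True),
            fields[1].decode("utf-8"),
            fields[2] != b"\x00")


def alert_from_xml(text):
    root = ET.fromstring(text)
    return (int(root.findtext("id")), root.findtext("source"), root.findtext("critical") == "true")


# Constructed sample message (not from the talk).
XML_ALERT = "<Alert><id>1042</id><source>sensor-7</source><critical>true</critical></Alert>"


def size_comparison(xml_text=XML_ALERT):
    """Return (xml_bytes, der_bytes) for the same logical message, after a round-trip check."""
    fields = alert_from_xml(xml_text)
    der = encode_alert(*fields)
    if decode_alert(der) != fields:
        raise AssertionError("round trip failed")
    return len(xml_text.encode("utf-8")), len(der)


if __name__ == "__main__":
    print(encode_alert(*alert_from_xml(XML_ALERT)).hex())
    print(size_comparison())   # (78, 19)
```

For this constructed message the XML form is 78 bytes and the DER form 19 bytes; PER drops the tags and most length octets and would be smaller again. The point for security protocols is that the binary form carries exactly the same information as the XML instance, so the same signature or MAC can cover it, while the strict decoder rejects the truncated or padded encodings that lenient parsers tend to accept.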
APPLICATIONS & DEVELOPMENT
DIAMOND SPONSOR SESSION (Keynote Hall)
1:30 IMATION: Key Trends in Removable Device Security
David Duncan, Business Development Director
David Duncan is director of ENCRYPTX
at Imation, a team of research and
development experts focused on advances
in data security that protect, encrypt,
control, and manage “data at rest.”
Duncan founded ENCRYPTX,
which was acquired by Imation from
BeCompliant Corp. in March 2011.
Prior to founding ENCRYPTX, Duncan was senior vice
president of Tactical Marketing Ventures, a marketing
accelerator company for more than 100 technology startups.
He also served as vice president of sales and marketing for
RL Polk, a consumer marketing information company that
was sold to Equifax Corporation.
Previously, Duncan served in marketing and engineering
leadership positions with Storage Technology Corporation,
Martin Marietta and SRA Corporation. He worked for the
National Security Agency as a cryptologist for a number of
years and designed and built trusted computer systems for
highly classified government programs.
Duncan has a Bachelor of Science in international affairs
from the University of Maryland, a Master of Science in
computer science from Regis University, a Master of Business
Administration (MBA) from the University of Colorado, and
a degree in Chinese Mandarin Linguistics from the Defense
Language Institute, Presidio of Monterey, California.
Abstract: David Duncan, Managing Director of the ENCRYPTX Security Products Group of Imation Enterprises, will present key trends in the field of removable storage device security. The presentation will cover: current risk/data loss trends from the latest industry studies; new and emerging threats; regulatory requirements affecting compliance; vendor initiatives to mitigate these risks, including hardware, software and operating system developments that improve removable device security; and an evaluation framework for assessing gaps in your organization.
2:30 (Keynote Hall) The IT Blind Side
Dwayne Melançon, Tripwire
Dwayne Melançon joined Tripwire in 2000 and serves as
Vice President of the company’s Log Management business.
In previous positions at the company, Dwayne has served
as vice president of Business Development, Professional
Services and Support, Information Systems, and Marketing.
Prior to joining Tripwire, Dwayne was Vice President of
Operations for DirectWeb, Inc., where he was responsible
for product management, logistics, electronic supplier
integration, customer support, information systems,
infrastructure development, and other business operations.
Before DirectWeb, he ran Pan-European Support for
Symantec Corporation, managed call center operations
for several of Symantec's leading product lines, and
spearheaded the development of productivity tools and
processes. In other positions, Dwayne was responsible for
Symantec’s global Web presence, program management
for the company’s encryption products, and functional
integration for mergers and acquisitions. Prior to joining
Symantec, Dwayne spent eight years at Fifth Generation
Systems, Inc. where he created an award-winning global
support organization, was a software developer, and
directed the company’s software and hardware Quality
Assurance teams.
Dwayne is certified on both IT management and audit
processes, holding both ITIL and CISA certifications.
Prior Speaking Experience:
• eFinance World Conference
• Frequent speaker at national and regional itSMF,
ISACA, ISSA, and IIA events
2:45 (Keynote Hall) Are you using UDP for reliable transmission?
Shahab Nayyer, Wells Fargo
Shahab Nayyer is a Senior IT Audit Lead with Wells Fargo & Company in Charlotte, North Carolina, USA. He holds dual master's degrees in Finance and Industrial Engineering with a specialization in IT. Shahab has more than seven years of experience in IT Audit and Security and holds the CISA and CIA certifications. Shahab is also the President of the ISACA Charlotte Chapter.
Abstract: UDP (User Datagram Protocol) is a widely used protocol for networking and data transmission. It is used in real-time applications, DNS request/reply messages, IP telephony, SNMP, multimedia streaming, etc. Because it is a connectionless protocol, it is considered very efficient for short messaging with low bandwidth usage. So these are all the good things about UDP, but UDP is also an unreliable protocol which does not guarantee data transfer. With that in mind, do we know everywhere we are using UDP? Are we using UDP where reliable transmission is needed? Have we evaluated the risk of data loss, and can we live with it?
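What "UDP does not guarantee data transfer" means in practice is that every piece of reliability has to come from the application. The script below is an added example, not material from the talk or from Wells Fargo: it runs a sender and receiver over UDP on the loopback interface with four constructed messages, and the receiver deliberately ignores the first copy of two chosen sequence numbers to stand in for network loss. Sent blindly, those two messages simply never arrive and nothing reports it; with a minimal stop-and-wait scheme (sequence numbers, ACKs, a timeout, retransmission and duplicate suppression, all assumptions of this example) every message lands at the cost of two retransmissions. The loopback port, message contents and loss pattern are all constructed for the demonstration.

```python
"""Added example (not from the talk): stop-and-wait acknowledgement on top of UDP.

Everything an application needs for reliable delivery over UDP is absent from the
protocol itself and has to be supplied here: sequence numbers, ACKs, a timeout,
retransmission and duplicate suppression. Runs on the loopback interface with
constructed messages; packet loss is simulated deterministically by the receiver
ignoring the first copy of chosen sequence numbers.
"""
import socket
import struct
import threading
import time

HEADER = struct.Struct("!IB")   # seq (uint32, network order), kind (0 = DATA, 1 = ACK)
DATA, ACK = 0, 1


def run_receiver(sock, drop_first_copy, delivered, stop):
    """Deliver each seq once into `delivered`; ACK every DATA packet that is not 'lost'."""
    copies_seen = {}
    sock.settimeout(0.05)
    while not stop.is_set():
        try:
            pkt, addr = sock.recvfrom(2048)
        except socket.timeout:
            continue
        seq, kind = HEADER.unpack_from(pkt)
        if kind != DATA:
            continue
        copies_seen[seq] = copies_seen.get(seq, 0) + 1
        if seq in drop_first_copy and copies_seen[seq] == 1:
            continue                   # simulated loss: silently dropped, no ACK
        if seq not in delivered:       # retransmit of a delivered seq: ACK again, deliver once
            delivered[seq] = pkt[HEADER.size:]
        sock.sendto(HEADER.pack(seq, ACK), addr)


def send_blindly(sock, dest, messages):
    """Plain UDP: one datagram per message, nothing confirms arrival."""
    for seq, payload in enumerate(messages):
        sock.sendto(HEADER.pack(seq, DATA) + payload, dest)
    return 0


def send_reliably(sock, dest, messages, timeout=0.2, max_retries=5):
    """Send each message, wait for its ACK, retransmit on timeout; returns retransmission count."""
    retransmissions = 0
    sock.settimeout(timeout)
    for seq, payload in enumerate(messages):
        pkt = HEADER.pack(seq, DATA) + payload
        acked = False
        for attempt in range(max_retries + 1):
            if attempt:
                retransmissions += 1
            sock.sendto(pkt, dest)
            try:
                while not acked:       # drain stale ACKs for earlier seqs
                    reply, _ = sock.recvfrom(64)
                    aseq, kind = HEADER.unpack_from(reply)
                    acked = kind == ACK and aseq == seq
            except socket.timeout:
                continue
            break
        if not acked:
            raise RuntimeError(f"seq {seq}: no ACK after {max_retries} retries")
    return retransmissions


def _run(sender, messages, drop_first_copy):
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))          # kernel-assigned loopback port
    delivered, stop = {}, threading.Event()
    worker = threading.Thread(target=run_receiver,
                              args=(rx, set(drop_first_copy), delivered, stop), daemon=True)
    worker.start()
    try:
        result = sender(tx, rx.getsockname(), list(messages))
        time.sleep(0.2)                # let any in-flight datagrams land
    finally:
        stop.set()
        worker.join(1.0)
        tx.close()
        rx.close()
    return [delivered.get(i) for i in range(len(messages))], result


# Constructed input: four messages; the first copies of seq 1 and 3 are 'lost'.
MESSAGES = (b"alpha", b"bravo", b"charlie", b"delta")
LOSE_FIRST_COPY_OF = (1, 3)


def demo():
    """Returns (what plain UDP delivered, what the ACK scheme delivered, retransmissions used)."""
    unreliable, _ = _run(send_blindly, MESSAGES, LOSE_FIRST_COPY_OF)
    reliable, retransmissions = _run(send_reliably, MESSAGES, LOSE_FIRST_COPY_OF)
    return unreliable, reliable, retransmissions


if __name__ == "__main__":
    plain, acked, retries = demo()
    print("plain UDP :", plain)        # [b'alpha', None, b'charlie', None]
    print("with ACKs :", acked)        # [b'alpha', b'bravo', b'charlie', b'delta']
    print("retransmissions:", retries) # 2
```

Two caveats an auditor should keep in view. Stop-and-wait is the simplest scheme and the slowest; production protocols over UDP use windowed ACKs, and when the data matters TCP is usually the right answer rather than reinventing it. And reliability is not integrity: the sequence numbers and ACKs above are unauthenticated, so anything that can inject datagrams can spoof or suppress them. The audit question the abstract asks, where UDP is in use and whether loss has been assessed, applies to every application-level scheme like this one, not only to raw UDP.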
3:00 (Keynote Hall) Finding Flags During a Lightning Storm
Steve McKinney, Cisco
Steve McKinney has been with Cisco for
three years after completing his Master's
degree at NC State. He was the primary
developer for the Capture the Flag contest
at the conference this year.
Abstract: This presentation will be an
overview of the Capture the Flag contest
held at the conference. If you tried the contest and didn't
complete it or wanted to but didn't have time, drop by, this
session is for you.
LIGHTNING TALKS
KEYNOTE SPEAKER
3:30 Lenny Zeltser
Security Practice Director, Savvis; Senior Faculty Member, SANS Institute
Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on
designing and operating security programs for cloud-based IT infrastructure. Lenny’s
other area of specialization is malicious software; he teaches how to analyze and
combat malware for the SANS Institute. He is also a member of the board of directors
for the SANS Technology Institute and an incident handler at the Internet Storm
Center. Lenny frequently speaks on information security and related business topics at
conferences and private events, writes articles, and has co-authored several books.
Lenny is one of the few individuals in the world who have earned the highly regarded
GIAC Security Expert (GSE) designation. He also holds the CISSP certification.
Lenny has an MBA degree from MIT Sloan and a computer science degree from the
University of Pennsylvania. Lenny writes at blog.zeltser.com and twitter.com/lennyzeltser.
More details about his projects are available at http://www.zeltser.com.
Lenny says that some of his “books are gradually becoming outdated” but that
all of them are listed here. Lenny notes that the “most recent and current volume is
CyberForensics. It's a good text.”
Keynote Topic: Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
Why bother breaking down the door if you can simply ask the person inside to let you
in? Social engineering works, both during penetration testing and as part of real-world
attacks. This talk explores how attackers are using social engineering to compromise
defenses. It presents specific and concrete examples of how social engineering
techniques succeeded at bypassing corporate security defenses. Lenny Zeltser will
review how attackers have bypassed technological controls by making use of social
engineering techniques such as:
• Starting attacks in the physical world, rather than the virtual Internet: We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet. The talk presents several examples of such scenarios.
• Targeting attacks through the use of spear phishing and social networks: The talk will explore how attackers may profile victims to include person- or company-specific social engineering elements in an intrusion campaign.
President: Brad Hoelscher
Vice President: Robert Martin
Conference Director: Liyun Yu
Conference Program Director: Mark Whitteker
Conference Deputy Director: Ramsey Hajj
Treasurer: Mark Fontes
Communication: Peter Hewitt
Operations Director: Robert Pitney
Sponsor Development: Robert Martin
Website Developer: Phillip Griffin
Production Support: Steve Toy
Conference Support: Chip Futrel
Program Designer: Rachel Schaub
Sponsor Development Team: Frank Chavarria, Sarah Miller
Operations/AV Team: Dave Balint, Rob Breault, Robert Brown, Matt Bryson, Frank Chavarria, Marie Cross, Randall Hompesch, Eric Hoth, Wenjian Huany, Charles Hudock, Valdez Ladd, Steve McGehee, Glann Morgan, David Parker, Michael Rains, Nancy Schipon, Andrew Senko, Daniel White, Lorie Wilsher, Rich Woynicz
Applications & Development: Aby Rao, Chair; Lisa Lorenzin
Cloud & Virtualization: Nathan Kim, Chair; Eric Olson
Data & Endpoint: Andre Henry, Chair
Governance, Risk & Compliance: Keith Mattox, Chair; Janet Dagys
Pen Testing / System & Network Auditing: Artem Kazantsev, Chair
Physical Security: Glenn Morgan, Chair
Professional Development: Holli Harrison, Chair; Valdez Ladd
Strategy & Architecture: Jim Murphy, Chair
Capture the Flag: Steve McKinney, Chair
Lockpick Village: Jennifer Jabbusch, Chair; Jon Welborn
Lightning Talks: Dyana Pearson, Chair
CONFERENCE COMMITTEE
This Conference is only made possible by the incredible efforts of the committee. On behalf of the chapter, sponsors, speakers, and attendees, thank you!
SPONSORS
The Raleigh ISSA Chapter thanks all of our conference sponsors for their support:
Diamond Sponsors:
Imation, HP / Fortify Software, Oracle
Gold Sponsors:
Alert Logic, Carolina Advanced Digital, Inc.,
Fishnet Security / Sourcefire,
Global Knowledge, Tripwire
Silver Sponsors:
Accuvant / Palo Alto, Cisco, Meru Networks,
Qualys, SAS, Tenable Security, Trustwave, Varonis
Participating Professional Organizations
ASIS, Cyber Patriot, InfraGard, ISAAC,
ISACA, ISSA Raleigh Chapter, NCMS,
NCSU/CTU, ThinkPink ZTA
Breakfast, Lunch, and Break Sponsor:
Barbeque Lodge
Tote Sponsor:
Lord Corp.