Business Professional Track
Wednesday, Oct 28, 2009
Presentation Abstracts
Registration and Breakfast; Sponsor Exhibits
Time: 7:30-8:30
Location: Conference Center Lobby & Main Conference Center Room; Palm Court
Welcome
Speakers: Andrea Cogliati, Ralph Durkee, Allen Scalise, Peter Spier
Time: 8:30-8:45
Location: Main Conference Center Room
Keynote - The Bad Guys Are Winning: So Now What?
Speaker: Ed Skoudis, Senior Security Analyst with InGuardians and SANS Instructor
Time: 8:45-9:45

With the continual release of zero-day exploits, ever-larger-scale botnets, and rampant spyware, attackers have compromised tens of millions of machines connected to the Internet. With clever attackers mixing social engineering, physical attacks, and phishing into their bag of tricks, their rate of successful penetration is both astounding and depressing. A central thesis of this talk is that a sufficiently determined (but not necessarily well-funded) attacker can compromise almost any organization with an Internet connection. The discussion will first analyze why this is so. We'll then look at the implications of such an environment for enterprises. How should information security priorities shift in light of this evolving threatscape and attack surface? What are the implications for system administrators, incident response teams, and even penetration testers? We'll also briefly look beyond the enterprise, and consider the military and national security issues associated with emerging threats and attacks.
Break; Sponsor Exhibits
Time: 9:45 - 10:00
Location: Conference Center Lobby; Palm Court
What's Up PCI?
Speaker: Peter Spier, Fortrex Technologies
Time: 10:00-11:00

A discussion of Payment Card Industry (PCI) compliance which focuses on what applies to your organization and both how to prepare for assessment and how to monitor and manage compliance. Additional detail will be provided dispelling common misconceptions and defining scope. Finally, payment application compliance will be reviewed, addressing compliant development and the use of compliant payment applications and services.
The Sensitive Data Iceberg
Speaker: Allison F. Dolan, Program Director, Personally Identifiable Information, MIT
Time: 11:00 - 12:00

With all the state regulations and potential for federal regulations regarding personally identifiable information (e.g. SSN), organizations should understand where they have PII, and what risks might be entailed. But finding all that PII is not easy - the obvious places, such as the HR systems, are likely to be just the tip of the iceberg. This presentation focuses on the processes MIT used and the findings/results of addressing this issue.
Lunch; Sponsor Exhibits
Time: 12:00-1:00
Location: Main Conference Center Room; Palm Court
Reducing Risk Associated with the Storage and Transmission of PII
Speaker: Henry Sprafkin, Director of Security Solutions, SunGard Availability Services
Time: 1:00-2:00

Personally Identifiable Information (PII) has become the easiest and most fruitful target for organized criminals. Identities can be purchased in bulk on the Internet anonymously. Whether it is Healthcare, Financial, Employment Records, or Cardholder Data, the finances and reputation of each organization rest with its ability to protect PII and intellectual capital. This session will discuss the current threat landscape and a risk-based approach to determining appropriate countermeasures, as well as important elements that are sometimes overlooked or underfunded (along with some shortcuts to accelerate implementation).
Integrated Identity Compliance Management Enabling Rapid Role-Based Compliance
Speaker: David Hochhauser, VP Security Solution Strategy, CA
Time: 2:00-3:00

Effective security management starts with Identity and Access Management (IAM) - knowing and controlling who can do what. With security compliance becoming a main business driver, organizations have begun to look at compliance and role management as one of the main components of identity lifecycle management (ILM). David Hochhauser, VP of Solution Strategy at CA, will present an informative seminar focusing on key ILM issues and challenges facing organizations. David will discuss available best practices and technologies to help demonstrate identity compliance.

Integrated Identity Compliance Management - you will learn how to:
- Assess Identity Lifecycle Management needs easily and rapidly
- Create a role-based model and manage its lifecycle
- Verify and implement regulatory and business policies (e.g., SoD) for a role-based and non-role-based privileges model
- Integrate certification of user privileges and roles into the broader Identity Management lifecycle
- Improve comprehensive management of privileges, roles, and policies
- Steps to integrate Role and Compliance Management with automated remediation and provisioning.
Break; Sponsor Exhibits
Time: 3:00 - 3:15
Location: Palm Court
How to Improve Your Security For Free!
Speaker: Stephen Marchewitz, Chief Strategy Officer, SecureState
Time: 3:30 - 4:30

In tough times the level of security threats increases while funding to address threats doesn't. However, security threats and worries needn't affect your bottom line, especially in an economic downturn. During this presentation, SecureState will discuss strategic and tactical ways to improve your security posture as well as ways to get management to understand the pressure you're under. While it's not always easy, it is possible to build an impressive security arsenal without spending a cent.

SecureState, a vendor-agnostic information assessment and protection firm, will discuss:
- Building a security program
- How to obtain budget
- Well-regarded free tools
- Things you may be wasting money on
- How to relay risk
- Other strategies to get the biggest bang for the buck
Attendee Reception & Peer Networking
Time: 4:30 - 6:00
Location: Palm Court
Business Professional Track
Thursday, Oct 29, 2009
Presentation Abstracts
Registration and Continental Breakfast; Sponsor Exhibits
Time: 8:00-8:30
Location: Conference Center Lobby & Main Conference Center Room; Palm Court
Time: 8:30-8:45
Location: Main Conference Center Room
CSO Roundtable
+ Michael Miller, Global Crossing
+ Todd Colvin, Paychex
+ Jack Redfield, Constellation Brands
Time: 8:45-9:45
Location: Conference Center Room
Introduction of ISO Security Standards with a Comparison to SAS-70 Audits
Speaker: Joel Cort, Principal, IT Risk Management, Xerox Information Risk Management
Time: 9:45-10:45

There are many auditing standards and pieces of legislation targeting security. This presentation will focus on and provide information about the ISO 27001 and 27002 security standards. An overview of the structure and the eleven controls which make up this standard will be presented. Every ISO 27001 discussion must also include some brief historical background as well as the future strategy for this and other security standards. The certification process and auditing requirements will be discussed as well. Finally, armed with this knowledge, a high-level comparison of the ISO 27001 security standard with the information provided by SAS-70 audits will be presented.
Break; Sponsor Exhibits
Time: 10:45-11:00
Location: Conference Center Lobby & Palm Court
Meeting Global Compliance Initiatives While Protecting Your Core Assets
Speaker: Mark Trinidad, Product Manager, Application Security, Inc.
Time: 11:00-12:00

Navigating and interpreting global compliance initiatives is a challenging feat for companies looking to ground those initiatives in data security practices. It's increasingly more complex when database auditing needs to comply with multiple compliance initiatives. The importance of IT security to ensure confidentiality, integrity, and availability of financial data is evident within many sections of the Sarbanes-Oxley Act, for example. The common threat to SOX compliance within these sections is unauthorized data deletion, modification or access. With the integrity of financial data at stake, companies must focus significant efforts on securing data at its source - the database.

Other initiatives including European SOX, ISO/IEC 27002, Basel II and PCI DSS present a challenge to organizations in grounding a data security strategy in compliance. All have varying levels of involvement while having differing recommendations around compliance at the database level, which can be an enormous job for the IT organization.
Lunch; Sponsor Exhibits
Time: 12:00-1:00
Location: Main Conference Center Room; Palm Court
Smart Security and Compliance Strategies - Easy Authentication and Encryption Solutions to Protect Data in Motion and Data at Rest
Speaker: Chen Arbel, Director, Authentication Systems, SafeNet, Inc.
Time: 1:00-2:00

This presentation will focus on Smart Security and Compliance Strategies for organizations to implement cost-effectively and efficiently. It will highlight what's new in the world of security and cybercrime and how recent breaches and scams impact everyone. Negligent employees, third-party contractors and cybercriminals continue to undermine security measures. Learn about practical solutions to lessen exposure and risk.

This presentation will cover:
- What's new and noteworthy in the world of security and compliance mandates
- Practical and effective tips to enhance your security strategy
- Ensuring remote communications to either Web or other server types are permitted only to people possessing software or hardware tokens with corresponding PINs
- Securing data across the connected enterprise, from core to edge, with 360-degree protection of data at rest, data in transit, and data in use.

Who should attend?
- Organizations that have remote access employees, business partners or outsource IT and other administrative functions to third parties
- Organizations that want to ensure employees who leave the organization can't access critical systems
- Organizations examining strategies to protect data at rest and data in motion
The Laws of Vulnerabilities Research Version 2.0: Comparing Critical Infrastructure Industries
Speaker: Jason Falciola, GCIH, GAWN, Technical Account Manager, Qualys
Time: 2:00-3:00

The Laws of Vulnerabilities, version 2.0, is the updated version of the Laws research that premiered at Black Hat in 2003. This research exposes findings on patch trends, prevalence, persistence and exploitability of vulnerabilities within global enterprise networks for internal and external systems.

What's new in Laws 2.0? The research now focuses on 6 vertical industries that represent the critical infrastructure, including Finance, Retail, Manufacturing, Healthcare, Energy and Services. The Laws examine the time-to-patch trends and derive a half-life period for each of these sectors (the half-life is the period it takes the industry to patch 50% of the vulnerabilities discovered after the 1st advisory). This provides organizations within each of these industry sectors a benchmark to compare themselves to when it comes to patching critical vulnerabilities on their networks, so a CSO can use this data to ask the question: are we doing a better job than the rest of our peers, or do we need to ask for more budget to expedite our patching processes?

The sample data used to derive the 2.0 Laws is significant and an order of magnitude larger than what was used in 1.0, as it's based on 80 million IPs scanned in 2008 that discovered 270 million vulnerabilities, out of which 80 million+ vulnerabilities are critical (severity level 4 or 5). The data is completely anonymous and can't be tied back to any specific IP or customer. This presentation will also closely examine the Conficker worm and the Windows RPC vulnerability behind it, and explain how fast the industry reacted to fix this critical issue and prevent infection within enterprise networks.

Based on this research we will discuss industry best practices and the steps your organization should take to implement a mature vulnerability management program that cost-effectively reduces risk over time.
Break; Sponsor Exhibits
Time: 3:00-3:30
Location: Conference Center Lobby & Palm Court
Keynote - Zen & The Art Of An Internal Penetration Testing Program
Speaker: Larry Pesce, CCNA, GCFA Silver, GAWN Gold, Information Systems Security, Disaster Recovery and Identity Management at a mid-sized healthcare organization in New England and co-host for Pauldotcom
Time: 3:30-4:30

Larry will discuss why internal penetration testing is so important and then identify key components that must exist to create a successful program:
- Getting Management Buy-In
- Identify The Types Of Testing You Will Perform
- Create A Workflow For Reporting

The presentation also provides several steps and tips for defining and developing your internal penetration testing, including:
- Target identification
- Detect OS & Services
- Identify Vulnerabilities
- Exploitation
- Post-Exploitation
- Reporting

The intent is to provide the starting point with a myriad of tips to guide your organization to create your own internal penetration testing program.
Raffle Drawing & Attendee Reception; Sponsor Exhibits
Time: 4:30-6:00
Location: Conference Center Lobby & Palm Court
(All schedules are subject to change)