
Business Security Abstracts

Top Hats and Nyan Cats: A LulzSec Case Study

LulzSec was one of the most prominent and publicized computer attack groups this year, and most of their attacks were based on vulnerabilities that are easy to find and easy to fix. A timeline of the LulzSec attacks will be examined as a case study; the speaker will present a timeline of major attacks and information releases, and will focus on the group's target selection and preferred attack types. Additional information will be presented regarding LulzSec's portrayal in the wider lay community, and on the related and successor groups that are rising to prominence following LulzSec's so-called retirement from active computer exploitation.

Greg Hartman is Senior Security Engineer at iSecure, LLC, a network security service provider based in Pittsford, NY. His primary role is in vulnerability assessment and testing, and in researching emerging security trends as part of ongoing security awareness. He holds a BS in Computer Science from the Rochester Institute of Technology.

 

Ten Things You are Doing to Enable Hackers

The world has become a playground for hackers. Organizations large and small, and in every industry continue to be inundated with news of data breaches, threats, and organized cybercrime. While many put forth effort to sustain a secure environment for their critical assets, most organizations are misled by hype, confused by hysteria, or driven by the wrong priorities. We've become our own worst enemies.

Reg Harnish is an entrepreneur, frequent speaker, senior security specialist, and Co-Founder of GreyCastle Security.

With over 10 years of extensive experience in security solutions for Financial Services, Healthcare, and Higher Education organizations, Reg focuses on implementations of ISO and NIST standards ranging from risk management, incident handling, and regulatory compliance to network, application, and physical security. Always bringing a unique perspective to information and physical security, Reg works to promote awareness, establish security fundamentals, and reduce risk for all clients.

As GreyCastle Security's Co-Founder and Chief Security Advisor, Reg helps clients avoid the hype and hysteria that is commonplace in security today. By helping businesses of all types identify their risks and implement practical solutions that combine decades of experience, military-grade standards, and security fundamentals, Reg continues to demonstrate that all businesses can reduce their risk.

Reg attended Rensselaer Polytechnic Institute in Troy, N.Y., and has achieved numerous security and industry certifications. Reg is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM). In addition, Reg is certified in Information Technology Infrastructure Library (ITIL) Service Essentials, as well as ITIL Lean for Service. Reg is a member of the InfraGard National Members Alliance, the Information Systems Audit and Control Association (ISACA), and the Information Systems Security Association (ISSA). In addition to broad expertise in information security, Reg has achieved numerous physical security certifications, including firearms instruction, range safety, and personal protection.

Reg is a frequent speaker and has presented at prominent events including the NYS Cyber Security Conference, The New York Bankers Association (NYBA), and Symantec Vision, the company's global conference. Reg's successes have been featured in several leading industry journals including Software Magazine, ComputerWorld, and InfoWorld. Reg serves as the Vice President of Education for the Hudson Valley Chapter of ISACA. He also serves on the Advisory Board for ITT Technical Institute, a secondary education institution focused on business technology. Reg was also previously a member of the Board of Directors for the Red Cross of Northeastern New York.

 

Where is the payoff?

Where is the payoff? is a program to define and use metrics on software security for business users in real life.

Software security is a fundamental strategy for maintaining the overall protection of your environment. This fact is supported by several studies and surveys conducted and/or sponsored by companies interested in selling their services and products to support a more secure environment. Beyond the omnipresent GartnerGroup research from 2002 showing that 70% of all cyber-attacks are performed against the application layer, and numbers establishing that 73% of organizations had been hacked at least once in the last 24 months through insecure web applications, there is one question that should be asked by any business decision maker: What should I care about?

General statistics and market reports are great tools for understanding how your company should prepare a security strategy and define which actions are required to make it happen; however, the period of selling security through fear, uncertainty, and doubt is over. Business people are driven by real numbers, where any investment must be supported by a payoff; and to reach these numbers, real metrics with specific models for each organization are required.

This presentation will show how to understand business requirements for software security and answer them with the support of metrics that can be adapted for use in any organization. Through the use of open methodologies and documents provided by OWASP, WASC and CIS, the proposed program captures the requirements from a business perspective, supporting the development of metrics for real life. As a result, the audience will be presented with a vendor-free system to create, feed, and use metrics for software security in their daily activities. Based on the content defined in "The CIS Security Metrics" with an approach derived for application security, this system is successfully being used at one large Brazilian company (a case study will be presented with sanitized information) and will allow users to:

• Quantify the otherwise unquantifiable application security processes, no matter what kind of technology or tools are used in the organization.

• Show trends, cross-sectional comparisons within the company or against competitors, and the evolution of the application security initiatives, allowing investment planning and justification for business-oriented discussions.

• Provide quantifiable information to support risk management and risk-based decision making on software security, allowing the rational allocation of financial resources to where they really matter in making a more secure organization.

Eduardo Neves - Working in the Information Security arena since 1998, Eduardo Neves is the Founder and Managing Director of Conviso, a consulting company specializing in professional services for planning, testing, hardening, and management of security controls for corporate applications and related components on the architecture and network layers. A CISSP in good standing and volunteer for (ISC)2, Eduardo has also served as a member of the OWASP Global Education Committee since 2008.

His articles and white papers on Business Continuity, Risk Management, and Application Security are available online.

 

The IN’s, AND’s, OUT’s and BUT’s of the world’s first ISO 27001 certification

Do you know which information security consulting firm was the first in the world to obtain an ISO 27001 certification? Did you know their HQ is in sunny Rio de Janeiro? Instead of Carnival and Samba, this dedicated team of professionals set out to do what no competitor had yet achieved. This pioneering achievement hastened the company's positioning in the global market and legitimized information security throughout Brazil and South America. Ride along with these early adopters and experience their challenges and the realization of an effective information security management system.

James Finn has twenty-five years' experience in security and disaster recovery consulting, managing and delivering enterprise solutions to more than 200 worldwide commercial and government clients.

He has held various management and consulting positions in the information security field, including as a worldwide IBM Corporate Auditor for Information Security reporting to the Corporation's Board of Directors. He is also the founding Principal of both the IBM and Unisys Security Consulting Practices and was Vice President of Risk Management for Modulo.

He has consulted in more than 38 countries in North America, South America, Asia, and Europe on business, technical security, and recovery solutions to assist clients in achieving and maintaining effective governance across the full spectrum of security and business recovery disciplines. James is a Microsoft MSRA trained assessor, a KPMG trained SOX auditor, and also holds Business Continuity certifications.

He is frequently requested as a speaker at international industry conferences, live webcasts, and TV and radio news shows and is the author of over 50 media articles on computer security.

 

Making Sense of (in)Security

Security is one of those things that is heavily regulated, highly political, and often made into something complex. We've been taught from day one in our careers that risk formulas, bigger-picture frameworks, highly paid consultants, C-level decision makers, and the latest security tool or offering will bring us to a security utopia. I'm here to tell you to throw everything you've learned out the window and wrap your minds around how simple security really is. In this discussion we'll walk through the evolution of security: where we were, where we are, and where we are going. Cumbersome process, technology solutions, and complexity have crippled the security industry as we know it. This talk focuses on the issues we face, the direction we're heading, and the direction we need to go. In the presenter's usual style, Kennedy will be demoing some cutting-edge attack vectors, showing new hacks, and bypassing your latest million-dollar technology investment.

David Kennedy is Chief Information Security Officer at Diebold Inc. and creator of the Social-Engineer Toolkit, Fast-Track, and other open-source tools. He is on the Back|Track and Exploit-Database development team and is a core member of the Social-Engineer podcast and framework. Kennedy has presented at security conferences including Black Hat, DEF CON, ShmooCon, B-Sides, and others. He is one of the co-founders of DerbyCon, an information security conference in Louisville, Kentucky, and is a co-author of Metasploit: A Penetration Tester's Guide, from No Starch Press. Kennedy is supported by his wife, children, and his MacBook Pro.

 

Mythbusting Network Security Performance

New research has shown that, despite the increasing number of security risks, 90% of IT professionals who responded to a recent survey admitted to trading off security functionality in favor of network performance. As we deploy more complex security devices such as Next Generation Firewalls, the impact on performance becomes increasingly severe. How can we measure these impacts, what should we be asking our vendors, and how do we ensure our infrastructure will be both secure and performant over the long haul?

Peter Doggart is the Director of Product Marketing at Crossbeam. He brings 15 years of product and marketing management experience for international blue-chip companies. Prior to Crossbeam, Doggart held senior positions at 3Com Corporation and founded a networking reseller company in the UK. He holds two patents and a first-class honours degree in Electronic and Electrical Engineering from Loughborough University, UK.

 

Advanced Malware – Designed Especially for You

In the late 1990s and early 2000s, malware consisted of internet-scale worms created to invade personal computers via email attachments. It was created by hackers looking for notoriety and seldom did lasting damage, mainly clogging systems and crashing networks. As security technology advanced to prevent such attacks on networks, cyber criminals developed ways around the new technological barriers and soon realized that rather than crashing infected computers, it was more profitable to quietly control them and have them serve as platforms for crime. Today advanced malware has evolved into zero-day and highly targeted APT attacks that aggressively evade signature-based Web and email defenses and compromise the vast majority of networks. It is socially engineered to target particular users via one of the multiple devices they use for business and/or personal purposes, so that when those devices connect to the network each day the malware invades systems via web-based vulnerabilities, spear-phishing attacks, and targeted espionage attacks such as Stuxnet.

In this presentation FireEye senior security researcher Alex Lanstein will discuss how advanced malware has outpaced enterprise security technology to target the individual user and, as a result, infect the enterprise's vital infrastructure. He will detail in depth malware-related data breaches and explain the security gap that exists in enterprise security architecture today that allows these attacks to be successful. He will also cover the distributed infrastructure that must be implemented to combat this modern cyber-warfare.

Alex Lanstein - At FireEye, Alex handles a broad set of responsibilities including product engineering, sales engineering, and security research. Most recently, his security research was published by The Washington Post, PC World, The Register, and Cisco Systems, covering his discovery of botnet and Web malware sites associated with McColo Corp. His work was key in taking McColo off the Internet as well as significantly reducing worldwide spam. Prior to FireEye, Alex was founder, owner, and network administrator of an Internet hosting company. His areas of expertise include botnets, malware, network security, and functional binary analysis. Alex has a B.S. in Computer Science from Connecticut College.

 

Implementing an Incident Response Process With Teeth

Most mature Infosec organizations have an Electronic Incident Response Process of some sort, and many are well founded on best practices that have existed for years. Even with decent processes in place, however, real-time IR engagements can still be painful experiences for those involved, plagued with miscommunication, disorder, preventable mistakes, and/or poor decision making that ultimately drives the duration and cost of responding through the roof. How your IR process is actually implemented makes a big difference! This presentation will drill into the root causes of why most IR processes lack the "teeth" necessary to promote fast, accurate, balanced, and authoritative responses, and demonstrate tactics that can be directly applied to help guarantee improved handling of incidents from the time of initial response to full follow-through. The material is suitable for Infosec professionals at all levels, technical or managerial.

Del Russ is currently employed as a Senior IT Security Analyst at Xerox Corporation, where he has been involved in numerous Information Security programs since 2001. Mr. Russ founded Xerox Information Management's Computer Forensics Program in 2005, and the Xerox Electronic Incident Response Program (EIRP), which he managed from 2007 to 2010. He has participated directly in the handling of hundreds of electronic security incidents, at all levels of complexity and severity. Del's other expertise is in Threat Management programs and solutions, including Network Based Vulnerability Scanning (NBVS), Data Leak Protection (DLP), Intrusion Detection Systems (IDS), Log Monitoring Systems (LMS), and other related areas. Prior to entering the Information Security field, he spent ten years in Software Engineering and IT Consulting, primarily with Computer Sciences Corporation (CSC). Mr. Russ holds a Bachelor of Science Degree in Computer Science from the State University of New York at Buffalo, with a minor in Psychology. He holds GCFA and CISSP professional certifications.

 

CyberVigilantes: How Security Researchers Are Hurting the Business of Hacking

The tables have recently been turned on hackers. C&C servers have been exposed and players in the hacker industry have been arrested. This is only the tip of the iceberg, as security practitioners -- and law enforcement -- have understood the need for a security approach that puts the heat on the hacking industry. This development has given much insight into hacker activity, including technical innovations and shifts in business models. Most importantly, studying the hacker world helps security teams apply and tune defenses.

This talk will answer:
- What methods does the security community use to tap into hacker activity?
- What attack campaigns have been unearthed?
- What technologies are hackers using, and what are their business models?
- What can security teams gain from this research in order to apply the necessary security controls?

Noa Bar Yosef is a senior security strategist at Imperva. In this role Noa researches and analyzes trends in the threat landscape. She is a frequent contributor to various security magazines, comments on breaking security news, and is regularly invited to speak at industry events. Currently, Noa writes a bi-weekly column on hacker trends and techniques for SecurityWeek. Previously, she held the position of senior security researcher in Imperva's Application Defense Center. While at the ADC, Noa conducted research on database and Web application vulnerabilities. She holds an MSc degree (specializing in information security) from Tel-Aviv University.

 

Why Software is Still Insecure

Software security tools and training have been available for years. Why do most organizations still produce insecure software? Why do organizations' software security initiatives stall? The answer lies in how and when they adopt security tools, not simply whether they do. This session discusses a 10-year research study and the creation of an Application Security Maturity Model for organizations to adopt.

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO of Security Innovation, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts in helping organizations understand the risks in their software systems and develop programs to mitigate those risks.

Mr. Adams founded the Application Security Industry Consortium, Inc. (AppSIC), a non-profit association of industry analysts, enterprise technologists, and security leaders established to define cross-industry application security metrics and best practices. The non-profit eventually morphed into SAFECode at which point Mr. Adams became more engaged with other industry initiatives, including OWASP.

Mr. Adams is on the board of the National Association of Information Security Groups (NAISG) as well as the Massachusetts North Shore Technology Council (NSTC).