OCTOBER 20, 2011

Rooms: Speaker Room A, Speaker Room B, Speaker Room C, Speaker Room D, Keynote Hall, Lunch Room
Lunch Room: Capture the Flag, Lockpick Village, Lockpick Challenge

 7:00  Registration, Exhibition, and Breakfast Buffet
 8:30  Keynote Speaker: Marc Hoit – University Campus: A Microcosm of the Future
 9:20  Exhibition
 9:30  Keynote Speaker: Tom Limoncelli – You Suck At Time Management (but it ain’t your fault!)
10:20  Exhibition and Tom Limoncelli Book Signing

Morning tracks: Room A – Governance, Risk & Compliance; Room B – Professional Development; Room C – Data and Endpoint Security; Room D – Physical Security; Keynote Hall – Diamond Sponsor Sessions

10:30  Room A: Srini Kolathur – How to Secure DB Infra Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
       Room B: Beth Wood – Leading By Example / Building Effective Teams
       Room C: Ron Stamboly – Authentication of Personal Mobile Devices
       Room D: Jon Welborn – Introduction to Lockpicking
       Keynote Hall: Oracle presentation
11:20  Exhibition
11:30  Room A: Sandy Bacik – Building a Lasting IT GRC Policy Architecture
       Room B: Garion Bunn – Winning in Business and Life
       Room C: Michael Sutton – Corporate Espionage for Dummies
       Room D: Jon Welborn – High Security Locks
       Keynote Hall: HP / Fortify: Hans Enders – Reinventing Dynamic Testing: Real-Time Hybrid
12:15  Lunch Buffet and Exhibition

Afternoon tracks: Room A – Penetration Testing / SNA; Room B – Cloud and Virtual Security; Room C – Security Strategy and Architecture; Room D – Applications and Development; Keynote Hall – Diamond Sponsor Sessions

 1:30  Room A: Ryan Linn – Progression of a Hack
       Room B: Ron Stamboly – Managing Risk, Liability and Compliance in the Cloud
       Room C: Jim Murphy – Information Security Doesn’t Just “Happen”!
       Room D: Steve McKinney – Enabling the Business with Security Metrics
       Keynote Hall: David Duncan – Key Trends in Removable Device Security
 2:15  Exhibition and Ryan Linn Book Signing
 2:30  Room A: Matt Cooley – Web Application Social Engineering Vulnerabilities
       Room B: Mark Hinkle – Crash Course on Open Source Cloud Computing
       Room C: Jonathan Norman – Anatomy of an Attack
       Room D: Phillip Griffin – Making Fat Messages Available: Binary XML Encoding
       Keynote Hall: Dwayne Melançon, Shahab Nayyer, Steve McKinney
 3:30  Keynote Speaker: Lenny Zeltser – Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
 4:20  Exhibition
 4:30  Announce Winners of Lockpick Challenge and Capture the Flag (Keynote Hall)
 5:00  Chapter and Sponsor Giveaways, must be present to win (Keynote Hall)
TRIANGLE INFOSECON • OCTOBER 20, 2011




WELCOME
The Raleigh ISSA Chapter welcomes you to the seventh annual Triangle InfoSeCon.
We are very pleased you joined us today. Our conference goal: offer you a convenient way to learn more about the state of
Information Systems Security (ISS) today, right here in central North Carolina. Our selected speakers offer you a balanced and
broad program. The Raleigh ISSA Chapter especially thanks all the speakers and our conference sponsors, without whom this
event is not possible. Please visit our sponsors in the exhibit area to learn about the latest in ISS products and services. Enjoy
the conference. Please fill out the feedback forms. Your response is important. We strive to improve each year.




[Figure: McKimmon Center InfoSecon Conference Layout (not to scale)]








ABOUT THE ISSA
This conference is brought to you by the Raleigh Chapter of the Information Systems Security Association. The ISSA is an international professional organization aimed at providing educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. The Raleigh Chapter became an official ISSA chapter in February 2003. We meet on the first Thursday of every month at the McKimmon Center on the campus of NC State University. You can find out more about the chapter at http://raleigh.issa.org. If you would like to get on our announcements email list, please send an email to board@raleigh.issa.org.




    New This Year!
    Lockpick Village: Stop by the Lockpick Village and try your hand at picking various locks,
    from handcuffs to padlocks, door locks and more. Sponsored by the FALE Association of Locksport
    Enthusiasts (FALE), there will be games, demonstrations, and hands-on workshops for attendees to
    learn, play and share their experiences. Lockpick sets will be available for purchase for $20.

    Capture the Flag: Think you have 1337 skilz? Stop by the Capture the Flag event and prove it!
    Pit your hacking skills against the server, collecting as many flags as you can. Each participant will
    be scored based on the number of flags captured within the time limit. The winner will be
    announced at the end of the conference.


    Don’t forget to turn in your feedback forms!
    Conference drawings are made from completed, returned conference feedback forms and require at
    least 12 sponsor “stamps” and your legible name to be eligible. Sponsor door prizes and giveaways
    are drawn directly from attendees' collected business cards. All drawings are at 5:00 pm and you
    must be present to win.




KEYNOTE SPEAKERS
          8:30 Marc Hoit
          Vice Chancellor for IT and CIO, North Carolina State University
          Marc Hoit is the Vice Chancellor for Information Technology and the Chief Information
          Officer (CIO) for North Carolina State University (NCSU) in Raleigh, North Carolina.
          He began his role as the Vice Chancellor for Information Technology in September
          2008. Since arriving, he has worked to develop an IT Governance Structure, Strategic
          Operating Plan and launched a number of key foundational projects that will
          improve efficiency and effectiveness of IT on campus. He previously held numerous
          administrative positions at the University of Florida including Interim CIO, Director
          of Student PeopleSoft Implementation, the Associate Dean for Academic Affairs
          Administration and the Associate Dean for Research in the College of Engineering.
          He is a Professor in the Civil, Construction and Environmental Engineering Department.
          He received his B.S. from Purdue University and his M.S. and Ph.D. from University of
          California, Berkeley. Dr. Hoit is the Co-Principal Investigator, along with Chapel Hill and
          SAS, for the North Carolina Bio-Preparedness Collaborative (NCB-Prepared) Grant from
          the Department of Homeland Security (DHS) and the development of DIGGS, an
          international XML schema for transferring transportation information. His structural
          engineering research involves the computer program, FB-MultiPier, which analyzes
          bridge pier, superstructure and pile foundations subjected to dynamic loading.

          Keynote Topic: University Campus: A Microcosm of the Future
          Dr. Hoit will present how a university campus is a petri dish for innovation, future
          trends and disruption for IT and how it affects services, purchasing and planning.


          9:30 Tom Limoncelli
          Time Management Guru, Author, Blogger, and System Administrator
          Tom is an internationally recognized author, speaker, and system administrator. His books
          include The Practice of System and Network Administration (Addison-Wesley) and Time
          Management for System Administrators (O'Reilly). He received the SAGE 2005 Outstanding
          Achievement Award. He works in NYC and blogs at TomOnTime and
          EverythingSysadmin.com.


          Keynote Topic: You Suck At Time Management (but it ain't your fault!)
          So much to do! So little time! Security people are pulled in so many directions it is
          impressive anything gets done at all. The bad news is that if you work in security then
          good time management is basically impossible. The good news is that it isn't your fault.
          Tom will explore many of the causes and will offer solutions based on his book,
          “Time Management for System Administrators” (now translated into 5 languages).








GOVERNANCE, RISK, & COMPLIANCE
10:30 (A) How to Secure Database Infrastructure Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
Srini Kolathur, Vinay Bansal, & Jim Tarantinos
Srini Kolathur, CISSP, CISA, CISM, MBA is a result-driven IT project manager with Cisco Systems. Srini has several years of experience in helping companies effectively comply with regulatory compliance requirements including SOX, PCI, HIPAA, etc. Srini believes in and advocates a best practices-based security and compliance program to achieve business objectives. Srini also maintains a free collaborative web portal for managing IT best practices and audit plans at Checklist20.com.
Abstract: IT governance and strategy are critical to an organization's success. Key to the risk assessment and audit plan process is breaking down the IT universe into smaller, more manageable sub-components. Databases play a major role in the increasingly complex global business processes and IT universe. A best practice-based assessment to evaluate risks uses an 80-20 rule. This makes it possible to eliminate all the low-hanging fruit by leveraging expertise from around the world and helps organizations quickly achieve their desired business objectives at the optimum cost. We will specifically focus on how to leverage database best practices for building effective risk assessment approaches and to build audit plans to comply with different compliance programs including SOX, HIPAA, PCI-DSS and EU data privacy.

11:30 (A) Building a Lasting IT GRC Policy Architecture
Sandy Bacik
Sandy Bacik, author and former CSO, has over 15 years of direct development, implementation, and management information security experience in the areas of Audit Management, Disaster Recovery/Business Continuity, Incident Investigation, Physical Security, Privacy, Regulatory Compliance, Standard Operating Policies/Procedures, and Data Center Operations and Management, with an additional 15 years in Information Technology Operations.
Abstract: With industries moving toward a governance and risk culture, the IT and enterprise policy architecture needs to be updated to align with the enterprise goals of IT Governance. Some may discover that they have all the pieces spread throughout the current organization, but do not know how to proceed to ensure their IT and security policies and processes fit into their enterprise governance architecture.








PROFESSIONAL DEVELOPMENT
10:30 (B) Leading By Example / Building Effective Teams
Beth Wood, North Carolina State Auditor
North Carolina State Auditor Beth A. Wood, CPA, is serving her first term as the state’s elected auditor after more than a decade of service in training and research for the office. As Training Director for the Office of State Auditor, Beth developed and taught audit courses for the auditor’s staff, concentrating on the areas of Single Audit, internal control and sampling. She also coordinated the State Auditor’s Quality Control Review and provided research of audit and reporting issues for the audit staff.
She began working with state government in 1993 with the Local Government Commission (a division of the Office of the State Treasurer). In that position, she reviewed and approved audits of local governments prepared by private CPA firms. Prior to her work with state government, Beth worked as a cost accountant for Ray-O-Vac Corporation for three years. She also supervised audits of local governments and not-for-profit organizations for McGladrey and Pullen CPAs, a national CPA firm. Beth left the Office of the State Auditor in 2007 as she began her campaign to become the first woman elected to the post. While seeking office, she also taught a variety of courses for the American Institute of Certified Public Accountants (AICPA) and worked in the institute’s Professional Ethics Division investigating alleged substandard audits around the country.
Abstract: Moving from a purely technical role to management is very challenging for most IT people. Most people do not like giving up the hands-on technical work, and they also tend to be more independent. This discussion will deal with particular challenges faced when moving into a managerial role and will answer questions such as: How can leaders learn to assess the strengths of their team members and use them to get the team working as one unit rather than a bunch of lone rangers? How can they deal with jealousy and backstabbing from those not promoted? How can they anticipate senior management's and the organization's needs and ensure the team is truly fulfilling the mission?

11:30 (B) Winning in Business and Life
Garion Bunn
Garion Bunn is an award-winning speaker and workshop facilitator who is a self-driven, results-oriented cultivator of human potential. His purpose is to inspire, educate and empower people and organizations around the globe. His success strategy is to continually seek new ways to add value through seminars and workshops that are leadership centric. Garion is an empathic communicator and listener.
Garion believes that effective leadership skills are the most powerful tools in the current-day workplace and marketplace. Leadership excellence is the fast track up the corporate ladder. Garion helps professionals who want the zest, energy and power to deliver with passion and purpose.
Abstract: Are you ready for the competition? This keynote focuses on stirring your enthusiasm and sense of purpose in daily life. An excited, focused individual is ready to take on the challenges and triumph in today's fast-paced market. Develop knowledge and skills that will significantly increase your personal effectiveness and ability to successfully interact with and lead others. This session covers many diverse and critically important business, interpersonal, and leadership topics.




DATA AND ENDPOINT SECURITY
10:30 (C) Authentication of Personal Mobile Devices as Part of an Overall Enterprise Authentication Strategy
Ron Stamboly, SafeNet; Co-author Maureen Kolb
Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.
Abstract: IT departments are facing challenges from many users wanting to use their mobile device to access sensitive corporate information. Clearly, the risk posed by these scenarios is great. The key issue confronting security staff is management: ensuring only trusted devices can access corporate resources, contending with lost devices, managing security policies, and enabling and monitoring access. Finally, IT organizations need to establish visibility and control over what assets can be accessed by and saved onto those devices. This presentation will discuss implementing unified authentication schemes, security policies and credentials for employee-owned endpoint devices, helping organizations to enable their workforce while reducing IT management and administration resources, as well as show how organizations can centrally and consistently manage all authentication requirements for local networks, VPNs, SaaS applications, and virtualized environments.

11:30 (C) Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
Michael Sutton
Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers, and educating others on a variety of security topics. As Vice President of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry. Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing, and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles, and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.
Abstract: Today, everything from television sets to photocopiers has an IP address and an embedded web server (EWS) for device administration. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. Leveraging the power of cloud-based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a ‘wifi enabled’ device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target-rich environment for years to come.




PHYSICAL SECURITY
10:30 (D) Introduction to Lockpicking
Jon Welborn
Jon Welborn is a penetration tester and a co-founder of the FALE Association of Locksport Enthusiasts. FALE came together around a shared general curiosity and persuasion of the public’s “right to know”. FALE meets regularly in the Winston-Salem, NC area and hosts lockpicking villages at various security conferences around the country. http://lockfale.com
Abstract: You've got locks on your network closet and secure document bin. Great. What if I can open them in 30 seconds or less? Learn the basics about how a lock works and how to compromise commonly used locks. This information isn’t complicated in the least, but in this talk we set out to remove the often-practiced “security by obscurity” approach to physical security.

11:30 (D) High Security Locks
Jon Welborn
Abstract: Great locks are not difficult to come by. This talk will discuss various components of a quality lock as well as several manufacturers of high-caliber locks. We will discuss specific makes and models of locks that may be beneficial in your environments. If nothing else, this talk will open the door to the idea that you shouldn’t have to lean on your local hardware store to meet your physical security needs.




DIAMOND SPONSOR SESSION (Keynote Hall)
10:30 ORACLE PRESENTATION




Mark your calendars for the Eighth Annual Triangle InfoSeCon, to be held on Thursday, October 18, 2012 at the McKimmon Center.
Keynote speakers: Chris Nickerson - Lead Security Consultant for Lares Consulting, and Stan Waddell - Executive Director and Information Security Officer, University of North Carolina (UNC) Information Technology Services (ITS)




DIAMOND SPONSOR SESSION (Keynote Hall)
11:30 HP / FORTIFY
Reinventing Dynamic Testing: Real-Time Hybrid
Hans Enders, HP Fortify
Hans Enders is a Sr. Solutions Architect for HP Fortify. In his current role, Hans is responsible for demonstrating web application security software and providing solutions to prospective clients for HP Software’s Application Security Center. He has more than 14 years of experience in network administration and security, with the most recent 7 years focusing on web application security testing and software support. Hans acquired the CISSP in 2004 and most recently completed the CISM certification in 2011. Hans is an active member of ISSA, ISACA, OWASP, and a past member of InfraGard of Georgia. Hans has a Bachelor of Science degree in Industrial & Systems Engineering from North Carolina State University and is moderately fluent in Spanish. Outside of his professional career, Hans also enjoys participating with CERT (Community Emergency Response Team) and being a Cub Scout leader.
Abstract: Over the years, two key techniques have emerged as the most effective for finding security vulnerabilities in software: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). While DAST and SAST each possess unique strengths, the "Holy Grail" of security testing is thought to be "hybrid" -- a technique that combines and correlates the results from both testing methods, maximizing the advantages of each. Until recently, however, a critical element has been missing from first-generation hybrid solutions: information about the inner workings and behavior of applications undergoing DAST and SAST analysis. This presentation will introduce you to the next generation of hybrid security analysis — what it is, how it works, and the benefits it offers. It will also address (and dispel) the claims against hybrid, and leave participants with a clear understanding of how the new generation of hybrid will enable organizations to resolve their most critical software security issues faster and more cost-effectively than any other available analysis technology.




PENETRATION TEST / SNA
1:30 (A) Progression of a Hack                                     2:30 (A) Web Application Social
Ryan Linn, Trustwave's SpiderLabs                                  Engineering Vulnerabilities
                  Ryan Linn is a Senior Security                   Matt Cooley, Symantec
                  Consultant with Trustwave’s SpiderLabs                              Matt Cooley is an accomplished
                  who has a passion for making security                               information security practitioner
                  knowledge accessible. In addition to                                working in IT across multiple industries
                  being a columnist with the Ethical                                  for almost 20 years with over a decade
                  Hacker Network, Ryan has contributed                                of primary focus on security. At
                  to open source tools including                                      Symantec, Matt has been involved
Metasploit, Dradis and the Browser Exploitation                                       with security assessments in the finan-
Framework (BeEF).                                                  cial sector, government, commercial business, higher
Abstract: So you have a firewall, AV, IDS, patch management        education, and major ISPs. His primary area of expertise
and more. Nobody is getting in. Somehow Fake-AV and                is in web application and product penetration testing.
malware still rear their ugly heads from time to time, but         Abstract: In this presentation, we plan to demonstrate web
things feel pretty safe. Others in this same situation are still   application vulnerabilities which could be leveraged to
making the news. This talk will look at how a single foothold      attack end-users of applications. In particular, cross-site
can lead to the opening story on the evening news. We will         scripting will be used to attack mobile device users. Social
look at how a motivated attacker can compromise a patched          Engineering Toolkit will be demonstrated to compromise
Windows box, escalate privileges on a domain, and get to the       systems of fully-patched and protected users. Common
data. As each demonstration shows the techniques, we'll talk       tricks such as URL obfuscation, URL redirection, and
about mitigation strategies and what steps you can take to         domain-name manipulation will be used to successfully
avoid being a headline.                                            coerce victims into performing tasks from which an
                                                                   attacker would benefit.
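Matt Cooley's abstract names URL obfuscation, URL redirection and domain-name manipulation as the lures. The following is an added illustration, not code from the talk, of what those tricks look like to a URL parser and how a simple check can flag them: credentials placed in the authority part so the trusted name appears first, numeric host literals, look-alike domains, and an open redirector on the trusted site whose query parameter carries the hop to the attacker. The host names bank.example and evil.example, the allow-list and the redirect parameter names are constructed for the example.

```python
"""Recognising the URL tricks that web-application social engineering leans
on: credentials in the authority part, open redirectors, numeric host
literals and look-alike domains.  Added illustration; bank.example,
evil.example and the allow-list below are constructed."""
from urllib.parse import urlsplit, parse_qs, unquote
import ipaddress

TRUSTED_HOSTS = {"bank.example"}                     # constructed allow-list
REDIRECT_PARAMS = {"url", "next", "redirect", "return", "goto", "dest"}


def effective_host(url: str) -> str:
    """Host a browser actually connects to.  Anything before '@' in the
    authority is userinfo, so https://bank.example@evil.example/ goes to
    evil.example while showing bank.example first in the address."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def numeric_host(host: str) -> bool:
    """Dotted, decimal or hex IP literals (http://2130706433/, http://0x7f000001/)
    hide the destination and dodge naive string matching."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        int(host, 0)          # accepts 2130706433 and 0x7f000001
        return True
    except ValueError:
        return False


def lookalike(host: str) -> bool:
    """Non-ASCII labels (homoglyphs) or a trusted name embedded inside an
    untrusted one, e.g. bank.example.evil.example."""
    if not host.isascii():
        return True
    return any(t in host for t in TRUSTED_HOSTS) and not is_trusted(host)


def analyze_url(url: str) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    parts = urlsplit(url)
    host = effective_host(url)
    findings = []
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' shown before real host {host}")
    if host and numeric_host(host):
        findings.append(f"numeric host literal {host}")
    if host and lookalike(host):
        findings.append(f"look-alike domain {host}")
    if is_trusted(host):
        # An open redirector on the trusted site makes the lure URL genuinely
        # point at the trusted host; the hop to the attacker sits in the query.
        for name, values in parse_qs(parts.query).items():
            if name.lower() in REDIRECT_PARAMS:
                for value in values:
                    target = effective_host(unquote(value))
                    if target and not is_trusted(target):
                        findings.append(f"redirect parameter {name} leaves the site for {target}")
    return findings


if __name__ == "__main__":
    for sample in ("https://login.bank.example/account",
                   "https://bank.example@evil.example/login",
                   "http://2130706433/",
                   "https://bank.example.evil.example/",
                   "https://bank.example/login?next=//evil.example/"):
        print(sample, "->", analyze_url(sample) or "ok")
```

The redirect check only fires when the URL really does point at a trusted host, which is exactly the case a user cannot be expected to catch: the link is genuine, and the site itself forwards the victim on. Protocol-relative values such as //evil.example/ are resolved the same way a browser would, since those are a common bypass for redirect filters that only look for "http".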




CLOUD / VIRTUALIZATION SECURITY

1:30 (B) Managing Risk, Liability, and Compliance in the Cloud
Ron Stamboly, SafeNet; Co-author Maureen Kolb

Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree in Telecommunications from Pace University.

Abstract: Cloud computing is unquestionably the future of our IT infrastructure and business workloads. Yet the industry is reaching an impasse as organizations have already completed proof-of-concepts and architectural planning for the cloud. Internal data governance and compliance requirements have become the barrier to more organizations moving to the cloud, and to larger organizations converting small test projects to full production. The mix of confusion over ownership and liability, lack of transparency from the cloud provider, an almost complete absolution of liability in contracts, and lack of clear guidance on required controls have all contributed to this. This session will focus on peeling back some of these issues to drive some clarity and actionability. Cloud is the future, with its ease of use, cost savings and transparency, but data governance and compliance requirements have stopped projects due to confusion on risk and liability. The presentation will focus on driving clear areas of trust, ownership, and liability; cover audit and contractual aspects of working with CSPs; identify new controls needed to move to the cloud; and end with PCI 2.0.

2:30 (B) Crash Course on Open Source Cloud Computing
Mark Hinkle, Citrix Systems

Mark Hinkle is the Director of Cloud Computing Community at Citrix Systems Inc. He joined Citrix as a result of their July 2011 acquisition of Cloud.com. He is currently responsible for the success of the open source cloud computing platform, CloudStack. Previously he was the VP of Community at Zenoss Inc., a producer of open source application, server, and network management software, where he grew the Zenoss Core project to over 100,000 users and 20,000 organizations on all seven continents. He is also a longtime open source expert and author, having served as Editor-in-Chief for both LinuxWorld Magazine and Enterprise Open Source Magazine. Mr. Hinkle is also the author of the book Windows to Linux Business Desktop Migration (Thomson, 2006). He is a contributor to NetworkWorld's Open Source Subnet, and his personal blog on open source, technology, and new media can be found at www.socialized-software.com. You can follow him on Twitter @mrhinkle.

Abstract: Very few trends in IT have generated as much buzz as cloud computing. This talk will cut through the hype and quickly clarify the ontology for cloud computing. The bulk of the conversation will focus on the open source software that can be used to build compute clouds (infrastructure-as-a-service) and the complementary open source management tools (including those for security) that can be combined to automate the management of cloud computing environments. The discussion will appeal to anyone who has a good grasp of traditional data center infrastructure but is struggling with the benefits and migration path to a cloud computing environment. By understanding the architecture of a cloud compute environment, users will be able to apply their existing security knowledge to the management of a cloud compute environment. Systems administrators and IT generalists will leave the discussion with a general overview of the options at their disposal to effectively build and manage their own cloud computing environments using free and open source software.
STRATEGY & ARCHITECTURE

1:30 (C) Information Security Doesn't Just "Happen"!
Jim Murphy, OMMISS

James Murphy, CISSP, ISSMP, GSEC, CISA, CISM, NC DHHS, Office of MMIS Services. Jim is the Information Security Architect for OMMISS with 30+ years of experience, predominantly in healthcare IT. He plans and designs enterprise-wide information security for major development projects, including the claims processing system for Medicaid and related plans, and the State Health Information Network. For the projects, he documents information security and technical architecture requirements and reviews security throughout project design and development: regulatory compliance, access control, data and network protection, business continuity, operational security, process documentation and project audit. Jim has written, taught and spoken on information security management, service continuity, security auditing and security certification training to diverse audiences.

Abstract: The pressure is on: security breaches now cost penalties and lawsuits. Information architectures are becoming more complex as they adjust to rapid changes in software and hardware. Privacy professionals are clamoring for eliminating the misuse of protected information. State Attorneys General have been authorized to get in on the act. But, as InfoSec professionals understand, security just does not happen with the latest policy, technical tool, or extra door lock. Information security managers must take the initiative to coordinate with all levels of the organization to ensure that business objectives drive the definitions and characterization of protected data, that unit leaders understand the responsibilities of the hallway workforce, and that technical support staff understand the limits of device-only solutions. InfoSec planning requires tactical and strategic components, and in a sense, never stops. InfoSec professionals must be able to communicate the planning with all levels of the organization in a way that facilitates the collaborative efforts and diminishes the internal barriers. In this presentation, I offer some practical suggestions for getting InfoSec planning into action.

2:30 (C) Anatomy of an Attack
Jonathan Norman, Alert Logic; Co-Author Michele Hujber

Jonathan Norman joined Alert Logic in 2002 and has held numerous security and operational roles throughout his tenure at Alert Logic. Today, as the Director of Security Research, Jonathan manages a team of security researchers and analysts responsible for monitoring the evolving security landscape for new and emerging threats. In addition, under his leadership, the Security Research team manages complex security incident response for customers and develops the advanced correlation rules that help Alert Logic solutions better detect and defend against security threats. Jonathan holds several industry certifications such as Certified Ethical Hacker, CISSP, CCSP, and other GIAC certifications.

Abstract: In 2010 the global cybercrime market increased to an estimated 7.5 billion dollars. Over the past few years, attack sophistication has increased significantly while users struggle to keep up with new attacks. We have long passed the days of bright kids causing mayhem on computer networks. Today's attackers are fast, well-funded, well organized, and business is booming. This presentation will take you into the world of cybercrime and give you an insider's look into how hackers operate and what you can do to protect your network.
APPLICATIONS & DEVELOPMENT

1:30 (D) Enabling the Business with Security Metrics
Steve McKinney, Cisco Systems

Steve has worked at Cisco Systems for the past 3 years after graduating from NC State with a Master's degree.

Abstract: Many security scanners will churn out 'advice' on the severity of vulnerabilities in your environment. Forwarding that advice to your manager will likely produce a blank stare and a report that's in the trash before you can walk out the door. So, how do you go from a scanner's advice to wisdom that drives business decisions? This talk covers what I have learned from others and developed as I started implementing security metrics for my team within Cisco. We will look specifically at metrics for web applications, but the concepts presented apply to other areas of security.

2:30 (D) Making Fat Messages Available: Binary XML Encoding
Phillip H. Griffin, Griffin Consulting

Phillip H. Griffin, CISM, brings over 15 years of experience in the information assurance and security profession. Operating as Griffin Consulting, Phil has served as a trusted security adviser, security architect, and consultant with leading corporations including Visa International, GTE, and IBM. He has acted as committee chair, editor, head of U.S. delegation, and rapporteur in the development of national and international security standards, and currently serves as an ISSA Educational Advisory Council Member and on the board of the Raleigh ISSA Chapter. His experience encompasses numerous facets of security including authentication technologies, encryption, access control, biometrics, and secure messaging schema. Mr. Griffin has eight patents pending in the area of security, and he has been a speaker at leading security conferences and venues around the world.

Abstract: For every XML Schema (XSD) there is an analogous ASN.1 schema that can be used to generate compact, efficient binary message formats, and XML markup instance documents that are equivalent to those based on the initial XML schema. These binary formats are appropriate for use in environments constrained by mobility, limited battery life, storage size, or bandwidth (e.g., wireless communications using hand-held devices). Using a binary format for XML messages can make secure protocol messages available in environments where verbose formats prohibit application development.
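The abstract above argues that an ASN.1 schema analogous to an XSD yields a compact binary form of the same message. The following is an added illustration, not the speaker's material: a constructed Alert record encoded with the ASN.1 Distinguished Encoding Rules (DER, ITU-T X.690) by a minimal hand-written encoder and decoder, placed next to the XML form of the same record so the sizes can be compared. The hypothetical ASN.1 module (Alert ::= SEQUENCE { id INTEGER, severity INTEGER, source UTF8String, message UTF8String }), the record values and the XML layout are assumptions; the talk itself may use a different rule set such as PER, which is more compact still.

```python
"""The same message as verbose XML and as an ASN.1 DER encoding (X.690),
with a minimal encoder/decoder for SEQUENCE, INTEGER and UTF8String.
Added illustration, not the speaker's material: the Alert record, its XML
form and the hypothetical schema
    Alert ::= SEQUENCE { id INTEGER, severity INTEGER,
                         source UTF8String, message UTF8String }
are constructed for the example."""

TAG_INTEGER, TAG_UTF8STRING, TAG_SEQUENCE = 0x02, 0x0C, 0x30


def der_length(n: int) -> bytes:
    """Short form below 128; otherwise 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(n: int) -> bytes:
    """Minimal two's-complement content octets, as DER requires."""
    length = 1
    while True:
        try:
            return tlv(TAG_INTEGER, n.to_bytes(length, "big", signed=True))
        except OverflowError:
            length += 1


def der_utf8(s: str) -> bytes:
    return tlv(TAG_UTF8STRING, s.encode("utf-8"))


def der_sequence(*elements: bytes) -> bytes:
    return tlv(TAG_SEQUENCE, b"".join(elements))


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one TLV at pos; returns (tag, content, position after it).
    The bounds checks are the point: a parser that trusts the length
    octets is the classic way a binary message format goes wrong."""
    if pos + 2 > len(buf):
        raise ValueError("truncated tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):      # indefinite form is not DER
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def decode(buf: bytes):
    """Decode INTEGER -> int, UTF8String -> str, SEQUENCE -> list."""
    tag, content, _ = read_tlv(buf)
    if tag == TAG_INTEGER:
        return int.from_bytes(content, "big", signed=True)
    if tag == TAG_UTF8STRING:
        return content.decode("utf-8")
    if tag == TAG_SEQUENCE:
        items, pos = [], 0
        while pos < len(content):
            _, _, nxt = read_tlv(content, pos)
            items.append(decode(content[pos:nxt]))
            pos = nxt
        return items
    raise ValueError(f"unsupported tag 0x{tag:02x}")


ALERT = {"id": 1024, "severity": 3, "source": "sensor-17",
         "message": "disk quota exceeded"}          # constructed sample record


def encode_alert(a: dict) -> bytes:
    return der_sequence(der_integer(a["id"]), der_integer(a["severity"]),
                        der_utf8(a["source"]), der_utf8(a["message"]))


def decode_alert(buf: bytes) -> dict:
    ident, severity, source, message = decode(buf)
    return {"id": ident, "severity": severity, "source": source, "message": message}


def xml_alert(a: dict) -> str:
    """XML instance of the same record (no escaping; sample values are plain text)."""
    return (f"<Alert><id>{a['id']}</id><severity>{a['severity']}</severity>"
            f"<source>{a['source']}</source><message>{a['message']}</message></Alert>")


def sizes(a: dict) -> tuple:
    """(XML bytes, DER bytes) for the same record."""
    return len(xml_alert(a).encode("utf-8")), len(encode_alert(a))


if __name__ == "__main__":
    der = encode_alert(ALERT)
    print(der.hex())
    print("xml=%d bytes, der=%d bytes" % sizes(ALERT))
    assert decode_alert(der) == ALERT
```

For this record the DER form is 41 bytes against well over 100 for the XML, with no field names on the wire because the schema, not the message, carries them. That is also why the decoder must be strict: with nothing self-describing in the bytes, a forged length octet is the only thing between the parser and memory it should not read.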
DIAMOND SPONSOR SESSION (Keynote Hall)

1:30 IMATION
Key Trends in Removable Device Security
David Duncan, Business Development Director

David Duncan is director of ENCRYPTX at Imation, a team of research and development experts focused on advances in data security that protect, encrypt, control, and manage "data at rest." Duncan founded ENCRYPTX, which was acquired by Imation from BeCompliant Corp. in March 2011.

Prior to founding ENCRYPTX, Duncan was senior vice president of Tactical Marketing Ventures, a marketing accelerator company for more than 100 technology startups. He also served as vice president of sales and marketing for RL Polk, a consumer marketing information company that was sold to Equifax Corporation.

Previously, Duncan served in marketing and engineering leadership positions with Storage Technology Corporation, Martin Marietta and SRA Corporation. He worked for the National Security Agency as a cryptologist for a number of years and designed and built trusted computer systems for highly classified government programs.

Duncan has a Bachelor of Science in international affairs from the University of Maryland, a Master of Science in computer science from Regis University, a Master of Business Administration (MBA) from the University of Colorado, and a degree in Chinese Mandarin Linguistics from the Defense Language Institute, Presidio of Monterey, California.

Abstract: David Duncan, Managing Director of the ENCRYPTX Security Products Group of Imation Enterprises, will present key trends in the field of removable storage device security. The presentation will cover: current risk/data loss trends from the latest industry studies, new and emerging threats, regulatory requirements affecting compliance, vendor initiatives to mitigate these risks including hardware, software and operating system developments that improve removable device security, and an evaluation framework for assessing gaps in your organization.
LIGHTNING TALKS

2:30 (Keynote Hall) The IT Blind Side
Dwayne Melançon, Tripwire

Dwayne Melançon joined Tripwire in 2000 and serves as Vice President of the company's Log Management business. In previous positions at the company, Dwayne has served as vice president of Business Development, Professional Services and Support, Information Systems, and Marketing.

Prior to joining Tripwire, Dwayne was Vice President of Operations for DirectWeb, Inc., where he was responsible for product management, logistics, electronic supplier integration, customer support, information systems, infrastructure development, and other business operations. Before DirectWeb, he ran Pan-European Support for Symantec Corporation, managed call-center operations for several of Symantec's leading product lines, and spearheaded the development of productivity tools and processes. In other positions, Dwayne was responsible for Symantec's global Web presence, program management for the company's encryption products, and functional integration for mergers and acquisitions. Prior to joining Symantec, Dwayne spent eight years at Fifth Generation Systems, Inc., where he created an award-winning global support organization, was a software developer, and directed the company's software and hardware Quality Assurance teams.

Dwayne is certified on both IT management and audit processes, holding both ITIL and CISA certifications.

Prior Speaking Experience:
• eFinance World Conference
• Frequent speaker at national and regional itSMF, ISACA, ISSA, and IIA events

2:45 (Keynote Hall) Are you using UDP for reliable transmission?
Shahab Nayyer, Wells Fargo

Shahab Nayyer is a Senior IT Audit Lead with Wells Fargo & Company in Charlotte, North Carolina, USA. He holds dual master's degrees in Finance and Industrial Engineering with a specialization in IT. Shahab has more than seven years of experience in IT audit and security and is a CISA and CIA. Shahab is also the President of the ISACA Charlotte Chapter.

Abstract: UDP (User Datagram Protocol) is a widely used protocol for networking and data transmission. It is used in real-time applications, DNS request/reply messages, IP telephony, SNMP, multimedia streaming, etc. Due to its nature as a connectionless protocol it is considered very efficient for short messaging with low bandwidth usage. Those are the good things about UDP, but UDP is also an unreliable protocol which does not guarantee data transfer. With that in mind, do we know everywhere we are using UDP? Are we using UDP where reliable transmission is needed? Have we evaluated the risk of data loss, and can we live with it?

3:00 (Keynote Hall) Finding Flags During a Lightning Storm
Steve McKinney, Cisco

Steve McKinney has been with Cisco for three years after completing his Master's degree at NC State. He was the primary developer for the Capture the Flag contest at the conference this year.

Abstract: This presentation will be an overview of the Capture the Flag contest held at the conference. If you tried the contest and didn't complete it, or wanted to but didn't have time, drop by; this session is for you.
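Shahab Nayyer's lightning talk above asks whether UDP is being used where reliable delivery is needed. As an added illustration (not the speaker's material), the following Python simulates a lossy datagram path and contrasts fire-and-forget sends, which is what UDP gives an application, with a minimal stop-and-wait layer built on top of the same path: sequence numbers, acknowledgements, retransmission when no ACK arrives, and duplicate suppression at the receiver, which is needed because it may be the ACK rather than the data that was lost. The loss rate, the random seed and the 50 constructed "audit-event" messages are assumptions for the demonstration.

```python
"""What 'unreliable' costs when a UDP path carries data you cannot afford to
lose, and what it takes to add reliability above UDP.  A deterministic lossy
datagram channel stands in for the network; the loss rate, seed and message
set are constructed for the illustration.  Added example, not the speaker's
material."""
import random


class LossyChannel:
    """Delivers each datagram with probability (1 - loss); otherwise it is
    silently dropped, exactly as an IP network drops a UDP datagram."""

    def __init__(self, loss: float, seed: int = 2011):
        self.loss = loss
        self.rng = random.Random(seed)
        self.datagrams_sent = 0

    def send(self, datagram, deliver):
        """Hand datagram to deliver() or drop it; returns deliver()'s result or None."""
        self.datagrams_sent += 1
        if self.rng.random() < self.loss:
            return None
        return deliver(datagram)


def fire_and_forget(messages, channel):
    """Plain UDP semantics: the sender never learns what was dropped."""
    received = []
    for payload in messages:
        channel.send(payload, received.append)
    return received


def stop_and_wait(messages, channel, max_retries=16):
    """Minimal application-layer reliability over the same channel:
    sequence numbers, acknowledgements, retransmission on a missing ACK and
    duplicate suppression at the receiver (an ACK, not the data, may be
    what was lost, so the receiver will see retransmitted duplicates)."""
    received = []
    expected = 0          # receiver state: next sequence number wanted

    def receiver(datagram):
        nonlocal expected
        seq, payload = datagram
        if seq == expected:
            received.append(payload)
            expected += 1
        # seq < expected is a retransmitted duplicate: discard it but ACK again
        return seq

    retransmissions = 0
    for seq, payload in enumerate(messages):
        for _attempt in range(max_retries + 1):
            ack = channel.send((seq, payload), receiver)
            if ack is not None:
                ack = channel.send(ack, lambda a: a)   # the ACK crosses the lossy channel too
            if ack == seq:
                break
            retransmissions += 1
        else:
            raise TimeoutError(f"seq {seq} unacknowledged after {max_retries} retries")
    return received, retransmissions


MESSAGES = [f"audit-event-{i:02d}" for i in range(50)]     # constructed sample data


def compare(loss=0.25):
    """Run both strategies over channels with identical loss behaviour."""
    plain_channel = LossyChannel(loss)
    plain = fire_and_forget(MESSAGES, plain_channel)
    reliable_channel = LossyChannel(loss)
    reliable, retries = stop_and_wait(MESSAGES, reliable_channel)
    return {"messages": len(MESSAGES),
            "udp_delivered": len(plain),
            "udp_datagrams": plain_channel.datagrams_sent,
            "reliable_delivered": len(reliable),
            "reliable_in_order": reliable == MESSAGES,
            "reliable_datagrams": reliable_channel.datagrams_sent,
            "retransmissions": retries}


if __name__ == "__main__":
    print(compare())
```

Run it and the plain path loses a share of the messages without the sender ever knowing, while the stop-and-wait path delivers all 50 in order at the price of extra datagrams and a retry budget that can still be exhausted. That overhead is the honest answer to "can we live with it": either the application pays for reliability above UDP, or a reliable transport is used, or the loss is accepted knowingly and recorded as such.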
KEYNOTE SPEAKER

3:30 Lenny Zeltser
Security Practice Director, Savvis; Senior Faculty Member, SANS Institute

Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on designing and operating security programs for cloud-based IT infrastructure. Lenny's other area of specialization is malicious software; he teaches how to analyze and combat malware for the SANS Institute. He is also a member of the board of directors for the SANS Technology Institute and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books.

Lenny is one of the few individuals in the world who have earned the highly regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. Lenny writes at blog.zeltser.com and twitter.com/lennyzeltser. More details about his projects are available at http://www.zeltser.com.

Lenny says that some of his "books are gradually becoming outdated" but that all of them are listed here. Lenny notes that the "most recent and current volume is CyberForensics. It's a good text."

Keynote Topic: Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses

Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses. Lenny Zeltser will review how attackers have bypassed technological controls by making use of social engineering techniques such as:

Starting attacks in the physical world, rather than the virtual Internet: We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet. The talk presents several examples of such scenarios.

Targeting attacks through the use of spear phishing and social networks: The talk will explore how attackers may profile victims to include the person- or company-specific social engineering elements in an intrusion campaign.
CONFERENCE COMMITTEE

This Conference is only made possible by the incredible efforts of the committee. On behalf of the chapter, sponsors, speakers, and attendees, thank you!

President: Brad Hoelscher
Vice President: Robert Martin
Conference Director: Liyun Yu
Conference Program Director: Mark Whitteker
Conference Deputy Director: Ramsey Hajj
Treasurer: Mark Fontes
Communication: Peter Hewitt
Operations Director: Robert Pitney
Sponsor Development: Robert Martin
Website Developer: Phillip Griffin
Production Support: Steve Toy
Conference Support: Chip Futrel
Program Designer: Rachel Schaub

Sponsor Development Team: Frank Chavarria, Sarah Miller

Operations/AV Team: Dave Balint, Rob Breault, Robert Brown, Matt Bryson, Frank Chavarria, Marie Cross, Randall Hompesch, Eric Hoth, Wenjian Huany, Charles Hudock, Valdez Ladd, Steve McGehee, Glenn Morgan, David Parker, Michael Rains, Nancy Schipon, Andrew Senko, Daniel White, Lorie Wilsher, Rich Woynicz

Applications & Development: Aby Rao, Chair; Lisa Lorenzin
Cloud & Virtualization: Nathan Kim, Chair; Eric Olson
Data & Endpoint: Andre Henry, Chair
Governance, Risk & Compliance: Keith Mattox, Chair; Janet Dagys
Pen Testing / System & Network Auditing: Artem Kazantsev, Chair
Physical Security: Glenn Morgan, Chair
Professional Development: Holli Harrison, Chair; Valdez Ladd
Strategy & Architecture: Jim Murphy, Chair
Capture the Flag: Steve McKinney, Chair
Lockpick Village: Jennifer Jabbusch, Chair; Jon Welborn
Lightning Talks: Dyana Pearson, Chair
SPONSORS

The Raleigh ISSA Chapter thanks all of our conference sponsors for their support:

Diamond Sponsors: Imation, HP / Fortify Software, Oracle
Gold Sponsors: Alert Logic, Carolina Advanced Digital, Inc., Fishnet Security / Sourcefire, Global Knowledge, Tripwire
Silver Sponsors: Accuvant / Palo Alto, Cisco, Meru Networks, Qualys, SAS, Tenable Security, Trustwave, Varonis
Participating Professional Organizations: ASIS, Cyber Patriot, InfraGard, ISAAC, ISACA, ISSA Raleigh Chapter, NCMS, NCSU/CTU, ThinkPink ZTA
Breakfast, Lunch, and Break Sponsor: Barbeque Lodge
Tote Sponsor: Lord Corp.
Anggota kelompokAnggota kelompok
Anggota kelompok
 
Marc hoit University Campus - Microcosm of the future
Marc hoit   University Campus - Microcosm of the futureMarc hoit   University Campus - Microcosm of the future
Marc hoit University Campus - Microcosm of the future
 
Janet M. Russeau's Presentation for EDIM 510
Janet M. Russeau's Presentation for EDIM 510Janet M. Russeau's Presentation for EDIM 510
Janet M. Russeau's Presentation for EDIM 510
 
Animales
AnimalesAnimales
Animales
 
Mobile Apps from TYPO3
Mobile Apps from TYPO3Mobile Apps from TYPO3
Mobile Apps from TYPO3
 
Women’s art
Women’s artWomen’s art
Women’s art
 
Marketing Strategy in Periods of Economic Crisis
Marketing Strategy in Periods of Economic CrisisMarketing Strategy in Periods of Economic Crisis
Marketing Strategy in Periods of Economic Crisis
 
Health, stress, and coping
Health, stress, and coping Health, stress, and coping
Health, stress, and coping
 

Similaire à Triangle InfoSecon Conference program 2011

Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Dale Butler
 
[CLASS 2014] Palestra Técnica - Diego Bernal
[CLASS 2014] Palestra Técnica - Diego Bernal[CLASS 2014] Palestra Técnica - Diego Bernal
[CLASS 2014] Palestra Técnica - Diego BernalTI Safe
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Kyle Lai
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04Kyle Lai
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...cVidya Networks
 
MISA Ontario Cloud SIG - Waterloo program_apr1112
MISA Ontario Cloud SIG - Waterloo program_apr1112MISA Ontario Cloud SIG - Waterloo program_apr1112
MISA Ontario Cloud SIG - Waterloo program_apr1112MISA Ontario Cloud SIG
 
The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Cyber Security for the Military and Defence Sector 2013
Cyber Security for the Military and Defence Sector 2013Cyber Security for the Military and Defence Sector 2013
Cyber Security for the Military and Defence Sector 2013Dale Butler
 
Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1CloudExpoEurope
 
RISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL ScheduleRISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL ScheduleShota Shinogi
 
F-Secure Security Threat Report, H1 2012
F-Secure Security Threat Report, H1 2012F-Secure Security Threat Report, H1 2012
F-Secure Security Threat Report, H1 2012F-Secure Corporation
 
Big data, security, and the cloud
Big data, security, and the cloudBig data, security, and the cloud
Big data, security, and the cloudPano Xinos
 

Similaire à Triangle InfoSecon Conference program 2011 (17)

Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012
 
[CLASS 2014] Palestra Técnica - Diego Bernal
[CLASS 2014] Palestra Técnica - Diego Bernal[CLASS 2014] Palestra Técnica - Diego Bernal
[CLASS 2014] Palestra Técnica - Diego Bernal
 
Maximizing Security Training ROI
Maximizing Security Training ROIMaximizing Security Training ROI
Maximizing Security Training ROI
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
 
MISA Ontario Cloud SIG - Waterloo program_apr1112
MISA Ontario Cloud SIG - Waterloo program_apr1112MISA Ontario Cloud SIG - Waterloo program_apr1112
MISA Ontario Cloud SIG - Waterloo program_apr1112
 
The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Cyber Security for the Military and Defence Sector 2013
Cyber Security for the Military and Defence Sector 2013Cyber Security for the Military and Defence Sector 2013
Cyber Security for the Military and Defence Sector 2013
 
Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1
 
Workshop presentation Kielce Technology Park 9 Nov 2011
Workshop presentation Kielce Technology Park 9 Nov 2011Workshop presentation Kielce Technology Park 9 Nov 2011
Workshop presentation Kielce Technology Park 9 Nov 2011
 
RISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL ScheduleRISEconf 2015 UNOFFICIAL Schedule
RISEconf 2015 UNOFFICIAL Schedule
 
Bmit meet theexperts_2013
Bmit meet theexperts_2013Bmit meet theexperts_2013
Bmit meet theexperts_2013
 
F-Secure Security Threat Report, H1 2012
F-Secure Security Threat Report, H1 2012F-Secure Security Threat Report, H1 2012
F-Secure Security Threat Report, H1 2012
 
vFS3 - Detailed Agenda
vFS3 - Detailed AgendavFS3 - Detailed Agenda
vFS3 - Detailed Agenda
 
Wax Switch
Wax SwitchWax Switch
Wax Switch
 
Big data, security, and the cloud
Big data, security, and the cloudBig data, security, and the cloud
Big data, security, and the cloud
 

Dernier

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Dernier (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

Triangle InfoSecon Conference program 2011

  • 1. OCTOBER 20, 2011 – Conference Schedule

Rooms: Speaker Room A, Speaker Room B, Speaker Room C, Speaker Room D, Keynote Hall, Lunch Room (all day: Capture the Flag, Lockpick Village, Lockpick Challenge)

7:00  Registration, Exhibition, and Breakfast Buffet
8:30  Keynote Speaker: Marc Hoit – University Campus: A Microcosm of the Future
9:20  Exhibition
9:30  Keynote Speaker: Tom Limoncelli – You Suck At Time Management (but it ain't your fault!)
10:20 Exhibition and Tom Limoncelli Book Signing

Morning tracks: Room A – Governance, Risk & Compliance; Room B – Professional Development; Room C – Data and Endpoint Security; Room D – Physical Security; Keynote Hall – Diamond Sponsor Sessions

10:30 (A) Srini Kolathur – How to Secure DB Infra Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment; (B) Beth Wood – Leading By Example / Building Effective Teams; (C) Ron Stamboly – Authentication of Personal Mobile Devices; (D) Jon Welborn – Introduction to Lockpicking; (Keynote Hall) Diamond Sponsor Session
11:20 Exhibition
11:30 (A) Sandy Bacik – Building a Lasting IT GRC Policy Architecture; (B) Garion Bunn – Winning in Business and Life; (C) Michael Sutton – Corporate Espionage for Dummies; (D) Jon Welborn – High Security Locks; (Keynote Hall) Hans Enders – Reinventing Dynamic Testing: Real-Time Hybrid
12:15 Lunch Buffet and Exhibition

Afternoon tracks: Room A – Penetration Testing / SNA; Room B – Cloud and Virtual Security; Room C – Security Strategy and Architecture; Room D – Applications and Development; Keynote Hall – Diamond Sponsor Sessions

1:30  Ryan Linn – Progression of a Hack; Ron Stamboly – Managing Risk, Liability and Compliance in the Cloud; Jim Murphy – Information Security Doesn't Just "Happen"!; Key Trends in Removable Device Security and Enabling the Business with Security Metrics (Steve McKinney, David Duncan)
2:15  Exhibition and Ryan Linn Book Signing
2:30  Jonathan Norman – Anatomy of an Attack; Phillip Griffin – Making Fat Messages Available: Binary XML Encoding; Matt Cooley – Web Application Vulnerabilities; Mark Hinkle – Crash Course on Open Source Cloud Computing; Dwayne Melançon – Social Engineering; also listed in this slot: Shahab Nayyer, Steve McKinney
3:30  Keynote Speaker: Lenny Zeltser – Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
4:20  Exhibition
4:30  Announce Winners of Lockpick Challenge and Capture the Flag (Keynote Hall)
5:00  Chapter and Sponsor Giveaways, must be present to win (Keynote Hall)
  • 3. TRIANGLE INFOSECON • OCTOBER 20, 2011

WELCOME

The Raleigh ISSA Chapter welcomes you to the seventh annual Triangle InfoSeCon. We are very pleased you joined us today. Our conference goal: offer you a convenient way to learn more about the state of Information Systems Security (ISS) today, right here in central North Carolina. Our selected speakers offer you a balanced and broad program. The Raleigh ISSA Chapter especially thanks all the speakers and our conference sponsors, without whom this event would not be possible. Please visit our sponsors in the exhibit area to learn about the latest in ISS products and services. Enjoy the conference. Please fill out the feedback forms. Your response is important. We strive to improve each year.

[Figure: McKimmon Center InfoSecon Conference Layout (not to scale)]
  • 4. ABOUT THE ISSA

This conference is brought to you by the Raleigh Chapter of the Information Systems Security Association. The ISSA is an international professional organization aimed at providing educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. The Raleigh Chapter became an official ISSA chapter in February 2003. We meet on the first Thursday of every month at the McKimmon Center on the campus of NC State University. You can find out more about the chapter at http://raleigh.issa.org. If you would like to get on our announcements email list, please send an email to board@raleigh.issa.org.

New This Year!

Lockpick Village: Stop by the Lockpick Village and try your hand at picking various locks, from handcuffs to padlocks, door locks and more. Sponsored by the FALE Association of Locksport Enthusiasts (FALE), there will be games, demonstrations, and hands-on workshops for attendees to learn, play and share their experiences. Lockpick sets will be available for purchase for $20.

Capture the Flag: Think you have 1337 skilz? Stop by the Capture the Flag event and prove it! Pit your hacking skills against the server, collecting as many flags as you can. Each participant will be scored based on the number of flags captured within the time limit. The winner will be announced at the end of the conference.

Don't forget to turn in your feedback forms! Conference drawings are made from completed, returned conference feedback forms; to be eligible, a form needs at least 12 sponsor "stamps" and your legible name. Sponsor door prizes and giveaways are drawn directly from attendees' collected business cards. All drawings are at 5:00 pm and you must be present to win.
  • 5. KEYNOTE SPEAKERS

8:30 Marc Hoit
Vice Chancellor for IT and CIO, North Carolina State University

Marc Hoit is the Vice Chancellor for Information Technology and the Chief Information Officer (CIO) for North Carolina State University (NCSU) in Raleigh, North Carolina. He began his role as the Vice Chancellor for Information Technology in September 2008. Since arriving, he has worked to develop an IT Governance Structure and Strategic Operating Plan and launched a number of key foundational projects that will improve the efficiency and effectiveness of IT on campus. He previously held numerous administrative positions at the University of Florida including Interim CIO, Director of Student PeopleSoft Implementation, the Associate Dean for Academic Affairs Administration and the Associate Dean for Research in the College of Engineering. He is a Professor in the Civil, Construction and Environmental Engineering Department. He received his B.S. from Purdue University and his M.S. and Ph.D. from University of California, Berkeley. Dr. Hoit is the Co-Principal Investigator, along with Chapel Hill and SAS, for the North Carolina Bio-Preparedness Collaborative (NCB-Prepared) Grant from the Department of Homeland Security (DHS) and the development of DIGGS, an international XML schema for transferring transportation information. His structural engineering research involves the computer program FB-MultiPier, which analyzes bridge pier, superstructure and pile foundations subjected to dynamic loading.

Keynote Topic: University Campus: A Microcosm of the Future
Dr. Hoit will present how a university campus is a petri dish for innovation, future trends and disruption for IT and how it affects services, purchasing and planning.

9:30 Tom Limoncelli
Time Management Guru, Author, Blogger, and System Administrator

Tom is an internationally recognized author, speaker, and system administrator. His books include The Practice of System and Network Administration (Addison-Wesley) and Time Management for System Administrators (O'Reilly). He received the SAGE 2005 Outstanding Achievement Award. He works in NYC and blogs at TomOnTime and EverythingSysadmin.com.

Keynote Topic: You Suck At Time Management (but it ain't your fault!)
So much to do! So little time! Security people are pulled in so many directions it is impressive anything gets done at all. The bad news is that if you work in security then good time management is basically impossible. The good news is that it isn't your fault. Tom will explore many of the causes and will offer solutions based on his book, "Time Management for System Administrators" (now translated into 5 languages).
  • 6. GOVERNANCE, RISK, & COMPLIANCE

10:30 (A) How to Secure Database Infrastructure Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
Srini Kolathur, Vinay Bansal, & Jim Tarantinos

Srini Kolathur, CISSP, CISA, CISM, MBA is a result-driven IT project manager with Cisco Systems. Srini has several years of experience in helping companies effectively comply with regulatory compliance requirements including SOX, PCI, HIPAA, etc. Srini believes in and advocates a best practices-based security and compliance program to achieve business objectives. Also, Srini maintains a free collaborative web portal for managing IT best practices and audit plans at Checklist20.com.

Abstract: IT governance and strategy are critical to an organization's success. Key to the risk assessment and audit plan process is breaking down the IT Universe into smaller, more manageable sub-components. Databases play a major role in the increasingly complex global business processes and IT universe. A best practice-based assessment to evaluate risks uses an 80-20 rule. This allows organizations to eliminate all the low-hanging fruit by leveraging expertise from around the world and helps them quickly achieve their desired business objectives at the optimum cost. We will specifically focus on how to leverage database best practices for building effective risk assessment approaches and to build audit plans to comply with different compliance programs including SOX, HIPAA, PCI-DSS and EU data privacy.

11:30 (A) Building a Lasting IT GRC Policy Architecture
Sandy Bacik

Sandy Bacik, author and former CSO, has over 15 years of direct development, implementation, and management information security experience in the areas of Audit Management, Disaster Recovery/Business Continuity, Incident Investigation, Physical Security, Privacy, Regulatory Compliance, Standard Operating Policies/Procedures, and Data Center Operations and Management, with an additional 15 years in Information Technology Operations.

Abstract: With industries moving toward a governance and risk culture, the IT and enterprise policy architecture needs to be updated to align with the enterprise goals of IT Governance. Some may discover that they have all the pieces spread throughout the current organization, but do not know how to proceed to ensure their IT and security policies and processes fit into their enterprise governance architecture.
  • 7. PROFESSIONAL DEVELOPMENT

10:30 (B) Leading By Example / Building Effective Teams
Beth Wood, North Carolina State Auditor

North Carolina State Auditor Beth A. Wood, CPA, is serving her first term as the state's elected auditor after more than a decade of service in training and research for the office. As Training Director for the Office of State Auditor, Beth developed and taught audit courses for the auditor's staff, concentrating on the areas of Single Audit, internal control and sampling. She also coordinated the State Auditor's Quality Control Review and provided research of audit and reporting issues for the audit staff. She began working with state government in 1993 with the Local Government Commission (a division of the Office of the State Treasurer). In that position, she reviewed and approved audits of local governments prepared by private CPA firms. Prior to her work with state government, Beth worked as a cost accountant for Ray-O-Vac Corporation for three years. She also supervised audits of local governments and not-for-profit organizations for McGladrey and Pullen CPAs, a national CPA firm. Beth left the Office of the State Auditor in 2007 as she began her campaign to become the first woman elected to the post. While seeking office, she also taught a variety of courses for the American Institute of Certified Public Accountants (AICPA) and worked in the institute's Professional Ethics Division investigating alleged substandard audits around the country.

Abstract: Moving from a purely technical role to management is very challenging for most IT people. Most people do not like giving up the hands-on technical work, and they also tend to be more independent. This discussion will deal with particular challenges faced when moving into a managerial role and will answer questions such as: How can leaders learn to assess the strengths of their team members and use them to get the team working as one unit rather than a bunch of lone rangers? How can they deal with jealousy and backstabbing from those not promoted? How can they anticipate senior management's and the organization's needs and ensure the team is truly fulfilling the mission?

11:30 (B) Winning in Business and Life
Garion Bunn

Garion Bunn is an award-winning speaker and workshop facilitator who is a self-driven, results-oriented cultivator of human potential. His purpose is to inspire, educate and empower people and organizations around the globe. His success strategy is to continually seek new ways to add value through seminars and workshops that are leadership centric. Garion is an empathic communicator and listener. Garion believes that effective leadership skills are the most powerful tools in the current-day workplace and marketplace. Leadership excellence is the fast track up the corporate ladder. Garion helps professionals who want the zest, energy and power to deliver with passion and purpose.

Abstract: Are you ready for the competition? This keynote focuses on stirring your enthusiasm and sense of purpose in daily life. An excited, focused individual is ready to take on the challenges and triumph in today's fast-paced market. Develop knowledge and skills that will significantly increase your personal effectiveness and ability to successfully interact with and lead others. This session covers many diverse and critically important business, interpersonal, and leadership topics.
TRIANGLE INFOSECON • OCTOBER 20, 2011

DATA AND ENDPOINT SECURITY

10:30 (C) Authentication of Personal Mobile Devices as Part of an Overall Enterprise Authentication Strategy
Ron Stamboly, SafeNet; Co-author Maureen Kolb

Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and Cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.

Abstract: IT departments are facing challenges from many users wanting to use their mobile device to access sensitive corporate information. Clearly, the risk posed by these scenarios is great. The key issue confronting security staff is management: ensuring only trusted devices can access corporate resources, contending with lost devices, managing security policies, and enabling and monitoring access. Finally, IT organizations need to establish visibility and control over what assets can be accessed by and saved onto those devices. This presentation will discuss implementing unified authentication schemes, security policies and credentials for employee-owned end point devices, helping organizations to enable their workforce while reducing IT management and administration resources, as well as show how organizations can centrally and consistently manage all authentication requirements for local networks, VPNs, SaaS applications, and virtualized environments.

11:30 (C) Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
Michael Sutton

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers, and educating others on a variety of security topics. As Vice President of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry. Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing, and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles, and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

Abstract: Today, everything from television sets to photocopiers has an IP address and an embedded web server (EWS) for device administration. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. Leveraging the power of cloud-based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'wifi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target rich environment for years to come.
PHYSICAL SECURITY

10:30 (D) Introduction to Lockpicking
Jon Welborn

Jon Welborn is a penetration tester and a co-founder of the FALE Association of Locksport Enthusiasts. FALE came together around a shared general curiosity and persuasion of the public's "right to know". FALE meets regularly in the Winston-Salem, NC area and hosts lockpicking villages at various security conferences around the country. http://lockfale.com

Abstract: You've locks on your network closet and secure document bin. Great. What if I can open them in 30 seconds or less? Learn the basics about how a lock works and how to compromise commonly used locks. This information isn't complicated in the least, but in this talk we set out to remove the often practiced "security by obscurity" approach to physical security.

11:30 (D) High Security Locks
Jon Welborn

Abstract: Great locks are not difficult to come by. This talk will discuss various components of a quality lock as well as several manufacturers of high-caliber locks. We will discuss specific makes and models of locks that may be beneficial in your environments. If nothing else, this talk will open the door to the idea that you shouldn't have to lean on your local hardware store to meet your physical security needs.
DIAMOND SPONSOR SESSION (Keynote Hall)

10:30 Oracle Presentation

Mark your calendars for the Eighth Annual Triangle InfoSeCon, to be held on Thursday, October 18, 2012 at the McKimmon Center. Keynote speakers: Chris Nickerson, Lead Security Consultant for Lares Consulting, and Stan Waddell, Executive Director and Information Security Officer, University of North Carolina (UNC) Information Technology Services (ITS).
DIAMOND SPONSOR SESSION (Keynote Hall)

11:30 HP / Fortify: Reinventing Dynamic Testing: Real-Time Hybrid
Hans Enders, HP Fortify

Hans Enders is a Sr. Solutions Architect for HP Fortify. In his current role, Hans is responsible for demonstrating web application security software and providing solutions to prospective clients for HP Software's Application Security Center. He has more than 14 years of experience in network administration and security, with the most recent 7 years focusing on web application security testing and software support. Hans acquired the CISSP in 2004 and most recently completed the CISM certification in 2011. Hans is an active member of ISSA, ISACA, OWASP, and a past member of InfraGard of Georgia. Hans has a Bachelor of Science degree in Industrial & Systems Engineering from North Carolina State University and is moderately fluent in Spanish. Outside of his professional career, Hans also enjoys participating with CERT (Community Emergency Response Team) and being a Cub Scout leader.

Abstract: Over the years, two key techniques have emerged as the most effective for finding security vulnerabilities in software: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). While DAST and SAST each possess unique strengths, the "Holy Grail" of security testing is thought to be "hybrid" -- a technique that combines and correlates the results from both testing methods, maximizing the advantages of each. Until recently, however, a critical element has been missing from first generation hybrid solutions: information about the inner workings and behavior of applications undergoing DAST and SAST analysis. This presentation will introduce you to the next generation of hybrid security analysis — what it is, how it works, and the benefits it offers. It will also address (and dispel) the claims against hybrid, and leave participants with a clear understanding of how the new generation of hybrid will enable organizations to resolve their most critical software security issues faster and more cost-effectively than any other available analysis technology.
PENETRATION TEST / SNA

1:30 (A) Progression of a Hack
Ryan Linn, Trustwave's SpiderLabs

Ryan Linn is a Senior Security Consultant with Trustwave's SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Dradis and the Browser Exploitation Framework (BeEF).

Abstract: So you have a firewall, AV, IDS, patch management and more. Nobody is getting in. Somehow Fake-AV and malware still rear their ugly heads from time to time, but things feel pretty safe. Others in this same situation are still making the news. This talk will look at how a single foothold can lead to the opening story on the evening news. We will look at how a motivated attacker can compromise a patched Windows box, escalate privileges on a domain, and get to the data. As each demonstration shows the techniques, we'll talk about mitigation strategies and what steps you can take to avoid being a headline.

2:30 (A) Web Application Social Engineering Vulnerabilities
Matt Cooley, Symantec

Matt Cooley is an accomplished information security practitioner working in IT across multiple industries for almost 20 years with over a decade of primary focus on security. At Symantec, Matt has been involved with security assessments in the financial sector, government, commercial business, higher education, and major ISPs. His primary area of expertise is in web application and product penetration testing.

Abstract: In this presentation, we plan to demonstrate web application vulnerabilities which could be leveraged to attack end-users of applications. In particular, cross-site scripting will be used to attack mobile device users. Social Engineering Toolkit will be demonstrated to compromise systems of fully-patched and protected users. Common tricks such as URL obfuscation, URL redirection, and domain-name manipulation will be used to successfully coerce victims into performing tasks from which an attacker would benefit.
CLOUD / VIRTUALIZATION SECURITY

1:30 (B) Managing Risk, Liability, and Compliance in the Cloud
Ron Stamboly, SafeNet; Co-author Maureen Kolb

Biography: see the 10:30 (C) Authentication of Personal Mobile Devices session under Data and Endpoint Security above.

Abstract: Cloud Computing is unquestionably the future of our IT infrastructure and business workloads. Yet the industry is reaching an impasse as organizations have already completed Proof-of-Concepts and architectural planning to the cloud. Internal Data Governance and Compliance requirements have become the barrier to more organizations moving to the cloud, and larger organizations converting small test projects to full production. The mix of confusion over ownership and liability, lack of transparency from the cloud provider, an almost complete absolution of liability in contracts, and lack of clear guidance on required controls have all contributed to this. This session will focus on peeling back some of these issues to drive some clarity and actionability. Cloud is the future, with its ease-of-use, cost-savings and transparency, but Data Governance and compliance requirements have stopped projects due to confusion on risk/liability. The presentation will focus on driving clear areas of trust, ownership, and liability; cover audit and contractual aspects of working with CSPs; identify new controls needed to move to the cloud; and will end with PCI 2.0.

2:30 (B) Crash Course on Open Source Cloud Computing
Mark Hinkle, Citrix Systems

Mark Hinkle is the Director of Cloud Computing Community at Citrix Systems Inc. He joined Citrix as a result of their July 2011 acquisition of Cloud.com. He is currently responsible for the success of the open source cloud computing platform, CloudStack. Previously he was the VP of Community at Zenoss Inc., a producer of the open source application, server, and network management software, where he grew the Zenoss Core project to over 100,000 users and 20,000 organizations on all seven continents. He also is a longtime open source expert and author having served as Editor-in-Chief for both LinuxWorld Magazine and Enterprise Open Source Magazine. Mr. Hinkle is also the author of the book, Windows to Linux Business Desktop Migration (Thomson, 2006). He is a contributor to NetworkWorld's Open Source Subnet and his personal blog on open source, technology, and new media can be found at www.socializedsoftware.com. You can follow him on twitter @mrhinkle.

Abstract: Very few trends in IT have generated as much buzz as cloud computing. This talk will cut through the hype and quickly clarify the ontology for cloud computing. The bulk of the conversation will focus on the open source software that can be used to build compute clouds (infrastructure-as-a-service) and the complementary open source management tools (including those for security) that can be combined to automate the management of cloud computing environments. The discussion will appeal to anyone who has a good grasp of traditional data center infrastructure but is struggling with the benefits and migration path to a cloud computing environment. By understanding the architecture of a cloud compute environment, users will be able to apply their existing security knowledge to the management of a cloud compute environment. Systems administrators and IT generalists will leave the discussion with a general overview of the options at their disposal to effectively build and manage their own cloud computing environments using free and open source software.
STRATEGY & ARCHITECTURE

1:30 (C) Information Security Doesn't Just "Happen"!
Jim Murphy, OMMISS; Co-Author Michele Hujber

James Murphy, CISSP, ISSMP, GSEC, CISA, CISM; NC DHHS, Office of MMIS Services. Jim is the Information Security Architect for OMMISS with 30+ years experience, predominantly in healthcare IT. He plans and designs enterprise-wide information security for major development projects, including the claims processing system for Medicaid and related plans, and the State Health Information Network. For the projects, he documents information security and technical architecture requirements and reviews security throughout project design and development: regulatory compliance, access control, data and network protection, business continuity, operational security, process documentation and project audit. Jim has written, taught and spoken on information security management, service continuity, security auditing and security certification training to diverse audiences.

Abstract: The pressure is on—security breaches now cost penalties and lawsuits. Information architectures are becoming more complex as they adjust to rapid changes in software and hardware. Privacy professionals are clamoring for eliminating the misuse of protected information. State Attorneys General have been authorized to get in on the act. But, as InfoSec professionals understand, security just does not happen with the latest policy, technical tool, or extra door lock. Information security managers must take the initiative to coordinate with all levels of the organization to ensure business objectives drive the definitions and characterization of protected data, unit leaders understand the responsibilities of the hallway work force, and technical support staff understand the limits of device-alone solutions. InfoSec planning requires tactical and strategic components, and in a sense, never stops. InfoSec professionals must be able to communicate the planning with all levels of the organization in a way that facilitates the collaborative efforts and diminishes the internal barriers. In this presentation, I offer some practical suggestions for getting InfoSec planning into action.

2:30 (C) Anatomy of an Attack
Jonathan Norman, Alert Logic

Jonathan Norman joined Alert Logic in 2002 and has held numerous security and operational roles throughout his tenure at Alert Logic. Today, as the Director of Security Research, Jonathan manages a team of security researchers and analysts responsible for monitoring the evolving security landscape for new and emerging threats. In addition, under his leadership, the Security Research team manages complex security incident response for customers and develops the advanced correlation rules that help Alert Logic solutions better detect and defend against security threats. Jonathan holds several industry certifications such as Certified Ethical Hacker, CISSP, CCSP, and other GIAC certifications.

Abstract: In 2010 the global cybercrime market increased to an estimated 7.5 Billion dollars. Over the past few years, attack sophistication has increased significantly while users struggle to keep up with new attacks. We have long passed the days of bright kids causing mayhem on computer networks. Today's attackers are fast, well-funded, well organized and business is booming. This presentation will take you into the world of cybercrime and give you an insider's look into how hackers operate and what you can do to protect your network.
APPLICATIONS & DEVELOPMENT

1:30 (D) Enabling the Business with Security Metrics
Steve McKinney, Cisco Systems

Steve has worked at Cisco Systems for the past 3 years after graduating from NC State with a Master's degree.

Abstract: Many security scanners will churn out 'advice' on the severity of vulnerabilities in your environment. Forwarding that advice to your manager will likely produce a blank stare and a report that's in the trash before you can walk out the door. So, how do you go from a scanner's advice to wisdom that drives business decisions? This talk covers what I have learned from others and developed as I started implementing security metrics for my team within Cisco. We will look specifically at metrics for web applications, but the concepts presented apply to other areas of security.

2:30 (D) Making Fat Messages Available: Binary XML Encoding
Phillip H. Griffin, Griffin Consulting

Phillip H. Griffin, CISM brings over 15 years of experience in the information assurance and security profession. Operating as Griffin Consulting, Phil has served as a trusted security adviser, security architect, and consultant with leading corporations including Visa International, GTE, and IBM. He has acted as committee chair, editor, head of U.S. delegation, and rapporteur in the development of national and international security standards, and currently serves as an ISSA Educational Advisory Council Member, and on the board of the Raleigh ISSA Chapter. His experience encompasses numerous facets of security including authentication technologies, encryption, access control, biometrics, and secure messaging schema. Mr. Griffin has eight patents pending in the area of security, and he has been a speaker at leading security conferences and venues around the world.

Abstract: For every XML Schema (XSD) there is an analogous ASN.1 schema that can be used to generate compact, efficient binary message formats, and XML markup instance documents that are equivalent to those based on the initial XML schema. These binary formats are appropriate for use in environments constrained by mobility, limited battery life, storage size, or bandwidth (e.g., wireless communications using handheld devices). Using a binary format for XML messages can make secure protocol messages available in environments where verbose formats prohibit application development.
DIAMOND SPONSOR SESSION (Keynote Hall)

1:30 Imation: Key Trends in Removable Device Security
David Duncan, Business Development Director

David Duncan is director of ENCRYPTX at Imation, a team of research and development experts focused on advances in data security that protect, encrypt, control, and manage "data at rest." Duncan founded ENCRYPTX, which was acquired by Imation from BeCompliant Corp. in March 2011. Prior to founding ENCRYPTX, Duncan was senior vice president of Tactical Marketing Ventures, a marketing accelerator company for more than 100 technology startups. He also served as vice president of sales and marketing for RL Polk, a consumer marketing information company that was sold to Equifax Corporation. Previously, Duncan served in marketing and engineering leadership positions with Storage Technology Corporation, Martin Marietta and SRA Corporation. He worked for the National Security Agency as a cryptologist for a number of years and designed and built trusted computer systems for highly classified government programs. Duncan has a Bachelor of Science in international affairs from the University of Maryland, a Master of Science in computer science from Regis University, a Master of Business Administration (MBA) from the University of Colorado, and a degree in Chinese Mandarin Linguistics from the Defense Language Institute, Presidio of Monterey, California.

Abstract: David Duncan, Managing Director of the ENCRYPTX Security Products Group of Imation Enterprises, will present key trends in the field of removable storage device security. The presentation will cover: current risk/data loss trends from the latest industry studies, new and emerging threats, regulatory requirements affecting compliance, vendor initiatives to mitigate these risks including hardware, software and operating system developments that improve removable device security, and an evaluation framework for assessing gaps in your organization.
LIGHTNING TALKS

2:30 (Keynote Hall) The IT Blind Side
Dwayne Melançon, Tripwire

Dwayne Melançon joined Tripwire in 2000 and serves as Vice President of the company's Log Management business. In previous positions at the company, Dwayne has served as vice president of Business Development, Professional Services and Support, Information Systems, and Marketing. Prior to joining Tripwire, Dwayne was Vice President of Operations for DirectWeb, Inc., where he was responsible for product management, logistics, electronic supplier integration, customer support, information systems, infrastructure development, and other business operations. Before DirectWeb, he ran Pan-European Support for Symantec Corporation, managed call center operations for several of Symantec's leading product lines, and spearheaded the development of productivity tools and processes. In other positions, Dwayne was responsible for Symantec's global Web presence, program management for the company's encryption products, and functional integration for mergers and acquisitions. Prior to joining Symantec, Dwayne spent eight years at Fifth Generation Systems, Inc. where he created an award-winning global support organization, was a software developer, and directed the company's software and hardware Quality Assurance teams. Dwayne is certified on both IT management and audit processes, holding both ITIL and CISA certifications.

Prior Speaking Experience:
• eFinance World Conference
• Frequent speaker at national and regional itSMF, ISACA, ISSA, and IIA events

2:45 (Keynote Hall) Are you using UDP for reliable transmission?
Shahab Nayyer, Wells Fargo

The author is a Senior IT Audit Lead with Wells Fargo & Company in Charlotte, North Carolina, USA. He holds dual master's degrees in Finance and Industrial Engineering with a specialization in IT. Shahab has more than seven years of experience in IT Audit and Security and is a CISA, CIA. Shahab is also the President of the ISACA Charlotte Chapter.

Abstract: UDP (User Datagram Protocol) is a widely used protocol for networking and data transmission. It is used in real time applications, DNS request reply messages, IP telephony, SNMP, multimedia streaming etc. Due to its nature of being a connectionless protocol it's considered very efficient for short messaging with low bandwidth usage. So these are all the good things with UDP, but UDP also is an unreliable protocol which does not guarantee data transfer. With that in mind, do we know where all we are using UDP? Are we using UDP where a reliable transmission is needed? Have we evaluated the risk of data loss and can we live with it?

3:00 (Keynote Hall) Finding Flags During a Lightning Storm
Steve McKinney, Cisco

Steve McKinney has been with Cisco for three years after completing his Master's degree at NC State. He was the primary developer for the Capture the Flag contest at the conference this year.

Abstract: This presentation will be an overview of the Capture the Flag contest held at the conference. If you tried the contest and didn't complete it or wanted to but didn't have time, drop by, this session is for you.
KEYNOTE SPEAKER 3:30

Lenny Zeltser
Security Practice Director, Savvis; Senior Faculty Member, SANS Institute

Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on designing and operating security programs for cloud-based IT infrastructure. Lenny's other area of specialization is malicious software; he teaches how to analyze and combat malware for the SANS Institute. He is also a member of the board of directors for the SANS Technology Institute and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who have earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania.

Lenny writes at blog.zeltser.com and twitter.com/lennyzeltser. More details about his projects are available at http://www.zeltser.com. Lenny says that some of his "books are gradually becoming outdated" but that all of them are listed here. Lenny notes that the "most recent and current volume is CyberForensics. It's a good text."

Keynote Topic: Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses

Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses.

Lenny Zeltser will review how attackers have bypassed technological controls by making use of social engineering techniques such as:

• Starting attacks in the physical world, rather than the virtual Internet: We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet. The talk presents several examples of such scenarios.

• Targeting attacks through the use of spear phishing and social networks: The talk will explore how attackers may profile victims to include the person- or company-specific social engineering elements in an intrusion campaign.
CONFERENCE COMMITTEE

This Conference is only made possible by the incredible efforts of the committee. On behalf of the chapter, sponsors, speakers, and attendees, thank you!

President: Brad Hoelscher
Vice President: Robert Martin
Conference Director: Liyun Yu
Conference Program Director: Mark Whitteker
Conference Deputy Director: Ramsey Hajj
Treasurer: Mark Fontes
Communication: Peter Hewitt
Operations Director: Robert Pitney
Sponsor Development: Robert Martin
Website Developer: Phillip Griffin
Production Support: Steve Toy
Conference Support: Chip Futrel
Program Designer: Rachel Schaub

Sponsor Development Team: Frank Chavarria, Janet Dagys, Sarah Miller

Operations/AV Team: Dave Balint, Rob Breault, Robert Brown, Matt Bryson, Frank Chavarria, Marie Cross, Randall Hompesch, Eric Hoth, Wenjian Huany, Charles Hudock, Valdez Ladd, Steve McGehee, Glann Morgan, David Parker, Michael Rains, Nancy Schipon, Andrew Senko, Daniel White, Lorie Wilsher, Rich Woynicz

Applications & Development: Aby Rao, Chair; Lisa Lorenzin
Cloud & Virtualization: Nathan Kim, Chair; Eric Olson
Data & Endpoint: Andre Henry, Chair
Governance, Risk & Compliance: Keith Mattox, Chair
Pen Testing / System & Network Auditing: Artem Kazantsev, Chair
Physical Security: Glenn Morgan, Chair
Professional Development: Holli Harrison, Chair; Valdez Ladd
Strategy & Architecture: Jim Murphy, Chair
Capture the Flag: Steve McKinney, Chair
Lockpick Village: Jennifer Jabbusch, Chair; Jon Welborn
Lightning Talks: Dyana Pearson, Chair
SPONSORS

The Raleigh ISSA Chapter thanks all of our conference sponsors for their support:

Diamond Sponsors: Imation, HP / Fortify Software, Oracle
Gold Sponsors: Alert Logic, Carolina Advanced Digital, Inc., Fishnet Security / Sourcefire, Global Knowledge, Tripwire
Silver Sponsors: Accuvant / Palo Alto, Cisco, Meru Networks, Qualys, SAS, Tenable Security, Trustwave, Varonis
Participating Professional Organizations: ASIS, Cyber Patriot, InfraGard, ISAAC, ISACA, ISSA Raleigh Chapter, NCMS, NCSU/CTU, ThinkPink ZTA
Breakfast, Lunch, and Break Sponsor: Barbeque Lodge
Tote Sponsor: Lord Corp.