Triangle InfoSecon Conference program 2011
OCTOBER 20, 2011

7:00 Registration, Exhibition, and Breakfast Buffet
8:30 Keynote Speaker: Marc Hoit – University Campus: A Microcosm of the Future (Keynote Hall)
9:20 Exhibition
9:30 Keynote Speaker: Tom Limoncelli – You Suck At Time Management (but it ain’t your fault!) (Keynote Hall)
10:20 Exhibition and Tom Limoncelli Book Signing

Morning tracks: Room A – Governance, Risk & Compliance; Room B – Professional Development; Room C – Data and Endpoint Security; Room D – Physical Security; Keynote Hall – Diamond Sponsor Sessions

10:30
  Room A: Srini Kolathur – How to Secure DB Infra Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
  Room B: Beth Wood – Leading By Example / Building Effective Teams
  Room C: Ron Stamboly – Authentication of Personal Mobile Devices
  Room D: Jon Welborn – Introduction to Lockpicking
  Keynote Hall: Oracle Presentation (Diamond Sponsor Session)
11:20 Exhibition
11:30
  Room A: Sandy Bacik – Building a Lasting IT GRC Policy Architecture
  Room B: Garion Bunn – Winning in Business and Life
  Room C: Michael Sutton – Corporate Espionage for Dummies
  Room D: Jon Welborn – High Security Locks
  Keynote Hall: Hans Enders – Reinventing Dynamic Testing: Real-Time Hybrid (Diamond Sponsor Session)
12:15 Lunch Buffet and Exhibition

Afternoon tracks: Room A – Penetration Testing / SNA; Room B – Cloud and Virtual Security; Room C – Security Strategy and Architecture; Room D – Applications and Development; Keynote Hall – Diamond Sponsor Sessions

1:30
  Room A: Ryan Linn – Progression of a Hack
  Room B: Ron Stamboly – Managing Risk, Liability and Compliance in the Cloud
  Room C: Jim Murphy – Information Security Doesn’t Just “Happen”!
  Room D: Steve McKinney – Enabling the Business with Security Metrics
  Keynote Hall: David Duncan – Key Trends in Removable Device Security (Diamond Sponsor Session)
2:15 Exhibition and Ryan Linn Book Signing
2:30
  Room A: Matt Cooley – Web Application Social Engineering Vulnerabilities
  Room B: Mark Hinkle – Crash Course on Open Source Cloud Computing
  Room C: Jonathan Norman – Anatomy of an Attack
  Room D: Phillip Griffin – Making Fat Messages Available: Binary XML Encoding
  Keynote Hall: Dwayne Melançon, Shahab Nayyer, Steve McKinney (Diamond Sponsor Session)
3:30 Keynote Speaker: Lenny Zeltser – Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses (Keynote Hall)
4:20 Exhibition
4:30 Announce Winners of Lockpick Challenge and Capture the Flag (Keynote Hall)
5:00 Chapter and Sponsor Giveaways, must be present to win (Keynote Hall)

All day in the Lunch Room: Capture the Flag, Lockpick Village, Lockpick Challenge
TRIANGLE INFOSECON • OCTOBER 20, 2011
WELCOME
The Raleigh ISSA Chapter welcomes you to the seventh annual Triangle InfoSeCon.
We are very pleased you joined us today. Our conference goal: offer you a convenient way to learn more about the state of
Information Systems Security (ISS) today, right here in central North Carolina. Our selected speakers offer you a balanced and
broad program. The Raleigh ISSA Chapter especially thanks all the speakers and our conference sponsors, without whom this
event is not possible. Please visit our sponsors in the exhibit area to learn about the latest in ISS products and services. Enjoy
the conference. Please fill out the feedback forms. Your response is important. We strive to improve each year.
McKimmon Center InfoSecon Conference Layout (not to scale)
ABOUT THE ISSA
This conference is brought to you by the Raleigh Chapter of
the Information Systems Security Association. The ISSA is an
international professional organization aimed at providing educational forums, publications and peer interaction opportunities
that enhance the knowledge, skill and professional growth of its
members. The Raleigh Chapter became an official ISSA chapter
in February 2003. We meet on the first Thursday of every month
at the McKimmon Center on the campus of NC State University.
You can find out more about the chapter at http://raleigh.issa.org.
If you would like to get on our announcements email list, please
send an email to board@raleigh.issa.org.
New This Year!
Lockpick Village: Stop by the Lockpick Village and try your hand at picking various locks,
from handcuffs to padlocks, door locks and more. Sponsored by the FALE Association of Locksport
Enthusiasts (FALE), there will be games, demonstrations, and hands-on workshops for attendees to
learn, play and share their experiences. Lockpick sets will be available for purchase for $20.
Capture the Flag: Think you have 1337 skilz? Stop by the Capture the Flag event and prove it!
Pit your hacking skills against the server, collecting as many flags as you can. Each participant will
be scored based on the number of flags captured within the time limit. The winner will be
announced at the end of the conference.
Don’t forget to turn in your feedback forms!
Conference drawings are made from completed, returned conference feedback forms and require at
least 12 sponsor “stamps” and your legible name to be eligible. Sponsor door prizes and giveaways
are drawn directly from attendees' collected business cards. All drawings are at 5:00 pm and you
must be present to win.
KEYNOTE SPEAKERS
8:30 Marc Hoit
Vice Chancellor for IT and CIO, North Carolina State University
Marc Hoit is the Vice Chancellor for Information Technology and the Chief Information
Officer (CIO) for North Carolina State University (NCSU) in Raleigh, North Carolina.
He began his role as the Vice Chancellor for Information Technology in September
2008. Since arriving, he has worked to develop an IT Governance Structure, Strategic
Operating Plan and launched a number of key foundational projects that will
improve efficiency and effectiveness of IT on campus. He previously held numerous
administrative positions at the University of Florida including Interim CIO, Director
of Student PeopleSoft Implementation, the Associate Dean for Academic Affairs
Administration and the Associate Dean for Research in the College of Engineering.
He is a Professor in the Civil, Construction and Environmental Engineering Department.
He received his B.S. from Purdue University and his M.S. and Ph.D. from University of
California, Berkeley. Dr. Hoit is the Co-Principal Investigator, along with Chapel Hill and
SAS, for the North Carolina Bio-Preparedness Collaborative (NCB-Prepared) Grant from
the Department of Homeland Security (DHS) and the development of DIGGS, an
international XML schema for transferring transportation information. His structural
engineering research involves the computer program, FB-MultiPier, which analyzes
bridge pier, superstructure and pile foundations subjected to dynamic loading.
Keynote Topic: University Campus: A Microcosm of the Future
Dr. Hoit will present how a university campus is a petri dish for innovation, future
trends and disruption for IT and how it affects services, purchasing and planning.
9:30 Tom Limoncelli
Time Management Guru, Author, Blogger, and System Administrator
Tom is an internationally recognized author, speaker, and system administrator. His books
include The Practice of System and Network Administration (Addison-Wesley) and Time
Management for System Administrators (O'Reilly). He received the SAGE 2005 Outstanding
Achievement Award. He works in NYC and blogs at TomOnTime and
EverythingSysadmin.com.
Keynote Topic: You Suck At Time Management (but it ain't your fault!)
So much to do! So little time! Security people are pulled in so many directions it is
impressive anything gets done at all. The bad news is that if you work in security then
good time management is basically impossible. The good news is that it isn't your fault.
Tom will explore many of the causes and will offer solutions based on his book,
“Time Management for System Administrators” (now translated into 5 languages).
GOVERNANCE, RISK, & COMPLIANCE
10:30 (A) How to Secure Database Infrastructure Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
Srini Kolathur, Vinay Bansal, & Jim Tarantinos
Srini Kolathur, CISSP, CISA, CISM, MBA is a result-driven IT project manager with Cisco Systems. Srini has several years of experience in helping companies effectively comply with regulatory compliance requirements including SoX, PCI, HIPAA, etc. Srini believes in and advocates a best practices-based security and compliance program to achieve business objectives. Also, Srini maintains a free collaborative web portal for managing IT best practices and audit plans at Checklist20.com.
Abstract: IT governance and strategy are critical to an organization's success. Key to the risk assessment and audit plan process is breaking down the IT Universe into smaller, more manageable sub-components. Databases play a major role in the increasingly complex global business processes and IT universe. A best practice-based assessment to evaluate risks uses an 80-20 rule. This makes it possible to eliminate all the low-hanging fruit by leveraging expertise from around the world and helps organizations quickly achieve their desired business objectives at the optimum cost. We will specifically focus on how to leverage database best practices for building effective risk assessment approaches and to build audit plans to comply with different compliance programs including S-ox, HIPAA, PCI-DSS and EU data privacy.

11:30 (A) Building a Lasting IT GRC Policy Architecture
Sandy Bacik
Sandy Bacik, author and former CSO, has over 15 years of direct development, implementation, and management information security experience in the areas of Audit Management, Disaster Recovery/Business Continuity, Incident Investigation, Physical Security, Privacy, Regulatory Compliance, Standard Operating Policies/Procedures, and Data Center Operations and Management, with an additional 15 years in Information Technology Operations.
Abstract: With industries moving toward a governance and risk culture, the IT and enterprise policy architecture needs to be updated to align with the enterprise goals of IT Governance. Some may discover that they have all the pieces spread throughout the current organization, but do not know how to proceed to ensure their IT and security policies and processes fit into their enterprise governance architecture.
PROFESSIONAL DEVELOPMENT
10:30 (B) Leading By Example / Building Effective Teams
Beth Wood, North Carolina State Auditor
North Carolina State Auditor Beth A. Wood, CPA, is serving her first term as the state’s elected auditor after more than a decade of service in training and research for the office. As Training Director for the Office of State Auditor, Beth developed and taught audit courses for the auditor’s staff, concentrating on the areas of Single Audit, internal control and sampling. She also coordinated the State Auditor’s Quality Control Review and provided research of audit and reporting issues for the audit staff. She began working with state government in 1993 with the Local Government Commission (a division of the Office of the State Treasurer). In that position, she reviewed and approved audits of local governments prepared by private CPA firms. Prior to her work with state government, Beth worked as a cost accountant for Ray-O-Vac Corporation for three years. She also supervised audits of local governments and not-for-profit organizations for McGladrey and Pullen CPAs, a national CPA firm. Beth left the Office of the State Auditor in 2007 as she began her campaign to become the first woman elected to the post. While seeking office, she also taught a variety of courses for the American Institute of Certified Public Accountants (AICPA) and worked in the institute’s Professional Ethics Division investigating alleged substandard audits around the country.
Abstract: Moving from a purely technical role to management is very challenging for most IT people. Most people do not like giving up the hands-on technical work and they also tend to be more independent. This discussion will deal with particular challenges faced when moving into a managerial role and will answer questions such as: How can leaders learn to assess the strengths of their team members and use them to get the team working as one unit rather than a bunch of lone rangers? How can they deal with jealousy and backstabbing from those not promoted? How can they anticipate senior management's and the organization's needs and ensure the team is truly fulfilling the mission?

11:30 (B) Winning in Business and Life
Garion Bunn
Garion Bunn is an award winning speaker and workshop facilitator who is a self-driven, results-oriented cultivator of human potential. His purpose is to inspire, educate and empower people and organizations around the globe. His success strategy is to continually seek new ways to add value through seminars and workshops that are leadership centric. Garion is an empathic communicator and listener. Garion believes that effective leadership skills are the most powerful tools in the current day workplace and marketplace. Leadership excellence is the fast track up the corporate ladder. Garion helps professionals who want the zest, energy and power to deliver with passion and purpose.
Abstract: Are you ready for the competition? This keynote focuses on stirring your enthusiasm and sense of purpose in daily life. An excited, focused individual is ready to take on the challenges and triumph in today's fast paced market. Develop knowledge and skills that will significantly increase your personal effectiveness and ability to successfully interact and lead others. This session covers many diverse and critically important business, interpersonal, and leadership topics.
DATA AND ENDPOINT SECURITY
10:30 (C) Authentication of Personal Mobile Devices as Part of an Overall Enterprise Authentication Strategy
Ron Stamboly, SafeNet; Co-author Maureen Kolb
Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and Cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.
Abstract: IT departments are facing challenges from many users wanting to use their mobile device to access sensitive corporate information. Clearly, the risk posed by these scenarios is great. The key issue confronting security staff is management: ensuring only trusted devices can access corporate resources, contending with lost devices, managing security policies, and enabling and monitoring access. Finally, IT organizations need to establish visibility and control over what assets can be accessed by and saved onto those devices. This presentation will discuss implementing unified authentication schemes, security policies and credentials for employee-owned end point devices, helping organizations to enable their workforce while reducing IT management and administration resources, as well as show how organizations can centrally and consistently manage all authentication requirements for local networks, VPNs, SaaS applications, and virtualized environments.

11:30 (C) Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
Michael Sutton
Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers, and educating others on a variety of security topics. As Vice President of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry. Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing, and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles, and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.
Abstract: Today, everything from television sets to photocopiers has an IP address and an embedded web server (EWS) for device administration. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. Leveraging the power of cloud based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a ‘wifi enabled’ device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target rich environment for years to come.
PHYSICAL SECURITY
10:30 (D) Introduction to Lockpicking
Jon Welborn
Jon Welborn is a penetration tester and a co-founder of the FALE Association of Locksport Enthusiasts. FALE came together around a shared general curiosity and persuasion of the public’s “right to know”. FALE meets regularly in the Winston-Salem, NC area and hosts lockpicking villages at various security conferences around the country. http://lockfale.com
Abstract: You've locks on your network closet and secure document bin. Great. What if I can open them in 30 seconds or less? Learn the basics about how a lock works and how to compromise commonly used locks. This information isn’t complicated in the least, but in this talk we set out to remove the often practiced “security by obscurity” approach to physical security.

11:30 (D) High Security Locks
Jon Welborn
Abstract: Great locks are not difficult to come by. This talk will discuss various components of a quality lock as well as several manufacturers of high-caliber locks. We will discuss specific makes and models of locks that may be beneficial in your environments. If nothing else, this talk will open the door to the idea that you shouldn’t have to lean on your local hardware store to meet your physical security needs.
DIAMOND SPONSOR SESSION (Keynote Hall)
10:30 ORACLE PRESENTATION
Mark your calendars for the Eighth Annual Triangle InfoSeCon to be
held on Thursday, October 18, 2012 at the McKimmon Center.
Keynote speakers: Chris Nickerson - Lead Security Consultant for Lares Consulting
and Stan Waddell - Executive Director and Information Security Officer,
University of North Carolina (UNC) Information Technology Services (ITS)
DIAMOND SPONSOR SESSION (Keynote Hall)
11:30 HP / FORTIFY
Reinventing Dynamic Testing: Real-Time Hybrid
Hans Enders, HP Fortify
Hans Enders is a Sr. Solutions Architect for HP Fortify. In his current role, Hans is responsible for demonstrating web application security software and providing solutions to prospective clients for HP Software’s Application Security Center. He has more than 14 years of experience in network administration and security, with the most recent 7 years focusing on web application security testing and software support. Hans acquired the CISSP in 2004 and most recently completed the CISM certification in 2011. Hans is an active member of ISSA, ISACA, OWASP, and a past member of InfraGard of Georgia. Hans has a Bachelor of Science degree in Industrial & Systems Engineering from North Carolina State University and is moderately fluent in Spanish. Outside of his professional career, Hans also enjoys participating with CERT (Community Emergency Response Team) and being a Cub Scout leader.
Abstract: Over the years, two key techniques have emerged as the most effective for finding security vulnerabilities in software: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). While DAST and SAST each possess unique strengths, the "Holy Grail" of security testing is thought to be "hybrid" -- a technique that combines and correlates the results from both testing methods, maximizing the advantages of each. Until recently, however, a critical element has been missing from first generation hybrid solutions: information about the inner workings and behavior of applications undergoing DAST and SAST analysis. This presentation will introduce you to the next generation of hybrid security analysis — what it is, how it works, and the benefits it offers. It will also address (and dispel) the claims against hybrid, and leave participants with a clear understanding of how the new generation of hybrid will enable organizations to resolve their most critical software security issues faster and more cost-effectively than any other available analysis technology.
PENETRATION TEST / SNA
1:30 (A) Progression of a Hack
Ryan Linn, Trustwave's SpiderLabs
Ryan Linn is a Senior Security Consultant with Trustwave’s SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Dradis and the Browser Exploitation Framework (BeEF).
Abstract: So you have a firewall, AV, IDS, patch management and more. Nobody is getting in. Somehow Fake-AV and malware still rear their ugly heads from time to time, but things feel pretty safe. Others in this same situation are still making the news. This talk will look at how a single foothold can lead to the opening story on the evening news. We will look at how a motivated attacker can compromise a patched Windows box, escalate privileges on a domain, and get to the data. As each demonstration shows the techniques, we'll talk about mitigation strategies and what steps you can take to avoid being a headline.

2:30 (A) Web Application Social Engineering Vulnerabilities
Matt Cooley, Symantec
Matt Cooley is an accomplished information security practitioner working in IT across multiple industries for almost 20 years with over a decade of primary focus on security. At Symantec, Matt has been involved with security assessments in the financial sector, government, commercial business, higher education, and major ISPs. His primary area of expertise is in web application and product penetration testing.
Abstract: In this presentation, we plan to demonstrate web application vulnerabilities which could be leveraged to attack end-users of applications. In particular, cross-site scripting will be used to attack mobile device users. Social Engineering Toolkit will be demonstrated to compromise the systems of fully-patched and protected users. Common tricks such as URL obfuscation, URL redirection, and domain-name manipulation will be used to successfully coerce victims into performing tasks from which an attacker would benefit.
CLOUD / VIRTUALIZATION SECURITY
1:30 (B) Managing Risk, Liability, and Compliance in the Cloud
Ron Stamboly, SafeNet; Co-author Maureen Kolb
Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and software products covering authorization, access control, audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and Cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.
Abstract: Cloud Computing is unquestionably the future of our IT infrastructure and business workloads. Yet the industry is reaching an impasse as organizations have already completed Proof-of-Concepts and architectural planning to the cloud. Internal Data Governance and Compliance requirements have become the barrier to more organizations moving to the cloud, and to larger organizations converting small test projects to full production. The mix of confusion over ownership and liability, lack of transparency from the cloud provider, an almost complete absolution of liability in contracts, and lack of clear guidance on required controls have all contributed to this. This session will focus on peeling back some of these issues to drive some clarity and actionability. Cloud is the future, with its ease-of-use, cost-savings and transparency, but Data Governance and compliance requirements have stopped projects due to confusion on risk/liability. The presentation will focus on driving clear areas of trust, ownership, and liability; cover audit and contractual aspects of working with CSPs; identify new controls needed to move to the cloud; and will end with PCI 2.0.

2:30 (B) Crash Course on Open Source Cloud Computing
Mark Hinkle, Citrix Systems
Mark Hinkle is the Director of Cloud Computing Community at Citrix Systems Inc. He joined Citrix as a result of their July 2011 acquisition of Cloud.com. He is currently responsible for the success of the open source cloud computing platform, CloudStack. Previously he was the VP of Community at Zenoss Inc., a producer of the open source application, server, and network management software, where he grew the Zenoss Core project to over 100,000 users and 20,000 organizations on all seven continents. He also is a longtime open source expert and author having served as Editor-in-Chief for both LinuxWorld Magazine and Enterprise Open Source Magazine. Mr. Hinkle is also the author of the book, Windows to Linux Business Desktop Migration (Thomson, 2006). He is a contributor to NetworkWorld’s Open Source Subnet and his personal blog on open source, technology, and new media can be found at www.socializedsoftware.com. You can follow him on twitter @mrhinkle.
Abstract: Very few trends in IT have generated as much buzz as cloud computing. This talk will cut through the hype and quickly clarify the ontology for cloud computing. The bulk of the conversation will focus on the open source software that can be used to build compute clouds (infrastructure-as-a-service) and the complementary open source management tools (including those for security) that can be combined to automate the management of cloud computing environments. The discussion will appeal to anyone who has a good grasp of traditional data center infrastructure but is struggling with the benefits and migration path to a cloud computing environment. By understanding the architecture of a cloud compute environment, users will be able to apply their existing security knowledge to the management of a cloud compute environment. Systems administrators and IT generalists will leave the discussion with a general overview of the options at their disposal to effectively build and manage their own cloud computing environments using free and open source software.
STRATEGY & ARCHITECTURE
1:30 (C) Information Security Doesn't Just “Happen”!
Jim Murphy, OMMISS
James Murphy, CISSP, ISSMP, GSEC, CISA, CISM
NC DHHS, Office of MMIS Services
Jim is the Information Security Architect for OMMISS with 30+ years experience, predominantly in healthcare IT. He plans and designs enterprise-wide information security for major development projects, including the claims processing system for Medicaid and related plans, and the State Health Information Network. For the projects, he documents information security and technical architecture requirements and reviews security throughout project design and development: regulatory compliance, access control, data and network protection, business continuity, operational security, process documentation and project audit. Jim has written, taught and spoken on information security management, service continuity, security auditing and security certification training to diverse audiences.
Abstract: The pressure is on—security breaches now cost penalties and lawsuits. Information architectures are becoming more complex as they adjust to rapid changes in software and hardware. Privacy professionals are clamoring for eliminating the misuse of protected information. State Attorneys General have been authorized to get in on the act. But, as InfoSec professionals understand, security just does not happen with the latest policy, technical tool, or extra door lock. Information security managers must take the initiative to coordinate with all levels of the organization to ensure business objectives drive the definitions and characterization of protected data, unit leaders understand the responsibilities of the hallway work force, and technical support staff understand the limits of device-alone solutions. InfoSec planning requires tactical and strategic components, and in a sense, never stops. InfoSec professionals must be able to communicate the planning with all levels of the organization in a way that facilitates the collaborative efforts and diminishes the internal barriers. In this presentation, I offer some practical suggestions for getting InfoSec planning into action.

2:30 (C) Anatomy of an Attack
Jonathan Norman, Alert Logic; Co-Author Michele Hujber
Jonathan Norman joined Alert Logic in 2002 and has held numerous security and operational roles throughout his tenure at Alert Logic. Today, as the Director of Security Research, Jonathan manages a team of security researchers and analysts responsible for monitoring the evolving security landscape for new and emerging threats. In addition, under his leadership, the Security Research team manages complex security incident response for customers and develops the advanced correlation rules that help Alert Logic solutions better detect and defend against security threats. Jonathan holds several industry certifications such as Certified Ethical Hacker, CISSP, CCSP, and other GIAC certifications.
Abstract: In 2010 the global cybercrime market increased to an estimated 7.5 Billion dollars. Over the past few years, attack sophistication has increased significantly while users struggle to keep up with new attacks. We have long passed the days of bright kids causing mayhem on computer networks. Today's attackers are fast, well-funded, well organized and business is booming. This presentation will take you into the world of cybercrime and give you an insider's look into how hackers operate and what you can do to protect your network.
TRIANGLE INFOSECON • OCTOBER 20, 2011
APPLICATIONS & DEVELOPMENT
1:30 (D) Enabling the Business with Security Metrics
Steve McKinney, Cisco Systems
Steve has worked at Cisco Systems for the past 3 years after graduating from NC State with a Master's degree.
Abstract: Many security scanners will churn out ‘advice’ on the severity of vulnerabilities in your environment. Forwarding that advice to your manager will likely produce a blank stare and a report that's in the trash before you can walk out the door. So, how do you go from a scanner's advice to wisdom that drives business decisions? This talk covers what I have learned from others and developed as I started implementing security metrics for my team within Cisco. We will look specifically at metrics for web applications, but the concepts presented apply to other areas of security.
2:30 (D) Making Fat Messages Available: Binary XML Encoding
Phillip H. Griffin, Griffin Consulting
Phillip H. Griffin, CISM, brings over 15 years of experience in the information assurance and security profession. Operating as Griffin Consulting, Phil has served as a trusted security adviser, security architect, and consultant with leading corporations including Visa International, GTE, and IBM. He has acted as committee chair, editor, head of U.S. delegation, and rapporteur in the development of national and international security standards, and currently serves as an ISSA Educational Advisory Council Member and on the board of the Raleigh ISSA Chapter. His experience encompasses numerous facets of security including authentication technologies, encryption, access control, biometrics, and secure messaging schema. Mr. Griffin has eight patents pending in the area of security, and he has been a speaker at leading security conferences and venues around the world.
Abstract: For every XML Schema (XSD) there is an analogous ASN.1 schema that can be used to generate compact, efficient binary message formats, and XML markup instance documents that are equivalent to those based on the initial XML schema. These binary formats are appropriate for use in environments constrained by mobility, limited battery life, storage size, or bandwidth (e.g., wireless communications using hand-held devices). Using a binary format for XML messages can make secure protocol messages available in environments where verbose formats prohibit application development.
DIAMOND SPONSOR SESSION (Keynote Hall)
1:30 IMATION
Key Trends in Removable
Device Security
David Duncan, Business Development Director
David Duncan is director of ENCRYPTX at Imation, a team of research and development experts focused on advances in data security that protect, encrypt, control, and manage “data at rest.” Duncan founded ENCRYPTX, which was acquired by Imation from BeCompliant Corp. in March 2011. Prior to founding ENCRYPTX, Duncan was senior vice president of Tactical Marketing Ventures, a marketing accelerator company for more than 100 technology startups. He also served as vice president of sales and marketing for RL Polk, a consumer marketing information company that was sold to Equifax Corporation. Previously, Duncan served in marketing and engineering leadership positions with Storage Technology Corporation, Martin Marietta and SRA Corporation. He worked for the National Security Agency as a cryptologist for a number of years and designed and built trusted computer systems for highly classified government programs.
Duncan has a Bachelor of Science in international affairs from the University of Maryland, a Master of Science in computer science from Regis University, a Master of Business Administration (MBA) from the University of Colorado, and a degree in Chinese Mandarin Linguistics from the Defense Language Institute, Presidio of Monterey, California.
Abstract: David Duncan, Managing Director of the ENCRYPTX Security Products Group of Imation Enterprises, will present key trends in the field of removable storage device security. The presentation will cover: current risk/data loss trends from the latest industry studies, new and emerging threats, regulatory requirements affecting compliance, vendor initiatives to mitigate these risks including hardware, software and operating system developments that improve removable device security, and an evaluation framework for assessing gaps in your organization.
LIGHTNING TALKS
2:30 (Keynote Hall) The IT Blind Side
Dwayne Melançon, Tripwire
Dwayne Melançon joined Tripwire in 2000 and serves as Vice President of the company’s Log Management business. In previous positions at the company, Dwayne has served as vice president of Business Development, Professional Services and Support, Information Systems, and Marketing. Prior to joining Tripwire, Dwayne was Vice President of Operations for DirectWeb, Inc., where he was responsible for product management, logistics, electronic supplier integration, customer support, information systems, infrastructure development, and other business operations. Before DirectWeb, he ran Pan-European Support for Symantec Corporation, managed call center operations for several of Symantec’s leading product lines, and spearheaded the development of productivity tools and processes. In other positions, Dwayne was responsible for Symantec’s global Web presence, program management for the company’s encryption products, and functional integration for mergers and acquisitions. Prior to joining Symantec, Dwayne spent eight years at Fifth Generation Systems, Inc., where he created an award-winning global support organization, was a software developer, and directed the company’s software and hardware Quality Assurance teams.
Dwayne is certified on both IT management and audit processes, holding both ITIL and CISA certifications.
Prior Speaking Experience:
• eFinance World Conference
• Frequent speaker at national and regional itSMF, ISACA, ISSA, and IIA events
2:45 (Keynote Hall) Are you using UDP for reliable transmission?
Shahab Nayyer, Wells Fargo
The author is a Senior IT Audit Lead with Wells Fargo & Company in Charlotte, North Carolina, USA. He holds dual master's degrees in Finance and Industrial Engineering with a specialization in IT. Shahab has more than seven years of experience in IT Audit and Security and is a CISA and CIA. Shahab is also the President of the ISACA Charlotte Chapter.
Abstract: UDP (User Datagram Protocol) is a widely used protocol for networking and data transmission. It is used in real-time applications, DNS request/reply messages, IP telephony, SNMP, multimedia streaming, etc. Because it is a connectionless protocol, it is considered very efficient for short messaging with low bandwidth usage. Those are the good things about UDP, but UDP is also an unreliable protocol: it does not guarantee data transfer. With that in mind, do we know everywhere we are using UDP? Are we using UDP where a reliable transmission is needed? Have we evaluated the risk of data loss, and can we live with it?
3:00 (Keynote Hall) Finding Flags During a Lightning Storm
Steve McKinney, Cisco
Steve McKinney has been with Cisco for three years after completing his Master's degree at NC State. He was the primary developer for the Capture the Flag contest at the conference this year.
Abstract: This presentation will be an overview of the Capture the Flag contest held at the conference. If you tried the contest and didn't complete it, or wanted to but didn't have time, drop by: this session is for you.
KEYNOTE SPEAKER
3:30 Lenny Zeltser
Security Practice Director, Savvis; Senior Faculty Member, SANS Institute
Lenny Zeltser leads the security consulting practice at Savvis, where he focuses on
designing and operating security programs for cloud-based IT infrastructure. Lenny’s
other area of specialization is malicious software; he teaches how to analyze and
combat malware for the SANS Institute. He is also a member of the board of directors
for the SANS Technology Institute and an incident handler at the Internet Storm
Center. Lenny frequently speaks on information security and related business topics at
conferences and private events, writes articles, and has co-authored several books.
Lenny is one of the few individuals in the world who have earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification.
Lenny has an MBA degree from MIT Sloan and a computer science degree from the
University of Pennsylvania. Lenny writes at blog.zeltser.com and twitter.com/lennyzeltser.
More details about his projects are available at http://www.zeltser.com.
Lenny says that some of his “books are gradually becoming outdated” but that
all of them are listed here. Lenny notes that the “most recent and current volume is
CyberForensics. It's a good text.”
Keynote Topic: Knock, Knock! How Attackers Use Social Engineering
to Bypass Your Defenses
Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses. Lenny Zeltser will review how attackers have bypassed technological controls by making use of social engineering techniques such as:
Starting attacks in the physical world, rather than the virtual Internet: We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet. The talk presents several examples of such scenarios.
Targeting attacks through the use of spear phishing and social networks: The talk will explore how attackers may profile victims to include the person- or company-specific social engineering elements in an intrusion campaign.
CONFERENCE COMMITTEE
This Conference is only made possible by the incredible efforts of
the committee. On behalf of the chapter, sponsors, speakers, and
attendees, thank you!
President: Brad Hoelscher
Vice President: Robert Martin
Conference Director: Liyun Yu
Conference Program Director: Mark Whitteker
Conference Deputy Director: Ramsey Hajj
Treasurer: Mark Fontes
Communication: Peter Hewitt
Operations Director: Robert Pitney
Sponsor Development: Robert Martin
Website Developer: Phillip Griffin
Production Support: Steve Toy
Conference Support: Chip Futrel
Program Designer: Rachel Schaub
Sponsor Development Team:
Frank Chavarria
Sarah Miller
Operations/AV Team:
Dave Balint
Rob Breault
Robert Brown
Matt Bryson
Frank Chavarria
Marie Cross
Randall Hompesch
Eric Hoth
Wenjian Huany
Charles Hudock
Valdez Ladd
Steve McGehee
Glann Morgan
David Parker
Michael Rains
Nancy Schipon
Andrew Senko
Daniel White
Lorie Wilsher
Rich Woynicz
Applications & Development:
Aby Rao, Chair
Lisa Lorenzin
Cloud & Virtualization:
Nathan Kim, Chair
Eric Olson
Data & Endpoint: Andre Henry, Chair
Governance, Risk & Compliance:
Keith Mattox, Chair
Janet Dagys
Pen Testing / System & Network Auditing:
Artem Kazantsev, Chair
Physical Security: Glenn Morgan, Chair
Professional Development:
Holli Harrison, Chair
Valdez Ladd
Strategy & Architecture: Jim Murphy, Chair
Capture the Flag: Steve McKinney, Chair
Lockpick Village:
Jennifer Jabbusch, Chair
Jon Welborn
Lightning Talks: Dyana Pearson, Chair