CISA, CISM, CISSP-ISSMP, Principal Consultant, Birchtree Consulting
The Business Case for Security
Security programs are strategic investments with a high impact across the organization. They compete with other projects for resources and funding. Presenting a convincing business case is essential in order to move a security program forward. Yet making a financial case is not an easy task. While calculations of ROSI (Return on Security Investment) were popular for a while, a more risk-based approach is often in order, one that focuses on relative merits rather than absolute returns. This approach can be summarized as a logical process to determine the exposure, affordable funding and priority for an organization.
AT&T Labs, Inc.-Research
Passwords and PINs are used everywhere these days. The engineers who design our security systems have four decades of advice on the deployment and use of passwords. A lot of this advice is appropriate only for outdated threat models. Many new proposals are interesting, but seem unlikely to be successful in the real world.
I will attempt to update the advice with the hope that if things don't become more secure, at least they may become easier to use.
Counsel, Crowell & Moring
Internal and external security requirements to communication service providers and intermediaries. Is Europe asking too much?
Providers of electronic communications and online services are increasingly subject to security requirements imposed by the national and European legislators. These requirements are both external (network stability and protection against intrusions) and internal (preventing abuse of the network or services by the users and subscribers).
The presentation aims at giving an overview of and critically analyzing the various security-related legal requirements imposed on a European level. A number of cases will be discussed in order to illustrate the practical impact of the EU legislation.
President, DRA Enterprises, Inc., BigFix Executive Advisory Board
Lessons from Defending Cyberspace - The Challenge of Addressing the Cyber Risk – for law enforcement, enterprises, nations, and the global community
- Objective: promote thinking and discussion about the lessons that should be learned from the cyber wars; about how to enhance the preparedness and improve the strategic approach, of all levels of government, including law enforcement, of the owners and operators of the critical infrastructure, and of the other major institutions in our society.
- Key stakeholders who run or benefit from the information infrastructure - governments, critical infrastructure operators, and private organizations - must learn the lessons from past disasters like Hurricane Katrina and the terrorist attacks of September 11, 2001, to ensure that cyber preparedness is a national, regional, and local priority for partnership between government and the private sector, and that prioritization of effort and resources is based on a risk management model involving stakeholders.
- Governments and global companies should work together domestically and internationally to:
- collaborate on the assessment of cyber risk and the coordination and prioritization of risk reduction efforts;
- facilitate law enforcement cooperation and strategic contributions to risk reduction that go well beyond the current paradigm;
- prioritize and leverage spending on research and development;
- and share information and collaborate more effectively regarding cyber incident response, recovery, preparedness, and analytical capabilities.
Security Officer, Intralot SA
Designing federated identity management architectures for addressing the recent attacks against online financial transactions.
The emergence of Internet applications that involve financial transactions, such as e-auctions, online gaming, e-banking and e-commerce, has provided enhanced user service provision, as well as a ground for the successful deployment of online attacks. This presentation presents the most recent techniques for implementing attacks against online financial transactions and proposes an architectural framework based on federated identities for addressing the problem.
Head of Sourcing, Ericsson, Istanbul Turkey
Mobile Devices: A Road Warrior's Guide to IT Security.
Moore’s law has driven more computing power into our pockets today than fit into a 1970s five-story building. As a result, many IT users carry significant amounts of their business-critical information around with them. While this evolution has created a dynamic mobile working environment, which enables users to initiate and receive phone calls and voice messages, send and receive emails and instant messages, access an intranet, surf the Internet, and access business applications, and makes physical proximity a non-issue, it has also created huge opportunities for enterprise data loss and security breaches. The goal of this session is to outline the kinds of risks that exist for mobile communication devices, including smart phones, personal digital assistants (PDAs) (e.g. Blackberry, Treo, Palm, pocket PCs), flash drives, memory sticks, and other radio frequency (RF) and USB devices, as well as some easily implemented countermeasures useful for mitigating the risks driven by mobile device use.
Information Security Group, Royal Holloway, University of London
Identity management systems - where are they going?
A significant number of identity management systems have been proposed in recent years, including Liberty, CardSpace, OpenID and Shibboleth. However, it is far from clear how the different systems will interoperate, not least because of varying objectives and differing uses of fundamental technologies (e.g. SAML). In this talk the functioning and scope of a selection of such systems will be reviewed, and challenges for possible interoperation will be highlighted.
Network Security Administrator, TEIRESIAS Banking Information Systems
Network Security: Putting Theory into Practice, the Wrong Way
Designing secure networks seems to be a straightforward task, at least from a theoretical point of view. You identify the assets, potential vulnerabilities and threats, you analyze the risk and present the stakeholders with a list of threats, usually sorted by threats’ impact factor, so they can decide on which threats to deal with.
Having said that, implementing a countermeasure can prevent another countermeasure from operating the way it is supposed to; security practitioners should not view any specific countermeasure as an integrated solution; it is just part of a solution that must coexist with all other parts, be they security-related mechanisms or others. Furthermore, there are times when a non-security-related mechanism is more appropriate to deal with a security need than a security-related mechanism.
The goal of this presentation is to point out some of the most common cases where implementing a countermeasure can lead to other than the desired results or even lead to breaking the operation of another countermeasure, because the countermeasure itself has been viewed as an integrated solution and not just a part of a solution. Although the latter may be obvious, security practitioners tend to neglect it.
MSc Computer Networks & Telecommunications, Technical Director of Greek National Network SYZEFXIS, s-TESTA Coordinator for Greece, Information Society SA.
Greek National Network SYZEFXIS - a secure administrative network
Greek National Network SYZEFXIS is a modern multiservice IP network connecting 4.300 actors of Greek Public Administration. It is a secure infrastructure that guarantees data integrity for every transaction that takes place between any pair of machines. It is supported by a powerful PKI architecture and has a compact and strict security policy. Greek Public Administration has been using this trusted network since late 2005. Millions of transactions are performed every day between citizens and government, government to government, or government to businesses.
IT Director, Vgenopoulos & Partners Law Firm
Information Security and the Enterprise Risk Management process
Risk Management is the process by which enterprises identify and deal with the factors that may impair their activities, increase the probability of success and, at the same time, reduce the probability of failure and the uncertainty in achieving their business objectives.
Even though the importance of Information Security in today's highly networked business environment stems from the fact that organizations rely heavily on IT systems to perform their mission, sometimes the relationship between information and business objective is not clearly defined. In this respect IT Risk Management Budgets may either overshoot or undershoot and miss the target.
By regarding Information Security like Safety or Environmental Security as part of the holistic Enterprise Risk Management process, it is suggested that new intangible values are created for the Enterprise affecting Strategic Planning, Budgets, Processes and People.
Managing Director, Odyssey Consultants
Proactive Security Management
- The Threat Landscape
Information security threats are continuously evolving, presenting an ever-expanding and moving landscape to which organizations have to respond. In this respect, what used to be effective just 12 months ago is no longer enough or complete to protect organizations from the threats of today and, even less so, those of tomorrow. The most important shift in the characteristics of the threat landscape is the underlying motives of the hackers (internal and external), who no longer reflect the “happy crackers” of yesterday, but are focused professionals who are in it for the money through industrial espionage.
- Key Challenges in Security Management
The single most important challenge in security management is neither finding the money nor the existence of mitigation technology. It is in fact the ability to be proactive and execute the intended security policy and related processes in a manner which allows the organization to move away from a fire-fighting approach and instead try to be ahead of the threat. The component threats and usual failures facing organizations can be usefully examined under the three pillars of People – Process – Technology.
- Security Log Management and Monitoring - The Untouched Area
Even when organizations have the resources to invest in technology (usual nowadays), and even when the operation of such technology is backed up by documented and effective processes and procedures (less frequent but improving), the capability of its personnel to execute the intentions of management is limited, at best! To understand the extent of the confusion, one needs to begin from the differences between Log Collection vs. Log Management and Monitoring, so one can usefully ascertain the available strategies to achieve the organizational goals and be proactive.
- Execution Strategies
There are several approaches in executing Log Management and Monitoring, with differing degrees of effectiveness and success in being proactive.
- In-house approaches
- Outsourcing of log monitoring
- Full outsourcing of device management
- Mixed approach
- Comparative Advantages
There are various comparative advantages and potential pitfalls of each approach, which will be discussed in turn.
Head of Information Security Unit (Security Officer), Societe Generale Group, Geniki Bank
The compliance journey: what, why, and how
- What is “Compliance”
- “Comply” with WHAT?
- Common Area of Various Standards
- WHY must I comply? Questions to ask yourself before you start
- The Geniki Bank experience in Compliance: HOW did we start?
- The challenges in Compliance Journey
- Guiding principles for Success.
IT Security Manager, OTE SA
IT Security Role in SOX Compliance
Much has been said on the importance of the Sarbanes-Oxley Act and Internal Controls in general, but little on the significant role that I.T. plays in this area. The specific relevance of the Act to information security has to do mostly with the INTEGRITY of financial information, and since I.T. plays a vital role in internal control, systems, data and infrastructure components are critical to financial reporting.
To this end, this presentation will give an overview of the design and effectiveness of IT General Controls, with specific emphasis on controls in or around Information Security.
Expert in Network Security Policy, ENISA
Social Networks - information security at the digital cocktail party
Online Social Networking Sites are now among the most visited websites globally. They collect and organise huge amounts of personal data and provide tools for managing that data. In fact, without us noticing, they have become a very important component of the identity management landscape. The talk will explain the results of ENISA's study on "Security Issues and Recommendations for Online Social Networks".
- What benefits do social networks offer to end-users and businesses?
- What dangers do users and enterprises need to be aware of, and what policies can help to protect them?
- How are Social Media evolving and what implications does this have for information security?
Vice President of Strategy & Product Management, Passlogix Inc.
Synergies between Enterprise Single Sign-On and other identity management technologies
Enterprise single sign-on is often seen as a point solution to solve users' frustrations with having too many passwords. Although it does indeed solve this problem very well, it also solves many additional problems especially when used in conjunction with provisioning systems, role-based access control systems and strong authentication infrastructure. These problems include user provisioning, heuristic role definition, compliance with segregation of duties and access rights management requirements, management of system accounts and other shared accounts and using strong authentication beyond network logon. This speech takes an unbiased approach to explore how and why these technologies can work together to provide more compelling and useful identity management solutions for the enterprise.
Principal Partner & CTO, Palindrome Technologies
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
This session will focus on threats, vulnerabilities and attacks associated with VoIP/NGN security and provide effective countermeasures to consider when deploying VoIP networks. Details on various attacks and vulnerabilities from field experience will be presented in order to demonstrate the associated risk that an organization may be exposed to, including enterprises (e.g. banks) and telecommunication carriers. Furthermore, the session will outline mechanisms to deter attacks and provide approaches to managing security in VoIP networks cost-effectively.
Security Strategist, Microsoft Corporate
Defining and enforcing policies for Network Access Authentication
Network Policy and Access Services allows organizations to provide local and remote network access and to define and enforce policies for network access authentication, authorization, and client health using Network Policy Server (NPS), Routing and Remote Access Service, Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP).
Services Director, Ether Applications Ltd
Hacking Techniques and How to Stop Them
During this workshop session we’ll simulate an attack scenario against a corporate system and infrastructure. To perform this we’ll use available hacking and attack tools, as well as techniques and exploits used today. During the workshop we’ll take on the roles of the attacker as well as the defending IT department and show defensive techniques that can be used to protect the environment. This workshop aims to demonstrate the traits of attacks and to show that even small tricks can provide excellent protection solutions. Attendees will discover what actions an attacker will take in order to break the security of an infrastructure and how to minimize the cost of a security breach.
Professional Services Manager, Besecure
The insider threat – Deploying secure corporate networks over insecure networks
The theme of the workshop is the deployment of secure corporate Virtual Private Networks and the enforcement of global security policies across all sites of an enterprise, versus other traditional insecure connectivity methods such as MPLS and leased lines, to protect from insider threats. The target audience of this workshop is any organization with remote office / branch office sites and remote users.
Channels System Engineer, Cisco
Cisco Advanced Endpoint Security
The presentation covers two Cisco Security products: NAC and CSA.
- The Cisco NAC - Network Admission Control allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops and other corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.
- The Cisco Security Agent security software provides threat protection for server, desktop and Point-of-Service (POS) computing systems.
Global Product Marketing Manager, Panda Security
Protecting Online Transactions Against Malware
During this session we will demonstrate how a Man in the Browser (MitB) attack works and how to protect your site against it. We will describe how these types of attacks work, and we will perform a practical demonstration, where we will see how malware is capable of stealing users’ credentials. Afterwards, we will present tools that can provide protection against these attacks, demonstrating how they work. In summary, attendees will discover how a malware attack against a website works and how to prevent it.
Head of Compliance and ID Management of BMC Identity Labs
Slashing Identity Provisioning Costs
A company’s successful achievement of its business goals relies heavily on its deliverables, be they services, products, or both. As each deliverable is the product of a certain process, anything, and most significantly anyone, capable of adversely affecting the process could pose a risk to attaining business objectives. Because people are the owners of company processes, their respective IT capabilities could expose the business to financial risk. Profiling the user’s IT capabilities therefore becomes an imperative objective, as is the need to verify that IT capabilities are granted and revoked appropriately, so that users possess only the capabilities defined by their required roles. Since identity-related data is scattered across various systems, being able to correlate the pertinent identity’s “pieces” is critical. Inability to do so may result in a false sense of security and an inadequate audit report that fails to surface information that might indicate alarming risks. Management of access rights is not a trivial process. Business agility warrants an approach to access management that supports quick, yet effective and secure, assignment of rights to users. Attaining this objective often calls for a process that may not be easy to implement using programmatic means alone. Furthermore, attaining regulatory compliance objectives warrants a process that attests to the validity of the control-based approach undertaken by the company.
What’s more, many of today’s data centres are grossly over-provisioned. Industry analysts report that server capacity may be over-provisioned by up to 400 percent, resulting in average server utilization rates of only 10 to 15 percent. How does this happen? One major driving factor is that IT has been under intense pressure to meet agreed-upon service delivery levels for critical business applications. To meet this challenge, IT organizations have typically thrown hardware at the problem. Over-provisioning is driving up data centre costs. That brings up another problem. Many data centres are now bursting at the seams. So if your data centre is like many others, you face a dilemma. You have to continue to maintain service at agreed-upon levels, but at the same time, you must reduce costs. Server consolidation, server virtualization, and utility computing technologies can help you meet the challenge. Implementing these technologies, however, involves considerable risk in that they entail major changes to a complex data centre infrastructure. What’s more, the resulting IT environment, although more condensed, is more difficult to manage, because it is much more dynamic.
It is crucial that you put in place effective core management processes to manage the new environment. These processes should include controls for both internal governance and external compliance. Paramount among these processes are those for change and configuration management. Only with effective and verifiable identity management, change management, release management, and configuration management can you make the necessary infrastructure changes while continuing to deliver high quality service, both during and after the changes are made. Lack of effective management can seriously jeopardize the success of your consolidation, virtualization, and utility computing initiatives.
Security Strategist, Microsoft Corporate
Building a Secure and Managed Infrastructure
This session will introduce you to the new Forefront product family. The participant will learn about the rising dangers of malicious software and what Microsoft is doing to decrease their impact. This is done in Microsoft products such as Windows and Office and through the new Forefront product range. Forefront will provide the means to further reduce the total cost of ownership of managing malware and vulnerabilities in your organization.
In this session we will look at the investments made in the Malware Protection Center. Then we will look into the three classes of the Forefront product family. We discuss the key features and how they work. The classes are:
- Forefront client security (FCS). FCS provides protection for business PCs and servers.
- Forefront Server Security for Exchange and SharePoint. Two products with unique features to better protect the entry points of malware into your organization. We will also discuss the Forefront Server Security Management Console, which provides one single view on malware across Forefront Server Security.
- Forefront Edge protection with two great products. This includes ISA Server 2006, which has been on the market for many years, and Intelligent Application Gateway (IAG), which is a new product launched by Microsoft. We will look into the different scenarios where ISA will be used as opposed to IAG and vice versa.
Principal Sales Consultant, Identity Management SEE, Oracle Hellas
Faster Identity Truth with Role-Based Authorization and Virtualization
The theme of the workshop is to guide the audience through the foundation capabilities and innovations of Oracle Identity & Access Management solutions. These include:
- Oracle Identity Manager using Oracle Virtual Directory as trusted source for reconciliation
- Oracle Identity Manager integration with PeopleSoft for auto-provisioning to target applications
- Automated Role Based Provisioning to iPlanet, AD, Microsoft Exchange.
- User self-service requests/approvals to AD user account and mobile phone resource.
- Detailed operational and historical reports on the total events performed by users.