In this 1.5-hour session, chaired and organised by ENISA, two members of the Awareness Raising (AR) Community will share their experiences and views on the “people” aspects of information security. The AR Community was launched in early 2008 on the initiative of ENISA. Its overall aim is to build and develop a co-operation platform for information security professionals who have a particular interest in, and focus on, the human factor, or “people” aspects, of information security.
CISM, CISSP, CEO InfoSecurityLab Inc.
Inclusion and Empowerment: How Participation and Awareness Influence Security
The constant struggle for security professionals is ensuring that those around them understand the need for risk management and good security practices. It would seem a simple exercise to create this understanding, yet, as every security professional can tell you, it is not an easy task. Why is it difficult to establish such an understanding, and how can we overcome these challenges? This talk will present some simple models of security awareness, training, and participation that have demonstrated positive improvements in organizations’ security. These simple models focus on the concepts of inclusion, participation, simplification, and applicability. Applying these concepts in the development of an Information Security Management System produces a significant shift in the organization’s security culture. The talk will discuss how these concepts affect Security Governance, Business Operations, and User Awareness Education. Real case studies will be mentioned as examples of how these concepts can create a culture of security and awareness through Inclusion, Participation, and Empowerment of the User.
Social Networking and Media: Friend or Foe
According to research by Nielsen, social networks have overtaken email in popularity and account for almost 10% of all internet activity. This new medium strikes fear into the hearts of security experts and company executives alike. Despite these fears, many organizations, ranging from retail companies to banks and government agencies, have subscribed to social networks as a way to communicate with their customers and create unique experiences. What are the risks of social networking media to organizations, and what can they do to protect against them? This talk will present a list of key risks that must be addressed when including social networking in your company’s business and services, and how to make use of social networking without jeopardizing your information security, productivity, or the customer’s experience. Topics will include data leakage and disclosure, legal implications of using social networks, and how to address concerns about worker productivity. Real examples of challenges and successes will be presented to highlight the risks.
LL.M., MBA, Executive Director, Ernst & Young AB
Cost Benefit Analysis of Information Security Initiatives: Obtaining support and funding from senior management in private organizations
Security professionals struggle with the fact that the costs associated with information security incidents can have large components that are difficult to quantify. This is not to say that organizations have to make their information security decisions with a complete lack of quantified value. Quite to the contrary: as for any investment request, there are often numerous opportunities to collect security metrics in order to measure the effectiveness of information security investments.
Senior Research Associate, ETH Zurich
The Dynamics of (In)Security - What's the story of 30,000 vulnerabilities discovered in the past decade?
We examine the security ecosystem, consolidating many aspects of security that have hitherto been discussed only separately.
Based on a quantitative analysis of 30,000 vulnerabilities disclosed over the past decade, we quantify the systematic gap between exploit and patch availability. This analysis provides a metric for the success of the "responsible disclosure" process and for the prevalence of the commercial markets for vulnerability information, and it highlights the role of security information providers (SIPs), which function as the "free press" of the ecosystem.
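One way to compute the exploit-versus-patch gap the abstract refers to, shown here as an added example rather than the talk's own code or data. The six vulnerability records are constructed, and the metrics (days from disclosure to exploit and to patch, the per-vulnerability head start an exploit has over the patch, and the share of vulnerabilities exploited before any patch existed) are one plausible reading of how such a gap is measured, not the talk's definitions.

```python
"""Exploit-vs-patch availability gap over a constructed vulnerability sample.

Added example; not from the ETH Zurich talk or its data set. The six
records are constructed, and the metrics are one plausible reading of
"the gap between exploit and patch availability":
  * days from disclosure to public exploit, and to vendor patch;
  * per vulnerability, patch date minus exploit date (positive means the
    exploit existed first);
  * the share of vulnerabilities for which an exploit was available
    before a patch (or with no patch at all by the observation date).
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    disclosed: date
    exploit_available: Optional[date]  # None: no public exploit observed
    patch_available: Optional[date]    # None: unpatched at observation time


# Constructed sample (not real CVE data).
SAMPLE = [
    VulnRecord("V-1", date(2009, 1, 10), date(2009, 1, 10), date(2009, 1, 25)),  # exploit on disclosure day
    VulnRecord("V-2", date(2009, 2, 1), None, date(2009, 2, 3)),                  # patched, never exploited
    VulnRecord("V-3", date(2009, 3, 5), date(2009, 3, 20), date(2009, 3, 12)),   # patch beat the exploit
    VulnRecord("V-4", date(2009, 4, 1), date(2009, 3, 28), None),                # exploited pre-disclosure, unpatched
    VulnRecord("V-5", date(2009, 5, 15), date(2009, 6, 1), date(2009, 5, 15)),   # coordinated: patch on disclosure
    VulnRecord("V-6", date(2009, 6, 1), None, None),                             # neither exploit nor patch
]
OBSERVED = date(2009, 12, 31)  # constructed observation date for the data set


def exploit_patch_gap_days(rec: VulnRecord) -> Optional[int]:
    """Patch date minus exploit date; positive means attackers had a head start."""
    if rec.exploit_available is None or rec.patch_available is None:
        return None
    return (rec.patch_available - rec.exploit_available).days


def exploited_before_patch(rec: VulnRecord, observed: date) -> bool:
    """True if a public exploit existed while no patch did (ever, or as of `observed`)."""
    if rec.exploit_available is None or rec.exploit_available > observed:
        return False
    return rec.patch_available is None or rec.exploit_available < rec.patch_available


def gap_summary(records, observed: date) -> dict:
    """Aggregate the gap metrics over a list of VulnRecord."""
    to_exploit = [(r.exploit_available - r.disclosed).days for r in records if r.exploit_available]
    to_patch = [(r.patch_available - r.disclosed).days for r in records if r.patch_available]
    head_start = [g for g in (exploit_patch_gap_days(r) for r in records) if g is not None]
    n = len(records)
    return {
        "n": n,
        "median_days_disclosure_to_exploit": median(to_exploit) if to_exploit else None,
        "median_days_disclosure_to_patch": median(to_patch) if to_patch else None,
        "median_exploit_head_start_days": median(head_start) if head_start else None,
        "share_exploited_before_patch": sum(exploited_before_patch(r, observed) for r in records) / n,
        "share_zero_day": sum(1 for r in records if r.exploit_available and r.exploit_available <= r.disclosed) / n,
        "unpatched_at_observation": sum(1 for r in records if r.patch_available is None),
    }


if __name__ == "__main__":
    for key, value in gap_summary(SAMPLE, OBSERVED).items():
        print(f"{key:36} {value}")
```

On the constructed sample, two of the six vulnerabilities were exploitable before a patch existed and the median exploit head start is negative (patches usually won), which is exactly the kind of figure that becomes meaningful only over a large population such as the 30,000 disclosures the talk analyses.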
Assistant Manager, Advisory Services, PricewaterhouseCoopers Malta
Web Application Security Auditing - What, Why and How
Web applications are the source of some of today’s most serious information security and compliance risks, yet organizations still fail to understand the need (and the cost) to secure such applications effectively. This presentation focuses on the 'What', 'Why' and 'How' of Web Application Security Auditing by examining the main aspects of web applications and the key steps in auditing their security: identifying and addressing web application vulnerabilities. Such an audit will help you determine the ability of Internet-based threats to compromise and adversely affect the functioning of these applications.
Executive Director, Institute for Information Security, University of Tulsa
Security Strategies in an Interconnected World
Global business and industry, government, and even society itself cannot function if major components of our critical infrastructure are degraded, disabled or destroyed. This presentation will address the challenges involved in securing interconnected critical infrastructure assets, in particular corporate networks and the process control (SCADA) networks used for oil and gas, water treatment and electric power distribution.
Topics of discussion will include the need for security standards and guidelines, security engineering and testing, embedded systems security, digital forensics, and the ongoing and continued need for cyber security education and training.
Security Empowerment Consultant, Idrach Ltd
Empowering sounds like the most natural and easy thing in the world to do: give staff the information and skills required to carry out their work in a secure way, and provide support. But we should not kid ourselves; it is not natural, and it is not easy. It requires a totally different approach from traditional security awareness: there are fewer directives from ‘on high’, and everyone (yes, everyone) in the organization will need to be involved. This talk will take a look at some of the perceived, or anticipated, risks which can deter organizations from taking the security empowerment route. It will then look at the case for taking the risk, learning as you go and developing safer, more resilient business operations. “Empowering is scary. It is like leaving your child at university for the first time. You hope you have brought them up to look after themselves and that they are wise enough to do the right thing, and to get help when they need it. But then you remember how much notice you took of your parents, and what you got up to...”
Principal, KMHenry and Affiliates Management Inc.
Providing through Audit and Compliance
This presentation will look at the increasingly important role and benefits of audit in a regulated world. The intent is to make audit an effective and strategic partner in examining, analyzing and improving the organization. Whether approaching an audit from the perspective of the auditor, regulator, or manager, there are many benefits that can be realized through using the audit forum to its true potential. This presentation will challenge the attendees to discover the strengths of a good audit, and how to make every audit a valuable part of the business cycle. Issues to be addressed during the keynote include the Purpose and Future of Audit, the Creation of a Good Auditor, Leveraging the Value of Audit, and Making a Difference – How Compliance and Audit can transform the Business.
Principal & Senior Consultant, Fretwork Technologies
There is no Patch for Stupidity
The Current State of Digital Social Engineering in 2010
It's no secret that the continued success of social engineering accounts for as many breach events in the international economy as traditional theft and hacking, if not more. In the interconnected world, organizations spend good money on the right hardware, software and services to protect their data against compromise. But do they expend equal resources to combat the weakest link in the information security chain, the human? Do the same organizations even know what they are protecting against? The global Internet has facilitated some of the most complex cons of our time, and delivered them with an impact that reaches beyond political borders. Pretexting, phishing, baiting ... whatever the latest attack vector is, social engineering is becoming increasingly complex, and you should know what you and/or your organization are up against. This presentation will review the current state of digital social engineering in 2010 and arm you with the knowledge of how to combat this elusive enemy.
CGEIT, CISA, CISM, CISSP, ISSAP, GRC, ISO27001 LA, Senior Enterprise Architect, International Experts Team, HP
The Chimera of Information Security
The idea of security in an interconnected world is a chimera. It doesn’t exist and won’t exist except in the imagination of people who want to sell you something. Those who should be concerned (the ordinary people) put their trust in solutions which are mainly technical and which serve to mask the real problems of security. There is no technical solution that cannot be evaded. End-to-end communications security works fine as long as you know who you are talking to. In an interconnected world, federated identity management is the current answer to this problem, and it works as long as everyone uses it. Just as ‘caveat emptor’ applies in commerce, the same need for caution must be understood by users of the interconnected world. You are not safe and never will be.
The best one can hope for is a trusted third party for e-commerce transactions who will take the responsibility (the likes of Visa, Amex, etc.). The worst scenario is, of course, cloud computing. This is largely a cure for an unknown disease, and it multiplies the problems, since there are no standards, agreements or morals when it comes to connecting the pieces of the clouds, leaving aside the application errors that make a mockery of any security mechanism.
Meanwhile, the onus is back on the user. Users, together, by refusing to use things that don’t work, can make the difference and make an interconnected world useful.
CEO of Ravenswood Consultants Ltd
Security Metrics: measuring nothing?
If you can’t measure, you can’t manage! Information Security Management is no different, but it is a lot more important! Metrics are an effective tool for security managers to understand the effectiveness of the various components of their security programs, the security of specific systems, products or processes, and the ability of staff or departments within an organization to address the security issues for which they are responsible.
The task of developing a security metrics program may seem daunting to most people, but it need not be. A simple, seven-step methodology can guide development of very simple metrics programs, as well as highly ambitious ones. The purpose of this presentation is to provide an overview of the current state of security metrics as well as suggestions for developing a metrics program. Security Managers need to address several questions; we’ll look at some of the basics:
- Are we more secure today than we were before?
- How do we compare to others in this regard?
- Are we secure enough?
CEng FBCS CISSP CFE, Technical Director, Idrach Ltd
Corporate and Personal Privacy - Your Employees and their Facebook Accounts
The rapid spread of social networking into the working population has led to a number of difficulties for companies and employees. As well as risks to private information, corporate or personal, the advanced use of Web 2.0 on these sites poses a number of technical risks.
The talk will cover the following areas:
- The increasing use and range of social networking sites
- Segregation of personal and corporate information
- Employer pitfalls
- Vicarious liability
- Employment law issues (protection from harassment etc.)
- The difficulties of monitoring
- Specific site issues:
  - Facebook applications
  - LinkedIn and recruitment agencies
- A suggested corporate way forward:
  - Planned use of social networking
  - Acceptable usage policies
  - Application-level firewalls
Chief Auditor, VP Securities A/S
Compliance Audit in Relation to Outsourced Activities
When outsourcing, it is critical that management is aware of the risks and threats and has an overview of the responsibilities involved. These issues have to be defined when the Request for Proposal (RFP) is drawn up and carried into the contract negotiation phase. Risk management and control selection have to be embedded in the process. Controls should enable the organization to monitor compliance and support data governance. Auditors need to ensure that the organization has implemented the controls necessary for management to live up to its responsibilities. In audit planning and execution, it is essential that the auditor reviews and assesses the organization’s risk management and compliance controls.
MSc, DipBA, CISA, CISM, Education Committee, ISACA Athens Chapter / Compliance Department, ASPIS BANK
ISACA Risk IT Framework based on COBIT
Risk IT is a framework built around principles for managing IT risk.
COBIT revolves around a set of controls that aim to mitigate IT risk. The combination of these two methodologies provides the means by which an organization’s top management can effect a comprehensive IT Governance approach to managing and reducing IT risk to an acceptable level. This presentation briefly exhibits these principles. The Risk IT Framework is still in Exposure draft and is expected to be finalized within 2009.
Head of Department, Network Security and Early Warning Systems, Fraunhofer Institute for Secure Information Technology SIT
Security Metrics - No pain, no gain
The presentation will revisit the motivation for security metrics. Different approaches to comparative analysis and qualitative measurement will be presented and discussed with regard to their applicability and use.
Information Security Management Systems (ISO 27001:2005) auditor, TUV AUSTRIA HELLAS
All you need to know about ISO 27001 in 30 minutes
One of the hot issues in the management of Information Security is the ISO 27001 standard and compliance with its provisions. During this half hour, the presentation will walk you through the most important aspects and provisions of the standard, the road to certification, the relationship between the standard and legal compliance, as well as possible pitfalls and dangers during implementation.
Principal & CTO, Palindrome Technologies
Emerging Cyber Threats and Countermeasures
This session will analyze the top emerging threats that enterprise organizations experience globally, including email phishing, emerging VoIP phishing, mobile and wireless attacks, web-based services, social networking (e.g., Facebook, TripIt, Twitter), malware and botnets. Real-world examples of attack patterns will be examined along with their incentives and their financial and operational impact on the targets (e.g., identity theft, ATM and credit card fraud, blackmail). In addition, recommendations and mitigation strategies will be discussed that can help prevent or minimize the impact of these threats.
Services Director, Ether Applications Ltd
Security vs. Social Networking. Trying to find the balance
As Web 2.0 and social media/networking have captured people's attention and are becoming an everyday communication tool, it is important for stakeholders in this exciting new era to be able to ensure that these tools aren't misused. During this talk we'll examine how IT security is an enabler for a better and more reliable use of these new communication channels, and we'll look into the best practices that are being put in place today.
Partner, In.T.Trust S.A.
Data Leakage Prevention: Understanding The Concept
For a person the ability to keep and protect secrets is one of the most valuable character traits. For a company, the capability to keep corporate data confidential is critical. Nevertheless, handling complex and difficult information protection requirements is not at the top of the priority list for companies.
This presentation will cover important aspects of how a company can accomplish Data Leakage Prevention (DLP) against internal as well as external threats. We should mention here that, according to an annual survey carried out by the CSI (Computer Security Institute), over 60% of the losses from information security breaches in 2007 were caused by leakage of confidential information that occurred within the company.
Generally, when addressing the many different information protection issues throughout a business enterprise, there are often gaps in communication and coordination. Successful information protection programs require the viewpoints and goals for information protection in different areas to be complementary and integrated throughout the enterprise. We will present a way to protect the confidential information of companies and organizations from internal threats, including unauthorized access, leakage and destruction.
CTO and Technical Manager, Inter Engineering
Stop! Identify yourself!
Strong authentication methods for every need
Would you buy a very expensive, heavyweight, tamper-proof front door to protect your house and your family, only to put its key under the doormat? Probably not! But many organizations do just that, by allowing users to put sticky notes with passwords on their keyboard or monitor, or otherwise disclose them to others. Millions are spent on protecting access to corporate systems with firewalls, encryption and strictly enforced policies, only to rely on insecure static passwords. It is commonly agreed that multi-factor authentication is necessary for adequate security, but which method should one choose? This workshop demonstrates several modern strong authentication methods and their pros and cons, which allow us to protect our most valuable property in today’s internet-connected world: our identity.
CISA, CISM, IS Auditor, Project Manager, Alpha Bank
Efthimis P. Papanikolaou
IT Auditor, Alpha Bank
End User Computing (EUC) Risk: From Assessment to Audit
What is End User Computing? Several definitions exist, all of them converging to the fact that End User Computing (EUC) is any computing activity developed and / or managed outside a formal and controlled IT environment. EUC refers to a wide range of software applications, spanning from typical office organization software to specialized reporting and data mining tools available to End Users who usually are not trained IT developers.
The risk introduced by the use of End User Computing Applications (EUCAs) is first and foremost an example of operational risk and needs to be addressed by establishing an effective control framework covering among others the areas of Development of Policy & Control Standards, Inventory of EUCAs, Risk Assessment & Mitigation, and Continuous Monitoring.
In this workshop, we will present practical steps to assess the risks of End User Computing Applications from an auditor’s perspective. The intent is to take the audit function a step further, from the trivial and generic reporting on EUCAs risks and weaknesses to a comprehensive and consistent assessment methodology in order to present to the management a complete picture of the organization’s risk exposure. The presentation will be based on specific risk metrics and it will address several practical issues arising during the audit process.
Project Manager , Ether Applications Ltd
Data Masking Best Practices: Does your Organization have Sensitive Data to Protect?
Data masking is the ability of an organization to “mask” production data by transforming it into fake information that can be used in development, testing and training environments without disclosing personal or sensitive information. During this workshop we’ll demonstrate the technical aspects of a data masking project as well as the best practices and methodologies that can be used towards this goal.
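What a masking transformation has to get right is easier to see in code. The following is an added example, not the workshop's tooling: it masks a small, constructed two-table extract (customers and orders) so that names, email addresses and card numbers become fake, while the join between the tables survives and the card numbers stay 16 digits and Luhn-valid so the application under test behaves as in production. The tables, column rules and the masking key are all constructed for the example.

```python
"""Deterministic, referentially consistent masking of a production extract.

Added example, not from the Ether Applications workshop. The two tables,
the column rules and the key are constructed. Each sensitive value is
replaced by a fake derived from a keyed HMAC of the original, so:
  * the same input always masks to the same output (joins between tables
    still work in the test environment);
  * without the key the fake cannot be mapped back to the real value,
    whereas an unkeyed hash of a low-entropy field (email, name) can be
    reversed by dictionary lookup;
  * formats are preserved (cards stay 16 digits and Luhn-valid).
"""
import hashlib
import hmac
import re

MASKING_KEY = b"constructed-key-keep-out-of-the-test-environment"  # assumption: loaded from a secret store

# Constructed name pools for the fake values.
FIRST_NAMES = ["Alex", "Dana", "Eli", "Kim", "Nikos", "Sam", "Yara", "Zoe"]
LAST_NAMES = ["Adams", "Bauer", "Costa", "Dimou", "Evans", "Fischer", "Garcia", "Hassan"]


def _prf(field: str, value: str) -> bytes:
    """Keyed PRF over (field, value); the field name stops cross-column correlation."""
    return hmac.new(MASKING_KEY, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256).digest()


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return bool(digits) and luhn_check_digit(digits[:-1]) == digits[-1]


def mask_name(value: str) -> str:
    prf = _prf("name", value.strip().lower())
    return f"{FIRST_NAMES[prf[0] % len(FIRST_NAMES)]} {LAST_NAMES[prf[1] % len(LAST_NAMES)]}"


def mask_email(value: str) -> str:
    # normalise case first so the join key matches across tables
    n = int.from_bytes(_prf("email", value.strip().lower())[:4], "big") % 1_000_000
    return f"user{n:06d}@example.com"  # example.com is reserved: never deliverable by accident


def mask_card(value: str) -> str:
    """Keep length and leading digit, replace the body, recompute the check digit."""
    digits = re.sub(r"\D", "", value)
    prf = _prf("card", digits)
    body = digits[0] + "".join(str(prf[i] % 10) for i in range(len(digits) - 2))
    return body + luhn_check_digit(body)


def mask_rows(rows, rules):
    """Apply per-column masking functions; columns without a rule pass through."""
    return [{col: (rules[col](val) if col in rules else val) for col, val in row.items()} for row in rows]


# Constructed production extract (not real people; the card numbers are standard test numbers).
CUSTOMERS = [
    {"id": 1, "name": "Maria Example", "email": "Maria.Example@corp.test", "card": "4111111111111111"},
    {"id": 2, "name": "Ion Sample", "email": "ion.sample@corp.test", "card": "5500000000000004"},
]
ORDERS = [
    {"order_id": "O-1", "email": "maria.example@corp.test", "amount": 120.0},
    {"order_id": "O-2", "email": "ion.sample@corp.test", "amount": 35.5},
]
CUSTOMER_RULES = {"name": mask_name, "email": mask_email, "card": mask_card}
ORDER_RULES = {"email": mask_email}

if __name__ == "__main__":
    for row in mask_rows(CUSTOMERS, CUSTOMER_RULES) + mask_rows(ORDERS, ORDER_RULES):
        print(row)
```

Two points a masking project has to decide are visible here: the key must live with the masking job, not in the test environment it feeds (otherwise the mapping is recoverable there), and columns that are join keys must use the same normalisation on every table, which is why `mask_email` lower-cases before hashing.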