Agenda

Breakout Session Descriptions

Monday, April 21

The Role of the Federal Government in the Cyber Security Landscape of Today
Art Conklin
What is the role of the US Government with respect to cyber threats? With 85% of the infrastructure controlled by private firms, is it regulatory, is it legal, is it like DoD, where they actively do things? What should the government provide? The diverse nature of today’s IT landscape and threat environment means that the simple solutions of the previous network layer threat landscape are no longer effective. With 85% of the critical infrastructure owned and operated by private parties, with an increasing level of internationally based threat vectors, and with the increasing importance of the Internet to our national economy, we arrive at the present: the need is high, but the will is confused and the ability is limited. This talk examines the confluence of these elements that is leading to the perfect storm opportunity.
Why Technology has failed to Solve Security Problems
Doug Landoll
An incredible array of security technology is available to solve many technological security problems, from insecure code, to rogue users, to unencrypted sensitive data. But without the proper pre-requisites, implementing security technology can be as effective as dropping a seedling in the desert sands. Proper planning can ensure that security technology is well integrated into the organization and achieves business objectives. Based on recently completed research, a set of pre-requisites has been developed to guide security technology integration. This planning includes the following elements: Foundations (basic information security program elements that must be in place in order for any technology effort to move forward), Considerations (specific information security threats that must be addressed within the conduct of the established business mission), and Preparations (activities that must be performed prior to installing and configuring a specific technology product).
Wireless LAN Security: What Hackers Know That You Don’t
Kent Woodruff
Wireless technology is exploding in popularity. Businesses are not only migrating to wireless networking, they are steadily integrating wireless technology and associated components into their wired infrastructure. The demand for wireless access to LANs is fueled by the growth of mobile computing devices and a desire by users for continual connections to the network without having to “plug in.” This explosion has given momentum to a new generation of hackers who specialize in inventing and deploying innovative methods of hijacking wireless communications. Hackers armed with MDK2, Aircrack-ng, Karma phishing attacks, Scapy, and other new tools are launching attacks on networks that a year ago were said to be unbreakable. Another challenging and widespread issue is the increase in rogue wireless devices like soft APs, wireless-enabled laptops, and neighboring wireless networks that may bleed over, combining hostile rogues with friendly or unconnected devices.

However, wireless LANs can be secured with a thought-out plan and proven layers of security. This discussion will provide best practices to network executives and security managers on how to confidently deploy and secure their wireless network and protect against security threats, rogue devices, and policy violations.
PKI for PCI Compliance and Beyond
Karen Reinhardt
The requirements for authentication and encryption mandated by Payment Card Industry (PCI) standards, Sarbanes-Oxley (SOX), and other privacy laws have led many businesses to either introduce or expand a Public Key Infrastructure (PKI) in their IT environment. However, while the demand for PKI is clear, what is not clear to many is how to best meet this demand. PKI is not a “one size fits all” solution. There are a number of options available. Should your company go with a managed service such as Verisign or Entrust, or does an “in-house” PKI solution make more sense? If an “in-house” solution is best, what does that involve? What are PKI best practices, and what will the auditors expect? This presentation seeks to provide guidance on how to decide which approach makes sense for various types of businesses depending on size and requirements, and to introduce the attendees to PKI best practices.
Protecting Confidential Information – When Physical Security is Simply Not Enough
Joe Krull
Fences, cameras, locks and guards. These basic resources used to form the backbone of the security defenses an organization needed to protect its sensitive information. However, as today we are all so reliant on computers, e-mail and voice communications over data networks, it’s no longer necessary for an attacker to even visit an organization’s facilities to steal its most sensitive information. This presentation will describe several ingenious ways that attackers can obtain sensitive information from anywhere around the globe, with little or no risk of being caught. This presentation will also provide examples of recommended defenses and strategies.
Social Engineering – Protecting the Enterprise
Rob Kraus
Observe your organization from the eyes of an attacker. Bypassing physical security measures to gain unauthorized access isn’t just for secret agents. Even with all of the security products, policies and procedures organizations put in place to mitigate threats, there are still vulnerabilities these organizations typically leave unaddressed. Social Engineering is often an overlooked part of many organization's security goals. Simple steps can be followed to reduce the risk of threats from becoming reality. We will be discussing the most common social engineering threats identified by security analysts, and mitigation techniques to reduce the risks of these threats being realized.
Black Box Vs. White Box: App Testing Strategies
John Dickson
Competing approaches for application security testing have pros and cons. This presentation will look at and discuss a number of security assessment strategies including white box testing, black box testing, static analysis and dynamic analysis.
The 7 Mistakes of Security Log Analysis
Dr. Anton Chuvakin
Corporate regulations as well as the desire to keep confidential information safe and sound have led enterprises to turn to logging and analysis of log data from a variety of sources to provide a continuous fingerprint of everything that happens within the security perimeter. However, there are several common pitfalls that companies encounter when trying to complete this necessary and important process.

This presentation will cover operational security challenges that organizations face when deploying log and alert collection and analysis infrastructure, highlighting the top 7 most common mistakes, including not storing logs long enough to comply with government regulations, not preserving the forensic quality of logs, and only looking for known 'bad records.' Then, the session will dive into how to avoid these and other mistakes and what logging challenges organizations could face in the future and should be prepared for. In addition, Anton will give tips and tricks for how government users can best utilize various log files (generated from a variety of sources, including systems, applications, and security devices) to gain the most value.
Cultivating Willing Security Policy Compliance in the Enterprise
Paul Williams
An organization’s employees can either be its weakest link or its greatest ally in its information security defense strategy. This session outlines simple but practical ways to instill a culture of willing security policy compliance among an organization’s workforce. Through the use of better methods of communicating security policies in the organization and better training and auditing techniques, willing employee compliance can be significantly increased and the organization’s information security posture improved.
Open the Door, Close the Deal – Using Persuasive Questions
Margaret E. Anderson & Harvey Nusz
To sell upper management on a new project or program, you need to be persuasive. To win cooperation from your colleagues or subordinates, you want to be persuasive; inspired, agreeable people go that extra mile that makes an entire team excel. The most persuasive professionals listen more than they talk. When they do speak, they use questions more than statements to draw out the right stuff to listen to. A persuasion expert will dissect real-life success stories of an IT security, governance and compliance professional who uses her methods, showing why and how his questions persuaded others. You’ll learn different types of questions, as well as how and when to ask each type. Through a participative exercise, you’ll gain the practice that turns knowledge into skill you can take away and use immediately.

Tuesday, April 22

Computer Security: Myths and Mistakes
Mark “Simple Nomad” Loveless
Between security consultants, trade magazines, security mailing lists, software and hardware vendors, and yes, even speakers at a conference, it is difficult to know for sure who to trust and where to place issues on the priority list. Everyone has either something to sell or something to gain by having you follow their opinion. In many cases the hard sell of product or service “A” to prevent security disaster “B” is viable, but is it really that important to your organization right now? Not only will some common myths and mistakes be discussed, but the reasons pro and con for each will be covered as well. Go to your next vendor pitch or consultant meeting armed and ready to shoot some holes in a few industry myths. Warning: this will be a technical discussion, as the myths will often get shot down via technical means.
The Secure Enterprise: Meeting the Security Challenge by Transforming IT Management
Bill Mann
In an increasingly complex and interconnected world, users of Information Technology encounter a proliferating array of risks and opportunities. Bill Mann will lead a wide-ranging exploration of the ways in which IT Management is evolving to help users protect their data and assets and realize the full benefits of technology. He will demonstrate how Identity & Access Management and other critical management solutions can help users meet current and emerging security challenges. Join Bill to discover how the ongoing transformation of IT Management as a discipline will revolutionize the way we work and live in an IT-enabled world.
Combating Industrial Espionage in Chaotic Times
Ronald Mendell
The theft or compromise of intellectual property (IP) and sensitive information constitutes a quiet threat to our economy and to our technological leadership. Knowledge as capital is a trend that will continue to grow in the twenty-first century. In order to protect knowledge assets, information security professionals need to be able to identify them. Once identified and classified, those assets require vulnerability analysis to uncover attack paths that can lead to compromise. When compromises occur, professionals also need tools for detecting those incidents and for follow-up investigations.
Texas Licensing of Computer Forensic and Security Consultants
Ernesto Rojas
The session will cover the new requirements set forth in HB2833, passed by the 2007 Texas legislature and signed into law in June 2007. The law became effective September 1, 2007, and the enforcement period began on January 1, 2008. The program begins with background information on the law and the reasoning for its enactment. We will cover licensing requirements, penalties for hiring unlicensed consultants and/or practicing without a license, and methods of determining whether the person hired is properly licensed to do the work. In addition, the continuing education and other licensing requirements will be highlighted.
Event Data Management – The Secret Ingredient to a Winning Compliance Plan
Jim Pflaging
Every day, the IT systems and applications your business operates spew out reams of event data records, also known as log data, whenever a time-stamped transaction occurs. This information contains vital knowledge about the vulnerabilities inherent in your architecture, from data on suspicious insider activity to weaknesses that external parties can exploit. This data also captures healthy routine business processes that can verify that your operation is compliant with the latest regulatory statutes, information you may have to produce on a dime should an auditor come calling.

Interest in log data management is intensifying as compliance requirements push organizations to tighten IT security and be audit-ready at all times. This session’s speakers will discuss the nature and changing role of log data in today’s business climate and share best practices for incorporating event data management solutions into the compliance process to reduce business risk.
Measuring and Reporting on Security in a Meaningful Way
Vern Williams
Security metrics is a topic that everyone seems to approach from a different viewpoint. NIST has presented its view, a couple of books have been written, and there is Andrew Jaquith's SecurityMetrics.org blog. However, to a lot of practicing professionals in both physical and information security, how to gather and report security metrics is a mystery. What is easy to gather and meaningful to one organization is a waste of effort and without meaning to another company’s management. Come see what metrics carry a message to management that is relevant, and hear what those in the trenches are saying.
Securing the SDLC: A Case Study
Dan Cornell
If an organization wants to repeatably create and deploy secure software, it has to integrate security into its software development lifecycle (SDLC). This presentation will walk through a case study of how a fifty-person professional services organization updated its SDLC to address software security concerns in an economically responsible manner.

The presentation will begin by outlining several industry standard models for integrating security into the SDLC, such as Microsoft’s Secure Development Lifecycle (SDL). These will provide a baseline against which SDLC hardening efforts can be judged.

The bulk of the discussion will be based on a point-by-point explanation of the changes made to people, processes and technology, with an emphasis on explaining not just what decisions were made but also the reasoning behind those decisions. In addition, possible alternatives not selected will be discussed, along with explanations of the kinds of organizations where those alternatives may be more appropriate choices. As this is a case study, the focus will be on the practical: what choices did a real organization make in order to increase the security of the applications it was developing without unduly increasing development costs and timelines? Tradeoffs will be analyzed to provide insight into the decision-making process.
Why I don’t use web-app scanners ... all the time.
Robert Hansen
Web application scanners are becoming ubiquitous and have become the center of a serious debate on their merits and abilities. This speech will cover where scanners are useful to your organization and where they need to be supplemented with human intuition and understanding. The speech will cover pitfalls, “gotchas” and the real-world dangers of using push-button scanners against production environments without a skilled human counterpart.
Securing Social Networks
Edmund Gif Munger
Today’s most popular social networks are built around a centralized server architecture: vulnerable to attacks, inflexible, and with no means of encrypting user uploads and downloads as information travels through the ether. According to research firm IDC, the social networking market is expected to grow approximately 153% in 2008.

As social networks infiltrate the corporate world, and as residential Internet access bandwidth explodes with more and more individuals sharing sensitive data via social networks, the risk factors become undeniable and unavoidable. IM (Instant Messaging), VoIP (Voice over Internet Protocol), video, web conferencing, whiteboard applications, file sharing and email are suddenly no longer the friendly applications for work and home we’d like them to be. Instead they open Pandora’s Box when it comes to security vulnerabilities, leaving gaping holes for content to be intercepted, violating not only one’s privacy but endangering the intellectual property of entire corporations.

During this presentation, VimetX CTO Edmund Gif Munger will discuss the current state of social networking security vulnerabilities and what companies and families can do to effectively combat this growing issue. He will discuss, in detail, available encryption and peer-to-peer SSL VPN solutions on which future social networks could be built, and to which current platforms could migrate in response to the growing user demand for better security.
Federal Rules of Civil Procedure
Daniel P. White II
The Federal Rules of Civil Procedure were changed by the Department of Justice for Electronically Stored Information, covering not only how it shall be submitted but also the rules of engagement for discovery in civil litigation. In 2007, these rules have had a significant effect on the scope of, and corporate preparation required for, litigation; information forensics is changing too.
SD3LC – Secure by Design, Development and Deployment Life Cycle
Mano Paul
In the current day and age, the chief drivers for software development projects are meeting business requirements and deadlines. Security is generally an afterthought for software development projects. Incorporating security from inception is more cost effective. This session will address the various security controls and activities associated with each phase of the software development lifecycle (SDLC). The controls and activities include, but are not limited to: modeling use/abuse cases, threat modeling, security code review, security testing, etc.
Top Website Vulnerabilities: Trends, Business Effects, How to Fight Them
Trey Ford
Web applications are the top target for attacks. Nine out of 10 have vulnerabilities making them easy targets for criminals seeking to cash in on cyber crime. Enterprises that want to reduce the risk of financial losses, brand damage, theft of intellectual property and legal liability are often unaware that these vulnerabilities exist, and how to prevent them. This lack of knowledge limits visibility into an enterprise’s actual security posture.

During this session, Trey Ford will identify the most prevalent and severe vulnerabilities that attackers are exploiting across the Web, as well as actionable strategies that attendees can use to avoid them. The overarching goal of the presentation is to raise awareness of real-world Web application threats.

Wednesday, April 23

Corporate America’s Biggest Problem
Chip Meadows
Have you ever asked for one thing and been delivered the opposite? This problem exists in corporate America and is really “Corporate America’s Biggest Problem”. In this updated presentation Chip will take a humorous yet serious look at the IT Audit as a basis for showing that communication skills are seriously lacking in today’s business culture.
The Encryption Conniption
Kendall Larsen
The birth of real-time communications such as VoIP, video conferencing, audio and instant messaging has changed the way people work, conduct business, and communicate with one another. In a recent report, Nemertes Research discovered that for most of these applications, adoption rates within organizations have exceeded 50%. That research, combined with a recent Infonetics report forecasting that IP telephony will be a $49.5 billion opportunity in North America, makes a compelling business proposition for the shift towards P2P networks.

While this opens a window of opportunities, there is also a growing need to ensure that information transferred is fully encrypted, automatic and of government-level quality. The industry’s protocol of choice to enable this is SIP, which can be used for creating, modifying, and terminating communication sessions with one or more participants.
Endpoint Security 2.0: Next Generation Solutions & Why They Are Needed
Daniel M. Teal
Traditional endpoint security solutions are becoming less effective against the constantly changing threats of today. Anti-virus, anti-adware, host IPS, and other solutions have been defeated by skilled attackers and insider threats. This session will review the limitations of current generation products, present new technologies being developed by the security industry, and discuss how next generation solutions can address the ever changing threats organizations face.
The Convergence of Physical and Logical Access Security
Greg Thormbury
Today, the concept of “one employee, one identity, one credential” is more than just talk. It is reality: a comprehensive enterprise identity solution that automatically provisions access to logical (applications, databases and networks) and physical (doors) assets. With the number of contract employees growing within every organization, there is a corresponding need to a) rapidly provision, granting access to facilities and to all of the logical assets to which they have been given access, to ensure productivity, and b) rapidly de-provision, removing access to both physical and logical assets, to ensure protection of critical assets and data.

It is also about compliance. By requiring employees to have their security credentials with them at all times and by requiring that they use their security credential to access all logical assets, an organization can help ensure that workstations are secured when an employee is away from his/her desk.

It is also about emergency response. An employee can rapidly be granted emergency access to critical data and/or facilities until normal operations are restored.
Identity Crackdown!
Rob Allen
Given the latest Department of Homeland Security (DHS) directive, companies are starting to lean on Identity Management systems for verification, validation, and security audits. Typically the anchor for identities within a domestic organization is based on the Social Security Number (SSN) or ‘NationalId’. Systems of Records have historically stored the SSN in clear text, and it is consumed by the organization in clear text. There are two parts to the problem: (1) validating SSN values, and (2) securing the values within the organization to mitigate further exposure.

“The Department of Homeland Security (DHS) announced tough new rules on August 10th that require employers to fire workers who use false or inaccurate social security numbers. Officials stated the new rules would be backed up by increased raids on workplaces across the country...”

To help solve the problem, an organization could utilize a combination of web services and hashing algorithms to protect the sensitive information within the organization and mitigate identity leaks, and capitalize on the SSA validation service. This session will provide a tangible solution for organizations that seek identity verification and validation and want to provide a tighter security model for their identity solution.
PCI Compliance Can Make Your Organization Stronger and Fitter
Brent Harman
While Windows itself isn’t the beginning or end of PCI compliance, it does contribute a remarkable amount to your overall compliance situation when Windows-based computers are used to store cardholder information, process credit card transactions, or allow access to other servers that do hold credit card data. If your organization processes, stores, or transmits PANs within the cardholder data environment, PCI compliance is a requirement, not an option.

Plus, keeping data secure is simply good business practice, and the same standards should be considered for securing all sensitive data. Adhering to PCI DSS helps companies build a more secure and efficient IT infrastructure and can actually reduce compliance costs in the long run.