Agenda
2009 Breakout Session Descriptions
Monday, March 23
- Phishing 2.0: Breaking Into Wall Street & Critical Infrastructure
Rohyt Belani
This presentation will discuss the evolution of spear phishing from being a means of stealing user identities to
becoming a mainstay of organized crime. Today, phishing is a key component in a “hacker’s” repertoire. It has been
used to hijack online brokerage accounts to aid pump-and-dump stock scams, and as a means of creating covert channels
from compromised user machines to the Internet. During this talk, I will present the techniques used by attackers
to execute such attacks and real-world cases that I have responded to that will provide perspective on the impact.
This will be followed by a discussion on what works and what doesn’t in building and testing user awareness to
thwart such attacks against your organization.
- Hacking Through a Firewall
David Lissberger
“Hacking Through a Firewall” shows how vulnerable networks may be compromised and helpful suggestions
network administrators and corporate officers should consider to make those environments more secure. The
demonstration is presented using only a laptop computer, sound system, PowerPoint presentation, and a projector.
The technical level is low-to-medium, so as to be of interest to a general audience of business professionals. The
firewall-protected network belongs to a fictional company and is one of many in the process of being penetrated by
a professional hacker. The audience sees how the hacker collects information on the target, penetrates the firewall,
steals critical data, and leaves an easy way to return.
- PCI PA DSS: Partners Against Credit Card Fraud
Rafael Rosado
Credit Card fraud continues to be on the rise, which has cost merchants millions of dollars. In recent years, major
security breaches were suffered by merchants such as TJX and Hannaford. Organizations that transmit, store and/or
process credit card transactions are required to comply with the Payment Card Industry Data Security Standard (PCI
DSS). Furthermore, Card Brands such as Visa are requiring merchants that use payment applications developed by
third-party software developers to have these applications certified to comply with the Payment Application Data
Security Standard (PA-DSS). The session will focus on the key security controls that organizations need to
implement in order to report compliance against the PCI DSS, with special attention given to web and application
development security controls. Additionally, the session will highlight how the PCI DSS requirements correlate to
the PA-DSS requirements and provide considerations for merchants and service providers on how to comply with PCI
DSS and to application developers on how to comply with PA-DSS.
- We got caught with our guard down! Now what? Practical Incident Response Planning
Richard Gasdia
Everyone is familiar with the old adage "Time is money." In the Information Age, data may be just as good.
Reports of data compromises and security breaches at organizations ranging from universities and retail
companies to financial institutions and government agencies provide evidence of the ingenuity of Internet
hackers, criminal organizations, and dishonest insiders obtaining and profiting from sensitive customer
information. Whether a network security breach compromising millions of credit card accounts or a lost
computer tape containing names, addresses, and Social Security numbers of thousands of individuals, a
security incident can damage corporate reputations, cause financial losses, and enable identity theft. To
mitigate the negative effects of security breaches, organizations are finding it necessary to develop formal
incident response programs. However, at a time when organizations need to be most prepared, many are finding
it challenging to assemble a plan that not only meets minimum requirements, but also provides for an effective
methodology to manage security incidents for the benefit of the organization and its customers. In response
to these challenges, this presentation will highlight the important aspects and best practices organizations
may consider when developing effective response programs.
- Using Proxies to Secure Applications and More
Josh Sokol
This session is a must see for anyone responsible for the security of a web application. It is a demonstration
of the various types of proxy software and their uses. We've all heard about WebScarab, Burp Suite, RatProxy,
or Paros, but how familiar are you with actually using them to inspect for web security issues? Did you know
that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be
able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.
- Data Loss Prevention Solutions & Integrated Tool Suites
Nicholas Wetton
Information is one of a business’s most important assets. Organizations need to deeply understand their information
in order to protect sensitive data and comply with regulations. Data Loss Prevention (DLP) solutions help
organizations protect and control critical data wherever it is used or stored, significantly minimizing the risks
associated with uncontrolled information. DLP delivers a wide range of capabilities giving organizations the ability
to effectively address data leakage, misuse and compliance. Many organizations are looking for an integrated suite of
products that enables them to proactively manage a broad set of information risks. DLP control points analyze
information on the network, at the endpoint, on the message server, and in data stored on various systems and repositories.
- Insider Threats - Protecting Internal Assets during an Unstable Economy
Rob Kraus
Rising corporate instability during unstable economic times can subject organizations to an elevated level of
internal security threats. Proactively managing risk before the onset of economic instability will help prepare
and protect your organization from the danger posed to your critical business information by internal threats.
During this session we will attempt to identify assets that are appealing to insiders, understand what types of
attacks can be executed and how to prepare your organization to minimize attacks before they occur.
- Assessing Your Web App Manually Without Hacking It
Robert Hansen & Rob MacDougal
Ever wanted to know how to tell how well or badly you’re doing? This speech will show you how to assess yourself
without being a hacker and how to do it in under an hour. No hacking skills required!
- Advanced Malware Detection Strategies
Dominique Kilman
Advanced computer attackers know traditional network defense mechanisms (IDS, AV) better than most security
engineers implementing these controls. This knowledge allows the attackers to bypass traditional mechanisms
for detecting attacks. In order to discover the advanced attackers that are invading networks today, a combined
approach that involves all parts of the network must be used. Network data, log data and host-based data must
all be analyzed in concert to detect attackers on modern networks. This talk will discuss a method for analyzing
data, explore what indicators can be found within the data, and how to correlate this information to form a more
robust detection methodology.
- Engineering Principles applied to Security
Vern Williams
What can we learn about Information Security from the hard-learned lessons of Engineering from the Tacoma Narrows
Bridge, the loss of the USS Thresher and other seminal events: 1) Educating other professionals about lessons
learned, 2) Changing technology, procedure and policy, 3) Change management, 4) Metrics.
- The Importance of Log Management in Today’s Insecure World
Ricky Allen/Randy Holloway
Log management continues to be an operational issue for IT departments around the globe. In an average
enterprise, hundreds of gigabytes of log files are generated daily. While the review of these logs is often
performed manually or through siloed mechanisms, intrusions continue to occur at an alarming rate. Ultimately,
this becomes a nightmare for discovering the root cause of the breach. Proper log management allows companies
to retain the log events in a secure, effective manner, while ensuring the data remains in a forensically sound
state, meets compliance and satisfies the demands of the auditor. This presentation will address the requirements
for log management and introduce recommended practices for the development of a successful log management program.
- Pocket protectors, Purple hair and Paranoia: A look in the mind of a geek, a hacker, and an IT Security Professional
Chip Meadows
Have you ever wondered what makes technical people tick? Have you ever audited a geek? Have you ever had to interface
with a geek? Do you wonder why your IT Security representative is always pale? Join Chip Meadows as he gives a tour
into the mind of these three personas. Come and learn why they are the way they are and how to interact with them.
Tuesday, March 24
- Top Website Vulnerabilities: Trends, Business Effects, How to Fight Them
Trey Ford
What’s the difference between network or Web server vulnerabilities and vulnerabilities in custom Web applications,
and how do they affect an enterprise? With all the Web security solutions in existence, how are vertical industries
faring with vulnerability discovery and remediation efforts? When you look at many of the prominent website hacking
incidents, it becomes obvious that website security is becoming increasingly challenging for today’s corporations,
and the cause is often not that an attacker took advantage of an unpatched well-known vulnerability, but instead
exploited an unknown issue in a custom Web application.
- Deep Packet Inspection and the Loss of Privacy and Security on the Internet
Andrew MacFarlane
With new technology like Deep Packet Inspection and new business models being developed by major network operators, it is
important that IT Managers and IT Security professionals monitor critical issues that impact user privacy, the freedom of
consumers to access the content and applications of their choice and the ability of new online businesses to launch without
network owner approval. Since market forces aren’t available to restrain inappropriate behavior by dominant
IAPs (Internet Access Providers), a focused and active role by the IT Managers is increasingly necessary.
- Mergers, Acquisitions, Divestitures and Layoff; OH MY!
Jim Kates
Many companies are facing organizational challenges and changes due to the economic conditions. These changes
are introducing new security issues to once stable environments. There are budget and headcount reductions
across the board, yet the risks are in fact increasing. As a result of economic conditions, we are seeing more
mergers, acquisitions, divestitures and layoffs. Each has a significant impact on the current security
environment. This session will focus on how these types of events can affect your organization and some
real, not hypothetical, actions you can take if your group finds itself in these unknown waters. We will walk
through some of the most common risks and add some that are unusual in nature but just as problematic. Then
we will examine actions that you can start planning on today and integrate into that scenario as it becomes
more relevant. No two organizational changes are completely the same, but understanding key elements, critical
paths and common sense will help you better face the time if it does affect your organization. This session
will leave you prepared to handle these issues and hopefully bring some levity to the situation.
- Cloud Computing Overview and Potential Security Challenges
Josh Zachry & Chandler Vaughn
This session will provide an overview of cloud computing. Included will be some capabilities for businesses and
consumers to consider when possibly leveraging a cloud environment for their information technology needs. The
session will also address the potential security challenges businesses and consumers could face while using a
cloud computing environment.
- OWASP Live CD: An open environment for Web Application Security
Matt Tesauro
The OWASP Live CD is a project that collects some of the best open source security projects in a single environment.
Web developers, testers and security professionals can boot from this Live CD and have access to a full security
testing suite. This allows its users to test for various security issues in web applications and web sites. The Live
CD also contains documentation and an interactive learning environment to enhance users’ web application security
knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future
developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a
project of the Open Web Application Security Project (OWASP) and is free for commercial or noncommercial use. More
information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
- The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
John Dickson
This presentation focuses on how security officers or development leaders can apply a disciplined approach to building
internal consensus to build secure software. A five-step process will be laid out that will enable a manager to
characterize the landscape, secure management buy-in, baseline the existing risks, set modest goals and attempt to
achieve them, and sustain the initiative. Emphasis will be on actionable steps that successful managers have used to
drive the adoption of secure software strategies in large organizations.
- Beyond New Employee Orientation; building an awareness program for the whole life of an employee
William Tompkins
Today organizations are increasingly recognizing the important role that employees have in protecting the information
used for all business functions. It is vital to ensure employees not only understand their responsibilities but that
they incorporate basic security habits in their daily routines. You will be presented with ideas that can be
used to ensure employees understand their responsibilities and the importance of security policies, standards, and
procedures. Examples from the awareness program at Teacher Retirement System will be reviewed. These concepts should
provide a basis for your organization to build and/or maintain a security awareness program that is effective through
the whole life of employees.
- Securing SharePoint
Dan Cornell
Microsoft SharePoint technologies have become almost ubiquitous as organizations try to encourage collaboration
between employees and partners and this increased collaboration is very valuable. However, often SharePoint is
deployed in an ad hoc manner without proper attention being paid to security, governance and compliance. These
ad hoc deployments allow stakeholders to collaborate, but also expose organizations to risks as sensitive
information is loaded into SharePoint without proper protections or auditing.
This presentation looks at several aspects of SharePoint security – infrastructure, administrative,
content, and application. Drawing on experiences with a number of organizations, the presentation also runs through
approaches SharePoint administrators can take to enforce order without erasing the value of SharePoint as a collaboration
technology. Attendees will leave with actionable ideas about the steps they need to take before embarking on a
SharePoint deployment as well as steps they can take to
- Security Policy Architecture: How to fix your current disaster
Doug Landoll
In most organizations information security policies are constructed in response to incidents and audits. The
composed set of policies may address many of the recent issues that have challenged the organization, but the
policy set lacks organization, completeness, and structure. The results of these unorganized and incomplete
policy sets include: confused employees inadvertently violating policy, uncoordinated responses to business
partner security questionnaires, lack of accountability and responsibility for key roles, and inefficient
security spending. Given that administrative controls are the basis for defining security in the organization,
ensuring that the security policies form a consistent, complete, and compliant architecture is the foundation of
improving the security program. This presentation will present the “Clean Slate” approach to developing
a security policy architecture. The seven (7) step approach will demonstrate how to create a security policy
architecture based on a security controls framework and appropriate security requirements. This approach has been
successfully applied to commercial and government organizations and resulted in cost savings for each of the
organizations.
- PCI Compliance – Convert Drudgery Into a Powerful Security Framework
Joseph Krull
Many organizations have been challenged with their initial and ongoing compliance with the Payment Card Industry
(PCI) Data Security Standard (DSS). The DSS, now in its third version, isn’t perfect by any sense of the word,
but it does offer certain advantages to organizations that need to establish or refresh their security governance,
security strategy or security metrics programs. Most security practitioners have overlooked that the DSS is
primarily based on ISO 27002 and is a particularly comprehensive framework that can be applied to other types
of sensitive data well beyond credit card numbers. This presentation will review the current state of PCI and
offer some insights into how the DSS can be effectively leveraged as the basis for an effective security framework.
This presentation will also offer suggestions on how a security practitioner can use the DSS to ‘sell’
security to senior management and drive home the importance of protecting sensitive information across the
organization.
- A New Standard for Establishing Trust in Cross Domain XHR
Erhan J. Kartaltepe & Ravi Ganesan
The Same Origin Policy (SOP) has severely restricted the class of applications that can be built using the
XMLHttpRequest (XHR) object. On the other hand, without the SOP in place, XHR could make all the cross site attacks
of the past look rather tame. Current proposals to solve the problem require sites to maintain Access Control
Lists (ACL) defining which origination sites they are willing to serve XHR requests from, with the policing done by
the user’s browser. These proposals have well-known security limitations. The problem is hardly unsolvable;
the trouble is that new cryptographic protocols take years to mature, and the trust infrastructures required would
take even longer to shake out. Can we somehow use existing, trusted, cryptographic protocols to solve this problem?
Can we use trust infrastructures already in place? The answer to both is yes, and moreover it can be implemented
without changing a word in the cross-domain authorization proposal the W3C has proposed. This talk will describe
such a new standard and discuss its merits and challenges.
- Implementing an Effective Managed Security Services Strategy for Best Results and Maximum Cost-Efficiency
Pierluigi Stella
The presentation is designed to show organizations how to set up and manage outsourced network security services in
order to maximize security and minimize costs.
Wednesday, March 25
- You Can't Secure What you Aren’t Aware Of
Chad Thiemann
This session will discuss the subject of executing comprehensive due diligence with regard to identifying everywhere
organizations store, process and transmit sensitive/confidential data – and the risks associated with
not doing so. Key topics such as vendor security assessments, removable media security, mobile device
security, data classification and data loss prevention tools will be included in this presentation.
- Anatomy of an Attack: From Incident to Expedient Resolution
Chris Smithee
See a demonstration of how hackers can easily take advantage of new and widely known exploits to bypass traditional
security defenses and penetrate your network core. In today’s complex world of unknown attacks, Chris will help you
discover the advantages of using behavior-based network anomaly detection to detect and mitigate this nefarious
behavior in a timely fashion, while providing critical network intelligence for insightful forensics analysis.
Learn about the advantages of a behavior-based approach to network security by attending this informational session.
- Data Exposed to Third Parties
Matthew Ege
Sharing data with third parties is common practice today. Data becomes “external” through many means, such as
outsourcing, joint ventures, reporting on compliance, and business relationships. With your company’s data being
touched by so many third parties comes an increased risk of data being shared inappropriately (whether purposefully
or not). This presentation will explore how data becomes external, risks of external data, and what can be done to
help mitigate this risk.
- The Evolution of Identities: Where We Came From and Where We Are Going.
Bryan Whorton
Identity 2.0 - how is this going to solve the federation challenge, mitigate the traditional risks and intrusions of
application/data access, and the costly business of storing identities? This presentation will cover the evolution of
how organizations currently manage user identities across environments and how it will be simplified with Identity 2.0.
- Achieving Competitive Advantage Through Security and Compliance Automation
Brandon Dunlap
In the 1980s, robots and other mechanized technologies brought sweeping changes to manufacturing, improving quality
and reducing the need for labor in dangerous or tedious jobs. Similarly, we have seen unprecedented efficiency
gains due to information technology across knowledge worker jobs over the past 20 years. Unfortunately, the increased
compliance burdens placed on companies since 2000 have outpaced our efforts to find efficiencies in this critical
business function. As the future unfolds, those organizations that are able to make better use of technology
will be able to find competitive advantages over their competitors as they begin to focus on the streamlining and
mechanization of key security and compliance activities.
- Critical Infrastructure Protection – Physical and Logical Security Convergence
Greg Thornbury
This session will discuss trends and methods for combining physical and logical security. Best practices and
case studies will be presented. How to migrate from existing, stand-alone systems to a single, integrated
system will be discussed. Costs and Return on Investment examples will be presented from real-world experiences.