ROCHESTER SECURITY SUMMIT
OCTOBER 29 - 30, 2008 ROCHESTER, NEW YORK

Technical Professional Track - 2007 Schedule

The Rochester Security Summit was held at the Crowne Plaza Rochester on October 3 and 4, 2007.

The Rochester Security Summit presented two tracks this year: Technical and Business Professional.

The Technical Track was designed for the Technical Professional. 

The Business Professional Track was for a non-technical audience such as Business Managers, Help Desk Staff, HR, Finance and others.


Technical Professional Track Wednesday, Oct 3, 2007
Registration and Continental Breakfast 8:00-8:45
Intro and Welcome
Allen Scalise, Great Lakes Networks
8:45-9:00
Keynote - Evolution of Threats
E. Eugene Schultz
9:00-10:00

Security-related threats have changed substantially over the years. The motive to profit from unauthorized activity (and thus to write code and engage in activity that remains as unnoticeable as possible) has become primary. Additionally, information security practices face new risks related to failure to meet a myriad of compliance requirements (SoX, HIPAA, GLBA, and so on).

New security technology has, fortunately, emerged to deal with the changing threat and risk landscape, and much of it is more user-friendly than ever before, something that often results in more proficient use and a reduced need for extensive training. Event correlation technology is a good example. Powerful event correlation tools that collect, correlate, and store huge amounts of output from network devices, intrusion detection systems, and other sources have greatly simplified and also reduced the cost of threat management. This presentation will describe this as well as other types of security technology, and the changes in this technology over time to improve the ability to address threats and risks.
The Silent Epidemic - The Rise of Economically Motivated Malware And Targeted Attacks
Ryan Sherstobitoff, Panda Security
10:15-11:30
With the recent change in malware dynamics, security professionals are faced with the challenge of defending against a new breed of malware designed to remain hidden and undetectable by traditional security solutions. More and more variants are released in hopes of overwhelming anti-virus labs. Bot-networks are being established to defraud users and businesses financially. Highly coordinated targeted attacks against organizations are becoming very popular. Therefore, the Silent Epidemic has begun. In this session users will understand the evolving threat landscape and how to counteract this new breed. This presentation will also include a live demonstration of various financially motivated attacks.
Lunch 11:30-1:00
Cross Site Scripting Attacks and Defenses
James Kist, Icons, Inc.
1:00-2:00
The talk will be centered around malicious cross site scripting (XSS) attacks, and will go into details about malicious code that can be injected into websites and users' browsers through XSS. Malicious JavaScript and VBScript, and malicious XSS associated with browser plugins such as Adobe, QuickTime, and Flash Player will also be covered.

Variations on XSS such as Cross-Site Request Forgery and Cross-Site Tracing will be included in the talk. Specific examples such as port scanning of intranets, stealing browser history and key-stroke loggers will be discussed. Advanced topics such as AJAX and XSS worms will also be part of the presentation.

The talk will also address mitigation techniques for both the server side (proper configuration of web servers, secure programming practices, etc.) and the client side (browser configuration settings, and security-related browser add-ons).

Forensic Evidence and Law Enforcement
Randy L. Newcomb, NY State Police Cyber Crime Unit
2:00-3:00
In this session we will discuss the issues and options Systems Administrators and Information Security professionals may encounter when they discover the need for law enforcement assistance.

The presentation will include a discussion of the following, but is not limited to:

When are incidents reportable to law enforcement and who decides? How do we preserve digital evidence? Are we overlooking possible criminal offenses for fear of getting too involved? Are we complying with mandated reporting of certain offenses? Who can you contact for law enforcement help locally?

It is hoped this session will initiate discussion of these important matters, and promote debate. I believe cooperation between the private sector and law enforcement is critical to finding workable solutions while promoting public safety and network security.

Break 3:00-3:30
Seven Trends in Networking and Security
Richard Stiennon, FortiNet
3:30-4:30
Richard Stiennon, long time industry analyst and now CMO for Fortinet, Inc., takes us through the major trends affecting networking and security. Historical perspectives on speeds, features, standardization, management and even virtualization are extrapolated into the near term. Security is subsuming networking as the primary concern when determining architectures.
Social Engineering & Network Security
Steve Stasiukonis, Secure Network Technologies
4:30-5:30

Case studies explaining numerous ways we have used social engineering to gain access to networks.
When we are inside the facility, what we look for and what we do.

Using technology (hardware & software) in combination with social engineering to compromise a facility (i.e. SNT was the company that planted USB thumb drives to compromise a credit union).
Results of what we get when inside.
The horrors associated with getting caught.

Technical Professional Track Thursday, Oct 4, 2007
Registration and Continental Breakfast 8:00-8:30
Live Malware Attack!
Beth Jones, Sophos Labs
8:30-9:30

This talk will feature a live, but entirely self-contained and safe demonstration of a modern malware attack in action. See how hackers have gained access to some of the most precious data out there and gain insight into how the bad guys think and operate. The more you learn about how these attacks are perpetrated, the better you will become at defending your network against them.

The talk will also examine some of the tricks and techniques that can be used in a research lab to get even an apparently complex piece of malware to reveal its secrets in a safe environment. We will provide examples of what tools are available in today's security market to help combat these malware attacks.

Attendees will leave with a firm grasp of how these attacks are perpetrated, the tools available to prevent these attacks and how the security industry is banding together to combat the spread of malware.

Phishing 2.0: Beyond Identity Theft
Rohyt Belani, Intrepidus Group
9:30-10:30

This presentation will discuss the evolution of phishing from being a means of stealing user identities to becoming a mainstay of organized crime. Today, phishing is a key component in a "hacker's" repertoire. It has been used to hijack online brokerage accounts to aid pump 'n dump stock scams, and as a means of creating covert channels from compromised user machines to the Internet. During this talk, I will present the techniques used by attackers to execute such attacks and real-world cases that I have responded to that will provide perspective on the impact.
U.S. Secret Service Electronic Crimes Task Force Initiative: A Different Law Enforcement Model for the Information Age
Michael Bryant, US Secret Service
10:30-11:30

On October 26, 2001, President Bush signed into law H.R. 3162, the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001." As a result, the U.S. Secret Service was mandated by this Act to establish a nationwide network of Electronic Crimes Task Forces that encompasses this philosophy. The concept of the ECTF is unique in that it brings together not only federal, state and local law enforcement, but also prosecutors, private industry and academia. The common purpose is the prevention, detection, mitigation, and aggressive investigation of attacks on our nation's financial and critical infrastructures.

The U.S. Secret Service Electronic Crimes Task Forces have grown from the Initial Task Force in New York to currently over twenty Electronic Crimes Task Forces spanning the entire nation.
Lunch 11:30-1:00
2007 OWASP Top 10 & Live Web Application Attacks
Ralf Durkee, Durkee Consulting, Inc. & Rochester OWASP
1:00-2:00
Web application security vulnerabilities remain by far the most frequently reported vulnerability category. In spite of widespread use, and very frequent vulnerabilities, most web applications are still not being securely developed and deployed. The presentation will demonstrate why experts estimate the percentage of vulnerable web applications ranges from 75% to 99%. We will review the 2007 OWASP Top 10 web application security vulnerabilities, and will demonstrate live attacks on a few of the most common and easiest to exploit vulnerabilities.
Security in Software Development Life Cycle (SDLC)
Andrea Cogliati, Dollos Srl
2:00-3:00
Information Security is the art and science of ensuring Availability, Integrity and Confidentiality (AIC) of information (both personal and business related). So far, IT Security, that is, information security in information systems, has been pursued almost entirely by building network and system defenses around existing information systems: security was the sole responsibility of system engineers, with no blame for software developers. Security professionals can see in their everyday jobs that if the software had fewer security flaws and vulnerabilities, their job would be easier and more effective.

Security in the SDLC has been studied for more than two decades, but only in the last few years has it been effectively practiced by software architects and developers in real world software development projects.

In this presentation we will discuss motivations for designing and implementing security in the SDLC and the benefits that can derive from it. We'll also present key points to be considered when including security requirements in a software project. Finally we'll describe a formal methodology for designing and implementing secure software with references to existing and proposed standards.
Privacy and Security: An Update from Washington
Rodney J. Petersen, EDUCAUSE
3:00-4:00

Concerns about the potential for identity theft resulting from security breaches have led to a number of legislative proposals. Among the proposed Federal solutions are a uniform approach to security breach notification, stronger privacy protections for consumers, limitations on Social Security number use, and more stringent information security requirements. Homeland security directives also call for regular infrastructure protection plans by sectors, including businesses and educational facilities. This session will provide an update on cybersecurity and privacy developments in the Congress and initiatives of executive branch agencies, including the Federal Trade Commission and U.S. Department of Homeland Security.

Attendee Reception 4:00-4:30

(All schedules are subject to change)

Hosted by Durkee Consulting, Inc. Rochester Security Summit - ISSA Copyright © 2007