At Information Security Decisions, many of the industry's leading information security
experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't
make it to this year's event, you can catch up here. Below you can download speaker presentations
from a selection of this year's sessions.
Security For Less Cost: Why Budget Pressures May Be The Least Of Your Worries
Peter Kuper, Partner, In-Q-Tel
Taking his 15 years of Wall Street experience and applying it to the IT security industry, Kuper
will show how the macro-economic picture points to a less supportive environment for IT budgets in
the coming years. Wage pressures compounded by rising inflation are only part of the not-so-bright
picture; because consumers have driven roughly 70% of the US economy, any continued decline in
consumer spending will weigh on growth, which will almost certainly translate into even tighter
expense controls at US companies and government agencies alike. Worse, these same economic
conditions will swell the ranks of the hacker community as hacktivists take up many (or any) causes
in the name of "the 99%". Meanwhile, security budgets and investments will be squeezed, depleting
the resources needed to combat those growing ranks.
Cloud Security: Evaluating Risks within IaaS/PaaS/SaaS
Char Sample, Security Engineer for Carnegie Mellon CERT
Virtualization technology is the underpinning of any cloud infrastructure and service provider
engagement. As data moves between an enterprise and cloud provider, or between providers’ data
centers, new risks to sensitive enterprise data are introduced. This session will examine each of
the three cloud computing service models, IaaS, PaaS and SaaS, and the risks associated with each.
You’ll also learn the basics of virtualization security and the exposures the technology introduces
in each of the service models.
Risk Management: Why It's Important to Know Your Adversary
Aaron Turner, Co-Founder, N4struct
Until the last 12 to 18 months, it really didn’t matter who was attacking your enterprise. Security
managers wanted to detect attacks, patch vulnerable systems and remain compliant with industry and
federal regulations. That approach isn’t feasible any more. Hacktivism, targeted attacks and APTs
have changed the landscape, making it crucial that security managers understand current, relevant
attacks and who is behind them in order to prioritize risk, security and compliance management for
their organizations. In this session, you’ll learn why "patch and pray" doesn’t work anymore, why
you need to know who’s behind attacks, and what matters most to your organization’s security and
compliance efforts.
Cloud Compliance: Pulling Back the Curtain on Provider Controls
Diana Kelley, Founder, Security Curve
Security and compliance remain the top roadblocks to widespread adoption of cloud computing.
Enterprises love the cloud for its flexibility, but they often have little leverage to obtain
visibility into a cloud provider’s security controls. This session will examine the issue of
transparency with regard to cloud provider controls. You’ll learn how this impacts an
organization’s compliance and security operations and you’ll hear about standards efforts under way
from the Cloud Security Alliance, the federal government and other standards bodies that address
the issue of transparency and its impact on security and compliance in the cloud.
Network Infrastructure Under Siege
Char Sample, Security Engineer for Carnegie Mellon CERT
Last year’s attacks on certificate authorities, coupled with the constant threats to SSL
communication and to the Domain Name System, have put fundamental network and Internet
infrastructure under a harsh spotlight. This session will review recent attacks on CAs and DNS,
explain their potential impact and what you can do about it. In particular, you’ll hear more about
the security of digital certificates and about DNSSEC (DNS Security Extensions): how it is deployed
and what you need to know as it becomes part and parcel of DNS roots worldwide.
Android Security Overview
Mike Arpaia, Security Consultant, iSEC Partners
Android is a Linux-based platform programmed in Java and enhanced with its own security mechanisms
tuned for a mobile environment. Android aims to combine OS features and file permissions with the
type-safe Java language and its familiar class library. The resulting security model is much more
like that of a multi-user server than the sandbox found on the J2ME or BlackBerry platforms.
Mobile platforms are growing in importance, and have complex requirements. This talk will
describe the security model of Android in depth and talk about the way Android deals with complex
requirements. The knowledge gained from this presentation is applicable to device administrators as
well as application developers and will help attendees understand the most pressing security issues
in Android.
PCI Guidance Check-In
Diana Kelley, Founder, Security Curve
The Payment Card Industry Data Security Standard (PCI DSS) is in the midst of a three-year quiet
period in which no major updates are made to the standard that governs the security of credit card
and payment information. That doesn’t mean the PCI Security Standards Council is sitting still.
Various special interest groups are at work developing guidance for future updates to the standard;
recently, guidance was issued on end-to-end encryption, virtualization and tokenization. In this
session, you’ll get an update on the most recent guidance issued by the PCI SSC and what’s on the
docket for the next revision of the standard.
Mobile Exploit Intelligence Project
Dan Guido, Co-Founder & CEO, Trail of Bits, and Mike Arpaia, Security Consultant, iSEC Partners
As organizations look to deploy larger numbers of mobile devices this year, there is widespread
disagreement over which platforms are more secure, what mobile security measures are effective, and
what the greatest risks of these platforms are. At the same time, the mobile malware community is
developing rapidly and several successful attacks have been executed against iOS and Android. In
this talk, we demonstrate an intelligence-driven approach to mobile defense, focused on attacker
capabilities and methods, with data collected from past remote attacks against Android and iOS.
This analysis identifies the means by which exploits are developed and distributed in attacks,
separates defenses that work from defenses that don't, and provides analytical tools that attendees
can use to objectively evaluate the exploitability of mobile platforms. Finally, we use this
empirical data on attacker capabilities to make projections on where mobile malware is headed in
the near to long term.
Security Data Management: It's All About Visibility
Aaron Turner, Co-Founder, N4struct
In today’s world of targeted and persistent attacks, it’s critical that security managers are able
to articulate security in business terms in order to invest adequately in, and respond to, the
threats that matter to the bottom line. To do so, they need a constant feed of network and host
intelligence to understand an enterprise’s IT environment, where the greatest risks lie and what to
do about them. In this session, you’ll get insight into the importance of visibility and
intelligence, and into how to manage and normalize the security data generated by SIM, log
management, network security and vulnerability assessment tools in order to prioritize your
security and compliance efforts.
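The normalize-then-prioritize workflow the abstract refers to, as an added example that is not the session's material: constructed sample records in simplified stand-in formats (a scanner CSV row, sshd syslog lines, a Snort-style fast alert) are mapped onto one event schema, and hosts are then ranked against a constructed asset inventory. The record layouts, the asset list, the severity mapping and the scoring weights are all assumptions made for illustration, not any product's real format.

```python
"""Normalize records from several security tools into one schema, then rank hosts.

Added example (not the session's own material). Sample records, the asset
inventory, the severity mapping and the scoring weights are all constructed
for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    source: str    # tool that produced the record
    host: str      # affected host, as an inventory name where one is known
    category: str  # "vuln", "auth" or "ids"
    severity: int  # normalised to 0..10
    detail: str


# Constructed asset inventory: name -> IP and business criticality (1..5).
ASSETS = {
    "web01": {"ip": "10.0.0.7", "criticality": 5},
    "db02": {"ip": "10.0.0.8", "criticality": 4},
    "hr-laptop": {"ip": "10.0.0.9", "criticality": 2},
}

# Constructed sample records; layouts are simplified stand-ins for real tools.
VULN_CSV = [  # host,plugin_id,cvss,title
    "web01,12345,9.8,Remote code execution in web framework",
    "db02,23456,5.3,Weak TLS cipher suites enabled",
]
SYSLOG = [
    "Jun 12 10:00:01 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 4022 ssh2",
    "Jun 12 10:00:03 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 4023 ssh2",
    "Jun 12 10:01:00 hr-laptop sshd[888]: Accepted publickey for alice from 10.0.0.9 port 5000 ssh2",
]
IDS_ALERTS = [  # Snort-style "fast" alert format
    "06/12-10:00:02.123 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 203.0.113.5:4022 -> 10.0.0.7:22",
]

AUTH_RE = re.compile(
    r"^\w{3}\s+\d+ \S+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)
IDS_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<sig>.+?) \[\*\*\] \[Priority: (?P<prio>\d)\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
IDS_PRIORITY_TO_SEVERITY = {1: 9, 2: 6, 3: 3}  # assumed mapping, 1 is most severe


def ip_to_host(ip):
    """Resolve an IP to an inventory name so IDS and scanner data line up."""
    for name, asset in ASSETS.items():
        if asset["ip"] == ip:
            return name
    return ip


def parse_vuln(line):
    host, plugin, cvss, title = line.split(",", 3)
    return Event("scanner", host, "vuln", round(float(cvss)), f"{plugin}: {title}")


def parse_syslog(line):
    m = AUTH_RE.match(line)
    if not m or m["outcome"] != "Failed":
        return None  # successful logins are not events in this model
    severity = 6 if m["user"] == "root" else 3
    return Event("syslog", m["host"], "auth", severity,
                 f"failed login for {m['user']} from {m['src']}")


def parse_ids(line):
    m = IDS_RE.search(line)
    if not m:
        return None
    severity = IDS_PRIORITY_TO_SEVERITY.get(int(m["prio"]), 1)
    return Event("ids", ip_to_host(m["dst"]), "ids", severity,
                 f"{m['sig']} from {m['src']}")


def normalize(vuln_lines, syslog_lines, ids_lines):
    """Map every tool's records onto the common Event schema."""
    events = [parse_vuln(l) for l in vuln_lines]
    events += [e for e in map(parse_syslog, syslog_lines) if e]
    events += [e for e in map(parse_ids, ids_lines) if e]
    return events


def prioritize(events):
    """Rank hosts by summed worst-per-category severity, weighted by asset
    criticality, with a bonus when a vulnerable host is also under attack."""
    worst = defaultdict(lambda: defaultdict(int))
    for e in events:
        worst[e.host][e.category] = max(worst[e.host][e.category], e.severity)
    ranking = []
    for host, cats in worst.items():
        criticality = ASSETS.get(host, {}).get("criticality", 1)
        correlated = "vuln" in cats and ("ids" in cats or "auth" in cats)
        score = sum(cats.values()) * criticality * (1.5 if correlated else 1.0)
        ranking.append((host, round(score, 1)))
    return sorted(ranking, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for host, score in prioritize(normalize(VULN_CSV, SYSLOG, IDS_ALERTS)):
        print(f"{host:10} {score}")
```

The point of the common schema is that a CVSS score, a failed root login and an IDS priority are never compared directly; each parser maps its own scale onto the same 0..10 severity, and the ranking then adds business context (criticality) and correlation (a vulnerable host that is also being probed outranks either signal alone). Successful logins are deliberately dropped here to show that normalization also means deciding what is not an event.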
This was first published in May 2012