At Information Security Decisions 2007, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't make it to Chicago for this year's event, worry not. Below you can download speaker presentations from a selection of this year's sessions. Feedback on Information Security Decisions 2007 presentations can be submitted via SearchSecurity.com.
Why security should embrace disruptive technologies
Christofer Hoff is Unisys Corp.'s chief architect of security innovation. Before Unisys, Hoff served as Crossbeam Systems' chief security strategist, responsible for the company's overall security strategy and product management efforts. Before joining Crossbeam, he was chief information security officer and director of Enterprise Security Services for WesCorp, a $25 billion financial services cooperative, drawing on expertise gained as founder and CTO of a national security consulting company that served Fortune 500 and service provider customers. He is a featured speaker at numerous information security events, holds several security credentials, including CISSP, CISA, CISM and IAM, and is an accomplished and accredited technical instructor.
Database security: A Christmas carol
In 2006 there were 335 publicized data breaches in the U.S. With the fifth anniversary of the SQL Slammer worm drawing near, now is as good a time as any to look back on the history of database security. In this presentation, renowned database security expert David Litchfield asks how far we have come since then and whether our data is any more secure today. And what of tomorrow? How will our database systems fare in a world of emerging threats? Have we learned our lesson, or will we be consigned to the graveyard of statistics?
Building a framework-based compliance program
Compliance is constantly evolving, and there are frequent updates that you need to keep track of. One way to deal with the updates and track your progress is to use compliance frameworks such as COSO and COBIT. In this session, compliance guru Richard Mackey, vice president, SystemExperts, shows how to build a compliance program on those frameworks and, with it, a more effective risk assessment program.
Case study: How to map compliance to risk
When you were first faced with the reality of compliance, you spent your time dealing with and interpreting the various regulations, and may have even brought in auditors to help with this often daunting task. Today, the realization is that compliance is an ongoing process that you must tie to your risk management strategy. But how much is all this going to cost? In this session, Jeff Reich, information security officer, CompuCredit, shows you what has worked for his company.
How to navigate regulations in both the U.S. and abroad
There are 51 countries, eight U.S. agencies and 35 U.S. states with privacy laws on the books. Needless to say, figuring out if your organization is adhering to the appropriate privacy regulations is increasingly difficult. The complexity and inconsistencies are forcing companies to approach compliance in a holistic manner. David Mortman, CSO in-residence, Echelon One, offers guidance on tackling compliance with a multidisciplinary approach.
Stop the madness: Key technologies that bring compliance under control
With more than 35 state disclosure laws and new industry regulations, mapping controls to technology is more important than ever. A technology fix for SOX compliance may be different from a solution for PCI. And there's no lack of vendor hype claiming the silver bullet for solving compliance woes. But which technologies really work? Trent Henry, senior analyst, Burton Group, has the answers.
Attacking and defending Web 2.0
The Web is the new fertile ground for researchers and attackers, as the old world of single-entity Web sites has given way to Web 2.0 social networks, syndication, mashups and "rich" Web clients. But what does that mean for you, the security professional? It means you had better be gearing up to protect your Web environments, including both clients and servers. Pete Lindstrom, senior analyst, Burton Group, provides a strategic framework for understanding where Web 2.0 environments are vulnerable and the nature of the attacks they face.
Why botnets have evolved into your worst nightmare
Everyone is still talking about botnets, yet distributed attack tools were first seen in 1999 and have steadily grown in size and capability ever since. What was once a hobby, and then an annoyance, is now a profitable criminal activity. Breaking into computers has gone from an end in itself to just the beginning. Today, groups take control of over a million computers at a time and use them for spamming, click fraud, identity theft and industrial espionage, on top of good old DDoS. In this session, researcher Dave Dittrich of the University of Washington Center for Information Assurance and Cyber Security explains the key issues and the best defensive measures.
Reality check: Emerging threats in 2008
Financial incentives are encouraging attackers to invest significant money and effort in powerful techniques designed to breach enterprise defenses. Now that fortune rather than fame drives these attacks, it is critical to stay several steps ahead of the threat landscape. In this presentation, Lenny Zeltser, information security practice leader at Gemini Systems, explores today's most pressing emerging threats and those you can expect further down the road.
Security in the real world: How Barclays handles insider threats
As head of information risk management at Barclays and a 2006 Information Security magazine Security 7 winner, Stephen Bonner explains how Barclays deals with insider threats. Learn what Bonner has discovered and how to adopt Barclays' risk management initiatives for your own organization.
How to lock down data in motion
Tom Bowers, founder and managing director of consulting firm Security Constructs, demonstrates the vulnerabilities of data in motion. Review the top five techniques for protecting your data once it leaves the confines of its archive or storage device.
Creating a proven data protection strategy
Breaches, compliance and the growth of unstructured data leaving an enterprise have fueled the need for data governance policies. By creating a data protection framework, security professionals are able to control valuable data and make more effective use of the assets within a company. Russell L. Jones, principal, Security Services Group, Deloitte & Touche LLP, provides the fundamentals required to create a plan, organize and implement policies and procedures and secure your data.
Hype vs. reality of Windows Server 2008 and Vista: Are they more secure?
The successor to Windows Server 2003 is set to launch this fall. And because Windows Server 2008 (previously codenamed Longhorn) is built on the same code base as Vista, it will contain many of the new security enhancements found in Vista (and perhaps many of the gaps). In this session, Elizabeth Quinlan, technical lead, HynesITe, reviews some of the newest features and the opportunities and challenges these OSes present in terms of implementation.
How SIMs saved the day
Security information management (SIM) systems automate the process of looking through logs to produce effective reports, issue alerts and provide a bird's-eye view of the network. In this session, Interval International CISO Sasan Hamadi explains why he opted for a SIM and gives a frank account of the lessons learned so you can avoid the pitfalls he encountered.
Answering the hard questions about network access control (NAC)
This session focuses on nine hard questions that you should be able to answer when trying to integrate NAC into your enterprise LAN. Joel Snyder, senior partner at Opus One, answers them.
How to make IDS more useful
Intrusion detection systems (IDS) are not dead, at least not yet. However, pulling an IDS out of the box and plugging it in can be a big waste of money. It takes a solid strategy and careful planning to make the investment pay off. In this session, Joel Snyder, senior partner, Opus One, shows you how to make the most of an enterprise IDS.
Locking down the messaging platform: Exchange 2007
Exchange/Outlook is the email platform of choice for many organizations, but has Microsoft done enough to secure it? Looking beyond the patches, Lee Benjamin, messaging architect, ExchangeGuy Consulting, reviews the ins and outs of the Exchange 2007 security improvements and offers tips on secure enterprise messaging.
This was first published in November 2007