IMI Security Symposium - Abstracts
"Application Security through a Hacker's Eyes"
Speaker: James Walden
Hackers are increasingly bypassing firewalls and other traditional protection mechanisms by attacking your applications. This talk will show the techniques hackers use to discover the attack surface of your applications, reverse engineer their functionality, and craft exploits to make money by stealing data. Reverse engineering techniques discussed will focus on those applicable to web applications, including source code auditing and fuzz testing. Additionally, the talk will cover how current application trends are impacting security, including how technologies like AJAX are increasing the attack surface of your web applications.
"Computer Forensics - Response from Law Enforcement"
Speaker: Douglas Roden
Computer systems and technology place the world at our fingertips. Cyber space has no national boundaries. What is your organization doing to protect its intellectual property from cyber criminals and to ensure the safety of its employees? “Computer Forensics – Response from Law Enforcement” focuses on the procedures that should be followed from the moment a cyber intrusion is discovered on your network. Learn about the preservation of critical evidence, the computer forensic examination process, and the local resources that let you “get connected” and “be prepared”.
"Hackers, Crackers, Bots, Malware and Phishers - Oh my!"
Speaker: Patrick Gray
The Internet threat landscape has shifted. What used to be a playground for hackers, crackers and script kiddies, is now a borderless abyss of organized crime fueled by financial gain. Cisco's Patrick Gray, a twenty-year veteran of the FBI and Senior Security Strategist will explore the current threat landscape by highlighting the newest cyber criminals and examining the latest tactics employed by these predators. Gray will address how spammers, phishers, worm writers and hackers interact with this new crime element and how we can prepare our infrastructures to stave off these relentless attacks and protect our critical business assets. Additionally, Gray will touch on chatter in the underground and threats to our critical infrastructures including voice and wireless networks.
"Information Security ROI"
Speaker: Frank Braun
"How to comply with HIPAA regulations without impacting patient outcomes"
Speaker: Dean Smith
The Health Insurance Portability and Accountability Act was passed by Congress with the intent of allowing health insurance to travel with a person regardless of job or location. It was also intended to reduce paper and improve insurance claim processing. It has become much more with the addition of the security rules and has daily implications for the delivery of healthcare. The security of Protected Health Information (PHI) is a vital responsibility not only for a security officer, but for everyone who comes in contact with this information. This presentation will provide helpful information about the decision-making process when requests for information are received from regulators, insurance payers, physicians, and other interested parties. What are the parameters to approve, modify, or deny the request? Who can approve or deny a request? What elements of a request should cause an employee to question it?
"Managing Software Security Risks Using Application Threat Modeling"
Speaker: Marco M. Morana
Application threat modeling is a systematic and strategic methodology for identifying threats to the application environment, the vulnerabilities those threats can exploit, and the countermeasures that mitigate them. Risk modeling is the process of ranking and prioritizing the risks posed by such threats, that is, the probability that a threat will exploit a vulnerability to cause a business impact. With a prioritized list of threats, risk managers can make risk management decisions such as which threats should be mitigated first with countermeasures. When threat modeling is applied during the software development lifecycle (SDLC), applications can be made secure by design, development, and deployment: threats identified before the application reaches production can be mitigated by implementing a secure architecture, following secure coding standards, and validating the application's resilience to threats and vulnerabilities with use and abuse test cases and ethical hacking assessments. The intent of this presentation is to give security practitioners in different roles and specialties an overview of threat modeling, both as a tactical security assessment activity to identify security design flaws in applications and as a strategic security risk management activity to manage software security risks within and outside the SDLC.
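The enumerate-then-rank process described in the abstract, as an added example that is not part of the symposium page or the speaker's materials: a small three-tier web application is expressed as data-flow-diagram elements and flows, threats are enumerated per element using the STRIDE-per-element table (an assumption, since the abstract names no particular taxonomy), each threat is scored as likelihood × impact, and a countermeasure plan is applied to see which high-risk threats are still open. All element names, trust zones, the 1..5 scoring scales, and the countermeasure plan are constructed for illustration.

```python
"""Added example: a minimal application threat model as data.

Not from the symposium page or the speaker's materials. Element names,
zones, scoring scales, the STRIDE taxonomy choice and the countermeasure
plan are all assumptions made for illustration.
"""
from dataclasses import dataclass

# STRIDE categories applicable to each DFD element kind (STRIDE-per-element).
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entity: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six categories
    "datastore": "TRID",  # data store: Tampering, Repudiation, Info disclosure, DoS
    "dataflow": "TID",    # data flow: Tampering, Info disclosure, DoS
}

# Assumed likelihood (1..5) that an attacker can reach an element in a zone.
LIKELIHOOD_BY_ZONE = {"internet": 4, "dmz": 3, "internal": 1}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # a key of STRIDE_PER_ELEMENT other than "dataflow"
    zone: str   # trust zone, a key of LIKELIHOOD_BY_ZONE


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


@dataclass
class Threat:
    target: str
    category: str       # one STRIDE letter
    likelihood: int     # 1..5
    impact: int         # 1..5 (assumed business impact)
    countermeasure: str = ""

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def crosses_trust_boundary(flow, elements):
    """A flow whose endpoints sit in different trust zones crosses a boundary."""
    zone = {e.name: e.zone for e in elements}
    return zone[flow.src] != zone[flow.dst]


def enumerate_threats(elements, flows, impact):
    """One Threat per (target, applicable STRIDE category).

    Likelihood comes from the element's zone; a flow that crosses a trust
    boundary gets the highest likelihood, an internal-only flow the lowest.
    Impact is looked up per target name, defaulting to 2.
    """
    threats = []
    for e in elements:
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, cat, LIKELIHOOD_BY_ZONE[e.zone],
                                  impact.get(e.name, 2)))
    for f in flows:
        lik = 4 if crosses_trust_boundary(f, elements) else 1
        for cat in STRIDE_PER_ELEMENT["dataflow"]:
            threats.append(Threat(f.name, cat, lik, impact.get(f.name, 2)))
    return threats


def prioritize(threats):
    """Highest risk first; the sort is stable so ties keep enumeration order."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def apply_plan(threats, plan):
    """Attach countermeasures keyed by (target, category); returns the list."""
    for t in threats:
        t.countermeasure = plan.get((t.target, t.category), "")
    return threats


def open_risks(threats, threshold):
    """Threats at or above the risk threshold with no countermeasure yet."""
    return [t for t in prioritize(threats)
            if t.risk >= threshold and not t.countermeasure]


# Constructed sample model: browser -> web app in the DMZ -> internal database.
ELEMENTS = [
    Element("browser", "external", "internet"),
    Element("webapp", "process", "dmz"),
    Element("reportjob", "process", "internal"),
    Element("userdb", "datastore", "internal"),
]
FLOWS = [
    Flow("login", "browser", "webapp"),        # crosses internet -> dmz
    Flow("sqlquery", "webapp", "userdb"),      # crosses dmz -> internal
    Flow("batchread", "reportjob", "userdb"),  # stays internal
]
IMPACT = {"userdb": 5, "sqlquery": 5, "login": 4, "webapp": 4}  # assumed
PLAN = {  # assumed countermeasure plan, keyed by (target, STRIDE letter)
    ("sqlquery", "T"): "parameterized queries; least-privilege DB account",
    ("sqlquery", "I"): "TLS between app and DB; no secrets in query logs",
    ("login", "T"): "TLS plus CSRF token on the login form",
    ("login", "I"): "TLS for the browser session",
    ("webapp", "E"): "server-side authorization check on every request",
}

if __name__ == "__main__":
    threats = apply_plan(enumerate_threats(ELEMENTS, FLOWS, IMPACT), PLAN)
    for t in prioritize(threats)[:6]:
        print(f"{t.risk:2d} {t.target:10s} {t.category} {t.countermeasure or '<open>'}")
    print("open threats at risk >= 12:", len(open_risks(threats, 12)))
```

Running it lists the cross-boundary SQL flow first (risk 20) and reports seven threats at risk 12 or above that the plan leaves uncovered; those are the items a risk manager would schedule next, or accept with a documented reason.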
“New Regulations & Compliance Issues: How to Stay One Step Ahead”
Speaker: Blair Semple
Encryption is quickly becoming a widespread consideration in the deployment of many Enterprise Storage Systems. However, Storage Security is so much more than simply encryption. Blair Semple, CISSP-ISSEP, Storage Security Evangelist with NetApp, will review the storage security market as well as the issues and regulations that are driving it (HIPAA, PCI, SB1386, etc.). He will then delve deeper into the various vulnerabilities in Storage infrastructures and review the emerging standards and technologies that combine to form a comprehensive, Defense-in-Depth Storage Security Strategy.
“No Phishing Allowed”
Speaker: Charles Frank & Laurie Werner
This presentation describes the current impact of phishing on computing. We present educational tools that train employees and students to recognize phishing emails and discuss the effectiveness of those tools. Finally, the talk evaluates potential solutions to the phishing problem.
“Preparing for the Information Technology Security Audit”
Speaker: Tiffany Braun
“Security in a Wireless World”
Speakers: Kelley Ealy, CBTS & Byron Brantley, CinBell
Wireless networks are more powerful, more cost-effective, easier to deploy and more in demand than in years past. It is no surprise that it is estimated that by 2012 over 70% of new worldwide voice and data client-to-LAN connections will be wireless. In this presentation, we will explore multiple facets of wireless usage, including the wireless network infrastructure and mobile devices. The discussion will be rounded out with a look at risks, security best practices and emerging technologies in our wireless world.
"Privacy and Security from a National Perspective"
Speaker: Lisa Gallagher
Every day, patient medical data are created, stored, and transferred electronically. Therefore, issues of patient privacy and data security are becoming an industry priority. Topics of this presentation will include: privacy and security challenges in the information sharing environment, current state of privacy, security initiatives within the healthcare industry at the national and state level, and hot privacy and security topics.
“Risk Management in Open Source”
Speaker: Ria Schalnat
Open Source has been around for decades but, until August 2008, legal decisions bolstering the enforceability of open source licenses were non-existent. A recent decision from the Federal Circuit has reinvigorated the debate surrounding open source. How secure is open source code, and what risks do you face both as a recipient and as a distributor of that code? How does the language of the major open source licenses (GPL, Apache, etc.) affect these issues, and what steps can your organization take to minimize risk in all three areas?
"Security Education – Training and Awareness"
Speaker: Steve Brown
Security Policies are the most vital component of any company’s Information Security strategy. Without Executive and HR-approved policies in place, any implementation of security technology is only a band-aid. Companies must review their policies and ensure that they have a thorough strategy which conforms to industry best-practices. That strategy is then propagated throughout the organization through Standards, Guidelines and corporate culture.
Any company can put security technology in place, but this doesn’t take into account the interconnection of every piece of technology in the organization, including mobile devices, USB keys, CD-R, laptops, remote access, public-facing web sites/applications, etc. Unless that interconnection is recognized and taken into account through the proper formation, publication and dissemination of Corporate Policy, security will always be an unknown. And in this world of daily increases of threats, a company cannot afford to not implement a broad, sensible and flexible strategy.
Randall will speak about the absolute necessity of having a well-conceived Corporate Policy in place, potential avenues for the implementation of such Policies, and how to train employees to fully understand and participate in the actualization of the Policies through their every-day work activity.
"Security and Ethically Informed Crisis Communication"
Speaker: Greg Deblasio
Issues related to public health are never a stranger to emergency and crisis communication. Policy and procedural messages need to be timely and reliable. Additionally, the integrity of communication plans and messages needs to stand up to the scrutiny of ethical standards. This presentation will demonstrate how the application of ethical frameworks helps ensure that the response to emergency and crisis situations will withstand decision-making review. From that standing, the agency or organization gains security during and following a crisis.
"Security in a Higher Education & Health Care Environment"
Speaker: Doyle Friskney
The role of a public university has not changed with the advent of the internet; the goal is still research and teaching. The internet has added a new dimension to the role of Information Technology: to ensure that all content is appropriately secured while all individuals retain open access to information. That responsibility is further challenged by the requirements of a teaching hospital, which wants complete freedom of knowledge transfer but acknowledges the patient's right to privacy.
This talk will describe the efforts the University of Kentucky has undertaken to ensure it is as secure as it needs to be and to also ensure the university maintains its responsibility as a public university.
"Security Landscape"
Speaker: Frank Molsberry
In this session we will examine some of the macro trends that are impacting security solution architectures. We will present the simplified Dell taxonomy for security and look at the technology landscape in each of these areas.
"With Access Comes Risk"
Speaker: Dave Marcus
Organizations are beginning to implement Web 2.0 tools and to adopt traditional consumer technologies such as YouTube, instant messaging, LinkedIn, and virtual worlds like Second Life, with the promise of wider collaboration and greater connectivity to their customers and communities. However, this also raises new concerns about how to protect company assets - both systems and data - while allowing the adoption of new technologies. Traditional approaches to data and system protection, such as firewalls and other perimeter defenses, are not adequate protection strategies for tomorrow's technologies. Join David Marcus, Senior Director of Research for McAfee's AVERT Labs, to hear a pragmatic approach to both the policy and the technical controls needed to protect against the threats of tomorrow.