Clicking a session code on the timetable page will bring up the relevant session details that are found on this page.

You can use the links below to skip to the day in which you are interested. Click on a speaker's name to read his/her bio.




SATURDAY 22nd & SUNDAY 23rd
OPTIONAL PRE-CONFERENCE TRAINING


S1 SABSA Chartered Architect (Foundation) Intensive Study Camp & Examinations David Lynas

Using the internationally-acclaimed SABSA® (Sherwood Applied Business Security Architecture) best practice framework, this intensive study camp facilitated by SABSA co-author David Lynas will combine the two Foundation Level modules of the SABSA Chartered Architect certification programme into two and a half days instead of the five normally required.

Module One "SABSA Information Security Strategy and Planning" (normally 2 full days) provides participants with a comprehensive understanding of the SABSA framework: what it is; how it works; what it delivers. Find out how to use the most proven security architecture design and management processes and how to develop a comprehensive strategy for the creation of a security architecture that genuinely meets the needs of your organisation.

Module Two "SABSA Information Security Service Management" (normally 3 full days) provides a thorough practitioners' exploration of the SABSA Security Service Management framework. Find out how to design, deliver and support a comprehensive security services architecture that provides the overarching method to manage your way through the abundance of diverse standards and security requirements and that integrates fully and seamlessly with your existing IT and business practices.

Content modules for the weekend study camp include:

  • The SABSA Framework;
  • Information Security Strategy;
  • The SABSA Practitioner Guide;
  • The SABSA Security Management Framework;
  • The SABSA Policy and Risk Management Framework;
  • The SABSA Integrated Assurance Management Framework;
  • Security Services Design;
  • Security Services Delivery and Support;
  • Security Services Performance Management;
  • Examination Preparation for Foundation Modules F1 and F2.

The most significant learning outcomes from the comprehensive SABSA competency map utilized for these modules include:

  • Define information security and its role in the modern enterprise;
  • Define architecture and its role in the modern enterprise;
  • Explain security engineering principles, methods and techniques;
  • Describe the SABSA model, architecture matrix, service management matrix, and terminology;
  • Describe SABSA principles, framework, approach and lifecycle;
  • Use business goals and objectives to model information security requirements;
  • Describe methodologies for business case development and enterprise value propositions;
  • Apply key concepts and principles to the design of information security strategy;
  • Define architecture governance, compliance and maintenance processes;
  • Create a business attributes taxonomy;
  • Describe security domain models and explain conceptual business trust models;
  • Use the SABSA method to create an holistic framework for implementing and managing standards relevant to your organisation;
  • Describe the key elements of an effective organisation and decision-making structure for information security including definition of key roles and responsibilities;
  • Explain how to create and maintain plans to implement governance, assurance and compliance frameworks;
  • Describe appropriate policy architecture and determine policy, process and procedure content;
  • Discuss the organisational structures required for effective information security reporting and communications;
  • Explain the key elements and framework required for an effective operational risk programme;
  • Explain how to develop information security awareness culture;
  • Explain the range of approaches and techniques to manage information security processes;
  • Discuss information security related aspects of third party relationships.


MONDAY 24th
COSAC MASTER CLASSES


M1 COSAC International Security Round-Table Forum John O'Leary

September 2007 will see the seventh annual COSAC Forum, a spirited, peer-exchange based, full-day immersion into the COSAC way. We've all had our share of wins and losses in lobbying for and making compromises and actually doing the nuts and bolts of security for our organizations' information resources. We can also look to at least the near future and isolate those issues which will be crucial for our own firms and probably others. Actual experiences, yours and others'; opinions based on sound judgment or grizzled-veteran intuition; what you read; what you heard; organizational folklore, what someone else swore to… are all fair game for the give and take of this one-day roundtable in which experienced security practitioners help and challenge each other via realistic feedback, guidance, encouragement and critiquing based on earned knowledge and the certainty that all participants either have been in similar situations or will be before long.

COSAC always provides some of the best IT security speakers on the planet, and their analyses and recommendations and coping strategies are extremely helpful. However, the chance to compare notes, strategies and techniques with others who are fighting the same political battles, aren't trying to sell you something and are forced to make the same concessions to reality on an everyday basis makes a one-day session like this both different and uniquely valuable. Your cohorts know that some vendor-driven, even executive-driven solutions which appear technically elegant and look really good on paper or a slick Powerpoint can be somewhat clunkier and less agile in operation and be stopped in their tracks by a previously unseen internal political consideration, a change in department personnel, an erroneous parameter setting or the passage of a new law in some venue where you do business.

The essence of these sessions is give and take; therefore, participants must be prepared to discuss topics freely and be willing to contribute to discussions, even to have their solutions subjected to the scrutiny and analysis of peer review. In the past, the forum's moderator, CSI's John O'Leary, has posted lists of potential topics for the forum and had participants decide what they'd like to discuss, even to the extent of volunteering to give short presentations or start the discussion on some relevant topic. This year's understandably incomplete list of potential topics appears below. Participants are also free to suggest topics at the start of the forum, and experience suggests that people who come to this session are not shy about doing so. Repeat attendees will verify the next statement, one which epitomizes both COSAC and the Forum: the better prepared you are, and the more you put into this session, the more you'll get out of it.

Potential Topics for 2007:

  • NAC
  • Privacy Issues
  • Disaster Recovery/Business Continuity
  • Identity Management
  • Spam Control
  • Security Architecture
  • Security Budgeting
  • Implementing Wireless Security
  • Security Metrics
  • Security Team Job Descriptions and Requirements
  • Effective Interfacing with Other Groups
  • Outsourcing
  • Social Engineering Defense
  • Incorporating Security into the Business Model
  • Threat Management
  • IDS vs. IPS
  • Getting & Keeping Management Commitment
  • Patch Management
  • Risk management

The list, of course, is not all-inclusive. But discussions started at the Forum tend to carry on through COSAC, even through COSACs, and lead to realistic, workable security solutions. Come join us.




M2 Security Interviews & Interrogations: A Neuro-Linguistics Master Class Justin Peltier & Brad Smith

This one-day COSAC Master Class features scenario-based skill sessions that will help you learn and apply the concepts of Neuro-Linguistic Programming (NLP) to security interviewing and investigation. Seldom taught outside of law enforcement, these skills are valuable when interviewing potential security staff, evaluating staff difficulties, or understanding what vendors are really saying. We'll analyze three different methods of evaluating the "truthfulness" of statements and discuss five responses people make during an interview or interrogation, and how to use these to your benefit.

You'll quickly learn to apply NLP skills by using scripts, role-playing, and practice sessions in conducting interviews and interrogations. You'll also get a feel for being on the other side of the table. Come join us, have fun, and improve your communication with everyone you interact with.

In this course you will:

  • Understand the difference between an interview and an interrogation, and how to use it
  • Participate in scenarios for five computer security situations based on real-life events
  • State the purpose of, and the return gained from, the demonstration of 9 Neuro-Linguistic Programming techniques needed during a security investigation

Takeaways include:

  • Homework practice sheets to improve your skills
  • Review sheets to help you quickly remember your skills



M3 CobiT Master Class for Security Professionals Erik Guldentops

Control Objectives for Information and related Technology (CobiT) helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. CobiT has been developed as a generally applicable and acceptable standard for good Information Technology security and control practices that provides a reference framework for management, users and IS auditors but, more importantly, comprehensive guidance for management and business process owners. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility.

An extended version, CobiT 4.0, was issued in December 2005 and has very recently been updated. All participants should download a free copy from www.isaca.org.

Current updates for CobiT 4.1 are adding control practices and assurance steps and using that material for an enhanced Implementation Guide and a new, extensive Assurance Guide.

This 1-day workshop will comprise:

  • A short introduction to IT Governance, covering its subjects of alignment, value delivery, risk management and performance measurement. A major element of IT Governance is the adoption of a control framework and CobiT is the internationally accepted standard for that. How IT Governance and CobiT relate will be explained
  • A walkthrough of the CobiT framework and concepts will be performed specifically covering its Control Objectives, Management Guidelines and Maturity Models. This will be illustrated with how this material is being used, and followed with explaining and illustrating the new Control Practices
  • CobiT will then be compared to other standards like ISO17799, ITIL and others. Results of some recent international surveys will help understand how enterprises use CobiT and how mature they are relative to the CobiT Maturity Models. A quick maturity assessment will be performed
  • Other CobiT products such as CobiT Online, CobiT QuickStart, the Implementation Guide and the CobiT Security Baseline will be introduced where time allows
  • Short exercises on IT Governance awareness and on how business goals drive IT goals will be performed. A more elaborate exercise is also part of the programme, on determining important control objectives based on business and IT goals and on how to formulate assurance activities for these control objectives. These exercises will focus on Change Management and on Ensuring Systems Security


M4 Security for Mobile Users E. Eugene Schultz

The user computing environment has changed considerably over the last decade because of the increased mobility of users. Mobility poses many security-related challenges (anonymous connections, "always on" connections, cleartext network traffic, wireless networks, and so on), many or most of which are typically not adequately addressed, even though proven solutions exist. Topics covered in this course include:

  • Introduction
  • Vulnerabilities
  • Policies and procedures
  • Securing wireless networks
  • Securing handheld devices
  • Evaluating and auditing security in mobile environments
  • Wrap-up

This course is appropriate for IT security and audit staff and for system and network administrators. It contains a mixture of technical and non-technical content. A fundamental knowledge of networking, and particularly of network security, would be helpful but is not necessary.



TUESDAY 25th
SESSIONS



A1 Critical Pathing Attacks Justin Peltier

This session will focus on new techniques for determining the response to attacks on networks. The discussion will focus on taking critical pathing from the medical community and applying the same decision trees to intrusion detection, intrusion prevention, and incident response. This session will look for important events and responses which can move an attack from the high likelihood critical path to a low likelihood critical path. Using the port scan as the critical event, this technique should allow earlier discovery of a skilled attacker as opposed to an unskilled attacker.



A2 A Unique Approach to Attack Trace-Back Dr. Peter Stephenson

The concise description of the mechanisms of cyber attacks is a key element in tracing such attacks. The notion of trace-back of cyber attacks need not be based solely upon logs of attacks or packet header contents. Attacks either are or they are not. If they can exist at all, they will behave in a predictable manner on a very large scale-free network such as the Internet. It is this anomalous behavior, regardless of the specific attack, that allows trace-back of a cyber attack.

In this session, we describe the first stage of research into a novel approach to the understanding and application of cyber attack mechanics. First, we define exactly what we mean by cyber attack mechanics. Then we view the impact of the attack from the perspective of the Internet. Finally, we show that large, scale-free networks such as the Internet exhibit certain measurable and predictable characteristics such as a fractal topology, preferential attachment and susceptibility to attack without susceptibility to failure. Attendees will learn new ways to analyze complicated attacks using several techniques including link analysis, Colored Petri Nets and attack trees. These three methods will be demonstrated using both commercial and open source tools.

This approach offers the advantage of being able to describe, based upon attack mechanics, an approach to tracing cyber attacks. We show that it is possible, at least theoretically, to trace an attack over the Internet to its source regardless of the attacker's efforts at obfuscation, based at least in part upon the behavior of the Internet itself rather than wholly upon the behavior of the attack packets or their appearance in logs.



B1 Anatomy of an Incident - An Interactive Workshop Lawrence D. Dietz

All too often incidents are looked at in a sequential and stovepiped manner. Information Security professionals are concerned with the technical aspects of what happened, HR is concerned about employee welfare and retention, while the legal department has its own agenda. Employee actions in particular may trigger a myriad of responses that require input and recommendations from different parts of the organization. Further, employee conduct leading to administrative or legal action will no doubt require the collection and analysis of electronic evidence. Actions by competing companies or ex-employees may also lead to incidents worthy of attention.

This highly interactive session takes a look at all the elements of incidents, from discovery and reporting through traditional and cyber investigations and ultimately to legal action, either criminal or civil. Hypothetical case studies are used to illustrate the incident life cycle, including data forensics and electronic discovery, as well as the impact on information technology professionals of the new US Rules of Civil Procedure, which mandate early meetings to discuss discovery strategy and production. Role playing will be employed to allow attendees to learn the issues from another functional point of view.



B2 On-Line Contracts - How Computers Can Bind You Mark Rasch

The law of online contracts regulates virtually everything you do. It sets out your ownership of intellectual property, modifies copyright law, and sets the parameters for others' use of and access to your website or online resources. The online contract dictates what is "authorized" and "unauthorized" and therefore, to a great extent, what is permitted and what is a crime. Online contracts also dictate things like where you can and will be sued, what your damages might be, and what law applies to your website and its contents.

A series of cases have raised the question of whether automated programs like data backup programs, spiders, web crawlers or others can, by their actions, bind you to contract terms you have neither read, nor agreed to. Some websites have language that binds users to their terms and conditions if you merely "visit" the site, or if you copy content from the site. These may include an agreement to allow your activities to be monitored, up to and including agreements to pay licensing fees or royalties for merely viewing content.

This discussion will focus on the future of "clickwrap" contracts, and how they are viewed in different countries.



C1 How To Line Up 27001 Ducks Mike Softley

ISO 27001 has been around for a couple of years now and more organisations are making the decision to certify to this Standard or to commit to formally complying with it. Sometimes that is an internal decision to be able to demonstrate that the organisation takes security seriously; in many cases the market sector an organisation operates in is demanding certification. Whilst many are familiar with the control requirements of this Standard (inherited from ISO 17799), the requirements of an Information Security Management System often come as a bit of a surprise.

In developing an Information Security Management System it is very easy for organisations to fall into the trap of creating an overly bureaucratic, cumbersome system that is time-consuming and costly to maintain. In this session the relationship and differences between ISO 17799 and ISO 27001 will be explained. We will then look at what is really required and what is expected in order to successfully certify to ISO 27001. This will involve identifying the components of an Information Security Management System and what each should contain, and looking at the Plan, Do, Check, Act continuous improvement model that the certification process uses.

Finally, the certification process will be explained - what to expect, how to deal with the auditor and how long it takes.



C2 Case study of an end-to-end implementation of ISO 27001 in a State Government Agency John Rockwood

Recognizing that similar government agencies and educational institutions are frequent targets for hackers, the agency initiated actions to protect its assets. This effort will be culture-changing for the agency as it sets out to implement an Information Security Management Program (or System, ISMS) that will be ISO 27001 certification-ready. Presented will be a review of the processes the agency worked through to select:

  • a security requirements framework that closely aligns with business objectives and requirements
  • a security management methodology that will provide initial and on-going support for the program
  • a risk management methodology for determining a tolerable risk baseline and an assessment framework
  • development of senior leadership commitment, security roles and responsibilities, security architecture, security budgeting, metrics, policy, and building security into the business and the systems development lifecycle

Information security can no longer be ignored by our society. Government and business must work together to build public confidence and trust in the ability of agencies to provide goods and services that the public expects to be predictably available and secure. Included will be a process for mapping results to ISO 27001 and critical success factors for driving the implementation process in a state government agency.



D3 Rootkits: The Ultimate Type of Malware E. Eugene Schultz

Malware is always on the proverbial radar screen of information security professionals, but some types of malware pose considerably higher levels of risk than others. Viruses and worms, which only a few years ago posed high levels of risk, have recently become much more benign. In contrast, rootkits, which originally surfaced only a little over ten years ago, have moved to the forefront of malware-related threats that organizations currently face. This presentation explains what a rootkit is (and also what it is not), covers the ins and outs of rootkits, the relationship between rootkits and security-related risk, how to prevent rootkits from being installed in the first place, and how to detect and recover when rootkits have been installed in victim systems.



D4 Self-Defeating Networks: Using NAC to Hack Aaron Earle

Ask any sales person about Network Admission Control or Network Access Control (NAC) and you will get the common response "greatest thing since sliced bread". Now ask any engineer about NAC and you will get "you need to upgrade this, replace that, and install something on everything" - the hidden world of NAC. Today NAC is gaining so much steam that the basic concept is subject to wild interpretation. To make matters worse, the industry cannot even agree on what the letters NAC stand for, or whether the letters should even be NAC and not NAP. So many players and products, so many almost-finished standards, and no commonality: that is the real world of NAC today. Just trying to understand whose product you should buy, whether the benefits are worth the risk at this point, and whether your network is even capable of supporting your selected NAC solution is hard enough. Often, after all these time-consuming efforts materialize into a viable solution, the real concern about NAC - keeping hackers off your network - becomes a forgotten, overlooked item. This session will explore what is out there in relation to NAC, how it works, where the limitations lie, and how hackers can hack your NAC and create a self-defeating network.

Attending this session will provide first-hand experience and knowledge presented by a non-biased, neutral party quick to point out the pitfalls and weaknesses of the many current NAC initiatives.



D5 Bringing Down the Bad Guys Simon Gunning

With the high volume of cloned bank / financial service websites on the internet, companies are finding it very frustrating to get the offending sites removed. This session will look at the ins and outs of taking down a cloned site, including dealing with unhelpful ISPs, host providers and IT "bad guys".

The session will include issues related to international boundaries, co-operation with international law enforcement agencies, ISPs, domain registrars and other bodies, and a wide variety of dos and don'ts in relation to the actions taken to remove said sites.

As is normal with a COSAC session of this type, there will be lots of contentious issues, heated debate, and maybe even a few pantomime jeers as Simon delivers his now annual revelations. Your input and knowledge will be a great asset as always in this session.



E3 Information Security Metrics is Coming of Age; Are You Going to be at the Party? Gerry O'Neill

If you can't measure it, how can you prove that it's working? The long-standing challenge of what to measure, how to quantify it, and how to report progress to management … is about to be dealt a helping hand, in the form of an international standard on the subject.

ISO 27004 is the much awaited standard for "Information Security Management - Measurement"; a part of the 27000-family. It is anticipated for publication in early 2008, but is planned to be open for public comment at the time of COSAC 2007.

This session will include a review of the structure of the proposed Standard and will challenge whether it will give us the basis we need to better perform this aspect of our jobs.



E4 The Economics of Risk Management Scott A. Miller

This session will provide an alternative mental model to evaluate the if and how of addressing Risks. In order to do so, this presentation will utilize university-level macro-economics terminology and concepts.

How do we determine what is the right amount of security? When should we accept risks or reduce them? The framework for making this decision is not unlike any other business decision which organizations are required to make. It is simply an issue of applying supply and demand principles to Risk Management decisions. In the context of Risk Management, it is an issue of cost and benefit. We add/remove security until MC=MR. Alternatively, we increase/decrease our risk tolerance until MC=MR. But what drives those curves? And where do we stop along them? Or, more importantly, when should we? Additionally, we will look at factors which drive the position of those curves and the 'angle' of their slopes. Session attendees can expect to leave with a more holistic view of how to approach Risk Management using a model more easily understood by senior management.



E5 Less Risk, Higher Value - Sound Good? John Blackley

Information security risk is business risk - easy for people in the security business to comprehend but hard for the people in the 'business' business. This means that the people who are in the best position to make decisions about prioritizing security activities are the ones least likely to understand those decisions. Add to that our everlasting problem of answering "What is the value of security?" and you have two great opportunities for risk management done right.

In this highly interactive session, we'll look at how to make risk management drive the security programme (thereby satisfying a number of regulatory requirements). We'll also examine methods for using the risk management programme to educate and inform the people who make decisions. Metrics, feedback loops and surveys will be demonstrated to show how a risk management program 'done right' demonstrates the value of an information security programme to those outside of the privileged few who actually run the programme.

But be prepared to show and tell. This session's value to you will lie largely in your willingness to contribute ideas and examples from your world. As we go through the elements of an effective information security risk management programme, we'll add in your thoughts, and after the conference is over we'll share the results.



F3 Developing Pragmatic Information Security Strategy Erik Guldentops

This session will describe the steps to go through to identify the business drivers, security risk scenarios, frameworks and analysis methods for designing an enterprise information security strategy and translating that into an improvement plan. The session will show how to:

  • Populate the risk scenarios with significant threats, applicable vulnerabilities and material business impacts
  • Set up a self-assessment to identify the as-is situation
  • Leverage the business drivers to identify to-be positions
  • Identify the gaps and map them to best practices from CobiT and ISO17799

The session will conclude with an example on how this process can be demonstrated in a transparent and measurable manner to executive and line management.



F4 The Security Strategy End-Goal: What if You Had It All? John Ceraolo

Oftentimes practitioners are focused on the day-to-day or on their current project load for the year. But our role has always been to move with the business and to enable its strategy beyond our own. Yet many in our field will tell you repeatedly "I need more staff" or "my budget is not what it should be". This session's answer to that is "Alright, here you go - now what?". As business professionals we must show a strategy that is aligned to the organization, with measurable benefits and value-add. We'll explore what it would be like to have everything you wanted - money, staff - and ask you: "Are you successful now? Is it everything you thought it would be?". Before you go believing that money and resources will solve all of your problems, we will show you that they are all worthless without a plan - and a plan is pointless if it stands alone outside of your business. Come into this session with a budget and resource request, but be prepared to show why you deserve it and how revenues will grow. Here is a chance to make your case, in the most difficult landscape imaginable - in front of your COSAC peers!



F5 Strategic Roadmapping & Planning for Security, Risk Management & Governance - a Refresh Gerry O'Neill

The environment in which we do business is extremely complex and unrecognisable from that in which we operated just a decade ago. And it's getting more challenging. We have a constant battle keeping abreast of emerging issues and threats to our organisations, and trying to convince our senior executives that we are pointing their attention at the things which really matter. How can we constantly be sure that this is the case, in such a volatile environment?

A Masterclass at COSAC 2006 took a detailed look at the range of developments and change factors which affect the world in which we do business, particularly the changes arising from legal and regulatory developments, social and political changes and events, business and market trends, and technological advances and innovations. From these developments the group identified those that are likely to present as key drivers for our organisations, and tried to assess their implications for the way we operate, and the required response.

This session will build on that work and perform a refresh for the changes currently occurring, and attempt to establish a 'rolling benchmark' of the things which are exercising the COSAC audience. As these are highly participative sessions, they will be of interest to all attendees, not just those revisiting last year's session. Please bring an informed and open mind, and your presenter will do the rest!



PS1 It's not about the technology Jim Gamble

My input will challenge the commonly held view that child abuse on the internet is more about technology and the harm it can cause than people. My position is built on a foundation that acknowledges the neutrality of technology and the fact that posting or sharing images via the internet is a simple symptom of deviant behaviour, the responsibility for which lies with the motivated child abuser. The challenge for industry therefore is not the threat of new law but the demand for new thinking and demonstrable corporate social responsibility that inhibits offending behaviour and better protects the young and vulnerable in the environments they create. The bottom line for industry is what cost will they bear in the future if they fail to engage a 'safer by design' approach today?



PS2 Issues of the Day Hot Topic Forum John O'Leary

An extremely important and highly valuable aspect of COSAC is the Open Forum that follows the main stream of symposium sessions. All COSAC participants have the opportunity to submit questions, challenges or ideas throughout the day and real-time during the forum. Issues will be addressed openly by all of the day's presenters and participants.

Facilitated by John O'Leary, Director of Education at Computer Security Institute, today's forum aims to solve your problems and develop your ideas in any area discussed during COSAC or indeed for any topic not included in the main COSAC programme.




WEDNESDAY 26th
SESSIONS



G6 Identity & Access Management (IAM) Workshop -The Good, the Bad and the Ugly Michael Coady

This IAM workshop session has been developed for business & IT executives at organisations worldwide, particularly those who are still questioning decisions made in the past and struggling to understand how they can derive value from their IAM investment. It brings a practical approach to understanding the intricacies and pitfalls that occur during IAM deployments. This session identifies all that is good, bad and ugly about successful and failed IAM projects. It also covers the financial benefits of introducing the important Return-On-Negligence (RON) model. Providing information, guidelines and COSAC-style interactions, you will learn how to design a customized roadmap for a successful IAM implementation.

  • Identify key IAM business drivers
  • Recognize the business and financial benefits of IAM
  • Identify key stakeholders and learn how to approach them
  • Understand how to overcome challenges and obstacles, create acceptance and commitment
  • Understand how IAM fits into overall Enterprise management
  • Understand how to manage the complete decision making process
  • Recognize the key success factors for a successful IAM strategy
  • Walk away with valuable materials describing IAM best practices and practical steps to achieving your goals

Section 1: Business drivers - Productivity, Efficiency & Security. Defines IAM, then surveys the functional aspects of an IAM strategic solution and explains the rising need for IAM. This section establishes the importance of IAM by exploring the business drivers behind it.

Section 2: Business and Financial Benefits. Starts by describing the business benefits of IAM and continues to discuss financial benefits by introducing the important Return-On-Negligence (RON) model (i.e. the cost of doing nothing). This section defines RON and explains the importance of devising a clear and concise RON tailored to the participants' specific needs. The participants will then have the chance to develop their own RON model.

Section 3: Organizational View - Working Together. Maps the key stakeholders involved in an IAM implementation and their different agendas. Explains the reasons why each stakeholder might cooperate with or resist the IAM initiative and suggests the right way to approach their often-contradictory agendas. This section gives tips on how to successfully manage the decision-making process.



G7 Meeting Real-World Mobile Identity Management Challenges Andrew Townley

With over 71 million smartphones sold in 2006 and expectations of a worldwide market of 250 million units by 2010, it is impossible to ignore the business potential of addressing this market with new services. However, based on over 250,000 identity theft complaints in the US for 2006 and the increase of mobile malware, it won't be possible to address this market without adequately dealing with the identity management and authentication challenge. Doing this in a general way across the prominent mobile environments such as J2ME, Symbian OS, Linux and Microsoft Windows Mobile, is a daunting task due to the dizzying differences in device capabilities--specifically in memory, CPU and built-in support for strong encryption and authentication technologies.

Even though the capabilities of these devices increase with each generation, there will still be many older devices on the market or devices which are not running the latest versions of the base software. To adequately address this potential market means to find a way to deal with these differences while still providing appropriate assurance that the human on the other end of the connection is actually who they claim to be.

This presentation will examine some of the issues facing the deployment of applications which depend on strong authentication for m-commerce, mobile banking and electronic government, present the state of the art in mobile authentication technologies and techniques, and propose a framework leveraging aspects of the US Government's e-Authentication guidelines, PKI, virtual soft tokens and grid computing research. This framework can then be used to gracefully support both older and newer devices with varying capabilities, providing appropriate identity assertion levels to the target application and allowing it to automatically adjust the capabilities it offers to mobile users.



H6 Security in a Flat World John O'Leary

In his best-selling book, The World is Flat, Thomas Friedman tells us that connectivity and a host of innovations and activities have leveled the business playing field to such an extent that individuals in third world countries can reasonably compete with giant multinationals for contracts to provide goods and, especially, services.

OK, but what about information security in this flat world? Is there any? Do we need some? How much? Who decides? Who manages it? How good is it? Does it work the same everywhere? Are there topological bumps in our presumably flat surface? More importantly, what can we do about all this?

We'll answer all your questions and solve all your problems in an hour. If you believe that, then the world probably is flat. For doubters, we'll try to give you an idea of, and some realistic approaches for handling, the things you'll have to address in the near future, if not right now.



H7 Leveraging Information Security for Business-Centric Convergence Michael Hirschfeld

To a large degree, Information Security has made considerable progress in moving from a "Security" centric model to a "Business" centric model, whilst change in Physical Security and other areas of risk within the organisation has lagged behind.

The time has come to take the progress made in Information Security and "sell" these concepts to other areas within the organisation. The logical extension, as suggested above, is to Physical Security, but it could also include records management, document management and organisational risk management.

It is clear that the business driven approach to risk management being taken with Information Security is providing a much broader risk approach that delivers a number of benefits to both the business and the security team. These include: enabling business process, being able to quantify the return to the business, increased success of initiatives, and greater alignment of security processes with business outcomes and programs.

We can leverage these gains and benefits by broadening the enterprise-wide approach currently being deployed in information security to encompass other disciplines.

The methodologies are flexible and suited to this approach; however, there is a range of obstacles to be overcome.

This presentation argues that the time has come to push for this broader organisational approach to security and risk management based on our current approaches to information security. It looks at: the direct benefits to be gained in a number of disciplines including Physical Security and Records Management; considers the major obstacles this approach is likely to meet; and invites the audience to consider and critique some suggested ways forward.



I6 Myths of Our Times - Testing Anonymisation Jon Colombo

The subtle intricacies surrounding the control of the use of live data in test environments seem to have suddenly become one of those things that Information Security folks need to know about. Testers almost always want to make their 'sandpits' just like the real world. To them the solution is simple: swipe the data from production. This idea is anathema to InfoSec folks. They instinctively cringe at the idea. To them, dummy data is the answer - but that in turn frustrates the Testers. Traditionally the answer has been either to ignore the problem, or to mask, anonymise or pseudonymise the data in some way.

Current legislative and regulatory data governance pressures mean that ignoring the problem is an approach for only the truly brave. (The sort of bravery usually measured in short planks.) However, masking is in no way an easy option. It is neither as simple as it first seems, nor does it provide everything the testers need. Given that inadequately tested systems inevitably create information security issues, the poor InfoSec professional is truly caught on the horns of a dilemma - provide what the testers want and breach your own policies, or don't provide it and still breach them! As with many such dilemmas, the first step to solving the conundrum is to understand each side's point of view. This session aims to help this process. It looks at:

  • Why there is a problem;
  • The options available, their capabilities and limitations;
  • The test cycle and the needs it drives;
  • Possible solutions to the dilemma.
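The dilemma is easier to see with a concrete masking routine in front of you. The following is an added example, not material from this session or from Jon Colombo: it pseudonymises a constructed two-table extract (customers and orders, joined on a customer id) using keyed HMAC tokens, so that the same production value always maps to the same token, joins and field formats survive, and the mapping cannot be reversed without the key. It then shows the part that usually goes wrong in practice, identifiers repeated inside free-text columns. The key handling, table layout and sample rows are assumptions made for the example.

```python
"""Consistent pseudonymisation of a production extract for test use.

Added example (not from the COSAC programme). Assumes two constructed
tables joined on customer_id and a secret key that is managed outside
the test environment; nothing here is real customer data.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed sample extract standing in for production data (not real people).
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Murphy",
     "email": "alice.murphy@example.ie",
     "notes": "Called re invoice for Alice Murphy, cc alice.murphy@example.ie"},
    {"customer_id": "C1002", "name": "Bob Walsh",
     "email": "bwalsh@example.com", "notes": "VIP account"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 120.50},
    {"order_id": "O2", "customer_id": "C1002", "amount": 15.00},
    {"order_id": "O3", "customer_id": "C1001", "amount": 33.10},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def token(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic token: same key+field+value -> same token.
    The field name is mixed in so an id and an e-mail with identical
    text do not share a token."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudo_customer_id(key: bytes, cid: str) -> str:
    # Keep the 'C' + digits shape so format validation in the application still passes.
    digits = int(token(key, "customer_id", cid, 16), 16) % 10**8
    return f"C{digits:08d}"


def pseudo_email(key: bytes, email: str) -> str:
    # Syntactically valid address on a reserved domain: nothing can reach a real mailbox.
    return f"user-{token(key, 'email', email)}@example.test"


def pseudo_name(key: bytes, name: str) -> str:
    return f"Customer {token(key, 'name', name, 6).upper()}"


def pseudonymise(key: bytes, customers: List[dict], orders: List[dict]
                 ) -> Tuple[List[dict], List[dict], Dict[str, str]]:
    """Return pseudonymised copies of both tables plus the id mapping used.
    Free-text 'notes' are scrubbed of every identifier seen in the structured
    columns; any e-mail never seen in a structured column is redacted outright."""
    id_map: Dict[str, str] = {}
    replacements: Dict[str, str] = {}  # raw string -> safe string, for free text
    out_customers = []
    for row in customers:
        new_id = pseudo_customer_id(key, row["customer_id"])
        if new_id in id_map.values() and id_map.get(row["customer_id"]) != new_id:
            raise ValueError("token collision: widen the token")
        id_map[row["customer_id"]] = new_id
        new_name, new_email = pseudo_name(key, row["name"]), pseudo_email(key, row["email"])
        replacements[row["name"]] = new_name
        replacements[row["email"]] = new_email
        out_customers.append({**row, "customer_id": new_id, "name": new_name, "email": new_email})
    for row in out_customers:
        # Known e-mails map to their token; unknown ones are redacted rather than leaked.
        text = EMAIL_RE.sub(lambda m: replacements.get(m.group(0), "[email redacted]"), row["notes"])
        for raw, safe in sorted(replacements.items(), key=lambda kv: -len(kv[0])):
            text = text.replace(raw, safe)
        row["notes"] = text
    out_orders = [{**o, "customer_id": id_map[o["customer_id"]]} for o in orders]
    return out_customers, out_orders, id_map


def joins_preserved(customers, orders, p_customers, p_orders) -> bool:
    """Referential integrity check: every order still resolves to a customer
    and the per-customer order counts are unchanged."""
    def counts(cs, os):
        return sorted(sum(1 for o in os if o["customer_id"] == c["customer_id"]) for c in cs)
    known = {c["customer_id"] for c in p_customers}
    return counts(customers, orders) == counts(p_customers, p_orders) and \
        all(o["customer_id"] in known for o in p_orders)


def residual_pii(rows: List[dict], original_rows: List[dict]) -> List[str]:
    """Original structured values that still appear as whole tokens anywhere in the output."""
    raw = {v for r in original_rows for k, v in r.items() if k in ("customer_id", "name", "email")}
    dump = "\n".join(str(v) for r in rows for v in r.values())
    return sorted(v for v in raw if re.search(r"(?<!\w)" + re.escape(v) + r"(?!\w)", dump))


if __name__ == "__main__":
    KEY = b"keep-this-out-of-the-test-environment"  # assumption: key lives outside test
    pc, po, _ = pseudonymise(KEY, CUSTOMERS, ORDERS)
    for r in pc + po:
        print(r)
    print("joins preserved:", joins_preserved(CUSTOMERS, ORDERS, pc, po))
    print("residual identifiers:", residual_pii(pc + po, CUSTOMERS))
```

Two design points worth noting. A keyed HMAC rather than a plain hash is what stops a tester (or anyone who obtains the test copy) rebuilding the mapping from a list of known customers; the key therefore has to stay out of the environment the data is delivered to. And the free-text scrub is the weak spot: it can only remove identifiers the structured columns told it about, so address lines, comments and attachments still need a separate review before the extract is handed over.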



I7 What's Going On In There? Managing Risk in Application Development John Blackley

Risk management programmes often focus on asset management - looking at risk from a high level and trying to 'get our arms around' the entire environment. Meanwhile, we have application development teams busy deploying code that might undermine the most rigorous risk management programme.

The answer sounds simple - secure coding practices are common nowadays and widely followed. But, in a global enterprise with in-house developers in many corners of the world and software being purchased and modified in almost every division, how do we identify and keep track of code development? Having done so, how do we use our scant resources to make sure that standards and practices are being followed?

This session demonstrates an approach taken by a global enterprise. In the session we'll look at how and why the approach was developed, what worked (and what didn't) and the results gleaned. As this practitioner consistently describes risk management as a 'value-add', the session will also describe - in clear terms - the value added to security efforts by this approach.



J8 The State of Spyware: Protect Your Network from Evolving Spyware Trends Gerhard Eschelbeck

Spyware is considered to be any program that installs itself onto a user's computer by stealth, subterfuge and/or social engineering and whose purpose is to redirect a user's activities or record those activities in a way that reduces the user's privacy, protection or peace of mind. As this threat to privacy continues to grow, more enterprises are taking measures to protect their systems. As a result, the threat landscape is shifting, and individual users are being targeted and attacked more than systems.

In his presentation, Gerhard Eschelbeck will present the industry's most current research on the evolution of spyware and explain the magnitude, breadth and overall impact of this problem. He will provide detailed insight about evolving attack trends - from automated worms to targeting users directly via email and browser, and cite factors that are causing the shift in spyware threats and trends.

This presentation will also reveal specific infection data from spyware audits and will highlight infection rates for systems monitors, Trojans and adware. Gerhard will describe these threats and their propagation strategies as well as expose their infection vectors. Few have been exposed to this level of statistical data associated with spyware - the numbers are staggering.

Gerhard will explain how spyware writers are taking advantage of security flaws and making users a vulnerable target, how end-users and enterprises can assess network vulnerabilities and detect spyware infections, and describe how to implement best practices to protect networks and systems from spyware attacks.

Finally, Gerhard will explain what measures are currently being explored by vendors and state and federal legislation to eradicate the spyware threat, and will offer his expertise about how these measures will evoke changes in the future state of spyware.



J9 Cell Phone Forensics Justin Peltier

More storage, faster networks and Bluetooth interfaces are the components which make today's cell phone more like a notebook than a wireless phone. These features create rich sources of information which can be critical in the investigation of a crime. In this session we will look at forensically processing data from the three sources on a cell phone - the SIM card, the phone's internal memory, and expansion SD cards.



K8 Marketing Meets Security Krina A. Snider

At the end of the day, how do you know that your security awareness program is effective? Does your audience understand your message? Do you have their buy-in? Have you changed their behavior? If not, then you haven't hooked 'em!

Let's face it; security is usually not a very "sexy" subject. It's our job to make it exciting and inviting to all of our audiences. Many security awareness programs provide "one size fits all" solutions or worse yet, only one form of communication or delivery.

This session will incorporate the marketing perspective and let us dive into ways we can hook 'em:

  • What works for your audience: From Techs to Execs
  • Awareness events: Creativity + WIIFM = Big Impact
  • Where the heck do we start? Flowchart and track the steps from A to Z
  • The money monster: How to get the most bang for your buck
  • Measuring results: Difficult, but not impossible… and the big guys love metrics!

We will discover many facets to not only delivering an effective security message, but also influencing the behavior and perception of our target audiences. You'll also hear a detailed example of how these measures were put into place, for an eye-opening social engineering exercise at a large company.

Each attendee will receive actual examples of marketing ideas and materials, plus a CD with usable files that can be customized to use at your company. You won't want to miss it!



K9 Awareness: Act Like You Get It! Todd Fitzgerald

The choice is ours, to deliver security awareness training the traditional way (boring), or add some excitement to our users lives! The most effective security awareness training happens through totally engaging the audience. We will share ideas for making it fun and relevant. In fact, this presentation will demonstrate a series of interactive techniques for having "fun" that were successfully used by the presenter over the past several years to change the security culture (One case study performed by the presenter was documented in a recent book on Security Awareness Training and will be demonstrated).

Retention is much more likely to happen when the participants are engaged. Each of us has ideas of what 'works' and alternatively what leaves the users mystified and bored. Together we will share our ideas for those key elements and examples of successful awareness programs so that everyone can benefit. Our goal is to end the "boring security presentation" and provide each other with new ideas that we are using to engage the end user.

Areas open for discussion may include:

  • Sharing our LIVELY security awareness presentations
  • Examining the details of producing an effective security awareness program
  • Discussion of topics that can be used to build themes for training
  • Steps and process to build the awareness campaign
  • Adapting ideas to your own organization
  • Measuring success of the Information Security Awareness program


L8 Who's Good, Who's Bad, and Who's Ugly? Nick Baskett

How can we get a meaningful industry standard Penetration Testing accreditation customers can understand? First there was CHECK for the government sector, but then that got leveraged for the private sector, and subsequently collapsed under the weight of demand, and lack of resources.

Some private companies have tried to establish their own accreditation scheme as a standard. Enter the CEH (Certified Ethical Hacker). Matta has a technical assault course, called Sentinel which tests the technical competency of consultants. And finally we have the new PCI standard, which seems to mix some base level of technical competency with a requirement for CISSP or other auditing (i.e. not technical) skills.

There is talk of CREST as a replacement for CHECK, but little is known as I write this abstract, of what CREST is, or indeed its objectives.

Nick Baskett CEO of Matta will present a symposium of industry views, some facts, and personal opinions about the state of the industry, and what needs to be done to create meaningful technical credentials which the industry can get behind, and the customers in both private and public sector can understand.

Nick will then encourage discussion of the topic, and canvass opinions from the audience. The results of which may be published in an open letter to the industry.



L9 Establishing An Incident Response Team: Lessons Learnt from Setting Up Ireland's CERT Brian Honan

Brian Honan has been working on establishing an independent, trusted and vendor neutral Computer Emergency Response Team to provide services to businesses, organisations and citizens in the Irish Republic. The proposed paper will trace Brian's journey from recognising the lack of a CERT service in Ireland and the need to have one established to the current status with the project.

Through the presentation Brian will highlight the key steps that he recognised as being crucial for anyone else to follow in establishing their own Incident Response Team (IRT), be that at a departmental, company, sector level or larger. The areas Brian will cover include:

  • Establishing the requirements
  • Engaging and getting stakeholder buy-in
  • Identifying the clients your IRT will serve
  • Identifying the main services
  • Raising Funds
  • Establishing the IRT
  • Delivering your IRT services

At the end of the presentation attendees will have a clearer understanding of some of the hurdles and issues that need to be overcome in order to ensure the success of their IRT.



PS3 Can You Keep A Secret? Lynn Griffin

Information security professionals spend the whole of the working day keeping the information held by your organisations safe from prying eyes, but what happens when

  • A policeman arrives with a warrant to search the premises?
  • A witness summons is served on the Chairman/managing director to attend court and to bring documents with him?
  • A representative of your company is called for an interview?
  • You are a witness in a criminal case and the defence want to come and look at all your documents?
  • You are in the witness box and answering the question may reveal everything your company tries so hard to protect?
  • Can you refuse to let the policeman take what he wants?
  • What options do you have faced with a witness summons?
  • Can you refuse to answer questions? Does it depend who is asking them or what they are about?
  • Are the defence entitled to see everything?
  • Can you refuse to answer in Court?


PS4 Googling While Earth Burns Prof. Brian Collins

The development of user-driven Web 2.0 applications, data mashing techniques and inadequate information assurance is resulting in a potential information conflagration on a global scale. The extinguisher for this potential inferno is in our hands, but its use will need systematic application of all we know in all phases of information exploitation systems design, development and operation. Bringing together all the disciplines that need to contribute to the generation of a capability that will be able to deal with this new dynamic for insecurity, risk and vulnerability will demand leadership and understanding from a wide range of information-based professional communities.

This talk will address how rich accessible information aggregation, shortened timescales for application deployment and assured information sharing policies need to coexist in harmony for our information society to avoid early incineration, and will discuss what I see as the critical success factors and actions needed for dealing with this problem in the near future.



PS5 The COSAC Rump Session Facilitated by David Lynas

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.fsnet.co.uk before 10AM GMT Friday, September 21
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday September 26

Submissions should include a requested amount of time for the presentation. An anticipated maximum of five minutes will be allocated for each presentation.






THURSDAY 27th
OPTIONAL HALF DAY WORKSHOPS


W1 How NOT to Conduct an Investigation Mark Rasch

In this half-day workshop, Mark Rasch will take participants through the lifecycle of an investigation. Along the way we will examine in depth the common and not so common mistakes that are made which have a detrimental impact on the success of the investigation and/or any subsequent proceedings. The outline agenda includes:

1. Determine Goals and Objectives

  1. What am I doing
  2. Why am I doing it
  3. What am I going to do with the results
  4. What is the result I want to achieve

2. What triggered the Internal Investigation?

  1. Notice of Investigation
  2. SEC Inquiry
  3. Grand Jury Subpoena
  4. NSL/FISA Order
  5. Other Agency Investigation
  6. Whistleblower notice/Qui tam action?
  7. Civil complaint
  8. Internal Inquiry
  9. External attack

3. Remember - just because it is an internal CRIMINAL investigation, doesn't mean that YOU committed the crime.

4. Special problems with SMUT

  1. Different classes of porn

5. What is the Document Destruction/Retention Policy

  1. Of company
  2. Of subsidiaries
  3. Of other data custodians
  4. Do you WANT to take extraordinary efforts to suspend

6. Consider a Document Preservation Request

  1. To affiliates, vendors, suppliers
  2. To ISPs and others
  3. To Third Parties
  4. Pays to make friends

7. Who is Involved

  1. Legal
  2. IT Department
  3. HR Department
  4. Public Relations/Crisis Communication

8. Private Investigators

  1. Under control of legal department
  2. Hiring and firing decisions
  3. WHO determines goals
  4. WHO determines techniques employed

9. Forensic Investigations

  1. Who you gonna call?
  2. Should be on retainer in advance
  3. Local and Global Reach
  4. Use tools employed by Law Enforcement
  5. Trained, Certified and Testified as experts
  6. Pre-deployed
  7. "cyber-janitors"
  8. To whom do they report?
  9. Who determines IT targets?

10. Forensic Examination

  1. Look for ability to make sense of data once retrieved
  2. Hidden records

11. Biggest Mistakes

  1. Not calling counsel early enough
  2. Guessing
  3. Not having goals
  4. Not having policies
  5. Not agreeing on objectives
  6. Document deletion/spoliation due to bad communication
  7. Nobody in charge
  8. Everybody in charge


W2 Risk? What Risk? The Evolution of a Security Risk Management Programme John Blackley

In 2006, we looked at the creation of a risk management programme in a global enterprise. Driven by regulation (Sarbanes-Oxley, PCI, etc.), executive management of the enterprise backed the creation of a risk management programme. Last year's workshop examined how initial ideas evolved into a framework, methodology and process for measuring and managing information security risk.

Time and circumstances change requirements. After delivery of the initial risk management products, requirements changed and this change in requirements altered the approach to measuring, reporting and managing risk.

This participation-based workshop will reflect on the initial goals and deliverables of the risk management programme. We will then go on to describe why the requirements of the programme changed and how that affected the approach to risk management. Your participation in the programme will allow you to 'shortcut' the process and take back to your company a faster way to arrive at demonstrating the added value that information security risk management brings.








All content on this web site © 2007 COSAC
- All Rights Reserved -