COSAC 2010 SYNOPSIS OF SESSIONS





MONDAY 20th
COSAC MASTER CLASSES


M1 COSAC International Security Round-Table Forum John O'Leary

For the past nine years, COSAC participants, delegates and speakers alike, have been starting their conference experience with this full-day deep-end immersion in the COSAC Way. The tenth Annual COSAC Forum carries on that tradition and incorporates some minor but very focused tweaks to make the day even more rewarding for participants. One of the key factors in the success of the COSAC Forum concept is its assumption that participants are competent and experienced and wish for discussions and analyses of real issues with their peers. Participants willingly share information and everyone in the room builds on each other's ideas. Rarely does a statement go unchallenged, so the discussions also prepare us to effectively defend our positions back at work. Historically, forum participants have been willing to share techniques that worked and let others stretch and shrink and twist them (the techniques, that is) around to see if they can work elsewhere. The emphasis here is on how complex and difficult information security things actually get done in the real world; this isn’t blue sky theory or Security 101. And everyone at a COSAC Forum participates, usually with very little prompting.

We’ve all won some and lost some – skirmishes, battles, wars. Most of us bear the scars inflicted by savage corporate infighting, budget-axe-wielding financial officers, our own political naiveté, maybe even from sticking to our security guns when conventional wisdom decreed backing off. We’re not trying to dig for dirt or denigrate anyone, but forum discussions often go into details of both successes and failures, and the professionalism of the participants has thus far guaranteed that specifics stay in the room.

We’ll also try to predict what issues and technologies and management thrusts presage more challenges for security warriors over the next few quarters or years. Forum participants have been especially good at anticipating those upcoming concerns.

Seasoned professionals in the Forum have also seen that a technically elegant solution that looks good on paper, on a vendor website or in a Gartner or Forrester report can be somewhat less well-oiled in operation, and may be stopped in its tracks by a previously unseen operational consideration or a change of law or political administration in a venue where it has to operate. This is an open forum, loosely moderated, but with the emphasis on sharing information. Quintessential COSAC. Participants must be prepared to discuss topics freely and be willing to contribute to discussions, even to have their solutions subject to the scrutiny and analysis of peer review. The chance to compare notes, strategies and techniques with others who are facing the same economic and political situations makes a one-day session like this both different and uniquely valuable.

Tweaks for 2010 include a stronger emphasis on participant presentations and a more formalized setting of the discussion topics and schedule at the beginning of the Forum. We’re not going to demand formal presentations from participants, but we do invite you to take a few minutes, perhaps prepare a few slides giving the crux of a topic you’d like to see covered. You might tell us how you got something major accomplished, what pitfalls we should avoid on a particular topic or maybe just say “here’s the problem and I’m stumped. Please help.” Or you might be willing to lead the discussion on a specific topic. On the formalizing of topics and schedule, we’d like to make sure we set reasonable coverage goals for the day, knowing that discussions started here invariably continue through the week at COSAC. We also want to make sure that everyone gets some of his or her major points of interest put before the group. So we’ll take inventory of what participants wish to cover, set up a schedule for the topics and proceed to get at them.

Potential Topics for 2010 include but are not limited to:

  • Economic Challenges
  • Cloud Computing
  • Social Networking Sites
  • Security Budgeting
  • Identity & Access Management
  • Virtualization
  • Malware Defense
  • Threat Management
  • Information Warfare and Terrorist Sites
  • Compliance and Governance
  • Pandemic Planning
  • Risk management
  • Windows 7 Security
  • Outsourcing
  • Privacy Issues
  • End Point Security
  • Data Loss Prevention
  • Incident Handling
  • Security Architecture
  • Disaster Recovery/Business Continuity
  • Latest issues in PCI DSS
  • Spam Control
  • International Aspects of Computer Crime
  • iPhone, iPod, iPad, etc.
  • Security Metrics
  • Security Team Job Descriptions and Requirements
  • Effective Interfacing with Other Groups
  • Social Engineering Defense
  • Incorporating Security into the Business Model
  • Getting & Keeping Management Commitment

Keep an open mind, be willing and ready to share techniques and strategies, and come join us.




M2 COSAC Master Class: Securing Windows 7 Brad Smith

The King is dead, long live the King. Microsoft has rolled out the new King of desktops in Win 7. But, all is not safe in the kingdom until you fully lock down the new King.

Attend this session and learn the new security concepts, tips and tricks that will help you fully understand the changes needed. You’ll understand Microsoft’s new security model and how to make it work for you. You’ll be a Diagnostic Demon simply by utilizing the 300+ tools built into Win 7! Understand why and where the hidden folders in which your files and programs are installed are located, and where the registry hides your settings. (Hint: they don’t exist in XP!) Become aware of unique optional security settings to REALLY secure Win 7. None of these settings are on by default, all are deeply buried in the UI, and all increase your security for free. Finish by constructing a self-booting USB copy of Win 7 that can be used as the basis of an enterprise rollout, a great diagnostic tool or just a great OS on a stick.

Using information gathered from multiple sources – including private discussions with developers, inside MS sources and personal investigation — this workshop will help you understand the next generation of Microsoft clients NOW!

Course Outline:

  • MS want the beatings to stop! MS Security history and changes
  • Virtual Lies!
  • Explain and demonstrate the “God Panel”
  • Verbalize why security measures keep programs from running and how to fix this problem
  • State 3 improvements in Windows 7 security and how they can be used to increase your security
  • Review and understand the new group policy changes
  • Explain how to customize and implement security templates
  • Diagnostics Demon Demo
  • 5 security upgrades are just a click away
  • Live from your thumb - It’s Win 7!!!

Demonstration driven, so bring your laptop with Windows 7 installed.



M3 COSAC Master Class: SNAP: A SABSA Approach to Survivability Malcolm Shore

Survivability is a recent topic of interest to security architects, and little work has been done on it in the real world. The major work is seen in the Survivable Network Analysis (SNA) method of engineering analysis for critical power infrastructures, the TANDI threat assessment approach for attacks on power infrastructures, and the RAPSA approach to risk assessment for power infrastructures.

The UK Government has recently announced the requirement for Next Generation Networks to demonstrate a high level of assurance based on the common criteria security profile NGN-224.

The Survivable Network Assessment Process (SNAP) has been developed as a general approach to survivability based on the synthesis of the existing survivability work, using the SABSA framework for overall end-to-end integration. This provides a novel methodology for survivability analysis, and offers a coherent methodology for designing NGNs from a business-driven level of survivability. SNAP has been applied to the critical network infrastructure of New Zealand, and demonstrates an approach to survivability that is more effective and less costly than that proposed in the formal NGN-224 accreditation approach.

This is intended for experienced SABSA and security architecture practitioners, is novel, and is timely.

Criteria

Value: This will provide a new tool for experienced SABSA and security architects, and requires a significant level of experience in order to gain the most value from it.

Uniqueness: This is a methodology based on new research and has not before been presented.

Timeliness: The emerging move to NGN assurance by critical infrastructure authorities will require this kind of approach to avoid costly and ineffective use of common criteria.

Approach: This is a fully participatory master class.





TUESDAY 21st
SESSIONS

Stream A - Technical & Topical
2A - 4A: New Technology Challenges - Cloud Computing, Social Networking, Virtualisation & Location-based Services
5A - 6A: The Latest in Cyber Attacks - The theory and reality of technical attacks and defences
Stream B - Management & General Interest
2B - 4B: New Management Strategies - Ownership, Risk Management & Control Frameworks
5B - 6B: Overcoming Management Challenges - Influence, motivation & making the right security management decisions
Stream S - SABSA World Congress
2S - 4S: Making SABSA Happen - How to get project approval, make it happen and the reality of roll-outs large and small.
5S - 6S: SABSA Integration & Alignment - Delivering SABSA Security Benefits with TOGAF, FEA & DODAF.
Stream P - Plenary Sessions
1P & 7P: Plenaries


2A “You're Where?” What You Need to Know about Offering Location-based Services to the World Andrew S. Townley

Ten years after location-based services were going to be “the next big thing,” services like Foursquare, Gowalla and others have finally appeared on the scene, allowing mobile phone users to voluntarily share their location with others. Far from the advertising-centric vision originally planned and illustrated by the film Minority Report, the majority of these users are interested in location-based services in order to connect with other people. This drive was famously illustrated by the impromptu Hilton hotel lobby party at the South by Southwest conference earlier in the year, a party facilitated largely by a combination of the Foursquare and Twitter services as large numbers of people “checking in” prompted even more people to get out of bed to come down and join the fun. The bottom line: people don't want to miss something fun or cool.

While the practical and business uses of these services are still being explored, the business potential beyond advertising for these services can't be ignored. If you offer goods or services to the general public, you should already be thinking how you can leverage this distinctly human trait to your advantage. However, before you get too far down the road with interesting ways to capture and use this information, there are important legal, privacy and risk management topics you need to understand and address.

This session will primarily focus on helping you understand:

  • The current crop of location-based services, including who is offering them, where they're based, what information they capture, how they manage user consent and ways this information can be used beyond the original service
  • The legal requirements of capturing, managing and sharing location information in various parts of the world
  • Privacy considerations of location-based services

Following this discussion, we will turn the tables and briefly look at how widespread use of these services impacts both the individual customer as well as those who might be responsible for keeping them safe.



3A Modern Day Threats and Defenses for Virtualisation, Cloud Computing and Social Networking Don Smith

The explosive popularity of virtualisation, cloud computing and social networking services has created a rich foundation for new and successful cyber attacks. Organisations are rapidly adopting these services to save money, increase efficiency, and in the case of social networking, build corporate brands. Cybercriminals have caught on and are always looking for ways to exploit new technologies for financial gain.

With the advent of stricter compliance and regulatory laws affecting most, if not all, industries significantly, managing cyber risk to your organisation is becoming more and more critical especially as new and emerging technologies are adopted and deployed. Confidential information about customers, trade secrets or other intellectual property is always at risk.

This presentation explores the threats targeting virtualisation, cloud computing and social networking services and why cybercriminals are taking on these platforms as their next victims. In addition, we’ll look at ways of mitigating your risk if your organisation is considering the use of these new platforms.



4A A Culture of Trust or the Wisdom of Crowds? Derek O'Neill

Everyone's doing it - friends, family, colleagues, celebrities, political leaders, and corporates are using Social Networks to spread the word whatever the word is.

From a starting position of sceptic dis-approval, through research, observation and a little navel-gazing, this presentation shows how one anti-social, slightly paranoid, techno-weenie learned to stop worrying and embrace the Social Network paradigm.

This presentation looks at individual and corporate use of Online Social Networks, from an Information Security perspective.

We'll talk about the phenomenal success, continued growth, what's new and what we've seen before:

  • Explore what Social Networks are and where they came from - why some succeed, and more fail
  • Show a little bit of trend analysis - and where you can find out more
  • Look at the three common characteristics of all Social Networks
  • Look at those who embrace Social Networks, and those who reject them
  • Consider the bind between Social Networks and mobile devices and what the future may hold
  • Consider the monetary value of Social Networks based on the data you choose to give away
  • Discuss information security and privacy concerns - Privacy does not exist in the world of Social Media
  • Present arguments for and against Social Networks with some real world examples
  • Talk about some personal and corporate horror stories and some of the great success stories too
  • Ask the question - "What ever happened to the work/life balance?"
  • Suggest some guidelines for usage of Social Networks - for individuals and corporate users

And we'll finish up with some crazy guess-work and wild speculation.



5A Know Your Enemy to Reduce the Likelihood of Targeted Attacks Wilbert Hofstede

While good-practice security measures should protect sufficiently against untargeted attacks, targeted attacks are more difficult to defend against. Those who do target an organisation are searching for weaknesses to exploit. When sufficiently motivated, they will eventually succeed in doing so.

Knowing the other and knowing oneself, in one hundred battles no danger.
Not knowing the other and knowing oneself, one victory for one loss.
Not knowing the other and not knowing oneself, in every battle certain defeat.

Already over 2500 years ago, Sun Tzu realised the importance of knowing the enemy. The more current Common Criteria also recognises the existence, though not necessarily the importance, of the enemy by means of a placeholder in its general model for the so-called threat agents. However, threat agents as such are, interestingly enough, seldom considered in the identification of risk-mitigating security measures.

The aim of this session is to provide information, thoughts, a working model and conclusions on threat agents and how that knowledge can effectively reduce the likelihood of targeted attacks.



6A Cyber Scenarios & Reality - Supporting Predicted Cyber Incidents with Past Events Richard Stiennon

“The past is prologue.” ~The Tempest

Scenario planning is an important tool in the realm of cyber security. Stakeholder teams are assembled to create plausible scenarios of possible future threats. Repercussions are predicted to help quantify risk and justify mitigating investments in technology and changes to policy and operations.

In Cyber Scenarios and Reality we examine several cyber security scenarios and demonstrate that they have already occurred. While the incidents covered may affect adjacent or even unrelated industries, it is advisable that IT security practitioners and other stakeholders are aware of the threats posed by the prior occurrence of these scenarios.

Attendees will have their eyes opened to threats they may not have considered before: malicious software updates, spurious BGP route announcements, state-sponsored espionage and DDoS attacks, and insider abuse of back-office systems.

Scenario 1. Collateral Damage from Cyberwar.

The scenario: Widespread attacks in conjunction with hostilities between two or more nation states lead to network outages that spread beyond the geo-political participants.
The reality: Hosted websites in Atlanta, Georgia suffer when Russia attacks the country of Georgia. A car dealership in Chechnya goes offline when Russia attacks that country. The Sports Network is mistakenly identified as a CNN property and is taken off-line during Chinese wrath over Tibet.

Scenario 2. Political protestors enlist social media to target attacks.

The scenario: activists enlist social media to spread their message and generate crowd-sourced attacks.
The reality: During the 2009 protests over Iranian election results, Twitter users were enlisted in massive denial-of-service attacks against government webservers.

Scenario 3. An insider uses privileged access to steal customer data

The scenario: an authorized user gleans credit and financial information and sells it.
The reality: During the mortgage frenzy of 2005-9 an employee of Countrywide absconds with millions of records and sells the data, loaded on USB devices, to a cyber criminal.

Scenario 4. Malicious Software Updates

The scenario: an attacker delivers software updates that surreptitiously enable a back door in critical information systems.
The reality: Over a period of months leading up to the Summer Olympics in Athens, 2004, attackers uploaded components of software to Ericsson phone switches that, when complete, gave them backdoor access which was used to tap the cell phones of 100 officials and diplomats.
During the last days of the Cold War, the US allowed faulty SCADA control software to be stolen by KGB operatives. The result was disastrous and the CIA credits it with the eventual demise of the Soviet Union.

Scenario 5. Hardware backdoors

The scenario: the supply chain of network equipment is subverted to allow the installation of remote command and control capability.
The reality: The Clipper Chip and Huawei incidents.

Scenario 6. Insider abuse

The scenario: an insider uses his knowledge of IT operations to subvert them to his own purposes.
The reality: the multi-billion trading losses at Societe Generale.

Scenario 7. State sponsored spying

The scenario: state sponsored email corruption leads to endangering the lives of employees.
The reality: An infiltration of 1,200 networks of foreign offices and State Department facilities implicates diplomats and knowledge workers.

What will you learn from this presentation?

It is hard to propose a cyber security scenario that has not already occurred somewhere in the world. By becoming cognizant of past incidents you are better armed to think about how these scenarios could play out in your own organization.



2B It’s MINE! – The ‘Christmas Quality Street Tin’ Problem. (Ownership of Shared Services) Jon Colombo

Shared Services seem like a great idea. Non-competing organisations get together to implement systems. They get to share (reduce) start-up and operational costs. They get to use more sophisticated systems than they can afford individually. Better still they get to share all the base-data, demographics and standing data. More cost savings, and potential for improved, possibly new services. In the public sector, where organisations are not in direct competition, the idea is extremely attractive. Managers love the idea.

In the present economic climate, the savings potential seems to offer a way to ‘shift tin’. Systems integrators’ salesmen love the idea.

Technically Shared Services and Service Oriented Architectures look like a marriage made in heaven. People offer and consume services across a common pool. Technicians love the idea.

It is hardly surprising that the number of examples is mounting inexorably. If you work in or with the public sector you will almost certainly have come across at least talk of them.

At first sight securing shared services should not be a problem. They use standard technologies to solve standard business problems. No issue, right? Wrong.

There is a monster in the cellar, threatening the foundations. Whilst I have not heard it used, some of the business cases could be summed up by Marx: “From each according to his ability, to each according to his need”. In their purest form, shared services try to implement this, and stumble up against the same flaws that made Marxism so hard to implement, namely human nature and attitudes to ownership.

Security rests on good governance. Good governance rests on clear ownership. You cannot even start to agree the governance unless you understand who owns what. In the world of shared services, even the term ‘Owner’ causes arguments. Add the fact that many of our laws and regulations assume clear hierarchical models which may not be available, and you get a good gnarly problem. The sort of issue that raises discussion and makes a good COSAC topic…

Based on a case study from the UK NHS this session will:

  • Explore what the problem is, and why it is so hairy
  • Look at the constraints that apply
  • Look at how we set about solving them


3B Effective Decision Making in Information Security – A Practical but Quantitative Approach Máirtín O'Sullivan

In the current economic climate, organisations have been forced to tighten their spending and ensure that unnecessary costs are removed from all aspects of business. Information security is no exception and as such there is an even greater need now to demonstrate that spending on information security is not dead money and that it is of value to the business.

While there is significant research in the area of optimising information security investment, the research is diverse and often conflicting, with both proponents and opponents being fiercely divided.

This session will provide an overview of some of the current methods of optimising information security spending, highlight some of the fundamental problems that are impeding the practical implementation of these methods and investigate some potential solutions to improve decision making within information security investment.

We will propose the use of risk management as the fundamental basis for return on information security investment, and that optimal investment is ultimately dependent on the risk appetite of the organisation.

We intend to show how techniques such as Monte Carlo simulations can be easily applied to improve our ability to communicate risk, and reduction in risk, to non-technical business managers.

To support this we will identify some of the problems with the existing rating systems of risk management and will present some of the biases and potential inaccuracies that are inherent in using Subject Matter Experts (SMEs) in estimating risk.

We will also look at some of the approaches that can be used to make SMEs aware of these biases and reduce or account for such problems, and will look at how to incorporate Monte Carlo simulations into information security risk assessment to help communicate our level of uncertainty in our estimations.

We will then combine these techniques to demonstrate how to present risks to the business in a format that is meaningful to them, allowing them to make better decisions in relation to information security investments.

We acknowledge that a purely objective quantitative assessment and optimisation of information security investment is impossible, and we believe it always will be. A need therefore exists for an approach that accepts this and allows information security practitioners to better communicate our understanding of the risks and benefits to the business, while acknowledging our own level of uncertainty in our estimates. We believe our approach provides this to information security practitioners at a practical level that can be utilised easily to improve decision making within their organisations.
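The approach sketched above can be made concrete in a few dozen lines. The following is an added example written for this synopsis; it is not the presenters' material, and the risks, 90% confidence intervals, control cost and risk tolerance in it are constructed figures for illustration only. It follows the Hubbard-style recipe: each SME gives a 90% confidence interval for annual event frequency and for loss per event, each interval is fitted to a lognormal distribution, events per year are drawn from a Poisson process, and thousands of simulated years yield an expected annual loss, a loss-exceedance curve and the probability of breaching the board's tolerance, with and without a proposed control. A small calibration check shows how the overconfidence bias discussed above can be measured against an SME's past estimates.

```python
"""Monte Carlo risk quantification from SME 90% confidence intervals.

Added example, not from the COSAC session. All figures below (risks,
ranges, control cost, tolerance, past judgements) are constructed.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score bounding a two-sided 90% interval


@dataclass(frozen=True)
class Risk:
    name: str
    freq_low: float    # events/year, lower bound of the SME's 90% CI
    freq_high: float   # events/year, upper bound
    loss_low: float    # loss per event, lower bound of the 90% CI (currency units)
    loss_high: float   # loss per event, upper bound


def lognormal_params(low, high):
    """(mu, sigma) of the lognormal whose 5th/95th percentiles are low/high."""
    if not 0 < low < high:
        raise ValueError("bounds must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma


def poisson_sample(rng, lam):
    """Knuth's inversion sampler for small rates; normal approximation for large ones."""
    if lam > 500:
        return max(0, int(round(rng.gauss(lam, math.sqrt(lam)))))
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_loss(risks, trials=10_000, seed=2010):
    """One total annual loss per simulated year, summed over all risks."""
    rng = random.Random(seed)
    params = [(lognormal_params(r.freq_low, r.freq_high),
               lognormal_params(r.loss_low, r.loss_high)) for r in risks]
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for (fmu, fsig), (lmu, lsig) in params:
            rate = rng.lognormvariate(fmu, fsig)      # the true rate is itself uncertain
            for _ in range(poisson_sample(rng, rate)):
                year_loss += rng.lognormvariate(lmu, lsig)
        totals.append(year_loss)
    return totals


def mean(values):
    return sum(values) / len(values)


def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))]


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def control_value(baseline, mitigated, annual_control_cost):
    """Expected loss avoided per year minus the control's cost (positive = worth buying)."""
    return mean(baseline) - mean(mitigated) - annual_control_cost


def calibration_hit_rate(judgements):
    """Fraction of past actuals that fell inside the SME's stated 90% interval.
    A calibrated estimator scores about 0.9; overconfidence shows as a much lower rate."""
    return sum(1 for low, high, actual in judgements if low <= actual <= high) / len(judgements)


# Constructed portfolio (illustrative figures only)
BASELINE = [
    Risk("ransomware outbreak", 0.1, 1.0, 200_000, 5_000_000),
    Risk("lost or stolen laptop", 2.0, 20.0, 2_000, 50_000),
    Risk("web application breach", 0.05, 0.5, 100_000, 10_000_000),
]
# Hypothetical control assumed to cut ransomware frequency by about 70%
MITIGATED = [Risk("ransomware outbreak", 0.03, 0.3, 200_000, 5_000_000)] + BASELINE[1:]
CONTROL_COST = 150_000      # per year, assumed
RISK_TOLERANCE = 2_000_000  # annual loss the board says it can absorb, assumed

# Constructed calibration record: ten past 90% CIs as (low, high, actual); six contain the actual
PAST_JUDGEMENTS = [
    (10, 50, 30), (100, 200, 250), (1, 5, 3), (20, 40, 45), (5, 15, 7),
    (1000, 2000, 1500), (2, 8, 12), (50, 60, 55), (0.1, 0.5, 0.3), (300, 400, 410),
]

if __name__ == "__main__":
    base = simulate_annual_loss(BASELINE)
    miti = simulate_annual_loss(MITIGATED)
    for label, losses in (("baseline", base), ("with control", miti)):
        print(f"{label:13s} EAL={mean(losses):>12,.0f}  P50={percentile(losses, 0.5):>12,.0f}  "
              f"P90={percentile(losses, 0.9):>12,.0f}  "
              f"P(loss>tolerance)={exceedance_probability(losses, RISK_TOLERANCE):.1%}")
    print(f"net value of control: {control_value(base, miti, CONTROL_COST):,.0f}/year")
    print(f"SME calibration hit rate: {calibration_hit_rate(PAST_JUDGEMENTS):.0%} (target ~90%)")
```

The P50/P90 spread and the exceedance probability are what communicate uncertainty to a non-technical audience: a single "expected loss" hides a fat tail, whereas "a one-in-ten year costs more than X" does not. The same simulation run with and without the control turns the investment question into a comparison of two distributions against the stated tolerance, rather than an argument over a single high/medium/low rating.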

We hope that this session will spark debate amongst the proponents and opponents of quantification of information security risk and will generate a lively discussion within such an experienced group as the COSAC attendees.

Additionally, the demonstration of more practical approaches should provide a significant take away from the session, allowing for a significant immediate benefit to be obtained from the presentation.

Note:

The majority of the solutions presented in this session involve the application of ideas proposed by others, such as Doug Hubbard and Sam Savage, to the area of information security. Two of the main sources for this research include Doug Hubbard’s book “The Failure of Risk Management” and Sam Savage’s book “The Flaw of Averages”. However, following extensive research we have found that there appears to be little application of these ideas to the area of information security and as such believe that this brings a unique aspect to the session.



4B Integrating Control Silos – Just a Pipe Dream? Mike Softley

Globally there are over 6300 certifications in place in respect of ISO 27001 (according to the ISO 27001 International User Group figures March 2010) covering over 80 different countries. This presentation will look at what motivates organisations to take on the demands and costs of taking on a management system for information security and whether they are missing a trick.

The premise being put forward is that the majority of organisations have one of two main motivations for certifying to ISO 27001:

  • they do it because their client base/industry expects it and the lack of an ISO 27001 certificate will make them less competitive
  • they are responding to a specific demand of an existing contract (i.e. they won a contract on the basis that they would achieve certification by a particular date)

The second of these motivations is, in the experience of the presenter, the more common; it also leads to organisations doing as little as possible to satisfy the relevant contractual obligation. Taking this approach misses out on further potential benefits.

ISO 27001 comes complete with a set of 133 controls that organisations must consider; however, it states that this is not an exhaustive list and encourages organisations to add other controls. In reality this very rarely happens, and organisations do the minimum required to clear the bar using the ISO 27001 controls.

However, many organisations have other control sets that they implement, and often these are managed separately. Top of the list of other control sets are PCI DSS and Sarbanes-Oxley; there are also a number of industry-specific controls, for example in health care, banking and gambling.

This presentation looks at the benefits of bringing other sets of controls into the ISO 27001 certification/management system and what we can do as security professionals to encourage and support a more ‘joined up’ approach to meeting the legal, regulatory and contractual obligations of our organisations and clients.

In true COSAC style this session will define the problem (if it exists at all!!) and then discuss what our part is in solving it.



5B Whaddya Do Now? John O'Leary

You’re an experienced, competent, battle-scarred security professional. You wouldn’t be at COSAC if you weren’t. But the dragons you’re fighting in 2010 may be mutants. They seem significantly different from those you slew way back in 2009 and the even more distant past. Many are political or organizational and don’t respond to technology. And they multiply fast. Additionally, some of the crusty-winged ancient ones you buried even in the antediluvian 1990’s appear to have resurrected or been reincarnated. Doesn’t that “Weak Password” Dragon know it’s supposed to be dead?

This interactive session will encourage you to share ideas and pick the brains of fellow COSAC delegates. We will outline scenarios that might resemble ones you face every day or will soon face. Then we’ll ask you to bring your own set of experiences and skills to bear on the problems in question. Things you think are simple and straightforward may have tricky components in other organizational settings. An intractable problem for you may be easily solved in a different type of firm. Politics, ethics, the economy, acceptable behavior, corporate culture, mergers and multiple other factors impinge upon what might seem viable solutions. At this session, you’ll get to hear how others would handle your issues and get your chance to enlighten them on how you would bear their burdens. Bring your own “sensitive issue” scenarios, and we’ll address them as time permits.



6B Brainwashing Management Brad Smith

You know you’re right, so why doesn’t management know it? Attend this session and learn tools and techniques to help management get what you already know.

You’ll learn about Social Engineering (SE) driven by the science of Neuro Linguistic Programming (NLP) and how to utilize these tools to become more persuasive. SE is used by professionals who must help people make decisions, rapidly and accurately. More importantly, it’s used to help people say yes, even when they don’t want to! The information taught in this session is seldom available outside of the social science field because of its many powerful uses.

Better yet, you’ll learn and practice techniques that will help you understand yourself, your co-workers and even your family. This session is a full learning experience so you learn the SE skills and then practice the skills. Practice time is included so you fully understand what and how the skill can be applied to your everyday interactions.

Course Outline:

  • State brief history of Social Engineering
  • Discuss concepts of Neuro-Linguistic Programming (NLP) and how it is used persuasively
  • Why did you make me say That! (SE technique practice session)
  • I felt like we know each other forever! (Practice of SE techniques)

You will learn:

  • How Social Engineering (SE) works
  • How NLP added potency to SE
  • 4 simple methods used to incite people to do what YOU want
  • Methods of observation that can clue you into a lie
  • SE techniques you can use in writing reports, resumes, ads or even spam that increase your chance of success
  • Location of free additional training and resources


2S Introducing SABSA into a Major Global Organisation Toby Boerlage

Are you convinced SABSA can be of value to your organisation and Risk management strategy? Great! Now, what are your steps to take this to the next level?

Changing your current Risk & Security architecture is one thing, but in order to make it really work, you’ll need to consider a lot more.

With the introduction of SABSA into a major global organisation as a reference, I will demonstrate the do’s and don’ts. Areas covered are:

  • Getting original sponsorship and budget;
  • Choosing a scope;
  • Stakeholder management;
  • Project structure;
  • Overcoming existing cultural barriers;
  • Presenting the results;
  • Business benefits demonstrated;
  • Moving forward to a strategic enterprise roll-out.

This presentation will be of huge value to those with a current interest in scoping and executing a project to introduce SABSA into any large organisation. It will show the way in which engagement with the real business can be achieved, how the project can be positioned with regard to the business main stakeholders, and how a strategic vision can be derived from a modest 'demonstrator' project.



3S Using SABSA at the National Level Malcolm Shore, Yi Xiao

SABSA is aimed at delivering an end-to-end security framework for enterprise users, and focuses on delivering the traceback to business drivers through its attribute paradigm. Work has also been carried out by de Koning on delivering the SABSA construct at the project level through a tactical process based on project outcomes.

This paper addresses the other extreme use of SABSA, that of using SABSA to assess the national requirements for security. New Zealand is currently setting up its Office of Cybersecurity, and is doing so based on the use of SABSA to describe eGovernment, eSociety, and eCommerce business drivers. From these the policy architecture and national organisational construct have been developed.



4S SABSA in the Legal World Lynette Hornung

A major challenge facing organizations today is the gap between attorneys and IT security professionals, which often deprives their environments of effective privacy enhancement solutions. This gap has led not only to a lack of communication between attorneys and IT security professionals, but also to entrenched battlelines being created on both sides. Attorneys and IT security professionals, steeped in their own nomenclature, talk past each other in trying to create privacy enhancement solutions.

In my presentation I will show how SABSA attribute profiling can help bridge this gap by providing a whole new class of legal privacy attributes. I will show how I have applied a class of legal attributes to Monster.com to demonstrate how bridging the gap between legal professionals and IT security professionals can provide privacy enhancement solutions both the attorneys and security professionals can agree upon and provide a way for them to work together in better cooperation, not competition.



5S Leveraging SABSA within the United States Enterprise Architecture Frameworks Jason Kobes

Enterprise Architecture frameworks commonly used in the United States have many aspects in common. SABSA aligns with these frameworks to enhance security; however, SABSA brings additional benefits. For example: the Federal Enterprise Architecture (FEA) and Department of Defense Architecture Framework (DODAF) both implement activity models to show how organizations and systems operate in the enterprise. These models successfully illustrate the inputs and outputs of a particular activity, as well as simplifying complexity by taking advantage of the concept of black box modeling.

What these models fail to illustrate clearly, or provide traceability to, is how each activity fulfils a strategic objective of the organization. FEA relies on segmented architecture which, if implemented, can lead to a whole new kind of stovepipe. I will show in this presentation how SABSA can be used in combination with FEA and DODAF to bridge some of the framework shortcomings and improve traceability of the mission into the activities and segments. I will also show how to successfully integrate security architecture into the framework while enabling the fundamental FEA and DODAF frameworks.



6S SABSA and TOGAF: Just Good Friends Pascal de Koning

Is the security architecture part of the solution or part of the problem? Some people think that Security architects spend a good deal of effort proving the negative. Ouch! Organizations use Enterprise Architecture to manage IT. How can we make Security Architecture part of the Enterprise Architecture? In this presentation we’ll take a look at the alignment between SABSA and TOGAF which is the subject of an official OpenGroup Working Party during 2010.

TOGAF is an architecture framework that may be used freely. It is owned by The Open Group, an international consortium of over 300 member organizations, with more than 6,000 participants. TOGAF is de facto the standard for Enterprise Architecture. The latest version is TOGAF 9.

However, in the process of developing the Enterprise Architecture with TOGAF 9, Information Security is considered not an asset but a problem. The TOGAF book states: “Security architects spend a good deal of effort proving the negative”. More specifically, security is considered an IT ‘problem’ that is solved from an IT point of view and not from a business point of view, in contrast to the Enterprise Architecture which is driven, in all steps, by business requirements.

This is where SABSA comes in. SABSA addresses Information Security from business drivers and requirements, just like TOGAF does with the Enterprise Architecture. This presentation proposes a way to combine the strength of both TOGAF and SABSA. From a SABSA point of view we look at the TOGAF process model as a delivery model for the Security Architecture. From the TOGAF point of view, strong SABSA concepts are described in useful TOGAF language. Bottom line is that if we align TOGAF and SABSA, both parties will benefit.



1P Deep Threat: Data Security Lessons Learned from the Online Adult Entertainment Industry Richard Hollis

Gross revenues for the online adult entertainment industry exceeded $98 billion last year from transactions conducted over more than 4.2 million websites offering adult content. Every second $3,075.64 is being spent on adult entertainment websites. The annual revenues from this industry alone exceed the top ten online companies in the world combined (Microsoft, Google, Amazon, eBay, Yahoo, Dell etc).

The industry is also reputed to be the largest purveyor of SPAM, viruses, Trojans, worms, adware and spyware. This fact along with the product it sells and enormous revenue it generates make it an extremely high value target for crackers, fraudsters, organised crime and vigilante groups. And yet, we never hear about a breach to their systems do we? Why is that? What is their secret? What do they know about information security that other industries don’t?

This interesting presentation is done in a workshop format involving direct interaction with the audience. The presenter entertainingly covers the statistics of the industry and then explains the ten basic information security principles that online adult entertainment providers implement to ensure the integrity of their systems.

The presentation is devoid of product placement, endorsement or any commercial message whatsoever, and the approach is designed to demonstrate the reasons behind the principles, which attendees can take back to their organisations. The material is based upon actual case studies and interviews with Directors of online adult entertainment provider companies.



7P Emerging Trends in Weaponizing PsycoSonics Brad Smith

This session will introduce and demonstrate the emerging attack vector of psycosonics. Tracing the historical use of psycosonic weapons forward to their use in current warfare in Afghanistan, you’ll be able to state why these weapons have been so effective.

I’ll show you how psycosonics can create different mental states, and then demonstrate open source software for creating these states. Finally, you’ll learn how to create weaponized MP3 files that can be used not just as a weapon but also as a study aid or a hidden calming session, all by simply injecting the appropriate sonic frequency into an MP3 of your choice.

Attend this emerging trend session so you’ll be aware of this attack vector and how you can use it for your own purpose. This is a fun and useful session providing information on an interesting emerging area.




WEDNESDAY 22nd
SESSIONS

Stream A - Technical & Topical
9A - 10A: Peripheral Issues - Mobile computing, hand-held devices & portable disk technologies
11A - 12A: Emerging Trends - up-to-the-minute trends in Cloud Computing - the legal & technical perspectives
Stream B - Management & General Interest
9B - 10B: External Dependencies & Risks - Managing the harsh realities of smart cards, SCADA & Industrial Control Systems
11B - 12B: Difficult Issues & Learning Lessons - Learning important lessons from history & the thorny issue of screening in Information Assurance
Stream S - SABSA World Congress
9S - 10S: SABSA Tools & Techniques - SABSA tools & techniques for Governance, Maturity Modelling & Audit
11S - 12S: SABSA for Technical Solutions - Strategic approaches and practical case-studies in deploying SABSA for Cloud Computing, Security Operations & Emergency Response
Stream P - Plenary Sessions
8P & 13P: Plenaries


9A Mobile Computing Security E. Eugene Schultz

The user computing environment has changed considerably over the last decade. Mobile computing devices such as laptop computers, smartphones, Bluetooth devices, and personal data assistants (PDAs) are now routinely used not only by “road warriors,” but also by other employees and contractors both within and outside of the traditional workplace. Mobility creates many security-related risks (physical theft, eavesdropping in wireless environments, viruses and worms, anonymous connections, unauthorized connections to mobile devices through exploitation of vulnerabilities, and more), many or most of which are typically not adequately understood, let alone addressed. The fact that business-critical information is often stored on these devices further exacerbates these risks; the fact that the mobile applications that commonly run on these devices have generally been written without much, if any, consideration of security proliferates risk even more. Worse yet, information and knowledge concerning mobile applications are scarce. Even fewer people know virtually anything about mobile application security, resulting in these applications running in what is almost always an insecure “out-of-the-box” state. Additionally, iPhones must be “jailbroken” to run certain applications, and the consequences for security are not good. This presentation concentrates on the functionality of a range of widely used mobile applications, the vulnerabilities and risks associated with these applications, and possible security solutions, where they exist.

After attending this presentation, attendees will be able to:

  • Describe the basics of mobile computing functionality
  • Enumerate major vulnerabilities in mobile computing environments and the seriousness of each
  • Describe the types of mobile applications that are currently being used and how they work
  • Describe vulnerabilities in mobile applications and how serious each is
  • List and explain the major types of controls that can be used to mitigate risk in mobile computing environments and cost-benefit ratios associated with each

Presentation Methods:

  • Lecture (primary)
  • Demonstration of mobile applications and their security deficiencies
  • Discussion


10A Hacking and Cracking ISO CDs / DVDs Simon Gunning

In this session we take a look at the history of hacking and cracking floppy discs / CDs from the 1980s to the present day. This will provide an insight into another world of hacking and cracking techniques, from open source to software piracy.

Distribution, applications, sources, code, FAQs, *.txt, etc. The underground is still out there, with a compendium of games for people to download and/or purchase from market traders. We will also be looking at the current trends in relation to forensic and security ISO distributions; I bet you know a few I don't know.

I hope to have time in this session to boot up some of these CDs, so we can get an understanding of what they can do. Why not bring a distribution with you and tell us why it is so great and what you use it for: some real COSAC interaction.



11A COSAC 2010 Cloud Computing Security - the technical issues, risks and solutions debate Simon Pascoe

In this highly interactive session (you will be expected to contribute to the debate) we will discuss the technical security issues with cloud technology, the current security architectures being proposed, and risk mitigation strategies. Note that this topic is very relevant and evolving fast, with many of the issues currently unsolved. Let's harness the considerable COSAC intellectual horsepower and experience to identify some answers, and summarise them for one of the rump sessions.



12A Security and Law in the Cloud Mark Rasch

This session will focus on how the promise of Cloud computing cannot meet its full potential until legal and security issues are resolved. Issues like venue, jurisdiction, ownership and control are all altered in the cloud.

Cloud computing also raises issues for electronic discovery, privacy, data mining, and other legal concepts. Another issue for cloud computing is the fact that cloud computing removes most of the layers required for layered security. Thus, it removes the ability of companies to conduct audits of "their" data and "their" environment, to segregate their network from that of others (including potential attackers), and to layer security on their network and data.

This session will focus on how to re-establish security protocols and authentication in order to realise the full benefits of cloud computing.



9B Why I Fought the Mondex Project Tom Trusty

In 1996, thousands of people worldwide were involved in the next big thing: the rollout of the Mondex unaccounted stored value card. The momentum seemed unstoppable. The stakes were huge. However, less than a year later, four people on three continents were tirelessly working behind the scenes - first to close, then to expose - what they saw as the fatal flaw in the security architecture of the system.

For the first time, banking security consultant Tom Trusty publicly reveals the real reasons behind why he was so compelled to oppose the stored value smart card project being implemented at the bank he was working for.

You will also hear about the anonymous tip-offs, secret private investigations, legal threats, publicity agencies and the whole ugly story that was unfolding behind the scenes of the Mondex project, as one of the world’s largest companies bears down hard on a lone banking insider who refused to ignore the emerging security threat.

Several methods of reverse engineering smart card programming will be outlined. However, this will not be a highly technical session for electronics enthusiasts. Instead, this session will show how business drivers influence security in the real world of large multinational banks, and what happens when security governance is not up to scratch. To permanently retire the ‘we carefully vet and can trust our staff fully’ security model, two first hand, real-life examples of insider fraud by banking computer programmers responsible for ATM security are also outlined: one in which DES keys were reverse engineered from a ‘secure’ system, and one where the bank’s programmers set out to obtain a competitor bank’s PIN keys.



10B Keep the Lights On: Control System Cyber Security Lisa Lorenzin

Industrial Supervisory Control And Data Acquisition (SCADA) and automation systems, originally built with assumptions of isolation, are now at risk as control networks integrate with corporate networks and SCADA vulnerabilities become widely known. New security standards offer interoperable protection from attacks - this session will demonstrate standards-based options to protect control networks and meet regulatory requirements.

Industrial control systems were designed and built with a primary focus on performance, availability and reliability - not security. As these systems integrate with corporate networks (and become indirectly connected to the Internet) and their vulnerabilities become more widely known, they are exposed to a variety of threats, from general network probes and denial of service attacks to custom malware that specifically targets their components and protocols.

A new generation of standards-based security offerings lets operators defend their control system networks using the same technology that protects telecommunications, banking, and other critical IT infrastructure. The general principles are the same: keep outsiders out, keep insiders honest, keep an eye out for trouble, and keep communications open, clear, and fast - especially during emergencies. Open standards originally designed to enable intelligent, responsive NAC solutions are leveraged by security solutions specifically designed to protect control system environments.

This design focus is critical because industrial control systems operate under constraints that are not applicable in most IT environments; reliability and performance are - and must be - considerations that take precedence over security. Service disruptions, whether caused by an attack or by the systems put in place to protect from attack, can lead to anything from power outages to containment breaches to human injury and even death. Those considerations must be foremost in any attempt to apply security measures to existing control systems or include security in the design of a new system.

This talk will describe a range of attacks that affect control system networks and their potential consequences; describe open standards from the Trusted Computing Group that enable communication and interoperability between disparate security technologies that can be used to protect control system networks; address the additional challenges posed by applying security technologies from the IT world in a control systems environment; and demonstrate attacking and disabling a Programmable Logic Controller (PLC) running an industrial process in a process control network, then how standards-based network security components provide isolation and protection for the vulnerable system.



11B Screening IA Candidates for Criminal Backgrounds Jeffrey Livermore

This session will discuss whether students admitted into Information Assurance programs should be screened for criminal background. The paper begins with a survey of other academic disciplines that screen their students including law, medicine, nursing, and counseling. The paper continues with a survey of occupations that require licensure that is not available to candidates with criminal backgrounds.

This paper will have obvious value to educators and schools that have or are considering starting an Information Assurance program. Companies that hire the graduates of these programs to run their security programs will also find value in learning of the ethical components and screening of these graduates. There have been no comparable studies done on screening IA students even though other sensitive academic disciplines screen their students. This paper presents the current state of the practice in screening IA students which has not been presented elsewhere. Surveys were returned by at least 20 of the Centers of Academic Excellence documenting their screening practices.

The research behind this paper was undertaken to begin the national and international discussion on screening IA students. Input from the industry is needed to guide educators as they develop screening policies. The conference session would be an excellent platform for beginning this discussion and collecting viewpoints of industry practitioners. The presentation would consist of a presentation of the research behind the paper and a frank discussion of industry needs. If the audience is large enough, the participants would be split into smaller groups to encourage discussion and collection of opinions and requirements.

New IA programs are being formed every year and more schools in the United States are applying for the Center of Academic Excellence designation by the National Security Agency. The admission requirements for these programs need to be created and altered before more applicants with criminal backgrounds receive education in the tactics and techniques of Information Assurance.



12B Lessons from Cracking Enigma John O'Leary

Among the distinguishing characteristics of a long-term, successful IT security professional are continued learning and a constant search for examples of achievements (and failures) to learn from. Way back in the late 1930s and early 1940s the British (and a few Americans) at Bletchley Park, an old mansion about 50 miles outside London, broke multiple supposedly unbreakable German encryption codes, primarily those created for the also “uncrackable” Enigma machines. A highly dedicated group of unconventional warriors worked ungodly hours to unravel the codes and kept their efforts secret from even their closest friends and relatives. They succeeded, and their work is thought to have shortened the War by up to two years and saved countless lives.

In September 2010, we’re trying to predict new attacks, address existing vulnerabilities, survive organizational politics, explain threats realistically to managers and users, implement and maintain feasible solutions, break what sometimes seem to be unbreakable behavior patterns and chop our budgets by x percent. Are there things that even grizzled and scar-bearing professionals can learn from the efforts at Bletchley that can carry over to our mission today? We’ll examine what they did and how they did it to find out. Sure, it’s going on 70 years later, but there are possibly surprising parallels and some real lessons for us as we strive to develop and implement effective and workable security countermeasures.



9S Building a SABSA Governance Interface Malcolm Shore

A SABSA Enterprise Security Architecture is not a captured document, but is a living expression of security throughout the life of an enterprise. When deploying SABSA into an organisation, the issue of governance begins at the point of collecting business drivers and attributes and continues through to the deployed SABSA Enterprise Architecture. From the start of the SABSA analysis, we have to ask questions such as "How will we capture new security requirements into the model as the enterprise evolves?" and "How do we institutionalise an appropriate governance model over the policy architecture we create?". Having answers to these questions, and having tools to deliver the governance in a way which integrates with a company's existing governance arrangements, is key to success. This presentation looks at the lessons learnt from a fast track analysis of an enterprise which delivered a new governance model for security across the business arm and the enterprise's shared service arm, and demonstrates a tool used to support the fast track assessment and ongoing SABSA-oriented risk monitoring.



10S SABSA Capability Maturity Model as a Basis for Auditing Enterprise Security Architectures David Hafele

Capability Maturity Models are used by many organizations to measure the level of development and maturation that they have in performing core business processes. Security Architecture is closely aligned with a business’ needs and now has enough history behind it as a discipline to warrant a closer examination into its level of process maturity in different operational environments.

What I am proposing is determining how SABSA’s Capability Maturity Model may be used to evaluate the architectural maturity level of different types of businesses or organizations. In my presentation, I plan on engaging the participants of the SABSA World Conference in exploring how they can leverage SABSA’s Capability Maturity Model to audit organizations so that these organizations may have a more comprehensive understanding of their actual security architecture. These organizations may then leverage this information to strengthen their security posture by understanding more clearly their “As Is” architecture, and this will be an excellent input into developing their strategic “To Be” architecture at some future point. For organizations that are highly regulated, this would prove advantageous, since they could prove to the regulators that they have well-defined processes that ensure that they are managing their programs and risk well. Another plus for competitive organizations is that they would be able to attest to the strict architectural and security standards they incorporate in their strategic, operational and tactical processes. In a world full of financial improprieties and gaffes, this could prove to be a marketing competitive advantage to the organization that has well-defined security architectural processes in place.

In summary, I believe that using SABSA’s Capability Maturity Model is a natural development of providing clearly defined metrics to evaluate not only the security posture of an organization, but also the level of completeness of their business processes and architectural maturity. It is my desire to build upon this premise and provide a working model for attaining this goal.



11S SABSA Trust, Security and Risk Management in Cloud Computing John Sherwood

The hot topic of 2010 is seemingly Cloud Computing, and as usual, this emerging technology is a solution looking for a business problem. The concept is that the biggest web business players such as Amazon and Google have huge spare capacity to handle peak loadings, and that they are offering this spare capacity for sale, packaged as a Service (aaS) – except that it is not always spare when those peaks come along. So the question arises – what is the business model that can be built around this concept? And how will trust, risk and security be managed in this emerging environment?

This presentation describes the application of SABSA to create first the business model, then the conceptual trust and risk management models that are required, and finally the logical architecture to implement these concepts using currently available technologies. This will provide a unique view of how business value can be created using the cloud ideas. It will be of particular interest to those with deep experience in information security management who have been looking with some scepticism at cloud computing and its possible future development for real world roll-outs. It should provoke some lively debates amongst those who attend.



12S Applying the SABSA Approach to Virtual Emergency Operations Center Architecture Mary Dunphy

Enterprise Architecture Initiative: Develop, deploy and secure a multi-agency eVOC that shares emergency response information. Develop a comprehensive emergency response program for a multi-entity region that provides:

  1. Significantly reduced operational risks through remote deployment of the command and control center.
  2. Visualization to point-of-need, optimized screen layouts, rapid camera search and selection.
  3. Collaboration on incidents, with all appropriate users having immediate availability of recorded and live event data via secure channels.
  4. Utilization of the existing police network, which also enables disaster recovery and backup capabilities, and rapid deployment of converged technologies.
  5. Measurable rapid ROI.
  6. Faster and more effective response to incidents.
  7. Improved situational awareness: automated distribution and coordination of information and reports.
  8. On-going cost reduction from analysis of trends (like SLA violations, false alarms).
  9. Convergence of IT and physical security initiatives.
  10. Extended life of legacy products.
  11. A platform for integration of additional valuable technologies (such as analytics).

Emergency directors need to share critical data from emergency situations to efficiently respond to emergency needs. These critical data are: Video, Integrated Emergency Response Plans, Centralized Dispatch, Real-time Location of Emergency Personnel.

Implementation Challenges include: Divergent agency goals and SLAs, Differing Architectural Standards, Funding, Coalescing Enterprise Security Rules/Policies.

Application of the SABSA Methodology to establish business driven security outcomes for the following: Audits and Assessment (logical and physical), Architecture and Strategy, Risk Management, Policies and Procedure, System Design, Operations Continuity within the context of crisis management, Training. Demonstration of the SABSA model to ensure success and completeness of this large, complex project: Interview of key stakeholders, Attribute mapping of business drivers, Reconciliation of each attribute across entities, Rules of engagement (multi-entity policy mapping), Approval from all involved agencies, Funding approval, Acquisition, Deployment, Training, Validation/Testing, Project Acceptance.



8P Cloud Computing ‘Business Saviour or Nemesis?’ Simon Pascoe

SECURITY ISSUES ASSOCIATED WITH CLOUD COMPUTING - FROM A BUSINESS PERSPECTIVE.

Enterprises utilise emerging technologies in order to exploit cost savings and enhance competitive advantages. Cloud computing offers this flexibility and has many examples of proven reduced costs (OPEX and CAPEX). As the recession draws down balance sheets, more and more enterprises find themselves drawn towards the cost savings offered by cloud service providers, and cloud computing is increasingly being offered as a serious business IT platform.

This session will discuss the security risks associated with the primary cloud services: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service), and the security controls within specific cloud service provider (CSP) vendors' architectures. The session will examine the business risks associated with cloud computing, discuss the current advice based upon research BT has performed in this arena, and also wider/global thought leadership.



13P The COSAC Rump Session Various

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.fsnet.co.uk before 10AM GMT Friday, September 17.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday September 22.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of five minutes will be allocated for each presentation.






THURSDAY 23rd
OPTIONAL HALF DAY WORKSHOPS


W1 Changing Behaviour: Effective & Focused Security Awareness John O’Leary

IT Security professionals with any reasonable amount of experience know that even extensive security programs with large budgets and ever-more-complex technology cannot by themselves assure that valuable and sensitive information will be adequately protected. Information security-related errors tend to trace back to well-intentioned but careless or overburdened employees, and damaging computer crime is too often committed by authorized users. Therefore, employee security knowledge, attitudes and motivations must be critical concerns. Seasoned security types also know that awareness programs really deal with behavior, not just recognition of threats and attitudes toward security. In this half-day session, we’ll focus on improving the security awareness and behavior of all our users, including technicians and executive staff. We’ll provide some practical ideas and techniques for delivering security training, customized according to your audience. We’ll also cover how to plan and execute a program that’s right for your specific organizational environment and budget.



W2 IT Security Technology Directions E. Eugene Schultz

IT security technology is extremely dynamic in nature. Not only do new and improved security technologies constantly emerge, but some technologies become increasingly prevalent, whereas others fall by the wayside. Furthermore, many information security experts believe that we have been using the same basic security measures over the last 20 years, and that this is one of the major reasons for the growing gap between actual risk and managed risk. The technology arena is no exception. Because technology is so critical in mitigating information security-related risk, it is essential to keep in touch with security technologies (especially new and emerging ones); to understand their real functionality, capabilities, limitations, and potential for improvement despite all the hype that surrounds them; to understand the environments and contexts in which they are most likely to succeed; and to learn how to develop an effective strategy for deploying and phasing them in.

This workshop will cover four extremely critical security technologies: network security in the 21st century, cloud computing, intrusion prevention, and SIEM technology. The course will present a realistic view of each technology and will then delve into security issues related to each one. The course will also have a futuristic flavor in that it will provide insight into how each technology is likely to evolve over time and why.

The methods of instruction to be used will be lecture segments followed by discussions. A demonstration of one leading intrusion prevention and one leading SIEM (Security Information and Event Management) product will also be given.

Workshop Outline

  • Network security in the 21st century
  • Cloud computing and virtualization and security
  • Intrusion prevention technology
  • Security Information and Event Management (SIEM) technology
  • Wrap-up

Attendees will learn:

  • The major types of current and emerging threats against network security and how the network threat landscape has changed over the last few years
  • Major kinds of network security technologies (with an emphasis upon new and emerging technologies), how each can help protect against network attacks, and limitations of each
  • How to develop and implement an effective network security strategy
  • The nature and benefits of cloud computing, including the types of cloud services that are available
  • Security risks in cloud services and available control measures (where they exist)
  • Likely future developments in cloud computing and their probable impact upon security
  • How to develop an effective strategy for mitigating cloud-related security risk
  • The overlap between cloud computing and virtualization security issues
  • What intrusion prevention is and how it differs from intrusion detection
  • How intrusion prevention systems work
  • Strengths and weaknesses of today’s intrusion prevention tools
  • How intrusion prevention technology is likely to change in the future
  • The range of functionality that SIEM products provide and the potential value of each
  • How SIEM technology works
  • Downsides of SIEM technology
  • How to introduce SIEM technology into an existing IT infrastructure
  • How auditors need to approach auditing today’s new and emerging technology deployments


W3 Changing Behaviour: Effective & Focused Security Awareness Geoff Besko

Often when organizations embark on the development of an enterprise security program and architecture, they struggle with moving from the high-level contextual and conceptual architectural elements into the lower layers of the SABSA matrix. Part of the issue is how to systematically translate these conceptual layers into specific services and, ultimately, into solutions composed of processes, people, and technology, while maintaining traceability throughout the process.

As part of several projects, we have established a standardized approach to address these issues and to achieve the objective of developing an Enterprise Security Services Catalogue that is traceable back to the original business drivers of the organization and also directs the development of specific solution architectures. This methodology is based on combining techniques from SABSA, ITIL, TOGAF, and control frameworks such as ISO 2700x, COBIT, and PCI DSS to create an integrated enterprise security services view.

During this presentation, the speaker will describe the methods used to create an Enterprise Security Services Catalogue using real examples from various client engagements to demonstrate these techniques. The objective of the presentation is to engage the audience in a dialogue about the practical application of these techniques, how they can be improved, and their applicability within their respective organizations.






All content on this web site © 2010 COSAC
- All Rights Reserved -