

COSAC 2009 SYNOPSIS OF SESSIONS





MONDAY 21st
COSAC MASTER CLASSES


M1 COSAC International Security Round-Table Forum John O'Leary

For the ninth annual COSAC Forum, we offer a full day of experience-based, real-world discussion by seasoned security professionals who regularly enter the arena and fight the good fight. Sometimes the discussions will feature brilliant stories of success and victory, sometimes not. But we can all learn from both the wins and the losses, and everyone at a COSAC Forum participates. We don't air dirty laundry, and we're not trying to embarrass anyone, but we often go into details of both successes and failures, always assuming that the discussions stay in the room. It's not just past history, though; we'll try to predict which issues, technologies and management thrusts presage more challenges for us security warriors over the next few years.

One of the primary benefits of the Forum is an early, full immersion into the COSAC way. Participants share information and invariably build on each others' ideas. And rarely does a statement go unchallenged, so the discussions also prepare us to effectively defend our positions back at the firm. There's no scorekeeping, thus no winners or losers. Historically, we've all been willing to share techniques that worked for us and bounce them around to see if they seem reasonable for others. We'll also identify those technologies or practices or implementations that may have looked good on paper or in that Gartner report, but never panned out in the real world of our environments. We'll also try to predict future areas of security concern and see where we match up with other participants. Forum participants have had a good track record in anticipating next year's security concerns, so this part may be especially valuable.

It is an open forum, loosely moderated, but with the emphasis on sharing information. Quintessential COSAC. There's a place for theoretical discussions and projections in discussing future issues, but most of our analysis and interaction is based on actual experiences. Opinions based on sound judgment or been-there, done-that intuition; what you read; what you heard; organizational folklore, what someone else swore to… are all fair game for the give and take of this one-day roundtable. We all seek honest feedback, guidance, encouragement and critiquing based on earned knowledge and the certainty that all participants either have been in similar situations or will be before long.

COSAC is the best security conference on earth, providing some of the best IT security speakers to be found. Their presentations, analyses, recommendations and coping strategies are really helpful. But the chance to compare notes, strategies and techniques with others who are facing the same economic and political situations makes a one-day session like this both different and uniquely valuable.

The essence of COSAC Forum sessions is give and take, therefore, participants must be prepared to discuss topics freely and be willing to contribute to discussions, even have their solutions subject to the scrutiny and analysis of peer review. In the past, the forum's moderator, John O'Leary, has posted lists of potential topics for the forum and had participants decide what they'd like to discuss, even to the extent of volunteering to give short presentations or start the discussion on some relevant topic. This year's understandably incomplete list of potential topics appears below. Participants are also free to suggest topics at the start of the forum, and experience suggests that people who come to this session are not shy about doing so. The better prepared you are, and the more you put into this session, the more you'll get out of it.

Potential Topics for 2009 include:

  • Virtualization
  • Compliance
  • Pandemic Planning
  • Risk management
  • Governance
  • Outsourcing
  • Privacy Issues
  • NAC
  • Data Loss Prevention
  • Security Architecture
  • Disaster Recovery/Business Continuity
  • Identity Management
  • PCI
  • Spam Control
  • Internet Attacks
  • Computer Crime
  • Social Networking Sites
  • Security Budgeting
  • Implementing Wireless Security
  • Security Metrics
  • Security Team Job Descriptions and Requirements
  • Effective Interfacing with Other Groups
  • Social Engineering Defense
  • Incorporating Security into the Business Model
  • Threat Management
  • Getting & Keeping Management Commitment

The list is certainly not all-inclusive. But discussions started at the Forum almost always carry on through COSAC, even through multiple COSACs, and lead to realistic, workable solutions. Keep an open mind, be willing and ready to share techniques and strategies, and come join us.




M2 BUILDING A TEST & EVALUATION RESOURCE IN A VIRTUAL ENVIRONMENT Peter Stephenson

Today's organizations are faced with increasingly slimmed-down budgets and human resources. Security engineers are challenged to test and select new equipment and software to protect the enterprise and are increasingly dependent upon vendors' claims to make purchasing selections. With the push to do more with less, build green computing environments and validate vendor claims, technologies such as virtualization and cloud computing are gaining popularity.

This full-day Master Class addresses these issues and offers live demonstrations of how to develop a virtualized sandbox for product testing, system prototyping and new product evaluation. The demonstrations will include step-by-step construction of various types of test environments using the Norwich University Advanced Computing Center Primary Cluster, a VMware ESX 4-server cluster with 4 dual quad-core processors, 8TB of storage and 256GB of memory.

What this Master Class will cover:

  1. What is virtualization and what does virtualization mean in a test environment? Doing virtualization right.
  2. How is test lab virtualization different from infrastructure or desktop virtualization?
  3. What is cloud computing and is there an application in your organization for an organization-centered "mini-cloud" using a virtualized environment?
  4. Determining your organization's needs
  5. What products are available?
  6. How do you develop a virtual architecture?
  7. How to configure and implement a real system
  8. Building test beds - build-up, tear-down and what to save - cloning
  9. Connecting the virtual world to the physical world - testing appliances
  10. Predicting loading
  11. Implementing security
  12. Building cost estimates and ROI analysis


M3 Architecting Governance Geoff Besko

A key challenge when establishing security programs (or any other type of program, for that matter) is how to address governance of the program and how to effectively integrate it into the organization's existing governance structures. In its most basic form, governance is determining how decisions are made and who has the authority to make them. Organizations often turn to best-practice models for governance but have difficulty actually applying them to their own organization. These models often identify what governance is and why you should be addressing it, but fail to give a clear explanation of *how* it should be done.

Get ready to roll up your sleeves as we apply architectural techniques to design a governance model for a large enterprise!

This full-day workshop will entail actually applying these techniques to a case study to demonstrate how you can tackle governance modeling in your own organization. Over the course of the workshop we will apply techniques from the Sherwood Applied Business Security Architecture framework and methodology, as well as other architectural and governance techniques, to develop an organizational entity model, an enterprise trust model, a security domain model, a policy architecture, and a security program accountability matrix.

The goal is to provide the audience with practical approaches to tackling their own governance challenges by demonstrating applied modeling techniques and how these models build from each other to provide a comprehensive business-driven governance model.





TUESDAY 22nd
SESSIONS

A1 - A2 : MalWare Revolution & Evolution: Latest & Future Trends & Developments in Malicious Code
B1 - B2: Agility & Cloud Computing Security: Turning the Theory into Leading Edge Practice
C3 - C5: Knowledge, Malice & Culture: Finally Dealing with Social Engineering & Awareness
D3 - D5: The Future of Trusted Systems & the Internet: A Guide to breaking Trusted Computers and what the future holds for the Internet of 'Things'
S1 - S5: The First SABSA World Congress: The Latest Developments & Case Studies
P1 - P2: Plenary Session


A1 The Zeus Evolution Clemens Kurtenbach

Some years ago malware evolved towards obtaining economic benefit from its infections: among other things, the theft of credentials, access to electronic banking accounts, and the rental and sale of zombie networks for carrying out DDoS attacks or sending spam. Nowadays this professionalization is known as 'Malware as a Service'.

The talk is intended to give an idea of the state of the art of today's malware - major players, behavior and institutions involved. The focus will be on one of the main malware families we face today: Zeus / Zbot / Wsnpoem.

Wsnpoem is a banking Trojan that has been active for years and has evolved over time, in part by making itself increasingly difficult for researchers and security experts to analyze. This is done through different types of encryption methods and hiding techniques, new features (screenshots, execution of binaries...) and changes in the C&C structure.

The presentation aims to give technical information about its evolution including recent changes such as the new process of extracting the encryption key for the configuration files (live demo).

Presented by members of the S21SEC e-crime group.

The e-crime group is a unit of the dedicated security company S21SEC, responsible for investigating cases of fraud on behalf of organizations, studying new Internet threats and vulnerabilities, collecting and analyzing malware, searching for stolen data and researching all current cybercrime threats.



A2 The Conficker Worm, Success Factors & Why You Should Care E. Eugene Schultz

The Conficker (also known as Downadup) worm is the most prolific computer worm the world has ever seen. Since surfacing in November 2008, Conficker and its variants have, according to numerous estimates, infected more than 11 million Windows systems worldwide (far more than MSBlaster ever infected), and the number is growing daily. The phenomenal success of Conficker comes in the face of a pronounced trend in which fewer and less prolific worms have emerged in recent years, causing experts to pronounce the demise of worms and other types of self-reproducing malware. Conficker has clearly proven these experts wrong. Strangely, this worm's main attack vectors, exploitation of a Windows vulnerability and password guessing, are nothing out of the ordinary. However, Conficker's use of "drones" that scout out domain names for targeting purposes has proven to be a novel and highly successful mechanism. Additionally, a number of this worm's authors are constantly changing Conficker's functions and mechanisms in ways that the white hat community has not been able to anticipate. The end of Conficker's life is thus nowhere in sight.

Conficker is more than just an interesting piece of malware to analyze, however. It has become so prolific that it is forcing the information security community to re-think the self-reproducing code threat and to re-evaluate currently accepted approaches to countering this type of malware. Given the failure of a considerable proportion of anti-virus software and endpoint security products to stop this worm, vendors, too, have been forced to consider substantial changes in their products. And given the high percentage of systems that were not patched (and still are not patched) for the vulnerability that this worm exploits, the controversy concerning whether Microsoft should be given license to force critical updates into unpatched Windows systems has re-emerged with greater intensity than ever before. This presentation delves into these and additional extremely important issues that the Conficker outbreak has raised, with the goal of facilitating discussions that will help attendees re-evaluate today's self-reproducing code threat and come up with satisfactory solutions for their own information security practices.



B1 Agile Security, Necessity or Mission Impossible Helvi Salminen

Key principles of agile software development were written in the agile manifesto in 2001. Human interaction and collaboration are valued more than strictly defined procedures. The results which meet stakeholders' requirements are more important than comprehensive documentation. Changes are welcome at any stage of the development process - which is often a nightmare in the traditional waterfall development model.

In security management we are still facing the same challenge as software developers did before the "age of agility". Most security management standards and practices are like the waterfall model in software development: well defined but often too rigid to react to the turbulence of a modern business environment that requires quick reaction to continuously emerging new challenges. We as security practitioners also have a lot to learn from manufacturing management, where the concept of lean manufacturing is widely applied. The concept of agile manufacturing has also been introduced.

Including security in software projects managed with agile methods has also been widely discussed. However, agile security management methods seem to be missing in the field. Agility is often seen as the gradual erosion of good security, the assumption being that agility and security just cannot coexist. But it is not necessarily so. This paper introduces the concept of agile security management: how to respond to changing business needs while at the same time ensuring that security meets the requirements defined in legislation, standards and contracts.



B2 Getting Your Head in the Clouds Andrew Townley

One way or another, cloud computing seems determined to be on your radar. Whether it's your CXO, your customers or even your staff, someone is either going to be asking you about it, doing it, or trying to keep you from knowing they're doing it. You can't afford not to be prepared and understand not only the fundamentals and current definitions of cloud computing, but you also need to be able to get beyond the buzzwords, the hype and the fear, uncertainty and doubt (FUD) presented everywhere from the Wall Street Journal to trade magazines to vendor brochures.

This session will provide a brief overview of the current cloud computing landscape, including:

  • The different definitions and approaches
  • The claimed business benefits and opportunities
  • The most touted security issues and risks

Following this introduction, we will examine the potential business value, opportunities and risks in more detail to identify the ones that are likely to have a real impact on your organisation. After this session, you should be able to understand:

  • The relationship between cloud computing, virtualisation, Software as a Service (SaaS), SOA and other types of outsourced services
  • Whether cloud computing is a real option for your organisation
  • The unique information assurance and security challenges posed by cloud computing
  • What you can do to prepare yourself and your organisation for evaluating, deploying and leveraging cloud computing services
  • How you can begin to assess the level of enterprise information already being managed externally by such services as Amazon's S3, Google Data, and end-user productivity suites like Google Docs and MS Office Live


C3 The Impact of Culture on the Information Security Program Shannon Donahue

As organizations have increasingly become dependent on information technology to facilitate business operations, information has grown to become an asset critical to an organization's survivability. To ensure the protection of information as an asset, the information security manager has become a common position within organizations. However, information security managers face a myriad of challenges including changing risk profiles, lack of funding, cultural issues and internal and external threats.

The human resources of the organization and the organizational culture which they operate within are critical components to security program success. Culture may dictate patterns by which people behave. The human resources within an organization can choose to follow security policies or choose not to. If strong governance is not in place and senior management does not make it known that information security is a priority for the organization, employees may not bother with security. Insiders are often the top threat to an information security program and account for many unknowns. Organizations must understand the importance organizational culture has on the information security program.

This 75 minute symposium session will focus on understanding the impact that culture has on the success of an enterprise's information security program. There are many different aspects of culture which will be discussed. The session will also present thoughts on how to create an intentional culture which is favorable to the information security program. While making cultural change is often a daunting task it is possible and can have tremendous benefits for the security program and ultimately, the organization.



C4 Knowledge + Malice = Chaos: When Awareness Fails John O'Leary

On Nov. 5, 2008, two Los Angeles traffic engineers, after first pleading not guilty, pled guilty to illegally accessing a city computer. The pair, at work on Aug 21, 2006, used stolen manager IDs to hack one of their traffic computers and sent commands to maliciously modify four signal control boxes at critical intersections. No one was killed, no accidents were even reported, but it took 4 days for LA traffic to get back to its usual semi-controlled, semi-chaotic state.

The plea bargain doled out minimal penalties for this crime, but the mind boggles thinking about possible consequences of similar exploits in the future (see San Francisco, 2008). We'll analyze this incident, ask some questions, and pose some "what if" scenarios. We'll also discuss whether this constituted a failure of security awareness, why the punishment was so minuscule, what other factors (union, LA City culture, etc.) played supporting roles, and how an incident like this and its fallout can be used effectively in an Awareness program. Then we'll tell you the scariest part.

This will be very COSAC, a highly interactive session with much potential for disagreement, varied analysis and lessons learned from real-world experience.



C5 The Elephant Cookbook: Countering Social Engineering Jon Colombo

When I talk to colleagues about this topic, I cannot help but think that this is an 'eating-the-elephant-in-the-room' problem:

  • Few are willing to admit that there is one there, let alone how large it is
  • … of those that do, most think it is far too big to tackle, and even if it wasn't they'd not be able to cut the skin
  • … of those remaining, hardly any know how to slice the elephant, let alone the right way to cook the bits
  • Just to confuse matters, many of the so-called recipes that do exist rely on the beneficial properties of snake-oil for their efficacy

At last year's COSAC I introduced compelling evidence that turned the spotlight on the elephant and pointed out some of its vulnerabilities.

This year, I've been looking at slicing strategies, and recipes for the bigger bits. Whilst the Delia Smith 'Complete Elephant Cookbook' is still some way off, she would probably want to come along to this session to get some hints.

Based on ongoing research into the field, this session aims to push forward understanding of the topic. It will:

  • Recap the ground covered last year
  • Look at the reality behind some of the myths that are out there
  • Propose an overall approach and some techniques that seem to work



D3 Fundamental Components of "Usable" Operational IT Risk Management Systems Michael Legary

Can you make sense of security control monitoring in your organization? Can you determine, visualize or communicate any true point-in-time posture of enterprise security? Can you answer these questions with a straight face?

Our organizations are becoming saturated by function-specific information security tools such as SIEM, DLP, IDM, TRA tools, automated vulnerability assessment and IT risk registers. Our organizations' security policies are often driven by compliance, with little ability to detect actual harmful events or scenarios impacting the business. Management and executives have no first-hand visibility of security issues impacting their areas of responsibility. We have the technology to overcome these challenges and harness the true power of our control infrastructure, but where do we start?

An Operational IT Risk Management system is the first step towards aligning traditional risk management requirements of the organization with the IT controls and decision sub-systems we have littered throughout the organization.

Michael will discuss several key technologies and technical challenges in the building of a usable Operational IT Risk Management System (OITRMS) and provide examples of real world implementation failures. Highlights will be provided regarding key technical developments in this field of research and the major challenges to be resolved. The presentation will be followed by a discussion of the achievable goals of an OITRMS and how it is enabled by technologies already available in our organizations.



D4 The Crazy World of On-line CCTV Simon Gunning

We live in a world of surveillance and the UK has the most CCTV cams deployed in the world. I know there has been a lot of publicity on CCTV, but I would like to explore the other world in this session. We are going to cover the world of the CCTV online, WiFi cams, IP cams that are used as remote surveillance, internal security, office and home monitoring and the crazy world of robot cams that you can travel around your property remotely with.

Who is affected you ask?

Anyone who installs a CCTV camera of any sort that is connected live to the internet.

As usual I hope this will be a fun presentation with a lot of "What if's?" and "Could I" statements from myself and the participants.



D5 Let's Get Physical: The Internet of Things Chris Keay

In the next 2 years the present IP address space (IPv4) will reach its capacity. The new Internet currently under development will have enough IP addresses for every human being on the planet to have a personal network the size of today's internet. Why? Because the next internet will connect "things" to other "things". The "Internet of Things" will be possible through the use of "smart objects".

Smart objects will enable a wide range of applications that will improve our lives in many areas such as energy management, healthcare, and safety. The recent progress in low-cost embedded devices is about to make the Internet of Things a reality. For this to come true, we must learn from the lessons of the past and adopt a flexible, scalable, efficient and open networking technology. But most of all we must master IP security.

This presentation looks at the "Internet of Things" and the associated security challenges. In a thought-provoking style the presenter will discuss the obvious (and not so obvious) security issues of having your car, cat and oven on the same network. The impact of hacking takes on a whole new significance. Are we as security professionals ready for this challenge? The material will also cover the technology of "smart objects" and the use of RFID and GPS technology to network "things". The approach is both philosophical and common-sense: subject matter invaluable for today's information security professional.



S1 A 2,645,615 Sq Km SABSA Implementation Peter Wolski

Imagine, a court jurisdiction that is 2,645,615 Sq Km in size.

Imagine a place where public servants drive large 4WD not for status but to get to work.

Western Australia is the second largest administrative division in the world, with one of the lowest population densities; the people are known as sandgropers and the insects are everywhere.

Establishing a business driven security architecture for an organisation that has developed and grown security at an operational level is challenging enough. When the customer is also an internal IT service provider to multiple other State Government agencies and has multi-sourced its technical responsibilities the project becomes interesting. This case study will outline how these challenges are met and in most cases overcome.

We will delve into the pragmatic approaches to modify the SABSA framework to suit multiple stakeholders that were not beholden to each other. These stakeholders at different times have corresponding, competing and conflicting requirements and drivers.

"This is all very good but what does this mean for me?" is the question stakeholders ask when they are happy to share requirements but would prefer someone else, in this case the internal IT service provider, to pay to achieve the result. The SABSA framework allowed the project team to provide clarity for all stakeholders about requirements from the board to the wiring closet. It helped identify where requirements are achieved and where they are missing. The case study will explain how the cats were herded, and most importantly how to pull all the information together and create a cohesive framework.



S2 A Journey Through Modernisation of ESA at a Leading Bank Kevin Nichols & Ross MacKenzie

Despite advice to the contrary, the journey was made to "modernise" the Enterprise Security Architecture at one of Australia's big four banks. This journey was undertaken to facilitate a merger and to position the bank architecturally to meet the challenges of "de-perimeterisation" and of both contemporary and future threats. All this as well as addressing the common issues that typically haunt an enterprise trying to fit the brave new world of multi-channelling, application integration, cloud computing and other exotic 3rd party associations into the traditional web-based 3-tier reference architecture. Oh, and also reduce costs and time to market...

This session will provide a fast and furious run-through of how, why, where, what, when and to whom the SABSA method (aka the "Matrix") was applied. Layer by layer it will move through the challenges (no reference to onions is required to shed a few tears) such as:

  • Project Scope issues - did we really try to eat an elephant?
  • What are we delivering - the artefact format question. Does it already exist?
  • Who should be doing what - political boundaries and dependencies
  • Closure criteria - how do we know when we get there - what is good enough to move on to the next step
  • So how do you relate this to COBIT? Making it meaningful to everyone else

Along the way, some amazing compromises and decisions that, while they may make you laugh or cry, will definitely make you think again!

(Note no IBM reference architectures / product placements used - but be prepared to bring your blue SABSA book)



S3 Developing a Solution Security Architecture using the SABSA Development Lifecycle Pascal de Koning

SABSA is a framework for Enterprise Security Architecture. When developing a security solution the scope is not enterprise-wide; however, the SABSA Development Lifecycle can still be very useful in this case.

This presentation gives a practical approach to fill in the Contextual and Conceptual layer of the Solution Security Architecture. This approach:

  • deals with constraints derived from the existing environment, law and regulations, risk management, etc.
  • makes use of the well-developed requirements management approaches in software development and references a very useful method for requirements management
  • defines a set of Solution Quality Attributes at the solution level (comparable with the Business Attributes at Enterprise level)

This is still work under construction, so comments and thoughts are more than welcome. Some parts of this approach have been tried in a real world case and have proven their value. These will be shown to illustrate the method.



S4 From Strategy, Over Concept, to Design André Mariën

This session delves into a long-standing pain point: errors of omission, exemplified by late problem detection causing delays, irritation and non-compliance. It does not take a theoretical viewpoint: things are as they are. Rather, the idea is to find out what the problems really are and what to do about them.

In this case, the neat top-to-bottom model, all business-driven and linked two-way, is the theoretical heaven. But security, audit and infrastructure all have a parallel circuit to do their job well.

Ignoring these realities will not improve the situation. Rather, integrating their views in the enterprise architecture processes seems not only possible but even highly preferable. Is heaven on earth possible, or not? The proposal suggests we can at least get out of the big heat.

The proposal touches on an inherent difficulty: it is suggested that security and audit are not merely controlling bodies, but take on a role as advisor and partner. This trend is clearly present, but we run into a potential governance issue: combining the roles of advisor and controller risks a conflict of interest.

As far as I am aware, there are not yet presentations that attempt to integrate these approaches, each isolated in its own world, into larger frameworks like SABSA®.

Security must be more effective and far better integrated in normal (enterprise) architectural practices.

But that means that the value proposition must be there: if at the end of the ride tests for security and compliance still fail frequently and unpredictably, this proposition is not good enough.

Enterprise security architecture is the right vehicle: there is a need to build an organization and processes that make this happen, and that is far more important than new checklists, blueprints or controls.

The author expects to be challenged on many aspects of this proposal. The main positive feedback would be a confirmation that practitioners agree that this may be the root cause for some persistent problems, and that the solution direction is promising. He is also very keen on discussing the possible approaches to come to a better integration of the existing practices and to use the experience that is likely to exist in the COSAC audience.



S5 Business Enablement - A Systems Integrator's Perspective David Baker

Do you encounter problems when trying to get support for security projects?

Is your security framework not quite meeting its risk management objectives and losing understanding or popularity within the business?

Looking for innovative ways to use security architecture principles before the framework exists?

In this session, David intends to cover some well-trodden ground with what he hopes are some fresh ideas for people who are in these situations. By recapping the key principles of a security architecture framework, new ways of positioning both the value of the framework itself and the value of identifying and tracing business enablement objectives may become obvious.

Working for the Australian security line of business of Dimension Data, a global systems integrator, David specialises in the medium to large enterprise space across multiple commercial and government sectors. Dealing with a multitude of customers places David in a unique position to witness the success and failure of security projects under many scenarios, where different business drivers, risk appetite and budget capacity are constantly evaluated. This has both enabled and driven David and his colleagues to create innovative ways to engage with clients with these differing requirements, in a flexible but repeatable manner.

Session Topics

Promoting security architecture as a business enablement tool

  • Traceability & Flexibility - two essential focal points of SABSA
  • Sizing security architecture development
  • Successfully introducing architecture early in the IT maturity cycle

Using business enablement objectives

  • Representing positive gain/business enablement
  • Should we create enablement objectives for existing controls?
  • When to use enablement objectives

How do we use SABSA as a system integrator - Case Studies

  • Examples of when we use SABSA principles in a typical SI engagement
  • Driving increased revenue


P1 Witness for the Prosecution Lynn Griffin

Imagine your organisation has been the victim of a crime, a large scale fraud perpetrated over years. You make a complaint to the police and then what?

This talk will consider how corporate complainants are dealt with by the English criminal law and some practical steps you can take in the hope of making the process as painless as possible.

  • How will the police react to your complaint?
  • What can you expect of them and what will they expect in return?
  • Taking control - identifying the right person to make the statement.
  • Gone fishing - disclosure to the defence and what it will mean for your company in reality.
  • The trial process - what is it like giving evidence and how can you prepare?
  • The sentencing process - do you have a say, will you get compensation?


P2 Experiencing Crisis: Crisis Management, Murder Mystery Style Mike Softley
Jon Colombo

Whilst most COSAC papers are interactive, few deliberately set out to make the audience do the work. This is an exception. Come along to get a real feel for what it is like to be at the centre of a corporate crisis. Inspired by the court-case scenario during last year's COSAC, we'll be going one stage further - this time the delegates will be the actors. Structured like a 'murder mystery evening', the session will work through a crisis management scenario. Groups of delegates, acting as 'crisis teams', will respond to a situation as it develops.

We don't want to give too much of the plot away, but we can say that:

  • this will not be the usual bomb/fire/flood scenario
  • it should make you think, demonstrating some common pitfalls
  • it should spark debate and hopefully decisions (albeit in a simulated situation)
  • it should be fun!

By the end of this experience participants (there will be no passengers!) will appreciate that:

  • The Crisis Management Part of BCP ain't simple - there are some common traps.
  • Rehearsals can and should be both fun and useful
  • BCP isn't just about physical disasters



WEDNESDAY 23rd
SESSIONS

E6 - E7: Cyber Crime & Cyber War: An in-depth analysis of crimeware fingerprinting & a guide to surviving cyberwar
F6 - F7: Disruptive Technologies: Coping with the ever-changing world of new technologies
G8 - G9: Advances in Securing Technical Developments: Everything you need to know about real-world developments in digital signatures & NAC
H8 - H9: Data Loss & Identity Theft: A step-by-step guide to the issues, resolutions & strategies
S6 - S9: The First SABSA World Congress: The Latest Developments & Case Studies
P3 - P4: Plenary Sessions


E6 Crimeware Fingerprinting Joseph Ponnoly

Botnets, networks of hijacked or "zombie" computers, are the No. 1 Internet security threat today because they bypass traditional network security mechanisms. Bots (automated malicious software agents) planted on host computers lie low, taking over PCs or stealing data or credentials without the owner's knowledge. Malicious botnets are controlled by underground cyber criminals who use crimeware to steal identities or to commit financial crimes. The proceeds fuel the underground cyber economy.

The empirical study by the author provides a holistic view of crimeware and crimenet operations, referred to here as crimeware fingerprinting. The study reveals distinguishing characteristics of crimeware behaviour and crimenet operations that target banking, financial systems and ecommerce. The motivations and profiles of the crimenet operators behind crimeware are indicated, and these may help to control crimeware and crimenet behaviour. The study has focused on crimeware targets, attack vectors, payloads, modus operandi or attack methods, criminal profiles and malicious websites.

This study can lead to creation of a model for effective defenses against crimeware particularly banking trojans. Crimeware fingerprinting is the first step towards designing effective defensive mechanisms that would counteract crimenet bot-based attacks. Relevant areas for further research would include crimeware exploiting browser vulnerabilities and web services, defenses against attacks against authenticated sessions, identifying and controlling subterfuge behavior of trojans and server controlled polymorphic trojans and design of real time defenses against trojan attacks.



E7 Surviving CyberWar Richard Stiennon

The working title of this paper could have been Surviving the Coming Cyber War, except for the fact that various nation states have been engaging in cyber skirmishes and organized industrial and military espionage for at least the past eight years. There are cyber hot spots flaring up all around the globe between networked, industrialized countries and factions that are already causing network outages, loss of commerce, and even loss of command and control during physical attacks. This paper will acquaint the audience with the seriousness of the threat to our modern age of Internet communication, and even the risk that cyber warfare exploits may not only be part of the next outbreak of hostilities between super powers but could lead to those outbreaks.

The University of Southern California Marshall School of Business developed a Systemic Security Management Model which explicitly links security with the organization. In addition to the traditional elements of people, process, and technology, the model adds organization design and strategy, and links these nodes with what are identified as tensions. Tensions bond the nodes together forming a dynamic three dimensional view of security.

This presentation is an investigation of the major cyber conflicts that have occurred since May 1, 2001. Among these are Titan Rain, Chinese encroachments on the Pentagon, Whitehall, and the German Chancellery, Russian attacks on Estonia, Ukraine, Lithuania, Georgia, and now Kyrgyzstan as well as the Chinese 50 cent Army, Pakistan vs India, and Hamas vs Israel. The paper will incorporate original research from (name removed) visits to Estonia and Georgia.



F6 What is so Hard about Protecting People's Information Mike Softley

With a seemingly never-ending supply of examples of people's information being compromised in vast quantities all around the world, the question that forms the title of this session has to be asked. Various legislation and regulation exists, from the EU data protection directive approach through a patchwork of US Federal laws to a growing set of disclosure regulations and laws. There is even a developing management system standard for a personal information management system, and NIST have published guidelines (draft at the time of writing). But still the breaches occur.

This session will have two distinct parts. Firstly the presenter will outline at a high level the approaches to the protection of people's information across a range of jurisdictions. The second part of the session will be an interactive discussion that aims to assess which of these approaches is/are the most appropriate. More importantly, we will try to establish how we as security professionals can select and implement good practice from around the world in our organisations, to try to avoid our companies becoming the next TK Maxx, HMRC, PA Consulting, UK Ministry of Defence, US Veterans Agency, Monster.com, etc, etc, etc.



F7 Are You Ready for Disruptive Technologies? Nanette Poulios

Web 2.0, cloud computing, mashups, GPS, iPhone apps, new client-server models, mobile computing devices, social networking and other technologies are creeping into our business environment. Is this new technology a boon or a bust? Does it disrupt our business or create new processes to enable novel business models? This session will explore how these new technologies affect your business. Also discussed in this session will be the security of these technologies and devices, as well as the effect they will have on privacy. The net generation that has grown up in the digital world is now entering the workforce and will insist on using these open technologies. In the near future, businesses will be pressured to follow a more open model. This presentation will discuss some case studies of organizations that have successfully implemented this new open model and implemented new technologies.

Our current security models can be adapted to embrace new technology. This session will explore adapting some current security controls and best practices to allow organizations to safely employ these new technologies. Make sure your organization is prepared to hire the next generation of workers and successfully leap to Web 2.0 technologies.



G8 Security Delusions and the Madness of Crowds Andy Clark

In 1841, Charles Mackay published his book "Extraordinary Popular Delusions and the Madness of Crowds". It studied the psychology of crowds and mass mania throughout history, including accounts of classic scams, grand-scale madness, and deceptions. Its title also served as inspiration for James Surowiecki's 2004 book "The Wisdom of Crowds - Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations". The latter observes the aggregation of information in groups, resulting in decisions that, he argues, are often better than could have been made by any single member of the group.

But which is the more relevant when we consider crowd behaviour relating to security? In this talk we observe real life examples and consider three perspectives:

  • The forensic investigator - interested in the identification of subjects and the proper collection, preservation, analysis and presentation of evidence
  • The Security engineer - interested in designing and implementing information systems that meet the security requirements of their users
  • The behavioural scientist - interested in investigating the decision processes and communication strategies within and between users of information systems

We present a range of correlated observations of current crowd behaviour that suggests that Mackay may have had more insight into information security than would have been imagined!



G9 NAC in the Trenches: What Works, What Doesn't & Why? Lisa Lorenzin

NAC has developed a reputation for being difficult to understand and complicated to deploy. While this reputation is not entirely undeserved, it doesn't have to be that way! Understanding the challenges it presents, the technologies that underlie it, and strategies that have worked in the real world can help minimize pain, reduce costs and effort, and ensure a successful deployment.

I've personally participated in NAC deployment planning with dozens of customers ranging in size from SME to global Fortune 100 and in vertical from financial to government to healthcare to military-industrial. While in most cases I can't name names, I can certainly provide an overview of the challenges faced (both those spanning all boundaries, and those unique to size or vertical or regulatory requirement) and the strategies that succeeded, as well as what to avoid! Also, I will engage audience members to share their impressions of - and concerns about - NAC, and hopefully even what they've tried and how it went.

At a technical level, we'll discuss available enforcement options (802.1X, network-based, host-based) and where they provide the most benefit (e.g. 802.1X in conference rooms); how to deal with managed, unmanaged, and unmanageable endpoints; identifying and provisioning access to the variety of user communities present in any organization; and how to identify low-hanging fruit - areas where a small amount of effort will produce the greatest results.

At "layer 8" we'll discuss how NAC relates to an organization's security policies and overall business practices, and how to get buy-in from stakeholders who may start off viewing the potential deployment solely as a likely source of disruption, downtime, and confusion.

We'll use these foundations to build a model of a successful deployment process: understanding your environment both technically and politically, identifying your current and future requirements, defining a phased deployment plan, implementing the first phase, re-evaluating the plan based on what you learned in the first phase (because there's always something unanticipated!), completing your deployment process, and maintaining your NAC implementation as your environment grows and changes.

Case studies, walk-throughs of example deployments, and (hopefully) audience participation will give us an opportunity to explore real-world problems and apply the basic principles to specific problems, both common and corner-case.



H8 How to Steal an Identity: A Step-by-Step Guide Richard Hollis

Everyone is talking about identity theft. The Home Office estimated that Britons lost over £1.7 billion last year alone. Why? Why is this crime suddenly so popular? Has it really just come out of nowhere? What exactly is "identity theft"? What information makes up our personal identity and how can it be taken from us? The issue of identity theft is the very essence of information security. As information security professionals there should be no more critical a subject for us to understand and articulate.

This timely presentation is done in a workshop format involving direct interaction with the audience. The presenter actually begins the presentation by using a series of false names, biographies and associated identity cards, setting the scene for the subject matter and demonstrating the problem.

The presenter entertainingly covers the statistics of the problem and then explains the three distinct elements of information which make up a person's identity. Once the definition of an identity has been laid out, the presenter walks through the exact steps criminals take to obtain the information to commit a fraud. The presentation will include a focussed session on corporate database theft, with advice on how to identify and prevent identity theft. The presentation is devoid of product placement, endorsement or any commercial message whatsoever. The approach is as personal as the subject matter and designed to "wake up" the listener to this very real threat. The material is based upon the premise that to understand identity theft is to truly understand information security.



H9 Now Where Did I Put That Memory Stick? Lynn Griffin

As information security professionals you spend your working lives protecting data, but in the imperfect world of continuing significant identification data losses it is worth considering some of the potential legal consequences for the individual and the organisation.

This talk will examine areas of the English law that come into play when identification data is lost, including:

  • Criminalising identity theft - how does the English criminal law attempt this and is there a better way?
  • The Data Protection Act - is it fit for purpose in the 21st Century?
  • What can you expect from the Information Commissioner's office?
  • Who are the criminals and who are the victims?
  • Will the newly-established National Fraud Strategic Authority (NFSA) really make a difference?


S6 Opportunity Risk Modeling: Enable, Don't Mitigate Geoff Besko

At COSAC 2008, John Sherwood posed the concept of adding value to an enterprise risk management program by taking opportunity into account. As an enterprise architect and management consultant who has more recently become a security and risk management practitioner, acceptance of this approach seemed natural to me. However, it became apparent to me that for most security and risk practitioners this was a new approach and that the popular risk management lore many of us utilize doesn't adequately address this concept.

During this presentation, an approach will be demonstrated for the modeling of risk using business risk management techniques that have been integrated with the SABSA risk modeling approach, as well as other traditional threat and risk assessment methods. A more holistic and integrated risk model will be developed that assesses and mitigates operational risk while also assessing and enabling strategic and business opportunity. This starts with a clear understanding of the business context and identifies how the enterprise security program and architecture can both reduce operational risk and enable opportunity.

In no way is this proposed modeling approach meant to be definitive. The goal of the presentation is to spark a lively discussion on the topic and to get the participants' thoughts and opinions on the approach and how it can be further improved, while providing a practical approach that they can experiment with.



S7 Mandated Compliance: When Good Ideas Go Bad Charles Cook

Standards, policies, and controls are key to a successful computer security approach. Compliance validation and reporting can play a critical role in helping to ensure these requirements are properly implemented and effective. If you are establishing compliance criteria for a corporate ICT network you will (most likely) have the authority and flexibility to establish that criteria based on your operating environment and corporate risk appetite.

Now imagine you are the national government and tasked with establishing compliance criteria that must be applied to thousands of systems regardless of operating environment, and with a risk appetite that changes based on public opinion and reaction. The solution: a single set of controls addressing everything from alternate site requirements to the configuration of Voice Over IP services. At first, the solution appears to have merit. Enter the implementation process: mandate the evaluation of these security controls for all systems and provide mitigation strategies for all areas of non-compliance. Hold on, it's going to be a bumpy ride. Next thing you know, security personnel throughout the government are spending time and resources to explain why their system, equipped with a single-purpose, proprietary operating system, isn't running the latest and greatest antivirus software application.

This session will examine the effect of mandated compliance on the development of an effective security architecture. We will also look at the ripple effects of mandated compliance in the operations, maintenance, and disposition of government systems. Real world scenarios involving budget constraints, risk roles, and the implementation of operational "workarounds" will be presented so conference attendees can share their experience and help forge a way ahead.



S8 Using SABSA to Enhance NIST Jason Kobes

NIST Special Publication 800 Series security guidance provides methods to secure computer systems used in government agencies in the United States. I will show how SABSA can be used within the scope of the NIST 800 guidance to enhance the linkage between security solutions and business requirements.

System risk classification in NIST drives a fixed checklist of security requirements which must be either implemented or disregarded. To disregard a requirement one needs to illustrate why. SABSA offers a highly functional method to take the organization's business requirements and link them to the security solutions. By using this in conjunction with the NIST requirements one can clearly show which security solutions are linked to the mission and which security controls have no link to the mission. Further, this concept can be used with any checklist method of doing security to enhance the purpose of the control set which is implemented.

The second way SABSA can enhance NIST is to use the concept of enterprise inherent in SABSA by providing enterprise security solutions, or capitalizing on existing solutions in the enterprise. Many of the NIST requirements can be managed at the highest levels of the organization and provide enterprise solutions to the entire organization. SABSA can be used both at the enterprise level and at the individual system level to enhance the overall enterprise.



S9 SABSA as a Delivery Mechanism for Jericho Marco Plas

Jericho is a vision, an idea, the whim of a madman as some would call it. Most of the whitepapers from the Jericho Forum are somewhat vague. They are all about what is coming your way and why, but never about the how. That's where the SABSA model comes in. As former head of the Jericho research team in the Netherlands, Marco Plas will now combine his experience with SABSA and Jericho into a roadmap to Jericho. During this session you will learn about the Jericho design principles, the design principles for the Collaboration Oriented Architecture (COA) and their relation to the SABSA model.



P3 Bletchley Park Colossus Demonstration -
Breaking Lorenz SZ42 Using Linguistic Depths
Anthony E. Sale

The breaking of the Lorenz SZ42 cipher in Bletchley Park in the 1940's was a fantastic achievement by mathematicians, linguists, electronic engineers and masses of ordinary people doing extraordinary things.

The vital initial break exploiting German mistakes is a salutary lesson for security today. The early linguistic attacks using "depths" were remarkably effective leading to the development of mathematical methods using the Colossus electronic computers.

It is now possible to demonstrate the breaking using the rebuilt Colossus Mk 2 computer, and Tony will show video of this and demonstrate the linguistic "depths" methods developed in the Testery in Bletchley Park. The culmination of this was the ability to break a cipher text from cipher text only, something modern cryptologists still struggle to achieve!
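The "depth" attack the paragraph above refers to can be shown in a few lines. The Lorenz SZ42 added a 5-bit Baudot keystream to each plaintext character modulo 2, so two messages sent on the same wheel settings (a "depth") share the keystream: adding the two ciphertexts cancels the key and leaves plaintext-plus-plaintext, into which the Testery's linguists could drag probable words. The following is an added example, not code from the talk or from Bletchley Park; it models the cipher with 8-bit ASCII and XOR rather than Baudot (the algebra is identical), the two messages and the keystream are constructed for the example, and the function names are the author's own.

```python
"""Depth attack on an additive stream cipher: a simplified model of the
Testery's break of two Lorenz SZ42 messages sent in depth.

With a shared keystream K:  C1 = P1 + K,  C2 = P2 + K  (addition mod 2), so
C1 + C2 = P1 + P2 and K cancels.  Dragging a crib (a probable word) across
P1 + P2 reveals what the *other* message says at that position; the analyst
extends the readable fragment word by word until one plaintext is complete,
and C + P then yields the keystream itself.  ASCII/XOR stands in for the
5-bit Baudot alphabet here; all messages and the key are constructed."""

import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Mod-2 addition of two equal-length byte strings (the Vernam step)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(n: int) -> bytes:
    """Deterministic stand-in for the machine's keystream (constructed seed)."""
    out = b""
    counter = 0
    while len(out) < n:
        block = b"constructed-depth-example" + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def crib_drag(depth: bytes, crib: bytes):
    """Slide a crib across P1 XOR P2.

    Returns (offset, fragment) for every offset at which XORing the crib in
    gives printable text: each is a candidate position of the crib in one
    message, with 'fragment' being what the other message reads there.  The
    analyst then judges which candidates look like real language."""
    hits = []
    for off in range(len(depth) - len(crib) + 1):
        frag = xor_bytes(depth[off : off + len(crib)], crib)
        if all(32 <= c < 127 for c in frag):
            hits.append((off, frag.decode("ascii")))
    return hits


def recover_keystream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Once one plaintext is fully known, C XOR P is the keystream, which then
    strips every other message sent on the same settings."""
    return xor_bytes(ciphertext, plaintext)


# Constructed sample: two same-length messages enciphered on the same key.
P1 = b"ATTACK AT DAWN ON THE EASTERN FRONT"
P2 = b"REPORT ENEMY STRENGTH BY NOON TODAY"
KEY = keystream(len(P1))
C1 = xor_bytes(P1, KEY)
C2 = xor_bytes(P2, KEY)
DEPTH = xor_bytes(C1, C2)  # equals P1 XOR P2: the key has cancelled out


if __name__ == "__main__":
    # Drag a probable word; the true hit at offset 22 exposes "BY NOON " in P2.
    for off, frag in crib_drag(DEPTH, b"EASTERN "):
        print(f"offset {off:2d}: other message reads {frag!r}")
    # After extending the crib to all of P1, the key falls out and C2 opens.
    k = recover_keystream(C1, P1)
    print("second message:", xor_bytes(C2, k).decode())
```

The crib drag usually returns several printable candidates; choosing among them is exactly the linguistic judgement the Testery applied, and it is why a cipher is broken from cipher text alone only once two messages are in depth.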



P4 The COSAC Rump Session Various

The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

  • Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.fsnet.co.uk before 10AM GMT Friday, September 18.
  • Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday September 24.

Submissions should include a requested amount of time for the presentation. An anticipated maximum of five minutes will be allocated for each presentation.






THURSDAY 24th
OPTIONAL HALF DAY WORKSHOPS


W1 Virtualisation & Security E. Eugene Schultz

Few issues in the IT arena are currently treated with more interest and passion than virtualization. Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them. By providing a logical rather than a physical view of computing resources, virtualization makes possible many functions, currently the most popular of which is to run multiple operating systems and/or applications on a single physical machine. Virtualization also has many additional benefits; virtualization and computing will continue to converge well into the future.

The security implications of breakthrough technologies are almost never thoroughly understood until well after they are widely implemented; virtualization is no exception. An increasing number of significant security-related risks (each associated with a variety of business risks) in connection with virtualization have been and are still being identified. These risks include ability to defeat "secure isolation," "hyperjacking," unauthorized data capture in virtualized networks, new types of denial of service attacks, and several others. Unmitigated virtualization-related risk can result in substantial business loss and disruption. Because the business benefits of virtualization are also so great, pitting costs versus benefits in the world of virtualization is frequently an unusually difficult task.

This workshop is designed to facilitate learning at the knowledge, comprehension, application and evaluation levels. At the knowledge and comprehension levels, attendees will in an initial 90-minute presentation learn what virtualization is, how virtualization works, the major types of virtualization, its many benefits, the kinds and severity of risks that it introduces, the types of administrative and technical controls that can be used for risk mitigation, and how effective each control is. The workshop will then proceed to a moderated discussion focusing on analyzing, evaluating and applying to real-world settings issues such as whether virtualization-related risk is adequately considered during the risk analysis process, how policy, standards and procedures may have to be modified in accordance with the changes that virtualized environments typically create, how to make cost versus benefit comparisons, special considerations due to virtualization components in "cloud computing," and how virtualization technology is likely to evolve over time and its probable impact upon information security.



W2 SmartGrid Stimulants - Securing Critical National Infrastructure Mike Henson

With the global recession and the political need within the United States for stimulus spending, one of the larger recipients of stimulus money is research into, and projects deploying, "smartgrid" technologies to better manage the electric grid. While efficiency of the national electric grid is vital to any country, provides one of the biggest potential gains in productivity for an economy and offers a great ability to help curb global warming through lower energy use, the Federal Energy Regulatory Commission (FERC) has only begun to develop guidelines for smart appliance security and interoperability. As a result, most utilities that are proposing projects for smartgrid funding in 2009, to be deployed in 2010, have no security policy or process for integrating smartgrid technology into the electric infrastructure. Given that FERC does not want to delay research or projects, it is clear that the role of the security professional is going to take on new importance in keeping the grid safe while helping to advance efforts to fight global warming.

Smartgrid technology conjures up many visions for many people; the first phase for most utilities is Advanced Metering Infrastructure (AMI). This is a relatively simple first step for utilities and makes the power meters at houses IP-enabled. Most devices are not tested thoroughly for interoperability, and "security through obscurity" appears to be the method of choice for protecting them. The devices can run over wireless, wireline, fibre or BPL technologies. What are the necessary policies to safely deploy AMI? How should these devices be connected? Can an IP network using common infrastructure be sufficiently protected? These are several of the questions to be discussed.

There is a significant push to integrate AMI and smart appliances into households. With this there is a need for standards for appliances, security for the network and for the appliances. What are the risks to having your neighbor's refrigerator "on the grid"? Can the grid be sufficiently isolated to protect it from the professional cyber attacker or even the curious teenager taking the refrigerator apart? Can the current guidelines be adapted to encompass the new challenges? How can we use a comprehensive method or standard such as ISO17799 to move the smartgrid ahead without putting the electric grid at risk?

During the mini-session we will focus on the gaps between smartgrid ideas and FERC security guidelines for utilities, concentrating on the three questions about AMI, and on how we as security professionals can help bridge those gaps without building systems and processes that will fail to meet the new FERC guidelines when they are finally completed in 2010 or 2011.

The full session will look at specifics surrounding how to approach the FERC guidelines and use more comprehensive methods, and at the broader picture of smart appliances and how they may transform energy conservation, assuming they can be effectively secured and managed without putting the public at risk. The focus will go beyond AMI to the broader questions of the smartgrid in society, in the context of ISO17799.






All content on this web site © 2010 COSAC
- All Rights Reserved -