G6 | Identity & Access Management (IAM) Workshop - The Good, the Bad and the Ugly | Michael Coady
This IAM workshop session has been developed for business and IT executives at organisations worldwide, particularly those who are still questioning decisions made in the past and struggling to understand how they can derive value from their IAM investment. It brings a practical approach to understanding the intricacies and pitfalls that occur during IAM deployments. This session identifies all that is good, bad and ugly about successful and failed IAM projects. It also covers the financial benefits of IAM, introducing the important Return-On-Negligence (RON) Model. Providing information, guidelines and COSAC-style interactions, you will learn how to design a customized roadmap for a successful IAM implementation.
- Identify key IAM business drivers
- Recognize the business and financial benefits of IAM
- Identify key stakeholders and learn how to approach them
- Understand how to overcome challenges and obstacles, create acceptance and commitment
- Understand how IAM fits into overall Enterprise management
- Understand how to manage the complete decision making process
- Recognize the key success factors for a successful IAM strategy
- Walk away with valuable materials describing IAM best practices and practical steps to achieving your goals
Section 1: Business Drivers - Productivity, Efficiency & Security. Defines IAM, continues by surveying the functional aspects of an IAM strategic solution and explains the rising need for IAM. This section establishes the importance of IAM by exploring the business drivers behind it.
Section 2: Business and Financial Benefits. Starts by describing the business benefits of IAM and continues to discuss financial benefits by introducing the important Return-On-Negligence (RON) model (i.e. the cost of doing nothing). This section defines RON and explains the importance of devising a clear and concise RON tailored to the participants' specific needs. The participants will then have the chance to develop their own RON model.
Section 3: Organizational View - Working Together. Maps the key stakeholders involved in an IAM implementation and their different agendas. Explains the reasons why each stakeholder might cooperate with or resist the IAM initiative and suggests the right way to approach their often-contradicting agendas. This section gives tips on how to successfully manage the decision-making process.
With over 71 million smartphones sold in 2006 and expectations of a worldwide market of 250 million units by 2010, it is impossible to ignore the business potential of addressing this market with new services. However, based on over 250,000 identity theft complaints in the US for 2006 and the increase in mobile malware, it won't be possible to address this market without adequately dealing with the identity management and authentication challenge. Doing this in a general way across the prominent mobile environments such as J2ME, Symbian OS, Linux and Microsoft Windows Mobile is a daunting task due to the dizzying differences in device capabilities, specifically in memory, CPU and built-in support for strong encryption and authentication technologies.
Even though the capabilities of these devices increase with each generation, there will still be many older devices on the market or devices which are not running the latest versions of the base software. To adequately address this potential market means to find a way to deal with these differences while still providing appropriate assurance that the human on the other end of the connection is actually who they claim to be.
This presentation will examine some of the issues faced when deploying applications which depend on strong authentication for m-commerce, mobile banking and electronic government, present the state of the art in mobile authentication technologies and techniques, and propose a framework leveraging aspects of the US Government's e-Authentication guidelines, PKI, virtual soft tokens and grid computing research. This framework can then be used to gracefully support both older and newer devices with varying capabilities to provide appropriate identity assertion levels to the target application, allowing it to automatically adjust the capabilities it offers to mobile users.
In his best-selling book, The World is Flat, Thomas Friedman tells us that connectivity and a host of innovations and activities have leveled the business playing field to such an extent that individuals in third world countries can reasonably compete with giant multinationals for contracts to provide goods and, especially, services.
OK, but what about information security in this flat world? Is there any? Do we need some? How much? Who decides? Who manages it? How good is it? Does it work the same everywhere? Are there topological bumps in our presumably flat surface? More importantly, what can we do about all this?
We'll answer all your questions and solve all your problems in an hour. If you believe that, then the world probably is flat. For doubters, we'll try to give you an idea of, and some realistic approaches for handling, the things you'll have to address in the near future, if not right now.
To a great degree, Information Security has made considerable progress in moving from a "Security" centric model to a "Business" centric model, whilst change in Physical Security and other areas of risk within the organisation has lagged behind.
The time has come to take the progress made in Information Security and "Sell" these concepts to other areas within the organisation. The logical extension, as suggested above, is to Physical Security but it could also include records management, document management and organisational risk management.
It is clear that the business-driven approach to risk management being taken with Information Security is providing a much broader risk approach that provides a number of benefits to both the business and the security team. These include: enabling business processes, being able to quantify the return to the business, increased success of initiatives and greater alignment of security processes with business outcomes and programs.
We can leverage off these gains and benefits by broadening the enterprise wide approach currently being deployed in information security to encompass other disciplines.
The methodologies are flexible and suited to this approach; however, there are a range of obstacles to be overcome.
This presentation argues that the time has come to push for this broader organisational approach to security and risk management based on our current approaches to information security. It looks at: the direct benefits to be gained in a number of disciplines including Physical Security and Records Management; considers the major obstacles this approach is likely to meet; and invites the audience to consider and critique some suggested ways forward.
The subtle intricacies surrounding the control of the use of live data in test environments seem to have suddenly become one of those things that Information Security folks need to know about. Testers almost always want to make their 'sandpits' just like the real world. To them the solution is simple: swipe the data from production. This idea is anathema to InfoSec folks. They instinctively cringe at the idea. To them, dummy data is the answer, but that in turn frustrates the testers. Traditionally the answer has been either to ignore the problem, or to mask, anonymise or pseudonymise data in some way.
Current legislative and regulatory data governance pressures mean that ignoring the problem is an approach for only the truly brave. (The sort of bravery usually measured in short planks.) However, masking is in no way an easy option. It is neither as simple as it first seems, nor does it provide everything the testers need.
Given that inadequately tested systems inevitably create information security issues, the poor InfoSec professional is truly caught on the horns of a dilemma: provide what the testers want and breach your own policies, or don't provide it and still breach them!
As with many such dilemmas, the first step to solving the conundrum is to understand each side's point of view. This session aims to help this process. It looks at:
- Why there is a problem;
- The options available, their capabilities and limitations;
- The test cycle and the needs it drives;
- Possible solutions to the dilemma.
I7 | What's Going On In There? Managing Risk in Application Development | John Blackley
Risk management programmes often focus on asset management - looking at risk from a high level and trying to 'get our arms around' the entire environment. Meanwhile, we have application development teams busy deploying code that might undermine the most rigorous risk management programme.
The answer sounds simple - secure coding practices are common nowadays and widely followed. But, in a global enterprise with in-house developers in many corners of the world and software being purchased and modified in almost every division, how do we identify and keep track of code development? Having done so, how do we use our scant resources to make sure that standards and practices are being followed?
This session demonstrates an approach taken by a global enterprise. In the session we'll look at how and why the approach was developed, what worked (and what didn't) and the results gleaned. As this practitioner consistently describes risk management as a 'value-add', the session will also describe - in clear terms - the value added to security efforts by this approach.
Spyware is considered to be any program that installs itself onto a user's computer by stealth, subterfuge and/or social engineering, and whose purpose is to redirect a user's activities or record those activities in a way that reduces the user's privacy, protection or peace of mind. As this threat to privacy continues to grow, more enterprises are taking measures to protect their systems. As a result, the threat landscape is shifting, and individual users are being targeted and attacked more than systems.
In his presentation, Gerhard Eschelbeck will present the industry's most current research on the evolution of spyware and explain the magnitude, breadth and overall impact of this problem. He will provide detailed insight about evolving attack trends - from automated worms to targeting users directly via email and browser, and cite factors that are causing the shift in spyware threats and trends.
This presentation will also reveal specific infection data from spyware audits and will highlight infection rates for system monitors, Trojans and adware. Gerhard will describe these threats and their propagation strategies as well as expose their infection vectors. Few have been exposed to this level of statistical data associated with spyware; the numbers are staggering.
Gerhard will explain how spyware writers are taking advantage of security flaws and making users a vulnerable target, how end-users and enterprises can assess network vulnerabilities and detect spyware infections, and describe how to implement best practices to protect networks and systems from spyware attacks.
Finally, Gerhard will explain what measures are currently being explored by vendors and state and federal legislation to eradicate the spyware threat, and will offer his expertise about how these measures will evoke changes in the future state of spyware.
More storage, greater network speed and Bluetooth interfaces are components which make today's cell phone more like a notebook than a wireless phone. These features allow for rich sources of information which can be critical in the investigation of a crime. In this session we will look at forensically processing data from the three sources on a cell phone: the SIM card, the phone's internal memory, and expansion SD cards.
At the end of the day, how do you know that your security awareness program is effective? Does your audience understand your message? Do you have their buy-in? Have you changed their behavior? If not, then you haven't hooked 'em!
Let's face it; security is usually not a very "sexy" subject. It's our job to make it exciting and inviting to all of our audiences. Many security awareness programs provide "one size fits all" solutions or worse yet, only one form of communication or delivery.
This session will incorporate the marketing perspective and let us dive into ways we can hook 'em:
- What works for your audience: From Techs to Execs
- Awareness events: Creativity + WIIFM = Big Impact
- Where the heck do we start? Flowchart and track the steps from A to Z
- The money monster: How to get the most bang for your buck
- Measuring results: Difficult, but not impossible… and the big guys love metrics!
We will discover many facets to not only delivering an effective security message, but also influencing the behavior and perception of our target audiences. You'll also hear a detailed example of how these measures were put into place, for an eye-opening social engineering exercise at a large company.
Each attendee will receive actual examples of marketing ideas and materials, plus a CD with usable files that can be customized to use at your company. You won't want to miss it!
The choice is ours: deliver security awareness training the traditional way (boring), or add some excitement to our users' lives! The most effective security awareness training happens through totally engaging the audience. We will share ideas for making it fun and relevant. In fact, this presentation will demonstrate a series of interactive techniques for having "fun" that were successfully used by the presenter over the past several years to change the security culture (one case study performed by the presenter was documented in a recent book on Security Awareness Training and will be demonstrated).
Retention is much more likely to happen when the participants are engaged. Each of us has ideas of what 'works' and alternatively what leaves the users mystified and bored. Together we will share our ideas for those key elements and examples of successful awareness programs so that everyone can benefit. Our goal is to end the "boring security presentation" and provide each other with new ideas that we are using to engage the end user.
Areas open for discussion may include:
- Sharing our LIVELY security awareness presentations
- Examining the details of producing an effective security awareness program
- Discussion of topics that can be used to build themes for training
- Steps and process to build the awareness campaign
- Adapting ideas to your own organization
- Measuring success of the Information Security Awareness program
How can we get a meaningful, industry-standard penetration testing accreditation that customers can understand? First there was CHECK for the government sector, but then that got leveraged for the private sector, and subsequently collapsed under the weight of demand and lack of resources.
Some private companies have tried to establish their own accreditation scheme as a standard. Enter the CEH (Certified Ethical Hacker). Matta has a technical assault course, called Sentinel which tests the technical competency of consultants. And finally we have the new PCI standard, which seems to mix some base level of technical competency with a requirement for CISSP or other auditing (i.e. not technical) skills.
There is talk of CREST as a replacement for CHECK, but little is known as I write this abstract, of what CREST is, or indeed its objectives.
Nick Baskett, CEO of Matta, will present a symposium of industry views, some facts, and personal opinions about the state of the industry, and what needs to be done to create meaningful technical credentials which the industry can get behind and which customers in both the private and public sector can understand.
Nick will then encourage discussion of the topic and canvass opinions from the audience, the results of which may be published in an open letter to the industry.
L9 | Establishing An Incident Response Team: Lessons Learnt from Setting Up Ireland's CERT | Brian Honan
Brian Honan has been working on establishing an independent, trusted and vendor-neutral Computer Emergency Response Team to provide services to businesses, organisations and citizens in the Irish Republic. The proposed paper will trace Brian's journey from recognising the lack of a CERT service in Ireland and the need to have one established, through to the current status of the project.
Through the presentation Brian will highlight the key steps that he recognised as being crucial for anyone else to follow in establishing their own Incident Response Team (IRT), be that at a departmental, company, sector level or larger. The areas Brian will cover will include:
- Establishing the requirements
- Engaging and getting stakeholder buy-in
- Identifying the clients your IRT will serve
- Identifying the main services
- Raising Funds
- Establishing the IRT
- Delivering your IRT services
At the end of the presentation attendees will have a clearer understanding of some of the hurdles and issues that need to be overcome in order to ensure the success of their IRT.
Information security professionals spend the whole of the working day keeping the information held by their organisations safe from prying eyes, but what happens when:
- A policeman arrives with a warrant to search the premises?
- A witness summons is served on the Chairman/managing director to attend court and to bring documents with him?
- A representative of your company is called for an interview?
- You are a witness in a criminal case and the defence want to come and look at all your documents?
- You are in the witness box and answering the question may reveal everything your company tries so hard to protect?
- Can you refuse to let the policeman take what he wants?
- What options do you have faced with a witness summons?
- Can you refuse to answer questions? Does it depend who is asking them or what they are about?
- Are the defence entitled to see everything?
- Can you refuse to answer in Court?
The development of user-driven Web 2.0 applications, data mashing techniques and inadequate information assurance is resulting in a potential information conflagration on a global scale. The extinguisher for this potential inferno is in our hands, but its use will need systematic application of all we know, used in all phases of information exploitation systems design, development and operation. Bringing together all the disciplines that need to contribute to the generation of a capability that will be able to deal with this new dynamic for insecurity, risk and vulnerability will demand leadership and understanding from a wide range of information-based professional communities.
This talk will address how rich accessible information aggregation, shortened timescales for application deployment and assured information sharing policies need to coexist in harmony for our information society to avoid early incineration, and will discuss what I see as the critical success factors and actions needed for dealing with this problem in the near future.
The hugely popular COSAC "rump" is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.
Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:
- Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.fsnet.co.uk before 10AM GMT Friday, September 21
- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday September 26
Submissions should include a requested amount of time for the presentation. An anticipated maximum of five minutes will be allocated for each presentation.