2012 Central Ohio InfoSec Summit



Central Ohio InfoSec Summit

May 17 & 18, 2012

Hosted By: Central Ohio ISSA

Sponsored By: Central Ohio ISACA, InfraGard & OWASP

Please join us on May 17th and 18th, 2012 for the fifth annual Central Ohio InfoSec Summit. This event will be a superb venue for education, collaboration, and networking. Join practitioners and executives from throughout the region as we bring together the leaders in our profession for two days of intense lecture and study across various tracks. You will choose from highly technical, technical, management, and executive level sessions as we tackle the latest industry trends and solutions.

Attendance at this event will qualify an individual for 14 CPEs. The summit will be held in the same location as last year, the Hyatt Regency, Downtown.

Highlights include:

Keynote presentations from nationally renowned speakers Richard Clarke, Curtis Levinson, Rob Rachwald and William Hagestad, to name a few

Breakout sessions covering the latest trends and issues in the industry

Exhibitor showcase featuring leading security products and services

Full agenda coming soon

Early Bird Price of $75.00 for ISSA, ISACA, ISC(2), OWASP, or InfraGard Members. Expires at midnight on May 5.

Full Price $175.00 after May 5 for all attendees.

For more details, please visit the Central Ohio ISSA website @

Last year's Summit attracted over 300 individuals and sold out.

To register, please use the following link:

Address Sponsorship Inquiries to

InfoSec Summit 2012


Thursday, May 17, 2012

Sponsor Booth Setup / Lunch
Registration / Sponsor Time
Keynote 1: Richard Clarke
Break 1
Executive 1: Panel Discussion
Technical 1: Brian Prince
Adv Technical 1: David Mortman
Break 2
Executive 2: Patrice Bordron
Technical 2: Steve Ocepek
Adv Technical 2: Tom Eston
Break 3
Keynote 2: Rob Rachwald
Break 4
Keynote 3: Bill Hagestad

Friday, May 18, 2012

Keynote 4
Keynote 5: Jay Jacobs
Break 1
Executive 3: Tsibouris & Munur
Technical 3: Rohyt Belani
Adv Technical 3: Mick Douglas
Break 2
Executive 4: Bill Lisse
Technical 4: Brent Huston
Adv Technical 4: Jason Montgomery
Executive 5: Tom Kellerman
Technical 5: Lisa Peterson
Adv Technical 5: Phil Grimes
Break 3
Executive 6: Jerod Brennen
Technical 6: Troy Vennon
Adv Technical 6: Dave Kennedy
Break 4
Executive 7: Panel Discussion
Technical 7: Clark Cummings
Adv Technical 7: Aaron Bedra
Break 5
Keynote 6: Curtis Levinson



Speaker Bios and Abstracts

Richard A. Clarke is an internationally recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. He is currently an on-air consultant for ABC News and teaches at Harvard's Kennedy School of Government.

Clarke served the last three Presidents as a senior White House Advisor. Over the course of an unprecedented 11 consecutive years of White House service, he held the titles of:

Special Assistant to the President for Global Affairs

National Coordinator for Security and Counterterrorism

Special Advisor to the President for Cyber Security

Prior to his White House years, Clarke served for 19 years in the Pentagon, the Intelligence Community, and State Department. During the Reagan Administration, he was Deputy Assistant Secretary of State for Intelligence. During the Bush (41) Administration, he was Assistant Secretary of State for Political-Military Affairs and coordinated diplomatic efforts to support the 1990-1991 Gulf War and the subsequent security arrangements.

As a Partner in Good Harbor Consulting, LLC, Clarke advises clients on a range of issues including:

Corporate security risk management

Information security technology

Dealing with the Federal Government on security and IT issues

In a Special Report by Foreign Policy Magazine, Clarke was chosen as one of The Top 100 Global Thinkers of 2010.

Aaron Bedra
Fraud Detection on the Fly and on a Budget

Running a major application on the internet that deals in redeemable vouchers is full of surprises. While most of the consumers enjoy the benefits of discounts offered at Groupon, a trivial amount of people attempt to take advantage and break the rules. Join Aaron as he walks through the inception of a fraud detection system built in a matter of hours to combat fraudulent users. You will see how easy it can be to build a simple fraud detection engine and plug in the rules needed to help you combat fraudulent users.

Aaron is a senior engineer at Groupon where he helps teams design and code security-focused software. Aaron works as a technical lead, speaker, and author. Aaron is a frequent contributor to the Clojure language and is the author of "Rails Security Audit", a co-author of "Programming Clojure 2nd Edition", and a co-author of the upcoming "Practical Software Security" book.

Bill Hagestad
Nation State Conflict in the 21st Century

State conflict in the 21st Century has evolved and morphed from being purely kinetic and physical, as represented by a variety of low and medium intensity wars, to one in which we are all now involved as unwilling participants. The current battlefield is the digital realm, where there is little distinction between combatants and non-combatants. Traditionally there are laws of armed conflict in the physical world, yet in this new world of cyber warfare no such digital rules of engagement exist. The "Rise of a Cybered Westphalian Age" should be a prerequisite for all information security professionals, and during Bill Hagestad's session he will take conference delegates on a tour of various nation state cyber warfare preparedness activities and the seemingly endless paradigm which is now known as cyber warfare in the 21st century.

Lieutenant Colonel Hagestad, USMCR (ret), has a Master's of Science in Security Technologies from the College of Computer Engineering, University of Minnesota and a Bachelor of Arts in Mandarin Chinese. He also holds a second Master's of Science in the Management of Technology from the Carlson School of Management, University of Minnesota. His military experience spans more than 27 years, enlisting in the United States Marine Corps in 1981 and having served in numerous command posts before retirement.

He is an internationally recognized subject matter expert on the Chinese People's Liberation Army and Government Information Warfare. He advises international intelligence organizations, military flag officers, and multi-national commercial enterprises with regard to their internal IT security governance and external security policies. He currently speaks both domestically and internationally on the Chinese Cyber Threat.

Bill is the author of "21st Century Chinese Cyber Warfare", published 1 March 2012 by IT Governance in Ely, Cambridgeshire, United Kingdom. This treatise on the People's Republic of China electronic and information warfare is available from either IT Governance or Amazon.com.

Brent Huston
Detection in Depth :: Changing the PDR Focus

This talk will cover the need for multiple layers of detection in the organization, provide a framework for planning, implementing and managing multiple layers of detection, and give insights into real world examples of the approach. The speaker will detail a variety of tools and techniques that can be used to implement detection in depth and provide a maturity model for organizations seeking to move to a more data- and threat-centric rational approach. Nuance detection techniques will be explained that reduce overall data event amounts and significantly enhance the signal-to-noise ratio of detections. The speaker has experience building, customizing and managing these deployments across vertical industries and varying sizes/complexity/maturity levels of organizations. A robust Q&A session will follow.

Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. MSI is a leading provider of application security assessments, penetration testing and HoneyPoint security products, including the latest addition, HoneyPoint Wasp, for securing Windows PC desktops. Since 1992, MSI has been providing security services to organizations ranging from small businesses, financial institutions, e-commerce/telecommunications, manufacturing, education and government agencies, as well as international corporations. Mr. Huston, a Senior Member of ISSA, is an accomplished international speaker, a regularly quoted information security visionary and the author of various security tools, books and articles published around the world.


Bill Lisse
Hacking Carbon: Lessons Learned from an ISO/IEC 27001 Implementation

OCLC Online Computer Library Center, Inc., is a global not-for-profit organization with 23 international offices that support more than 72,000 libraries in 170 countries and territories to locate, acquire, catalog, lend and preserve library materials. OCLC has deployed an in-house developed global cloud Integrated Library Management System to data centers in the United States, Europe and Australia, and will soon stand up a data center in Canada. To meet international security and privacy requirements, OCLC's leadership chose to implement an ISO/IEC 27001 compliant information security management system. This presentation describes the business case, project management, implementation challenges, and audit preparation lessons gleaned from the ISMS implementation project.

Bill Lisse currently serves as the Corporate Information Security Officer for OCLC and leads OCLC's global ISO/IEC 27001 Information Security Management System. Bill has over 25 years of information security, IT audit, and investigative experience in both commercial organizations and the U.S. Government. Bill's areas of expertise include manufacturing and distribution, financial institutions, critical infrastructures, healthcare, and software embedded systems. Bill has served as a subject matter expert for a number of ISACA Audit and Assurance Guides and the Computing Technology Industry Association Security+ Exam.

Brian Prince
Lvl 300
Architectural patterns for the cloud

Enough mushy, baby talk about the cloud. Let's roll up our sleeves and talk about some real patterns for how to use the cloud in the real world. Hint: as much as some vendors want you to think so, it doesn't require you to move everything to the cloud. Leave with some concrete ways to use the cloud in your existing world.

Brian H. Prince is a Principal Cloud Evangelist for Microsoft, based in the US. He gets super excited whenever he talks about technology, especially cloud computing, patterns, and practices. His job is to help customers strategically leverage technology, and help them bring their architecture to a super level. In a past life Brian was a part of super startups, super marketing firms, and super consulting firms. Much of his super architecture background includes building super s applications, application integration, and award winning web applications. All of them were super. Further, he is a co-founder of the non-profit organization CodeMash. He speaks at international technology conferences. He only wishes his job didn't require him to say 'super' so much. Brian is the co-author of "Azure in Action", published by Manning Press. Brian holds a Bachelor of Arts degree in Computer Science and Physics from Capital University, Columbus, Ohio. He is also a zealous gamer. For example, he is a huge fan of Fallout 3, Portal, and pretty much every other game he

Clarke Cummings
The Pitfalls of Cloud Security

Many organizations today are beginning to adopt at least some services out of the cloud. The term has become so ubiquitous that it regularly makes an appearance in television commercials. And while many infrastructure teams in organizations have an easier time of things, the security group is often tasked with additional concerns about how to deal with cloud security. This presentation will examine some common risks that often turn into deep pits and how to avoid them.

Curtis K. S. Levinson, CDP
Advanced Persistent Threats (APTs), a balanced approach for survivability and sustainability in the Cyber Realm

Advanced Persistent Threat (APT): APTs are attacks on US information technology and telecommunications infrastructure by known nation state and other bad actors. These attacks are currently taking the form of Phishing and Spear Phishing attacks on US assets, both government and industry. Phishing attacks are extremely difficult to detect, and it appears from public sources that a portion of the attacks are coming from (spoofed) trusted domains, which makes filtering even more difficult. The primary remedy to such attacks is a combination of extreme user education/training and comprehensive Business Continuity Planning and Disaster Recovery (BCP/DR/COOP) implementation. Users need to be educated as to what acceptable practices are for eMail messages with embedded URLs and the urgent need to NOT CLICK on embedded URLs. Any questions as to the nature of the destination of the embedded URL MUST be directed to the message author, NOT acted upon in the eMail note itself. Since bad things can, do and will continue to happen, recovery plans, programs and techniques must be up to the task of restoring critical functions as soon as possible. The quicker we can recover, the more ineffective the attack.

Mr. Levinson has over 25 years of focused experience in Cyber Security and Information Assurance. He is a highly experienced risk assessor and technology architect specializing in all phases of the cyber process including regulatory compliance, policy formulation, cyber attribution and forensics, risk analysis, network/system hardening and resilience, implementation, testing, certification and accreditation, operations, training and managing the cyber aspects of information and telecommunications systems in a wide variety of environments. Mr. Levinson has served two sitting Presidents of the United States, two Chairmen of the Joint Chiefs of Staff and the Chief Justice of the United States. He has been selected by NATO (North Atlantic Treaty Organization) to represent the United States as an advisory subject matter expert on Cyber Defense for the IRCSG (Industrial Resources and Communications Services Group). This group falls under NATO's Civil-Military Planning and Support Section, which supports the Alliance's common defense and security.

David J. Kennedy
Vice President, Chief Security Officer

David J. Kennedy was appointed vice president and chief security officer for Diebold, Incorporated in October 2011. He is responsible for providing a secure environment for Diebold customers and employees. Kennedy and his team are dedicated to the protection of Diebold assets against evolving and persistent threats through the establishment and maintenance of a secure infrastructure, which includes the design, monitoring and testing of the security controls. Kennedy joined Diebold in 2010 as a director and regional security officer in the company's enterprise security organization. Prior to Diebold, Kennedy was a partner and vice president of consulting for an information security consulting firm in the Great Lakes region.

He is considered a subject matter expert in the information security industry for several Fortune 500 and Fortune 1000 companies in the United States. Kennedy is a speaker at some of the nation's largest security conferences, and has participated in other largely renowned speaking and media engagements. He is a developer on the BackTrack security distribution, and has co-authored several information security courses and tools, including The Social-Engineer Toolkit (SET). Kennedy is the founder of DerbyCon, a large-scale security conference located in Louisville, Ky. He is also the author of the best-selling security book "Metasploit: The Penetration Tester's Guide." Kennedy was a United States Marine in the intelligence community, specializing in information security, and was deployed on a number of tours to Iraq and Middle Eastern countries. Kennedy has several industry certifications, including: Certified Information Systems Security Professional (CISSP), Offensive Security Certified Expert (OSCE), Offensive Security Certified Professional (OSCP), SANS General Security Certification (GSEC), International Organization of Standards 27001 (ISO 27001) and Microsoft Certified Systems Engineer.

David Mortman
Pragmatic Cloud Security

Last year I talked about the myths and realities of cloud computing security. This year, we're going to talk about what you need to do to keep things safe, sane and operational. You'll walk out with a list of tools to play with and implement in your environments. This will be a very interactive session, so bring your questions.

David Mortman is the Chief Security Architect for enStratus. Most recently he was the Director of Security and Operations for C3, LLC. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. Mr. Mortman is a regular speaker at RSA, Blackhat, Defcon. In the past year, he has presented at RSA, SourceBoston, Secure360, Sector and BSides San Francisco. Mr. Mortman sits on a variety of advisory boards including Qualys, Lookout and Reflective amongst others. He holds a BS in Chemistry from the University of Chicago.

Dino Tsibouris and Mehmet Munur
Legal Issues Relating to Mobile Computing, BYOD, and Social Media

Dino and Mehmet will focus on the legal risks associated with these technologies and trends as well as the approaches companies may take to address those risks. Specifically, the presenters will discuss risks relating to privacy, security, data loss, discovery and litigation holds, and others. The presenters will also offer methods of addressing those risks through tailored policies and procedures.

Dino Tsibouris is the founding principal of the law firm Tsibouris & Associates, LLC. His practice concentrates in the areas of electronic commerce, online financial services, software licensing, and privacy law. In addition, Mr. Tsibouris' practice includes the implementation of electronic signatures, records management and information security. He was previously an attorney with Thompson Hine LLP and a Vice President and Counsel for e-Commerce and Technology at Bank One Corporation (now JPMorgan Chase). He has conducted CLE and trade association presentations on various e-banking and commerce matters, and participated in many regulatory and industry task forces addressing new

Mehmet Munur is an attorney at Tsibouris & Associates, LLC. He concentrates his practice in the areas of technology law, information privacy and security, financial services, and other transactional law. He has experience in banking and card association regulations, payments, electronic money, and other financial services. He has worked on both the regulatory aspects and the contractual aspects of this area of the law. Mr. Munur works on the contracts for internet-based services, including drafting terms of use, privacy policies and other online legal agreements relating to payments, purchasing, and supplier portals. He also regularly works with clients on servicing, financing, payments, and technology outsourcing agreements. Mr. Munur advises clients on privacy issues, laws, and regulation. More specifically, he advises clients on issues relating to GLBA, CAN-SPAM and HITECH regulations, and US Department of Commerce Safe Harbor certification and compliance. He also has experience with Canadian and European privacy laws. Mr. Munur has experience in a variety of other areas including electronic commerce, payments, electronic signatures, records retention, data breach incident response, trademark prosecution and other intellectual property disputes, software licensing and audits, money laundering laws, Office of Foreign Assets Control and other import/export regulations. In addition, he also has experience in other areas of the law connected to technology, including drafting workplace policies relating to social media, records retention and destruction, security incident response policies, and other policies that touch on technology, security, and privacy areas. Mr. Munur conducts presentations on security, privacy, and technology issues. He is the current chair for the International Association of Privacy Professionals KnowledgeNet in Columbus, Ohio. Mr. Munur graduated from Capital University law school (J.D., magna cum laude) and is admitted to the Ohio bar. He also graduated from Ohio Wesleyan University (B.A. cum laude).

Jason Montgomery

Jason Montgomery is a principal at New Power Security, Inc. (NPS), a security firm focused on securing critical infrastructure, and also contracts as a Cyber Security Architect/Engineer at American Electric Power (AEP). He focuses on Software & Application Security programs for the enterprise, which evolved out of 15 years of real world application development experience and Information Security work. Jason's 15-year career expands beyond development experience, including application building for Fortune 500 companies, Internet start-ups, as well as State and Federal Government organizations including the Department of Defense. His concentrations also incorporate server and system hardening, providing security guidance for developers, penetration testing of software and hardware, and mitigation strategies, and he has also designed and programmed custom enterprise applications. Jason is a SANS Author and Instructor with SANS Institute and has also served on the GIAC Secure Software Programmer (GSSP) Steering Committee, which produced a GIAC Certification for Secure Programming in .NET.

Jay Jacobs

As a principal on Verizon's RISK Intelligence team, Jay Jacobs utilizes VERIS (Verizon Enterprise Risk and Incident Sharing), the company's open-source risk research sharing framework, to collect, analyze and deliver risk data to the information security industry. He is also a contributor to the company's Data Breach Investigations Report series. Prior to joining Verizon, Jacobs worked as a senior technical architect for Target Corporation, where he focused on risk management and analysis. Previously, he designed and implemented cryptographic solutions in medical devices. Jacobs is a founder of the Society of Information Risk Analysts and currently serves on the organization's board of directors. He is also one of the primary authors of the OpenPERT project, an open-source Excel plug-in for risk analysis. He is an active blogger, as well as a published author and co-host on the Risk Hose podcast. Jacobs holds his bachelor's degree in technology and management from Concordia University in Saint Paul, Minn.


Jerod Brennen
Information Security Management 101: The Fundamentals

Information security professionals interact with every facet of the business, and the information security manager is expected to demonstrate the proverbial "mile wide, inch deep" understanding of all things security-related. With the global marketplace continually expanding, the information security manager is expected to know (and do) more than ever before. How in the world (pun intended) will you be able to cover all the necessary bases without burning out or losing your mind? This presentation will teach you how to do more with less by implementing and maintaining an ISO-based information security program. Whether you've been managing a security team for years, been managing a security team for days, or aspire to manage a security team in the near future, this presentation will give you the tools and knowledge you need to be successful in any organization.

By day, Jerod (@slandail) is CTO & Principal Security Consultant with Jacadis, an award-winning security solutions and services provider. By night, he's a husband, father, writer, filmmaker, martial artist, and social media junkie. Jerod has over a decade of IT, infosec, and compliance experience. He spent years as an Information Security Specialist with American Electric Power before moving to Abercrombie & Fitch. At A&F, Jerod built out and managed the information security program. His team was tasked with security operations, PCI and SOX compliance, and identity and access management. His approach to infosec has two key tenets: don't be afraid to void warranties, and you shouldn't need to bypass security to get your work done.

Lisa Peterson
Vendor Risk: Do You Feel Lucky? Well, DO You?

How secure is your data? That depends in part on the vendors with whom you are sharing it, and how secure THEY are. Also on what practices you require them to implement to keep your data secure. Learn best practices to rate vendor risk, assess vendor security, and what to do to ensure the security of your assets once you've given access to your vendors.

Lisa Peterson, CISA, CISSP, has worked in Information Security for 20 years, and is a Security Analyst for Progressive Insurance. Her current focus is in governance, risk and compliance. She is also a part-time instructor for Information Security courses at Cleveland State University, and teaches for SANS. She is a member of InfraGard and ISACA, and serves on the board for the Information Security Summit and for the Northeast Ohio chapter of ISACA.

Patrice Bordron
Information Risk Management, Nationwide Insurance

The risk landscape is shifting. The industry is facing a convergence of three realities that create the perfect storm for information risk management: 1) Attackers and Their Motivations are Changing, 2) Technology is Rapidly Changing, yet 3) Businesses are Demanding Lower IT Costs. Uncontrollable forces such as hacktivists and anonymous bloggers make this an unprecedented shift in the risk landscape. Nationwide anticipated this shift. They matured their processes, tools and organizational model to be even more effective and efficient at managing this dynamic risk landscape. Learn about Nationwide's journey and how they are managing this unprecedented shift while at the same time enabling business innovation.

Patrice Bordron is with Information Risk Management at Nationwide, an organization ranked 108 on the Fortune 500. One of the largest insurance and financial services organizations in the U.S., Nationwide is the sixth largest property and casualty insurer with over 16 million policies in force, and is the number one provider of defined contribution plans. He joined Nationwide in 2000 and has held many technical and information technology (IT) leadership positions throughout Nationwide's insurance and financial services businesses. He has worked in Africa, Europe, and North America and has held various IT leadership roles that span Application Development, IT Architecture, Project Management, and Information Risk Management.

His current responsibilities include leadership and strategic planning for the development, implementation and execution of Nationwide's Enterprise Applications information risk management program. This program includes policy, procedures and technologies for Security and Continuity. He is the primary IT liaison to Enterprise. He is a member of the Information Risk Management Governance Leadership Team. He is an avid swimmer and coaches select soccer.

Mick Douglas
Mo data? Mo problems!

Do you find yourself drowning in the explosive growth in data, logs, and other sources of information? People simply are not able to keep up... or are we? This talk will focus on using "smart stats" and other innovative data visualization tools. Various tools and techniques will be discussed, culminating in the use of a Microsoft Kinect to explore and interact with relationships inside data cubes.

** Note: this talk will require the use of a Microsoft Kinect (I will provide), which will require about 10 minutes of setup time prior to the start of the presentation.

While Mick enjoys and actively participates in penetration testing, his true passion is defense: tweaking existing networks, systems, and applications to keep the bad guys out. In addition to his technical work, Mick jumps at every chance to participate in a social engineering engagement. Mick has a bachelor's degree from The Ohio State University in Communications. In his spare time, you'll likely find him fleeing all things electronic by scuba diving, trying in vain to improve his photography skills, and either hiking or camping.

Phil Grimes

Phil Grimes is a Security Analyst for MicroSolved, Inc. MSI is a leading provider of application security assessments and penetration testing. Since 1992, they have been providing security services to organizations ranging from small businesses, financial institutions, e-commerce/telecommunications, manufacturing, education and government agencies, as well as international corporations. Mr. Grimes started learning networking and Internet security as a hobby from AOL in 1996 and developed his technical skill set independently until joining the MicroSolved Team in 2009. He is experienced in application security, penetration testing, phone security, and social engineering. He performs assessments for high profile customers internationally and is an accomplished speaker and presenter for MSI's "State of the Threat" webinars, CUISPA conferences, the Central Ohio WordPress Podcamp, the Ohio Society of CPAs, and ISSA groups.

Rob Rachwald
The Anatomy of A Hacktivist Attack

In 2011, Imperva managed to witness an assault by a hacktivist group, including the use of social media for communications and, most importantly, their attack. Since hacktivists' targets are highly variable, anyone can fall victim and security professionals need to know how to prepare. This talk will walk through the key stages of a hacktivist campaign, including:

Recruitment and communication: We show how hacktivists leverage social networks to recruit their members and pick a target.

Application attack: We detail and sequence the steps hacktivists deploy to take data and bring down websites.

In this final stage, we shed light on the DDoS techniques deployed to take down

Rob is Imperva's Director of Security Strategy. In this role, Rob researches and analyzes hacking trends as well as data security from a business perspective. In the past, Rob worked in the early days of e-commerce at Intel, helping to secure the chip maker's procurement and supply chain system into one of the largest and most secure online transaction systems worldwide. At Intel, Rob also built a secure document delivery system for chip designs. More recently, Rob managed marketing and research for code analysis firms Coverity and Fortify Software. He is a graduate of UC Berkeley and has an MBA from Vanderbilt University.

Rohyt Belani
Spear Phishing: The truth behind Night Dragon, Aurora, and APT

This presentation will discuss the evolution of phishing from being a means of stealing user identities to becoming a mainstay of organized crime. Today, phishing is a key component in a "hacker's" repertoire. It has been used to hijack online brokerage accounts to aid pump 'n' dump stock scams, compromise government networks, sabotage defense contracts, steal proprietary information on oil contracts worth billions, and break into the world's largest technology companies to compromise their property. During this talk, I will present the techniques used by attackers to execute these attacks, and real world cases that my team has responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University.

Rohyt Belani is CEO and co-founder of PhishMe, and Adjunct Professor at Carnegie Mellon University. Prior to starting PhishMe, Mr. Belani held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone and Researcher at the US-CERT. He is a contributing author for Osborne's Hack Notes: Network Security, as well as Addison Wesley's Extrusion Detection: Security Monitoring for Internal Intrusions. Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, SecTOR, Hack in the Box, Infosec World, TechnoSecurity, CPM, ISSA meetings, and several forums catering to the FBI, US Secret Service, and US Military. He has written technical articles and columns for online publications like Securityfocus and SC magazine, and has been interviewed for CNBC, CNN, BBC Radio, Forbes magazine, eWeek, ComputerWorld, TechNewsWorld, InformationWeek, Information Today, IndustryWeek, E-Commerce Times, SmartMoney, and Hacker Japan. Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University.

Steve Ocepek

The Cloud is here to stay, but like any new technology it has its own
unique set of security concerns. The obvious ones, easier access to data and transfer of
data to third parties, have been fairly well covered,
but as this solution matures we're finding surprising issues that urge an even more
cautious approach. This presentation includes real-world findings uncovered by
Trustwave's Incident Response and Application Security teams that remind us that The
Cloud changes everything, especially when things go wrong. In addition,
we'll take a hard look at Cloud
infrastructures themselves, their potential weak points, and discuss strategies for choosing a secure
Cloud provider.

An innovative network security expert with an entrepreneurial spirit, Steve Ocepek has
been a driving force in pioneering Network Access Control (NAC) technologies delivering comprehensive
endpoint control for mitigation of zero-day attacks, policy enforcement, and access management, for which
he has been awarded 4 patents with 1 patent pending.

Steve co-founded Wholepoint Corporation in 2001, serving as chief technology officer of a five-person
operation in a garage, where he invented patented network security software and devices which played
a key role in positioning the company for mergers with multimillion-dollar Mirage Networks in 2004 and
Trustwave in 2008. He has been asked to remain, post-mergers, serving as a senior software consultant
and senior security consultant, and is currently the director of security research. With a reputation for
preventing, intercepting, and resolving malicious attacks from malware, viruses, and worms, Steve has
provided consultative testing, and made recommendations for remediation for Fortune 500 and
government enterprises in financial, credit card processing, educational, healthcare, and high-tech
industries. His testing of network penetration, use of Network Access Control (NAC), Intrusion Detection
Systems (IDS), Intrusion Prevention Systems (IPS), Web Application Firewalls (WAF), Network
Firewalls, and Encryption Solutions enables him to advise on new countermeasures improving security,
saving clients millions of dollars in losses of intellectual property, client data, customer confidence, and
litigation costs. Steve has led the growth of the SpiderLabs Security Research Department from 7 to 13
researchers on three teams, more than doubling services providing solutions to meet the needs of
clients worldwide in identifying, preventing, and solving network security threats and problems. He is
known as a trusted resource and problem solver by chief information officers, directors of security, chief
technical officers, chief operating officers, chief executive officers, and military and national security

Tom Eston

The Android vs. Apple iOS Security Showdown

Android and Apple mobile devices have taken the market by storm.

Not only are they being used by consumers, but they are now being used for critical functions
in businesses, hospitals and more.

This trend is expected to continue with the
popularity of mobile devices such as tablets well into the future.

In this presentation we put Android up against Apple iOS to determine which, if any, is
ready for enterprise use.

Once and for all we battle the Apple App Store vs.
Android Marketplace, device updates, developer controls, security features and the current slew of
vulnerabilities for both devices.

Which platform will emerge the victor?

You might find that while the
"tech is hot", the implementation and built-in security controls are usually "not".

Tom Eston is the Manager of the Profiling and Penetration Team at SecureState.

Tom leads a team of
highly skilled penetration testers that provide attack and penetration testing services for SecureState's

Tom focuses much of his research on new technologies such as social media and mobile

He develops and improves penetration testing methodologies and works to align them with
industry standards.

He is also the founder of SocialMediaSecurity.com, which is an open source
community dedicated to exposing the insecurities of social media.

Tom is a security blogger, co-host of
the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups
and national conferences including Black Hat USA, DEFCON, DerbyCon, Notacon, OWASP AppSec and

Tom Kellermann

Chief Technology Officer

"Laying Siege to Castles in the Sky: Defense in depth in

My presentation will depict the evolution of hacker tactics and the appropriate policies and technologies
to manage cyber risk.

Tom Kellermann is a Commissioner on The Commission on Cyber Security for the 44th Presidency, and
he serves on the board of the International Cyber Security Protection Alliance. In addition, Tom is a
member of the National Board of Information Security Examiners Panel for Penetration Testing, the
Information Technology Sector Coordinating Council, and the ITISAC subcommittee on International
Cyber security policy. Tom is a Professor at American University's School of International Service and is a
Certified Information Security Manager (CISM). Finally, Tom sits on the Steering Committee of the
Financial Coalition Against Child Pornography. Tom Kellermann formerly held the position of Vice
President of Security Strategy for Core Security. Prior to his five years with Core Security, Tom was the
Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was
responsible for cyber-intelligence and policy management within the World Bank Treasury. In this role,
Tom regularly advised central banks around the world about their cyber-risk posture and layered
security architectures. Along with Thomas Glaessner and Valerie McNevin, he co-authored the book
"E-safety and Soundness: Securing Finance in a New Age."

Troy Vennon

Mobile Malware: The Rising Tide of Risk

Once targeted mainly at Nokia Symbian-based mobile devices, mobile malware has
grown at a rapid rate over the past few years with the rise of smartphones and
tablets. And not only is the number of threats growing, but they are showing signs of
increasing sophistication and maturity, and adopting new methods of attack. Join
this session to hear the results of a recent report that highlighted the trends and
examples of mobile malware and other threats to mobile devices, as well as
predictions for 2012. The session will conclude with strategies and actions that MIS departments can
take to protect their corporate networks as well as users' mobile devices.