May 17 & 18 2012 - Central Ohio ISSA

2012 Central Ohio InfoSec Summit
May 17 & 18 2012
Hosted By: Central Ohio ISSA
Co-Sponsored By: Central Ohio ISACA, (ISC)2, InfraGard & OWASP
Please join us on May 17th and 18th, 2012 for the fifth annual Central Ohio InfoSec Summit. This event will be a
superb venue for education, collaboration, and networking. Join information security practitioners and executives
from throughout the region as we bring together the leaders in our profession for two days of intense lecture and
study across various tracks. You will choose from highly technical, technical, management, and executive level
sessions, as we tackle the latest industry trends, issues, and solutions. Attendance at this event will qualify an
individual for 14 CPEs. The summit will be held in the same location as last year, Hyatt Regency, Downtown
Columbus.
Highlights include:
- Keynote presentations from nationally renowned speakers – Richard Clarke, Curtis Levinson, Rob Rachwald and William Hagestad, to name a few
- Breakout sessions from top practitioners in the industry covering the latest trends and issues in the field
- Exhibitor showcase featuring leading security products and services
- Full agenda coming soon
Pricing:
- Early Bird Price of $75.00 for ISSA, ISACA, (ISC)2, OWASP, or InfraGard members - expires at midnight on May 5th
- Full Price of $175.00 after May 5th for all attendees
For more details, please visit the Central Ohio ISSA website at http://infosecsummit.org
Last year’s Summit attracted over 300 individuals and sold out.
To Register, Please use the following link:
http://centralohioissa.com/registration/event-registration?regevent_action=register&event_id=11
Address Sponsorship Inquiries to info@centralohioissa.org
InfoSec Summit 2012 – Agenda
Thursday, May 17, 2012
- 9:00 - 11:30: Sponsor Booth Setup / Lunch
- 11:30 - 1:00: Registration / Sponsor Time
- 1:00 - 2:00: Keynote 1 - Richard Clarke
- Break 1
- 2:15 - 3:00: Executive 1 - Panel Discussion | Technical 1 - Brian Prince | Adv Technical 1 - David Mortman
- Break 2
- 3:15 - 4:00: Executive 2 - Patrice Bordron | Technical 2 - Steve Ocepek | Adv Technical 2 - Tom Eston
- Break 3
- 4:15 - 5:15: Keynote 2 - Rob Rachwald
- Break 4
- 5:30 - 6:30: Keynote 3 - Bill Hagestad
- 6:30 - 9:00: Reception
Friday, May 18, 2012
- 8:00 - 9:00: Keynote 4 - TBD
- 9:00 - 10:00: Keynote 5 - Jay Jacobs
- Break 1
- 10:15 - 11:00: Executive 3 - Tsibouris & Munur | Technical 3 - Rohyt Belani | Adv Technical 3 - Mick Douglas
- Break 2
- 11:15 - 12:00: Executive 4 - Bill Lisse | Technical 4 - Brent Huston | Adv Technical 4 - Jason Montgomery
- 12:00 - 1:00: Lunch
- 1:00 - 1:45: Executive 5 - Tom Kellerman | Technical 5 - Lisa Peterson | Adv Technical 5 - Phil Grimes
- Break 3
- 2:00 - 2:45: Executive 6 - Jerod Brennen | Technical 6 - Troy Vennon | Adv Technical 6 - Dave Kennedy
- Break 4
- 3:00 - 3:45: Executive 7 - Panel Discussion | Technical 7 - Clark Cummings | Adv Technical 7 - Aaron Bedra
- Break 5
- 4:00 - 5:00: Keynote 6 - Curtis Levinson
Speaker Bios and Abstracts
Richard A. Clarke is an internationally-recognized expert on security, including
homeland security, national security, cyber security, and counterterrorism. He is
currently an on-air consultant for ABC News and teaches at Harvard's Kennedy School
of Government.
Clarke served the last three Presidents as a senior White House Advisor. Over the
course of an unprecedented 11 consecutive years of White House service, he held
the titles of:
- Special Assistant to the President for Global Affairs
- National Coordinator for Security and Counterterrorism
- Special Advisor to the President for Cyber Security
Prior to his White House years, Clarke served for 19 years in the Pentagon, the Intelligence Community,
and State Department. During the Reagan Administration, he was Deputy Assistant Secretary of State
for Intelligence. During the Bush (41) Administration, he was Assistant Secretary of State for Political-Military
Affairs and coordinated diplomatic efforts to support the 1990–1991 Gulf War and the subsequent security arrangements.
As a Partner in Good Harbor Consulting, LLC, Clarke advises clients on a range of issues including:
- Corporate security risk management
- Information security technology
- Dealing with the Federal Government on security and IT issues
- Counterterrorism
In a Special Report by Foreign Policy Magazine, Clarke was chosen as one of
The Top 100 Global Thinkers of 2010.
Aaron Bedra - Fraud Detection on the Fly and on a Budget
Running a major application on the internet that deals in redeemable vouchers is
full of surprises. While most of the consumers enjoy the benefits of discounts
offered at Groupon, a non-trivial number of people attempt to take advantage and
break the rules. Join Aaron as he walks through the inception of a fraud detection
system built in a matter of hours to combat fraudulent users. You will see how easy
it can be to build a simple fraud detection engine and plug in the rules needed to
help you combat fraudulent users. Aaron is a senior engineer at Groupon where he
helps teams design and code security focused software. Aaron works as a technical
lead, speaker, and author. Aaron is a frequent contributor to the Clojure language and is the author of
“Rails Security Audit”, a co-author of “Programming Clojure 2nd Edition”, and a co-author of the
upcoming "Practical Software Security" book.
Bill Hagestad - Nation State Conflict in the 21st Century
Nation State conflict in the 21st Century has evolved and morphed from being
purely kinetic and physical as represented by a variety of low and medium
intensity wars to one in which we are all now involved as unwilling participants.
The current battlefield is the digital realm where there is little distinction
between combatants and non-combatants. Traditionally there are laws of armed conflict in the physical
world, yet in this new world of cyber warfare no such digital rules of engagement exist. "The Rise of a
Cybered Westphalian Age" should be a prerequisite for all information security professionals. During
his session, Bill Hagestad will take conference delegates on a tour of various nation state cyber
warfare preparedness activities and the seemingly endless paradigm which is now known as cyber
warfare in the 21st century. Lieutenant Colonel Hagestad, USMCR (ret), has a Master’s of Science in
Security Technologies from the College of Computer Engineering, University of Minnesota and a
Bachelor of Arts in Mandarin Chinese. He also holds a second Master’s of Science in the Management of
Technology from the Carlson School of Management, University of Minnesota. His military experience
spans more than 27 years; enlisting in the United States Marine Corps in 1981 and having served in
numerous command posts, before retirement.
Bill is an internationally recognized subject matter expert on the Chinese People’s Liberation Army and
Government Information Warfare. He advises international intelligence organizations, military flag
officers, and multi-national commercial enterprises with regard to their internal IT security governance
and external security policies. He currently speaks both domestically and internationally on the Chinese
Cyber Threat. Bill is the author of "21st Century Chinese Cyber Warfare" published 1 March 2012 by IT
Governance in Ely, Cambridgeshire, United Kingdom. This treatise on the People's Republic of China's
electronic and information warfare is available from IT Governance
at http://www.itgovernance.co.uk/products/3697 or from Amazon.com via
http://www.amazon.com/21st-Century-Chinese-Cyberwarfare-Governance/
Brent Huston - Detection in Depth :: Changing the PDR Focus
This talk will cover the need for multiple layers of detection in the organization,
provide a framework for planning, implementing and managing multiple layers of
detection and give insights into real world examples of the approach. The speaker
will detail a variety of tools and techniques that can be used to implement
detection in depth and provide a maturity model for organizations seeking to move
to a more data & threat-centric rational approach. Nuance detection techniques will be explained that
reduce overall data event amounts and significantly enhance the signal to noise ratio of detections. The
speaker has experience building, customizing and managing these deployments across vertical industries
and varying sizes/complexity/maturity levels of organizations. A robust Q&A session will follow.
Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. MSI is a leading provider of
application security assessments, penetration testing and HoneyPoint security products including the
latest addition, HoneyPoint Wasp, for securing Windows PC desktops. Since 1992, MSI has been
providing security services to organizations ranging from small businesses, financial institutions, e-commerce/telecommunications, manufacturing, education and government agencies, as well as
international corporations. Mr. Huston, a Senior Member of ISSA, is an accomplished international
speaker, a regularly quoted information security visionary and the author of various security tools,
books and articles published around the world.
Bill Lisse, CISSP, CISA, CIPP/US, CGEIT, PMP - Hacking Carbon: Lessons Learned from an ISO/IEC 27001 Implementation
OCLC Online Computer Library Center, Inc., is a global not-for-profit organization with 23
international offices that support more than 72,000 libraries in 170 countries and
territories to locate, acquire, catalog, lend and preserve library materials. OCLC has deployed an in-house
developed global cloud Integrated Library Management System to data centers in the United
States, Europe and Australia, and will soon stand up a data center in Canada. To meet international
security and privacy requirements, OCLC's leadership chose to implement an ISO/IEC 27001 compliant
information security management system. This presentation describes the business case, project
management, implementation challenges, and audit preparation lessons gleaned from the ISMS
implementation project.
Bill currently serves as the Corporate Information Security Officer for OCLC and leads OCLC's global
ISO/IEC 27001 Information Security Management System. Bill has over 25 years of information security,
IT audit, and investigative experience in both commercial organizations and the U.S. Government. Bill's
areas of expertise include manufacturing and distribution, financial institutions, critical infrastructures,
healthcare, and software embedded systems. Bill has served as a subject matter expert for a number of
ISACA Audit and Assurance Guides and Computing Technology Industry Association Security+ Exam.
Brian Prince (Microsoft) - Level 300 - Architectural Patterns for the Cloud
Enough mushy, baby talk about the cloud. Let's roll up our sleeves and talk about
some real patterns for how to use the cloud in the real world. Hint: As much as
some vendors want you to think so, it doesn't require you to move everything to
the cloud. Leave with some concrete ways to use the cloud in your existing world.
Brian H. Prince is a Principal Cloud Evangelist for Microsoft, based in the US. He
gets super excited whenever he talks about technology, especially cloud computing, patterns, and
practices. His job is to help customers strategically leverage technology, and help them bring their
architecture to a super level. In a past life Brian was a part of super startups, super marketing firms, and
super consulting firms. Much of his super architecture background includes building super scalable
applications, application integration, and award winning web applications. All of them were super.
Further, he is a co-founder of the non-profit organization CodeMash (www.codemash.org). He speaks at
various international technology conferences. He only wishes his job didn’t require him to say ‘super’ so
much. Brian is the co-author of “Azure in Action”, published by Manning Press. Brian holds a Bachelor
of Arts degree in Computer Science and Physics from Capital University, Columbus, Ohio. He is also a
zealous gamer. For example, he is a huge fan of Fallout 3, Portal, and pretty much every other game he
plays.
Clarke Cummings - The Pitfalls of Cloud Security
Many organizations today are beginning to adopt at least some services out of the cloud. The term has
become so ubiquitous that it regularly makes an appearance in television commercials. And while many
infrastructure teams in organizations have an easier time of things, the security group is often taxed
with additional concerns about how to deal with cloud security. This presentation will examine some
common risks that often turn into deep pits and how to avoid them.
Curtis K. S. Levinson, CDP-CCP, CISSP-CAP, CBCP, MBCP, CCSK - APTs: A Balanced
Approach for Survivability and Sustainability in the Cyber Realm
Advanced Persistent Threat (APT): APTs are attacks on US information technology
and telecommunications infrastructure by known nation-state and other bad
actors. These attacks are currently taking the form of Phishing and Spear Phishing
attacks on US assets both government and industry. Phishing attacks are extremely
difficult to detect and it appears from public sources that a portion of the attacks are
coming from (spoofed) trusted domains, which makes filtering even more difficult. The primary remedy
to such attacks is a combination of extreme user education/training and comprehensive Business
Continuity Planning and Disaster Recovery (BCP/DR/COOP) implementation. Users need to be educated
as to what acceptable practices are for eMail messages with embedded URLs and the urgent need to
NOT CLICK on embedded URLs. Any questions as to the nature of the destination of the embedded URL
MUST be directed to the message author, NOT acted upon in the eMail note itself. Since bad things
can, do and will continue to happen, recovery plans, programs and techniques must be up to the task of
restoring critical functions as soon as possible. The quicker we can recover, the more ineffective the
attack.
Mr. Levinson has over 25 years of focused experience in Cyber Security and Information Assurance. He is
a highly experienced risk assessor and technology architect specializing in all phases of the cyber process
including regulatory compliance, policy formulation, cyber attribution and forensics, risk analysis,
network/system hardening and resilience, implementation, testing, certification and accreditation,
operations, training and managing the cyber aspects of information and telecommunications systems in
a wide variety of environments. Mr. Levinson has served two sitting Presidents of the United States,
two Chairmen of the Joint Chiefs of Staff and the Chief Justice of the United States. He has been
selected by NATO (North Atlantic Treaty Organization) to represent the United States as an advisory
subject matter expert on Cyber Defense for the IRCSG (Industrial Resources and Communications
Services Group). This group falls under NATO’s Civil-Military Planning and Support Section, which is
essential to the Alliance’s common defense and security.
David J. Kennedy - Vice President, Chief Security Officer
David J. Kennedy was appointed vice president and chief security officer for
Diebold, Incorporated in October 2011. He is responsible for providing a secure
environment for Diebold customers and employees. Kennedy and his team are
dedicated to the protection of Diebold assets against the evolving and persistent
threats through the establishment and maintenance of a secure infrastructure,
which includes the design, monitoring and testing of the security controls.
Kennedy joined Diebold in 2010 as a director and regional security officer in the
company’s enterprise security organization. Prior to Diebold, Kennedy was a
partner and vice president of consulting for an information security consulting firm in the Great Lakes
region.
He is considered a subject matter expert in the information security industry for several Fortune 500 and
Fortune 1000 companies in the United States. Kennedy is a speaker at some of the nation’s largest
security conferences, and has participated in other largely renowned speaking and media engagements.
He is a developer on the BackTrack security distribution, and has co-authored several information
security courses and tools, including The Social-Engineer Toolkit (SET). Kennedy is the founder of
DerbyCon, a large-scale security conference located in Louisville, Ky. He is also the author of the best-selling security book “Metasploit: The Penetration Tester's Guide.” Kennedy was a United States Marine
in the intelligence community, specializing in information security and was deployed on a number of
tours to Iraq and Middle Eastern countries. Kennedy has several industry certifications, including:
Certified Information Systems Security Professional (CISSP), Offensive-Security Certified Expert (OSCE),
Offensive-Security Certified Professional (OSCP), SANS General Security Certification (GSEC),
International Organization of Standards 27001 (ISO 27001) and Microsoft Certified Systems Engineer
(MCSE).
David Mortman - Pragmatic Cloud Security
Last year I talked about the myths and realities of cloud computing security. This year,
we're going to talk about what you need to do to keep things safe, sane and
operational. You'll walk out with a list of tools to play with and implement in your
own environments. This will be a very interactive session so bring your questions.
David Mortman is the Chief Security Architect for enStratus. Most recently he was the
Director of Security and Operations for C3, LLC. Formerly the Chief Information
Security Officer for Siebel Systems, Inc., David and his team were responsible for
Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with
Siebel's product groups and the company's physical security team and led Siebel's product
security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates,
where, in addition to managing data security, he deployed and tested all of NAI's security products
before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank.
Mr. Mortman is a regular speaker at RSA, Blackhat, Defcon. In the past year, he has presented at RSA,
SourceBoston, Secure360, Sector and BSides San Francisco. Mr. Mortman sits on a variety of advisory
boards including Qualys, Lookout and Reflective amongst others. He holds a BS in Chemistry from the
University of Chicago.
Dino Tsibouris and Mehmet Munur - Legal Issues Relating to Mobile Computing,
BYOD, and Social Media
Dino and Mehmet will focus on the legal risks associated with these technologies
and trends as well as the approaches companies may take to address those risks.
Specifically, the presenters will discuss risks relating to privacy, security, data loss,
discovery and litigation holds, and others. The presenters will also offer methods of
addressing those risks through tailored policies and procedures.
Dino Tsibouris is the founding principal of the law firm Tsibouris & Associates, LLC. His practice
concentrates in the areas of electronic commerce, online financial services, software licensing, and
privacy law. In addition, Mr. Tsibouris' practice includes the implementation of electronic signatures,
records management and information security. He was previously an attorney with Thompson Hine LLP
and a Vice President and Counsel for e-Commerce and Technology at Bank One Corporation (now
JPMorgan Chase). He has conducted CLE and trade association presentations on various e-banking and
e-commerce matters, and participated in many regulatory and industry task forces addressing new
legislation.
Mehmet Munur is an attorney at Tsibouris & Associates, LLC. He concentrates his
practice in the areas of technology law, information privacy and security, financial
services, and other transactional law. He has experience in banking and card
association regulations, payments, electronic money, and other financial services.
He has worked on both the regulatory aspects and the contractual aspects of this
area of the law. Mr. Munur works on the contracts for internet-based services,
including drafting terms of use, privacy policies and other online legal agreements
relating to payments, purchasing, and supplier portals. He also regularly works with
clients on servicing, financing, payments, and technology outsourcing agreements.
Mr. Munur advises clients on privacy issues, laws, and regulation. More specifically, he advises clients
on issues relating to GLBA, CAN-SPAM, FCRA, FACTA, HIPAA and HITECH regulations,
and US Department of Commerce Safe Harbor certification and compliance. He also has experience with
Canadian and European privacy laws. Mr. Munur has experience in a variety of other areas including
electronic commerce, payments, electronic signatures, records retention, data breach incident
response, trademark prosecution and other intellectual property disputes, software licensing and audits,
anti-money laundering laws, Office of Foreign Assets Control and other import-export regulations. In
addition, he also has experience in other areas of the law connected to technology, including drafting
workplace policies relating to social media, records retention and destruction, security incident response
policies, and other policies that touch on technology, security, and privacy areas. Mr. Munur conducts
presentations on security, privacy, and technology issues. He is the current chair for the International
Association of Privacy Professionals KnowledgeNet in Columbus, Ohio. Mr. Munur graduated from
Capital University law school (J.D., magna cum laude) and is admitted to the Ohio bar. He also graduated
from Ohio Wesleyan University (B.A. cum laude).
Jason Montgomery is a principal at New Power Security, Inc. (NPS), a security firm
focused on securing critical infrastructure and also contracts as a Cyber Security
Architect/Engineer at American Electric Power (AEP). He focuses on Software &
Application Security programs for the enterprise which evolved out of 15 years of real
world application development experience and Information Security work. Jason's 15-year career
extends beyond development experience to include application building for Fortune 500 companies,
Internet start-ups, as well as State and Federal Government organizations including the Department of
Defense. His concentrations also incorporate server and system hardening, providing security guidance
for developers, penetration testing of software and hardware, and mitigation strategies; he has also
designed and programmed custom enterprise applications. Jason is a SANS Author and Instructor with
SANS Institute and has also served on the GIAC Secure Software Programmer (GSSP) Steering
Committee which produced a GIAC Certification for Secure Programming in .NET.
As a principal on Verizon’s RISK Intelligence team, Jay Jacobs utilizes VERIS (Verizon
Enterprise Risk and Incident Sharing), the company’s open-source risk research sharing
framework to collect, analyze and deliver risk data to the information security industry.
He is also a contributor to the company’s Data Breach Investigations Report series. Prior
to joining Verizon, Jacobs worked as a senior technical architect for Target Corporation, where he
focused on risk management and analysis. Previously, he designed and implemented cryptographic
solutions in medical devices. Jacobs is a co-founder of the Society of Information Risk Analysts and
currently serves on the organization’s board of directors. He is also one of the primary authors of the
OpenPERT project, an open-source Excel plug-in for risk analysis. He is an active blogger, as well as a
published author and co-host on the Risk Hose podcast. Jacobs holds his bachelor’s degree in technology
and management from Concordia University in Saint Paul, Minn.
Jerod Brennen - Information Security Management 101: The Fundamentals
Information security professionals interact with every facet of the business, and the
information security manager is expected to demonstrate the proverbial “mile wide,
inch deep” understanding of all things security-related. With the global marketplace
continually expanding, the information security manager is expected to know (and do)
more than ever before. How in the world (pun intended) will you be able to cover all the
necessary bases without burning out or losing your mind? This presentation will teach
you how to do more with less by implementing and maintaining an ISO-based information security
program. Whether you’ve been managing a security team for years, been managing a security team for
days, or aspire to manage a security team in the near future, this presentation will give you the tools
and knowledge you need to be successful in any organization.
By day, Jerod (@slandail) is CTO & Principal Security Consultant with Jacadis, an award-winning security
solutions and services provider. By night, he’s a husband, father, writer, filmmaker, martial artist, and
social media junkie. Jerod has over a decade of IT, infosec, and compliance experience. He spent years
as an Information Security Specialist with American Electric Power before moving to Abercrombie &
Fitch. At A&F, Jerod built out and managed the information security program. His team was tasked with
security operations, PCI and SOX compliance, and identity and access management. His approach to
infosec has two key tenets: don't be afraid to void warranties, and you shouldn't need to bypass security
to get your work done. http://about.me/slandail
Lisa Peterson - Vendor Risk: Do You Feel Lucky? Well, DO You?
How secure is your data? That depends in part on the vendors with whom you are
sharing it, and how secure THEY are. Also on what practices you require them to
implement to keep your data secure. Learn best practices to rate vendor risk, assess
vendor security, and what to do to ensure the security of your assets once you’ve
given access to your vendors.
Lisa Peterson CISA, CISSP has worked in Information Security for 20 years, and is a Security Analyst for
Progressive Insurance. Her current focus is in governance, risk and compliance. She is also a part-time
instructor for Information Security courses at Cleveland State University, and teaches as a SANS
Mentor. She is a member of InfraGard and ISACA; and serves on the board for the Information Security
Summit and for the Northeast Ohio chapter of ISACA.
Patrice Bordron - Director, Information Risk Management, Nationwide Insurance
The risk landscape is shifting. The industry is facing a convergence of three realities
that create the perfect storm for information risk management – 1) Attackers and
Their Motivations are Changing, 2) Technology is Rapidly Changing yet 3) Businesses
are Demanding Lower IT Costs. Uncontrollable forces such as hacktivists and
anonymous bloggers make this an unprecedented shift in the risk landscape.
Nationwide anticipated this shift. They matured their processes, tools and
organizational model to be even more effective and efficient at managing this
dynamic risk landscape. Learn about Nationwide's journey and how they are managing this
unprecedented shift while at the same time enabling business innovation.
Patrice Bordron is Director of Information Risk Management at Nationwide, an organization ranked 108
on the Fortune 500. One of the largest insurance and financial services organizations in the U.S.,
Nationwide is the sixth largest property and casualty insurer with over 16 million policies in force, and is
the number one provider of defined contribution plans. Patrice joined Nationwide in 2000 and has held
many technical and information technology (IT) leadership positions throughout Nationwide’s insurance
and financial services businesses. Patrice has worked in Africa, Europe, and North America and has held
various IT leadership roles that span Application Development, IT Architecture, Project Management,
and Information Risk Management.
His current responsibilities include risk leadership and strategic planning for the development,
implementation and execution of Nationwide’s Enterprise Applications information risk management
program. This program includes policy, procedures and technologies for Security, Continuity
Management, and Compliance services. Patrice is the primary IT liaison to Enterprise Application
Management. He is a member of the Information Risk Management Governance Leadership Team.
Patrice is an avid swimmer and coaches select soccer.
Mick Douglas - Mo Data? Mo Problems!
Do you find yourself drowning in the explosive growth in data, logs, and other
sources of information? People simply are not able to keep up -- or are we? This
talk will focus on using "smart stats" and other innovative data visualization tools.
Various tools and techniques will be discussed, culminating in the use of a
Microsoft Kinect to explore and interact with relationships inside data cubes.
** Note: this talk will require the use of a Microsoft Kinect (I will provide), which will
require about 10 minutes of setup time prior to the start of the presentation.
While Mick enjoys and
actively participates in penetration testing, his true passion is defense -- tweaking existing networks,
systems, and applications to keep the bad guys out. In addition to his technical work, Mick jumps at
every chance to participate in a social engineering engagement. Mick has a bachelor's degree from The
Ohio State University in Communications. In his spare time, you'll likely find him fleeing all things
electronic by scuba diving, trying in vain to improve his photography skills, and either hiking or camping.
Phil Grimes is a Security Analyst for MicroSolved, Inc.
MSI is a leading provider of application security assessments and penetration
testing. Since 1992, they have been providing security services to organizations
ranging from small businesses, financial institutions, e-commerce/telecommunications, manufacturing, education and government
agencies, as well as international corporations. Mr. Grimes started learning networking and Internet
security as a hobby from AOL in 1996 and has developed his technical skill set independently until
joining the MicroSolved Team in 2009. He is experienced in: application security, penetration testing,
mobile/SmartPhone security, and social engineering. He performs assessments for high profile
customers internationally and is an accomplished speaker and presenter for MSI's "State of the Threat"
webinars, CUISPA conferences, the Central Ohio WordPress Podcamp, the Ohio Society of CPA's, and
ISSA groups.
Rob Rachwald - The Anatomy of a Hacktivist Attack
In 2011, Imperva managed to witness an assault by a hacktivist group, including the
use of social media for communications and, most importantly, their attack
methods. Since hacktivists’ targets are highly variable, anyone can fall victim and
security professionals need to know how to prepare.
This talk will walk through the key stages of a hacktivist campaign, including:
1. Recruitment and communication: We show how hacktivists leverage social networks to recruit
their members and pick a target.
2. Application attack: We detail and sequence the steps hacktivists deploy to take data and bring
down websites.
3. DDoS: In this final stage, we shed light on the DDoS techniques deployed to take down
websites.
Rob is Imperva’s Director of Security Strategy. In this role, Rob researches and analyzes hacking trends
as well as data security from a business perspective. In the past, Rob worked in the early days of e-commerce at Intel, helping to secure the chip maker’s procurement and supply chain system into one of
the largest—and secure—online transaction systems worldwide. At Intel, Rob also built a secure
document delivery system for chip designs. More recently, Rob managed marketing and research
for code analysis firms Coverity and Fortify Software. He is a graduate of UC Berkeley and has an MBA
from Vanderbilt University.
Rohyt Belani - Spear Phishing: The Truth Behind Night Dragon, Aurora, and APT
This presentation will discuss the evolution of phishing from being a means of stealing
user identities to becoming a mainstay of organized crime. Today, phishing is a key
component in a hacker's repertoire. It has been used to hijack online brokerage
accounts to aid pump n' dump stock scams, compromise government networks,
sabotage defense contracts, steal proprietary information on oil contracts worth
billions, and break into the world's largest technology companies to compromise their
intellectual property. During this talk, I will present the techniques used by attackers to execute these
attacks, and real-world cases that my team has responded to that will provide perspective on the
impact. I will then discuss countermeasures that have been proven to be effective and are
recommended by reputable bodies like SANS and Carnegie Mellon University.
Rohyt Belani is CEO and co-founder of PhishMe, and Adjunct Professor at Carnegie Mellon University.
Prior to starting PhishMe, Mr. Belani held the positions of Managing Director at Mandiant,
Principal Consultant at Foundstone and Researcher at US-CERT. He is a contributing author for
Osborne's Hack Notes - Network Security, as well as Addison Wesley's Extrusion Detection: Security
Monitoring for Internal Intrusions. Mr. Belani is a regular speaker at various industry conferences
including Black Hat, OWASP, ASIS, SecTOR, Hack in the Box, Infosec World, TechnoSecurity, CPM, ISSA
meetings, and several forums catering to the FBI, US Secret Service, and US Military. He has written
technical articles and columns for online publications like Securityfocus and SC magazine, and has been
interviewed for CNBC, CNN, BBC Radio, Forbes magazine, eWeek, ComputerWorld, TechNewsWorld,
InformationWeek, Information Today, IndustryWeek, E-Commerce Times, SmartMoney, and Hacker
Japan. Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and
a Master of Science in Information Networking from Carnegie Mellon University.
Steve Ocepek - The Cloud is here to stay, but like any new technology it has its own
unique set of security concerns. The obvious ones, easier access to data and transfer of
data to third parties, have been fairly well covered,
but as this solution matures we're finding surprising issues that urge an even more
cautious approach. This presentation includes real-world findings uncovered by
Trustwave's Incident Response and Application Security teams that remind us that The
Cloud changes everything, especially when things go wrong. In addition we'll take a hard look at Cloud
infrastructures themselves, their potential weak points, and discuss strategies for choosing a secure
Cloud provider.
An innovative network security expert with an entrepreneurial spirit, Steve Ocepek has
been a driving force in pioneering Network Access Control (NAC) technologies delivering comprehensive
endpoint control for mitigation of zero-day attacks, policy enforcement, and access management, for which
he has been awarded 4 patents with 1 patent pending.
Steve co-founded Wholepoint Corporation in 2001, serving as chief technology officer of a five person
operation in a garage, where he invented patented network security software and devices which played
a key role in positioning the company for mergers with multimillion dollar Mirage Networks in 2004 and
Trustwave in 2008. He has been asked to remain, post-mergers, serving as a senior software consultant
and senior security consultant, and is currently the director of security research. With a reputation for
preventing, intercepting, and resolving malicious attacks from malware, viruses, and worms, Steve has
provided consultative testing, and made recommendations for remediation for Fortune 500 and
government enterprises in financial, credit card processing, educational, healthcare, and high-tech
industries. His testing of network penetration, use of Network Access Control (NAC), Intrusion Detection
Systems (IDS), Intrusion Prevention Systems (IPS), Web Application Firewalls (WAF), Network
Firewalls, and Encryption Solutions enables him to advise on new countermeasures improving security,
saving clients millions of dollars in losses of intellectual property, client data, customer confidence, and
litigation costs. Steve has led the growth of the SpiderLabs Security Research Department from 7 to 13
researchers on three teams, more than doubling services providing solutions to meet the needs of
clients worldwide in identifying, preventing, and solving network security threats and problems. He is
known as a trusted resource and problem solver by chief information officers, directors of security, chief
technical officers, chief operating officers, chief executive officers, and military and national security
leaders.
Tom Eston - The Android vs. Apple iOS Security Showdown
Android and Apple mobile devices have taken the market by storm. Not only are
they being used by consumers but they are now being used for critical functions
in businesses, hospitals and more. This trend is expected to continue with the
popularity of mobile devices such as tablets well into the future. In this
presentation we put Android up against Apple iOS to determine which, if either, is
ready for enterprise use. Once and for all we battle the Apple App Store vs. the
Android Marketplace, device updates, developer controls, security features and the current slew of
vulnerabilities for both devices. Which platform will emerge the victor? You might find that while the
"tech is hot", the implementation and built-in security controls are usually "not".
Tom Eston is the Manager of the Profiling and Penetration Team at SecureState. Tom leads a team of
highly skilled penetration testers that provide attack and penetration testing services for SecureState’s
clients. Tom focuses much of his research on new technologies such as social media and mobile
devices. He develops and improves penetration testing methodologies and works to align them with
industry standards. He is also the founder of SocialMediaSecurity.com which is an open source
community dedicated to exposing the insecurities of social media. Tom is a security blogger, co-host of
the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups
and national conferences including Black Hat USA, DEFCON, DerbyCon, Notacon, OWASP AppSec and
ShmooCon.
Tom Kellermann - Chief Technology Officer - "Laying Siege to Castles in the Sky: Defense in Depth in 2012"
My presentation will depict the evolution of hacker tactics and the appropriate policies and technologies
to manage cyber risk.
Tom Kellermann is a Commissioner on The Commission on Cyber Security for the 44th Presidency, and
he serves on the board of the International Cyber Security Protection Alliance. In addition, Tom is a
member of the National Board of Information Security Examiners Panel for Penetration Testing, the
Information Technology Sector Coordinating Council, and the ITISAC subcommittee on International
Cyber security policy. Tom is a Professor at American University's School of International Service and is a
Certified Information Security Manager (CISM). Finally, Tom sits on the Steering Committee of the
Financial Coalition Against Child Pornography. Tom Kellermann formerly held the position of Vice
President of Security Strategy for Core Security. Prior to his five years with Core Security, Tom was the
Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was
responsible for cyber-intelligence and policy management within the World Bank Treasury. In this role,
Tom regularly advised central banks around the world about their cyber-risk posture and layered
security architectures. Along with Thomas Glaessner and Valerie McNevin, he co-authored the book "E-Safety and Soundness: Securing Finance in a New Age."
Troy Vennon - Mobile Malware: The Rising Tide of Risk
Once targeted mainly at Nokia Symbian-based mobile devices, mobile malware has
grown at a rapid rate over the past few years with the rise of smartphones and
tablets. And not only is the number of threats growing, but they are showing signs of
increasing sophistication and maturity, and adopting new methods of attack. Join
this session to hear the results of a recent report that highlighted the trends and
examples of mobile malware and other threats to mobile devices, as well as
predictions for 2012. The session will conclude with strategies and actions that MIS departments can
take to protect their corporate networks as well as users' mobile devices.