2012 Central Ohio InfoSec Summit May 17 & 18 2012 Hosted By: Central Ohio ISSA Co-Sponsored By: Central Ohio ISACA, (ISC)2, InfraGard & OWASP Please join us on May 17th and 18th, 2012 for the fifth annual Central Ohio InfoSec Summit. This event will be a superb venue for education, collaboration, and networking. Join information security practitioners and executives from throughout the region as we bring together the leaders in our profession for two days of intense lecture and study across various tracks. You will choose from highly technical, technical, management, and executive level sessions, as we tackle the latest industry trends, issues, and solutions. Attendance at this event will qualify an individual for 14 CPE’s. The summit will be held in the same location as last year, Hyatt Regency, Downtown Columbus. Highlights include: Keynote presentations from nationally renowned speakers – Howard Schmidt, Richard Clarke, Curtis Levinson, Rob Rachwald and William Hagestad to name a few Breakout sessions from top practitioners in the industry covering latest trends and issues in the field. Exhibitor showcase featuring leading security products and services Full agenda coming soon Pricing: Early Bird Price of $75.00 for: ISSA, ISACA, ISC(2), OWASP, or InfraGard Members - Expires at Midnight on April 30th -- Full Price $175.00 after April 30th for all attendees. For more details, please visit the Central Ohio ISSA website @ http://www.centralohioissa.org/?page_id=936 Last year’s Summit attracted over 300 individuals and sold out. To Register, Please use the following link: http://centralohioissa.com/registration/eventregistration?regevent_action=register&event_id=11 Address Sponsorship Inquiries to info@centralohioissa.org InfoSec Summit 2012 – Agenda Thursday, May 17, 2012 Sponsor Booth Setup/lunch 9:00 - 11:30 Registration / Sponsor Time 11:30 - 1:00 Keynote 1 Richard Clarke 1:00 - 2:00 Break 1 Executive 1 Panel Discussion 2:15 -3:00 Technical 1 Brian Prince 2:15 - 3:00 Adv Technical 1 David Mortman 2:15 - 3:00 Break 2 Executive 2 Lisa Hodkinson 3:15 - 4:00 Technical 2 Steve Ocepek 3:15 - 4:00 Break 3 Keynote 2 Rob Rachwald Adv Technical 2 Tom Eston 3:15 - 4:00 4:15 - 5:15 Break 4 Keynote 3 Bill Hagestad 5:30 - 6:30 Reception 6:30 - 9:00 Friday, May 18, 2012 Keynote 4 Howard Schmidt 8:00 - 9:00 Keynote 5 Jay Jacobs 9:00 – 10:00 Break 1 Executive 3 Tsbouris & Menur 10:15 – 11:00 Technical 3 Rohyt Belani 10:15 – 11:00 Adv Technical 3 Mick Douglas 10:15 – 11:00 Break 2 Executive 4 Bill Lisse 11:15 – 12:00 Technical 4 Brent Huston 11:15 – 12:00 Adv Technical 4 Jason Montgomery 11:15 – 12:00 Lunch 12:00 – 1:00 Executive 5 Tom Kellerman 1:00 - 1:45 Technical 5 Lisa Peterson 1:00 - 1:45 Adv Technical 5 Phil Grimes 1:00 - 1:45 Break 3 Executive 6 Jerod Brennen 2:00 - 2:45 Technical 6- Troy Vennon 2:00 - 2:45 Adv Technical 6 Dave Kennedy 2:00 - 2:45 Break 4 Executive 7 Panel Discussion 3:00 – 3:45 Technical 7 Clark Cummings 3:00 – 3:45 Break 5 Keynote 6 Curtis Levinson 4:00 - 5:00 Adv Technical 7 Aaron Bedra 3:00 – 3:45 Speaker Bios and Abstracts Howard A. Schmidt-Special Assistant to the President and Senior Director for Cyber Security, Office of the President Howard A. Schmidt has had a distinguished career spanning more than 40 years in defense, law enforcement, and corporate security. He is an expert in the areas of computer security, cybercrime, critical infrastructure protection and business risks related to cyber security. He has long been a leader in the creation of public and private partnerships and information-sharing initiatives. Mr. Schmidt was formerly the President and CEO of the Information Security Forum, a nonprofit international consortium that conducts research and develops best practices in information security, risk management and critical infrastructure protection. He has held executive roles in the private sector including Vice President and Chief Information Security Officer at eBay Inc. and Chief Security Officer (CSO) for Microsoft Corporation. Mr. Schmidt's government service has included assignments at the White House, the Federal Bureau of Investigation and the Air Force Office of Special Investigations (AFOSI). At the White House, he was appointed as the Vice Chair of the President's Critical Infrastructure Protection Board and Special Advisor for Cyberspace Security. He served as Chief Security Strategist for the United States CERT Partners Program for the National Cyber Security Division. Mr. Schmidt also was a supervisory special agent and director of the AFOSI Computer Forensics Lab and Computer Crime and Information Warfare Division. Prior to that, he led the computer forensics team for the FBI at the National Drug Intelligence Center. His military career includes active duty tours with the U.S. Air Force, service in the Arizona Air National Guard as a computer/communications specialist and in the U.S. Army Reserves as a Special Agent, Criminal Investigation Division where, until his retirement from the reserves, he served with the computer crime investigations unit. He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet crime. Before working at the FBI, Mr. Schmidt was with the Chandler, Arizona Police Department. Mr. Schmidt has held leadership roles in various non-profit professional organizations including the Information Systems Security Association, (ISC)2 and was the co-founder and first president of the Information Technology Information Sharing and Analysis Center. In 2005 , Mr. Schmidt was appointed by the Secretary of Commerce to the Information Security Privacy Advisory Board. He has received numerous awards and recognitions from government and private industry including the CSO Magazine "Compass Award", Baseline Magazine's "The 50 Most Influential People in Business IT" as well as the Federal 100 Award to name just a few. Mr. Schmidt holds a bachelor's degree in business administration and a master's degree in organizational management from the University of Phoenix and holds an Honorary Doctorate in Humane Letters. He is a Certified Information Systems Security Professional and a Certified Secure Software Lifecycle Professional. Mr. Schmidt is a Professor of Research at Idaho State University, Adjunct Professor at Georgia Tech, Information Security Center, and Adjunct Distinguished Fellow with Carnegie Mellon's CyLab and a Distinguished Fellow of the Ponemon Privacy Institute Richard A. Clarke is an internationally-recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. He is currently an on-air consultant for ABC News and teaches at Harvard's Kennedy School of Government. Clarke served the last three Presidents as a senior White House Advisor. Over the course of an unprecedented 11 consecutive years of White House service, he held the titles of: - Special Assistant to the President for Global Affairs - National Coordinator for Security and Counterterrorism - Special Advisor to the President for Cyber Security Prior to his White House years, Clarke served for 19 years in the Pentagon, the Intelligence Community, and State Department. During the Reagan Administration, he was Deputy Assistant Secretary of State for Intelligence. During the Bush (41) Administration, he was Assistant Secretary of State for PoliticalMilitary Affairs and coordinated diplomatic efforts to support the 1990–1991 Gulf War and the subsequent security arrangements. As a Partner in Good Harbor Consulting, LLC, Clarke advises clients on a range of issues including: - Corporate security risk management - Information security technology - Dealing with the Federal Government on security and IT issues - Counterterrorism In a Special Report by Foreign Policy Magazine, Clarke was chosen as one of The Top 100 Global Thinkers of 2010. Aaron Bedra-Fraud Detection on the Fly and on a Budget Running a major application on the internet that deals in redeemable vouchers is full of surprises. While most of the consumers enjoy the benefits of discounts offered at Groupon, a non-trival amount of people attempt to take advantage and break the rules. Join Aaron as he walks through the inception of a fraud detection system built in a matter of hours to combat fraudulent users. You will see how easy it can be to build a simple fraud detection engine and plug in the rules needed to help you combat fraudulent users. Aaron is a senior engineer at Groupon where he helps teams design and code security focused software. Aaron works as a technical lead, speaker, and author. Aaron is a frequent contributor to the Clojure language and is the author of “Rails Security Audit”, a co-author of “Programming Clojure 2nd Edition”, and a co-author of the upcoming "Practical Software Security" book. Bill Hagestad-Nation State Conflict in the 21st Century Nation State conflict in the 21st Century has evolved and morphed from being purely kinetic and physical as represented by a variety of low and medium intensity wars to one in which we are all now involved as unwilling participants. The current battlefield is the digital realm where there is little distinction between combatants and non-combatants. Traditionally there are laws of armed conflict in the physical world yet in this new world of cyber warfare no such digital rules of engagement exist. The "Rise of a Cybered Westphalian Age"should be a pre-requisite for all information security professionals and during Bill Hagestad's session as he will take conference delegates on a tour of various nation state cyber warfare preparedness activities and the seemingly endless paradigm which is now known as cyber warfare in the 21st century. Lieutenant Colonel Hagestad, USMCR (ret), has a Master’s of Science in Security Technologies from the College of Computer Engineering, University of Minnesota and a Bachelor of Arts in Mandarin Chinese. He also holds a second Master’s of Science in the Management of Technology from the Carlson School of Management, University of Minnesota. His military experience spans more than 27 years; enlisting in the United States Marine Corps in 1981 and having served in numerous command posts, before retirement. Bill is an internationally recognized subject matter expert on the Chinese People’s Liberation Army and Government Information Warfare. He advises international intelligence organizations, military flag officers, and multi-national commercial enterprises with regard to their internal IT security governance and external security policies. He currently speaks both domestically and internationally on the Chinese Cyber Threat. Bill is the author of "21st Century Chinese Cyber Warfare" published 1 March 2012 by IT Governance in Ely, Cambridgshire, United Kingdom. This treatise on the People's Republic of China electronic and information warfare is available from either IT Governance @ http://www.itgovernance.co.uk/products/3697 or @ Amazon.com via http://www.amazon.com/21stCentury-Chinese-Cyberwarfare-Governance/ Brent Huston-Detection in Depth :: Changing the PDR Focus This talk will cover the need for multiple layers of detection in the organization, provide a framework for planning, implementing and managing multiple layers of detection and give insights into real world examples of the approach. The speaker will detail a variety of tools and techniques that can be used to implement detection in depth and provide a maturity model for organizations seeking to move to a more data & threat-centric rational approach. Nuance detection techniques will be explained that reduce overall data event amounts and significantly enhance the signal to noise ratio of detections. The speaker has experience building, customizing and managing these deployments across vertical industries and varying sizes/complexity/maturity levels of organizations. A robust Q&A session will follow. Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. MSI is a leading provider of application security assessments, penetration testing and HoneyPoint security products including the latest addition, HoneyPoint Wasp, for securing Windows PC desktops. Since 1992, MSI has been providing security services to organizations ranging from small businesses, financial institutions, e- commerce/telecommunications, manufacturing, education and government agencies, as well as international corporations. Mr. Huston, a Senior Member of ISSA, is an accomplished international speaker, a regularly quoted information security visionary and the author of various security tools, books and articles published around the world. Bill Lisse, CISSP, CISA, CIPP/US, CGEIT, PMP- Hacking Carbon: Lessons Learned from an ISO/IEC 27001 Implementation OCLC Online Computer Library Center, Inc., is a global not-for-profit organization with 23 international offices that support more than 72,000 libraries in 170 countries and territories to locate, acquire, catalog, lend and preserve library materials. OCLC has deployed an inhouse developed global cloud Integrated Library Management System to data centers in the United States, Europe and Australia, and will soon stand-up a data center in Canada. The meet international security and privacy requirements, OCLC's leadership chose to implement an ISO/IEC 27001 compliant information security management system. This presentation describes the business case, project management, implementation challenges, and audit preparation lessons gleaned from the ISMS implementation project. Bill currently serves as the Corporate Information Security Officer for OCLC and leads OCLC's global ISO/IEC 27001 Information Security Management System. Bill has over 25 years of information security, IT audit, and investigative experience in both commercial organizations and the U.S. Government. Bill's areas of expertise include manufacturing and distribution, financial institutions, critical infrastructures, healthcare, and software embedded systems. Bill has served as a subject matter expert for a number of ISACA Audit and Assurance Guides and Computing Technology Industry Association Security+ Exam. Brian Prince – Microsoft-Lvl 300 - Architectural patterns for the cloud Enough mushy, baby talk about the cloud. Let's roll up our sleeves and talk about some real patterns for how to use the cloud in the real world. Hint: As much as some vendors want you to think so, it doesn't require you to move everything to the cloud. Leave with some concrete ways to use the cloud in your existing world. Brian H. Prince is a Principal Cloud Evangelist for Microsoft, based in the US. He gets super excited whenever he talks about technology, especially cloud computing, patterns, and practices. His job is to help customers strategically leverage technology, and help them bring their architecture to a super level.In a past life Brian was a part of super startups, super marketing firms, and super consulting firms. Much of his super architecture background includes building super scalable applications, application integration, and award winning web applications. All of them were super. Further, he is a co-founder of the non-profit organization CodeMash (www.codemash.org). He speaks at various international technology conferences. He only wishes his job didn’t require him to say ‘super’ so much. Brian is the co-author of “Azure in Action”, published by Manning Press. Brian holds a Bachelor of Arts degree in Computer Science and Physics from Capital University, Columbus, Ohio. He is also a zealous gamer. For example, he is a huge fan of Fallout 3, Portal, and pretty much every other game he plays. Clarke Cummings-The Pitfalls of Cloud Security Many organizations today are beginning to adopt at least some services out of the cloud. The term has become so ubiquitous that it regularly makes an appearance in television commercials. And while many infrastructure teams in organizations have an easier time of things, the security group is often taxed with additional concerns about how to deal with cloud security. This presentation will examine some common risks that often turn into deep pits and how to avoid them. Curtis K. S. Levinson, CDP-CCP, CISSP-CAP, CBCP, MBCP, CCSK -(APT’s), a balanced approach for survivability and sustainability in the Cyber Realm Advanced Persistent Threat (APT): APTs are attacks on US information technology and telecommunications infrastructure by known nation-state and other bad actors. These attacks are currently taking the form of Phishing and Spear Phishing attacks on US assets both government and industry. Phishing attacks are extremely difficult to detect and it appears from public sources that a portion of the attacks are coming from (spoofed) trusted domains, which makes filtering even more difficult. The primary remedy to such attacks is a combination of extreme user education/training and comprehensive Business Continuity Planning and Disaster Recovery (BCP/DR/COOP) implementation. Users need to be educated as to what acceptable practices are for eMail messages with embedded URLs and the urgent need to NOT CLICK on embedded URLs. Any questions as to the nature of the destination of the embedded URL MUST be directed to the message author, NOT acted upon in the eMail note itself. Since bad things can, do and will continue to happen, recovery plans, programs and techniques must be up to the task of restoring critical functions as soon as possible. The quicker we can recover, the more ineffective the attack. Mr. Levinson has over 25 years of focused experience in Cyber Security and Information Assurance. He is a highly experienced risk assessor and technology architect specializing in all phases of the cyber process including regulatory compliance, policy formulation, cyber attribution and forensics, risk analysis, network/system hardening and resilience, implementation, testing, certification and accreditation, operations, training and managing the cyber aspects of information and telecommunications systems in a wide variety of environments. Mr. Levinson has served two sitting Presidents of the United States, two Chairman of the Joint Chiefs of Staff and the Chief Justice of the United States. He has been selected by NATO (North Atlantic Treaty Organization) to represent the United States as an advisory subject matter expert on Cyber Defense for the IRCSG (Industrial Resources and Communications Services Group). This group falls under NATO’s Civil-Military Planning and Support Section, which is essential to the Alliance’s common defense and security. David J. Kennedy-Vice President, Chief Security Officer David J. Kennedy was appointed vice president and chief security officer for Diebold, Incorporated in October 2011. He is responsible for providing a secure environment for Diebold customers and employees. Kennedy and his team are dedicated to the protection of Diebold assets against the evolving and persistent threats through the establishment and maintenance of a secure infrastructure, which includes the design, monitoring and testing of the security controls. Kennedy joined Diebold in 2010 as a director and regional security officer in the company’s enterprise security organization. Prior to Diebold, Kennedy was a partner and vice president of consulting for an information security consulting firm in the Great Lakes region. He is considered a subject matter expert in the information security industry for several Fortune 500 and Fortune 1000 companies in the United States. Kennedy is a speaker at some of the nation’s largest security conferences, and has participated in other largely renowned speaking and media engagements. He is a developer on the BackTrack security distribution, and has co-authored several information security courses and tools, including The Social-Engineer Toolkit (SET). Kennedy is the founder of DerbyCon, a large-scale security conference located in Louisville, Ky. He is also the author of the bestselling security book “Metasploit: The Penetration Testers Guide.” Kennedy was a United States Marine in the intelligence community, specializing in information security and was deployed on a number of tours to Iraq and Middle Eastern countries. Kennedy has several industry certifications, including: Certified Information Systems Security Professional (CISSP), Offensive-Security Certified Expert (OSCE), Offensive-Security Certified Professional (OSCP), SANS General Security Certification (GSEC), International Organization of Standards 27001 (ISO 27001) and Microsoft Certified Systems Engineer (MCSE). David Mortman –Pragmatic Cloud Security Last year I talked about the myths and realities of cloud computing security. This year, we're going to talk about, what you need to do to keep things safe, sane and operational. You'll walk out with a list of tools to play with and implement in your own environments. This will be a very interactive session so bring your questions. David Mortman is the Chief Security Architect for enStratus. Most recently he was the Director of Security and Operations for C3, LLC. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and is leading up Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. Mr. Mortman is a regular speaker at RSA, Blackhat, Defcon. In the past year, he has presented at RSA, SourceBoston, Secure360, Sector and BSides San Francisco. Mr. Mortman sits on a variety of advisory boards including Qualys, Lookout and Reflective amongst others. He holds a BS in Chemistry from the University of Chicago. Dino Tsibouris and Mehmet Munur-legal issues relating to Mobile Computing, BYOD, and Social Media. Dino and Mehmet will focus on the legal risks associated with these technologies and trends as well as the approaches companies may take to address those risks. Specifically, the presenters will discuss risks relating to privacy, security, data loss, discovery and litigation holds, and others. The presenters will also offer methods of addressing those risks through tailored policies and procedures. Dino Tsibouris is the founding principal of the law firm Tsibouris & Associates, LLC. His practice concentrates in the areas of electronic commerce, online financial services, software licensing, and privacy law. In addition, Mr. Tsibouris' practice includes the implementation of electronic signatures, records management and information security. He was previously an attorney with Thompson Hine LLP and a Vice President and Counsel for e-Commerce and Technology at Bank One Corporation (now JPMorgan Chase). He has conducted CLE and trade association presentations on various e-banking and e-commerce matters, and participated in many regulatory and industry task forces addressing new legislation. Mehmet Munur is an attorney at Tsibouris & Associates, LLC. He concentrates his practice in the areas of technology law, information privacy and security, financial services, and other transactional law. He has experience in banking and card association regulations, payments, electronic money, and other financial services. He has worked on both the regulatory aspects and the contractual aspects of this area of the law. Mr. Munur works on the contracts for internet-based services, including drafting terms of use, privacy policies and other online legal agreements relating to payments, purchasing, and supplier portals. He also regularly works with clients on servicing, financing, payments, and technology outsourcing agreements. Mr. Munur advises clients on privacy issues, laws, and regulation. More specifically, he advises clients on issues relating to GLBA, CAN-SPAM, FCRA, FACTA, HIPAA and HITECH regulations, and US Department of Commerce Safe Harbor certification and compliance. He also has experience with Canadian and European privacy laws. Mr. Munur has experience in a variety of other areas including electronic commerce, payments, electronic signatures, records retention, data breach incident response, trademark prosecution and other intellectual property disputes, software licensing and audits, anti-money laundering laws, Office of Foreign Assets Control and other import-export regulations. In addition, he also has experience in other areas of the law connected to technology, including drafting workplace policies relating to social media, records retention and destruction, security incident response policies, and other policies that touch on technology, security, and privacy areas. Mr. Munur conducts presentations on security, privacy, and technology issues. He is the current chair for the International Association of Privacy Professionals KnowledgeNet in Columbus, Ohio. Mr. Munur graduated from Capital University law school (J.D., magna cum laude) and is admitted to the Ohio bar. He also graduated from Ohio Wesleyan University (B.A. cum laude). Jason Montgomery is a principal at New Power Security, Inc. (NPS), a security firm focused on securing critical infrastructure and also contracts as a Cyber Security Architect/Engineer at American Electric Power (AEP). He focuses on Software & Application Security programs for the enterprise which evolved out of 15 years of real world application development experience and Information Security work. Jason's 15-year career expands beyond development experience including application building for Fortune 500 companies, Internet Start-ups, as well as State and Federal Government organizations including the Department of Defense. His concentrations also incorporate server and system hardening, providing security guidance for developers, penetration testing of software and hardware, and mitigation strategies and have also designed and programmed custom enterprise applications. Jason is a SANS Author and Instructor with SANS Institute and has also served on the GIAC Secure Software Programmer (GSSP) Steering Committee which produced a GIAC Certification for Secure Programming in .NET. Jay Jacobs – Cyber Crime Based on forensic evidence collected while investigating some of the largest data breaches in history, Jay Jacobs will present a rare view into the world of corporate cybercrime. Over the last six years, the RISK Intelligence team has investigated and compiled data on over 1300 confirmed breaches. They have helped agencies like the U.S. Secret Service identify and prosecute criminals from all over the world. Their research has been used by thousands of organizations to evaluate and improve their security program. The presentation will discuss the evolution of cybercrime and delve into the people, methods, and motives that drive it today. Jay Jacobs is a Principal with Verizon’s RISK Intelligence team. Jay is a co-founder of the Society of Information Risk Analysts (societyinforisk.org) and currently serves on their board of directors. Jay is one of the primary developers on the OpenPERT project (an open-source Excel plug-in for risk analysis), He is also a blogger, a published author and a co-host on the Risk Hose podcast. Jerod Brennen- Information Security Management 101: The Fundamentals Information security professionals interact with every facet of the business, and the information security manager is expected to demonstrate the proverbial “mile wide, inch deep” understanding of all things security-related. With the global marketplace continually expanding, the information security manager is expected to know (and do) more than ever before. How in the world (pun intended) will you able to cover all the necessary bases without burning out or losing your mind? This presentation will teach you how to do more with less by implementing and maintaining an ISO-based information security program. Whether you’ve been managing a security team for years, been managing a security team for days, or aspire to manage a security team in the near future, this presentation will give you the tools and knowledge you need to be successful in any organization. By day, Jerod (@slandail) is CTO & Principal Security Consultant with Jacadis, an award-winning security solutions and services provider. By night, he’s a husband, father, writer, filmmaker, martial artist, and social media junkie. Jerod has over a decade of IT, infosec, and compliance experience. He spent years as an Information Security Specialist with American Electric Power before moving to Abercrombie & Fitch. At A&F, Jerod built out and managed the information security program. His team was tasked with security operations, PCI and SOX compliance, and identity and access management. His approach to infosec has two key tenets: don't be afraid to void warranties, and you shouldn't need to bypass security to get your work done. http://about.me/slandail Lisa Hodkinson-Vice President, Information Risk Management, Nationwide Insurance Lisa Hodkinson is vice president of Information Risk Management at Nationwide, an organization ranked 108 on the Fortune 500. One of the largest insurance and financial services organizations in the U.S., Nationwide is the sixth largest property and casualty insurer with over 16 million policies in force, and is the number one provider of defined contribution plans. Lisa joined Nationwide as a programmer and has held many technical and information technology (IT) leadership positions throughout Nationwide’s insurance and financial services businesses. Her current responsibilities include enterprise leadership and strategic planning for the development, implementation and execution of Nationwide’s information risk management program. This program includes policy, procedures and technologies for Security, Continuity Management, Compliance and Cyber Investigation/Forensics capabilities. Lisa is the primary IT liaison to Enterprise Risk Management, Office of Compliance and Internal Audit. Lisa leads the Information Risk Management Governance Leadership Team and is a member of the enterprise Operational Risk Committee. Lisa earned a Bachelor of Science in Computer Science and Business Administration from The Ohio State University and an MBA in Finance from the University of Dayton. Lisa is a member of Beta Gamma Sigma (business honorary society). Lisa is leading the Cyber-Security School Challenge, sponsored by the Executive Women’s Forum, where Security professionals from Nationwide visit schools and community programs to educate children of all ages on how to stay safe on-line, prevent cyber-bullying, etc. Lisa is a past board member of the Capital Area Humane Society, served as a Big Sister with Big Brothers Big Sisters of Central Ohio, served as an advisor to the Delaware Area Career Center technology program, led the 2005 United Way Campaign for Nationwide Financial and served as an Operation Feed Captain for Nationwide Insurance. Lisa currently serves on the St. Stevan church board and is President of the women’s fellowship. Lisa enjoys breeding, owning and racing standard bred horses as her hobby. Lisa Peterson- Vendor Risk: Do You Feel Lucky? Well, DO You? How secure is your data? That depends in part on the vendors with whom you are sharing it, and how secure THEY are. Also on what practices you require them to implement to keep your data secure. Learn best practices to rate vendor risk, assess vendor security, and what to do to ensure the security of your assets once you’ve given access to your vendors. Lisa Peterson CISA, CISSP has worked in Information Security for 20 years, and is a Security Analyst for Progressive Insurance. Her current focus is in governance, risk and compliance. She is also a part-time instructor for Information Security courses at Cleveland State University, and teaches as a SANS Mentor. She is a member of InfraGard and ISACA; and serves on the board for the Information Security Summit and for the Northeast Ohio chapter of ISACA. Mick Douglas- Mo data? Mo problems! Do you run find yourself drowning in the explosive growth in data, logs, and other sources of information? People simply are not able to keep up -- or are we? This talk will focus on using "smart stats" and other innovative data visualization tools. Various tools and techniques will be discussed, culminating in the use of a Microsoft kinect to explore and interact with relationships inside data cubes. ** Note this talk will require the use of a Microsoft Kinect (I will provide) which will require about 10 minutes of setup time prior to the start of the presentation. While Mick enjoys and actively participates in penetration testing, his true passion is defense -- tweaking existing networks, systems, and applications to keep the bad guys out. In addition to his technical work, Mick jumps at every chance to participate in a social engineering engagement. Mick has a bachelor's degree from The Ohio State University in Communications. In his spare time, you'll likely find him fleeing all things electronic by scuba diving, trying in vain to improve his photography skills, and either hiking or camping. Phil Grimes is a Security Analyst for MicroSolved, Inc. MSI is a leading provider of application security assessments and penetration testing. Since 1992, they have been providing security services to organizations ranging from small businesses, financial institutions, ecommerce/telecommunications, manufacturing, education and government agencies, as well as international corporations. Mr. Grimes started learning networking and Internet security as a hobby from AOL in 1996 and has developed his technical skill set independently until joining the MicroSolved Team in 2009. He is experienced in: application security, penetration testing, mobile/SmartPhone security, and social engineering. He performs assessments for high profile customers internationally and is an accomplished speaker and presenter for MSI's "State of the Threat" webinars, CUISPA conferences, the Central Ohio WordPress Podcamp, the Ohio Society of CPA's, and ISSA groups. Rob Rachwald- The Anatomy of A Hacktivist Attack In 2011, Imperva managed to witness an assault by a hacktivist group, including the use of social media for communications and, most importantly, their attack methods. Since hacktivist’s targets are highly variable, anyone can fall victim and security professionals need to know how to prepare. This talk will walk through the key stages of an hacktivist campaign, including: 1. Recruitment and communication: We show how hacktivists leverage social networks to recruit its members and pick a target. 2. Application attack: We detail and sequence the steps hacktivists deploy to take data and bring down websites. 3. DDoS: In this final stage, we shed light on the DDoS techniques deployed to take down websites. Rob is Imperva’s Director of Security Strategy. In this role, Rob researches and analyzes hacking trends as well as data security from a business perspective. In the past, Rob worked in the early days of ecommerce at Intel, helping to secure the chip maker’s procurement and supply chain system into one of the largest—and secure—online transaction systems worldwide. At Intel, Rob also built a secure document delivery system for chip designs. More recently, Rob then managed marketing and research for code analysis firms Coverity and Fortify Software. He is a graduate of UC Berkeley and has an MBA from Vanderbilt University. Rohyt Belani- Spear Phishing: The truth behind Night Dragon, Aurora, and APT This presentation will discuss the evolution of phishing from being a means of stealing user identities to becoming a mainstay of organized crime. Today, phishing is a key component in a "hackers" repertoire. It has been used to hijack online brokerage accounts to aid pump n' dump stock scams, compromise government networks, sabotage defense contracts, steal proprietary information on oil contracts worth billions, and break into the world's largest technology companies to compromise their intellectual property. During this talk, I will present the techniques used by attackers to execute these attacks, and real-world cases that my team have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS and Carnegie Mellon University. Rohyt Belani is CEO and co-founder of PhishMe, and Adjunct Professor at Carnegie Mellon University. Prior to starting the PhishMe, Mr. Belani has held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone and Researcher at the US-CERT. He is a contributing author for Osborne's Hack Notes - Network Security, as well as Addison Wesley's Extrusion Detection: Security Monitoring for Internal Intrusions. Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, SecTOR, Hack in the Box, Infosec World, TechnoSecurity, CPM, ISSA meetings, and several forums catering to the FBI, US Secret Service, and US Military. He has written technical articles and columns for online publications like Securityfocus and SC magazine, and has been interviewed for CNBC, CNN, BBC Radio, Forbes magazine, eWeek, ComputerWorld, TechNewsWorld, InformationWeek, Information Today, IndustryWeek, E-Commerce Times, SmartMoney, and Hacker Japan. Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. Steve Ocepek- The Cloud is here to stay, but like any new technology it has its own unique set of security concerns. The obvious ones -- easier access to data, transfer of data to third parties -- have been fairly well covered, but as this solution matures we're finding surprising issues that urge an even more cautious approach. This presentation includes real-world findings uncovered by Trustwave's Incident Response and Application Security teams that remind us that The Cloud changes everything, especially when things go wrong. In addition we'll take a hard look at Cloud infrastructures themselves, their potential weak points, and discuss strategies for choosing a secure Cloud provider. An innovative network security expert with an entrepreneurial spirit, Steve Ocepek has been a driving force in pioneering Network Access Control (NAC) technologies delivering comprehensive endpoint control for mitigation of zero attacks, policy enforcement, and access management, for which he has been awarded 4 patents with 1 patent pending. Steve co-founded Wholepoint Corporation in 2001, serving as chief technology officer of a five person operation in a garage, where he invented patented network security software and devices which played a key role in positioning the company for mergers with multimillion dollar Mirage Networks in 2004 and Trustwave in 2008. He has been asked to remain, post-mergers, serving as a senior software consultant and senior security consultant, and is currently the director of security research. With a reputation for preventing, intercepting, and resolving malicious attacks from malware, viruses, and worms, Steve has provided consultative testing, and made recommendations for remediation for Fortune 500 and government enterprises in financial, credit card processing, educational, healthcare, and high-tech industries. His testing of network penetration, use of Network Access Control (NAC), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Web Application Firewalls (WAF), Network Firewalls, and Encryption Solutions enable him to advise on new countermeasures improving security, saving clients millions of dollars in losses of intellectual property, client data, customer confidence, and litigation costs. Steve has led the growth of SpiderLabs Security Research Department from 7 to 13 researchers on three teams, more than doubling services providing solutions to meet the needs of clients worldwide in identifying, preventing, and solving network security threats and problems. He is known as a trusted resource and problem solver by chief information officers, directors of security, chief technical officers, chief operating officers, chief executive officers, and military and national security leaders. Tom Eston-The Android vs. Apple iOS Security Showdown Android and Apple mobile devices have taken the market by storm. Not only are they being used by consumers but they are now being used for critical functions in businesses, hospitals and more. This trend is expected to continue with the popularity of mobile devices such as tablets well into the future. In this presentation we put Android up against Apple iOS to determine which, if any, are ready for enterprise use. Once and for all we battle the Apple App Store vs. Android Marketplace, device updates, developer controls, security features and the current slew of vulnerabilities for both devices. Which platform will emerge the victor? You might find that while the "tech is hot" the implementation and built in security controls are usually “not". Tom Eston is the Manager of the Profiling and Penetration Team at SecureState. Tom leads a team of highly skilled penetration testers that provide attack and penetration testing services for SecureState’s clients. Tom focuses much of his research on new technologies such as social media and mobile devices. He develops and improves penetration testing methodologies and works to align them with industry standards. He is also the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is a security blogger, co-host of the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups and national conferences including Black Hat USA, DEFCON, DerbyCon, Notacon, OWASP AppSec and ShmooCon. Tom Kellermann-Chief Technology Officer-“Laying Siege to Castles in the Sky: Defense in depth in 2012”. My presentation will depict the evolution of hacker tactics and the appropriate policies and technologies to manage cyber risk. Tom Kellermann is a Commissioner on The Commission on Cyber Security for the 44th Presidency, and he serves on the board of the International Cyber Security Protection Alliance. In addition, Tom is a member of the National Board of Information Security Examiners Panel for Penetration Testing, the Information Technology Sector Coordinating Council, and the ITISAC subcommittee on International Cyber security policy. Tom is a Professor at American University's School of International Service and is a Certified Information Security Manager (CISM). Finally, Tom sits on the steering Committee of the Financial Coalition Against Child Pornography. Tom Kellermann formerly held the position of Vice President of Security Strategy for Core Security. Prior to his five years with Core Security, Tom was the Senior Data Risk Management Specialist the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and policy management within the World Bank Treasury. In this role, Tom regularly advised central banks around the world about their cyber-risk posture and layered security architectures. Along with Thomas Glaessner and Valerie McNevin, he co-authored the book "Esafety and Soundness: Securing Finance in a New Age." Troy Vennon- Mobile Malware: The Rising Tide of Risk Once targeted mainly at Nokia Symbian-based mobile devices, mobile malware has grown at a rapid rate over the past few years with the rise of smartphones and tablets. And not only is the number of threats growing, but they are showing signs of increasing sophistication and maturity, and adopting new methods of attack. Join this session to hear the results of a recent report that highlighted the trends and examples of mobile malware and other threats to mobile devices, as well as predictions for 2012. The session will conclude with strategies and actions that MIS departments can take to protect their corporate networks as well as users’ mobile devices.