ISSA CISO Seminar is an intense, three-day security seminar discussing best practices for security management. We will delve into critical skills for security leadership and strategic planning in the corporate environment. Topics of discussion will be tailored to address your specific needs and interests. Registration is limited to provide for an optimal environment for open discussion.
During this event, we will address how to navigate corporate structures and financial and public relations challenges. You will garner the skills to be better prepared when handling communication land mines, budget pitfalls, and shortages in labor and resources. As each challenge is considered, we will explore tactics and strategies to overcome them.
Areas covered in this course include:
- Roles and functions of a CISO
- How a CISO/CISM can best fit in an organization and why
- Defining responsibilities with HR, legal, and the CIO
- How to implement security policies and procedures that are actually meaningful and effective
- What the Board of Directors wants to hear from you
- How to develop a financial strategic plan in a fast-changing technology environment
- Staffing when trained security personnel are limited
- Managing vendor relationships
- The art of communicating during emergencies
- Getting and maintaining executive support for continued success
- How to handle Sarbanes-Oxley Requirements
- How to handle SB1386
- War stories and lessons learned from the front lines
Who Should Attend
- CISOs (Chief Information Security Officers)
- CSOs (Chief Security Officers)
- CISMs (Chief Information Security Managers)
- IT Security Managers
Day 1: Defining Yourself as the CISO
Going Up!
- Where does the CISO fit into the organization best and why?
- Pros and cons of reporting to the :
- Trends in the CISO roles and responsibilities
- How to negotiate the job opportunity
- What is MICP and what do I need to know about it before accepting a CISO role?
- The organizational chart
- Actual responsibilities
Going Down!
- Responsibility overlaps
- Where do the CISO roles and responsibilities overlap with other organizations?
- How to handle those relationships
- Why establish these relationships early
Don't Throw Technology Where Policy Isn't: Policies, Procedures, Standards, Guidelines and Processes
Day 2: Finance for the CISO (or even CIO/CSO)
- Budgets
- Strategic planning and implementation
- "How to Make a 5 Year Strategic Plan when the Technology Changes in 6 Months"
- Staffing: the importance of certification versus hiring to fill
- Vendor relationships
- Mock budget and review
- How to get and keep executive support
Day 3: Responding to "Emergencies" or "How to Communicate When You Really Don't Want To"
Communication
- How to handle the press
- How to handle the "ups" (the members of the Board of Directors)
- How to handle the "downs" (frantic IT admins, regional managers, HR)
- Pre-break announcement of a possible problem that may need your attention
"Goodies"
- Reference URLs
- Links to more information regarding topics covered
- War stories and lessons learned
This class is meant to teach exploitation from the ground up in a way that few other classes do: beginning with a firm grounding in the concepts of computer architecture. This way, exploitation is built on a real understanding of what is taking place, rather than a blind reliance on fuzzing, which leaves a student with little in the way of applicable skills.
Subjects covered in depth include:
- the basics of computer architecture
- assembly
- machine code
- compilation, linker/loader basics
- implementation of the stack
- the fundamentals of function and system call flow
- stack-based exploitation
With this firm grounding in hand, the student can make real use of these skills, quickly applying and learning new and increasingly advanced exploitation techniques in a short period of time.
At the end of the class, the student should be able to:
- Reverse engineer basic programs easily
- Write C from supplied assembly
- Guess how a given C program will be compiled
- Quickly develop exploits for stack-based vulnerabilities from black-box binaries
- Easily trace and debug any program
This class is best suited to those who have no interest in learning script-kiddie scan-and-shoot exploitation, but have a real interest in learning how to find vulnerabilities and write custom exploits.
This is a 101 class and does not require prior exploitation skills. It will be fast-paced, and attendees should be prepared to learn years' worth of knowledge in two days.
Prerequisites: None
Lurene Grenier is a senior security researcher for Sourcefire and is currently working on the Metasploit 3 framework, primarily in the areas of shellcode encoding and exploit development. She has published papers on a variety of topics including C code auditing, frustrating disassemblers, and an early analysis of the unpatched Microsoft RPC memory exhaustion flaw.
Day to day she works heavily with Microsoft products, reverse engineering userland and kernel space binaries for the purpose of vulnerability research and development. Also, she chops.
This two-day, hands-on training course will take the developer / security analyst through the security behind web services. The course will not only explain in detail how the attacks work, but will also give students hands-on experience performing the different attacks, so that they may better understand how they work and, as a result, better protect against them.
The material will cover conventional web attacks, such as Cross Site Scripting, SQL injection, arbitrary command execution, XPath injection, filter evasion and much more... (*cough* 0day *cough*). More advanced topics will jump into other protocols such as XMLRPC and SOAP.
At the end of the two-day training course students will walk away with the knowledge of how various web attacks work, and will be able to better assess application security.
- Web Applications
- SQL Database Servers
- General Python knowledge is beneficial
What to bring:
Who should take this course:
Anyone interested in developing, or auditing web services.
Jose Avila is a security analyst and software engineer based out of Arizona. Currently Jose leads development for UltraDNS's Managed Internal DNS service, and also does security research and training for ONZRA. Prior to joining ONZRA, Jose spent a vast amount of time improving the intelligence and capabilities of web application fuzzers, and giving lectures at various universities hoping to bring security awareness to future developers.
With the growing number of regulations requiring disclosure of compromised information, businesses and their support staff are required to add ever more security-related activities to their daily jobs.
Across the board, regardless of industry, companies that handle credit card information are required to comply with the PCI Data Security Standard. There is a lack of understanding among many companies about how to adhere to these new requirements.
This course will map the Information Security, IT Services and Business functions of your company to the required Payment Card Industry Data Security Standards and Security Audit Procedures / Questionnaires.
This understanding will help you reduce implementation costs and provide you with a list of options and tools for how to develop a compliant business strategy.
This two day course will provide Business & IT solutions through examination of:
Day 1
- What, Why, How of PCI
  - This presentation outlines the history of PCI, what the benefits of compliance are, what the risks of non-compliance are, and how to think about PCI compliance to obtain cost-effective and secure results.
- Business & PCI
  - Legal Liability
    - Legal liability is the number one question on peoples' minds throughout the organization. This presentation outlines a risk model based on likelihood and threat by assigning real dollar amounts to the potential impact. Also discussed will be how to limit liability through third-party relationships and what to include in business contracts.
  - PCI Audit Checklist
    - This presentation outlines PCI from an internal auditor's perspective. It will outline a list of requirements, discuss scoping and sampling, explain compensating controls, and provide a recommended framework from which to perform a successful compliance audit.
  - Project Managing PCI Compliance
    - Compliance can get out of control if not managed properly. This presentation reviews several methods of project management and outlines the best way to track assignments, gather information about cardholder data, and prepare work papers for the auditor.
- Tools to make your staff PCI ready
  - Organizational structure
    - Compliance as a business process, not a yearly scramble. When PCI and other company compliance requirements are built into the business process, the yearly validation of those processes becomes a document and project management task rather than a constant restructuring, and it keeps staff working on their normal tasks (of which the audit / validation is a part) instead of being distracted from normal working procedures.
  - Training: the most common method of educating staff and providing new knowledge to the rest of their team.
  - Budget: properly budget for security operational charges, be it new staff, tools (annual maintenance) or an outsourced provider. Without the proper staff or tools, compliance becomes difficult to manage.
  - Documentation: Policies, Procedures, Operational Checklists, Designs, Approvals, Change Control records and Audit Validation
    - Everyone has policies these days, and PCI is not the only standard that requires them of businesses. How can policies be created that solve business needs and provide compliance with other possible regulatory requirements, while remaining something that is usable (i.e. actually used) by staff and contractors / vendors?
    - What procedures can do to standardize build and operational practices. What procedures are required by PCI. How to map procedures to defined standards.
    - What operational checklists are. How checklists provide validation for PCI and other audits. What minimum requirements checklists must meet for auditors.
  - Tools / Forms / Automation techniques
  - Case Studies
- Security Architecture
  - Network Architecture
    - (What is the scope of the audit? What is the cardholder environment?) Network segmentation can be the most difficult non-requirement there is in PCI. This presentation walks the line and explains what is and is not permitted under PCI. Topics will include VLAN placement, firewall requirements, and remote access methods.
    - Scoping & Sampling
    - Remote access and two-factor requirements
    - Wireless: why it is such a concern, controls and available technology (including case studies)
  - Server Architecture
    - While we could probably have a single security architecture section covering network and servers together, there are many common server items that are addressed by PCI. What are the most common headaches, and which platforms are difficult to monitor or provide security solutions for (mainframe, legacy equipment)?
    - Specific considerations for administering the corporate environment.
    - Virtualized environments, SAN, etc.
Day 2
- Encryption
  - Gartner lists encryption as the most difficult-to-attain requirement of PCI. This presentation explains how organizations big and small leverage different encryption methods to comply with PCI. Discussed topics include: file-level encryption, column-level encryption, key management and rotation, encryption algorithms, and when to use which encryption technique.
  - What needs to be encrypted and what doesn't? Not only programmers and project managers need to be concerned with identifying and protecting data; it is up to everyone to watch for and protect corporate and PCI data appropriately.
  - Key management: why is it so difficult? What needs to be managed, and how can this be accomplished?
- Audit Logging (including FIM/IDS)
  - Audit logging may sound simple and blasé, but it can be complex in large environments. This presentation will outline the requirements and then clarify the intent behind the audit log requirements of PCI. It will also discuss file integrity monitoring, intrusion detection systems, and how to tie them all together.
- Vulnerability Scanning and Penetration Testing
  - Engaging a qualified external scan vendor is a key requirement of PCI. This presentation discusses the compliance differences between scanning and penetration testing, and what you can do to reduce costs and better prepare yourself for this audit. Discussed topics include: scan vendors, internal vs. external scanning, what constitutes a penetration test, and tools for doing your own internal scanning.
- SDLC vs. PABP
  - Companies may have an SDLC process, but they do not always understand the line between PCI and Payment Application Best Practices (PABP). This presentation explains the differences and the key things you need to know about PABP in order to complete your compliance audit. Also discussed is security testing of Internet-facing applications and what future PCI requirements may include.
- Patch Management / Configuration Management
  - Many companies feel constricted by the PCI patch management requirements and never document their configuration management process. This presentation discusses the intent behind the patch management requirements and how to better meet compliance. Discussed topics include: patch and configuration compliance, and proper documentation.
- Panel Discussion / Q & A: people from all levels of the PCI industry
Michael Dahn is known throughout the payment card industry as a thought leader and a subject matter expert. He has performed hundreds of PCI security assessments, worked with Visa and MasterCard on the continued development of the standard, and trained all information security consultants globally who perform PCI audits.
Mr. Dahn created and executed the development and internal rollout of the Discover Information Security Compliance (DISC) program for Discover Card. He also contributes regularly to the continued development of the PCI and payment application guidelines. He has been published in several news articles and TV spots on information security, sits on the national board of directors for InfraGard, and is pursuing a Masters Degree from Norwich University.
David M. Zendzian (dmz) is a Visa Certified Qualified Data Security Professional (QDSP) and a Qualified Payment Application Security Professional (QPASP) with over 15 years of IT and security experience. He has performed security assessments and provided technical and security solutions to companies at all levels of their growth, from startups to established Fortune 50 corporations.
David is a published author and experienced speaker who is acknowledged for his technical, security and business expertise. He has worked within many diverse industries including: Transportation, Financial Services, Health Care, Telecommunication, Internet Services and Software Development.
Mr. Zendzian is an active supporter and developer of Open Source projects. He is currently a Debian developer and creator/developer/contributor to several wireless and security projects including: F.I.R.E. (Forensics & Incident Response Environment, not active), NoCat/AirInter.net (Wireless hotspot & commercial interface) and Carte (Inverse Distance Weighted mapping of wireless networks on satellite images).
Ever wonder how your company's networks and computers look to a would-be intruder? Been doing contract work, but would like to learn a clean, repeatable penetration testing methodology? Unlike a simple assessment, a pen test delivers real evidence of risk without the unsavory impacts of an actual intrusion. It's time to assume the role of the bad guy that your company or customer fears, and see just how far they could get. This hands-on technical class will teach you a clean methodology for performing a network penetration test, from obtaining the permission you need, to getting root, to delivering the report and presentation. It is intended for those with experience in networking, computers, and the basics of good security who need to know where to start.
Bring your own computer with Windows 2000 or better, or Linux kernel 2.6 or better. You will need VMware Server and at least 512 MB of RAM. Pre-built VMware images needed for the class will be provided.
Jonathan Taylor has been performing contract and internal pen tests and security assessments on healthcare and health insurance companies for 8 years. He has competed with Digital Revelation in various hacking competitions since 2001 (there better known as Temtel), and pwnd the prize in 2001 and 2002. The methodology taught is his own, developed over the years.
Wireless LANs have been widely deployed in the past few years, simultaneously introducing an explosion of security issues and unique vulnerabilities, with the majority of available wireless networks not being properly secured.
This comprehensive course offers an up-to-date, in-depth presentation of state-of-the-art Wi-Fi penetration and protection techniques. Wondering how to pentest and assess a Wi-Fi network's security? Wondering how to really secure Wi-Fi access? This mix of theoretical aspects and practice is targeted at those with network knowledge and experience who are eager to fully understand Wi-Fi security. Although not required, technical skills will help you get the most out of this course.
At the end of this two-day training course, students will have gained a complete overview of Wi-Fi security issues, along with sufficient knowledge and know-how to deploy and assess wireless networks.
Equipment needed: you will have to bring your laptop, capable of running your own copy of the BackTrack v1.0 Final CDROM, with a compatible wireless adapter.