Rooms: Speaker Room A | Speaker Room B | Speaker Room C | Speaker Room D | Keynote Hall | Lunch Room

7:00  Registration, Exhibition, and Breakfast Buffet
      CAPTURE THE FLAG | LOCKPICK VILLAGE | LOCKPICK CHALLENGE
8:30  Keynote Speaker: Marc Hoit – University Campus: A Microcosm of the Future
9:20  Exhibition
9:30  Keynote Speaker: Tom Limoncelli – You Suck At Time Management (but it ain’t your fault!)
10:20 Exhibition and Tom Limoncelli Book Signing

Morning tracks: Room A – Governance, Risk & Compliance; Room B – Professional Development; Room C – Data and Endpoint Security; Room D – Physical Security; Keynote Hall – Diamond Sponsor Sessions

10:30
      Room A: Srini Kolathur – How to Secure DB Infra Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
      Room B: Beth Wood – Leading By Example / Building Effective Teams
      Room C: Ron Stamboly – Authentication of Personal Mobile Devices
      Room D: Jon Welborn – Introduction to Lockpicking
      Keynote Hall: Oracle Presentation (Diamond Sponsor Session)
11:20 Exhibition
11:30
      Room A: Sandy Bacik – Building a Lasting IT GRC Policy Architecture
      Room B: Garion Bunn – Winning in Business and Life
      Room C: Michael Sutton – Corporate Espionage for Dummies
      Room D: Jon Welborn – High Security Locks
      Keynote Hall: Hans Enders (HP Fortify) – Reinventing Dynamic Testing: Real-Time Hybrid
12:15 Lunch Buffet and Exhibition

Afternoon tracks: Room A – Penetration Testing / SNA; Room B – Cloud and Virtual Security; Room C – Security Strategy and Architecture; Room D – Applications and Development; Keynote Hall – Diamond Sponsor Sessions

1:30
      Room A: Ryan Linn – Progression of a Hack
      Room B: Ron Stamboly – Managing Risk, Liability and Compliance in the Cloud
      Room C: Jim Murphy – Information Security Doesn’t Just “Happen”!
      Room D: Steve McKinney – Enabling the Business with Security Metrics
      Keynote Hall: David Duncan – Key Trends in Removable Device Security
2:15  Exhibition and Ryan Linn Book Signing
2:30
      Room A: Matt Cooley – Web Application Social Engineering Vulnerabilities
      Room B: Mark Hinkle – Crash Course on Open Source Cloud Computing
      Room C: Jonathan Norman – Anatomy of an Attack
      Room D: Phillip Griffin – Making Fat Messages Available: Binary XML Encoding
      Keynote Hall: Dwayne Melançon, Shahab Nayyer, Steve McKinney
3:30  Keynote Speaker: Lenny Zeltser – Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses
4:20  Exhibition
4:30  Announce Winners of Lockpick Challenge and Capture the Flag (Keynote Hall)
5:00  Chapter and Sponsor Giveaways, must be present to win (Keynote Hall)

OCTOBER 20, 2011
TRIANGLE INFOSECON • OCTOBER 20, 2011
WELCOME
The Raleigh ISSA Chapter welcomes you to the seventh annual Triangle InfoSeCon. We are very pleased you joined us today. Our conference goal: offer you a convenient way to learn more about the state of Information Systems Security (ISS) today, right here in central North Carolina. Our selected speakers offer you a balanced and broad program. The Raleigh ISSA Chapter especially thanks all the speakers and our conference sponsors, without whom this event is not possible. Please visit our sponsors in the exhibit area to learn about the latest in ISS products and services. Enjoy the conference. Please fill out the feedback forms. Your response is important. We strive to improve each year.
McKimmon Center InfoSecon Conference Layout (not to scale)
This conference is brought to you by the Raleigh Chapter of the Information Systems Security Association. The ISSA is an international professional organization aimed at providing educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. The Raleigh Chapter became an official ISSA chapter in February 2003. We meet on the first Thursday of every month at the McKimmon Center on the campus of NC State University. You can find out more about the chapter at http://raleigh.issa.org. If you would like to get on our announcements email list, please
New This Year! Lockpick Village: Stop by the Lockpick Village and try your hand at picking various locks, from handcuffs to padlocks, door locks and more. Sponsored by the FALE Association of Locksport Enthusiasts (FALE), there will be games, demonstrations, and hands-on workshops for attendees to learn, play and share their experiences. Lockpick sets will be available for purchase for $20.
Capture the Flag: Think you have 1337 skilz? Stop by the Capture the Flag event and prove it! Pit your hacking skills against the server, collecting as many flags as you can. Each participant will be scored based on the number of flags captured within the time limit. The winner will be announced at the end of the conference.
Don’t forget to turn in your feedback forms! Conference drawings are made from completed, returned conference feedback forms, which require at least 12 sponsor “stamps” and your legible name to be eligible. Sponsor door prizes and give-aways are drawn directly from attendees' collected business cards. All drawings are at 5:00 pm and you must be present to win.
KEYNOTE SPEAKERS
9:30 Tom Limoncelli, Time Management Guru, Author, Blogger, and System Administrator
Tom is an internationally recognized author, speaker, and system administrator. His books include The Practice of System and Network Administration (Addison-Wesley) and Time Management for System Administrators (O'Reilly). He received the SAGE 2005 Outstanding Achievement Award. He works in NYC and blogs at TomOnTime and EverythingSysadmin.com.
Keynote Topic: You Suck At Time Management (but it ain't your fault!)
So much to do! So little time! Security people are pulled in so many directions it is impressive anything gets done at all. The bad news is that if you work in security then good time management is basically impossible. The good news is that it isn't your fault. Tom will explore many of the causes and will offer solutions based on his book, “Time Management for System Administrators” (now translated into 5 languages).
8:30 Marc Hoit, Vice Chancellor for IT and CIO, North Carolina State University
Marc Hoit is the Vice Chancellor for Information Technology and the Chief Information Officer (CIO) for North Carolina State University (NCSU) in Raleigh, North Carolina. He began his role as the Vice Chancellor for Information Technology in September 2008. Since arriving, he has worked to develop an IT Governance Structure, Strategic Operating Plan and launched a number of key foundational projects that will improve efficiency and effectiveness of IT on campus. He previously held numerous administrative positions at the University of Florida including Interim CIO, Director of Student PeopleSoft Implementation, the Associate Dean for Academic Affairs Administration and the Associate Dean for Research in the College of Engineering. He is a Professor in the Civil, Construction and Environmental Engineering Department. He received his B.S. from Purdue University and his M.S. and Ph.D. from University of California, Berkeley. Dr. Hoit is the Co-Principal Investigator, along with Chapel Hill and SAS, for the North Carolina Bio-Preparedness Collaborative (NCB-Prepared) Grant from the Department of Homeland Security (DHS) and the development of DIGGS, an international XML schema for transferring transportation information. His structural engineering research involves the computer program, FB-MultiPier, which analyzes bridge pier, superstructure and pile foundations subjected to dynamic loading.
Keynote Topic: University Campus: A Microcosm of the Future
Dr. Hoit will present how a university campus is a petri dish for innovation, future trends and disruption for IT and how it affects services, purchasing and planning.
GOVERNANCE, RISK, & COMPLIANCE
10:30 (A) How to Secure Database Infrastructure Using Best Practices for Risk Mitigation, Compliance, Audit and Assessment
Srini Kolathur, Vinay Bansal, & Jim Tarantinos
Srini Kolathur, CISSP, CISA, CISM, MBA is a result-driven IT project manager with Cisco Systems. Srini has several years of experience in helping companies effectively comply with regulatory compliance requirements including SOX, PCI, HIPAA, etc. Srini believes in and advocates a best practices-based security and compliance program to achieve business objectives. Srini also maintains a free collaborative web portal for managing IT best practices and audit plans at Checklist20.com.
Abstract: IT governance and strategy are critical to an organization's success. Key to the risk assessment and audit plan process is breaking down the IT universe into smaller, more manageable sub-components. Databases play a major role in the increasingly complex global business processes and IT universe. A best practice-based assessment to evaluate risks uses an 80-20 rule. This allows organizations to eliminate all the low-hanging fruit by leveraging expertise from around the world and helps them quickly achieve their desired business objectives at the optimum cost. We will specifically focus on how to leverage database best practices for building effective risk assessment approaches and to build audit plans to comply with different compliance programs including SOX, HIPAA, PCI-DSS and EU data privacy.
11:30 (A) Building a Lasting IT GRC Policy Architecture
Sandy Bacik
compliance, Standard Operating Policies/Procedures, and Data Center Operations and Management, with an additional 15 years in Information Technology Operations.
Abstract: With industries moving toward a governance and risk culture, the IT and enterprise policy architecture needs to be updated to align with the enterprise goals of IT Governance. Some may discover that they have all the pieces spread throughout the current organization, but do not know how to proceed to ensure their IT and security policies and processes fit into their enterprise governance architecture.
PROFESSIONAL DEVELOPMENT
10:30 (B) Leading By Example / Building Effective Teams
Beth Wood, North Carolina State Auditor
North Carolina State Auditor Beth A. Wood, CPA, is serving her first term as the state’s elected auditor after more than a decade of service in training and research for the office. As Training Director for the Office of State Auditor, Beth developed and taught audit courses for the auditor’s staff, concentrating on the areas of Single Audit, internal control and sampling. She also coordinated the State Auditor’s Quality Control Review and provided research of audit and reporting issues for the audit staff. She began working with state government in 1993 with the Local Government Commission (a division of the Office of the State Treasurer). In that position, she reviewed and approved audits of local governments prepared by private CPA firms. Prior to her work with state government, Beth worked as a cost accountant for Ray-O-Vac Corporation for three years. She also supervised audits of local governments and not-for-profit organizations for McGladrey and Pullen CPAs, a national CPA firm. Beth left the Office of the State Auditor in 2007 as she began her campaign to become the first woman elected to the post. While seeking office, she also taught a variety of courses for the American Institute of Certified Public Accountants (AICPA) and worked in the institute’s Professional Ethics Division investigating alleged substandard audits around the country.
Abstract: Moving from a purely technical role to management is very challenging for most IT people. Most people do not like giving up the hands-on technical work and they also tend to be more independent. This discussion will deal with particular challenges faced when moving into a managerial role and will answer questions such as: How can leaders learn to assess the strengths of their team members and use them to get the team working as one unit rather than a bunch of lone rangers? How can they deal with jealousy and backstabbing from those not promoted? How can they anticipate senior management's and the organization's needs and ensure the team is truly fulfilling the mission?
11:30 (B) Winning in Business and Life
Garion Bunn
Garion Bunn is an award-winning speaker and workshop facilitator who is a self-driven, results-oriented cultivator of human potential. His purpose is to inspire, educate and empower people and organizations around the globe. His success strategy is to continually seek new ways to add value through seminars and workshops that are leadership centric. Garion is an empathic communicator and listener.
Garion believes that effective leadership skills are the most powerful tools in the current day workplace and marketplace. Leadership excellence is the fast track up the corporate ladder. Garion helps professionals who want the zest, energy and power to deliver with passion and purpose.
Abstract: Are you ready for the competition? This keynote focuses on stirring your enthusiasm and sense of purpose in daily life. An excited, focused individual is ready to take on the challenges and triumph in today's fast-paced market. Develop knowledge and skills that will significantly increase your personal effectiveness and ability to successfully interact and lead others. This session covers many diverse and critically important business, interpersonal, and leadership topics.
DATA AND ENDPOINT SECURITY
10:30 (C) Authentication of Personal Mobile Devices as Part of an Overall Enterprise Authentication Strategy
Ron Stamboly, SafeNet; Co-author Maureen Kolb
Mr. Stamboly joined SafeNet in 1996 as a Senior Sales Engineer responsible for technical presales and sales support for the entire sales cycle, from evaluation to installation. Mr. Stamboly's area of expertise includes hardware and audit, and encryption. Currently, Mr. Stamboly focuses on supporting the sales of SafeNet's Information Lifecycle Protection and Cloud computing environments, most specifically driving SafeNet's market share in cloud computing security and virtualized environments: securing and controlling access to cloud applications, along with encrypting virtual volumes and instances. Mr. Stamboly has over 17 years of experience in the data protection, telecommunications and networking equipment industries. Additionally, Mr. Stamboly has extensive experience with networking hardware along with TCP/IP. Mr. Stamboly graduated summa cum laude with a Bachelor's Degree in Telecommunication from The State University of New York Institute of Technology and also graduated summa cum laude with a Master's Degree from Pace University in Telecommunications.
Abstract: IT departments are facing challenges from many users wanting to use their mobile device to access sensitive corporate information. Clearly, the risk posed by these scenarios is great. The key issue confronting security staff is management: ensuring only trusted devices can access corporate resources, contending with lost devices, managing security policies, and enabling and monitoring access. Finally, IT organizations need to establish visibility and control over what assets can be accessed by and saved onto those devices. This presentation will discuss implementing unified authentication schemes, security policies and credentials for employee-owned endpoint devices, helping organizations to enable their workforce while reducing IT management and administration resources, as well as show how organizations can centrally and consistently manage all authentication requirements for local networks, VPNs, SaaS applications, and virtualized environments.
11:30 (C) Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
Michael Sutton
Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers, and educating others on a variety of security topics. As Vice President of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry. Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing, and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles, and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.
Abstract: Today, everything from television sets to photocopiers have an IP address and an embedded web server (EWS) for device administration. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. Leveraging the power of cloud based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a ‘wifi enabled’ device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target rich environment for years to come.
PHYSICAL SECURITY
10:30 (D) Introduction to Lockpicking
Jon Welborn
Jon Welborn is a penetration tester and a co-founder of the FALE Association of Locksport Enthusiasts. FALE came together around a shared general curiosity and persuasion of the public’s “right to know”. FALE meets regularly in the Winston-Salem, NC area and hosts lockpicking villages at various security conferences around the country. http://lockfale.com
Abstract: You've locks on your network closet and secure document bin. Great. What if I can open them in 30 seconds or less? Learn the basics about how a lock works and how to compromise commonly used locks. This information isn’t complicated in the least, but in this talk we set out to remove the often practiced “security by obscurity” approach to physical security.
11:30 (D) High Security Locks
Jon Welborn
Abstract: Great locks are not difficult to come by. This talk will discuss various components of a quality lock as well as several manufacturers of high-caliber locks. We will discuss specific makes and models of locks that may be beneficial in your environments. If nothing else, this talk will open the door to the idea that you shouldn’t have to lean on your local hardware store to meet your physical security needs.
10:30 ORACLE PRESENTATION
DIAMOND SPONSOR SESSION (Keynote Hall)
Mark your calendars for the Eighth Annual Triangle InfoSeCon to be held on Thursday, October 18, 2012 at the McKimmon Center. Keynote speakers: Chris Nickerson - Lead Security Consultant for Lares Consulting, and Stan Waddell - Executive Director and Information Security Officer, University of North Carolina (UNC) Information Technology Services (ITS).
11:30 HP / FORTIFY: Reinventing Dynamic Testing: Real-Time Hybrid
Hans Enders, HP Fortify
DIAMOND SPONSOR SESSION (Keynote Hall)
Hans Enders is a Sr. Solutions Architect for HP Fortify. In his current role, Hans is responsible for demonstrating web application security software and providing solutions to prospective clients for HP Software’s Application Security Center. He has more than 14 years of experience in network administration and security, with the most recent 7 years focusing on web application security testing and software support. Hans acquired the CISSP in 2004 and most recently completed the CISM certification in 2011. Hans is an active member of ISSA, ISACA, OWASP, and a past member of InfraGard of Georgia. Hans has a Bachelor of Science degree in Industrial & Systems Engineering from North Carolina State University and is moderately fluent in Spanish. Outside of his professional career, Hans also enjoys participating with CERT (Community Emergency Response Team) and being a Cub Scout leader.
Abstract: Over the years, two key techniques have emerged as the most effective for finding security vulnerabilities in software: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). While DAST and SAST each possess unique strengths, the "Holy Grail" of security testing is thought to be "hybrid" -- a technique that combines and correlates the results from both testing methods, maximizing the advantages of each. Until recently, however, a critical element has been missing from first generation hybrid solutions: information about the inner workings and behavior of applications undergoing DAST and SAST analysis.
This presentation will introduce you to the next generation of hybrid security analysis — what it is, how it works, and the benefits it offers. It will also address (and dispel) the claims against hybrid, and leave participants with a clear understanding of how the new generation of hybrid will enable organizations to resolve their most critical software security issues faster and more cost-effectively than any other available analysis technology.
1:30 (A) Progression of a Hack
Ryan Linn, Trustwave's SpiderLabs
Ryan Linn is a Senior Security Consultant with Trustwave’s SpiderLabs who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit, Dradis and the Browser Exploitation Framework (BeEF).
Abstract: So you have a firewall, AV, IDS, patch management and more. Nobody is getting in. Somehow Fake-AV and malware still rear their ugly heads from time to time, but things feel pretty safe. Others in this same situation are still making the news. This talk will look at how a single foothold can lead to the opening story on the evening news. We will look at how a motivated attacker can compromise a patched Windows box, escalate privileges on a domain, and get to the data. As each demonstration shows the techniques, we'll talk about mitigation strategies and what steps you can take to avoid being a headline.
2:30 (A) Web Application Social Engineering Vulnerabilities
Matt Cooley, Symantec
CONFERENCE COMMITTEE
This Conference is only made possible by the incredible efforts of the committee. On behalf of the chapter, sponsors, speakers, and attendees, thank you!
SPONSORS
The Raleigh ISSA Chapter thanks all of our conference sponsors for their support: