SPEAKERS AT THE INFOSEK 2009 CONFERENCE
Besides domestic experts, we will also host foreign European speakers, experts in the field of information security.
Gunnar Porada, EX-HACKER and Senior IT-Security Consultant, Germany/Switzerland
KEYNOTE SPEAKER
How to hack the fingerprints in EU passports and US visa requests?
How could several bank accounts be hacked?
“…shows live how to attack the biometric fingerprint as it is used in millions of EU passports and US visas. Additionally shows how a web server could be hacked just with the web browser.”
The lecture will be held on the first day of the conference, 19 November 2009.
CV Gunnar Porada
Sasa Aksentijevic, Saipem Croatia (ENI), Croatia
Intricacies of integral security in upstream oil and gas sector
In this lecture, special emphasis will be given to the project nature of the upstream oil and gas sector, which poses challenges to a structured integral security function. The main traits of such projects are execution in difficult areas under erratic conditions, constantly changing project hierarchies and matrix structures, the need to balance capex and opex expenditure of business units and project cost centres, and fast-track projects. The major factors contributing to disaster recovery, business continuity and technical security activities will be outlined, with a proposal for creating a consistent integral security model and an explanation of the role of the CSO (Chief Security Officer) and its proper positioning within the organization's structure.
Forensic computer crime proceedings of ICT court experts and legislative requirements - Croatian experience
The procedure of forensic computer investigation in criminal and other legal proceedings before a court of law will be explained in detail, along with the roles of the police, the investigation centre, the court and the judge in charge, and their relation to the activities of ICT court experts. Furthermore, new legislation regulating the work of court experts, passed in the summer of 2008, which also provides for the involvement of ICT court experts from the EU, will be explained, along with details of the education path and the major difficulties and problems ICT court experts experience in their daily work.
Daniel J Blander, Infosecuritylab Inc., California, USA
Security Governance - current trends in management and oversight
The evolution of Security and Risk Management has progressed considerably since the days when a “Firewall” was considered Security. Today’s trends involve a greater focus on Risk Management as a corporate function that extends well beyond computers and IT, reaches into the Board Room and into business operations, and is inclusive in its needs. This talk will discuss new models of governance and oversight, new roles that have been taken up by Chief Security Officers, how the process of inclusion has raised awareness and participation in the Security and Risk Management process, and how new operational models have strengthened companies’ resilience.
The talk will discuss new models of governance that include stakeholders from multiple areas of the business, approaches to awareness that create higher levels of participation and success, methods to improve efficiencies in security operations, and organizational structures that include key risk management personnel in the process.
How to Promote Security Awareness at Your Company
You have tried to convince management that Security Awareness is important but they do not seem to listen, and your budget is always being cut. How do you overcome these problems? Is Security Awareness important? What can you do to make your company Security Aware?
This presentation will discuss different techniques and approaches to help you succeed in convincing management that Security Awareness should be an important part of your Information Security Management System. It will discuss ways to overcome the objections and hurdles you face in establishing your program. It will also teach you ways to make your Security Awareness program a success with your employees.
Leveraging Managed Security Services for Cost and Operational Efficiency
Imagine: Your security team is available to design new controls, work with your development teams to develop security requirements, and can still provide twenty-four hour a day monitoring of your network and systems security.
Imagine: Your security team can go on holiday, and you still feel secure.
Managed Security Services will allow you to maintain a key element of your Information Security Management System – your ability to detect, analyze and respond to security incidents. Like an armed guard at your gate, this service helps protect you by monitoring and analyzing logs, firewalls and intrusion detection systems twenty-four hours a day, three hundred sixty-five days a year. The service also analyzes and prioritizes incidents for you through advanced correlation techniques, and provides a periodic report of incidents and potential weaknesses. This service provides these capabilities at a cost that is significantly less than the cost of maintaining a twenty-four-hour-a-day security team, and frees your exhausted security team from the tedious and time-consuming task of log analysis and reporting.
During this talk we will show examples of how this service works, what types of information and reporting you would see, and examples of how this service has saved time and money for companies around the world.
Alexandru Gherman, IBM Internet Security Systems, Romania
Security management - ISMS - ISO 27001: Why implement? How to prepare to sustain a successful audit implementation
Some day we may all need to comply with ISO 27001 - Information Security Management System. What would be the advantages of a good implementation of such an information security management system, and what would auditors look for when you call them to register your certification?
I'll be presenting, easily and concisely, all the necessary mandatory requirements we will need to fulfil in order to pursue certification, putting all the pieces of the puzzle together.
In Hacking - latest threats, stats, and an ethical hacking show
Presenting the latest trends in threats and attacks, statistics about the most widespread attacks, and techniques recently tried in order to reach users. At the end, live exploits will be presented from the black-hat point of view, along with how network/host controls could prevent these attacks from happening.
It will also be very interesting to see how to implement a virtual honeypot lab in order to analyze and monitor malware behavior.
CV Alexandru Gherman
Zubair Khan, Tranchulas, Pakistan
Biometrics and Privacy Invasion
Biometric authentication systems solve some of the problems with passwords by using physical biological features of a person to identify them (e.g., fingerprint, eye/retina scan, facial recognition, etc.).
This talk will explain security mechanisms in biometric systems. The speaker will discuss security problems in different biometrics and identify why biometrics are not a fool-proof solution to reduce identity theft. At the end we'll demonstrate some of the discussed attacks.
Social Engineering
Most people believe that gaining unauthorized access to a computer system is entirely technical. But exploiting vulnerabilities in human nature often helps an attacker to bypass well-planned security measures.
In this talk we will discuss how to identify and combat social engineering attacks. We’ll also talk about the psychology of different people in an organization and how it impacts security. We’ll also take a look at how social engineering facilitates industrial espionage.
Kjell Kalmelid, Expert in Awareness Raising, European Network and Information Security Agency (ENISA), EU
The ENISA Awareness Raising Community
The AR Community is a subscription-free community open to experts who have an interest in engaging in raising information security awareness within their organisations. The AR Community was launched in February 2008 and is designed to engage with the AR Section of ENISA in its mission to foster a culture of information security, with the aim of supporting the section in its activities.
At the same time, adding value to members is of course an important goal. Up to now, the creation of the AR Community has proved to be a success in this respect both for ENISA and for the members. The outcomes and activities of the AR Community will be presented in more detail.
CV Kjell Kalmelid
Sanjin Turic, Zira Ltd., Bosnia and Hercegovina
Regional IT Security awareness (Bosnian experience)
In times like these, when cyberspace is part of our everyday lives, IT security is becoming more and more important, not just for enterprises but for small and medium businesses, and also for individuals.
When you ask your management for a budget share for security, don't you get the same answer over and over: "We have our firewall, it is enough!" or "No one will attack us, we are not interesting to hackers!"? This is the way people look at IT security in the region, until an attack becomes reality and money is lost.
In this presentation, we will talk about ways to raise the IT Security awareness in companies, how to show possible impacts of low security levels, how to convert those impacts into cost statistics, and how to find the best cost/efficiency relation within the security budget.
Secure infrastructure design
When it comes to infrastructure design, most implementations fail on security. Designing an IT infrastructure does not just mean "Let's just design it to make it work"; it means more than that. An IT infrastructure has to be functional in the first place, but there are many considerations to be taken into account when designing it:
"How scalable, how fast and how stable will my infrastructure design be? How do I implement security and still have all the benefits of a fast, scalable and stable infrastructure?"
In this presentation we will talk about everything to be considered while designing a secure infrastructure that is fast, scalable, efficient and, most importantly, secure.
Richard Mayall, Acuity Risk Management LLP, United Kingdom
Operational Risk – Measuring and reporting on risk across your business
Richard will look at how organisations can address the need to report effectively to senior management in a variety of operational risk areas, including corporate risks, information security risks, project and programme risks, health and safety, quality, etc.
This presentation is subtitled ‘Providing senior executives with the information that they need...’ Richard will explain how in terms of general business reporting, senior executives ARE generally provided with the key information that they need in order to make top-level decisions, and for top-level assurance purposes. However, this is so often NOT the case with operational risk areas such as Information Security!
Richard will show how the variety of data available on risk and compliance management can be practically aggregated and presented more effectively, so that senior management is better informed and better assured.
Information Security Management Systems – What REALLY are the key components of an effective Enterprise Assurance Management system?
An Information Security Management System provides the ‘Assurance’ framework to identify and appropriately secure organisational information assets from security breaches/incidents of confidentiality, integrity and availability.
Many organisations establish an ISMS to become compliant with ISO 27001, the International Standard for Information Security Management.
However, many more are looking simply to:
- Identify their key information assets...the many forms taken by such information and the requirements for protection
- Understand their critical information processing ‘infrastructure’...comprising info systems and networks, internal/external services, physical environments, personnel and third parties
- Assess the key risks to information and supporting infrastructure...using a simple risk management process and risk assessment scheme which is meaningful to the business
- Identify and deploy relevant controls and Standards that both provide an assurance framework and also help to mitigate the key information security risks
- Plan and implement required improvements to controls, to mitigate information security risks
- Provide meaningful risk and controls based reports to meet the needs of senior managers, auditors and other stakeholders.
In this presentation, Richard will highlight the key components of any Assurance Management System, and how these components need to integrate to achieve a complete and effective approach.
To illustrate the important assurance concepts, Richard will use examples from Acuity’s Enterprise Assurance Management solution STREAM. See http://www.acuityrm.com/what-is-STREAM.php
Dave Venman, Sourcefire, England
How to slow down the security treadmill
Keeping up with the bad guys has become a full-time job when it comes to security. Every day, new vulnerabilities are reported, and even if your IPS solution is up to date, how do you protect against the 0-day, the virus or the worm that strikes? This presentation will outline some of the basic problems with any IPS, and how they might be addressed to keep your organisation's IPS as effective as possible without having to provide inordinate amounts of resource to keep it up to date and properly managed.
Matej Saksida, S&T Slovenija d.d.
Hidden risks of cloud computing and concrete answers to them
The latest Gartner forecast points to an evolution of business that will be brought about by cloud computing, much as e-business did some time ago.
Regardless of the fact that cloud computing brings companies numerous business advantages, its information security is still at the level of Windows from 1999, which of course should not be neglected. Why not? How do Slovenian companies see cloud computing? What future awaits it?
You will be able to learn all this in the lecture, where we will particularly highlight the four most prominent vulnerabilities of cloud computing and give recommendations on how to reduce the risks to an acceptable level; at the same time we will present the S&T Slovenija solution as an answer to the challenges and vulnerabilities of modern cloud computing.
Martin Umek, Banka Slovenije
Information security, standards and compliance
The lecture will present the importance of compliance with information security standards and the practical experience that Banka Slovenije gained during certification to the ISO 27001 standard.
Klemen Mišič, Informacijski pooblaščenec (Information Commissioner)
Electronic monitoring of employees' work
May superiors read employees' e-mail, review access to websites and lists of incoming and outgoing calls? Do employees have a right to privacy in the workplace, and may they use company resources for private purposes? What is the legal regulation of these questions, and what is the practice? In the lecture we will try to find a balance between the interests of employees and employers, and between the right to privacy and the right to property.
Damjan Novak, Banka Slovenije
External security review – Why and How!
The lecture will first be devoted to finding the answer to why an external security review should be performed at all, and to all the preparations before deciding on one. Then some points to watch out for when selecting the provider of the security review will be presented, together with practical experience gained as a customer of security reviews.
Janja Jedlovčnik, Nova ljubljanska banka d.d.
Implementation and control of internal rules for e-archiving - a practical example from a larger bank
The lecture presents how NLB d.d. approached the challenge of electronic archiving, from the preparation of internal rules to the implementation of the archive itself. NLB uses two central e-archives: one was developed by its own IT department, while for the other NLB d.d. acts as a user of an external provider's services.
Jan Žorž, go6.si
Can "invisible" IPv6 traffic be a security threat to our private network?
What can happen to us if we are not aware of, and do not know how to manage, IPv6 traffic in our IPv4 local networks? In most cases conventional firewalls do not detect IPv6 tunnels at all, and suddenly our company's internal network may be wide open, left at the mercy of anyone who would like to look into it. The lecture will shed light on the so far insufficiently addressed and rather little-known security problems that often appear in private networks due to ignorance of the issue and of the IPv6 protocol, and on how to avoid these pitfalls.
Janko Šavnik, Hypo Alpe-Adria-Bank d.d.
Professional and lawful forensic response to a security incident - theory and practice
In the lecture we will learn what is needed so that, in the event of a security incident, computer forensic procedures in an organization are carried out professionally and lawfully. Standards and legislation are becoming ever more demanding, so transferring them from theory into practice is demanding both in content and technically, but it is not impossible, despite the reservations of some who believe that computer forensic procedures cannot be carried out this way. As proof and support of the claim that professional and lawful forensics is possible, appropriate examples will be presented.
Matjaž Katarinčič, Smart Com d.o.o.
Standards in the field of information security, their importance and solutions
Today's networks are becoming ever more complex and include hardware from different manufacturers. The question arises of how to monitor and verify security in such a network, especially when the number of events generated by devices exceeds human capacity for analysis.
In the lecture you will find answers on how to ensure compliance with security standards, how to easily check and extract the most important events you encounter daily, and what measures to protect the network need to be taken in the event of possible threats.
Gregor Brezar, Nova ljubljanska banka d.d.
BCP testing at NLB d.d., Ljubljana - Preparation and execution of BCP testing in the Vault and Cash Supply Sector
At NLB d.d., Ljubljana we have been preparing and carrying out BCP tests since 2007. BCP testing in the Vault and Cash Supply Sector is a considerable undertaking from both a security and a logistical point of view. In the lecture we will present the course of the preparations and the execution of the test itself.
Nejc Škoberne, Viris d.o.o. and Luka Manojlovič
DNS hacking, Google hacking and some other hacking
Did you know that 25% of the largest Slovenian companies have so-called "zone transfer" enabled for their internet domains? Have you read that the "DNS cache poisoning" method has recently become popular again? Do you even know that the web servers of Slovenian companies still contain many an interesting piece of information that is not exactly of a public nature? If you are interested in the consequences of the facts listed above, which relate primarily to the Slovenian space, do not miss this lecture.
Tine Kejžar and Gašper Krajnik, Evertec Technology d.o.o.
Comprehensive security event management in complex IT environments
Comprehensive security event management makes it possible to meet compliance requirements of regulations such as PCI, SOX, HIPAA, etc., which is especially important for the financial sector. An automated process needs to be built for the efficient identification of all accesses and events that are not compliant with the agreed (prescribed) security policy and controls.
When you are faced with an intrusion or abuse, you want to know who, what and when it happened - and immediately, so that you can act in time.