Gunnar Porada, EX-HACKER and Senior IT-Security Consultant, Germany/Switzerland
How to hack the fingerprints in EU passports and US visa requests?
How could several bank accounts be hacked?
“…shows live how to attack the biometric fingerprint as it’s used in millions of EU passports and US visas. Additionally shows how a web server could be hacked just with the web browser.”
The presentation will be on the first day of the conference, 19th of November, 2009.
Sasa Aksentijevic, Saipem Croatia (ENI), Croatia
Intricacies of integral security in upstream oil and gas sector
In this lecture, special emphasis will be given to the project nature of the upstream oil and gas sector, which poses challenges to a structured integral security function. The main traits of such projects are execution in difficult areas under erratic conditions, constantly changing project hierarchies and matrix structures, the need to balance capex and opex expenditures between business units and project cost centres, and fast-track projects. The major factors contributing to disaster recovery, business continuity and technical security measures will be outlined, together with a proposal for creating a consistent integral security model and an explanation of the role of the CSO (Chief Security Officer) and its proper positioning within the organization's structure.
Forensic computer crime proceedings of ICT court experts and legislative requirements - Croatian experience
The procedure of forensic computer investigation in criminal and other legal proceedings before a court of law will be explained in detail, along with the roles of the police, the investigation centre, the court and the judge in charge, and their relation to the activities of the ICT court expert. Furthermore, the new legislation regulating the work of court experts, passed in the summer of 2008, which also provides for the involvement of ICT court experts from the EU, will be explained, together with details of the education path and the major difficulties and problems ICT court experts experience in their daily work.
Daniel J Blander, Infosecuritylab Inc., California, USA
Security Governance - current trends in management and oversight
The evolution of Security and Risk Management has progressed considerably since the days when a “Firewall” was considered Security. Today’s trends involve a greater focus on Risk Management as a corporate function that extends well beyond computers and IT, reaching into the Board Room and into business operations, and that is inclusive in its needs. This talk will discuss new models of governance and oversight, new roles that have been taken up by Chief Security Officers, how the process of inclusion has raised awareness of and participation in the Security and Risk Management process, and how new operational models have strengthened companies’ resilience.
The talk will discuss new models of governance that include stakeholders from multiple areas of the business, approaches to awareness that create higher levels of participation and success, methods to improve efficiencies in security operations, and organizational structures that include key risk management personnel in the process.
How to Promote Security Awareness at Your Company
You have tried to convince management that Security Awareness is important but they do not seem to listen, and your budget is always being cut. How do you overcome these problems? Is Security Awareness important? What can you do to make your company Security Aware?
This presentation will discuss different techniques and approaches to help you succeed in convincing management that Security Awareness should be an important part of your Information Security Management System. It will discuss ways to overcome the objections and hurdles you face in establishing your program. It will also teach you ways to make your Security Awareness program a success with your employees.
Leveraging Managed Security Services for Cost and Operational Efficiency
Imagine: Your security team is available to design new controls and to work with your development teams on security requirements, and can still provide twenty-four-hour-a-day monitoring of your network and systems security.
Imagine: Your security team can go on holiday, and you still feel secure.
Managed Security Services will allow you to maintain a key element of your Information Security Management System – your ability to detect, analyze and respond to security incidents. Like an armed guard at your gate, this service helps protect you by monitoring and analyzing logs, firewalls and intrusion detection systems twenty-four hours a day, three hundred sixty-five days a year. The service also analyzes and prioritizes incidents for you through advanced correlation techniques, and provides a periodic report of incidents and potential weaknesses. It delivers these capabilities at a cost significantly lower than that of maintaining a twenty-four-hour-a-day security team, and frees your exhausted security team from the tedious and time-consuming task of log analysis and reporting.
During this talk we will show examples of how this service works, what types of information and reporting you would see, and examples of how this service has saved time and money for companies around the world.
Alexandru Gherman, IBM Internet Security Systems, Romania
Security management - ISMS - ISO 27001: Why implement? How to prepare for and sustain a successful audit of the implementation
Some day we may all need to comply with ISO 27001, the Information Security Management System standard. What are the advantages of a good implementation of such an information security management system, and what will auditors look for when you call them in to register your certification?
I'll be presenting, easily and concisely, all the mandatory requirements we will need to fulfil in order to pursue a certification, putting all the pieces of the puzzle together.
In Hacking - latest threats, stats, and an ethical hacking show
Presenting the latest trends in threats and attacks, statistics on the most widespread attacks, and the techniques recently tried in order to reach users. At the end, live exploits will be presented from the black-hat point of view, along with how network/host controls could prevent these attacks from happening.
Also of interest, we'll see how to implement a virtual honeypot lab in order to analyze and monitor malware behavior.
Zubair Khan, Tranchulas, Pakistan
Biometrics and Privacy Invasion
Biometric authentication systems solve some of the problems with passwords by using physical biological features of a person to identify them (e.g., fingerprint, eye/retina scan, facial recognition, etc.).
This talk will explain security mechanisms in biometric systems. The speaker will discuss security problems in different biometrics and identify why biometrics are not a fool-proof solution to reduce identity theft. At the end we'll demonstrate some of the discussed attacks.
Most people believe that gaining unauthorized access to a computer system is an entirely technical matter. But exploiting weaknesses in human nature often helps an attacker to bypass well-planned security measures.
In this talk we will discuss how to identify and combat social engineering attacks. We’ll also talk about the psychology of different people in an organization and how it impacts security, and take a look at how social engineering facilitates industrial espionage.
Kjell Kalmelid, Expert in Awareness Raising, European Network and Information Security Agency (ENISA), EU
The ENISA Awareness Raising Community
The AR Community is a subscription-free community open to experts with an interest in raising information security awareness within their organisations. Launched in February 2008, the AR Community is designed to engage with the Awareness Raising (AR) Section of ENISA in its mission to foster a culture of information security, with the aim of supporting the section in its activities.
At the same time, adding value for members is of course an important goal. So far, the creation of the AR Community has proved a success in this respect both for ENISA and for its members. The outcomes and activities of the AR Community will be presented in more detail.
Sanjin Turic, Zira Ltd., Bosnia and Herzegovina
Regional IT Security awareness (Bosnian experience)
In times like these, when cyberspace is part of our everyday lives, IT security is becoming more and more important, not just for enterprises but also for small and medium businesses and for individuals.
When you ask your management for a budget share for security, don't you get the same answer over and over: "We have our firewall, it is enough!" or "No one will attack us, we are not interesting to hackers!"? This is the way people in the region look at IT security, until an attack becomes reality and money is lost.
In this presentation, we will talk about ways to raise the IT Security awareness in companies, how to show possible impacts of low security levels, how to convert those impacts into cost statistics, and how to find the best cost/efficiency relation within the security budget.
Secure infrastructure design
When it comes to infrastructure design, most implementations fail on security. Designing an IT infrastructure does not just mean "let's design it to make it work"; it means more than that. An IT infrastructure has to be functional in the first place, but there are many considerations to take into account when designing it:
"How scalable, how fast and how stable will my infrastructure design be? How do I implement security and still keep all the benefits of a fast, scalable and stable infrastructure?"
In this presentation we will talk about everything to be considered while designing a secure infrastructure that is fast, scalable, efficient and, most important, secure.
Richard Mayall, Acuity Risk Management LLP, United Kingdom
Operational Risk – Measuring and reporting on risk across your business
Richard will look at how organisations can address the need to report effectively to senior management in a variety of operational risk areas, including corporate risks, information security risks, project and programme risks, health and safety, quality, etc.
This presentation is subtitled ‘Providing senior executives with the information that they need...’ Richard will explain how in terms of general business reporting, senior executives ARE generally provided with the key information that they need in order to make top-level decisions, and for top-level assurance purposes. However, this is so often NOT the case with operational risk areas such as Information Security!
Richard will show how the variety of data available on risk and compliance management can be practically aggregated and presented more effectively, so that senior management is better informed and better assured.
Information Security Management Systems – What REALLY are the key components of an effective Enterprise Assurance Management system?
An Information Security Management System provides the ‘Assurance’ framework to identify and appropriately secure organisational information assets from security breaches/incidents of confidentiality, integrity and availability.
Many organisations establish an ISMS to become compliant with ISO 27001, the International Standard for Information Security Management.
However, many more are looking simply to:
- Identify their key information assets...the many forms taken by such information and the requirements for protection
- Understand their critical information processing ‘infrastructure’...comprising info systems and networks, internal/external services, physical environments, personnel and third parties
- Assess the key risks to information and supporting infrastructure...using a simple risk management process and risk assessment scheme which is meaningful to the business
- Identify and deploy relevant controls and Standards that both provide an assurance framework and also help to mitigate the key information security risks
- Plan and implement required improvements to controls, to mitigate information security risks
- Provide meaningful risk and controls based reports to meet the needs of senior managers, auditors and other stakeholders.
In this presentation, Richard will highlight the key components of any Assurance Management System, and how these components need to integrate to achieve a complete and effective approach.
To illustrate the important assurance concepts, Richard will use examples from Acuity’s Enterprise Assurance Management solution STREAM. See http://www.acuityrm.com/what-is-STREAM.php
Dave Venman, Sourcefire, England
How to slow down the security treadmill
Keeping up with the bad guys has become a full-time job when it comes to security. Every day new vulnerabilities are reported, and even if your IPS solution is up to date, how do you protect against the 0-day, the virus or the worm that strikes? This presentation will outline some of the basic problems with any IPS, and how they might be addressed to keep your organisation's IPS as effective as possible without having to devote inordinate amounts of resources to keeping it up to date and properly managed.