2017 Phoenix Security & Audit Conference

Agenda


    • Ballroom Bonus
    • 9:45 AM  -  10:45 AM
      Beyond Ransomware: Impactful Trends
      Ballroom
      WannaCry and Petya were simply the tip of the iceberg and make good news fodder. The real impactful trends are beyond today's headline-grabbing ransomware attacks. This presentation will present a number of upcoming, impactful trends that organizations of all sizes should be aware of and prepared for.
      11:00 AM  -  12:00 PM
      Pitfalls of PCI
      Ballroom

      For organizations that process, store, and transmit cardholder data, the security of that information needs to be one of their top concerns. PCI compliance has many barriers to overcome, but there is a short list of pitfalls that can add unnecessary cost and time to any PCI assessment. Based on DirectDefense’s experience helping clients meet and maintain PCI compliance, the key to PCI success is to address major pitfalls early in the assessment process.

      This talk will cover the common mistakes and pitfalls in a PCI compliance assessment and address the steps to accurately avoid loss of time and money by managing PCI scope, legal liability, fines, loss of business and branding.

      3:00 PM  -  4:00 PM
      Dark Web Tutorial: How to Use the Dark Web to Enable Proactive Security
      Ballroom

      The Dark Web is a critical resource to help security teams move from a reactive to a proactive posture. Recently, IntSights examined how dark web forums focused on recruiting and collaborating insiders. Though our findings focused on insider threats, our method highlights how examining the Dark Web has become a crucial part of implementing proactive security. In this talk, security researcher Tom will go through:

      • Methods and techniques to uncover critical intelligence to reduce enterprise risk.
      • How to extract intelligence from Dark Web using OSINT WebINT tools and methodologies.
      • How security teams can use threat intelligence to incorporate proactive controls.

      Leveraging this, the approach:

      • Infiltrates the cyberthreat underworld to detect and analyze planned or potential attacks and threats that are specific to our partners.
      • Provides advance warning and customized insight concerning potential cyber attacks, including recommended steps to avoid or withstand the attacks.
      • Delivers in-depth analysis of cyberthreats originating from in-house sources, third-party sources or threat actors.

    • Cyber Warfare Range
    • 9:45 AM  -  10:45 AM
      Arizona Cyber Security Atmosphere
      Primrose
      What does the Cyber Security atmosphere look like in Arizona? How is it different from other states? Which Cyber Security resources make Arizona unique? Changes, expansions, and movements to make Arizona the Nation's Capital for Cyber Security and to make Cyber the 6th C of Arizona.
      11:00 AM  -  12:00 PM
      ISSA PHX and the AZCWR – a powerful combination for disruption
      Primrose

      This talk will show how your chapter can engage all segments of the Cyber Security Career Lifecycle® to build the workforce in your community to be better prepared, more broadly experienced, and ready to face the ever-increasing challenges in Cyber by using the Arizona Cyber Warfare Range (AZCWR) as a model.

      The AZCWR was founded in 2014 with a specific mission: Build the critical skill sets of the local workforce using a “live-fire” environment in areas of Computer Network Defense (CND), Computer Network Attack (CNA), Forensics, and Incident Response.

      3:00 PM  -  4:00 PM
      Open Session Q&A - Open Lab
      Primrose
      Open Session Q&A - Open Lab

    • Data Analytics
    • 9:45 AM  -  10:45 AM
      The IT Risk Environment & Data Analytics
      Chia
      This session will present participants with the types of IT risks that can be addressed with data analytics. Participants will gain an understanding of the costs associated with allowing such risks to go unaddressed. Various types of data analytics tests will be demonstrated using desktop DA applications.
      11:00 AM  -  12:00 PM
      Big Data, UEBA, and the Future of SIEM
      Chia
      Like the IDS wave that started in 1998, the SIEM wave that began in 2003 has crested. A new one has begun. At the same time, the world of Information Technology has run far ahead of Information Security, into the Cloud. Traditional Information Security has been left behind, puzzled and disconnected from the new realities of business unbound. In this talk, we will discuss Cloud as a business phenomenon and how it relates to security. We will deal in some depth with how the transition to cloud has affected how, and what, we attempt to monitor and control in our worlds.
      1:45 PM  -  2:45 PM
      Next Generation Intrusion Detection Systems
      Chia
      Intrusion Detection Systems (IDS) rely on a variety of machine learning techniques, drawing from a variety of domain expertise, data analytics, and real-time algorithms. However, Advanced Persistent Threats (APT) are currently creating new and highly-sophisticated attack vectors requiring an IDS to go well-beyond anomaly detection and other machine learning techniques. Discussed will be the state of academia and industry machine-learning-based IDSs, as well as non-probabilistic IDS techniques for identifying APTs. Also discussed are examples of APT attacks on machine learning algorithms in the context of Governance, Risk, and Compliance (GRC), as consumer-facing algorithms become more and more probabilistic.
      3:00 PM  -  4:00 PM
      Securing Your Container Workflows
      Chia

      Application Development and Delivery is going through a Revolution. Development and Operations (DevOps) are working together and embracing Continuous Integration and Continuous Development (CI/CD). Containers are here to stay and the proliferation of container adoption is pervasive. Are Containers secure? How do you secure this fast-paced environment? How do you ensure you're not building security holes into your applications? How do I know if my team is even using containers?

      In our time together, we will go over what containers are, a brief history of containers, the anatomy of a container and then transition into detection of containers, securing the container host, auditing the cloud and securing the containers themselves.


    • General
    • 8:30 AM  -  9:30 AM
      The Use of OSINT to Identify the Weak Link and Help Mitigate Risks
      Ballroom
      This talk will be an overview of researching techniques utilizing online and open-source databases located on the web. It will cover techniques in locating actionable intelligence and 'hidden' information on a subject's web presence as well as searching social media platforms to identify tweets and Instagram photos and their geo-location. This class is not only for investigative purposes but also to demonstrate the ability to identify information that can be used for social engineering.
      12:40 PM  -  1:30 PM
      Lunch Keynote - Good (to Bad) to Great - Building (and keeping!) a World Class Audit Organization
      Ballroom
      While the case study is an audit shop, this discussion about organizational transformation is applicable to risk, compliance, and security professionals. With much fanfare, the US House of Representatives established an Office of Inspector General as part of its governance and oversight reforms in its Contract with America. Fast forward ten years to 2004: the office suffered from low employee morale, was disconnected from key stakeholders, and was not prepared for the challenges of the 21st Century. Join the Honorable Theresa Grafenstine as she discusses the key ingredients for (re)building and maintaining a highly effective audit organization. She will provide a proven strategy for developing high-performing teams, providing value-added products, expanding internal audit’s influence, strengthening relationships with key stakeholders, and developing the next generation of leaders.

    • Governance, Risk, & Compliance
    • 9:45 AM  -  10:45 AM
      Managing a Major Governance Change Initiative
      Desert Star

      Managing a Major Governance Change Initiative: Implementing New Critical Infrastructure Protection Standards across the North American Electrical Grid

      This study examines challenges, cultural changes, organizational structure changes, and resource allocation involved with a major organizational change initiative by multiple electrical sector participants, including utilities, consultants, and regulatory bodies through two surveys implemented in August 2015 and September 2016. The presentation will provide an integrated view of the transition to the new CIP Standards as well as post-implementation reflections by the study participants. The research carried out for this study focused on the implementation of new Critical Infrastructure Protection [CIP] Standards in the North American electrical grid and examined the perspectives of industry participants, consultants, and regulatory and audit personnel. The lessons learned relative to managing a major organizational change initiative associated with Governance, Risk, and Compliance can cross industry sector boundaries and be applied to any major change initiative.

      11:00 AM  -  12:00 PM
      Compliance in the Cloud
      Desert Star

      Over 97% of organizations have some of their operations in the cloud. As companies move more and more workloads into places like AWS and Azure, it is inevitable that compliance must move to the cloud as well. However, compliance in the cloud is not the same as on-premise. In some ways, compliance in the cloud is simpler than on-premise. Yet, many of the compliance practices in use on-premise do not translate into cloud environments. In this presentation, we will explore the challenges of building compliant cloud environments. We will discuss common mistakes, myths, and misunderstandings. We will also lay out a clear process to make cloud environments compliant. Additionally, we will demonstrate how you can accelerate compliance using cloud services, such as key management and directory services.

      Topics Covered: (1) the challenges of compliance in the cloud, (2) myths of cloud compliance, and (3) building compliant clouds.

      Intended Audience: IT Leadership, information security officers (ISO), compliance staff, internal auditors, and GRC practitioners

      Takeaways: Attendees will learn the following from this presentation:

      • The differences between on-premise and cloud compliance
      • How cloud providers, like AWS, can accelerate compliance
      • Strategies for building compliant, and secure, cloud environments
      1:45 PM  -  2:45 PM
      Resiliency & Risk Management
      Desert Star
      A value chain is the set of activities an organization performs in order to deliver a product or service for the market. Business resiliency is those strategies, plans and actions to enable the organization to carry out those activities under all circumstances. Both concepts are interdependent in theory but not always in practice. There are many reasons, but the most overlooked include misdirected goals, inconsistent prioritization, the maturity of the organization and readiness to operationalize resiliency, and ineffective risk management. Attend this session to understand how business resiliency can be used to drive real worth across the value chain.
      3:00 PM  -  4:00 PM
      Risk v Threat: Threat Intelligence Exposed
      Desert Star
      Threat Intelligence is a murky area for information security. While it's important to have, it seems like everyone struggles with how to do it the right way. This session will walk through some ideas about the differences between risks and threats, how that definition can help build your threat intelligence program, and how to best size your program to fit your organization's needs.

    • Hackers & Threats
    • 9:45 AM  -  10:45 AM
      Asymmetric Attacks Mandate a Credible Cybersecurity Program
      Ocotillo

      Each mission critical system, such as a database or Web application server, may have over 100,000 vulnerabilities that may be exploited. A typical cyber vulnerability assessment discovers over 10% unique open vulnerabilities that can compromise the asset assessed. It takes just one exploit for Cyber Risk = Disruptive Business Risk! Today this translates to a seven- or eight-figure compliance or breach risk!

      The threat to business today from cyber-attacks is asymmetric. Attack surfaces are increasing. The combination of IoT + DDoS cyberattacks will challenge even the best of security defenses.

      To ensure enterprises address this asymmetric threat, businesses must implement a credible cybersecurity program. The focus of this brief is to examine core elements of an enterprise cybersecurity program. The objective is for attendees to have an actionable checklist to assess and develop a credible cybersecurity program.

      From this brief, you will:

      • Walk through five core areas of a cybersecurity program
      • Review elements of a credible cybersecurity plan
      • Identify key cybersecurity policies
      • Examine seven critical steps for establishing a comprehensive cybersecurity program
      11:00 AM  -  12:00 PM
      Dark Web Presentation
      Ocotillo

      We will be covering a range of topics regarding the dark web, including:

      • Defining - WWW, Deep Web, The Dark Web
      • WWW Sites of Interest
      • Credit Card Fraud in the Open
      • Anonymizers - Proxies, VPNs, TOR
      • TOR Hidden Services
      • GRAMS – The evil Google
      • Dark Markets - Drugs, Guns, Malware, Oh my…
      • Hands On Demonstration (Time Permitting)
      • BitCoin
      • Scams
      1:45 PM  -  2:45 PM
      No Need to WannaCry, When You Have NSA Tools in Your Pocket!
      Ocotillo
      This presentation will go through the analysis of the NSA toolkit released by the Shadow Brokers, the WannaCry ransomware campaign, and finally end with a demonstration of exploiting a vulnerable system leveraging the NSA zero-day EternalBlue exploit.
      3:00 PM  -  4:00 PM
      Threat Hunting and How Attackers Evade Network Detection
      Ocotillo
      This session will cover real world examples of how attackers attempt to evade network detection systems and blend in with normal corporate Internet traffic. Additionally, we’ll discuss mitigation strategies to stay one step ahead and detect targeted attackers operating in your network.

    • Hot Topics
    • 9:45 AM  -  10:45 AM
      Blockchain and Smart Contracts: Hype vs. Reality
      Larkspur
      Some people believe that the technology most likely to have the greatest impact on business, government and the larger society over the next 20 years is the technology that underlies digital currency, like bitcoin. This technology is called blockchain. While there may be some truth as to blockchain’s enormous potential, we also need to recognize the hype vs. reality with potential blockchain applications. In this session, we’ll review some big modern day problems that blockchain applications are currently working to solve. In addition, we’ll review the potential for the use of smart contracts in commerce and the current legal challenges with using them.
      11:00 AM  -  12:00 PM
      It's Time to Start Testing the Internet of Things
      Larkspur
      The world of the Internet of Things (IoT) keeps growing. Soon IoT will be ubiquitous, and so will its hacks, if we don’t change the way we look at IoT now. Would you buy a device that explodes once every 100 times it is used? Of course not, so why accept the same device if it is susceptible to being hacked at the same rate? Using TUV’s unique DICE methodology one can determine what needs to be addressed in an IoT device and how much effort needs to be performed to secure the device. Security and Safety testing are being blended into one program to secure an Internet that is going to grow 6x the number of currently connected devices overnight. Find out how the industry is (or should be) responding to this well understood but difficult threat.
      1:45 PM  -  2:45 PM
      The Rise of BISO (Business Information Security Office)
      Larkspur
      The very existence of information security is to protect the BUSINESS! When the information security organization and professionals lose focus on this key objective, we become irrelevant. BISO is our solution to stay relevant by understanding what the business needs and mapping it to what information security can offer. This session will focus on the what, why and how of the BISO. Join me to check out why information security cannot stop at just identifying vulnerabilities or encrypting PII (personally identifiable information) but needs to also increase business value while at it.
      3:00 PM  -  4:00 PM
      Artificial Intelligence in Public Safety: Privacy & Security
      Axon is pioneering the use of Artificial Intelligence in public safety. The potential benefits to public safety organizations and citizens is tremendous. But there are also new security & privacy considerations, including the responsibility to ensure the public interests are served, and these powerful capabilities are not used to erode our freedoms. Come hear how Axon is addressing these thorny issues head-on, while changing the face of public safety.

    • Info Sec
    • 9:45 AM  -  10:45 AM
      Identity and Access Management – Implications for Cloud Based Computing
      Brittlebush
      Identity and Access Management continues to plague most companies. Cloud computing further complicates an already complex challenge. This presentation will identify the key risks associated with access and the unique challenges companies deal with when faced with utilizing cloud based services. We then look at some alternatives to addressing these challenges.
      11:00 AM  -  12:00 PM
      IT and Cyber Apprenticeships: Preparing Employers|Preparing Apprentices
      Brittlebush
      The cyber security workforce shortage and how to address it: Apprenticeships aren’t just for the Trades anymore. We will discuss the state of cyber/IT skills workforce, federal government cyber apprenticeships updates, current activities of the Employer Engagement Administration, and the need for hands on experience plus certifications.
      1:45 PM  -  2:45 PM
      Using Agile to Secure an Agile Software Development Lifecycle (SDLC)
      Brittlebush
      Participants will learn how to implement the "Build Security In" principle within the Agile/Scrum development paradigm. Using agile techniques to build processes and tools that are used with each sprint, evolving the security of the application with each step of the development process.
      3:00 PM  -  4:00 PM
      Law of Requisite Diversity & Discussion Panel
      Brittlebush

      The ability of a team to thoroughly solve a problem is related to the combined total wisdom and experience of the team members. Modern software design requires diverse teams to solve problems of the scale we are now facing.

      • Nature does not use monocultures; they are too fragile. No forest or other eco-system is a monoculture; they are all filled with organisms filling specific niches for redundancy and robustness. We have already seen the cost of monocultures in agricultural settings with various blights and resulting famines.
      • In software, we are trying not just to solve the problem at hand, but the largest possible number of variations of this problem. This is a task too big for a single individual. See the Therac-25 post-mortem as support.
      • The more diversity on your team, the more thoroughly problems can be examined. The more thoroughly they are examined, the more complete the finished product or solution.
      • Diversity is more than just gender or race; it includes socio-economic backgrounds, age, field of research, nationality, locality, etc.

    • IT Audit
    • 9:45 AM  -  10:45 AM
      Auditing the Identity Access Management Unicorn
      Golden Poppy

      For most of us in the information security world, Identity Access Management (IAM) has always been a magical, even unachievable, concept striving to provide “the right individuals access to the right resources at the right times.” IAM tools promise integrated and holistic security management capabilities including: automated provisioning and revocation of access, linkage to user certification processes, password management, policy enforcement, compliance reporting, and analytics. It literally sounds too good to be true. While this promise is enticing, organizations also find it overwhelming and complex to implement. But once IAM is successfully implemented, the access management paradigm changes completely.

      The audit of access management must change to be relevant in this changed security paradigm. Processes that were once disjointed and manual will now be integrated and automated, which should change the design of your audit significantly. Instead of performing a series of substantive audit procedures over access approvals, user access certification, employee terminations, and password policies, you should find yourself testing the IAM application controls, IAM configuration and workflow, and the integration of HR systems, directory services, and managed resources. You may even find data analytics from the IAM system are more useful than substantive tests of details.

      This session will be designed to help the attendee create and execute a new access management audit approach. It will help you focus on key system controls you will need to understand and test, legacy audit tests you may want to retire, and analytics you may want to create and monitor. If your organization has implemented the IAM unicorn, this learning session will prepare you to audit it.

      11:00 AM  -  12:00 PM
      Deploying Windows Advanced Auditing – Deploying One Incident Responder’s Wish List of Events
      Golden Poppy
      As an incident responder, I’ve found it to be rare that the victim organization has taken advantage of Windows Advanced Auditing. This functionality was introduced by Microsoft with Server 2008 R2 and Windows 7, and increased the security auditing policy settings from nine to 53. Deploying this policy provides immediate insight into such useful information as process creation and termination, outbound connections to IP addresses by process, targeted monitoring of sensitive files, and command line logging. This presentation will cover a brief history of Windows security auditing, how to take advantage of Windows Advanced Auditing, event IDs of particular interest, and sample group policy objects (GPOs) for deployment to client workstations, member servers, and domain controllers.
      1:45 PM  -  2:45 PM
      Transitioning from ITGC Audits to Cybersecurity Audits
      Golden Poppy
      IT General Control (ITGC) audits are foundational and Big 4/Internal Audit professionals are usually very well versed in ITGC audits – especially in support of SOX and financial reporting. Today, Boards and senior leadership are much more interested in an organization’s cybersecurity posture and controls rather than ITGC posture and controls (especially at public-companies, where ITGCs should be “table stakes” at this point), where many IT auditors have far less experience. This session will offer insights into how auditors who have spent most of their careers focused on ITGCs and foundational IT controls can effectively transition to perform cybersecurity audits.
      3:00 PM  -  4:00 PM
      Governing Your PCI Garden
      Golden Poppy
      Ensuring your company has the proper scope is the first step of PCI compliance. Navigating and governing your “PCI garden” allows for a proper assessment and inventory of PCI assets.

    • Privacy & Risk
    • 9:45 AM  -  10:45 AM
      Implication of GDPR to US-Based Companies
      Mariposa
      The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). We will cover why companies care about this regulation, what are its risks, and how companies can prepare.
      11:00 AM  -  12:00 PM
      Recent Developments in Privacy Law
      Mariposa
      This presentation will cover recent laws, regulations, enforcement actions, court decisions and current events impacting data privacy. (I don’t want to be too specific now because of the likelihood that the presentation will address items that have not yet occurred).
      1:45 PM  -  2:45 PM
      Talking Cars – a Privacy by Design Case Study 10 Years in the Making
      Mariposa
      Millions of cars with tens of millions of lines of code are already on the road talking to servers and very soon, talking to each other. Clearly a lot can go wrong. Adams’ session will address the trade-off between safety, security and convenience as well as the steps that need be taken by the automotive manufacturers before we can trust our cars in the new IoT ecosystem to deliver the promised benefits of connected services.
      3:00 PM  -  4:00 PM
      IoT Privacy: It's time for the conversation to get real!
      Mariposa
      Since the 1980s, the policy debate around technology and privacy has been transformed. Tectonic shifts in the technical, economic, and policy domains have brought us to a new landscape that is more variegated, more dangerous, and more hopeful than before. We will review real world examples and discuss a wide array of technologies that are achieving mainstream acceptance in such a way that they are jeopardizing privacy. As these technologies come together, we must develop new world policies and procedures to ensure the use of emerging solutions within the boundaries of regulatory best practices and protect privacy.