2nd Annual IIA/ISACA Hacking Conference
True Security Countermeasures & Internal Audit’s Virtual Vector
Summit West, 500 West Madison Street (Ogilvie Train Station)
Downtown Chicago | Illinois
October 27th & 28th

Welcome!

We welcome you to the 2nd Annual IIA/ISACA Hacking Conference sponsored by the Chicago Chapter of the Institute of Internal Auditors and the Chicago Chapter of ISACA! Today’s session is titled “True Security Countermeasures and Audit’s Virtual Vector”. Our goal was to present a two-day event that contains the most real-world, hands-on application of hacking knowledge and skills that can be applied to the Internal Audit/IT Audit/IT Security world.

By the end of this course, you will have a significantly greater appreciation for the IT security landscape and how it impacts your organization. The combination of professional practice information technology experts and the broad landscape of IT vulnerabilities presented at this conference will increase the operational, financial and IT auditor’s skill sets, helping them not only integrate information technology auditing techniques but also develop awareness of one of the most significant changes in the risk profile of businesses today.

Thank You to Our Sponsors

We would like to warmly thank our sponsors!

Course Outline

DAY 1: Tuesday, October 27, 2015

8:00 – 8:30 Registration and Continental Breakfast

8:30 – 9:20 Cyberthreat Landscape
Eric Brelsford, Special Agent, FBI

9:35 – 10:25 Global Honeypot Trends
Elliott Brink, Sr. Associate, RSM McGladrey

10:50 – 11:40 Tracking and Responding to Global Cybercrime
John Bambenek, Sr. Analyst, Fidelis Cybersecurity

11:50 – 12:30 LUNCH

12:40 – 1:30 Using Passive DNS to Uncover Network and Server Parasites
Alan Clegg, Sales Engineer, Farsight Security, Inc.

1:45 – 2:35 The Secretive Zero-Day Exploit Market
Adriel T. Desautels, Partner & CEO, Netragard, Inc.

2:50 – 3:40 Assessing Risk in a Breached World
Chris Gerritz, CEO & Co-founder, Infocyte, Inc

3:55 – 4:45 Internal Audit Considerations for Cybersecurity Risks Posed by Vendors
Joseph Kirkpatrick, Managing Director, KirkpatrickPrice

DAY 2: Wednesday, October 28, 2015

7:30 – 8:00 Registration and Continental Breakfast

8:00 – 9:30 CISO Panel: Perspectives on addressing today’s security challenges
Tina LaCroix-Hauri, President, Bradford Garrett Group
Waqas Akkawi, CISO, SIRVA Worldwide
Kevin Novak, CISO & IT Risk Officer, Northern Trust
Michael Phillips, EVP & CISO, Rosenthal Collins Group
Richard Rushing, CISO, Motorola Mobility

9:35 – 10:45 CryptoLocker Ransomware Variants: Learn How to Protect Against Them
Ryan Nolette, Sr. Threat Researcher, Bit9

11:00 – 12:00 Software Security Metrics
Neil Bahadur, Managing Consultant, Cigital

11:50 – 12:30 LUNCH

1:00 – 2:00 Forensics for Auditors
Inno Eroraha, Chief Strategist, NetSecurity Corp.

2:15 – 3:15 Welcome to the Internet of Insecure Things
Chandler Howell, Director of Engineering, Nexum

3:30 – 4:30 A New Approach to Audit your Company’s Threat & Vulnerability Management Program
Paul Hinds, Managing Director, PwC
Stephen Asamoah, Senior Consultant, PwC

Sessions at a Glance: Day 1

Session 1: Cyber Threat Landscape

8:30 AM – 9:20 AM

In this session, the Federal Bureau of Investigation (FBI) will provide their unique view of cyber threats, addressing who the attackers are, their objectives, and how to best prepare for attacks. As Sun Tzu famously said: "If you know the enemy and know yourself you need not fear the results of a hundred battles." The FBI will provide insight that can help organizations understand and respond to our common enemies in the cybersecurity space.

Eric Brelsford, Special Agent – Criminal & National Security Cyber Investigations, FBI Chicago Division

SA Brelsford began his career with the FBI in 2003 in Milwaukee where he started investigating cyber crimes. In 2006, SA Brelsford transferred to Chicago where he has continued to focus on cyber-crime investigations. During this time, SA Brelsford has been the lead investigator on a variety of cyber investigations including data breaches, cyber extortion, financial account takeover, malware distribution, botnet operations, and denial of service attacks. Prior to joining the FBI, Agent Brelsford worked in the private sector performing computer & information security consulting. Agent Brelsford is currently assigned to a criminal computer intrusion squad.

Session 2: Global Honeypot Trends

9:35 AM – 10:25 AM

Many of my computer systems are constantly compromised, attacked, hacked, 24/7. How do I know this? I've been letting them. This talk will cover over one year of my research running several vulnerable systems (or honeypots) in multiple countries including the USA, mainland China, Russia and others. We'll be taking a look at: a brief introduction to honeypots, common attacker trends (both sophisticated and “script kiddie”), brief malware analysis and the statistical analysis of attackers based on GeoIP. Are there differences in attacks based on where a system is located based on GeoIP? Different attackers use different tactics. As part of this presentation, we will discuss the tactics that have been seen in use on these systems.

Elliott Brink, Sr. Associate, RSM McGladrey

Elliott Brink (@ebrinkster) is an Information Security Senior Associate for RSM based out of Chicago, IL with 4 years' experience in the industry. He specializes in internal/external pentesting, web application testing, and social engineering engagements. Elliott has been involved in penetration tests domestically and internationally for Fortune 500 companies to organizations with less than 10 employees and manages the penetration testing lab for RSM. He has spoken on this topic as well as others at several information security conferences such as DefCon, GrrCon, etc.

Session 3: Tracking & Responding to Global Cybercrime

10:50 AM – 11:40 AM

Every week we hear about another major breach or another malware campaign that is defrauding businesses and consumers of millions. Very rarely do we hear of successful investigations and prosecutions. This talk will focus on investigating cybercriminals across the globe and some tools and techniques for participants to implement in their own organizations. Most malware uses DNS or Domain Generation Algorithms to allow for communication back to the attacker. By reverse engineering those means of communication, it becomes possible to create near-time intelligence to track those adversaries as they move around the Internet. This talk will discuss how to create such surveillance as well as discuss the possibilities of deception and counterintelligence inherent in this kind of tracking.

John Bambenek, Fidelis Cybersecurity

John is a Sr. Threat Analyst at Fidelis Cybersecurity and an incident handler within the Internet Storm Center. He has been in security for 15 years researching security threats. He is a published author of several articles, book chapters and a book. He has contributed to IT security courses and certification exams. John has participated in many incident investigations spanning the globe, most recently as part of Operation Tovar, which successfully ended Gameover Zeus and Cryptolocker.

Session 4: Using Passive DNS to Uncover Network and Server Parasites

12:40 PM – 1:30 PM

Malicious actors may create and operate unauthorized web sites on corporate IT networks and servers. These parasitical sites use corporate resources to host an insider's own home/startup business. Unauthorized sites may also host "otherwise-unhostable" content such as malware, phishing sites, pirated software repositories, online child abuse materials, or extremist/terrorist content. Passive DNS is the perfect technical tool for finding these unauthorized sites. In this talk we'll explain how passive DNS lets an audit team find out what company IP addresses have been used during the period being audited, and for what domains.

Alan Clegg, Sales Engineer, Farsight Security, Inc.

Alan’s focus over the last 10 years has been technical training. Alan has trained professionals through the Internet Systems Consortium, InfoBlox, Info2Intel, and other organizations. Primary focus areas are DNS, DHCP, and IPv6. Alan has experience as a UNIX Administrator, technical support engineer, and other roles throughout his career. Alan has extensive experience with computer security issues and trends, having dealt with compromised hosts and denial of service mitigation, and having documented and assisted in the implementation of network systems best common practices.

Session 5: The Secretive Zero-Day Exploit Market

1:35 PM – 2:35 PM

The secretive zero-day exploit market and zero-day exploits themselves are both misunderstood and misrepresented. Zero-day exploits are dual-purpose tools that take advantage of existing vulnerabilities in software. Zero-day exploits are valuable from the intelligence, law-enforcement, and even corporate defense perspective. As a former zero-day exploit broker, Desautels will discuss the realities behind the zero-day exploit market, what zero-days are and aren’t, and how they can be used. He will also discuss why he supports regulation but is against the Wassenaar arrangement as it stands today. The zero-day market is a necessity and zero-days are here to stay.

Adriel Timothy Desautels, Partner & CEO, Netragard, Inc.

Netragard specializes in the delivery of realistic threat, protective penetration testing services. Adriel is the architect behind most of Netragard’s services. Adriel is well known for his efforts towards building an ethical, legitimate and legal 0-day exploit market. Adriel ran Netragard’s 0-day Exploit Acquisition Program (EAP) from 1999 through summer of 2015.

Session 6: Assessing Risk in a Breached World

2:50 PM – 3:40 PM

Network intrusions have spiked in recent years resulting in millions in financial losses, theft of intellectual property, and exposure of customer information. The groups responsible for these high profile attacks are organized and are able to persist in your network without detection for months, even years. Yet even with the threat of undetected compromise and zero-day attacks, today’s risk and vulnerability assessments are still focused on answering questions we already know the answer to (i.e., “Can you be hacked?”). In this session, Chris will discuss the shortfalls of today’s network assessments for use in enterprise risk measurement and the need for new assessment approaches that answer more critical questions (i.e., “Are you hacked right now?”).

Chris Gerritz, CEO & co-founder of Infocyte

Chris is a developer of proactive cyber security solutions focusing primarily on breach discovery. Chris is a pioneer in defensive cyberspace operations, having served as initial cadre of the U.S. Air Force’s elite Defensive Counter Cyber (DCC) practice. From a decade of military service, Chris draws on both leadership and deep technical experience serving in various roles such as cryptographic systems maintainer, cyber warfare officer and Air Force pilot. Prior to co-founding Infocyte, Chris served as the Air Force Computer Emergency Response Team (AFCERT)'s first Chief of DCC Operations.

Session 7: Internal Audit Considerations for Cybersecurity Risks Posed by Vendors

2:50 PM – 3:40 PM

Understanding the threat posed by vendors to your organization

Identifying and quantifying vendor risks

Recommended security measures for vendor risk management

Onboarding and offboarding control objectives

Example audit programs for three common vendor types

How to move beyond the test of non-disclosure agreements to stronger tests that confirm control effectiveness

Recommendations for identifying and mitigating cybersecurity risks

Strategies to evaluate business impact from common vendor types

Joseph Kirkpatrick, Managing Director, KirkpatrickPrice

Joseph holds CISA, CGEIT, CRISC and QSA certifications as a certified specialist in data security, IT governance, and regulatory compliance. He has delivered auditing and security assessment services for more than 14 years. Joseph, Managing Partner of KirkpatrickPrice, serves clients and stakeholders who are seeking to understand compliance and regulatory requirements by helping them navigate the complex world of data security.

Sessions at a Glance: Day 2

Session 1: CISO Panel – Perspectives on addressing today’s security challenges

8:00 AM – 9:30 AM

In this session, top Chicagoland Chief Information Security Officers will answer questions on a range of topics including:

Security Trends

Threat Landscape

Data Security

What success looks like for security leadership

Panelists will address the above topics and then receive questions from the audience.

CISO Panel Moderator: Tina LaCroix-Hauri, President & Co-Founder, Bradford Garrett Group, Inc.

Tina leads the CISO Advisory Services Practice. As the first executive level Information Security leader hired by both Discover Financial Services (DFS) and Aon Corporation, Tina understands the diverse skill set needed to lead as a global CISO. Tina sits on the Industry Advisory Board of the Masters of Science in Information Technology in the McCormick School of Engineering of Northwestern University where she is also an Adjunct Professor – Risk Management.

Panelists:

Waqas Akkawi, CISO, SIRVA Worldwide

Waqas is responsible for SIRVA’s information security program, operations, and delivering information security and privacy protection value to clients globally.

Kevin Novak, CISO & IT Risk Officer, Northern Trust

Kevin is CISO and a member of the Northern Trust Corporate Risk Group. He is responsible for the security of Company and Client information and for the management of information technology risks across Northern Trust's global business. Kevin joined Northern Trust in August 2011.

Michael Phillips, EVP & CISO, Rosenthal Collins Group LLC

Michael is the Executive Vice President and Chief Information Security Officer at Rosenthal Collins Group, LLC. In this capacity, he serves as Co-Executive of the Information Technology Group and senior adviser to the Chairman / CEO, providing insights on various aspects of Operational Risk Management including Information Assurance & Privacy Protection.

Richard Rushing, CISO, Motorola Mobility

Richard is CISO for Motorola Mobility and participates in several corporate, community, private, and government security councils and working groups. Activities include setting standards, policies, and solutions to current and emerging security issues.

Session 2: CryptoLocker Ransomware Variants Are Lurking “In the Shadows”, Learn How to Protect Against Them

9:35 AM – 10:45 AM

Recently, attackers employing a CryptoLocker variant have been removing volume shadow copies on systems, disallowing the users from restoring those files and then encrypting the files for ransom. If a user cannot recover from backups, he/she is at the attacker’s mercy.

In this technical session, we’ll discuss the ins and outs of shadow copies, reveal how attackers are using them to encrypt files for ransom and then discuss ways you can quickly, and easily, detect and respond to these kinds of attacks.

Ryan Nolette, Sr. Threat Researcher, Bit9 + Carbon Black

Ryan draws from intense and active experience in Incident Response (IR), Threat Research, and IT experience to add a unique perspective of technical expertise and strategic vision. Prior to joining Bit9, Ryan was a Technology Risk Analyst for Fidelity Investments, where he was the malware expert for their Cyber Security Group and focused on signature verification and placement for all IPS devices, and provided non-signature based malware detection and prevention through manual auditing and automated tools. Ryan earned a bachelor’s degree in Information Security and Forensics from the Rochester Institute of Technology.

Session 3: Software Security Metrics

11:00 AM – 12:00 PM

Often, auditors must interpret the instantiation of how a set of "must-do" items are getting done to make sure that they meet the spirit of the person or entity requiring them. These items may come from regulatory, statutory, contractual, business practice, insurance, etc. sources and can be jeopardized by bad software. This session is a journey into how to understand the measurements being used for software security and how they track progress against the must-dos or want-to-dos for your organization. This presentation includes a look at the numerical data that comes from a Software Security Initiative and how to put that information in the context of determining whether your organization is meeting the spirit of the must-do obligations for your organization.

Neil Bahadur, Managing Consultant, Cigital

Neil has been with Cigital since 2011. Coming from a process automation and penetration testing background, Neil looks at every business process skeptically, paying special attention to exploitable loopholes. Currently performing BSIMM assessments, Neil leads enterprise-scale software security initiatives, injecting security into SDLCs across several verticals including financial, insurance, healthcare and retail. He believes that while organic growth and volunteerism can be useful to get started with process improvement, organizations must perform application security on purpose to be truly successful.

Session 4: Computer Forensic Jujitsu for Auditors: Conducting Legally Defensible Forensics Investigations

1:00 PM – 2:00 PM

Whether you are conducting or supporting the investigation of illicit pornography, disgruntled employee, malicious software outbreak, fraud, advanced cyber attack, or other sophisticated zero-day targeted attack launched by China, the investigation primitives are the same. The investigators or supporting casts have to quickly identify and collect the most crucial evidence wherever it may be – laptop, mobile device, server, desktop, network, social media, or in the wild. This session will provide guidance for conducting or overseeing such investigations in a forensically-sound and legally-defensible manner, and without preconceived ideas about the guilt or innocence of the subjects.

Inno Eroraha, Founder & Chief Strategist, NetSecurity

Inno’s main responsibility is to position NetSecurity as “the brand of choice for forensics, security, and training”, by delivering high-quality, timely, and customer-focused solutions. Inno oversees NetSecurity’s day-to-day operations, including the proprietary HANDS-ON HOW-TO® training program and the state-of-the-art NETSECURITY FORENSIC LABS. He leads the execution of NetSecurity’s solutions and helps clients protect, defend, and recover valuable assets from cyber attacks and computer fraud.

Session 5: Welcome to the Internet of Insecure Things

2:15 PM – 3:15 PM

The Internet of Things (IoT) is a term that is showing up more and more and includes a wealth of devices which have frequently been with us for some time, such as medical devices, refrigerators, and even cars, but to which we are now adding network connectivity and integration with remote systems. Chandler will provide a brief overview and definition of IoT, then examine why security is frequently an afterthought in these devices and the implications of weak IoT security, provide a framework for understanding the implications of these security issues, then provide some guidance on effective Controls and Architectural approaches to manage the risks that these devices are creating.

Chandler Howell, Director of Engineering, Nexum

Starting as a humble *NIX Sysadmin, Chandler worked up as a C, perl, Java and eventually Rails coder. Sometime in the mid-90's, Chandler landed in the world of Risk Management & IT Security. Finally having found his place, Chandler has led, built and been a member of security teams for everything from an online dating site to Fortune 500 companies.

Chandler now manages a nation-wide team of approximately 20 Engineers providing Pre- and Post-Sales consulting and Training.

Session 6: A New Approach to Audit your Company’s Threat & Vulnerability Management (TVM) Program

3:30 PM – 4:30 PM

The complexity of tools to protect a company’s IT assets continues to grow. What is concerning is that most companies cannot clearly explain the company's IT architecture, what tools are in place to protect these assets and what capabilities these tools possess to mitigate the risks identified. Even more importantly, few organizations can assess if these tools are properly configured and what gaps exist, based on the tools and how they are configured.

Internal Audit needs to be able to articulate the threat vectors that exist in their company and the TVM Program and tools in place, and be able to audit these components to help ensure the risks thought to be addressed are actually reduced.

Paul Hinds & Stephen Asamoah, PwC

Paul is Managing Director and leads a cybersecurity, privacy, and IT risk management team. Paul also leads ERP security and control design and implementation teams for SAP, Oracle, and many other similar enterprise solutions. Paul has served as the CAE, IT Audit Director and IT security director for several Fortune 1000 companies.

Stephen is a Senior Consultant for PwC’s cybersecurity practice. Stephen held prior positions at BMO Harris Bank as a Security Advisor II, Security Administrator for Affinia and Security Analyst for Community Health Systems.

Thank You

This is the 2nd Annual Chicago Hacking Conference and has been developed, organized and presented in large part due to the efforts of Jason Torres and Corbin Del Carlo. I would like to thank both Jason and Corbin for their extensive efforts in creating this conference to educate the profession on emerging trends in the IT Security arena. This conference attracted well over 100 participants in 2014. In 2015, due to the leadership of Jason, Corbin, and a team of volunteers from both the IIA and ISACA Chicago chapters, registration has grown to nearly 200 participants. Please join me in providing a thank you for the efforts of Jason, Corbin and the team for making this a successful new event for the Internal Audit professional annual events calendar.

Sincerely,

Michael L. Davidson

Vice President of Education

The Institute of Internal Auditors, Chicago Chapter

We recognize the following individuals for their noteworthy efforts:

Jason Torres
Corbin Del Carlo
Nathan Anderson
Patrick Coffey
Richard Kokoszka
Juilee Shinde
Scott Shinners

Our Sponsors

Platinum

McGladrey is committed to helping companies like yours improve at every turn. Whatever the challenge, we strive to understand your business and deliver objective advice and high quality, customized services that help you make more confident business decisions.

www.mcgladrey.com

Gold

Nexum, Inc. is a cybersecurity and networking company that builds and secures global networks for organizations across multiple verticals around the world. In addition to its Chicago headquarters, Nexum has sales, training and support presence in Kentucky, Michigan, New Hampshire, Ohio and Wisconsin as well as the Security and Network Operations Command Centers (SNOCC) in New Mexico and Illinois.

www.nexuminc.com

ThreatConnect, Inc. provides industry-leading advanced threat intelligence software and services including ThreatConnect®, the most comprehensive Threat Intelligence Platform (TIP) on the market. ThreatConnect delivers a single platform in the cloud and on-premises to effectively aggregate, analyze, and act to counter sophisticated cyber-attacks. Leveraging advanced analytics capabilities, ThreatConnect offers a superior understanding of relevant cyber threats to business operations. To register for a free ThreatConnect account, or to learn more about our products and services, visit:

www.threatconnect.com