
Practical Security: Solutions for challenging times
Don't miss out, book your seat today!

Dates: 11 - 13 May 2010

Venue: Sandton Convention Centre

 
DAY 1: 11 May 2009 (Tuesday) - speaker synopsis and biographies
 
The business of security – Threat horizon 2010 and beyond, legislation (PPI), risk, compliance, standards (PCI), security metrics, social networking, web application security, web services, web 2.0 and more.
 
Keynotes
> The road less travelled: when security meets business
Pat Pather, Director - GSO Security, Standard Bank
> Protecting customers from online threats: The Paypal perspective
Allison Miller, Group Product Manager, Account Risk at PayPal, an eBay company
> Protecting your customers' assets: What must you do so that you will not need the NPA
Paul Louw, Deputy Director: Public Prosecutions, National Prosecuting Authority
> From TIA to Google: Modern threats to privacy
Moxie Marlinspike, Independent Computer Security Researcher
Track 1
> The security implications of the PPI bill: an end user's perspective
Ritasha Jethva, Head - Information Privacy, ABSA
> Getting PCI Compliant: The VISA story
Bryce Thorrold, Country Risk Manager, Africa at Visa
> How to future-proof your compliance program
Kris Budnik, CSO, Edcon
> The nice thing about standards is that there are so many to choose from
Allen Baranov, Security Analyst, South African Breweries
> Security Metrics in Action
Tony Stephanou, CSO, T-Systems
Track 2
> The state of information security: how today's trends are likely to affect the future of security
Tony Olivier, Manager, GSO Strategy and Architecture, Standard Bank;
Helaine Leggat, Senior Corporate Legal Advisor, Chetty Law;
Matt Erasmus, Host: PubCast: SecFault, DiscussIT
> Threat Horizon 2010 and beyond: Information security-related threats of the future
Simon Leech, Technical Director EMEA, Tipping Point
> Making mobile security work for the business: Strategies to limit risk and protect your mobile assets
Nader Henein, Security Advisory, BlackBerry Security Group, Research In Motion
> Can Turing prevent man-in-the-middle attacks on Online Banking?
Dr. Frans Lategan, Security Consultant, ABSA
> Why business needs to have security and IT control frameworks in place
David Volschenk, Principal Consultant - IT Risk and Security Services, Ernst & Young
Justin Williams, Senior Manager, Ernst & Young
Track 3
> Web security: Patching is obsolete
Saumil Shah, CEO and Founder, NetSquare Solutions
> From Web 2.0 to Threats 2.0
Stephan Tanase, Senior security researcher, Kaspersky Labs
> Abusing and leveraging intelligence from Social Media Platforms
Nitesh Dhanjani, Senior Manager, Ernst & Young
> Built in, not bolted on: web application security done right
Paul van Woudenberg & Theo van Niekerk, ThinkSmart Information Systems and Security
> A consistent security model for web services
Dominique dHotman, Manager: Enterprise Architecture, Ooba

Keynotes

The road less travelled: when security meets business
Pat Pather, Director - GSO Security, Standard Bank
Many CISOs struggle to articulate the value of their security programs and justify the security budget to business and executive management, even more so during economic downturns. Information Security practitioners are obliged to remain current with changes in technology, legislation, the threat landscape and the evolving social implications if they are to effectively manage risk. In this regard, Information Security has a responsibility to both align to business requirements, guide them to new possibilities, and enable them to succeed.
In this talk Pat Pather explores the do's and don'ts of creating a strategic security program and examines strategies to align security with the business. He will share his views on managing security in tough economic times, whilst ensuring you meet compliance requirements AND the service demands of the business.

Key learning points:

Strategies to align security with the business
Adopting a risk-based approach in the interests of business: not everything has to be safeguarded at all costs. Be prepared to bend when it serves the business well
Identifying and highlighting opportunities to improve the business through effective risk management
Articulating risk in business terms
Planning for agility

BIO: Pat is the Director of the Standard Bank Global Security Office, responsible for providing Information Risk and Information Security services wherever Standard Bank has a presence. Pat came to this via audit and forensics, which provided him with a unique perspective to the problem, and positioned him well to direct the establishment of the e-Crime team, and ultimately to take over the entire gamut of Information Security services.
Pat is in the unique position of having to globalise what has, until now, been a localised service, in an organisation traversing political, cultural and language boundaries on 5 continents. His team knows him as committed, focused and quick to address issues, while still taking the time to think strategically about the way forward. He believes one wins in the Information Security discipline by staying ahead of both the criminals and the competition, and has repeatedly initiated activities which were subsequently followed by the industry at large.


Protecting customers from online threats: The Paypal perspective
Allison Miller, Group Product Manager, Account Risk at PayPal, an eBay company
New platforms and tools deployed via the web attract innovation, foster collaboration, and for many of us -- have changed our lifestyles (how we communicate, socialize, and pay for things). At the same time we're seeing these same technologies used as attack vectors -- with end-users being the target of choice. In this talk we'll discuss threats and attacks targeting end users such as social engineering, credential theft, malware, spam & abuse -- and the resulting problems like account takeovers, botnet activity, privacy leaks, and identity theft. We will look at some recent case studies where customers have been targeted to answer some key questions: What are the downstream impacts of these attacks on individual customers? Does the presence of known vulnerabilities or "safety gaps" have an effect on the reputation of the service provider in economic terms?

BIO: Allison is a Group Product Manager on the Global Risk Management team at PayPal. In her role, she is responsible for developing controls that help protect PayPal’s 78 million active accounts worldwide from abuse by fraudsters. Allison is responsible for defining and implementing the company’s customer identity strategy as it relates to validating and protecting customers’ personal and financial information. Before joining PayPal, Allison led Visa International’s assessment and risk mitigation design for new consumer and e-commerce products as Director of Product and Technology Risk. She has degrees from Berkeley (MBA) and UPenn (BS, Economics).


Protecting your customers' assets: What must you do so that you will not need the NPA
Paul Louw, Deputy Director: Public Prosecutions, National Prosecuting Authority
In this talk, Paul Louw (formerly with the Scorpions and now the NPA) takes a closer look at exactly where law enforcement in South Africa is now, with some ideas on how we can improve its effectiveness, as well as the growing importance of public/private partnerships between banks and law enforcement. He will share an overview of the crime threat SA business has faced since 2005, focusing on the current problem of "business on-line fraud", where the banks and/or their clients were bleeding millions during 2009. He will also draw a comparison between SA's current state of affairs and the USA, where President Obama's strong focus on information security prompted last year's "clean slate" review of the effectiveness of legislation, strategic plans and more.

Key points for discussion include:

The crime threat SA business has faced since 2005
Law enforcement in South Africa in 2010
SA vs the US: A global perspective on effective legislation
What can be done to improve the effectiveness of SA's law enforcement
Pro-active investigations to combat cybercrime
The use of financial information as an investigative tool

BIO: Paul, who is a prosecutor by trade, has been in the business of investigating/prosecuting internet-related fraud since 2005, working closely with the banking sector. His relationship with the banks actually started during 2001 (back in the days of the Scorpions) when he was asked to investigate various cases of advance fee fraud where transnational organised groups hijacked the corporate identity of SA banks, the SA Reserve Bank and government departments in order to defraud unsuspecting victims abroad. Paul has basically spent the last decade protecting these institutions' corporate identity.


From TIA to Google: Modern threats to privacy
Moxie Marlinspike, Independent Computer Security Researcher
A lot has changed since discussions around digital privacy began. The security community won the war for strong cryptography; anonymous darknets that presumably make the eradication of information impossible have been successfully deployed, and much of the communications infrastructure has been decentralised. These strategies were carefully conceived while planning for the most dystopian visions of the future imaginable, and yet somehow they've fallen short of delivering us from the most pernicious privacy threats today. Rather than a centralised state-backed database of all our movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.

Key points for discussion:

The evolution of modern threats to privacy
A look at interesting solutions that are in the works

BIO: Moxie carries out independent research into computer security. His published research tends to deal with secure protocols, particularly SSL/TLS. He does security consulting and penetration testing and offers training on designing secure protocols. He is the author of the sslstrip tool presented at Black Hat DC 2009, which demonstrates how HTTPS Web sites are vulnerable to a man-in-the-middle attack if the connection starts out as a HTTP connection before being redirected to HTTPS, as is nearly always the case. He is also the author of sslsniff, a general purpose SSL/TLS man-in-the-middle attack tool that was originally written to exploit the BasicConstraints vulnerability that he published in 2002.


TRACK 1: Information Security Management

  The security implications of the PPI bill: an end user's perspective
Ritasha Jethva, Head - Information Privacy, ABSA
  In 2009 data privacy and protection was jolted into the limelight because of the Protection of Personal Information Bill. Corporate South Africa suddenly came to realise that their right to collect, store, use, communicate and transmit personal information of customers, clients and business partners were going to be strictly regulated in the future. In this session, Ritasha Jethva will provide practical insight on how the security principle within the PPI Bill will relate to a typical end user within an organisation when it comes to securing employees, customers and stakeholder’s personal information.

Key points for discussion

Practical insight into the Protection of Personal Information Bill
PPI and security: what it means for a typical end-user

BIO: Ritasha is currently the Head of Information Privacy at Absa, where she is accountable for the rollout of a Group-wide and National Privacy programme, spanning all local geographic locations as well as all applicable product and service offerings. She also chairs the Privacy Working of South Africa, where she works closely with industry members via the SABS (South African Bureau of Standards) on privacy issues within SA, and contributes to the development of SA-specific privacy standards and architectures. Previously, Ritasha was a manager within the Enterprise Risk Services division of Deloitte, where she was in charge of the National Privacy & Compliance competency. She holds a BCom (Hons) degree in Informatics and is also CIPP certified (Certified Information Privacy Professional).

 
  Getting PCI Compliant: The VISA story
Bryce Thorrold, Country Risk Manager, Africa at Visa
What is going on in SA re PCI? What is the actual deadline, will they levy fines, are they worried about ZA, etc.? How have they done their risk-based analysis of ZA, and what does not being the US buy us? In this session, VISA's Bryce Thorrold takes a closer look at the payment card industry (PCI) standard and what it means for business in South Africa. The presentation will provide updates from the latest scoping meeting around call centre recordings and end-to-end crypto, as well as how banks currently do/plan to regulate the QSAs in line with GAAP from an independence and ethical perspective. Thorrold will also share how Visa feels charge-backs should be managed if a merchant cannot keep the Primary Account Number (PAN).

Key discussion points will include:

PCI basics and compliance challenges
What PCI compliance means for business in South Africa
Regulating the QSAs in line with GAAP
How charge-backs should be managed

BIO: Bryce and his team are responsible for the management of payment security risk across Africa. Compliance against the PCI-DSS is a key preventative measure against security breaches and is an important area of focus for the team this year. Bryce has been involved in Information Security for many years, and prior to this position, worked at Symantec as a PCI-DSS QSA consultant. He assisted many organizations in the region to understand their current compliance status, unique environment and requirements. He then assisted them in defining their compliance roadmaps, delivering clear project plans and milestones. He holds a B Comm degree in Information Systems and is also a CISSP.

 
  How to future-proof your compliance program
Kris Budnik, CSO, Edcon
The holy grail of compliance is a streamlined program that can easily accommodate new mandates and the changing regulatory environment. While CIOs and CISOs routinely list compliance as one of their top areas of concern and burden, a streamlined and comprehensive compliance program can be achieved. In this session, Kris Budnik, CSO of Edcon, explores the compliance landscape relative to areas such as technology governance, information security and data privacy.

Key discussion points will include:

The current environment and what may be anticipated in the years to come
Strategies to address all various compliance requirements
How to develop best practices that meet or exceed regulatory requirements
How to plan for the “next wave” of compliance demands

BIO: In addition to his role as CSO of Edcon, Kris is also a Deloitte Risk Advisory Director. He has more than 15 years' experience in Information Technology, 10 years of which he has spent with Deloitte. Kris heads up the security and privacy competency within the Deloitte Risk Advisory Practice and consults on Information Security, Privacy and IT Governance initiatives in the health, finance and retail sectors. Kris specialises in Information Security management and compliance and is backed by a team of legal, technology and governance professionals to offer a holistic "from the boardroom to the network" service to clients. He is an active member of the South African COBIT working committee as well as a member of a multi-national ValIT Steering Committee responsible for the review and publication of the ValIT framework defining best practice for IT value management. Most recently he was involved in the drafting of the ValIT Assurance Guide, aimed at enabling the assurance professional to include value management as part of the audit cycle.

 
  The nice thing about standards is that there are so many to choose from
Allen Baranov, Security Analyst, South African Breweries
  In this session, Allen Baranov will raise the debate about certifications, standards and GRC (governance, risk and compliance) and challenge delegates to engage in a discourse on the relevance of standards. At the end of the talk, attendees will have a good idea of what standards are out there including the current favourites like PCI and ISO, what they are for and how to handle them. Delegates will gain insight into the debates going on at the moment with regards to GRC and relying on standards to drive security.

Key learning points:

The history and philosophy of the various standards driving security
The inside track on current debates around certifications, standards and GRC
From PCI to ISO: what are they for and how to handle them
The relevance of standards in practice

BIO: Allen is an Information Security Analyst for the South African Breweries. He is a CISSP and has a BCom with a major in Information Systems. He is accountable for all the non-SAP systems including servers, desktops and network. He sits on the SABMiller international ISO forum which makes policy decisions for the group. He runs one of the few Information Security Blogs in South Africa.

 
  Security Metrics in Action
Tony Stephanou, CSO, T-Systems
Information Security measurement is regarded as an essential component of any information security programme, but what metrics should we look at? We could request a standard virus infection report, but what does that actually tell us about the state of security on the ground? Similarly, we are told that security awareness activities are important, but how do we measure their effectiveness, and how do they affect employees' on-the-job behaviour after they undergo awareness training? The problem is that information security is a discipline that does not possess a precise list of techniques for security measurement. The finance discipline, for example, has a concept called "value at risk", which calculates the amount of money a firm could lose in a day based on historical pricing volatilities. However, no agreement on key indicators for information security exists.
Tony Stephanou will initially examine what is wrong with the way we currently measure and view security and why we need good security metrics. He will then discuss: what makes a good and bad metric, how one can empirically measure security activities using practical methods and measures, how data can be used to convey a meaningful message to organisations and, what effective practices are used by organisations. As well as case studies used throughout the presentation, the discussion will also include the outcome of novel research that was recently conducted.

Key learning points:

What is wrong with the way we currently measure and view security
What makes a good and bad metric
How to measure security activities using practical methods and measures
Using data to convey a meaningful message to organisations
An assessment of effective measurement practices in use today

BIO: Tony is CSO at T-Systems South Africa. Stephanou has worked in the information security industry for over twelve years. Before joining T-Systems he worked for several well-known international organisations. Stephanou graduated from the University of the Witwatersrand with a Masters degree specialising in information security.


TRACK 2: Emerging Threats / Risk Planning

  The state of information security: how today's trends are likely to affect the future of security
Tony Olivier, Manager, GSO Strategy and Architecture, Standard Bank;
Helaine Leggat, Senior Corporate Legal Advisor, Chetty Law;
Matt Erasmus, Host: PubCast: SecFault, DiscussIT
Everyone is talking about compliance testing and data leakage. What's really going on that's pushing the industry in that direction? And - will it work? In this session, experts from Standard Bank, Chetty Law and DiscussIT will candidly discuss how today's trends are likely to affect the future of security. The session on legislative developments relating to Information Security examines burgeoning or "rapidly developing" legislative burdens. Delegates will learn:

How risk-based approaches are becoming imperative
How law can translate to strategy, through an examination of Information Security trends
How to position yourself, individually and as corporate entities, to deal with issues of dynamic change, ahead of law makers

Key points for discussion include:

The IT Security Pubcast and why the team is "qualified" to comment on Information Security trends
The emerging state of technology attacks and defences
The burgeoning legislative burden and how to position yourself individually and as corporate entities to deal with issues of dynamic change, ahead of law makers
The evolving management problem

BIOS:

Anthony has been in IT since 1985, starting as an IT Operator, and at various times fulfilling the role of Network Operator and Analyst, DBA, Programmer, Web Developer and Security Analyst. He graduated with a BSc in Computer Science, as well as an MBL.
Anthony's current role is that of Head of the Information Security: Africa, in the Standard Bank Global Security Office, directly responsible for the security of 16 countries across the continent.
He is also the co-founder of DiscussIT, the South African Podcast portal, where he participates as Host of the IT Security Pubcast, a podcast dedicated to Information Security practitioners in South Africa.

Helaine is a senior executive with over 18 years' experience as an executive director, eight of these in world-class ICT-driven business. She holds a Bachelor of Law degree, is a Certified Information Systems Security Professional (CISSP) and is currently undergoing accreditation, having passed the Certified Information Security Manager (CISM) exam. She is trained as a Business Analyst, ISO 27001:2005 System Auditor and in CobIT.

Matt is an Information Security professional with interests in malicious code, web application security and intrusion analysis. Matt has run the Durban chapter of the ISGA for over a year, giving talks on various topics in Information Security. He started podcasting under the Pubcast:SecFault banner after meeting Tony Olivier at the ITWeb Security Summit in 2009. He participated in Zacon in 2009, South Africa's first community-driven Information Security conference.

 
  Threat Horizon 2010 and beyond: Information security-related threats of the future
Simon Leech, Technical Director EMEA, Tipping Point
There is no disagreement that internet attack vectors have changed considerably over the past couple of years. Attacks have become a lot more dynamic, and an inadequately protected organisation exposes itself to multiple threats, including SQL injection attacks, botnets, network worms, website compromises and browser exploits. This presentation looks at what TippingPoint's DVLabs research group has experienced so far this year and, using data retrieved from ThreatLinq, shows how geographic location influences the type of attacks that we see. We will also discuss the importance of a virtual patching approach to network security, and show how an IPS infrastructure can be designed to protect an enterprise's most important assets.

Key points for discussion:

The dynamic nature of internet attack vectors
How geographic location influences the type of attacks that we see
The importance of a virtual patching approach to network security
How to design an IPS infrastructure to protect an enterprise’s most important assets

BIO: Simon joined TippingPoint in 2007 after spending the previous 10 years in various positions, gaining an in-depth knowledge of Intrusion Prevention Systems and security products in general. He has travelled extensively across Europe, the Middle East, and Africa (EMEA), and is a recognised and respected speaker at seminars across the region on many aspects of security. Within TippingPoint, Simon is responsible for the day-to-day operations of the EMEA sales engineering, consultancy, and training teams, and he provides invaluable guidance to the product development teams on how to address the EMEA market.

 
  Making mobile security work for the business: Strategies to limit risk and protect your mobile assets
Nader Henein, Security Advisory, BlackBerry Security Group, Research In Motion
  BIO: Nader works within the BlackBerry Security Group in an Advisory role, interfacing with security agencies, governmental bodies and strategic enterprise customers. His primary focus is to aid them in understanding the various BlackBerry security countermeasures and the true extensible nature of the solution. Over the past decade, Nader held various positions, working with multiple start-ups, which allowed him to ground his technical education in strong real world business models, producing realistic usable solutions while still maintaining a scalable and secure context.
 
Can Turing prevent man-in-the-middle attacks on Online Banking?
Dr. Frans Lategan, Security Consultant, ABSA
Despite increasing complexity and sophistication in the security mechanisms of online banking, phishing attacks (morphed into MITM attacks) are keeping pace. This is nothing less than warfare between criminals and security professionals, and the complexity is reaching a point where it is affecting usability. Regrettably, the criminals seem to be the only ones (successfully) focusing on the human component of the security chain. The security professionals keep complaining about unsophisticated users, weakest links and gullibility, whereas the criminals are exploiting these same (human) attributes. It might be time to reverse the roles, and use the human-ness of the users against the criminals by applying a form of Turing test at logon to detect unlawful access. This presentation will focus on several ways this can be achieved, at least in the short term, until the next round of this never-ending arms race.

Key points for discussion:

The evolving threat posed by man-in-the-middle attacks
How to turn the human-ness of users against cyber criminals
Exploring the use of a Turing test on logon to detect unlawful access

BIO: Frans is a security consultant with Absa Bank where he works on breaking and improving some of the web application security. Prior to joining Absa he was a System Architect for Discovery Health. Dr. Lategan received his Master’s degree in Mathematics and a Doctorate in Computer Science from Rand Afrikaans University. He has published several academic papers, and his current interests include most aspects relating to computer security, from privacy of information to web application security and social engineering.

 
  Why business needs to have security and IT control frameworks in place
David Volschenk, Principal Consultant - IT Risk and Security Services, Ernst & Young
Justin Williams, Senior Manager, Ernst & Young
  The implementation of an information security and risk management framework is seen as the backbone to any successful embedding of information security in an organisation. Yet, with a myriad of generally accepted frameworks out there, the challenge is in being able to embed one (or a customised combination of many) into the organisation - rather than having a comprehensive document that combines and complies to all of the frameworks, but which the organisation simply does not have the maturity and/or will to implement. This presentation explores the key factors to consider and challenges that had to be overcome in order to establish an information security framework for a large federated organisation.

Key points for discussion:

An analysis of benefits and challenges in the implementation of security and IT control frameworks
Best practice approaches for implementing an effective and sustainable information security risk management framework
A broad approach for the development and implementation of an integrated framework, drawing on practical experience
Best practices and regulatory requirements, based on theoretical research and global experiences

BIOS: 

David is a Principal Consultant in the Information Security department of the Information Technology Risk and Advisory Services group at Ernst & Young. With over 20 years' experience in IT, IT Risk and Auditing and Information Security, David specialises in consulting around Network Security, IT Risks and Controls, Information Security and Information Security Management and Sarbanes-Oxley. He provides consultancy services for local multinational corporates and has also travelled extensively for international projects and assignments, having worked in Africa, a number of European countries, the Far East and Australia. David is a Certified Information Systems Security Professional (CISSP) as well as a Certified Information Systems Auditor (CISA).

Justin has worked for Ernst & Young for 17 years, 15 of these in security and risk management, and has ongoing responsibility for performing Audit and Risk Assessment work at a number of significant Ernst & Young clients. His experience includes, among others, application implementation governance and security assessments for key clients; development and embedding of control frameworks for IT and Process Control environments; and assessment of security and fraud risk within a number of provincial government departments. Justin is a member of the Ernst & Young team responsible for Technology and Security Risk Services and project leader of the teams responsible for the IT internal audit of a number of significant Ernst & Young clients.


TRACK 3: Web/Application Security

  Web security: Patching is obsolete
Saumil Shah, CEO and Founder, NetSquare Solutions
This talk explores how well-known vulnerabilities and bugs play a key part in creating the attack patterns of tomorrow: the objectives, motives and how all the pieces of the puzzle fit together. The attack patterns of tomorrow have not emerged from new wizardry but are based on inherent weaknesses in the underlying web standards. The time has come to take another look at the fundamental building blocks that deliver our Web applications. Are browsers and protocols capable of delivering secure Web applications? Standards have evolved, but without a focus on application security. In our quest for a slicker Web 2.0, have we compromised on fundamental security principles? Although there is no clear solution in sight, it is time that we start asking for what is really needed. In his talk, Saumil Shah will examine the inherent weaknesses in design and the lack of adherence to standards, rather than just focusing on attacks. The bottom line is that there is no single fix or patch here. He believes the time has come for browser architecture and HTTP to be overhauled to some extent, that is, if we want to live in a world of secure web applications and, more importantly, secure web application users.

Key points for discussion include:

The state of web security and what is really needed
The role of well-known vulnerabilities and bugs in creating the attack patterns of tomorrow
A critical look at the inherent weaknesses in the underlying web standards
What is really needed to build secure web applications


BIO: Saumil's focus is on researching vulnerabilities in various e-commerce and Web-based application systems, system architecture for Net-Square's tools and products, developing short-term training programmes, providing information security consulting services to Net-Square's clients, ethical hacking and security architecture. He holds the designation of Certified Information Systems Security Professional. Shah has more than 10 years' experience with system administration, network architecture, integrating heterogeneous platforms and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area. Shah is a regular speaker and trainer at security conferences such as BlackHat, RSA, etc. Shah is a co-author of Web Hacking: Attacks and Defence (Addison Wesley, 2002) and is the author of The AntiVirus Book (Tata McGraw-Hill, 1996).

 
From Web 2.0 to Threats 2.0
Stefan Tanase, Senior Security Researcher, Kaspersky Lab
Web 2.0 applications have become increasingly popular among internet users and are now accessed not only from PCs, but also from mobile phones and other intelligent devices such as gaming consoles or household entertainment systems. This trend is very unlikely to come to an end soon. More and more "classic" websites are shifting towards web 2.0 concepts, start-ups are all about web 2.0 and new users are adopting the web 2.0 lifestyle every day: they collaborate and socialise, creating content that is now flexible and mobile. New technologies (both hardware and software) are being developed to sustain this evolution, opening a virtual Pandora's Box of new threats and attack techniques.
 
What exactly is web 2.0?
Why does web 2.0 attract malware authors?
How did malware spread over the internet before web 2.0 and how is it different now?
What are the new attack vectors created by web 2.0 technologies?
What social engineering tactics emerge over the web 2.0 concepts?
How dangerous is the combination of human & technological vulnerabilities?
Are web 2.0 attacks more efficient?
How difficult is it to protect ourselves?
How are web 2.0 threats going to evolve?

BIO: With strong web development experience and a solid passion for online security, Stefan joined the Kaspersky Lab team in 2007. By combining his online experience with the information security field, he actively participates in the research and development of new technologies that protect internet users against new threats.
Stefan specialises in web application security, web-based threats and malware 2.0. He is involved in the development of several innovative research projects, ranging from databases of malware samples and honeypots for analysing new attacks to web scanning crawlers that continuously monitor the web space to identify and neutralise the latest threats.
As a member of the Global Research and Analysis Team, Stefan publishes analytical articles on hot information security topics on threatpost.com and viruslist.com, Kaspersky Lab portals that inform and educate the public about viruses, hackers and spam. Stefan also often participates as a speaker at major worldwide security conferences, such as Virus Bulletin, RSA or AVAR.

 
Abusing and leveraging intelligence from Social Media Platforms
Nitesh Dhanjani, Senior Manager, Ernst & Young
The goal of this presentation is to raise consciousness of how the new paradigms of social communication bring with them real risks, as well as marketing and economic advantages. It will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals. Topics of discussion will include:
Hacking the psyche: Remote behaviour analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware
Techniques on how individuals may be remotely influenced by messaging tactics and how criminal groups and governments may use this capability
Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition
Case study on how social platforms are the next-generation operating systems and how a security defect can lead to a compromise of the victim's data

BIO: Nitesh is a well-known security researcher, author, and speaker. Nitesh is currently senior manager at Ernst & Young, where he advises some of the largest corporations around the world on how to establish enterprise-wide information security programs and solutions. Nitesh is also responsible for evangelising brand new technology service lines around emerging technologies and trends such as cloud computing and virtualisation. Prior to his current job, Nitesh was senior director of application security and assessments at a major credit bureau, where he spearheaded brand new security efforts into enhancing the enterprise SDLC, created a process for performing source code security reviews and threat modelling, and managed the Attack & Penetration team. Nitesh is the author of Network Security Tools: Writing, Hacking, and Modifying Security Tools (O'Reilly) and HackNotes: Linux and Unix Security (Osborne McGraw-Hill). He is also a contributing author to Hacking Exposed 4 (Osborne McGraw-Hill) and HackNotes: Network Security. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.
 
Built in, not bolted on: web application security done right
Paul van Woudenberg & Theo van Niekerk, ThinkSmart Information Systems and Security
Most of the money thrown at securing systems misses the weak spots. Huge amounts are spent securing infrastructure while web applications are left exposed. It is a crisis that is largely ignored.
Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempting to address only the most glaring findings. They may even simply throw up a web application firewall to mitigate the threats. Such bolted-on solutions are not long-term answers to web application security. Instead, we advocate a built-in approach. We will show that by weaving security into the software development life cycle, and using mature resources for secure coding standards, toolkits and frameworks such as those from OWASP, development teams can consistently produce secure systems without dramatically increasing the development effort or cost.
To support this notion, we will talk through a production application built in this way, describing security in the development process and the design. We will work through code extracts showing how the OWASP resources such as the Development Guide and the Enterprise Security API (ESAPI) were used.

Key points for discussion include:

Why bolted-on solutions are not long-term answers to web application security
Arguments in favour of a built-in approach to web application security
From theory to practice: Security in the development process and design
Using OWASP resources such as the Development Guide and ESAPI

BIOS:

Paul is a co-founder of ThinkSmart, a focussed software development shop with a range of experience in web application security. After graduating as an Electronic Engineer, Paul moved into software development as a business analyst and architect in the mid-nineties. He acquired a taste for information security on an early web security project in 1997 when he was part of the team that developed a large SA insurer's first web application security framework. It was on this project that he met Theo, with whom he later founded ThinkSmart. Paul has diverse skills in information security, from writing policies a la ISO27001 to designing transaction authentication processes. Paul is at his happiest professionally when bridging the gap between business and technology. He holds an M.Eng from Stellenbosch University, is a CISSP and CSSLP (ISC2 qualifications) and is a member of OWASP.

Theo is a co-founder of ThinkSmart, a focussed software development shop with a range of experience in web application security. Theo is a seasoned software developer with a strong focus on security. He started programming on an Apple ][+ when he was 12 years old. At university his hacker-like curiosity sometimes got him into trouble with the Unix account admins. In 1997 Theo was part of an R&D team exploring new web technologies at a large SA insurer, where his security skills started paying the bills. It was here that he met Paul, with whom he later founded ThinkSmart. This project spawned a product, eThentiGate, an AAA proxy, which was showcased at the 1999 JavaOne conference. At ThinkSmart, Theo helps clients build secure systems from the inside out, focussing on applying OWASP tools, leading code audits, performing security testing and generally providing web application security thought leadership. Theo holds a B.Econ from Stellenbosch University and is a CSSLP (an ISC2 qualification). He is also an active member of OWASP and a contributor to the OWASP development guide project.

 
A consistent security model for web services
Dominique dHotman, Manager: Enterprise Architecture, Ooba
This session draws extensively on the work done at Ooba (previously MortgageSA), focusing on the organisation's SOA deployment across many different business lines and application types. These web services are connected both internally and externally to the organisation, so both insider and outsider threats have to be covered. The talk will present practical advice on building WS-* compliant software across the board, as well as the application of a consistent security model aimed at ensuring connections with clients and/or business partners are established in a simple, secure and standards-based fashion. It will also touch on WS-* security standards and how Ooba's development lifecycle ensures governance and consistent application.

Key points for discussion:

The Ooba story: SOA deployment across many different business lines and application types
Practical advice on building WS-* compliant software across the board
How to connect with clients and/or business partners in a simple, secure and standards-based fashion
How Ooba's development life-cycle ensures governance and consistent application

BIO: Dominique's current role at ooba is Manager of Enterprise Architecture, where he is responsible for the various technical teams in the organisation, including development, systems administration, data centre facilities and support. His background is predominantly in systems engineering, where he has spent the majority of his career building networks and business processing systems to support financial services applications. This low-level grounding provided an excellent base when moving, some four years ago, into a more Enterprise Architecture (EA) focused position. As the EA lead at ooba, Dominique has worked with his team to design a comprehensive architecture that supports the complex operating environment of this multifaceted organisation, and has systematically managed the programme of projects that has seen its implementation. Much of the technical work he has been involved in over the past two years has been in software engineering, designing the core patterns and standards that are used throughout the development environment and lifecycle.

EVENT SPONSOR
SecureData offers extended value-add to customers, resellers and vendors alike. Our multi-centric, best-practice security solutions span the perimeter, network, endpoint, storage application and data protection - all supported by SecureData’s highly skilled technical, product, marketing and sales teams, enabling our partners to deliver high-quality security solutions and services.