Conference Program
2009 Cyber Threat Trends and Predictions
Rick Howard, Director, iDefense Security Intelligence, VeriSign, Inc
Track: Threat
Session Open: Yes
iDefense presents the latest trends in Cyber Warfare, Cyber Espionage, Cyber Terrorism, Cyber Hacktivism and Cyber Fraud. It then attempts to predict some important Cyber Security Disruptors: technologies and procedures coming down the pipe that will fundamentally change how we all protect the enterprise.
A Vendor Approach to Secure Software Development: Addressing Vulnerability in the Product Development Lifecycle
Reeny Sondhi, Senior Manager of Product Security Assurance, EMC Corporation
Track: Mitigation
Session open: Yes
This session will address the steps a leading IT infrastructure provider is taking to ensure that security is a vital part of its product development process. The session will also review resources available in the public and private domain to help software security teams apply a similar approach to their software development process.
Specifically, participants will be taken through the following:
-- The implementation of a product security policy which guides product development teams and is a common reference for product organizations to benchmark product security against market expectations and industry best practices
-- A role-based security engineering curriculum to train new and existing engineers on job-specific security best practices and how to use relevant resources
-- A security development lifecycle process that overlays security on standard development processes for achieving a high degree of compliance with the above referenced product security policy
-- A security architecture with a set of software, standards, specifications and designs for common software security elements such as authentication, authorization, audit and accountability, cryptography and key management using state-of-the art IT security technology
-- A product security response center that defines and enforces the organization’s vulnerability response policy to minimize risk of exposure to customers
ActiveX Vulnerability Mitigation with Dranzer
Will Dormann, Vulnerability Analyst
CERT/CC
Track: Vulnerability
Session open: Yes
Attackers frequently target client-side vulnerabilities. With Microsoft Windows systems, Internet Explorer is a common target. Web browsers are constantly handling untrusted data, and a flaw in a web browser can result in the execution of malicious software as the result of viewing a web page. Internet Explorer is especially vulnerable due to its support of ActiveX technology. Because a vulnerability in any ActiveX control can put Internet Explorer at risk, the browser has a very large attack surface.
The CERT/CC has publicly released Dranzer, which is a tool for detecting vulnerabilities in ActiveX controls. Dranzer can be useful to system administrators because not only will it indicate the ActiveX controls that are installed on a system, but also it will indicate which controls are flawed. It does not simply check against a list of known-bad controls, but rather it will perform live tests of the controls present on a system. By disabling vulnerable ActiveX controls, system administrators can minimize the attack surface of Internet Explorer and help protect against zero-day vulnerabilities.
This presentation will discuss the risks of ActiveX and demonstrate how Dranzer can be used to protect systems.
Agencies Point of View of Trusted Internet Connections (Panel Discussion)
Panelists: tbd
In November 2007, OMB announced the Trusted Internet Connections (TIC) Initiative to optimize individual agency network services into a common solution for the Federal government. The TIC effort maps to the Comprehensive National Cybersecurity Initiative (CNCI) #1. This initiative has the following objectives:
- Reduce and consolidate the number of external access points, including connections to the internet; and
- Ensure that all external connections are routed through an OMB-approved TIC.
20 Agencies have been identified as TIC Access Providers (TICAPs) and are authorized two locations at their agency to provide managed TIC services to customers internal to their Department. Other Agencies that are seeking TIC services may acquire them through GSA’s Networx Program.
This presentation addresses the challenges that agencies are facing as they comply with the TIC Initiative. The panel will consist of members from the TIC Program Management Office, three TICAP agencies, and one agency seeking TICAP services. The members will discuss the trade-off between standing up a TICAP and acquiring TIC services through the Networx contract. They will discuss governance, management, and technical challenges associated with TIC implementation. The panel will review TIC performance metrics and highlight some of the 51 critical technical capabilities.
All Source Cyber Threat Analysis - An Intelligence Challenge
Casey Dunlevy, BAE Systems, Inc.
Technical Director, Strategic Cyber Sec Programs
Track: Threat
Session open: Yes
This presentation outlines an approach for U.S. Government Departments and Agencies to perform integrated technical and all-source analysis of cyberspace threats to U.S. national security interests. It takes an all-hazards approach with a primary focus on the development of a viable integrated analytic capability against man-made threats, including the potential for predictive I&W analysis. The concepts put forth are founded on tried and true analytic techniques long practiced as part of the Intelligence Process.
Application Whitelisting: Defending an Application Environment
Tom Murphy
Bit9, Inc.
Chief Strategist
Track: Mitigation
Session open: Yes
Whether it’s classified defense information or taxpayer records, government agencies are bound by law and their commitment to the public to keep confidential information private. Recent news on cyber spies repeatedly hacking critical design data in the U.S. Joint Strike Fighter project raises an important question: as government continues to become more Web-focused, how secure is our information?
Standards such as the Federal Information Security Act (FISMA) were put in place to provide federal agencies with a uniform set of information systems processes. To meet these standards, agencies at the federal, state and local level are turning to application whitelisting as a proactive approach to protect their organization’s endpoints. Providing IT staff with greater visibility over what applications are executing within their networks makes them better equipped to enforce the use of authorized applications and prevent the installation or execution of malicious, illegal and unauthorized software that creates vulnerabilities and enables attacks. A well-managed application environment is also less expensive to operate, saving valuable taxpayer dollars when it matters most. As the Senior Strategist for the company that pioneered the concept, Bit9’s Tom Murphy is well qualified to discuss whitelisting’s emerging role within government agencies.
Backwards Security Models
Michael Montecillo, Principal Analyst, Enterprise Management Associates
Track: Attack & Detection
Session open: Yes
Firewalls, Intrusion Prevention Systems, Network Behavior Anomaly Detection Systems, End-point security...and still attacks are slipping through the cracks! This session will take a look at some popular methods for attacking environments and how those attacks are bypassing current security countermeasures. The session will primarily focus on application attacks and why what most organizations are doing to defend their applications just isn't enough. The session will focus on what those attacks are and how attackers can simply alter their methods to defeat most security countermeasures available. Next, some necessary steps to protect organizations are discussed. The session will end with an overview of how to respond to application incidents when they occur.
Botnet Detection and Defense
Aaron Shelmire, CERT
Rhiannon Weaver, CERT
Track: Attack & Detection
Session open: Yes
Botnets have been and continue to be one of the most significant threats to cybersecurity. We discuss the general characteristics of botnets and defensive strategies against them, and discuss our studies of Conficker and other network malware in more detail to explore emerging trends in botnets.
In November of 2008, the Conficker worm began spreading through a pair of vulnerabilities for which patches had been available for several months. Over the following months the resulting botnet was improved by its authors by adding interesting communications features. First, the “domain flux” technology included in the original version was enhanced; then peer-to-peer communications were added to make it ever more resilient.
We will explore how effective some of these botnet command and control (C&C) methods are, methods to detect them, and measurements of botnet size.
Botnet Hunter - Detecting Infected Systems Using Network Dialog Correlation
Phil Porras
Track: Vulnerability
Session Open: Yes
Malware is employing a variety of strategies to circumvent and disable classic network and host-based defense technologies. In response, the research community is devising new ways to model and diagnose modern malware infections based on a variety of behavioral patterns. One such behavioral infection diagnosis strategy is called network dialog correlation, which is embodied in the free Internet release of BotHunter. BotHunter is a passive network analysis system designed to correlate the two-way communication flows between vulnerable computers and external hackers. It develops an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter tracks the underlying key interactions that most commonly occur when a PC is infected by a malicious software application, such as adware, spyware, viruses, worms, and botnets. This talk will present the dialog correlation strategy in the context of tracking modern Internet malware infections inside real world computer networks.
DEVELOPING AN INTELLECTUAL PROPERTY PRACTICE
Marc Miller, Trial Attorney, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
Matthew J. Bassiur, Trial Attorney, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
Candina Heath, Assistant United States Attorney, Northern District of Texas
Wesley L. Hsu, Assistant United States Attorney, Central District of California
Robert Kern, Assistant United States Attorney, Northern District of Ohio
This panel will feature experienced CHIP attorneys who will discuss various aspects of developing an intellectual property practice in districts of all sizes. The panel members will address obtaining case referrals and continuing interaction with rights owners. Panel members will relate how to identify, train and work with federal, state and local agents interested in investigating intellectual property cases. The panel will also share effective methods for managing multi-district cases. Lastly, the panel will illuminate regularly used referenced materials, go-bys and common issues encountered in IP cases.
Breakout A
Tracking the Elusive Cybercriminal
Adam J. Bookbinder, Assistant United States Attorney, District of Massachusetts
Michael J. Stawasz, Senior Counsel, Computer Crime, Computer Crime and Intellectual Property Section, Department of Justice
This presentation will focus on several of the methods by which cybercriminals hide their true identity and location and then address the law enforcement techniques available to attempt to defeat them. Specifically, we will talk about how criminals often use proxy servers to hide their IP addresses, and we will discuss how getting a search warrant to use an FBI Network Investigative Technique (NIT) can sometimes successfully identify the originating IP address and locate the perpetrator. We will also discuss a less well-known method criminals are using to hide – hacking a cable modem and an ISP so that they can spoof not just their IP address but also their MAC address. And we will focus on a recent case study in which a hacker was able to stymie law enforcement for months with this technique, until the agents and the ISP whose network he was hacking worked together to successfully identify him.
International Intellectual Property and IPLEC Updates
Christopher S. Merriam, Assistant Deputy Chief, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
Matthew A. Lamberti, Assistant United States Attorney, Northern District of California
Christopher P. Sonderby, Attaché for U.S. Department of Justice, United States Embassy in Bangkok
The Intellectual Property Law Enforcement Coordinators from Bangkok, Thailand and Sofia, Bulgaria will provide an update on recent international issues and discuss practical steps for obtaining evidence abroad and prosecuting cases involving international aspects. In addition, the session will cover the challenges and opportunities of investigating and prosecuting intellectual property offenses in the international environment.
Breakout B
Tracking Devices
Mark Eckenwiler, Associate Director, Office of Enforcement Operations, Criminal Division, Department of Justice
This session explores the legal issues concerning the installation and use of physical tracking devices. It begins with an overview of the two key Supreme Court decisions in the area, Knotts and Karo. The session then proceeds to a discussion of the different types of tracking devices, and the considerations in determining whether use/installation requires court authorization. Finally, the session covers the procedural requirements of the 2006 tracking device amendments to Rule 41 of the Federal Rules of Criminal Procedure.
Case Study: Using CHIP Tools in an Unauthorized E-mail Access Case: United States v. Mendte
Michael L. Levy, Assistant United States Attorney, Eastern District of Pennsylvania
This will be a case study of an investigation into the unauthorized access into the e-mail accounts of another person. It will illustrate the use of subpoenas, pen/trap orders, and search warrants.
Changes in Malware Delivery
Christopher Jordan, VP Network Intelligence, McAfee
Track: Mitigation
Session Open: Yes
During this economic downturn, cybercriminals are becoming financially more aggressive. Data breaches are at an all-time high and government agencies are feeling the impact. Because our infrastructure is not designed to prosecute those responsible for a large percentage of cyber incidents, cyber criminals are executing more severe attacks and getting away with them.
There are steps that can be taken to protect against this problem. Mr. Jordan can discuss these processes, providing examples and specific steps government agencies can take today to improve their defenses. For example, when an agency’s network is breached, the first step in preventing future attacks is pinpointing how the breach occurred and determining the extent and impact of the breach. The government is turning to near real-time network forensics to capture and analyze network events in order to locate the source of the attack. Many of these tools, like audit logs, provide factual evidence that can stand up in a court of law, supporting the prosecution of cybercriminals while minimizing and addressing the issue.
This session will focus on current cyber threats, their potential impact on government networks and the network forensic tools being used to prevent such attacks and support prosecution of these cybercriminals.
CHOOSING YOUR TARGETS: Prioritizing Security Objectives in Tough Times
James Strieber
Strieber Consulting
Principal
Track: Reflection
Session open: Yes
This presentation and follow-on discussion session will cover the vital area of managing security organizations, specifically resetting plans and priorities during a challenging time for many organizations: economic crisis, budget cuts, and an unprecedented level of threats from external sources.
The session will first provide a short review of current security organization and industry challenges (staff distracted and/or reduced, vendors merging, more vulnerable technologies, high level of attacks from individuals and organized groups). Discussion will continue with some management approaches to avoid (chasing fad technologies at the wrong end of the Gartner hype cycle, irrational status quo expectations, etc.) and some likely high general priorities to pursue (attention to execution of 7x24 basics, data-on-the-move, the security organization’s duty to guard the organization’s perimeter, etc.).
Next, some history of security priorities from inside to outside will be followed by factors driving external threats as priorities (cloud computing, data breach statistics, reasonable safeguard obligations, etc.). The discussion will address seven more specific examples of priorities that should be common to most security organizations, recognizing the need for communication and consensus with the broader organization.
As with any discussion of management and planning, the presentation will include some humor and some opinion, but it will better develop attendees’ thoughts on prioritizing, and conclude with an opportunity for questions and comments from session attendees.
Cloud Computing Risks and Associated Mitigation Strategies
Ovie Carroll, Director of the Cybercrime Lab at U.S. Department of Justice Computer Crime and Intellectual Property Section
Derek Gabbard, Co-Founder of Looking Glass Cyber Solutions
Nils Puhlmann, Co-founder of the Cloud Security Alliance
The relative success of risk mitigation strategies is defined by the ability to properly identify, characterize, and ultimately assess threats. The adoption of ("public") cloud solutions is characterized by the customer's total reliance on the security policies enforced by external service providers. Without sufficient visibility into their supporting infrastructure, how can IT managers optimally assign scarce resources to minimize elements of uncertainty associated with escalating instances of cybercrime? As adoption of cloud-centric solutions is gaining momentum, there are several critical security components that deserve careful consideration - many of which are being glossed over in the interests of compelling cost savings.
During this session, Civitas will present the distinct risks unique to cloud architectures, and will offer a framework for analyzing those risks by detailing critical security dimensions specific to the cloud. Civitas will then open the discussion up to a panel of leading cloud security experts from government, industry, and the IT community. Panel members will aim to: (1) explore competing models used by independent, third-party auditors to validate critical security controls; (2) define forward-looking properties of cloud service offerings that address emerging customer concerns; (3) share a consensus opinion on what data ultimately does and does not belong in the cloud; and (4) propose sensible risk mitigation approaches for current cloud computing models.
Cross Sector Cyber Security Coordination
Panelists:
Brian Willis, President, IT-ISAC
Tom Wills, CISSP, SOC Manager, FS-ISAC
John Sabo, Immediate Past Chair, ISAC Council
Bob Dix, Vice President of Government Affairs and Critical Infrastructure Protection, Juniper Networks
Jenny Menna, DHS, NCSD
Track: Reflection
Session Open: Yes
This panel session, with representatives from the ISAC Council and DHS, will examine how the critical infrastructure sectors responded collectively to the Conficker threat. This session will highlight actions of individual sectors, and will detail cross sector coordination and response, including how lessons learned from previous incidents and exercises were incorporated.
Cyber Exercises: A View from the Trenches on What We've Found, Where We're Headed, and the Lead Up to Cyber Storm III
Brett Lambo, Director of the Cyber Exercises Program, Department of Homeland Security, National Cyber Security Division (NCSD)
This panel is comprised of Federal, state, and private sector representatives with experience and expertise in cybersecurity exercises. The panel will discuss and answer questions about their experiences and current developments with respect to state, sector, and national cyber exercise efforts. The group will discuss the Cyber Storm exercise series, including past findings, and how these findings, along with other state, federal, and sector efforts, contribute to the ongoing development of cyber response capabilities - ultimately to be exercised again in Cyber Storm III in September 2010.
Deep Packet Inspection for Government Information Assurance Network Protection
Joel Ebrahimi, Solutions Engineer, Bivio Networks
Track: Threat
Session open: Yes
Now more than ever, government agencies have a need to fully understand and manage who is on the network, what users are doing and the resources to which they have access. Faced with a new generation of network threats, government IT managers are finding that traditional perimeter security tools leave their networks exposed to threats from outside and inside the agency.
It is not enough simply to respond to cyber threats. Agencies must get ahead of the curve by creating a policy-centric network that effectively identifies and neutralizes potentially malicious threats before they have the chance to inflict harm. The challenge has been and continues to be how best to reconcile effective network security policy with the goal of deploying a secure common communications platform that supports information sharing within and between agencies.
Deep packet inspection (DPI), a technology that allows significantly greater understanding of and control over network traffic, is the answer. DPI gives unprecedented visibility into all network traffic to identify and remedy security vulnerabilities like viruses, data leakage and unauthorized access without sacrificing network speed or performance.
The audience will learn about current and anticipated information assurance and network threats; the limitations of today's technology solutions; and how agencies can best take advantage of DPI technology for information security and assurance.
Defending Against The New Generation of Application Threats
Lee Klarich, Vice President of Product Management, Palo Alto Networks
The information threats targeted at today's enterprise networks are very different than those impacting enterprises 10 years ago. Now, more than ever before, these threats are targeting applications - especially the new generation of Internet applications so pervasive on today's enterprise networks. Attackers largely motivated by money are finding clever ways to exploit vulnerabilities in legitimate business applications, as well as personal and consumer applications.
Traditional enterprise security infrastructures (including legacy firewalls and intrusion prevention systems) have not adapted to these changes and, therefore, are unable to provide protection at the boundary of the Internet and corporate network. Consequently, most IT organizations are blind to the essential elements enterprises need to make appropriate policy decisions - applications, users, and content.
This session will include a discussion of emerging application threats, provide insight into why traditional network security products can't control them, and offer advice on what organizations can do about this problem going forward. Attendees will learn:
- Specific examples of how modern attacks and threats work within and across applications
- How existing security infrastructure is ill-equipped to defend organizations against modern threats
- How organizations can address this issue - by simplifying security infrastructure, not just "adding more stuff"
This panel will discuss the Department of Defense's innovative pilot program to increase the security of the Defense Industrial Base's networks.
Panelists:
Steven D. Shirley
Guy Copeland, CSC
Victoria Morgan, ASD NII
Mischel Kwon
Panelists:
Colby DeRodeff, Arcsight
Don Cohen, Treasury
Andy Ogielski, Renesys
Oliver Friedrichs, Immunet
Jason P. Hoffman, CISO, Kaiser Permanente
Track: Vulnerability
Session Open: Yes
Your enterprise relies on the Internet to stay connected with dozens of counterparts and suppliers, big and small. When they have Internet problems, you do too. Panelists will be security leaders who protect large government ecosystems as well as private sector experts who will review techniques and technologies for monitoring their (and your) partners' Internet presence, as well as your own, to provide a richer definition of critical end-to-end service availability.
Effectively Using CHIP and Non-CHIP Tools to Investigate/Prosecute Identity Theft and Related Charges
Sean Hoar, Assistant United States Attorney
Richard Goldberg, Assistant United States Attorney
Mitch Dembin, Assistant United States Attorney
Robin Taylor, CHIP Coordinator
This panel discussion will address effective techniques - both conventional and technologically sophisticated - to investigate and prosecute identity theft-related cases. This panel will draw from the combined experiences of CHIP Coordinators who also serve as their district Identity Theft Point of Contact. Panelists will discuss the necessity of utilizing both conventional and technologically sophisticated investigative techniques to identify defendants, determine the scope of conduct, organize case information, track and seize assets, and present evidence in court. If you handle identity theft-related cases, whether they emanate from network intrusions, trade secret theft or credit card fraud, you will not want to miss this session.
Evolving National Cyber Security Strategies
Amit Yoran, Chief Executive Officer
NetWitness Corporation
Track: Reflection
Session Open: Yes
This session provides an overview of the evolution of cyber attack and exploitation methodologies directed at U.S. Government agencies up to the present and looking forward within the next three to five years. The session also offers concrete recommendations regarding required cyber strategy, public policy changes, and technology standards needed for the public and private organizations to cope effectively with the changing threat landscape.
Learning Objectives:
This session provides GFIRST5 attendees:
- A brief historical review of the evolution of cyber attacks and exploitation techniques directed at U.S. Government agencies, up to the present.
- Informed predictions regarding future trends in cyber threats during the next three to five years, and what can be expected in various emerging technology areas.
- A discussion of the limitations of current public policy relative to current and future threats, and specific recommendations regarding what can be done to improve security strategy, policy and technology standards.
Evaluating the Trustworthiness of Third Party Threat Feeds
Eddie Schwartz, Chief Security Officer, NetWitness Corporation
Track: Threat
Session Open: Yes
Many USG agencies have built network threat intelligence models to defend against botnets, dynamic DNS, nation-sponsored and organized crime groups and other advanced threats. These models rely heavily upon the integration of third-party threat data feeds from organizations such as SANS, Symantec, SRI, Shadow Server, Verizon, Spamhaus, and other open, closed, and commercial sources.
Demonstrating significant analysis of various threat data providers and fusing this data with live network traffic, this session presents original research into the breadth, depth, accuracy and reliability of the various threat feeds, and their respective trustworthiness and usefulness relative to situational awareness, trend analysis, and the incident response process.
Examining the Nexus of Cyber Crime, Cyber Warfare and Stealth Malware
Ashar Aziz, Founder and CTO, FireEye, Inc.
Track: Attack & Detection
Session open: Yes
The continuing success of stealthy, Web-borne malware and botnets as the weapon of choice for today’s sophisticated hackers indicates that even the most well-protected networks are vulnerable to cyber attack. Cyber crime is a major underground activity, funding myriad highly lucrative yet illegal business models and costing legitimate organizations billions of dollars both in terms of lost revenue as well as theft of products and services. Meanwhile, cyber warfare is emerging as an effective military tactic to disrupt and disable enemy operations. To disarm cyber criminals and cyber terrorists, security efforts must focus on stealth malware. Stealth malware is the primary method used to infect and compromise millions of public and private PC systems and organize them into armies of bots or botnets that execute elaborate and elusive cyber crime and cyber warfare schemes. Stealth malware is increasingly sophisticated, spreading through vulnerabilities in widely used end-system software, such as operating systems, browsers and mainstream applications. To prevent unauthorized infiltrations, organizations must first understand the malware infection cycle, and take protective measures at every step. This session examines the nexus of cyber crime, cyber warfare and stealth malware. Attendees will learn how to detect, defend against, and mitigate discovered Web malware and botnet infiltrations.
FBI Cyber Division Update
Shawn Henry
Assistant Director
The head of the FBI Cyber Division will provide an update on recent investigations involving computer and related crimes around the country. He will also discuss recent investigative issues on these cases.
Federal Legislative Outlook on Cyber Security
Shannon Kellogg, Director of Information Security Policy, Office of Government Relations, EMC Corporation
Track: Reflection
Session open: Yes
In this session, a leading national voice on cyber security policy and regulatory issues will update the audience on a range of congressional proposals intended to strengthen federal information security and critical infrastructure security.
Shannon Kellogg, Director of Information Security Policy for EMC Corporation’s Office of Government Relations, will take participants through federal legislation and other national regulatory developments that can impact federal agencies, businesses and consumers for years to come. Kellogg, who serves on the CSIS Commission for Cyber Security, will also explore the recommendations made by the Commission to the administration in an effort to craft a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure. He will also shed light on which of the recommendations have been successfully implemented thus far and which ones are likely to be considered in the months ahead, and will discuss other legislative developments.
FIGHT CLUB - Advanced Sensor Data Fusion & Correlation
Panelists:
Tim Belcher, CTO, NetWitness Corporation
Paul Green, CEO, G2 Incorporated
Sean McAllister, Chief of Enterprise Sensor Grid Management, DISA
Charles Nelson, Division Chief for Engineering & Integration, Vulnerability Analysis & Operations Group (VAO), NSA
Track: Attack & Detection
Session Open: Yes
The on-going challenges facing Computer Network Defenders (CND) range from rapidly growing data volumes and the increased difficulty of finding the "actionable" nugget of information to the difficulty of leveraging the best and brightest across the community of CND analysts. A unique approach is being jointly developed by the NSA and DISA to better address these challenges across the DoD and bridge the gap between intrusion analysis research and DoD Cyber analysis operations. The approach involves building a secure community data center environment that strives to enhance network sensing technologies, expand analyst access to broad network metadata sets, and further explore new analytic techniques, while also capitalizing on the power of broad community expertise. Remember, if this is your first time with FIGHT CLUB - you have to get in the game!
Finding the Cyber Cops
Panelists: David Perry, Trend Micro; Stacy Arruda, FBI
Track: Threat
Session Open: Yes
If your car is stolen, your local police department knows just what to do. What if your bank account is stolen? Are the criminals local? Are they even inside the USA? Do your local police have guidelines to preserve evidence on your PC? Do they know how to help you track down your money? Do they even have advice for you on how to reclaim your identity?
The last mile of cyber crime investigation needs some immediate help. Join a panel with Trend Micro's Director of Education David Perry, FBI Special Supervisory Agent Stacy Arruda, and representative attorneys, law enforcement personnel and other cybercrime experts to discuss the efforts to arm your local police in a cyber world. More than just a discussion, this is a long overdue call to action.
The focus of the panel discussion is on how local police departments represent a critical yet underdeveloped and under-resourced asset in battling cybercrime. The participants will initially discuss what heretofore have been the traditional roles and responsibilities of local law enforcement agencies. They will then examine how the growth of cyber crime is dramatically impacting their traditional roles as the officials and first responders on the spot, with an entirely new genre of sophisticated crime to deal with, requiring significant investment in manpower, training, technology, equipment and investigative techniques. The session will detail the kinds of cybercrimes police departments now must contend with, and how, without significant assistance, these could threaten to overwhelm them. The panel will then make recommendations on ways to arm local law enforcement officials with the tools and techniques to make their position at the last mile of cyber crime investigation an effective and productive one, and stress the reasons why this is a matter of national urgency.
Federal Desktop Core Configuration (FDCC) and Security Content Automation Protocol (SCAP) and Security Configuration Management (SCM) Best Practices
James Hansen, Director Product Management, Security and Compliance, BigFix
Track: Mitigation
Session open: Yes
When it comes to specific IT guidelines for regulatory compliance, mandates like HIPAA, SOX and GLBA are notoriously vague and open to interpretation. This results in uncertainty, inconsistency, and downright panic for IT security teams when it’s time for the audit. Clearly, more direction is needed.
Unlike other regulatory standards, the FDCC (Federal Desktop Core Configuration), maintained by NIST and mandated by the OMB, provides highly detailed direction on the security configuration of all desktops within the networks of federal agencies. IT security staff from federal and commercial organizations attending this session will be provided:
- A detailed overview of FDCC and SCAP
- How some federal agencies are managing their FDCC projects
- How organizations can benefit from adopting the standard
- Best practices for implementing and assessing against FDCC - at low cost, with rapid roll-out
From Technology to Information Sharing: The Latest Strategies to Combat CyberSecurity Threats
Peter Allor, Senior Security Strategist
Thomas Cross, Manager, IBM ISS X-Force Advanced Research Team, IBM Internet Security Systems
Track: Threat
Session open: Yes
The threats that federal IT security experts face in safeguarding their environments are always increasing in their frequency and complexity. Attackers constantly adapt their techniques to bypass new security measures. What do computer criminals know and where are they targeting their latest attacks? And how can public and private organizations work together to systematically coordinate countermeasures to stop these constant cyber threats?
Come hear the latest information about all aspects of threats that affect Internet security at federal agencies, including vulnerabilities and cyber-threats -- ranging from SQL vulnerabilities in web applications to automated browser exploit toolkits to omnipresent spyware.
In addition, you will also hear information on how key public and private leaders are exchanging information on these burgeoning threats through the IT-ISAC, an organization that provides a mechanism for law enforcement, government officials (including the Intelligence Community) and private industry to coordinate information on online vulnerabilities and countermeasures designed to prevent them.
This presentation is specifically designed to help security experts at large federal enterprises understand the changing nature of both the threat landscape and the relative skills of the next generation of hackers - their motivation, their tactics and what might be done to mitigate their constant attacks.
Got Security? An Overview of the DHS Federal Network Security Branch
Panelist: tbd
The Federal Network Security (FNS) Branch addresses the need for a single, accountable focal point for achieving Cybersecurity throughout the federal enterprise. The creation of FNS is in response to multiple policy mandates, directives, and legislative acts. FNS was formed in 2008 to coordinate management and execution of the Information Systems Security Line of Business (ISSLOB) and the Trusted Internet Connection (TIC) Initiative outlined in OMB Memo 08-05, also known as CNCI #1. FNS has evolved into four distinct program areas focused on:
- Providing a holistic approach to government network security
- Addressing common challenges faced by all agencies
- Designing, implementing and maintaining solutions that address the Cybersecurity needs of federal agencies
While each agency maintains responsibility for the operations and security of its internal networks, FNS will reduce duplication of individual agency efforts; increase the baseline security of federal government networks; provide enhanced capabilities for small and micro agencies; and ensure the long-term prevention of attacks against the federal enterprise by assisting agencies with implementation and compliance management of Information Systems Security policies and guidelines. This presentation, given by FNS Executives, will highlight the Branch’s mission, goals and priorities in helping agencies address Cybersecurity issues.
David Ross, Principal Consultant, MANDIANT
Track: Attack & Detection
Session open: Yes
The Advanced Persistent Threat (APT) is an adversary whose primary goal is simply to remain on your network until the time comes that they want something you have. Toward this end, they have become masters at hiding in plain sight. Once a network is infiltrated, they spread across systems using valid credentials. Their lines of communication are scattered across seemingly random hop points and their tools are regularly modified so no one signature can find them all. These characteristics, together with how quickly they replenish their stock of occupied systems, turn traditional Incident Response and Remediation tactics into a circular game of whack-a-mole. As responders take systems off-line, the attackers move to using new tools that avoid detection.
This briefing explores new ways to find the APT and scope the occupation of your network to allow remediation to be as effective as possible. Through Edge Case, Differential and Reverse Signature Analysis it is possible to identify the APT's presence by looking for “how” they are instead of “what” they are. Although it is possible for their tools to have seemingly infinite combinations of traits that cause them to blend into the noise, there are only a handful of persistence methods from which they can choose. By looking at the problem from this new perspective, you can see nails standing up everywhere “waiting to be hammered down.”
Josh Goldfoot, Trial Attorney
CCIPS
Assuming no technical knowledge on the part of the audience, this class acquaints prosecutors with the fundamental workings of the Internet, sufficient to help understand key investigative techniques, the reliability of evidence, and the nature of some Internet-specific crime. The class covers networks, Internet Service Providers, IP addresses and routing, servers, domain names, e-mail, the Web, peer-to-peer networks, instant messaging, File Transfer Protocol, and basic hacking.
Ideas and Lessons Learned In Building a World-Class CIRC
Roland Cloutier, Vice President, Chief Security Officer, EMC Corporation
Track: Attack & Detection
Session open: Yes
EMC’s newly constructed world-class Critical Incident Response Center (CIRC) is the company’s security hub that monitors a network supporting 40,000 people worldwide, 400 sales offices and scores of partners in more than 60 countries. Established with best practices developed by RSA, the security division of EMC, the CIRC supports global log aggregation of more than 1,000 security devices and 45,000 end nodes in over 500 sites. Dedicated analysts who continually monitor for security vulnerabilities in the network can quickly identify and respond to threats, protecting critical information as it flows through the organization.
As organizations grapple with the increasing complexity of information and the nature of risk within their organizations, many have either built CIRCs or are considering establishing centers to manage their security operations. In this presentation, EMC will share the best practices it applied to building and operating its state-of-the-art CIRC. Mr. Cloutier will examine five key areas to address when establishing and operating a CIRC: facility, people, technology, procedures, and measurements. Critical factors will include: designing the layout of a CIRC, identifying the skills needed by personnel, defining and monitoring policies, measuring compliance, and continually improving an organization’s approach to security through lessons learned in CIRC operations. Any individual seeking a blueprint for building and successfully operating a world-class Critical Incident Response Center should attend this session.
Improving Infrastructure Security and Situational Awareness: Lessons from the Front
Roland Cloutier, Vice President, Chief Security Officer, EMC Corporation
Track: Attack & Detection
Session open: Yes
The CSO of a major multinational corporation with 40k employees, thousands of business partners and tens of thousands of customers will discuss the overarching strategies, approaches, and lessons learned for detecting and mitigating information security threats in real time.
Roland Cloutier of EMC Corporation will draw on years of experience in the public and private sector to discuss what he has learned in architecting multi-layered systems to detect, analyze and respond to cyber attacks. Roland will share his views on best practices and common oversights, and what actionable information is most valuable to an organization in real-time incident response.
This session will touch on:
- How organizations can protect their complex, growing digital networks with greater efficiency for both security and compliance needs
- The importance of reducing response time to security incidents in order to improve an organization’s ability to mitigate cyber threats
- Best practices for enhancing IT security through better threat identification and information risk management
Industrial Control Systems (ICS) Vulnerabilities Analyzed from a Data Set of over 100 Security Assessments of Critical Infrastructure
Jonathan Pollet
Red Tiger Security
Principal Consultant
Track: Vulnerability
Session open: Yes
The ability for a Critical Infrastructure facility to conduct its mission relies on the effectiveness and availability of the following key functions:
1. IT / Technical Systems
2. Physical Security
3. Utility Services / Facilities
4. Effective Personnel
5. Situational Awareness
6. Emergency Management
These functions are often tested or assessed independently, such as when the IS group performs a cyber security assessment, or when the Physical Security team assesses the capability of the guards, gates, and physical security. The problem with assessing these functions separately is that the organization misses cross-function interdependencies. With the convergence onto IP protocols, the physical security functions many times require the information systems networks to be available. The information systems also require physical protection. The information systems and physical security systems have environmental requirements, which require that the engineering, facilities, and HVAC controls are operational. All of these functions require the availability of utility power, water, and other key externally provided services. The ability of the facility's security team to have situational awareness of potential threats to the facility also helps the team avoid potential incidents. If an incident does occur, then the Emergency Management functions will be put to the test to quickly contain the incident, limit the impact on the facility's operations and personnel, and restore the system to normal operations.
The most effective method for assessing the readiness of a Critical Infrastructure Protection Program is to evaluate all of these critical functions together using an "All Hazard Approach" to rate the readiness of the facility to effectively manage these critical functions.
This presentation equips the session attendees with a framework for assessing the readiness of a Critical Infrastructure Protection Program, and provides key insight and lessons learned from prior CIP assessments.
Information Technology Sector Baseline Risk Assessment (ITSRA)
Robert B. Dix, Jr., Vice President, Government Affairs & Critical Infrastructure Protection, Juniper Networks, Inc.
Scott Algeier, Executive Director, IT-ISAC
Patrick T. Beggs, Director, Critical Infrastructure Protection – Cyber Security Program, National Cyber Security Division, U.S. Department of Homeland Security
Homeland Security Presidential Directive-7 (HSPD-7) established a national policy for federal departments and agencies to identify and prioritize United States critical infrastructure and key resources (CIKR) and to protect them from attack. HSPD-7 identified Communications and IT as distinct sectors and assigned oversight to the Department of Homeland Security (DHS). DHS’ National Cyber Security Division (NCSD) serves as the Sector Specific Agency for the IT sector and the National Communication System (NCS) serves as the lead DHS entity for the Communications Sector. Specifically, HSPD-7 charges DHS with maintaining an organization—NCSD—to serve as a focal point for the security of cyberspace and to facilitate interactions and collaborations between and among federal departments and agencies; state, local and tribal governments; the private sector; academia; and international organizations. The NCSD mission includes: analysis, warning, information sharing, vulnerability reduction, and risk assessment.
The National Infrastructure Protection Plan (NIPP) provides the unifying structure to integrate the existing and future critical infrastructure protection (CIP) efforts into a single national program. Under the NIPP, each of the CIKR sectors developed and is implementing a Sector Specific Plan (SSP) that details the application of the overall NIPP risk management framework to its sector. In addition to the infrastructure protection responsibilities articulated in the NIPP, the Homeland Security Act of 2002 established the following specific CIKR protection roles and responsibilities for DHS: developing a comprehensive national plan for securing the CIKR of the United States; providing crisis management in response to attacks on critical information systems; and providing technical assistance to the private sector and other government entities on emergency recovery plans. In particular, this means coordinating with federal agencies to provide specific warning information and advice about appropriate protective measures and countermeasures to state, local, tribal, and nongovernmental organizations.
The IT Sector Baseline Risk Assessment (ITSRA) is an all-hazards risk assessment that provides an evaluation of the IT Sector’s threats, vulnerabilities, and consequences and informs the development of strategies to mitigate sector-wide risks. Public and private sector partners collaboratively produced the assessment under the National Infrastructure Protection Plan’s (NIPP) sector partnership framework, and the IT Sector will use the assessment to inform research and development (R&D) resource allocation and to develop and deploy innovative and flexible protective measures to enhance the security of their organizations, which further enhances the resiliency of the critical IT Sector functions.
Public and private sector security partners have an enduring interest in assuring the availability of the IT Sector’s infrastructure—namely, its critical IT Sector functions. The IT Sector’s market-based environment enables rapid innovation and drives investments in security to meet customers’ changing needs and promote the resilience of the IT Sector. Prevention and protection through risk management, situational awareness, response, recovery, and reconstitution efforts are most effective when full participation of public and private sector security partners exists; such efforts suffer without the full participation of either partner.
The purpose of this presentation is to provide the audience with an overview of the results of the ITSRA, which will include a discussion about the approach taken to assess risk at a national- or sector-level as well as the next steps associated with mitigating and managing risk across the IT Sector.
Insiders Beware: New Technologies and Techniques to Reveal the Insider Threat
Cary Moore, Senior Enterprise Consultant, Guidance Software
Track: Threat
Session open: yes
Government agencies need to recognize the gravity of the insider threat. Gartner states that 70 percent of unauthorized access to systems is committed by insiders. By utilizing new cyber security technologies and techniques, incident response can be automated and streamlined. Learn how to determine hash values of live processes and gain the ability to search for those processes across your global enterprise. Leverage the capability to find USB devices across your enterprise to see where they are floating to, or even whether they are authorized. Taking it even further, you can now integrate the results of the scans to quickly identify threats not seen by your anti-virus software and leverage new malware attribution techniques that leap ahead of entropy to determine whether new attacks are related to previous attacks.
Intelligence Report from the Online Criminal Underground: Latest Threats & Challenges
Seth Geftic, Senior Manager, Identity Protection and Verification, RSA, The Security Division of EMC
Track: Threat
Session open: Yes
A large international online business successfully utilizes a proven supply chain, offers profitable services and technologies, and provides customer support. Unfortunately, this advanced entity is the global online criminal underground, where fraudsters collaborate and achieve common goals. Like the legitimate world, members of this nefarious entity build trust through delivering goods and services, and reputation can be the difference between success and failure. Organized cyber crime acts as a virtual ground zero for malicious activity where the most advanced attacks are born and successfully served up to unsuspecting Internet users and their computers.
This session will shed light into the tools and techniques being used by these cyber-criminals in the online criminal underground:
- Learn how to become a successful online fraudster using Fraud-as-a-Service to make it easier and faster to spread malicious crimeware
- Discover other methods, such as social engineering, that cyber-criminals use in order to infect users' machines and why they are so effective
- Understand the links between online attacks against the public sector compared to online banking portals
- Find out how ordinary citizens get recruited as “mules”
- Learn about the sale of stolen credentials such as Social Security Numbers
Henry M. van Goethem
ManTech Security and Mission Assurance
Executive Director, Cyber Defense Division
Track: Attack & Detection
Session open: Yes
This presentation will provide in-depth examples of several real-world network intrusions targeting large enterprise networks that have occurred in the past 18 months. It describes the intricate details of the tools used to target internal users and penetrate the network and provides a breakdown of the tools used to establish command and control access to the users’ computer systems. Next, it dissects the intruder’s utilities for conducting lateral movement across the network and the methodology used by the intruders for data gathering & exfiltration. Finally, recommendations for mitigation techniques will be provided that will help organizations defend themselves against these types of attacks that target their users.
Judicial Trends, Developments in the Law of Electronic Evidence
Howard W. Cox, Assistant Deputy Chief, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
This presentation will highlight significant case law and other legal issues during the past year concerning searches of computers, electronic evidence, and related issues.
Legal, Technical and Practical Issues In Searching and Seizing Server Farms and Other Large Data Storage Devices
Howard W. Cox, Assistant Deputy Chief, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
This presentation will highlight significant case law during the past year and other legal, technical and practical issues concerning searching and seizing evidence from server farms and other large data storage devices.
Legislative & Other CHIP Updates
Richard Downing, Assistant Deputy Chief, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
Tyler G. Newby, Trial Attorney, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
In the past 12 months, Congress has made a number of legislative changes affecting both computer crime and intellectual property crime. For example, Congress closed loopholes in the Computer Fraud and Abuse Act, making it easier to prosecute identity theft. Congress also enacted the Prioritizing Resources and Organizations for Intellectual Property (“PRO IP”) Act of 2008, amending criminal IP laws to strengthen penalties for certain crimes, harmonize forfeiture and restitution provisions, as well as adding law enforcement resources, among other things. In addition, the rules committee has proposed amendments to Rule 41 relating to the search of computers that will go into effect in December. And the U.S. Sentencing Commission has improved penalties for identity theft (a bit). Experts from the Computer Crime and Intellectual Property Section will explain these changes and what they mean for prosecutors.
Live Incident Response: Memory Analysis
Rob Lee, Principal Consultant, MANDIANT
Track: Threat
Session Open: Yes
Learn how live memory collection and analysis has become a game-changing tactic in effective Incident Response and Mitigation over the past two years. Find out what will replace the tried-and-true "sysinternals" tools: capabilities that will convince you memory analysis is essential for proper incident response. Learn how to use this capability tactically and strategically within your small organization or your enterprise to help combat sophisticated threats.
Low Hanging Fruit – Mitigating the Most Common Control Systems Vulnerabilities
Sean McGurk, Director, DHS Control Systems Security Program
Track: Vulnerability
Session Open: Yes
The DHS Control Systems Security Program (CSSP) is leading a steadily growing understanding of Industrial Control Systems (ICS) security issues and methods for mitigating current vulnerabilities, as well as of new technologies and approaches being developed in response to ICS cyber security challenges. CSSP performs cyber security assessments of ICS to help industry improve cyber security in critical infrastructures throughout the United States. Mr. Sean McGurk, Director of CSSP, will present the results from 15 ICS assessments performed under the CSSP from 2004 through 2009. Mr. McGurk will describe common assessment findings broken down by category along with specific examples and recommendations. This presentation will share information on common security problems to allow vendors, public and private asset owners and other responsible stakeholders to identify and mitigate the most prevalent cyber security issues in their control systems environments.
New Techniques and Innovations: What Prosecutors Need to Know About Computer Forensics
Ovie Carroll, Chief, Cybercrime Lab, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
This presentation will highlight the importance of obtaining RAM during an investigation. Additionally, the presentation will discuss incident response issues and provide an update on recent meetings with members of the Court on forensic issues.
Obtaining Electronic Evidence Provider Series: You Can Hear Them Now: A Conversation with Verizon Wireless About How They Can Assist Law Enforcement
Richard Downing, Assistant Deputy Chief, Computer Crime and Intellectual Property Section, Criminal Division, Department of Justice
Debra Ennis, Associate Director, Verizon Wireless
Are AirCards, retention policies, and tower dumps confusing? Wondering how to get tower location data for your criminal investigation? Members of Verizon Wireless’ Law Enforcement Resource Team will answer your questions about what services they provide, what to expect, and what sort of legal process you should use to get the information you need for criminal investigations. The discussion will also include legal issues related to ECPA and the pen/trap statute.
Obtaining Stored Communications and Records
Josh Goldfoot, Trial Attorney
CCIPS
The Electronic Communication Privacy Act (ECPA) restricts the ability of prosecutors to obtain evidence from Internet companies. This class discusses ECPA and explains the steps prosecutors must take before using compulsory process to obtain stored e-mail, text messages, voice mail, and basic identifying information about the users of the Internet and cell phones.
Obtaining/Using Evidence from Social Networking Sites: Facebook, Myspace, LinkedIn and More
Jenny Ellickson, Trial Attorney
John Lynch, Trial Attorney
From MySpace to Facebook to Twitter, social-networking sites are emerging as an issue in criminal cases. This presentation introduces some key legal issues relating to the widespread adoption of social networking. Topics include: an overview of key social networks; categories of information available and the applicable legal standards and procedures for obtaining such information; issues raised by location-based social networks like Loopt and Brightkite; legal and practical issues that arise from use of social networks by witnesses, jurors, and victims; and challenges presented by the emergence of federated identity and authentication schemes such as OpenID, Facebook Connect, and Google Connect.
Over-the-Horizon Situational Awareness
Panelists:
Phyllis Schneck, McAfee
Rob Pate, Renesys
Tom Kellerman, Core Security
Richard Bejtlich, GE
Jim Christy, DC3 (invited)
Track: Attack & Detection
Session Open: Yes
It's no secret that most of the Internet is beyond our control. When the Internet's critical infrastructure fails, due to attack or natural disaster, ground zero is probably somewhere outside your organization's borders. How can you assess the impact on your stakeholders, and pass on the information they need to make sound policy decisions? Ecosystem, cloud computing, supply chain management, external and insider threats ... no matter how you look at it, there's no such thing as a "local network problem" any more. Working efficiently means working together, and working together means cooperation, coordination, and trust over the all-too-unreliable Internet. Panelists will review situational awareness technologies and sources of information that you can draw on to tell a coherent story in a time of crisis.
Partnering to Meet the Threat
Scott Algeier, Executive Director, IT-ISAC
Randy Vickers, Deputy Director, US-CERT
John Sabo, Immediate Past Chair, ISAC Council and Director, Global Government Relations, CA, Inc.
Cheri McGuire, Principal Security Strategist, Trustworthy Computing, Microsoft Corporation
Tiffany O. Jones, Public Policy and Government Affairs, Symantec Corporation
Track: Attack & Detection
Session Open: Yes
A session co-presented by Scott Algeier, Executive Director of the IT-ISAC, and a US-CERT Representative will detail industry/government operational coordination to address threats to the cyber infrastructure. It will cover how applying lessons learned from previous incidents enhanced the response to Conficker, and touch on specific initiatives that industry and government are partnering on to improve operational coordination, information sharing and collaborative analysis. A key theme of this session will be to highlight the operational successes of the NIPP partnership model in the IT Sector.
Partnering to Protect Critical Cyber Infrastructure with Deep Packet Inspection
Jeff Jamie, Consultant, Bivio Networks
Track: Vulnerability
Session Open: Yes
The Comprehensive National Cybersecurity Initiative (CNCI) addresses a long-held concern for federal IT managers: gaps in information assurance and the growing threat such gaps represent to the federal government’s vital data.
CNCI is a multi-year, multi-billion dollar project designed to take a proactive near-term and long-term approach to securing government computer systems against foreign and domestic threats.
CNCI recognizes the role public-private partnerships will play as agencies seek to detect and prevent intrusions in real-time, before they cause significant damage. With the federal government seeking ways to meet the mandated requirements while optimizing budgets and personnel, agencies will look to public-private partnerships for programmable, policy-centric technologies to manage internal and external security threats across multiple agency networks while ensuring the integrity of data.
One such technology, Deep Packet Inspection (DPI), allows more advanced knowledge of and control over data crossing the network. DPI gives unprecedented visibility into all network traffic to identify and remedy security vulnerabilities without sacrificing network speed or performance.
The audience will learn the fundamentals of DPI, as well as how the technology will be a primary component of agency efforts to meet and satisfy the CNCI mandate. The presentation will feature a case study on the use of DPI technology by the Defense Information Systems Agency (DISA).
Presentation on TIC and the TIC Compliance Validation Process
Panelist: tbd
The DHS Federal Network Security (FNS) branch is responsible for validating Federal executive branch agencies’ compliance with the TIC initiative. The TIC compliance validation assessment is referred to as a TIC Compliance Validation (TCV) and its purpose is to measure, using an objective, repeatable and consistent method, the degree of compliance with the TIC Initiative and related OMB directives and guidance, and assist in mitigating identified deficiencies.
The TCV will focus on TIC devices and services and NOC/SOC operations and services and may include sites where TIC Access Provider services or devices are located or where there are backup sites that have daily operational activities. At the end of the TCV process, a determination will be made to designate the TIC as operating at Initial Operating Capability (IOC) or Mature Operating Capability (MOC).
In this session, you will learn about the TCV process components:
- Assessment planning
- Pre-assessment
- Assessment
- Draft report
- Review and feedback
- Final report
FNS representatives in the Compliance & Oversight and Network and Infrastructure Security Architecture Programs will discuss preparation for the pre-assessment and assessment and the meaning of the capability designations, and answer questions on all aspects of the TCV process.
John Strand
Senior Security Researcher, Black Hills Information Security
Track: Threat
Session Open: Yes
Prosecution Initial Request List (PIRL) Update
Martin J. Littlefield, Assistant United States Attorney
Timothy O’Shea, Assistant United States Attorney
Erica O’Neil, Assistant United States Attorney
Ovie Carroll, Director
The presentation will concentrate on recent technical developments/advances in e-media and in forensic capabilities. Presenters will outline how the PIRL List has been modified and provide examples of how it has been utilized over the last year.
Providing Actionable Cybersecurity Information to State & Local Governments
John McCumber, Strategic Programs Manager, Public Sector, Symantec Corporation
Track: Mitigation
Session Open: Yes
Throughout the dot gov community, IT professionals are charged with protecting critical government information resources from both known and emerging security threats. The US-CERT plays a significant role in tracking both threats and technical vulnerabilities. However, turning these recommendations into actionable next steps continues to be a challenge for many state and local government security practitioners.
To address the critical need for actionable information spanning the largest segment of the public sector IT infrastructure, there is now a requirement for a structured national architecture to collect, filter and disseminate vital threat and vulnerability data. In order to meet this emerging demand, we will present a regional Security Operations Center (SOC) architecture that can greatly enhance the effectiveness of the US-CERT’s security mission.
The purpose of this presentation will be to leverage global intelligence providing threat and vulnerability information through building a comprehensive regional SOC architecture. Symantec experts will also share information gleaned from Symantec’s Global Information Network. The following points will be covered in this discussion:
- Describe the benefits of regional SOCs
- Outline a plan to create a regional SOC
- Discuss the proper architecture for a regional SOC
Public Private Partnerships Coming of Age?
Panelists:
Kathleen Kiernan, Chairman, InfraGard
Ellen McCarthy, President, Intelligence and National Security Alliance (INSA)
Will Pelgrin, Chair, ISAC Council
Track: Reflection
Session Open: Yes
These leaders will discuss the need for the public private partnership in order to support the stability of the U.S. information and communications industry. We must work together in order to deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to our communications and information infrastructure and ensure capabilities exist to operate in cyberspace in support of national goals, and safeguard the privacy rights and civil liberties of our citizens.
Pursuing Leads in an IP Case: Targets, Evidence and Forfeitures
Marc Miller, CCIPS Trial Attorney
This case presentation will demonstrate how to identify targets, gather evidence and commence forfeiture actions in intellectual property cases. The presentation will address issues arising from having targets and evidence located in multiple jurisdictions. Furthermore, the presentation will explain how to effectively utilize a variety of evidence gathering tools for online cases including subpoenas, 2703(a) search warrants, Rule 41 search warrants and requests pursuant to MLAT. Lastly, the presentation will discuss effective methods of asset forfeiture related to intellectual property cases.
Raising Cybersecurity Awareness: Our Shared Responsibility
Jordana Siegel, Outreach & Awareness Program Director, National Cyber Security Division, DHS
Michael Kaiser, Executive Director, National Cyber Security Alliance
Tiffany Jones, Director of Government Relations, Americas, Symantec Corporation
All computer users have a responsibility to protect their computers, the networks they use and our national infrastructure by ensuring they engage in safe online practices. Our cyber infrastructure is only as strong as the weakest link. Therefore, we need to work together, everyone doing their part, to protect against cybercrime and other online threats.
This presentation will identify proactive initiatives used by the Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA) to educate home users, K-12 students, teachers and administrators, and small and medium businesses. Two initiatives underway include National Cyber Security Awareness Month (NCSAM) and the Cyber Security Awareness Volunteer Education (C-SAVE) program. NCSAM, conducted every October since 2001, is a national public awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure. The recently launched C-SAVE program was developed to encourage security professionals to put their knowledge and expertise to work by physically going to local schools and providing lessons educating young people to use the Internet securely and safely.
This session will explore these two awareness initiatives and the broader issues around getting all Americans to protect themselves online.
Refining Security: A Case Study of Public/Private Sector Collaboration in the Oil and Gas Sector
Martha Austin
Institute for Inf. Infrastructure Protection/Dartmouth
Executive Director
Track: Reflection
Session open: Yes
Public-private collaboration has proved effective in numerous sectors from healthcare to finance, helping drive innovation by matching government-funded research with real-world needs. The Institute for Information Infrastructure Protection (I3P), a 27-member multi-disciplinary consortium of academic institutions, non-profit research organizations, and national labs, has been collaborating for the past five years with the energy sector, working to enhance the cyber security of operational control systems.
Martha Austin, executive director of the I3P, which is managed by Dartmouth College, proposes to present a paper that describes the I3P’s collaborative approach to cyber security R&D. She will not only describe how the I3P brings a multidisciplinary and multi-institutional approach to its research projects but how it engages stakeholders and end users and integrates technology transfer into the research process. In addition to having an advisory board made up of industry representatives and working with industry associations on outreach, the I3P has collaborated formally with several companies to develop a suite of effective security tools.
Austin will present specific case studies describing the I3P’s collaborative work. One such collaboration involved a pipeline company that worked with the I3P to develop a protocol for assessing cyber risk; another involved a refinery and development of a network-monitoring tool. In describing these case studies, Austin will explain how the I3P and its industry partners were able to draw on each other’s strengths; she will also explain how the collaboration was initiated and developed as well as lessons learned: what worked, what didn’t and how the I3P is continuing to leverage its reputation in the private sector to further its research goals and at the same time meet end user needs.
Root Cause Analysis: What You Find When You Look for It
Jerrold Smith, Principal Consultant, MANDIANT/NASA
Scott Roberts, NASA
John Wang, NASA
Track: Threat
Session OPEN ONLY TO FEDERAL EMPLOYEES/CONTRACTORS.
The NASA network serves as a crossroad for government, military, education, and the private sector. The data on these networks makes them an attractive target. Observed attackers vary from the opportunistic to the highly directed, and their techniques range from the mundane to the exotic. In order to capitalize on the knowledge gained from these attacks, in 2008 NASA undertook the ambitious goal of creating a unified, coordinated network security monitoring and incident response capability. Starting with more than a dozen different locations spread across the country, each with its own network security staff and incident response teams, the NASA SOC began operations in December of 2008. Since then, the SOC has identified and reported many vulnerabilities, including several zero day attacks, and has become the central hub for information security operations, coordinating and assisting incident response across the entire agency, as well as coordinating with other government agencies and commercial entities.
During this talk, we will explore the many challenges and corresponding opportunities that come with developing such a comprehensive capability on such a challenging timeline. We will review several of the discovered vulnerabilities, including the processes of discovery, analysis, remediation, and disclosure. We will also discuss the ongoing development of the SOC Advanced Incident Response and Analysis capability and how it is working in conjunction with the NASA incident response community. Finally, we will walk through our implementation of the SOC from planning to present, identifying where we did well, where we could have improved and what the roadmap for the future includes.
Securing Government Data in a Stifled Economy
Josh Shaul, VP Product Management, Application Security, Inc.
Track: Mitigation
Session Open: Yes
In uncertain economic times, it can be difficult to rationalize every component of a government IT budget, and it can certainly be frustrating when management makes cuts to your budget. Attackers are feasting on vulnerable government database applications, as they’re seemingly getting to and then into enterprise database applications with ease.
In any federal agency, the database is one of the most coveted and critical business applications, and it's no wonder that it’s the most frequently breached if not protected. Most often, the difficulty with securing database applications in any enterprise-class organization is determining who owns database security: is it the DBA, or the CISO/CIO?
Initiatives like The Federal Information Security Management Act (FISMA) are critical to look at as well in determining where priorities lie within your IT organization, and as a guide to engage your management team.
As data is what any attacker is looking to steal, starting with the database is the most practical way to start deploying protections where it counts the most. For mere pennies on the dollars you would spend on other security solutions, organizations can easily and rapidly get on the path to more secure data with the right plan in place.
This presentation will discuss:
- A framework for effectively creating and positioning a data security plan, starting at the database layer.
- A foundation for selling the importance of solid database security to your management team, with ample evidence to suggest that it’s a cost-effective method of protection compared to securing conduits.
- A further rationale for a cost-effective solution to protect the database layer, as opposed to other options.
Securing the Nation’s Industrial Control Systems Infrastructure
Rick Lichtenfels, Deputy Director, DHS Control Systems Security Program
Track: Mitigation
Session Open: Yes
We’re the government and we’re here to help! The DHS Control Systems Security Program (CSSP) works with industry to develop products and tools that can be used to help secure control systems. Some examples include:
- A collaborative forum for information sharing between government and industry.
- Self-assessment tools that will show whether you are meeting the intent of published standards (such as CIP, NIST 800-53 and 82, and DODi 8200) and provide a gap analysis that compares your existing security countermeasures with what is recommended for similar environments.
- A procurement guide for control systems with example language that can be used to purchase systems and maintenance agreements that will build security into the contract process.
- Multiple recommended practices addressing topics such as defense in depth, wireless security, forensics plans, common control system vulnerabilities, and many more.
CSSP also provides advanced hands-on training, including a realistic red team/blue team (attacker/defender) exercise. CSSP Deputy Director Rich Lichtenfels will provide brief descriptions of these products and tools and how you can obtain them.
Security Business Process Re-engineering for Critical Infrastructure
Sean McBride
Director of Analysis
Critical Intelligence
Track: Reflection
Session open: Yes
This presentation, geared towards critical infrastructure asset owners and government stakeholders, makes the case for re-engineering business processes to include security. During the 1990s and 2000s, business process re-engineering (BPR) pushed organizations from people-centric to data-centric operational models. Through the use of recent government and private-sector case studies, the presenters explain how this technological paradigm shift has left security out of business thinking, putting not only the organizations, but societies at risk. The presenters offer three specific near-term tasks to aid critical infrastructure operators and government stakeholders in developing security business processes.
Software Assurance: Mitigating Risks to Improve Incident Management
Joe Jarzombek, Director for Software Assurance
DHS/National Cyber Security Division
Robert Martin
Track: Vulnerability
Session open: Yes
Many enterprises architect their security measurement and management. They are bringing standardization to secure development; vulnerability, configuration, and asset management, as well as threat, intrusion, and incident management and remediation; thus they are able to eliminate duplication and manual activities while providing flexibility and nimbleness in product choice and criteria. With today’s global IT/software supply chain, enterprises must explicitly address security risks posed by exploitable software. Project management, quality assurance, and software development processes should explicitly address software security risks that can be passed from projects to the organization. Software development should be informed by incident management, and incident response can be informed by security measurement. Free resources are now available to assist in security-enhancing project management, risk management, quality assurance, and software testing in managing acquisition, outsourcing and development activities.
Members of the Software Assurance Forum will provide presentations to facilitate discussions addressing the relevance of software security assurance in reducing organizational risk exposure. Panel presentations and discussions will provide a focus to enhance efforts to:
-- Understand the industry-wide implications of standards-based security architectures for measurement and management of enterprise IT security risks.
-- Recognize the importance of security standards for enabling interoperability in security assessment, remediation, threat identification, incident management, system certification, and secure development.
-- Realize how standards can make ground-truth reporting of compliance efforts economical, real-time, and accurate.
-- Obtain real security advantage while responding to OMB mandates on FISMA, FDCC, and S-CAP.
-- Understand and gain access to free software assurance resources for those in acquisition, development, sustainment and support of operations.
Spam Botnetwork Mitigation Strategies & Latest Research & Trends
David Cowings, Sr. Manager of Operations, Symantec Corporation
Track: Mitigation
Session Open: Yes
When considering the potential breadth of damage that can be caused by a botnetwork, one might consider it a relief if its purpose is sending spam. However, the continuing professionalization of spam and phishing, as well as the potential monetary gains through the underground economy, point to the true value: the infrastructure of the botnets itself. Spam and phishing perform multiple functions, including acting as the gateway for presenting URLs that lead to malware downloads, which in many cases leads to further development of the botnetwork.
As defenses for botnet detection and remediation evolve, they will have a greater impact on the revenue of cybercriminals and may lead them towards more drastic and aggressive actions to expand their networks, and possibly against those organizations causing them the most damage. This isn’t that different from the challenges police agencies face with large criminal organizations that impact the community or pose risks to the government. Instead of focusing on stopping cybercriminals, another strategic approach is making it more difficult for them to operate within our borders. He will discuss the evolution of spam and the mitigation tactics that have followed, as well as the latest threat landscape. He will also discuss several mitigation strategies that focus on reducing the harm of botnetworks while at the same time making it more difficult for them to operate.
Special Issues In Forensics: Exploring the Dynamics of Botnets
Andrew Cruikshank, Assistant General Counsel, Office of General Counsel, Federal Bureau of Investigation, Department of Justice
Jon Bird, Reverse Engineer, Mitre Corporation
Jason Passwaters, Technical Analyst, Harris Corporation
Dara Sewell, CART Unit Chief, Field Office, Federal Bureau of Investigation
As more and more computer systems come online to enhance our lives, businesses, and productivity, the potential of these systems entices criminals. Every computer system connected to the Internet has vulnerabilities and an intrinsic value. Criminals actively seek to exploit systems in order to harness their earning power and potential. These groups of compromised computers (botnets) act in concert to commit financial crimes, cripple legitimate businesses, and send spam e-mail. This presentation identifies the structure, function, and autonomy of botnets through the analysis of digital data.
Panelists will be provided from the following companies:
McAfee
Symantec Corporation
Verizon
IBM
Track: Threat
Session Open: Yes
Members from large security operations centers from industry will discuss the “state of incident response operations”.
State of the Hack: The Chinese Threat
Rob Lee
Principal Consultant
MANDIANT
Track: Threat
Session Open: Yes
This "straight from the battlefield" presentation will provide case studies that describe in detail the most recent computer security incidents Mandiant has responded to on behalf of the affected organizations. Three or four anonymized in-depth case studies of recent complex hacks against commercial, government, and financial organizations will be covered. The talk will go into how the intruders are gaining access, what they are doing, and the malware used in the attacks.
The Cybersecurity Challenge - The Evolution to Global Threat Intelligence
Dave DeWalt, President and Chief Executive Officer, McAfee, Inc
President Barack Obama in May announced that cybersecurity has been elevated to a top management priority for the U.S. government. "In today's world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer -- a weapon of mass disruption," Obama said in an address.
With the world increasingly going "cyber," how is cybersecurity keeping up? Cybercrime is becoming more organized, dangerous, sophisticated and global. Cybercriminals have little fear of law enforcement, and the gap between crimes and the response is increasing. Countries are arming for cyberwarfare, businesses are overwhelmed with complex security technology and proving compliance while consumers are afraid of losing their identity.
Join McAfee President and Chief Executive Officer Dave DeWalt for a look at where cybercrime is headed and McAfee's vision to keep systems and data secure. DeWalt will discuss where the breakdowns occur and what must happen to break down the barriers that make the current response inadequate. DeWalt will explain the need for multilayered, multicorrelated security with real time visibility, supported by Global Threat Intelligence.
The Ethical Swamp: Learning From The Discovery and Trial Experience Of Our Colleagues . . .
Sean Hoar, Assistant United States Attorney
Robin Taylor, Assistant United States Attorney
This presentation will address recent trends in discovery and trial ethical issues, some of which became headline news this past year. The session will use case studies to analyze how federal prosecutors found themselves in the ethical swampland, adversely affecting both their cases and careers. Participants in this session will be provided a guide to navigate the dangerous waters of disclosure and discovery obligations, and evidentiary issues in trial. If you want to keep your career afloat, you won't want to miss this session.
The Evolution of Incident Response
Kevin Mandia
Over the last 10 years, we have witnessed a shift in the motivation driving the perpetrators of computer security breaches. What was once a purely technical problem that served, at worst, as a nuisance to your organization's IT staff has become both a business issue and an issue of national security.
Through detailed case studies, we discuss the technical and authentic details of computer security incidents that have occurred at large organizations over the last year. We demonstrate how these organizations have been responding to these incidents and the emerging technologies that can assist your organization in responding in a more efficient and effective manner.
The Paper(less) Chase: An Approach to Saving Trees and Organizing Materials from Investigation through Discovery and Trial
Larry Sommerfeld, Assistant United States Attorney
Randy Chartash, Assistant United States Attorney
Joe Panzarella, Litigation Support Manager
Robert Moore, Assistant Director
The Role of Attack-based Metrics and Mission Enablement Key Performance Indicators
Panelists:
Dan VanBelleghem, VP Information Assurance, NCI Information Systems
Tim Henderson, VP and Principal Solution Architect, NCI Information Systems
Track: Reflection
Session open: Yes
Given the unrelenting and sophisticated nature of attacks assaulting government cyber assets, IT security techniques such as strong perimeter defense, server hardening and security-focused systems administration remain at the forefront of defending critical cyber assets. However, the diameter of the perimeter continues to collapse, resulting in an environment with multiple perimeters that require flexible security architectures. Today’s security environment must effectively balance policy, compliance, security operations, identity and access management and user awareness.
This presentation addresses tactics used by our adversaries, as well as discussing an overall strategy encompassing agency-level services for providing effective protection. Both real-time situational awareness (attack-based metrics) and key performance indicators measuring agency mission enablement will be presented. This presentation will highlight several security metrics that enable new avenues for quantitative measurement of risk analysis and the effectiveness of cyber security expenditures. While technical concepts will be addressed, the presentation is aimed at non-technical senior staff and executive management. This presentation will illustrate an approach for measuring compliance to, and effectiveness of, enterprise policy supported by advanced heuristic analysis. The methods and concepts presented will arm security practitioners with the information and techniques needed to successfully present security key performance indicators to both technical and management professionals.
Christopher Buse
Chief Information Security Officer
Track: Vulnerability
Session open: Yes
The State of Minnesota is one of the first states in the nation to develop and deploy an enterprise-wide vulnerability and threat management program. Partnering with higher education, the goal of this program is to continuously assess approximately 150,000 IT assets across all government entities and higher education institutions. Using a centrally managed technology infrastructure and processes based on NIST guidance, Minnesota government entities now can identify, prioritize, and remediate vulnerabilities before they are exploited by hackers. Though still relatively new, Minnesota government entities conduct nearly 30,000 assessments each day and have removed over 28,000 critical vulnerabilities since the inception of the program.
Adam Meyers, Principal, SRA International
Track: Mitigation
Session open: Yes
There are a multitude of tools available to the Computer Network Defender, ranging from expensive commercial products to open source. In this presentation, two lead cyber analysts will discuss tools which they use to conduct incident response and reverse engineering. The talk will discuss pros, cons, and experiences using the tools. Attendees will leave with a list of tools and a functional knowledge of what they do and where they fit into a comprehensive security program. This is particularly valuable to those who are interested in expanding program capabilities but don’t have the resources to conduct a comprehensive review of the many available tool sets. Demonstrations of some tools will be presented.
Top Ten Cell Phone Legal and Evidence Questions & Answers
John Lynch, Senior Counsel and Litigation Coordinator for Computer Crime
Richard Downing, Assistant Deputy Chief, CCIPS
Mark Echenwiler, Associate Director, OEO
Ovie Carroll, Director
What does a prosecutor need to know about locating mobile devices, searching them, and intercepting their communications? Experts from the Computer Crime and Intellectual Property Section and the Office of Enforcement Operations will explore the top ten legal and technical issues that come up when law enforcement seeks to gather this important evidence. Topics will include legal process for obtaining mobile phone location information, challenges in the forensic examination of mobile phones, and issues relating to searches of phones incident to arrest.
Towards a Method of Identifying Common Malware Functions
Ross Kinder, Malware Reverse Engineer, CERT Malicious Code
Track: Threat
Session open: Yes
This presentation will describe recent work identifying common code across a large pool of malware. It is well known that many so-called “unique” malware files are actually recompiled or repackaged versions of relatively fewer source code trees. Reliable techniques to group malware files that share code in common could be very useful in identifying these relationships, as well as connecting related intrusions, prioritizing analysis effort, and identifying trends.
While there has been some excellent work in this space, much is still left to be done. This presentation will identify some simple techniques that have proved to be surprisingly effective in grouping malware. Ross Kinder will discuss a few of the techniques and present the results of applying them to a large pool of malware.
The Role of the ICS-CERT in Vulnerability Mitigation and Incident Response
Rob Hoffman, Program Manager, Idaho National Laboratory
Track: Vulnerability
Session open: Yes
The DHS Control Systems Security Program (CSSP) manages and operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in coordination with the US-CERT to provide focused operational capabilities for defense of control system environments against emerging cyber threats.
As a key component of the Strategy for Securing Control Systems, the ICS-CERT leads the effort to achieve the goal of building a long-term common vision where effective risk management of control systems security can be realized through successful coordination efforts.
This presentation will address the capabilities, current efforts and opportunities for interaction with the larger federal and private stakeholder community.
The State of the Hack – Combating the Advanced Persistent Threat
Wendi Rafferty, Director of Federal Services, MANDIANT
Track: Attack & Detection
Session Open: Yes
This presentation covers the current State of the Hack in conjunction with an in-depth analysis of the Advanced Persistent Threat (APT). The audience will learn both technical and procedural strategies they can immediately employ within their organizations to fight targeted attackers. We will discuss specific threat vectors typically used by the attackers, their methods for moving laterally throughout your network and how they escalate their attacks once your incident response capabilities and remediation attempts have been observed. The case studies presented will describe, in technical detail, the most recent incidents to which Mandiant has responded. We will demonstrate how the intruders gained access; what type of methodologies and malicious software they utilized once inside the victim network and how the organizations remediated these attacks. Last, an in-depth discussion of Mandiant's latest investigative techniques will be covered.
The Web Application Security Crisis
John Weinschenk, President and CEO, Cenzic
Track: Attack & Detection
Session Open: Yes
As the number of cyber attacks from both amateur hackers and organized cyber terrorists is moving to new heights, enterprises have rushed to protect their networks with firewalls, VPNs, and Intrusion Detection Systems (IDSs). However, their web applications are often left neglected. According to Gartner, more than 75% of Internet attacks today occur through web applications due to insecure code and a general neglect of application security. Web applications are open by nature so that enterprises can conduct business; however, this openness allows hackers to exploit vulnerabilities and attack databases that store sensitive customer and corporate information.
Though the past several years have witnessed the development of a number of solutions in response to the compounding increases in risk, exposure, and liability, each approach has drawbacks that make it difficult for security executives and QA professionals to determine how to best protect their systems. In this presentation, John Weinschenk, CEO of Cenzic, will discuss the rise of application vulnerabilities and offer his opinion on the critical role of systematic assessment and remediation of these vulnerabilities across enterprise applications. John will also show attacks in action, including SQL Injection and Cross-site scripting, allowing attendees to see first hand how hackers work.
Transforming a Small Information Security Program Called Medicare
Ryan Brewer
Centers for Medicare & Medicaid Services
Chief Information Security Officer
Mike Mellor
Deputy Chief Information Security Officer
Track: Reflection
Session Open: Yes
The Centers for Medicare & Medicaid Services (CMS) is a Federal Agency within the Department of Health and Human Services. CMS’ 2008 Federal Entitlement spending of $670 billion represented a substantial portion (~21%) of the total Government spending. Until the spring of 2008, the CMS Information Security Program was reactive in nature and built on meeting compliance requirements versus enabling business needs.
The Federal Information Security Management Act requires organizations to implement cost-effective information security programs that are risk based. A core requirement of a risk-based program is to know on a continuous basis the risk posture of every device on the agency network that processes, stores, or transmits data. The information that is used to determine the risk posture is primarily vulnerability driven. If a system is vulnerable to exploitation by an outside attacker, then the confidentiality, integrity, and availability of the system or data are at risk. Other risk factors include the ease of exploitation along with the value of the system and data.
The presentation will outline indirect benefits of the program, lessons learned, and realistic steps that can be mapped to any size program to move from compliance based to cost-effective and risk based.
The Trusted Internet Connection (TIC) and TIC Compliance Validation Process
The DHS Federal Network Security (FNS) branch is responsible for validating Federal executive branch agencies’ compliance with the TIC initiative. The TIC compliance validation assessment is referred to as a TIC Compliance Validation (TCV), and its purpose is to measure, using an objective, repeatable and consistent method, the degree of compliance with the TIC Initiative and related OMB directives and guidance, and to assist in mitigating identified deficiencies. The TCV will focus on TIC devices and services and NOC/SOC operations and services, and may include sites where TIC Access Provider services or devices are located or where there are backup sites that have daily operational activities. At the end of the TCV process, a determination will be made to designate the TIC as operating at Initial Operating Capability (IOC) or Mature Operating Capability (MOC).
Using HUNT Teams to Proactively Identify Advanced Persistent Threats on Your Networks
Stephen Windsor
Booz | Allen | Hamilton
Forensics Lead
Ron Shaffer
Team Leader
Incident Response and Digital Forensics Team
Track: Mitigation
Session open: Yes
Traditional host and network defenses like firewalls, anti-virus, patching, two-factor authentication, IDS, DMZ, and vulnerability assessments are not sufficient to keep advanced persistent threats out of government, military, and defense industry networks. This presentation demonstrates techniques you can use to proactively and surreptitiously identify advanced persistent threats on your networks. In addition, specialized investigative techniques and the development of clean-strike extraction countermeasures will be discussed.
Using Identity Intelligence to Improve Cybersecurity
Thomas Oscherwitz, Vice President of Government Affairs & Chief Privacy Officer, ID Analytics
Track: Reflection
Session open: Yes
Government and private sector organizations are facing an entirely new genre of identity-related risks with Internet-based transactions. These transactions occur increasingly in real time, remotely, and among parties who often have no prior experience with each other. In this unfamiliar environment, what can organizations do to protect themselves from identity-based threats and to protect the PII under their control?
This presentation will introduce the audience to a new field: identity intelligence. Identity intelligence relies on the use of advanced analytics to better understand consumer identities and protect against identity-related threats. This presentation will explore some of the more important characteristics of identity intelligence (including robust analytics, data security, and privacy sensitivity). It will also look at the application of identity intelligence to specific cybersecurity threats such as protecting PII, monitoring threats in the online channel, and protecting the physical and logical security of credentials.
Using the Vulnerability Response Decision Assistance (VRDA) Framework
Art Manion
CERT
Vulnerability Analyst
Track: Vulnerability
Session open: Yes
The Vulnerability Response Decision Assistance (VRDA) framework is a decision support and expert system designed to help an organization improve the efficiency and effectiveness of deciding how to respond to vulnerability reports. VRDA is descriptive: it aims to mimic how an organization actually responds to vulnerabilities and make that knowledge more consistent and widely available. This presentation will describe how accurately VRDA is able to predict real responses, using data from trials at three organizations. An implementation of VRDA called KENGINE will be demonstrated. In the trials, KENGINE was used to collect vulnerability report data, generate decision models, predict responses, and record actual responses. Variations between predicted and actual responses may be caused by a lack of sufficient or necessary vulnerability data, bias of expert analysts, poor decision logic, or some other factor. Comparisons between different organizations, data sets, and decision models show that VRDA is accurate enough to give practical assistance with vulnerability response, although accuracy varies among individual decisions.
View from the Bench: Cyber & IP Crimes Issues
Randy Chartash, Assistant United States Attorney, Northern District of Georgia
The Honorable Alan J. Baverman, United States Magistrate Judge, United States District Court, Northern District of Georgia
This panel will focus on the judicial perspective on Cyber and Intellectual Property crimes and related search issues. Federal judges from the Northern District of Georgia will address a variety of evidentiary, search, and procedural issues that arise in these types of criminal cases. Topics covered will include search warrants, pre-trial discovery, trial and sentencing issues.
Web 2.0 and Cyber Security: Transparency, Privacy and Trust
Chirag Patel, Sr. IT Specialist, Supreme Court of the United States
Track: Attack & Detection
Session open: Yes
The Obama Administration pledges to rebuild public trust in the government by increasing transparency, in part by using Web 2.0 technologies.
The tension between privacy, security and trust is created when we have to shift our focus to allowing greater transparency, that is, to allowing information to flow out of our organization using Web 2.0 enhanced websites without prejudice, yet maintain surveillance of who is asking what, where information is flowing, whether the appropriate information is flowing to the appropriate people, etc.
Our community will have to learn about the implications of the Privacy Act and the Freedom of Information Act for data created by our security devices. We will have to develop new usage policies for government employees who utilize Web 2.0 technologies as representatives of their agencies. We will have to learn about the privacy impact of persistent cookies and authentication if they are utilized on government websites. And we will have to understand the cost to trust of unexpected or improper use of information or repeated data breaches. A breach at one agency reflects on all agencies.
The cyber security community will have to work as one. We need to create a discussion between multiple stakeholders to develop Web 2.0 usage policies and security procedures for log retention, data collection and data analysis. We’ll have to look forward at how FOIA and the Privacy Act will apply to our operations. The public will have to trust the collective cyber security body if they are ever to trust the government.
Why Is Measuring Security So Difficult? Unraveling the Gordian Knot of Cybersecurity and Internet Infrastructure Metrics
Panelists:
Bob West, Echelon One
Zach Tudor, SRI
Shari Pfleeger, Rand
Jim Cowie, Renesys
Rob Cunningham, MIT/LL
Track: Mitigation
Session Open: Yes
What do we measure, and how do we know our security posture is improving? Producing objective and measurable security metrics has always been difficult. This panel of security experts will discuss how to operationalize metrics within our security environment. From interdomain routing, to domain name service, to web services, key parts of your organization's WAN infrastructure are always exposed to public view. Most of us know what we intend to publish, but few are measuring what the public sees. How do you make sure you do what you say and say what you mean? Panelists will describe best practices for formulating sensible policies and measuring compliance with them, as well as the latest research in the area of security metrics.
Title: Pending
Christopher Jordan, VP Network Intelligence, McAfee
Track: Mitigation
Session Open: Yes
During this economic downturn, cybercriminals are becoming financially more aggressive. Data breaches are at an all-time high and government agencies are feeling the impact. Because our infrastructure is not designed to prosecute those responsible for a large percentage of cyber incidents, cyber criminals are executing more severe attacks and getting away with them.
There are steps that can be taken to protect against this problem. Mr. Jordan can discuss these processes, providing examples and specific steps government agencies can take today to improve their defenses. For example, when an agency’s network is breached, the first step in preventing future attacks is pinpointing how the breach occurred and determining the extent and impact of the breach. The government is turning to near real-time network forensics to capture and analyze network events in order to locate the source of the attack. Many of these tools, like audit logs, provide factual evidence that can stand up in a court of law, supporting the prosecution of cybercriminals while minimizing and addressing the issue.
This session will focus on current cyber threats, their potential impact on government networks and the network forensic tools being used to prevent such attacks and support prosecution of these cybercriminals.