2016 Ohio Information Security Conference

In recent years, data breaches have occurred even within prominent organizations such as Target, Home Depot and others . Databases are at the bottom of the security stack and are your last line of defense to protect your valuable and sensitive data. Learn how proper database security provisioning will meet data assurance compliance. 

This offering will discuss the recent evolution of cyber attacks, vital incident response planning, testing and training, implementation of policies & procedures, mitigating and responding to a breach, and, finally, legal standards of care derived from real cases. 

Many organizations do not manage risk in a holistic way. Rather, they maintain silos of risk management activity that often use completely different methodologies, terminology and tools to model and treat risk. Security, Compliance and Business stakeholders are the most cloistered silos seen in the wild. This structure may have worked in the old world when being the person who said “NO” was enough but that is not the case in the age of Bring Your Own Device (BYOD), Cloud Computing and Regulatory Compliance. However, it does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate and treat risk. By adopting common risk management metrics, innovative controls and trust management techniques CSO’s and other security practitioners can survive and prosper in the age of Cloud Computing and BYOD. Learn how to gain a holistic view of risk across your organization with the ultimate goal of determining your organization’s appetite for risk and facilitating the cultural move from a “Zero Risk” mentality to a “Risk Resilient” mentality.  In addition to the items listed in the abstract, I will discuss an innovative approach I have been using in the field for several years called Trust Enhanced Risk Management (TERM). 

2-Factor Authentication (2FA) is clearly a best practice for IT security, but moving an organization to this level of security is a huge commitment.  Learn why the University of Dayton made the decision to “go 2FA” and how they approached the planning, implementation and support.  UD is currently in the middle of their roll-out, so you will get very current observations and analysis of the issues and challenges they are facing.

In 2005, ChoicePoint experienced the first security incident involving data. Since then, the term "data breach" has become part of the national lexicon. In this engaging discussion, you will learn the lesson of the past ten years and walk away with sound data governance principles in preparing for WHEN, not IF a breach occurs. 

Straightforward questions such as “How much security is enough for the threat we face?”, “What are our residual risks?”, and “Does this security investment provide benefits worth the costs imposed?” need straightforward answers. Tenet3 will demo metrics useful in answering these questions and provide insights into the associated cybersecurity economics. 

Ask three security people a question, and you will get five conflicting answers.  Ten if the business shows up.  If a Lawyer walks in, you might as well cancel the meeting.  The problem isn’t that any of these people are wrong; the problem is they are all correct, but we need a tool to drive precision to the question and answer, while managing the complex interplay of decisions that are distinct but overlapping.

As the Domain Name System (DNS) plays an indispensable role in a large number of network applications including those used for malicious purposes, collecting and sharing DNS traffic from real networks are highly desired for a variety of purposes such as measurements and system evaluation. However, information leakage through the collected network traffic raises significant privacy concerns and DNS traffic is not an exception. In this talk, we will show a new privacy risk introduced by passively collected DNS traffic. We intend to derive behavioral fingerprints from DNS traces, where each behavioral fingerprint targets at uniquely identifying its corresponding user and being immune to the change of time. We have proposed a set of new patterns, which collectively form behavioral fingerprints by characterizing a user's DNS activities through three different perspectives including the domain name, the inter-domain relationship, and domains' temporal behavior..We have performed extensive evaluation based on a large volume of DNS queries collected from a large campus network across two weeks. The evaluation results have demonstrated that a significant percentage of network users with persistent DNS activities have DNS behavioral fingerprints. 

Logs are everywhere in your environment. They tell you the story of your network: what is happening during every moment of every day, what is working, and what has failed. All too often, we have a tendency to treat logs the same way high school students look at books – boring, archaic sources of information that are only consulted when no other option is available. However, this is not the case – logs are filled with interesting stories and sequences of events – stories that can make our work easier (or at least more interesting). This presentation will focus on making logging interesting, using a variety of stories and personal experience to highlight cases where logs were a key tool in answering questions and solving problems. 

Is there any value behind internal red team testing? YES! Setting up an internal team matures the Information Security program in more ways than you may think. Hiring the right people, finding the right tools, and leveraging the results to drive action make this crucial, let’s discuss. 

Whether it is in response to a security incident, or just general preservation in litigation, it can be costly and time consuming.  When not done correctly, one can find themselves in additional litigation, dealing with sanctions or worse.  Putting a process around litigation allows for an efficient response and something to turn to when things go wrong.  The process involves management, IT and legal.

Human error is responsible for contributing to 95% of security incidents. Technology advances alone will not eliminate this risk. To combat it takes a profound understanding of why human errors continue to occur. Darren will clarify the causes of human error, and give specific recommendations on mitigation strategies.

Wireless sensor networks play a major role in the deployment of smart energy and building automation systems, yet the implications are seldom explored. First, we introduce an open source tool for pen-testing proprietary Z-Wave wireless networks. We then demonstrate rapidly destroying fluorescent lights connected to a wireless automation system. 

GRC systems today promise efficient and effective management of internal, external controls management and compliance with standards & legislative frameworks such as FISMA, HIPAA Meaningful use, SOX, PCI-DSS, NIST RMF and so on. This presentation provides current and target state of GRC for auditors, legal and information security practitioners. 

The risks of social media sites and other abstract tools, such as google hacking, to collect information about Businesses that allow a hacker to plan, design and execute a successful attack against a company.  What you don’t know, in this case, can really hurt you. Understanding the risks of what you publish via social media and other outlets allows you to properly mitigate those risks.

This presentation provides a high level overview of machine and search based analytics.  It covers example scenarios where they may be used to aid security analysts.  People, systems and processes differ between organizations.  These differences make it desirable to tune analytics to reduce noise.