Sneak Peek Into the Top Talks @ CISO Platform Annual Summit, 2014

Turbo Talks

How the Heartbleed bug was found?

Antti Karjalainen discoverer of Heartbleed

The Heartbleed bug was a catastrophic vulnerability in widely used OpenSSL TLS implementation. This talk will give background how the Heartbleed bug was found by Codenomicon. The mechanism that initially detected the vulnerability is presented. It is also discussed what made the Heartbleed bug so severe, and what kind of factors would have mitigated the consequences of the vulnerability.

>> Register Now!

Bitcoin Transaction Malleability - An Insight

Daniel Chechik

The bitcoin network vulnerability had disturbed the huge bitcoin network. Plenty trading websites like Silk Road,MTGox and more have been victim to "Bitcoin Transaction Malleability." This talk will take you through the vulnerability and how exactly it may be exploited.

5 Real ways to destroy business by breaking SAP Applications

Alexander Polyakov 

Do you know where all the critical data of your company is stored? Is it possible for attacker to commit sabotage or espionage against your company by breaking into just one of your business critical systems? And if so - what kind of systems could be under attack? Is it easy to break them? Is it a myth that SAP systems could be accessed only internally? Time has come not only to answer all of these questions. This time the real examples of different attacks on Enterprise Business application systems will be shown, based on eight-year research experience in that field. First of all we will cover all possible business risks related to each end every type of systems such as ERP, SRM, HR, Business Intelligence, PLM’s and Industry solutions so that every high level executive will get the full understanding of what could happen. After that, we will show examples of how easy is it to do such critical actions in different systems by exploiting vulnerabilities and misconfigurations from more business-related - such as Abusing SRM systems - to win the bid, for example. From frauds in HR system and salary-increasing to more technical things, such as drilling into corporate network via SAP Portal or delivering backdoors, which look like official updates via SAP Router. Our presentation will be the first to show real threats for business during those attacks with demo of the most interesting ones, and a guide to avoid them from EAS-SEC.

A journey to protect POS

Nir Valtman Discoverer of Point-of-Sale Vulnerabilities

From Target to other retail chains were all about 'POS'. Point-Of-Sale vulnerability has been at its peak for a while. This talk illustrates the POS vulnerabilities from both retailer and software vendor's perspective. Get an insight into how the POS devices are compromised including difficult methods like memory scraping. This talk will demonstrate the working of POS vulnerability and how threats can be minimized. It will also explain the ways to mitigate the risk while you get the basic concepts and get to know which of these actually work.

Intrinsic Leadership

Deb Maes Neuro-Linguistic Master Practitioner & Trainer

This talk illustrates a new effectiveness model for modern leading, a new method of better HR management and how to harness great potential in your human resources. Learn to harmonize thoughts, emotions and intuition to create coherence between your thinking modalities and become grounded and confident in decision making — emerge a better, human-centric leader. The talk includes the cognitive and emotions aspect.

>> Register Now! 

Cyber Safety in Cars and Medical Devices 

Beau Woods - Creator of IOT Security Framework

We are adopting connecting, computerized technology faster than we are able to secure it. When this technology is integrated into life and safety systems, bits and bytes meet flesh and bone. We must know, not just hope, that devices with the ability to impact human life and public safety are worthy of our trust. Learn how the safety impacts of merging cyber security with cars and automobiles impacts all of our safety. Learn the current state of research and what it tell us about these devices' resilience to accidents and adversaries. Understand why our current approaches to cyber security won't work and, in many cases, will be more dangerous than doing nothing.

The notorious 9 in Cloud Security

Moshe Ferber 

Cloud Computing presents major opportunities and benefits for the organization worldwide. It is scalable, flexible and efficient. But along with those major advantages, comes the threats. Most Cloud Computing threats and risks are well documented, but we are missing information regarding how those threats can be put into practice in the real world, what are the attack vector used and what is the risks and results for those events. In the presentation we will elaborate the notorious nine Cloud computing threats as described by the Cloud Security Alliance, and for each threat we will provide recent examples for known incidents, the attack vectors used and the damage resulted from the incident. By understanding the risks and case studies, we can better prepare our organization for cloud adoption. Among the recent events we will explore: Supply chain attacks, Attacks for Bitcoin mining, Attacks on the management GUI, API manipulation and more. We will talk about recent incidents for such as hack, Buffer and Mongo DB OAUTH credential theft, attacks on Twitter and Microsoft and many more.

More Shadow Walker- The Progression Of TLB-Splitting On X86

Jacob Torrey - Discoverer of TLB-Splitting on x86

This talk will cover the concept of mis-using the hardware (x86 translation lookaside buffer) to provide code hiding and how the evolution of the Intel x86 architecture has rendered previous techniques obsolete and new techniques to perform TLB-splitting on modern hardware. After requisite background is provided, the talk will then move to the new research, the author's method for splitting a TLB on Core i-series and newer processors and how it can again be used for defensive (MoRE code-injection detection) and offensive purposes (EPT Shadow Walker root-kit). This talk will be very high-level but aims to convey the complexities of the hardware and possible attack vectors that can happen at the lowest-levels of an organization's IT infrastructure.

>> Register Now!

Ants and Elephants in the CISO's Office

Paul Raines - CISO, UNDP

I will show how ISO 9001 and ISO 27001 can be used together to deliver business value and demonstrate to executive management and key stakeholders that you are exercising due diligence in protecting your organisation's information assets. The talk will briefly discuss the requirements of the two standards and show how ISO 27001 and ISO 9001 can be used to address both the tactical challenges of information security (the ants) as well as the strategic challenges of delivering business value (the elephants).

Embedding risk assessment into your project workstream

Michael Calderin - Security Officer, Bupa Global Latin America

Position information security more strategically within your organization by managing information risks early in the project lifecycle. A concise Impact Assessment can help you address serious risks at a time when they can be best addressed. Encourage your audience to participate by creating an unobtrusive process that engages the project team and security team and promotes dialog. This has been key in integrating information security into business and IT workstreams and demonstrating that information security personnel can and should be consulted whenever questions arise. With minimal effort, this type of thinking can create major impact for you and your organization.

Application Security Best Practices

Yuval Idan

Cybercrime is rising exponentially and millions of are at risk. Yuval Idan, APAC Technical Director at Checkmarx, will be speaking about today's prominent vulnerabilities and how Source Code Analysis (SCA) can help tackle these issues.The main topics of this talk include: Integrating Security as part of the Software Development Life Cycle (SDLC),  learning how to engage developers in the Security Process and turn them into Champions with the help of a Source Code Analysis Solution (SCA) along with how to identify and fix security vulnerabilities early to significantly reduce costs Yuval will demonstrate live how these goals can be achieved.

>> Register Now!

Actionable Security Intelligence

Derek Manky

Heartbleed, Shellshock are just two of many critical vulnerabilities that are present in hundreds of thousands of embedded devices that are connected to the 'Internet of Things'. This talk will overview embedded vulnerabilities including ones discovered by FortiGuard Labs to shed light on a much larger issue at stake. This review will highlight the state of IoT security moving forward in 2015. Security strategy will be discussed including vendor response (PSIRT) and practical protection measures. Heartbleed has subsided, Shellshock is on stage - but many similar vulnerabilities need to be addressed with priority.

Workshops & Trainings (20-21 Nov)

Fuzz Testing Techniques for Discovering Zero Days

Antti Karjalainen ( discoverer of Heartbleed ) 

The workshop gives an introduction to fuzz testing. Common fuzzing techniques are presented, and it is discussed, what makes a good fuzzer. Different kind of failure modes that can be triggered by fuzz testing are demonstrated with real-world examples. It is also demonstrated, how the triggered failures can be detected automatically by using sophisticated oracles.

Implementing SAP security

Alexander Polyakov ( The father of ERPScan )

An SAP system is the heart of any large company; it enables all critical business processes, from procurement and payment to human resources and financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can mean enormous losses, probably even termination of business processes. Within the last 7 years, SAP security experts have spoken a great deal about various attacks on SAP. Interest in the topic has been growing exponentially. This session will provide practical steps of implementing SAP Security in company from the beginning based on a real case-study in one of the world-lagest airlines.

>> Register Now!

Defending Online Attacks on Cloud Instances

Nir Valtman ( Discoverer of Point-of-Sale Vulnerabilities ) & Moshe Ferber ( Cloud Security Entreprenuer )

"Cloud instances lifecycles is changing. Instances can launch up, process hug amounts of data and terminate, and al within range of minutes."

This life cycle makes traditional security processes such patches, vulnerability scanning, hardening and forensics impossible due to lack of maintenance time. New methods must be adapted in order to cope with those challenges.Our idea is a technical live demo. For each part of the cloud instance lifecycle (instaling, launching, procesing, terminating) we show the atacking surface and how we implement the new automated security procedures (automatic patches, encryption of volume storage, automate configuration, log alerting, provisioning encryption keys) in order to reduce the atack surface and eliminate risk." 

Overview of Harwdware Level Security

Jacob Torrey ( Discoverer of TLB-Splitting on x86 )

In this workshop, a brief summary will be provided on the current state-of-the-art in kernel and hypervisor-level attacks and defenses and how the cat-and-mouse game that is on-going in this field can impact your organization. After reviewing the threat landscape, the discussion will move to mitigation strategies and how to fold defending against these types of attacks into existing business models. A holistic view of the adversary model targeting OS and hypervisors will be provided and ranked against other common threats. The audience should leave this workshop with a better understanding of what is possible, what is common and what they can or should do to protect their organizations.

Building an Incident Management Program

Paul Raines ( CISO @UNDP,ex-OPCW )

The workshop will cover the ABCs of putting together an information security incident response team (ISIRT). It will cover the basics of being able to protect, detect, respond and learn from incidents. Based on industry best practices and the lessons learned from experience, the workshop will provide practical advice on how to develop an effective ISIRT with even limited resources.

>> Register Now!

Mobile Security

Nilanjan De(CTO,IVIZ), Devesh Bhatt(Prominent Security Researcher)

This talk will explain the mobile security architectures for various platforms. It will take you through the attack surfaces and how they vary based on the security architecture of each platform. Next get to learn the basics of building secure apps and testing mobile apps along with the tools and technologies for its implementation.


Top Technical Talks
  • How the Heartbleed bug was found?
  • Elliptic key cryptography
  • Hacking Cars, Elevators, Home Automation Systems
  • Hacking Traffic System and Public Infrastructure
  • Summarizing the best research around the world
  • Breaking Cryptography using CPU sound
  • Recent Security Flaws in SDN
  • Deep dive into DDOS mitigation
  • OS-INT to secure your organization
  • Deep Inside big data Analytics
  • Inside machine learning: What’s possible and what’s not?

Top Security Management Sessions
  • Technology evaluation checklist for various technologies (Vulnerability Management, SIEM, IAM, DLP, BYOD, GRC … total 20 Domains)
  • Top ways by which SIEM implementation fails
  • Top ways by which IAM fails
  • Building Security metrics and scoreboards
  • Daily, weekly and monthly checklist for a CISO
  • Incident handling checklist: How to respond to a hack?
  • GRC and Risk Management workshop
  • Building a Security maturity model
  • Security Metrics and Analytics Dashboard
  • Incident collaboration across industry
  • BYOD/Mobile security technology taxonomy
  • Managing board: The CISO way
  • How to manage the risks of the role of CISO?
  • Sharing failures.. (I fail therefore I am)

Top Leadership Sessions
  • The science of building and breaking habits
  • Entrepreneurship basics for a CISO
  • Stress Management using the power of language
  • Ten ways to build your professional brand
  • Start with a why: The art of convincing
  • Top TED Talks for CISOs
  • Happiness: Most recent researches and discoveries
If you have any feedback on the topic please leave your comment below or email

Views: 545

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform



CISO as an enabler

Started by Maheshkumar Vagadiya Jul 30. 0 Replies

Share the instances where you were able to convince the Executive management /board that CISO function is enabler rather then a hindrance.Thanks youMaheshContinue

Has Anyone Evaluated Digital Signature (like Docusign)?

Started by CISO Platform. Last reply by Yogesh Nov 19. 2 Replies

(question posted on behalf of a CISO member)Has anyone evaluated digital signature (like Docusign), any specific risk/ security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.Continue

What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?

Started by CISO Platform. Last reply by ANAND SHRIMALI May 20. 4 Replies

(question posted on behalf of a CISO member)What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?Related Question: …Continue

[Please Suggest] Corona Virus: Security advisory for work from home

Started by CISO Platform. Last reply by Bhushan Deo Mar 20. 12 Replies

(question posted on behalf of a CISO member)Due to CORONA virus most of the organizations are allowing their employees to work form home.Has any one issued security advisory for work from home ?Continue

Tags: #COVID19

Follow us

Contact Us


Mobile: +91 99002 62585

InfoSec Media Private Limited,First Floor,# 48,Dr DV Gundappa Road, Basavanagudi,Bangalore,Karnataka - 560004

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service

/* */