Social Network For Security Executives: Network, Learn & Collaborate
How the Heartbleed bug was found?
Antti Karjalainen discoverer of Heartbleed
The Heartbleed bug was a catastrophic vulnerability in widely used OpenSSL TLS implementation. This talk will give background how the Heartbleed bug was found by Codenomicon. The mechanism that initially detected the vulnerability is presented. It is also discussed what made the Heartbleed bug so severe, and what kind of factors would have mitigated the consequences of the vulnerability.
Bitcoin Transaction Malleability - An Insight
The bitcoin network vulnerability had disturbed the huge bitcoin network. Plenty trading websites like Silk Road,MTGox and more have been victim to "Bitcoin Transaction Malleability." This talk will take you through the vulnerability and how exactly it may be exploited.
5 Real ways to destroy business by breaking SAP Applications
Do you know where all the critical data of your company is stored? Is it possible for attacker to commit sabotage or espionage against your company by breaking into just one of your business critical systems? And if so - what kind of systems could be under attack? Is it easy to break them? Is it a myth that SAP systems could be accessed only internally? Time has come not only to answer all of these questions. This time the real examples of different attacks on Enterprise Business application systems will be shown, based on eight-year research experience in that field. First of all we will cover all possible business risks related to each end every type of systems such as ERP, SRM, HR, Business Intelligence, PLM’s and Industry solutions so that every high level executive will get the full understanding of what could happen. After that, we will show examples of how easy is it to do such critical actions in different systems by exploiting vulnerabilities and misconfigurations from more business-related - such as Abusing SRM systems - to win the bid, for example. From frauds in HR system and salary-increasing to more technical things, such as drilling into corporate network via SAP Portal or delivering backdoors, which look like official updates via SAP Router. Our presentation will be the first to show real threats for business during those attacks with demo of the most interesting ones, and a guide to avoid them from EAS-SEC.
A journey to protect POS
Nir Valtman Discoverer of Point-of-Sale Vulnerabilities
From Target to other retail chains were all about 'POS'. Point-Of-Sale vulnerability has been at its peak for a while. This talk illustrates the POS vulnerabilities from both retailer and software vendor's perspective. Get an insight into how the POS devices are compromised including difficult methods like memory scraping. This talk will demonstrate the working of POS vulnerability and how threats can be minimized. It will also explain the ways to mitigate the risk while you get the basic concepts and get to know which of these actually work.
Deb Maes Neuro-Linguistic Master Practitioner & Trainer
This talk illustrates a new effectiveness model for modern leading, a new method of better HR management and how to harness great potential in your human resources. Learn to harmonize thoughts, emotions and intuition to create coherence between your thinking modalities and become grounded and confident in decision making — emerge a better, human-centric leader. The talk includes the cognitive and emotions aspect.
Cyber Safety in Cars and Medical Devices
Beau Woods - Creator of IOT Security Framework
We are adopting connecting, computerized technology faster than we are able to secure it. When this technology is integrated into life and safety systems, bits and bytes meet flesh and bone. We must know, not just hope, that devices with the ability to impact human life and public safety are worthy of our trust. Learn how the safety impacts of merging cyber security with cars and automobiles impacts all of our safety. Learn the current state of research and what it tell us about these devices' resilience to accidents and adversaries. Understand why our current approaches to cyber security won't work and, in many cases, will be more dangerous than doing nothing.
The notorious 9 in Cloud Security
Cloud Computing presents major opportunities and benefits for the organization worldwide. It is scalable, flexible and efficient. But along with those major advantages, comes the threats. Most Cloud Computing threats and risks are well documented, but we are missing information regarding how those threats can be put into practice in the real world, what are the attack vector used and what is the risks and results for those events. In the presentation we will elaborate the notorious nine Cloud computing threats as described by the Cloud Security Alliance, and for each threat we will provide recent examples for known incidents, the attack vectors used and the damage resulted from the incident. By understanding the risks and case studies, we can better prepare our organization for cloud adoption. Among the recent events we will explore: Supply chain attacks, Attacks for Bitcoin mining, Attacks on the management GUI, API manipulation and more. We will talk about recent incidents for such as Code-spaces.com hack, Buffer and Mongo DB OAUTH credential theft, attacks on Twitter and Microsoft and many more.
More Shadow Walker- The Progression Of TLB-Splitting On X86
Jacob Torrey - Discoverer of TLB-Splitting on x86
This talk will cover the concept of mis-using the hardware (x86 translation lookaside buffer) to provide code hiding and how the evolution of the Intel x86 architecture has rendered previous techniques obsolete and new techniques to perform TLB-splitting on modern hardware. After requisite background is provided, the talk will then move to the new research, the author's method for splitting a TLB on Core i-series and newer processors and how it can again be used for defensive (MoRE code-injection detection) and offensive purposes (EPT Shadow Walker root-kit). This talk will be very high-level but aims to convey the complexities of the hardware and possible attack vectors that can happen at the lowest-levels of an organization's IT infrastructure.
Ants and Elephants in the CISO's Office
Paul Raines - CISO, UNDP
I will show how ISO 9001 and ISO 27001 can be used together to deliver business value and demonstrate to executive management and key stakeholders that you are exercising due diligence in protecting your organisation's information assets. The talk will briefly discuss the requirements of the two standards and show how ISO 27001 and ISO 9001 can be used to address both the tactical challenges of information security (the ants) as well as the strategic challenges of delivering business value (the elephants).
Embedding risk assessment into your project workstream
Michael Calderin - Security Officer, Bupa Global Latin America
Position information security more strategically within your organization by managing information risks early in the project lifecycle. A concise Impact Assessment can help you address serious risks at a time when they can be best addressed. Encourage your audience to participate by creating an unobtrusive process that engages the project team and security team and promotes dialog. This has been key in integrating information security into business and IT workstreams and demonstrating that information security personnel can and should be consulted whenever questions arise. With minimal effort, this type of thinking can create major impact for you and your organization.
Application Security Best Practices
Cybercrime is rising exponentially and millions of are at risk. Yuval Idan, APAC Technical Director at Checkmarx, will be speaking about today's prominent vulnerabilities and how Source Code Analysis (SCA) can help tackle these issues.The main topics of this talk include: Integrating Security as part of the Software Development Life Cycle (SDLC), learning how to engage developers in the Security Process and turn them into Champions with the help of a Source Code Analysis Solution (SCA) along with how to identify and fix security vulnerabilities early to significantly reduce costs Yuval will demonstrate live how these goals can be achieved.
Actionable Security Intelligence
Heartbleed, Shellshock are just two of many critical vulnerabilities that are present in hundreds of thousands of embedded devices that are connected to the 'Internet of Things'. This talk will overview embedded vulnerabilities including ones discovered by FortiGuard Labs to shed light on a much larger issue at stake. This review will highlight the state of IoT security moving forward in 2015. Security strategy will be discussed including vendor response (PSIRT) and practical protection measures. Heartbleed has subsided, Shellshock is on stage - but many similar vulnerabilities need to be addressed with priority.
Workshops & Trainings (20-21 Nov)
Fuzz Testing Techniques for Discovering Zero Days
Antti Karjalainen ( discoverer of Heartbleed )
The workshop gives an introduction to fuzz testing. Common fuzzing techniques are presented, and it is discussed, what makes a good fuzzer. Different kind of failure modes that can be triggered by fuzz testing are demonstrated with real-world examples. It is also demonstrated, how the triggered failures can be detected automatically by using sophisticated oracles.
Implementing SAP security
Alexander Polyakov ( The father of ERPScan )
An SAP system is the heart of any large company; it enables all critical business processes, from procurement and payment to human resources and financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can mean enormous losses, probably even termination of business processes. Within the last 7 years, SAP security experts have spoken a great deal about various attacks on SAP. Interest in the topic has been growing exponentially. This session will provide practical steps of implementing SAP Security in company from the beginning based on a real case-study in one of the world-lagest airlines.
Defending Online Attacks on Cloud Instances
Nir Valtman ( Discoverer of Point-of-Sale Vulnerabilities ) & Moshe Ferber ( Cloud Security Entreprenuer )
"Cloud instances lifecycles is changing. Instances can launch up, process hug amounts of data and terminate, and al within range of minutes."
This life cycle makes traditional security processes such patches, vulnerability scanning, hardening and forensics impossible due to lack of maintenance time. New methods must be adapted in order to cope with those challenges.Our idea is a technical live demo. For each part of the cloud instance lifecycle (instaling, launching, procesing, terminating) we show the atacking surface and how we implement the new automated security procedures (automatic patches, encryption of volume storage, automate configuration, log alerting, provisioning encryption keys) in order to reduce the atack surface and eliminate risk."
Overview of Harwdware Level Security
Jacob Torrey ( Discoverer of TLB-Splitting on x86 )
In this workshop, a brief summary will be provided on the current state-of-the-art in kernel and hypervisor-level attacks and defenses and how the cat-and-mouse game that is on-going in this field can impact your organization. After reviewing the threat landscape, the discussion will move to mitigation strategies and how to fold defending against these types of attacks into existing business models. A holistic view of the adversary model targeting OS and hypervisors will be provided and ranked against other common threats. The audience should leave this workshop with a better understanding of what is possible, what is common and what they can or should do to protect their organizations.
Building an Incident Management Program
Paul Raines ( CISO @UNDP,ex-OPCW )
The workshop will cover the ABCs of putting together an information security incident response team (ISIRT). It will cover the basics of being able to protect, detect, respond and learn from incidents. Based on industry best practices and the lessons learned from experience, the workshop will provide practical advice on how to develop an effective ISIRT with even limited resources.
Nilanjan De(CTO,IVIZ), Devesh Bhatt(Prominent Security Researcher)
This talk will explain the mobile security architectures for various platforms. It will take you through the attack surfaces and how they vary based on the security architecture of each platform. Next get to learn the basics of building secure apps and testing mobile apps along with the tools and technologies for its implementation.