Security Hardening 2012 - part 1
Wednesday, February 8, 2012 from 10:00 AM to 5:00 PM (GMT+0100)
Leuven, Belgium
Event Details
08-Feb-2012
!!! Update February 1st, new topics added !!!
Sequel to the successful Security Hardening Event of October 2011, LSEC and its partners are organizing the follow-up event on February 8th, 2012.
After the successful LSEC Security Hardening event in October 2011, in the week before the 2012 RSA US Conference, LSEC will organize its Security Hardening 2012 again in Leuven at the Verizon Business’ Ubicenter. “Security Hardening” means to explore the possibilities of improving the IT and Information Security architectures and systems.
During the seminar, it became obvious that most of the topics were very complementary and gave an interesting viewpoint on how to improve security measures within companies.
Outline
This seminar is mainly intended for companies and government departments that already have a security environment and are interested in finding out about new solutions, new approaches and ways to improve their security infrastructure. Security Hardening in this case meant to increase the level of security on different aspects and components of your environment. This would have been either from a network security perspective, a database and application perspective or increasing the granularity and scope of your data protection technologies. Hardening was also understood to include ways and procedures to improve security management as a whole.
All together, we’ve explored how to grow from the typical 80% of managed IT and information security risks to upgrade to 90% or and to understand the complexities, costs and resources necessary to this upgrade path.
Final Program Outline
Security Hardening is a rather wide concept, and leaves a lot of opportunities for various topics, but the idea would be to “bring something new and fresh to Security Officers and related people managing IT Security … “. Both network security, data security, privacy and other topics are very welcome.
9.15 : Welcome & Registration
9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.
10.00 : Securing endpoints in the cloud, mobile authentication and encryption to harden the mobile workforce, by Jan Vekemans, Option Mobile Security - Option
Abstract : Introducing the concept of The Cloudkey®, a token that provides a platform for secure mobile access. Cloudkey hardens the authentication and the mobile communication layers, with proven Vasco Digipass authentication with Option’s 3G communications technology to provide an all in one product that simplifies strong, secure access. For situations where secure, highly available internet connectivity is combined with authentication: internet and intranet access in government and enterprises, gambling & gaming applications and in applications where Digipass technology has already been deployed and there is a requirement to combine this with 3G communications.
About : Jan Vekemans has been with Option to develop the mobile security Managed Secure Authentication Service. Prior to Option, Jan built experience with Vasco, and has extensive experience in authentication technologies. He has worked with Genband, being the front runner for EMEA, and expanded Netilla to become a household name in IT security. At Vasco, Jan has built channels and motivated teams. Prior to that he has worked with Baltimore Technologies and Xerox Engineering Systems.
10.40 : Intelligent network behavior analysis: qualifying your security events and information and making an automated evaluation of threats and challenges. Mobile Security Strategies. Hardening your security on the basis of your security information, by Gabriel Dusil, Cognitive Security
Abstract : The explosion in cellular usage and mobile commerce will require advanced levels of protection for mobile users, as hackers continue to find vulnerabilities to exploit. As mobile data is expected to grow 16 fold over the next four years, mobile providers are facing new challenges in balancing subscriber ease-of-use, with cyber-security protection. A dual strategy which includes end-point and infrastructure security should provide robust and cost effective levels of protection. Network Behavior Analysis is a viable building block to infrastructure security, and helps to protect a collective subscriber base against sophisticated mobile cyber-attacks.
Cognitive Security provides clients with a granular view in their corporate-wide network activities. This includes visibility into threats that traverse traditional network defenses, and may include sophisticated and unauthorized penetration into sensitive IT assets, targeted malware infections, or strategically motivated black hackers. Cognitive Security specializes in quickly identifying these attacks, and allowing administrators to quickly mitigate against security breaches.
About : Gabriel Dusil is Vice President at Cognitive Security, a Czech Security technology company. He is expanding the company's presence across Europe, the USA, and beyond. Before joining Cognitive Security, Gabriel was the Director of Alliances at SecureWorks, responsible for partnerships across Europe, Middle East, and Africa (EMEA). Previous to SecureWorks, Gabriel worked at VeriSign and Motorola in a combination of senior marketing and sales roles. Gabriel has lectured in security, authentication, and data communications, as well as speaking in several prominent IT symposiums. Gabriel obtained a Degree in Engineering Physics from the University of McMaster, in Canada and has advanced knowledge in Cloud Computing, SaaS (Security as a Service), Managed Security Services (MSS), Identity and Access Management (IAM), and Security Best Practices.
11.20 : How to protect your data at rest with tape encryption? by Christian Vanden Balck, Oracle Systems EMEA Long Term Storage
Tape encryption, technology of the past or hardening method for archiving?
Abstract : There is a variety of storage possibilities of archiving methods and systems. Depending on the business needs, many companies are still relying on tapes. Those tapes can become a potential risk, if not securely managed. Hardening security of archiving should be considered. The physical loss of tape cartridges containing sensitive data poses a major risk. High-speed data encryption on the tape drive. Oracle Systems, through their acquisition of SUN Microsystems, also acquired StorageTek. Oracle hardened the business requirements with Oracle Key Manager (OKM) which centrally authorizes, secures, and manages all of the encryption keys.
About : Christian has over 19 years of experience in IT, including 7 years of internal IT at Colruyt and 12 years at StorageTek (acquired by Sun Microsystems which was acquired by Oracle). From a PL/1 programmer on IBM mainframe his focus has rapidly evolved to Storage on both IBM mainframe and Open systems. In his current role, Christian is working in an EMEA role supporting the Oracle Long Term Storage business for the BeNeLux and Eastern Europe/CIS clusters. Main topics of interest are hardware encryption on tape, archiving and compliance needs, disaster recovery and green IT.
12.00 : The recent evolution in encryption methods, might be a help in hardening your systems. AES is the standard, but are there other methodologies that could harden your systems and applications? by Vincent Rijmen, Associate Professor, COSIC, KU Leuven
Abstract : Instead of a regular cocktail and appetizer, this explosive mix of advanced cryptographic evolutions is best served before lunch. The evolution of the encryption methods is an opening theme Vincent uses for the bi-annual COSIC international course. It provides a fast lane into the highway of cryptographic methods and challenges, but also provides a perspective on how easy it could be to break encryption systems in this evolutionary landscape. The reason why also encryption is something to manage, and to harden. 8 digit passwords are a thing of the past, but what is next?
About : Vincent Rijmen is a Belgian cryptographer and one of the two designers of Rijndael, the Advanced Encryption Standard (AES). Next to other cryptographic hash functions, and block ciphers, he became associate professor (hoofddocent) at KU Leuven, working with the COSIC lab. He did postdoctoral work on several occasions collaborating with Dr. Joan Daemen. One of their joint projects resulted in the algorithm Rijndael, which in October 2000 was selected by the National Institute of Standards and Technology (NIST) to become the Advanced Encryption Standard (AES). Rijmen has been working as chief cryptographer with Cryptomathic. Rijmen was a visiting professor at the Institute for Applied Information Processing and Communications at Graz University of Technology (Austria), and a full professor there from 2004–2007. In 2002, he was named to the MIT Technology Review TR100 as one of the top 100 innovators in the world under the age of 35.
12.40 : buffet lunch
13.40 : Banking Trojans, effective, prolific and unstoppable? A technical dissection and hardening suggestions, by Eddy Willems, G Data Software
Abstract : In the last decades, we have seen an enormous evolution in cyber threats. One of the scarier developments for many internet users in the recent years are banking Trojans. These are specifically targeting them where it hurts the most: in their wallets. And they seem to become more and more effective, if we can believe what we read in the media. But how come these Trojans are so effective and prolific? Aren’t antivirus solutions, which always seem to have malware detection rates of over 98%, detecting and stopping them? In this presentation, Eddy Willems, Security Evangelist at G Data, sheds light on how banking Trojans technically work, on how they keep themselves under the radar of the vast majority of all security solutions out there and what can be done to stop them.
About : Eddy Willems studied Computer Sciences at IHB and Vrije Universiteit Brussel. He started working as a Systems Analyst in 1984. He also did some data recovery work in those early days. In 1989 he became interested in viruses because of an incident with the famous AIDS-diskette. From that time on he started to gather information about computer viruses and anti-virus software. In 1991 (from the beginning in Brussels) he became a founding member of EICAR, a European security organisation. Eddy is the computer virus and malware expert from Belgium.
14.20 : Hardening open-source content management systems: Drupal, Fork CMS and Umbraco, ... by Erwin Geirnaert, Zion Security
Abstract : Open source CMS systems have become the most advanced and most popular ways to operate and maintain web communities, both internally and as external websites. Sometimes they serve only a specific part of a company’s web presence, but in many cases they are the central hub for companies that dynamically maintain their web presence. Notwithstanding which platform, or if only components and open source programming instruments have been used, they need to be maintained and secured. Web vulnerabilities are the most common targets from the outside. A damaged website can cause damage to the public profile of a company or organization, but it could also affect internal operations if it serves as a hub for malware distribution or phishing attacks. An introduction on why and how to harden CMS platforms. Use it to inform your business and marketing departments.
About : Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE security, .NET security and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar,
15.00 : Hardening against Advanced Persistent Threats (APT), how to? by Marcel Snippe, RSA the Security Division of EMC
Abstract : Who better than RSA would be able to explain today about the damage that can be caused by APTs? The SecurID hack in March 2011, according to RSA, resulted in data that was stolen which could potentially compromise its SecurID tokens. The attack against the RSA network was an example of a new breed of security threat aimed at flying under the radar longer and going after bigger payoffs. An APT attack involves patient, skilled, well-funded attackers going after the really big prize. This attack and others demonstrate why APTs are a growing security concern. Attackers with the skill to bypass network security controls, and the patience to do so over time to avoid overtly suspicious activity that might lead to detection, can eventually achieve major network breaches and data compromise.
About : Marcel Snippe is the manager of the RSA Technology Consultants EMEA North since May 2011. Prior to joining RSA, he was Senior Principal Presales Consultant at Symantec, which he joined in 2006 active in the domain of Data Loss Prevention.
15.40 : coffee break, networking
16.10 : Opening the deep risks of virtual infrastructures and assess them against hardening guidelines, by Aman Bar, the Lancelot Institute
Abstract : During the presentation, the idea is to get access to a remote datacenter. Virtualization technologies provide a great technology to optimize the infrastructure use and provide flexibility in computing. They should be well secured and sometimes the infrastructure is not completely secured.
About : Aman works as training & solutions director in the Lancelot Institute. In addition to his management and consulting activities he regularly travels the globe on speaking and teaching engagements for enterprises to assist them in securing their information assets. Aman is academically qualified in Information Systems, and specializes in Information Systems Assurance, Auditing, Continuity, Recovery and Incident Response. He is author and co-author of the Virtualization Audit Professional™, Cloud Audit Professional™ and Penetration Testing Professional™ training programs.
16.50 : Remote Access Security, by Rudolf Schucha – Communications Security Consultant – Ultra Electronics - AEP Networks
Abstract : All organizations are coping with challenges of remote access. Whether they are to enable employees access for teleworking, accessing partners for remote services, providing access to webservices or even access to cloud environments. An analysis of the problem will indicate that quite a series of challenges are being posed from technology to people skills. Risks appear to be numerous and the provider and receiver will have to be able to trust each other. With this presentation Mr Sucha will present a comprehensive approach of dealing with the challenge and improving your existing setup.
About : As a former HP/Agilent Network Measurement and Management Consultant of 14 years, Rudolf has been working with a large number of the big companies within the ICT sector as a trusted advisor on how to ensure network security. Rudolf joined AEP Networks (now Ultra Electronics AEP Networks) in September 2010 to add large scale project experience and technical expertise to the growing AEP team. In particular, the experience in network management combined with the knowledge in multimedia communication allows him a really good understanding of the modern and ever growing number of applications which look threatening to the historically grown government and enterprise networks.
17.30 : When business fully understands the challenges of security, an end to end security strategy can be considered. An example from laptop to datacenter, by Antonio Mata Gomez, Oracle
Abstract : The simple question was : what is Oracle doing on information security? There was a simple answer : many things. That has resulted in a series of activities for Oracle to demonstrate their security practice, from db hardening to an end to end perspective. Oracle’s identity management solutions, Oracle applications and the whole cloud offering are only a fragment of the security perspectives of Oracle. As a result, with this concept of an end to end approach, as a case study, it becomes clear what the concept of hardening is all about. It starts from the single data digit, but has to be carried throughout the chain of processing, at light speed or faster and secured.
Case: Transparency, Accountability and Auditability of high privileged users access is mandatory.
Efficient and consistent User Administration of multiple Databases is becoming more and more important, and is a basic requirement in compliance and auditing discussions. Not only making sure that the right users have access to the right databases at any point in time, but also the traceability of the past and a full view of the lifecycle management and auditability of the high privileged users (eg DBAs) is a key basic compliance requirement in any organization. Compliance is not only a matter of processes and applications; the place where the information is stored is also seen as a serious attention point for auditing the compliance, security and risk exposure. Ensuring that the right people at all times have only access to the information they are entitled to has never been so important. The user management across these multiple DB instances is often done individually, with manual interventions or using scripts, which is costly, not error free and not well accepted by auditors.
About : Antonio started his career as an Oracle database consultant. Back then IT was more interested in High Availability and Scalability but enterprises started showing a growing interest in protecting their key Business Assets persisted in database management systems. Antonio's expertise was formed through many projects where protecting the database was key in order to guarantee the required security level. In his role of Database Security expert Antonio closely followed up on the Identity & Access Management market trends, which has enabled him to approach security projects from multiple angles.
18.10 : Closing Notes, Reception & Networking
19.00 : Close of Conference
Practical Details
LSEC Security Hardening 2012 - part 1
February 8th, Ubicenter, Leuven
Register already now, to ensure your seat at http://securityhardening2012.eventbrite.com
Free to participate to LSEC Members, LSEC partners and partner Members, Agoria Members, ECSA Members.
Free to participate to any others when subscribed before December 30th. After that date, subscription fee of 150 €.
Non-Cancellation fee of 150 €, upon no cancellation at least 1 day before the event and non-appearance.
This event was supported by CA Technologies, an LSEC platinum sponsor for our events. We are always open to other, additional interested parties.
The ticket you will receive from Eventbrite will show February 8th only, but will cover both days. Please inform us if you are only able to participate in one of the two days.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.
When & Where
Ubicenter
Philipssite 5/b
3000 Leuven
Belgium
Wednesday, February 8, 2012 from 10:00 AM to 5:00 PM (GMT+0100)