Register for NEACS 2016
US Department of Justice – Panel Discussion with participants from FBI, DHS and Secret Service
The U.S. Department of Justice, Bridgeport Regional Office, is hosting a panel discussion of various law enforcement officials such as the FBI, Secret Service and Homeland Security. This panel promises to bring interesting, relevant and current topical information and sound advice for dealing with the host of issues encountered each day by security, governance, compliance and other professionals.
Our panel moderator is Vanessa Richards, Assistant U.S. Attorney for the Department of Justice, Connecticut Division.
The U.S. Department of Justice, Bridgeport Regional Office, is hosting a panel discussion of various law enforcement officials such as the FBI, Secret Service and Homeland Security. This panel promises to bring interesting, relevant and current topical information and sound advice for dealing with the host of issues encountered each day by security, governance, compliance and other professionals.
Our panel moderator is Vanessa Richards, Assistant U.S. Attorney for the Department of Justice, Connecticut Division.
Practical Solutions on Ways Organizations Can Manage Vendor Cybersecurity Risks
Andy Ellsweig, CPA, CITP, CGEIT
Director RSM US LLP
Andy Ellsweig, CPA, CITP, CGEIT
Director RSM US LLP
Due to increases in privacy rules and regulations, organizations are required to implement effective third party risk management and monitoring procedures. As many organizations have recently found, preventing breaches and securing the personally identifiable information (PII) held on customers, employees and vendors becomes more challenging as organizations increasingly outsource key functions or move to cloud providers. As more and more critical functions are being outsourced, banks are learning there is a high level of risk and uncertainty associated with choosing the right third party providers.
Attend this session and learn…..
- Best practices for performing third party risk assessments
- How to pick the right tool(s)
- Design an ongoing cybersecurity management program for assessing vendors based on risk
- Conducting ongoing cybersecurity assessments on a regular schedule
- Contractual considerations outlining Cybersecurity requirements for key vendors
- Using Cyber insurance to mitigate risk
Due to increases in privacy rules and regulations, organizations are required to implement effective third party risk management and monitoring procedures. As many organizations have recently found, preventing breaches and securing the personally identifiable information (PII) held on customers, employees and vendors becomes more challenging as organizations increasingly outsource key functions or move to cloud providers. As more and more critical functions are being outsourced, banks are learning there is a high level of risk and uncertainty associated with choosing the right third party providers.
Attend this session and learn…..
- Best practices for performing third party risk assessments
- How to pick the right tool(s)
- Design an ongoing cybersecurity management program for assessing vendors based on risk
- Conducting ongoing cybersecurity assessments on a regular schedule
- Contractual considerations outlining Cybersecurity requirements for key vendors
- Using Cyber insurance to mitigate risk
Current trends in Ransomware
Mike Money, CIPP
Director for Protiviti's Information Security & Privacy Practice
Mike Money, CIPP
Director for Protiviti's Information Security & Privacy Practice
Director for Protiviti's Information Security & Privacy Practice
The onslaught of Ransomware continues in 2016. Incidents of ransomware rose by nearly 26% 2015 to 2016 YoY - (FBI.gov - Ransomware on the Rise, April 2016)
Most common victims are hospitals and government entities - (Business Insider - The Hacked Hollywood Hospital Is Not Alone, February 2016)
As noted in the first quarter of 2016, the FBI reported that organizations paid more than $209 million to ransom data as opposed to $24 million in all of 2015. Recent headlines expose real risks and the trends demonstrate that there will continue to be a huge increase in the volume of ransomware.
The presentation has three components:
- Trends: Why has ransomware takeoff as the current fraud of choice, statistics, ramifications of paying the ransom or not, law-enforcement advice, and how much does it cost to purchase ransomware.
- Actions: should you pay, how do you prevent, and steps to recover if you are hit with ransomware.
- Ransomware: Protiviti will demonstrate how actual ransomware works – demonstration will include code review, crypto components, and will be an actual ransomware in a case study.
The onslaught of Ransomware continues in 2016. Incidents of ransomware rose by nearly 26% 2015 to 2016 YoY - (FBI.gov - Ransomware on the Rise, April 2016)
Most common victims are hospitals and government entities - (Business Insider - The Hacked Hollywood Hospital Is Not Alone, February 2016)
As noted in the first quarter of 2016, the FBI reported that organizations paid more than $209 million to ransom data as opposed to $24 million in all of 2015. Recent headlines expose real risks and the trends demonstrate that there will continue to be a huge increase in the volume of ransomware.
The presentation has three components:
- Trends: Why has ransomware takeoff as the current fraud of choice, statistics, ramifications of paying the ransom or not, law-enforcement advice, and how much does it cost to purchase ransomware.
- Actions: should you pay, how do you prevent, and steps to recover if you are hit with ransomware.
- Ransomware: Protiviti will demonstrate how actual ransomware works – demonstration will include code review, crypto components, and will be an actual ransomware in a case study.
Access Control Lists so 1900’s Let us move past the 1980’s technology
Jay Ferron
CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM
Jay Ferron
CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM
We’ve been using Access control to protect data for years, but it’s just not working anymore. In this session you will learn about applying conditions to protect data. Think about this, you grant a user permission to the finance share and he, or she, copies data to a non-approved location. Now any user can look at the data. In this session, you will learn how to apply conditions to data so the user can only work and save data where you want them to. You will also be able to limit access based on group membership and Location rules. You will also learn how you can automatically apply encryption rules to data.
We’ve been using Access control to protect data for years, but it’s just not working anymore. In this session you will learn about applying conditions to protect data. Think about this, you grant a user permission to the finance share and he, or she, copies data to a non-approved location. Now any user can look at the data. In this session, you will learn how to apply conditions to data so the user can only work and save data where you want them to. You will also be able to limit access based on group membership and Location rules. You will also learn how you can automatically apply encryption rules to data.
Anatomy of a cyber breach
David P. Trollman | Senior Manager | EY Cybersecurity
Ernst & Young LLP
David P. Trollman | Senior Manager | EY Cybersecurity
Ernst & Young LLP
Ernst & Young LLP
Anatomy of a cyber breach presentation where we walk through the steps external threat actors take to first access and then steal sensitive data from a targeted network.
Today's mega-breaches have a set of key features and control failures in common. EY, leveraging its years of experience investigating cyber breaches and conducting attack & penetration testing, will walk you through the steps an attacker takes to infiltrate, compromise, and steal data from a network. As we walk through the breach, we will help identify key technical and process control failures attackers commonly exploit. We will also discuss our recent experiences from investigations and assessments with our clients. We will wrap up with a discussion around key lessons we are learning from these mega-breaches and what steps organizations should consider to secure their networks from motivated attackers.
Anatomy of a cyber breach presentation where we walk through the steps external threat actors take to first access and then steal sensitive data from a targeted network.
Today's mega-breaches have a set of key features and control failures in common. EY, leveraging its years of experience investigating cyber breaches and conducting attack & penetration testing, will walk you through the steps an attacker takes to infiltrate, compromise, and steal data from a network. As we walk through the breach, we will help identify key technical and process control failures attackers commonly exploit. We will also discuss our recent experiences from investigations and assessments with our clients. We will wrap up with a discussion around key lessons we are learning from these mega-breaches and what steps organizations should consider to secure their networks from motivated attackers.
Cyber Threats and Security Trends: the Role of the Internet of Things (IoT) in the Ever Changing Cyber Landscape
Jason Hunt
Deloitte
Jason Hunt
Deloitte
Jason Hunt is a senior manager in Deloitte’s Advisory practice with more than 10 years of experience working with complex business processes and IT risk and controls. He is a specialist in risk identification and assessment within complex IT environments. Jason has extensive experience with leading security practices. Additionally, he has developed assessment frameworks used in serving large global companies, assessing IT security postures against relevant standards including ISO and NIST.
Jason holds CISSP and CISA certifications. He is a graduate of Guilford College in Greensboro, North Carolina with degrees in Business Management and Computing and Information Technologies. Jason also holds an MBA from the University of Mississippi.
Talk abstract: Role of the Internet of Things (IoT) in the Ever Changing Cyber Landscape
Jason Hunt is a senior manager in Deloitte’s Advisory practice with more than 10 years of experience working with complex business processes and IT risk and controls. He is a specialist in risk identification and assessment within complex IT environments. Jason has extensive experience with leading security practices. Additionally, he has developed assessment frameworks used in serving large global companies, assessing IT security postures against relevant standards including ISO and NIST.
Talk abstract: Role of the Internet of Things (IoT) in the Ever Changing Cyber Landscape
Jason holds CISSP and CISA certifications. He is a graduate of Guilford College in Greensboro, North Carolina with degrees in Business Management and Computing and Information Technologies. Jason also holds an MBA from the University of Mississippi.
Cybersecurity Strategy of Internet of things
Bob Mannarino, Virginia Gambale, Pamela Gupta, Tate Pursell, Sri Muthu
Bob Mannarino, Virginia Gambale, Pamela Gupta, Tate Pursell, Sri Muthu
25 billion objects are already online worldwide, gathering information using sensors and communicating with each other over the internet, and this number is growing, with consumer goods companies, auto manufacturers, healthcare providers, and so many other businesses investing in the new breed of connected devices.
Such devices can help monitor your health, improve safety on highways, and make your home more efficient. When the stakes are so high there is no room for privacy and security flaws. This session will explore the issues and a strategic risk based approach to addressing the issues.
25 billion objects are already online worldwide, gathering information using sensors and communicating with each other over the internet, and this number is growing, with consumer goods companies, auto manufacturers, healthcare providers, and so many other businesses investing in the new breed of connected devices.
Such devices can help monitor your health, improve safety on highways, and make your home more efficient. When the stakes are so high there is no room for privacy and security flaws. This session will explore the issues and a strategic risk based approach to addressing the issues.
Chief Risk Officer Perspective
William Feher, Vice President, Internal Audit and Chief Risk Officer – ITT
William Feher, Vice President, Internal Audit and Chief Risk Officer – ITT
No longer is cyber security the concern of only the Chief Information Security Officer or the Chief Information Officer. Increasingly boards of directors and management teams are turning to their Chief Risk Officer for an independent view of how cyber risk is managed across the enterprise. An important part of the solution is a strong partnership with all of the stakeholders in cyber security. This session will share strategies and success stories.
CISO Panel: VJ Viswananth, Peter Rosario, Anthony Dupree, William Feher, Chris Leigh
No longer is cyber security the concern of only the Chief Information Security Officer or the Chief Information Officer. Increasingly boards of directors and management teams are turning to their Chief Risk Officer for an independent view of how cyber risk is managed across the enterprise. An important part of the solution is a strong partnership with all of the stakeholders in cyber security. This session will share strategies and success stories.
CISO Panel: VJ Viswananth, Peter Rosario, Anthony Dupree, William Feher, Chris Leigh
Cybersecurity litigation, regulation and legislation: Going beyond Cyber insurance
Monique Ferraro
Counsel Cyber Practice
The Hartford Steam Boiler Inspection and Insurance Co.
Monique Ferraro
Counsel Cyber Practice
The Hartford Steam Boiler Inspection and Insurance Co.
The Hartford Steam Boiler Inspection and Insurance Co.
This year has brought a whirlwind of cybersecurity litigation, regulation and legislation. In litigation: Spokeo, Inc. v Robins, P.F. Chang’s v Fed. Ins. Co. & Travellers v Portal. In regulation: In the Matter of LabMD and HHS guidance on ransomware. In legislation: data breach. This session provides a review of the most significant developments that will impact information security professionals.
• Quick abstract: Roundup of recent cybersecurity litigation, regulation and legislation that will affect every IT security practitioner moving forward.
• Session Detail: Working in cybersecurity is challenging for many reasons. One of the challenges has been trying to discern what laws apply and how they will be interpreted. Technology is a rabbit, while the law is a turtle. In the past year, we have seen litigation outcomes, legislation trends and regulatory guidance that will help cybersecurity to predict legal outcomes of their everyday experiences. This session will provide an overview and analysis of recent case law, legislative proposals and enacted statutes and regulatory guidance.
This year has brought a whirlwind of cybersecurity litigation, regulation and legislation. In litigation: Spokeo, Inc. v Robins, P.F. Chang’s v Fed. Ins. Co. & Travellers v Portal. In regulation: In the Matter of LabMD and HHS guidance on ransomware. In legislation: data breach. This session provides a review of the most significant developments that will impact information security professionals.
• Quick abstract: Roundup of recent cybersecurity litigation, regulation and legislation that will affect every IT security practitioner moving forward.
• Session Detail: Working in cybersecurity is challenging for many reasons. One of the challenges has been trying to discern what laws apply and how they will be interpreted. Technology is a rabbit, while the law is a turtle. In the past year, we have seen litigation outcomes, legislation trends and regulatory guidance that will help cybersecurity to predict legal outcomes of their everyday experiences. This session will provide an overview and analysis of recent case law, legislative proposals and enacted statutes and regulatory guidance.
Security certifications CISSP, CISA, CISM, CRISC, CIA or CRMA
Marguerite McCarthy
President ISACA NY Chapter
Marguerite McCarthy
President ISACA NY Chapter
Certifications play an important part in gaining professional credibility. This talk will help you make a decision on which certification will help you attain the level of expertise you seek.
Certifications play an important part in gaining professional credibility. This talk will help you make a decision on which certification will help you attain the level of expertise you seek.
NEACS
Program Schedule
The Importance of Being Vulnerable: vulnerable networks, vulnerable apps, and vulnerable APIs
Mordecai Kraushar , CISSP, PCI DSS QSA.
Director of Audit,CipherTech
Mordecai Kraushar , CISSP, PCI DSS QSA.
Director of Audit,CipherTech
Many organization focus on defending their networks and their applications. This presentation will review frameworks and projects that intentionally showcase how not to do it, and discuss the many benefits of such projects.
Topics of discussion and some light demos will include:
· Testing network and application scanners (products)
· Testing network and application scanners (people)
· Testing source code analysis tools
· Examining code that allows the vulnerabilities
· Testing of network and application firewalls
· Testing of IDS/IPS systems
· Reviewing evidence left by attacks
· Have fun and generate interest in the field
Many organization focus on defending their networks and their applications. This presentation will review frameworks and projects that intentionally showcase how not to do it, and discuss the many benefits of such projects.
Topics of discussion and some light demos will include:
· Testing network and application scanners (products)
· Testing network and application scanners (people)
· Testing source code analysis tools
· Examining code that allows the vulnerabilities
· Testing of network and application firewalls
· Testing of IDS/IPS systems
· Reviewing evidence left by attacks
· Have fun and generate interest in the field
Looking For A Job In a “0% Unemployment” Industry
Sean Henry
VP of Staffing, CyberSN
Sean Henry
VP of Staffing, CyberSN
VP of Staffing, CyberSN
With a reported unemployment rate in cyber security of zero percent, one might assume that no one has trouble finding their dream job in our industry. That is not the case: job seekers still face tremendous struggles navigating the interviewing and hiring processes, and companies have challenges finding candidates with necessary skills that also fit their budgets. Join Sean Henry, VP of Staffing Services of cyber security staffing company CyberSN, for a discussion about what we can do to be more effective when hiring and recruiting, common interview mistakes, and tips for making the job searching process shorter and less painful.
With a reported unemployment rate in cyber security of zero percent, one might assume that no one has trouble finding their dream job in our industry. That is not the case: job seekers still face tremendous struggles navigating the interviewing and hiring processes, and companies have challenges finding candidates with necessary skills that also fit their budgets. Join Sean Henry, VP of Staffing Services of cyber security staffing company CyberSN, for a discussion about what we can do to be more effective when hiring and recruiting, common interview mistakes, and tips for making the job searching process shorter and less painful.
Continuous Application Security at Scale with IAST and RASP
Jon Seidman
Contrast Security, Inc.
Jon Seidman
Contrast Security, Inc.
Contrast Security, Inc.
SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.