ISE United Kingdom and Ireland Executive Forum Global and Thought Leadership Topics
Date: Thursday 27 September 2007
Park Lane Hotel 37-39 Brick Street London W1J 7BX, United Kingdom Tudor Rose Room
Scheduled Time: 14:30 - 17:00
Do you have Advance Questions for a Guest Host Moderator?
If you would like to ask a Guest Host Moderator a question on their thought leadership topic in advance of the ISE UK and Ireland Executive Forum, please send your question via email to iseirelanduk@infosecaward.com. Be sure to include in the Subject Line: Question for Guest Host Moderator at ISE UK and Ireland Executive Forum. In the body of the email, please let us know the name of the guest host moderator, thought leadership topic and your question. We will send your question over to the Guest Host Moderator to be answered at the ISE UK and Ireland Executive Forum. Thank you.
Guest Host Moderator
Michael J. Assante
Infrastructure Protection Strategist / Business Manager, National & Homeland Security
Idaho National Lab (INL)
ISE Midwest Awards 2005 Finalist
Aaron Turner, CISSP, CISM
Cyber Security Strategist, National & Homeland Security
Idaho National Lab (INL)
Executive Forum Global and Thought Leadership Global Topic
Defending Security - Protecting Businesses and Customers from the Next Generation of Threats
Protecting information in 2007 and beyond requires budget, mature processes, skilled and aware staff, and proactive means to counter the foreseeable threats that accompany new and emerging IT technology.
All businesses - global enterprises, government agencies, financial and academic institutions, and even local shops - are exposed to data breaches, wireless hacking, mobile virus attacks, insider violations, and flaws in new software. The damage caused by these threats is often widely publicized and can destroy an organization's reputation as well as expose millions of people to identity fraud.
To help counter IT security threats, governments have revised laws, mandated audits, modified standards and policies, and introduced regulations with which businesses are required to comply. These regulations and laws have added yet more challenges for IT security professionals who are already contending with demanding business strategy.
In an interactive format, the global speaker will share methods and insights into solutions that counter the next generation of IT security threats. Topics to be discussed include:
- How to raise awareness of threat management with executive teams.
- How organizations are addressing issues around identity theft and phishing to protect customer information and brand identity
- How other areas of your company can work together to ensure that its IT environment is secure for customers, partners, and suppliers
- Effective methods for protecting customer data in systems that you have limited access to or do not own
- Implementing automated processes to manage and archive data
- Protecting sensitive customer and company information to meet regulatory requirements for reporting and disclosure
- Ensuring compliance with industry standards
Mobile and Wireless Security: Enforcing Endpoint Security for a Growing Mobile Workforce
While businesses grow in a competitive international marketplace, and as customers and employees become more remote, IT leaders find it necessary to provide additional online services to accommodate customer satisfaction that is closely tied to trust and loyalty. These services also allow employees to improve productivity while working away from their desks.
Mobile and wireless technology has enabled employees and customers to connect to corporate networks daily using laptops, cell phones, smartphones, PDAs, thumb drives, and other handheld devices. Users can download or upload almost any file from most mobile devices. Although end users may deploy safeguards against viruses and other exploits, they are often not diligent in keeping those safeguards up to date.
As new features turn mobile devices into cameras, MP3 players, video players, and banking terminals, so grows the temptation for attackers to produce new mobile threats, such as mobile keyloggers and snoopware, and more recently text-messaging, Bluetooth, and Wi-Fi access attacks.
Discuss with your peers at this executive roundtable:
- Processes and solutions that you have implemented to deal with endpoint security
- Options that are available to help businesses keep a balance between security and their mobile workforce and customer support
- How to develop and solidify confidence in customers who remotely access networks
- Solutions to ensure end users are updating anti-virus and firewall protection on their mobile devices
- Methods for protecting corporate data while increasing visibility and control over managed and unmanaged endpoints
Managing Security Operations: Pros and Cons of Using a Managed Security Service Provider (MSSP)
Securing operations from internal and external threats demands around-the-clock real-time services. These services are required to enhance an organization's information security posture through continuous monitoring and management, expert analysis, compliance reporting and immediate response to potential security threats.
The challenge of securing and managing resources and running a 24/7 environment can be daunting and costly for many organizations. One option is to engage a managed security service provider (MSSP), which can offer companies lower-cost security services.
MSSPs have evolved in various ways and can handle system changes, modifications, and upgrades. Some traditional ISPs, noting the increasing demand for Internet security in recent years, have added managed security to their services. A few security vendors have added Internet access, thus becoming MSSPs. Still other MSSPs have come into existence as brand new entities.
Many companies, especially financial services and other highly regulated organizations, require an MSSP to demonstrate that its processes are credible and that it has controls in place to provide a consistent, stable, and secure environment. Some companies are reluctant to give up complete control over the security of their systems and sensitive customer data.
Discuss with your peers at this executive roundtable:
- The considerations, pros, and cons of utilizing an MSSP.
- The advantages and disadvantages of outsourcing parts of your security operations to an MSSP while other parts are managed by internal resources.
- Best practices for delivering integrated event archiving and management, improved compliance reporting, and strong administration
- Solutions that detect and prevent sophisticated online fraud and identity theft attacks from internal and external sources
Supporting Multiple Security Standards and Approaches
As global markets grow and companies span continents, so has the need to support multiple and sometimes incompatible security approaches. Manufacturers want to be competitive internationally but in doing so are often required to accommodate global standards and security procedures that frequently conflict with regional and national requirements. How then can businesses build products that meet one set of standards worldwide and also accommodate different standards for each country?
Gartner states, "IT security directors must take a region- or country-specific approach to the difficult issues of security and privacy policies and that a single global approach will not meet regional or national requirements. Different legal and regulatory environments in various regions and countries make implementing global "one size fits all" security policies complex, difficult and risky. For example, the privacy regulations in the European Union (EU) are far more rigorous than in the United States -and any attempt to use U.S. practices in Europe will likely be disastrous. Enterprise security practices should be deployed on a region- or country-specific basis, and should follow these best practices." Nonetheless, some believe that a global standard would give companies, which operate internationally, a unified approach to address security in their products, services, and customer solutions.
As governments require companies to support incompatible security approaches, testing multiple products that must simultaneously support those approaches is becoming a challenge for IT security professionals. In an emergency, for example, which in our industry usually occurs in the early morning, personnel are often located on different continents in different time zones and struggle to understand the multiple standards that apply to the situation. Would global standards be beneficial in this instance?
Business, legal and IS organizations should work closely (and consult with their peers) to map regulatory requirements into decisions about how to comply with regional or national security and privacy regulations.
Discuss with your peers at this executive roundtable:
- Global approaches to addressing security standards in products, services, and customer solutions.
- Standards for Internet and e-mail filtering and encryption deployments on networks.
- Challenges to communicating across time zones, cultures, and geographic boundaries
- How multiple approaches may affect data storage, data loss and retention requirements, and filing of time-sensitive information
- Methods for training, continuing education, and professional development of employees locally or worldwide
Mitigating Risks and Assessing Vulnerabilities in Software and Web Applications
Gartner estimates that 75 percent of attacks on Web security today are aimed straight at the application layer. Web-based attacks can lead to lost revenue, theft of customers' personally identifiable financial information, and non-compliance with government and industry mandates, such as the Payment Card Industry Data Security Standard (PCI DSS), which includes sections specifically dedicated to Web security.
No matter how many firewalls or filtering devices sit in front of your infrastructure, an attacker needs only to exploit poor coding in a custom application running on the Web server to retrieve entire tables of sensitive data. Why is it so simple? The attack happens at the application layer, not the network layer: the malicious request looks like ordinary HTTP traffic to a network firewall, so it is passed through to the application that fails to handle it safely.
One way to mitigate risks and protect the availability, confidentiality, and integrity of your data is to test Web applications for mistakes in application logic, configurations, and software coding.
Although security executives are experts at using network security controls such as firewalls, intrusion prevention systems, and event monitoring software to protect corporate data and assets, they must now also deal with attacks that target software and Web application vulnerabilities.
Discuss with your peers at this executive roundtable:
- Which Web applications should be tested and why
- Alternatives to sending sensitive data over the Web
- Security vulnerabilities in software such as poor software development practices, new modes of attacks, application misconfigurations, or unsecured links between systems.
- Using input validation frameworks during development to reduce risks such as cross-site scripting.
- Specific Web application threats, such as remote code execution, SQL injection, format string vulnerabilities, cross-site scripting (XSS), and username enumeration
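The roundtable above describes the classic failure: a custom Web application concatenates user input into a database query and hands an intruder the whole table, no matter how well the network perimeter is defended. The following is an added example, not code from the ISE forum page or from either guest host; it builds a small SQLite customer table (constructed sample data with made-up usernames and card numbers) and runs the same lookup two ways: the vulnerable string-concatenation form, and a hardened form that validates input and binds it as a query parameter. It also shows output encoding for the HTML context, the control that stops reflected cross-site scripting. Function names, the table layout and the regular expression are assumptions chosen for illustration.

```python
"""Added example (not from the ISE forum page): a Web-application lookup
written two ways against an in-memory SQLite table constructed here, plus
output encoding for cross-site scripting.  Names and data are illustrative.
"""
import html
import re
import sqlite3

# Constructed sample data standing in for a customer table.
CUSTOMERS = [
    ("alice", "alice@example.test", "4111-1111-1111-1111"),
    ("bob", "bob@example.test", "5500-0000-0000-0004"),
    ("carol", "carol@example.test", "3400-0000-0000-009"),
]

# Assumed allow-list for usernames: letters, digits, dot, dash, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Create the constructed customer table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The flaw the roundtable describes: input pasted straight into SQL.
    A username of  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row in the table."""
    sql = ("SELECT username, email, card FROM customers WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Bind the value as a parameter; the driver never treats it as SQL,
    so the same payload matches no row instead of every row."""
    sql = "SELECT username, email, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_hardened(conn, username):
    """Defence in depth: reject input outside the expected character set
    before it reaches the database, then use the parameterised query."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_parameterised(conn, username)


def render_greeting(username):
    """Encode for the HTML body context so a reflected value cannot become
    markup or script (the cross-site scripting case from the topic list)."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def demo():
    """Run both lookups with an injection payload and summarise the result."""
    conn = make_db()
    payload = "' OR '1'='1"
    dumped = lookup_vulnerable(conn, payload)
    try:
        lookup_hardened(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "dumped_rows": len(dumped),            # whole table leaks
        "parameterised_rows": len(lookup_parameterised(conn, payload)),
        "hardened_blocked": blocked,
        "legit": lookup_hardened(conn, "bob"),
        "xss": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Parameter binding alone is what defeats the injection; the allow-list check is an extra layer that also rejects malformed input early and gives the application a clear place to log the attempt. The same pattern applies to any data store or template engine: keep data and code apart at the API boundary rather than trying to filter out dangerous characters.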
Inside the Network Perimeter - Protecting Your Data and Network from the Inside
With the defined perimeter becoming blurred, if not transparent, due to next-generation and wireless networking technologies, networks and systems alike have become easily accessible to end users. Wherever end users are and whichever device they are using, the network is where the line of defense must be drawn. Those lines of defense are in constant motion as people move from device to device and network to network, which shifts the traditional focus from protecting the network against outside threats to protecting it against threats from inside.
Threats from the inside can arise through sheer ignorance or negligence in the use of company IT resources, or from authorized individuals who intend to commit a crime. Insiders pose a substantial threat because of their knowledge of, and access to, employer systems and databases. Remote users may unknowingly infect the corporate network by allowing family and friends to use the company laptop or PC to access the Internet. Regardless of how users connect to the network, whether on site or remotely, your data and network must be protected.
There are various ways of approaching data protection and controlling network access. It can be done at the network, endpoint, or user level, or through a combination of all three.
Discuss with your peers at this executive roundtable:
- Understanding the risk of the insider threats at your organization
- Solutions for insider attacks from shared and privileged access.
- How to build the business case for deploying solutions to address the threat from the inside
- Sharing of best practices for deploying identity management, anomaly detection, endpoint security, and network access control technologies.
- End user remediation methods
- Balancing vulnerabilities, risk, and costs with operational needs.
Complying with Government Legislation and Regulatory Standards - Best Practices for Archiving and Protecting Business Data
An unprecedented increase in litigation and government regulations and investigations involving electronic business records has forced enterprises to comply with a plethora of electronic data standards and laws. To avoid fines and in some cases jail time, companies must follow best practice processes to build an IT architecture that will support all legislation requirements.
Complying with legislation and standards such as HIPAA, the Sarbanes-Oxley Act, Basel II and ISO/IEC 27002, as well as industry mandates such as the Payment Card Industry Data Security Standard (PCI DSS) for merchants, can be a major challenge for IT security executives. In an effort to meet compliance requirements, many organizations have deployed rudimentary policies with the intention of improving them later. Some security executives are simply unsure what data they should retain, and how they should store it, in order to comply.
Private and public companies continue to face compelling reasons to find ways to improve their electronic records management standard of performance, and concurrently, find cost-effective solutions to reduce their legal, regulatory, and business risks for the capture, storage, protection, management, and production of their electronic information assets.
Discuss with your peers at this executive roundtable:
- Best practices for the widespread operational changes involved with building a compliant IT infrastructure, such as, policy management, training, analysis, and reporting, while meeting the requirements set forth by government regulations and landmark litigation.
- Archiving and protecting data while maintaining compliance.
- Identifying significant roles, responsibilities, authority, and accountability of the individuals who should carry out the set of regulation guidelines.
- Current data processes and security practices, including networks, facilities, and hardware. What is being stored and backed up on the network and for how long.
- Discovering security gaps and developing a plan to secure them.
- Periodically testing and evaluating the effectiveness and vulnerability of security policies and procedures