ISE West Executive Forum
Global and Thought Leadership Topics
Thursday, October 18, 2007
W Hotel San Francisco
181 3rd Street
San Francisco, California 94103
415-777-5300
The Industry Room
2:30 PM - 5:00 PM
2:30 PM
Welcoming Remarks and Introductions of Guest Host Moderators
Marci McCarthy, CEO, Executive Alliance
2:40 PM
Interactive Global Discussion
Defending Security - Protecting Businesses and Customers from the Next Generation of Threats
Al Kirkpatrick, Vice President and Chief Information Security Officer, First American Corporation
3:25 PM
First Roundtable Discussions
Led by Guest Host Moderators
4:05 PM
Second Roundtable Discussions
Led by Guest Host Moderators
4:40 PM
Roundtable Debriefs
4:55 PM
Closing Remarks
Marci McCarthy
Do you have Advance Questions for a Guest Host Moderator?
If you would like to ask a Guest Host Moderator a question on their thought leadership topic in advance of the ISE West Executive Forum, please send your question via email to iseWest@infosecaward.com. Be sure to include in the Subject Line: Question for Guest Host Moderator at ISE West Executive Forum. In the body of the email, please let us know the name of the guest host moderator, thought leadership topic and your question. We will send your question over to the Guest Host Moderator to be answered at the ISE West Executive Forum. Thank you.
Executive Forum Global and Thought Leadership Global Topic
Defending Security - Protecting Businesses and Customers from the Next Generation of Threats
Global Topic Led By: Al Kirkpatrick - Vice President and Chief Information Security Officer, First American Corporation, ISE Southeast Awards 2005 Nominee, ISE West Awards 2007 Nominee
Protecting information in 2007 and beyond requires a budget, sophisticated processes, skillful awareness, and proactive means to combat the foreseeable threats associated with new and emerging information technology.
All businesses - global enterprises, government agencies, financial and academic institutions, and even local shops - are vulnerable to potential data breaches, wireless hacking, mobile virus attacks, insider violations, and flaws in new software. The damage caused by these types of threats is often widely publicized and can destroy an organization's reputation as well as expose millions of people to identity fraud.
To help combat IT security threats, governments have revised laws, mandated audits, modified standards and policies, and implemented regulations with which businesses are required to comply. These regulations and laws have added even more challenges to the IT security professional's already demanding business strategy.
In an interactive format, a moderator will share methods and insights into solutions against the next generation of IT security threats.
Topics to be discussed include:
- How to raise awareness of threat management with executive teams
- How organizations are addressing issues around identity theft and phishing to protect customer information and brand identity
- How other areas of your company can work together to ensure that its IT environment is secure for customers, partners and suppliers
- Effective methods for protecting customer data in systems that you have limited access to or do not own
- Implementing automated processes to manage and archive data
- Protecting sensitive customer and company information to meet regulatory requirements for reporting and disclosure
- Ensuring compliance with industry standards
Mobile and Wireless Security: Enforcing Endpoint Security for a Growing Mobile Workforce
While businesses grow in a competitive international marketplace, and as customers and employees become more remote, IT leaders find it necessary to provide additional online services to accommodate customer satisfaction that is closely tied to trust and loyalty. These services also allow employees to improve productivity while working away from their desks.
Mobile and wireless technology has enabled employees and customers to connect to corporate networks on a daily basis using laptops, cell phones, smartphones, PDAs, thumb drives, and other handheld computer devices. Users can download or upload any file from most mobile devices. Although end users may deploy safeguards against viruses and other potential exploits, they are not diligent in updating these safeguards.
As exciting new features continue to transform mobile devices into cameras, MP3 players, videos, and banks, hackers are increasingly tempted to produce newer mobile threats, such as mobile keyloggers, snoopware and, more recently, text messaging, Bluetooth, and Wi-Fi access attacks.
Topics to be discussed include:
- Processes and solutions that you have implemented to deal with endpoint security
- Options that are available to help businesses keep a balance between security and their mobile workforce and customer support
- How to develop and solidify confidence in customers who remotely access networks
- Solutions to ensure end users are updating anti-virus and firewall protection on their mobile devices
- Methods for protecting corporate data as well as increasing visibility and control over managed and unmanaged endpoints
Mitigating Risks and Assessing Vulnerabilities in Software and Web Applications
Gartner estimates that 75 percent of attacks on Web security today are aimed straight at the application layer. Web-based attacks can lead to lost revenue, theft of customers' personally identifiable financial information, and non-compliance with government and industry mandates, such as the Payment Card Industry Data Security Standard (PCI), which includes sections specifically dedicated to Web security.
No matter how many firewalls or filtering devices your security solution runs on your infrastructure, the only thing attackers have to do to bring down your network is to take advantage of poor coding in the custom application running on the Web server, which lets the intruder retrieve entire tables of sensitive data. Why is it so simple? The attacks happen at the application level and not at the network level.
One way to mitigate risks and protect the availability, confidentiality, and integrity of your data is to test Web applications for mistakes in application logic, configurations, and software coding.
Although security executives are experts at utilizing network security controls to protect corporate data and assets, including firewalls, intrusion prevention systems, and event monitoring software, they are now required to deal with new attacks that target software and Web application vulnerabilities.
Topics to be discussed include:
- Which Web applications should be tested and why
- Alternatives to sending sensitive data over the Web
- Security vulnerabilities in software such as poor software development practices, new modes of attacks, application misconfigurations, or unsecured links between systems
- Using input validation frameworks during development to reduce risks such as cross-site scripting
- Certain Web application threats, such as remote code execution, SQL injection, format string vulnerabilities, cross-site scripting (XSS), and username enumeration
Inside the Network Perimeter - Protecting Your Data and Network from the Inside
With a defined perimeter becoming blurred if not transparent due to next generation and wireless networking technologies, networks and systems alike have become easily accessible to end users. Wherever end users are and whichever device they are using, the network is where the line of defense must be drawn. These lines of defense are in constant motion as people connect from device to device and network to network, thus altering the typical approach of protecting the network from outside threats to inside threats.
Threats from the inside can come about through sheer ignorance and negligence in the use of company IT resources, or from authorized individuals intending to commit a crime. Insiders pose a substantial threat because of their knowledge and ability to access employer systems and databases. Remote users may unknowingly infect the corporate network by allowing family and friends to use the company laptop or PC to access the Internet. Regardless of how users connect to the network, whether on site or remotely, your data and network must be protected.
There are various ways of approaching data protection and controlling network access. It can be done at the network, endpoint, user level, or a combination of all three.
Topics to be discussed include:
- Understanding the risk of the insider threats at your organization
- Solutions for insider attacks from shared and privileged access
- How to build the business case for deploying solutions to address the threat from the inside
- Sharing of best practices for deploying identity management, anomaly detection, endpoint security, and network access control technologies
- End-user remediation methods
- Discuss balancing vulnerabilities, risk, and costs with operational needs
Enforcing Authentication - Identities Proven, Breaches Prevented
An identity could be a simple assertion (the login ID for a particular computer application, for example), and proving that identity generally takes something known, like a password; something possessed, like your ATM card; or something unique about your appearance or person, like a fingerprint. Strong authentication will require at least two of these proofs.
With millions of names, addresses, social security and credit card account numbers stolen over the last 18 months, what can be done to thwart these breaches?
Topics to be discussed include:
- Increasing customer confidence by securing online banking channels which are threatened by rampant identity theft and fraud
- Methods for preventing fraudsters from gaining access to users' accounts and manipulating individual transactions
- Maintaining paper-based records while preventing online exposure of sensitive records and identity theft
- Best practices for using authentication to protect information
- Discovering safer ways to lower authentication hardware provisioning and replacement costs while making remote access to the enterprise network more convenient for users