Category: Technology

  • SC Congress – Day 2 – 3:55pm – “Software security: Automation to scale your secure SDLC”

Day 2 – Wed June 12 2013:
    3:55pm – “Software security: Automation to scale your secure SDLC”, by Nish Bhalla, founder, Security Compass

    Nish provided an overview of project lifecycles and how each requires unique approaches to quality management, specifically relating to security.

    Nish provided a quick overview of the following project lifecycle approaches:

    • Waterfall (long planning)
    • Agile (Iterative)
    • Continuous Integration (no process / ticket at a time)

    For all models, security requirements are inserted at the beginning of the project and/or product feature backlog. Security requirement verification occurs during regression testing.
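One way to make that model concrete is to give each backlog security requirement an identifier and an automated check, and to run the checks as part of the regression suite so a regression in a later feature fails the build. The following is an added example, not code from the talk, from Security Compass or from SAFECode; the requirement IDs (SR-001 and so on), the four requirements themselves and the two sample configurations are all constructed for illustration.

```python
"""Security requirements from the backlog, verified as regression tests.

Added example. The requirement IDs, checks and sample configurations are
constructed for illustration and do not come from any real project.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Findings = List[str]


@dataclass(frozen=True)
class SecurityRequirement:
    """One backlog-level security requirement paired with an automated check."""
    req_id: str                          # hypothetical identifier, e.g. "SR-001"
    description: str
    check: Callable[[dict], Findings]    # an empty list means the requirement holds


def check_session_cookie(cfg: dict) -> Findings:
    """Session cookies must be Secure, HttpOnly and use SameSite Lax or Strict."""
    cookie = cfg.get("session_cookie", {})
    findings: Findings = []
    if not cookie.get("secure"):
        findings.append("session cookie missing Secure flag")
    if not cookie.get("httponly"):
        findings.append("session cookie missing HttpOnly flag")
    if cookie.get("samesite") not in ("Lax", "Strict"):
        findings.append("session cookie SameSite must be Lax or Strict")
    return findings


def check_tls_minimum(cfg: dict) -> Findings:
    """TLS 1.2 is the lowest protocol version the service may accept."""
    version = cfg.get("tls", {}).get("min_version", "")
    try:
        major, minor = version.removeprefix("TLSv").split(".")
        ok = (int(major), int(minor)) >= (1, 2)
    except ValueError:          # missing or unparsable version counts as a failure
        ok = False
    return [] if ok else [f"TLS minimum version {version!r} is below TLSv1.2"]


def check_password_hashing(cfg: dict) -> Findings:
    """Passwords are stored with a deliberately slow, salted hash."""
    algo = cfg.get("password_hashing", {}).get("algorithm", "").lower()
    if algo in ("bcrypt", "scrypt", "argon2id"):
        return []
    return [f"password hashing algorithm {algo!r} is not bcrypt/scrypt/argon2id"]


def check_debug_disabled(cfg: dict) -> Findings:
    """Debug output (stack traces, verbose errors) must be off outside development."""
    if cfg.get("environment") != "development" and cfg.get("debug"):
        return ["debug mode enabled in a non-development environment"]
    return []


# The requirement library: each entry is traceable from the backlog to a check.
REQUIREMENTS = [
    SecurityRequirement("SR-001", "Session cookie hardening", check_session_cookie),
    SecurityRequirement("SR-002", "TLS 1.2 minimum", check_tls_minimum),
    SecurityRequirement("SR-003", "Slow salted password hashing", check_password_hashing),
    SecurityRequirement("SR-004", "Debug output disabled in production", check_debug_disabled),
]


def verify_requirements(cfg: dict) -> Dict[str, Findings]:
    """Run every registered requirement; keys are requirement IDs, values are findings."""
    return {r.req_id: r.check(cfg) for r in REQUIREMENTS}


def failed_requirements(cfg: dict) -> List[str]:
    """IDs of requirements that did not hold; a non-empty list should fail the CI gate."""
    return [rid for rid, findings in verify_requirements(cfg).items() if findings]


# Constructed sample configurations (not taken from any real deployment).
PRODUCTION_CONFIG_BAD = {
    "environment": "production",
    "debug": True,
    "session_cookie": {"secure": True, "httponly": False, "samesite": "None"},
    "tls": {"min_version": "TLSv1.0"},
    "password_hashing": {"algorithm": "md5"},
}

PRODUCTION_CONFIG_GOOD = {
    "environment": "production",
    "debug": False,
    "session_cookie": {"secure": True, "httponly": True, "samesite": "Lax"},
    "tls": {"min_version": "TLSv1.2"},
    "password_hashing": {"algorithm": "argon2id"},
}


if __name__ == "__main__":
    for name, cfg in (("bad", PRODUCTION_CONFIG_BAD), ("good", PRODUCTION_CONFIG_GOOD)):
        failed = failed_requirements(cfg)
        print(f"{name}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```

In a pipeline this module would run against the deployable configuration on every build, so the same requirement is re-verified each iteration rather than once at sign-off, which is the regression-testing placement the talk described.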

I really liked his presentation as it related security to the project management lifecycle, something that is often neglected when thinking about security (as security is often seen as a bolt-on for infrastructure or as after-the-fact work).

    One interesting thing to note: Nish was extremely casual with his presentation, venturing into the audience to present. I was sitting in the front row and for much of the presentation, he was located in the middle of the room speaking to the back half of the room, which required me to turn in my seat to pay attention.

I was really impressed with the large library of security requirements that Nish displayed during the presentation. He directed us to Safecode.org where we can find an exhaustive security guidance document, amongst other resources available on that site.

    As well, Nish directed us to additional resources at:

    Overall, this was a great presentation and the resources that Nish suggested are quite valuable.

  • SC Congress – Day 2 – 1:20pm – “Detecting modern malware in your environment”

    Day 2 – Wed June 12 2013:
    1:20pm – “Detecting modern malware in your environment”, by Iain Patterson, information security officer, Trillium Health Partners

    This presentation offered a high level survey of how to mitigate, detect, handle and remove malware from computer systems. The bulk of the presentation was fairly high level, discussing process, concepts and best practices.

    The last couple of slides were quite valuable, as they identified the tools that are helpful in detecting and mitigating malware. Iain offered two sets of tools:

    The “Security on a budget” list:

    Iain also offered a great list of bigger budget tools. Unfortunately, I couldn’t get the list. I’ll be watching for the slides, at which point I’ll update my list.

Iain’s final slide highlighted some great tools for malware analysis:

    Very valuable resources!

  • SC Congress – Day 2 – 12:30pm – “Keynote: Embracing BYOD”

Day 2 – Wed June 12 2013:
    12:30pm – “Keynote: Embracing BYOD”, by Tyler Lessard, CMO, Fixmo.

This presentation offered a high level survey of the risks and best practices pertaining to Bring Your Own Device (BYOD). I didn’t take many notes at this session. There was plenty of good discussion, but nothing noteworthy.


  • SC Congress – Day 2 – 11:30am – “Forensics”

Day 2 – Wed June 12 2013:
    11:30am – “Forensics”, hosted by Ron Plesco, managing director, cyber investigations/risk consulting, KPMG

    Ron provided a great presentation. He walked the audience through a few examples of malware, how they work and how to detect and clean systems that have been infected (rebuild!). I really want to get the slides for this presentation. I will link to them here if/when I obtain them.

Ron started by giving an overview of Leprechaun Lite, which is a 2-year-old malware package that is used to intercept banking info. He explained how it worked and he walked through an example of the malware capturing user data.

    Ron shared a fantastic Jimmy Kimmel Anonymous video from YouTube. Too funny! This video was referring to OpUSA, which was supposed to occur on May 7 2013.

Ron summarized the best approach to stopping hackers: “Think like a hacker!” We (as in government, business infosec personnel, law enforcement, etc.) need to be skilled resources who think like hackers, not like pen testers. That’s the only way we’re going to identify and fix threats before the damage is done.

Ron walked us through the investigation steps for an information security incident. The full steps are exhaustively highlighted in the National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide (Special Publication 800-61).

    Overall, this was a fantastic presentation: plenty of great material, articulate and engaging speaker and interesting topic.

  • SC Congress – Day 2 – 9:50am – “Keynote: Supply chain + cyber intelligence + (insert bad country) = Risk”

    Day 2 – Wed June 12 2013:
    9:50am – “Keynote: Supply Chain + cyber intelligence + (insert bad country) = Risk”, hosted by Curtis Levinson, U.S. cyber defense advisor to NATO

Curtis was a great storyteller. He shared plenty of stories pertaining to the origins and history of Stuxnet and a Maryland sorority girl who found herself ostracized after posting offensive material on Facebook.

    Curtis summarized his presentation by warning us to be careful where we get our computer equipment from. Beware of the potential for manufacturers (whether foreign or domestic) to insert malware and other spying mechanisms into the supply chain, and ultimately, into your environment.