“Setting an example is not the main means of influencing another, it is the only means.” — Albert Einstein

Initial Thoughts

Scott Adams made this observation: If you were talking to Albert Einstein, and he got struck by lightning and became twice as smart, would you be able to tell? Many folks do not understand detailed technological talk. Like the manager, Jen, who in “The IT Crowd” tries but can only hear static when Moss talks computer jargon. As IT professionals, we have to learn to communicate effectively. If we do not, many folks simply cannot tell the difference between the IT professional who may be right but cannot communicate his thoughts and the guy who is just making stuff up but saying it in a smart confident manner.

I am going to be preparing security presentations for work. Basically a lunch and learn education series on security. Once I present, I will post the talks to this site. As part of the preparation, I have begun to make notes of various presentations posted in the RSS feeds I read. Slides and videos done by experts in the field are a great source of information not only on the subject matter but also on ways to present the information.

Not all the presentations available at each of the conferences are included. Please visit the conference sites and look at all the presentations. This posting is to provide a starting point and provide an idea of what is available.

Conferences

Conference sites provide a great source for ideas and material that might be of interest. Since these topics were presented this year, they are topics of concern to folks in the IT world. There are many presentations available at the conference sites. Please visit the sites for additional presentations.

CERIAS

• Provable Data Possession at Untrusted Stores
• The Effect of Rootkits on the Corporate Environment
• Protecting Data Privacy: A Practical Guide to Managing Risk
• Security issues within embedded software development
• Applying Recreational Mathematics to Secure Multiparty Computation
• Towards Effective and Efficient Behavior-based Trust Models
• Role Discovery
• Towards Secure and Re-usable Multiple Password Mnemonics
• Advances in Natural Language Watermarking
• Dumb Ideas in Computer Security
• How the Criminal Law Must Adapt to the Networked World
• Automatic Debugging and Verification of RTL-Specified Real-Time Systems via Incremental Satisfiability Counting and On-Time and Scalable Intrusion Detection in Embedded Systems
• Intrusion Detection Event Correlation: Approaches, Benefits and Pitfalls
• Assured Information Sharing between Trustworthy, Semi-trustworthy and Untrustworthy Coalition Partners
• Cyber Security and the “NEW” world enterprise
• Scenario-Driven Construction of Enterprise Information Policy
• Mathematically Defining Privacy
• WHAT IS INFORMATION?
• Research Challenges in Assured Information Sharing
• Computer-Related Incidents: Factors Related to Cause and Prevention

OCEG

• Information & Communications Privacy
• Evaluating Governance, Risk & Compliance Performance (part of the OCEG Illustrated Series)
• Evaluating Governance, Risk & Compliance Effectiveness (part of the OCEG Illustrated Series)
• Operational Controls (part of the OCEG Illustrated Series)
• Proving the Value of Governance, Risk & Compliance (part of the OCEG Benchmark Series)
• Managing Personal Information: Compliance Practices Throughout the Information Life-Cycle
• Improve the Efficiency and Effectiveness of Your Program (Part of the OCEG Illustrated Series)
• Reduce Complexity, Increase Efficacy (part of the OCEG Illustrated Series)
• Using Technology to Enable Governance, Risk & Compliance Processes (part of OCEG Illustrated Series)
• Managing Information Privacy - Are you Ready for Scrutiny?
• OCEG Illustrated Series: Seeing the Big Picture and Making the Business Case for Governance, Risk & Compliance

NIST

• An Overview of Emerging Standards, Guidelines, and Implementation Activities
• Security Controls for Industrial Control Systems
• NIST Special Publication 800-53 for Industrial Control Systems
• NIST Special Publication 800-37: An Introductory Tutorial with a videocast
• FISMA Implementation: The Strategy, Challenges, and Roadmap Ahead
• Importance of Security Configuration Recommendation Guides
• Hardcopy Security: An Open Door

OWASP

• The OWASP Testing Guide
• The OWASP Application Security Metrics Project
• Advanced Web Hacking
• Advanced Web Services Security & Hacking
• Web Services Hacking and Hardening
• XML Security Gateway Evaluation Criteria
• Securing Web Services using XML Security Gateways
• Metics- What can we measure
• Testing Flash Applications
• Overtaking Google Desktop
• Overtaking Google Desktop, Leveraging XSS to Raise Havoc
• XSS Worms
• Protecting Web applications from universal PDF XSS
• Software Security
• Web Application Firewalls:When Are They Useful?
• Evaluating and Tuning Web Application Firewalls
• Application Denial of Service
• HTTP Message Splitting, Smuggling and Other Animals
• Web Application Incident Response & Forensics: A Whole New Ball Game!
• Can (Automated) Testing Tools Really Find the OWASP Top 10?
• Security Testing through Automated Software Tests
• Testing for common security flaws
• RequestRodeo: Client Side Protection against Session Riding
• Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It)
• Ajax Security
• Ajax Security Concerns
• Identity Management Basics
• Advanced SQL Injection
• Advanced Topics on SQL Injection Protection
• Fuzzing in Microsoft and FuzzGuru framework
• Application Security, not just development
• Positive Security Model for Web Applications, Challenges and Promise
• Legal Aspects of (Web) Application Security
• Analyzing Threats

Black Hat

• Fuzzing Sucks! (or Fuzz it Like you Mean it!)
• Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
• Sphinx: An Anomaly-based Web Intrusion Detection System
• Intranet Invasion With Anti-DNS Pinning
• Traffic Analysis: The Most Powerful and Least Understood Attack Methods
• Reverse Engineering Automation with Python
• Defeating Web Browser Heap Spray Attacks
• Unforgivable Vulnerabilities
• Computer and Internet Security Law: A Year in Review 2006 & 2007
• Building an Effective Application Security Practice on a Shoestring Budget
• Side Channel Attacks (DPA) and Countermeasures for Embedded Systems
• The Security Analytics Project: Alternatives in Analysis
• PISA: Protocol Identification via Statistical Analysis
• Hacking Capitalism
• Hacking Intranet Websites from the Outside (Take 2) “Fun With and Without JavaScript Malware”
• Disclosure and Intellectual Property Law: Case Studies
• A Dynamic Technique for Enhancing the Security and Privacy of Web Applications
• Stealth Secrets of the Malware Ninjas
• Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
• Active Reversing: The Next Generation of Reverse Engineering
• Anonymous Authentication: Preserving Your Privacy Online
• Database Forensics
• Simple Solutions to Complex Problems from the Lazy Hacker’s Handbook
• Hacking Leopard: Tools and techniques for attacking the newest Mac OS X
• A Picture’s Worth: Image analysis and forensics
• Other Wireless: New ways of being Pwned
• Defeating Information Leak Prevention
• Social Network Site Data Mining
• NACATTACK
• OpenID: Single Sign-On for the Internet
• Timing Attacks for Recovering Private Entries From Database Engines
• Static Detection of Application Backdoors

Defcon

• Bridging the Gap Between Technology and the Law
• Analyzing Intrusions & Intruders
• Virtualization: Enough holes to work Vegas
• Computer and Internet Security Law - A Year in Review 2006 - 2007
• Securing Linux Applications With AppArmor
• Hacking Social Lives: MySpace.com
• Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
• Unraveling SCADA Protocols: Using Sulley Fuzzer
• Boomstick Fu: The Fundamentals of Physical Security at its Most Basic Level
• Trojans: A Reality Check
• Real-time Steganography with RTP
• Everything you ever wanted to know about Police Procedure in 50 minutes
• The Hacker Society around the (corporate) world
• Estonia: Information Warfare and Strategic Lessons
• Security by Politics - Why it will never work
• Hardware Hacking for Software Geeks
• INTERSTATE: A Stateful Protocol Fuzzer for SIP
• HoneyJax (AKA Web Security Monitoring and Intelligence 2.0)
• SQL injection and out-of-band channeling
• Functional Fuzzing with Funk
• Comparing Application Security Tools
• IPv6 is Bad for Your Privacy
• Social Attacks on Anonymity Networks
• How smart is Intelligent Fuzzing - or - How stupid is Dumb Fuzzing?
• Protecting your IT infrastructure from legal attacks- Subpoenas, Warrants and Transitive Trust
• Windows Vista Log Forensics
• Creating and Managing Your Security Career
• The Science of Social Engineering: NLP, Hypnosis and the science of persuasion
• Greater than 1: Defeating “strong” Authentication in Web Applications
• The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats
• OpenBSD remote Exploit and another IPv6 vulnerabilities
• Pen-testing Wi-Fi
• Stealing Identity Management Systems
• Dirty Secrets of the Security Industry
• The Executable Image Exploit
• How I Learned to Stop Fuzzing and Find More Bugs

HITB 2007

• Hacking SCADA: How to 0wn Critical National Infrastructure
• Exploiting the Intranet With a Webpage - Is JavaScript the New Shellcode?
• Advanced Web Application and Database Threat Analysis with MatriXay
• Meta Anti Forensics: The HASH Hacking Harness
• High Security Locks - Illusion or Reality?
• Insider Threat Visualization
• 360° Anomaly Based Intrusion Detection
• Hacking the Bluetooth Stack for Fun, Fame and Profit
• Hacking Hardened and Secured Oracle Servers
• Slipping Past The Firewall
• Attack Surface of Modern Applications
• Hacking Ajax and Web Services: Next Generation Web Attacks on the Rise
• Protocol Fuzzing
• Enterprise Hacking: Who Needs Exploit Codes?
• An End-to-End Analysis of Securing Networked CCTV Systems
• Googling for Malware and Bugs
• The Computer Forensics Challenge and Anti-Forensics Techniques

Microsoft Bluehat

• Microsoft’s Circle of Life: Patch to Exploit
• Black Ops 2007: DNS Rebinding Attacks< /li>
• Fuzzing Sucks!
• Security Trade-Offs and Pitfalls in Virtualized Platforms
• Subverting Windows CE Kernel for Fun and Profit
• Mobile and Embedded Security - The Elephant Under the Carpet
• WABISABILABI: The Exploit Marketplace Project
• Malware, Isolation and Security Boundaries: It’s Harder Than It Looks
• An External Perspective to Extending Microsoft’s Phoenix Framework
• Automated Application Security Testing Models with Cool WPF Visualizations
• Structural Classification of Malware

Web2Summit

• David Recordon and Brad Fitzpatrick: Opening Up the Social Graph

Bro Intrusion Detection System Hands-On Workshop

• Bro Design & major features: Vern Paxson
• Bro installation and configuration: Brian Tierney
• Basic Bro Configuration and Tuning: Robin Sommer
• Scripting Language Overview: Vern Paxson
• Bro used as an IPS at LBL: Brian Tierney
• Advanced Bro Scripting: Robin Sommer
• Bro communication: Robin Sommer
• Bro Shell: Scott Campbell
• Custom Bro analysis at OSU: Seth Hall
• Time Machine: Overview and Introduction: Fabian Schneider
• Conclusion and Outlook: Robin Sommer

ZDnet

• Simplify Compliance with Auditing
• The PCI Half-dozen: Six Recommendations for PCI Compliance
• TechRepublic Roadshow: Handling Internal Security Threats
• Assess Your Business’s Unique Security Risks and How to Mitigate Them
• Vulnerability Management and Policy Compliance Overview
• Identity Management and the Sarbanes-Oxley Act
• Three Ways to Optimize Your Security Spending
• Addressing Platform Vulnerabilities With Innovative Security Research
• Introduction to Federated Identity Management
• An Identity-Capable Platform
• SOA Security Overview: SOA the ‘Perfect Storm’ of Security

Special Interest Topics

These are topics that are of special interest to me. The topics may or may not have been presented at the conferences. The presentations have been pulled from bloggers who I respect.

Blogging

• Ethics and law firm blogging for the ABA Lawyers Professional Liability Fall Conference, Scottsdale, Arizona.
• Powerpoint on the Nuts and Bolts of Law Firm Blogs

Security Metrics

• Gunnar Peterson Security Metrics Automation
• Measuring Network Security Using Attack Graphs
• Security Meta Metrics–Measuring Agility, Learning, and Unintended Consequence
• Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software
• A Software Security Risk Classification System
• Web Application Security Metrics
• Operational Security Risk Metrics: Definitions, Calculations, and Visualiztions
• Metrics for Network Security Using Attack Graphs: A Position Paper

Fuzzing

• Fuzzing - Brute Force Vulnerability Discovery

Identity Management

• Digital Identity Tutorial
• Digital Identity Tutorial for WWW2007
• A Framework for Building Reputation Systems
• Information is …Social …People …Practical

Logging, E-Records, and E-evidence

• E-Records and E-Evidence
• Logging Web Proxy Logs: Best Practices, Big Tips & Meeting Compliance Mandates

Social engineering

• Teach your users to recognize and resist social engineering ploys
• 10 common social engineering ploys

Forensics

• Windows Memory Analysis

Bluetooth Eavesdropping

• I Can Hear You Now: Eavesdropping on Bluetooth Headsets

IDS abnormal detection

• IDS abnormal detection
• Visual Security Event Analysis
• Aanval

Phishing

• Test Your Anti-Phishing Knowledge with Anti-Phishing Phil

Virus

• The WildList is Dead, Long Live the WildList!
• The Trojan Money Spinner
• Exposing Stormworm by Brandon Enright

Visualization

• Insider Threat Visualization
• Automated Application Security Testing Models with Cool WPF Visualizations
• Visual Security Event Analysis
• Malware Cinema: A Picture is Worth a Thousand Packets
• High Bandwidth Visual Analysis of Security Data Flows
• Network Attack Visualization
• Tamara Munzner Presentation on InfoVis at UBC CS

Web Application

• Web 2.0 hacking, keeping focus on Ajax and Web Services
• How to take your Web Application Offline with Google Gears
• Web Application Security: Keeping Your Application Safe by Joe Walker
• Future of Web Apps: Google Gears by Dion Almaer
• The Future of Firefox and JavaScript by John Resig
• Architecture Behind WordPress.com by Matt Mullenweg
• Preparing for Enterprise Adoption by Suw Charman
• Coding on the Shoulders of Giants by Matt Biddulph
• Making Your App Social by Rashmi Sinha

Videos

There are videos presentations available online.

• Dark Reading TV
• Virus Bulletin Presentation - Excerpt
• Berkman.TV
• Google Open Source Speaker Series
• Google Tech Talks
• What Every Engineer Needs to Know About Security and Where to Learn It
• Reverse engineering techniques to find security bugs: A case study of the ANI Vulnerability
• Crime: The Real Internet Security Problem
• Security is Broken
• How the FreeBSD Project Works
• Introduction To Digital Identity
• Searching For Evil
• Towards HardLANs: Building intrusion detection to 1 Gbps and beyond
• Reducing the Risk of Shallow Information Analysis
• How To Break Web Software - A look at security vulnerabilities in web-based software
• Internet Scale Identity, Collaboration, and Higher Education
• Anomaly-Based Unsupervised Intrusion Detection
• SOX Television

covering “every aspect of the Sarbanes-Oxley Act and the related areas of governance, risk and compliance.”

• Risk Television

is “devoted exclusively to risk management research.”

Hacking Simulations and Challenges

These sites provide nice demonstrations on hacking techniques. Plus, the sites are just plain fun.

• NTO Hackme Test Site (part of the Mighty Seek Podcast - Hands On Series)
• Hack-Test
• Ed Skoudis’ CounterHack
• Test Your Anti-Phishing Knowledge with Anti-Phishing Phil

Final Thoughts

This posting is meant as a starting point. There are some very good presentations listed above. I have been working in security for awhile. Recently I was reminded not to take anything for granted. Many very smart people can be so focused on their slice of business that they do not get much exposure to basic security. While organizations may require security refresher classes, often people just page through the online material, not paying much attention. It is my hope that by allowing organizations to select security topics to present on, that this approach can help introduce people to topics of special interest to that organization. People will be more interested in the security topics and more open to learning. Our final goal is to raise security awareness while educating folks so they can speak with confidence while actually knowing what they are talking about.