Miller goes on to report that OMB will require “agencies launch a series of cloud computing pilots across the government in 2010 using the E-Government Fund.” In 2013, Miller reports, agencies must provide OMB “a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for how they could move to cloud computing.”

Miller quotes a former government official as saying, “They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs. They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.”

How well does your organization understand cloud computing? How will security be handled? What can you do to prepare? During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events. Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges. For example, the ZISC Workshop on Security in Virtualized Environments and Cloud Computing, held September 10-11th in Zurich, recently posted all their presentations:

Following NIST’s involvement in an area like cloud computing can help you judge the direction the government is heading. Tim Grance presented at the 5th Annual IT Security Automation Conference and Expo Presentations and the presentations have been made available. Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post “Standardization and Interoperability in Security” for additional information on SCAP). A cloud computing track consisting only of slides (no video) was also posted. If lack of video does not concern you, the following conferences have posted slides on cloud security:

• CCSW 2009: The ACM Cloud Computing Security Workshop, held November 13th, 2009 in Chicago.
• Digital Government Institute’s Cloud Computing 2010: Focus on Operational Efficiency and Security, held December 9, 2009.
• Cloud Interoperability Roadmaps Session held in Long Beach, CA on December 10, 2009.

If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner’s BriefingsDirect podcast, “Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?.” The discussion includes a panel of all stars from the cloud security community, including Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Christofer Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and Dr. Richard Reiner, CEO of Enomaly. The podcast was recorded at the Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto on July 20-22, 1009, along with:

• Jericho Forum Aims to Guide Enterprises Through Risk Mitigation Landscape for Cloud Adoption where Dana interviews Steve Whitlock, a member of the Jericho Board of Management.
• Cloud and Security Join Boundaryless Information as Top-of-Mind Issues for The Open Group where Dana talked with Allen Brown, president and CEO of The Open Group.
• XDAS Standard Aims to Empower IT Audit Trails from Across Complex Events where Dana talks with Ian Dobson, director of the Security Forum for The Open Group, as well as Joël Winteregg, CEO and co-founder of NetGuardians. XDAS is an open-source standard that is hopefully going to help in compliance and regulatory issues and in the automation of heterogeneous environments.
• New Era Enterprise Architects Need Sweeping Skills to Straddle the IT-Business Alignment Chasm where Dana is joined by James de Raeve, vice president of certification at The Open Group; Len Fehskens, vice president, Skills and Capabilities at The Open Group; David Foote, CEO and co-founder, as well as chief research officer, at Foote Partners, and Jason Uppal, chief architect at QRS.
• Cloud Pushes Enterprise Architects’ Scope Beyond IT into Business Process Optimization Role where Dana is joined by Tim Westbrock, managing director of EAdirections; Sandy Kemsley, an independent IT analyst and architect; and John Gotze, international president for the Association of Enterprise Architects.

For more video presentations on the cloud security, awhile back I posted “CERT, CERIAS, the Academy, and Google Video: Training Online.” Two other sources include the SecurityTube and O’Reilly Webcasts. Below are a few examples of the presentations available:

• The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about “cloud” is akin to walking into a Belgian bar and asking for “beer”; the common cloud architectures and their implications for you – the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response & forensics.
• Evolution of Security (Fsecure) Tutorial by F-Secure: an animated series on the various threats out there on the Internet and also talks about their state of the art AV (self promotion) They also talk about “cloud security” and how the next generation AV will be in the cloud and not isolated.
• Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing’s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.
• Architecting Applications for the Cloud by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.
• Cloud Computing: The Next Frontier for Open Source by Bernard Golden: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.
• Getting Started with Amazon Web Services by Cloud Security Deep Dive by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&A with the audience.
• Cloudburst (Hacking 3D and Breaking Out of VMware) Blackhat 2009 by Kostya Kortchinsky: VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
• Virtualization: Resource Coupling and Security across the Stack by Dennis Moreau, Configuresoft: The session briefly addressed extension to the cloud and utility computing infrastructures to address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.

Other BruCON Security Conference (held September 18-19, 2009) videos are available at their vimeo channel. O’Reilly maintains on YouTube an O’Reilly Media Channel along with an area to sign up for future webcasts. Blackhat DC 2009 video, audio, whitepapers, and slides are also available. Content is ever changing, so keep checking the sites.

Remember that Vivek Kundra, Chief Information Officer (CIO) of the United States of America, outlined as his team’s priorities:

1. Innovation
2. Lowering the cost of Government
3. Transparency
4. Engaging Citizens
5. Ensuring a safe computing environment

In response, FedScoop! started hosting one event each quarter around these pillars. On October 14 at the Newseum, they did their first event bringing together executives in the White House and federal CIO’s, CTO’s, and decision-makers to talk about lowering the cost of government with technology. Check out the video of the Cyber Security Panel. Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event. On December 9th, 2009, they hosted and posted the “Cloud Computing Shoot Out.”

FederalNewsRadio has posted a three part video series on secure cloud computing. The panelists include Jim Flyzik, President of the Flyzik Group; Henry Sienkiewicz, Technical Program Director, Computer Services, Defense Information Systems Agency; Ronald Bechtold, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; Curt Aubley, Chief Technology Officer CTO Operations & Next Generation Solutions, Lockheed Martin Information Systems & Global Services; Dale Wickizer, Chief Technology Officer-Public Sector, NetApp, Inc.; and Aileen Black, Vice President of Public Sector VMware Inc.

CNET’s editor of Webware, Rafe Needleman and senir writer Stephen Shankland talked with Christofer Hoff on the Reporters’ Roundtable podcast about the “Dangers of Cloud Computing.” Chris also presented at Microsoft’s BlueHat, “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure.” Any presentation with such a great title must be watched. There is a short interview with Chris from Bluehat.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855 where Lincoln was one of Manny’s lawyers. Lincoln basically was pushed aside and humiliated. After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

Change is coming. If you try just to get along, the future will overwhelm you. While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information. Take advantage of it and get ready for whatever might be heading your way.

For a little perspective, remember back in August 2008, the Air Force suspended all efforts to the establishment of the Cyber Command. This was after the Air Force was hyping the Cyber Command capabilities on TV, in Web video advertisement, and in presentations. In September, the Pentagon decided that the US Strategic Command in Omaha, NE should create and run a version of the joint Cyber Command. Deputy Secretary of Defense Gordon England wrote in a memo, “Because all the combatant commands, military departments and other defense components need the ability to work unhindered in cyberspace, the domain does not fall within the purview of any particular department or component.”

In October, top Air Force leadership decided to continue efforts to stand up the Cyber Command. At the time, Air Force Secretary Michael Donley made the statement, “The conduct of cyber operations is a complex issue, as [Defense] and other interagency partners have substantial equity in the cyber arena. We will continue to do our part to increase Air Force cyber capabilities and institutionalize our cyber mission.”

Top military officials in May 2009 argued for a single joint command and went on to tell the media that a “Cyber attack could bring U.S. military response.” In June 2009, Defense Secretary Robert M. Gates in a memo Stated, “Our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

The Defense Department failed to meet an Oct. 1 target launch date. There have been no confirmation hearing for the command’s first director. Nakashima is reporting that the project was delayed by “congressional questions about its mission and possible privacy concerns.”

NSA Deputy Director John (Chris) Inglis said “90 percent” of the command’s focus will be on defensive measures because “that’s where we are way behind.” The offensive measure lead to many policy and doctrinal questions involving cyber warfare. Nakashima goes on to report one official familiar with the Pentagon’s plans, who was not authorized to speak for the record, stated “The rules can vary dramatically depending upon under what authority you’re doing something. An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries.”

Offensive computing is a difficult topic to tackle. Remember Col. Charles W. Williamson III? He ran into a bit of controversy back in May 2008 when he posted “Carpet bombing in cyberspace: Why America needs a military botnet.” He stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post, “Mutually Assured DDoS” points out several of the problems with a af.mil robot network. Sean Sullivan from F-Secure also did a thoughtful response titled “US Air Force Colonel Proposes Skynet.” The problem will always be in cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identifying the enemy. The intelligent attacker makes all effort to blend into the population.

Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations stated, “I don’t think there’s any dispute about the need for Cyber Command. We need to do better defending DOD networks and more clearly think through what we’re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.”

Nakashima reports officials stated:

“The initial operating plan for a cyber command is straightforward: to merge the Pentagon’s defensive unit, Joint Task Force-Global Network Operations, with its offensive outfit, the Joint Functional Command Component-Network Warfare, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA’s technical capabilities but fall under the Pentagon’s Strategic Command.

Lt. Gen. Keith B. Alexander, director of the NSA, has been nominated by President Obama to be the director of the Cyber Command. Congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month. Once the staff are satisfied the understand the command’s purpose and operating place, the Senate Armed Service Committee can hold the confirmation hearing for a new director.

Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” Of course, Saint Bernard of Clairvaux would have cautioned, “Hell is full of good intentions or desires.” While there are many issues involved with the development of a US Cyber Command, steps are continuing to occur. Issues are being considered. Is it progress? I believe so. Stay tuned and we will all see what happens.

On a mission to reveal the truth behind Pere Noel, Mone took time for an interview on NPR’s Morning Edition and did an one hour lecture at MIT. Shaula Clark reporting for the Boston Phoenix on the MIT lecture, exposed some of Babbo Natale’s trade secrets:

• Kanakaloka is not immortal, but retains his jolly vigor with the help of organ printers.
• Swiety Mikolaj does not, in fact, leave toys under the tree; instead, he comes bearing complex chemical reactions — toys assemble themselves in their packaging.
• Ded Moroz’s Christmas Eve rounds are actually accomplished via several teams of Santa-recruited lieutenants, a series of short-distance wormholes, and time travel.
• Papai Noel’s base of operations (actually in Greenland, not the North Pole) is greatly threatened by global warming — to keep his unfathomably large server farm cool, he needs the Arctic chill. Papai Noel’s own green initiatives include planting trees and cloning his elves (“because he wouldn’t want [them] breeding on their own”).

According to Mone, Sinter Klaas uses tools that are hundreds of years beyond what we have at our disposal. For example, “Santa’s suit is laden with what are called metamaterials, which have the effect of bending light around a person so that they turn invisible” — which can come in handy if there are curious children peeking during his Christmas deliveries.

Questions on the Internet have been raised as to where Mone may have obtained his information. At the beginning of the month, Mone traveled to Google allegedly to take part in the Authors@Google series. During the talk Mone discussed how implanted listening devices in the ornaments help Hoteiosho keep the naughty and nice kids straight. Also discussed was the use of cloning and wormhole technology to help Baba Chaghaloo get to every household. A few posts on the Internet question whether Google could be providing information to Shengdan Laoren through advance data mining in exchange for some of the advance technologies.

Could the US government also be involved? Those Internet posts point to the partnership between Google and NORAD (the North American Aerospace Defense Command), a bi-national United States and Canadian organization. NORAD and Google are helping children track the journey of Jolasveinar around the world using Google Maps and Google Earth. In a possible attempt to gain patents and disrupt Google market shares, there are even rumors that Gaghant Baba’s workshop has been purchased by Bill Gates. Could a secret message exist behind the Microsoft Bing commercial about Daidi na Nollag?

Google maintains that they take user privacy very seriously. In this case, I believe them. If there is trickery, Tomten would likely be behind it. How can one trust a person who goes by so many names? And what exactly is his past? Every country provides a different story. If he is a jolly old elf, there are reports that elves have used trickery as a means to an end. Local and federal governments across the world have gift policies limiting the the value and number of gifts that can be given to government employees. Gifts can be used as bribes. One could begin to wonder if the gift bearing holiday might be a cover for a massive yearly bribery event. More troubling, attempts to trace those questioning Internet posts lead back to ISPs in Greenland. Maybe Jack Bauer is needed to get at the truth.

I am not saying Chimney John is not a jolly nice fellow. I am just not a great believer in security through obscurity. There is a great deal we don’t know about Samichlaus. As security minded people, we need to be always questioning. Video of Mone’s Google talk has been made available. View it below and judge for yourself:

Wishing you a great holiday, wherever you may be and whatever you may believe.

Initial Thoughts

Scott Adams made this observation: If you were talking to Albert Einstein, and he got struck by lightning and became twice as smart, would you be able to tell? Many folks do not understand detailed technological talk. Like the manager, Jen, who in “The IT Crowd” tries but can only hear static when Moss talks computer jargon. As IT professionals, we have to learn to communicate effectively. If we do not, many folks simply cannot tell the difference between the IT professional who may be right but cannot communicate his thoughts and the guy who is just making stuff up but saying it in a smart confident manner.

I am going to be preparing security presentations for work. Basically a lunch and learn education series on security. Once I present, I will post the talks to this site. As part of the preparation, I have begun to make notes of various presentations posted in the RSS feeds I read. Slides and videos done by experts in the field are a great source of information not only on the subject matter but also on ways to present the information.

Not all the presentations available at each of the conferences are included. Please visit the conference sites and look at all the presentations. This posting is to provide a starting point and provide an idea of what is available.

Conferences

Conference sites provide a great source for ideas and material that might be of interest. Since these topics were presented this year, they are topics of concern to folks in the IT world. There are many presentations available at the conference sites. Please visit the sites for additional presentations.

CERIAS

• Provable Data Possession at Untrusted Stores
• The Effect of Rootkits on the Corporate Environment
• Protecting Data Privacy: A Practical Guide to Managing Risk
• Security issues within embedded software development
• Applying Recreational Mathematics to Secure Multiparty Computation
• Towards Effective and Efficient Behavior-based Trust Models
• Role Discovery
• Towards Secure and Re-usable Multiple Password Mnemonics
• Advances in Natural Language Watermarking
• Dumb Ideas in Computer Security
• How the Criminal Law Must Adapt to the Networked World
• Automatic Debugging and Verification of RTL-Specified Real-Time Systems via Incremental Satisfiability Counting and On-Time and Scalable Intrusion Detection in Embedded Systems
• Intrusion Detection Event Correlation: Approaches, Benefits and Pitfalls
• Assured Information Sharing between Trustworthy, Semi-trustworthy and Untrustworthy Coalition Partners
• Cyber Security and the “NEW” world enterprise
• Scenario-Driven Construction of Enterprise Information Policy
• Mathematically Defining Privacy
• WHAT IS INFORMATION?
• Research Challenges in Assured Information Sharing
• Computer-Related Incidents: Factors Related to Cause and Prevention

OCEG

• Information & Communications Privacy
• Evaluating Governance, Risk & Compliance Performance (part of the OCEG Illustrated Series)
• Evaluating Governance, Risk & Compliance Effectiveness (part of the OCEG Illustrated Series)
• Operational Controls (part of the OCEG Illustrated Series)
• Proving the Value of Governance, Risk & Compliance (part of the OCEG Benchmark Series)
• Managing Personal Information: Compliance Practices Throughout the Information Life-Cycle
• Improve the Efficiency and Effectiveness of Your Program (Part of the OCEG Illustrated Series)
• Reduce Complexity, Increase Efficacy (part of the OCEG Illustrated Series)
• Using Technology to Enable Governance, Risk & Compliance Processes (part of OCEG Illustrated Series)
• Managing Information Privacy – Are you Ready for Scrutiny?
• OCEG Illustrated Series: Seeing the Big Picture and Making the Business Case for Governance, Risk & Compliance

NIST

• An Overview of Emerging Standards, Guidelines, and Implementation Activities
• Security Controls for Industrial Control Systems
• NIST Special Publication 800-53 for Industrial Control Systems
• NIST Special Publication 800-37: An Introductory Tutorial with a videocast
• FISMA Implementation: The Strategy, Challenges, and Roadmap Ahead
• Importance of Security Configuration Recommendation Guides
• Hardcopy Security: An Open Door

OWASP

• The OWASP Testing Guide
• The OWASP Application Security Metrics Project
• Advanced Web Hacking
• Advanced Web Services Security & Hacking
• Web Services Hacking and Hardening
• XML Security Gateway Evaluation Criteria
• Securing Web Services using XML Security Gateways
• Metics- What can we measure
• Testing Flash Applications
• Overtaking Google Desktop
• Overtaking Google Desktop, Leveraging XSS to Raise Havoc
• XSS Worms
• Protecting Web applications from universal PDF XSS
• Software Security
• Web Application Firewalls:When Are They Useful?
• Evaluating and Tuning Web Application Firewalls
• Application Denial of Service
• HTTP Message Splitting, Smuggling and Other Animals
• Web Application Incident Response & Forensics: A Whole New Ball Game!
• Can (Automated) Testing Tools Really Find the OWASP Top 10?
• Security Testing through Automated Software Tests
• Testing for common security flaws
• RequestRodeo: Client Side Protection against Session Riding
• Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It)
• Ajax Security
• Ajax Security Concerns
• Identity Management Basics
• Advanced SQL Injection
• Advanced Topics on SQL Injection Protection
• Fuzzing in Microsoft and FuzzGuru framework
• Application Security, not just development
• Positive Security Model for Web Applications, Challenges and Promise
• Legal Aspects of (Web) Application Security
• Analyzing Threats

Black Hat

• Fuzzing Sucks! (or Fuzz it Like you Mean it!)
• Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
• Sphinx: An Anomaly-based Web Intrusion Detection System
• Intranet Invasion With Anti-DNS Pinning
• Traffic Analysis: The Most Powerful and Least Understood Attack Methods
• Reverse Engineering Automation with Python
• Defeating Web Browser Heap Spray Attacks
• Unforgivable Vulnerabilities
• Computer and Internet Security Law: A Year in Review 2006 & 2007
• Building an Effective Application Security Practice on a Shoestring Budget
• Side Channel Attacks (DPA) and Countermeasures for Embedded Systems
• The Security Analytics Project: Alternatives in Analysis
• PISA: Protocol Identification via Statistical Analysis
• Hacking Capitalism
• Hacking Intranet Websites from the Outside (Take 2) “Fun With and Without JavaScript Malware”
• Disclosure and Intellectual Property Law: Case Studies
• A Dynamic Technique for Enhancing the Security and Privacy of Web Applications
• Stealth Secrets of the Malware Ninjas
• Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
• Active Reversing: The Next Generation of Reverse Engineering
• Anonymous Authentication: Preserving Your Privacy Online
• Database Forensics
• Simple Solutions to Complex Problems from the Lazy Hacker’s Handbook
• Hacking Leopard: Tools and techniques for attacking the newest Mac OS X
• A Picture’s Worth: Image analysis and forensics
• Other Wireless: New ways of being Pwned
• Defeating Information Leak Prevention
• Social Network Site Data Mining
• NACATTACK
• OpenID: Single Sign-On for the Internet
• Timing Attacks for Recovering Private Entries From Database Engines
• Static Detection of Application Backdoors

Defcon

• Bridging the Gap Between Technology and the Law
• Analyzing Intrusions & Intruders
• Virtualization: Enough holes to work Vegas
• Computer and Internet Security Law – A Year in Review 2006 – 2007
• Securing Linux Applications With AppArmor
• Hacking Social Lives: MySpace.com
• Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
• Unraveling SCADA Protocols: Using Sulley Fuzzer
• Boomstick Fu: The Fundamentals of Physical Security at its Most Basic Level
• Trojans: A Reality Check
• Real-time Steganography with RTP
• Everything you ever wanted to know about Police Procedure in 50 minutes
• The Hacker Society around the (corporate) world
• Estonia: Information Warfare and Strategic Lessons
• Security by Politics – Why it will never work
• Hardware Hacking for Software Geeks
• INTERSTATE: A Stateful Protocol Fuzzer for SIP
• HoneyJax (AKA Web Security Monitoring and Intelligence 2.0)
• SQL injection and out-of-band channeling
• Functional Fuzzing with Funk
• Comparing Application Security Tools
• IPv6 is Bad for Your Privacy
• Social Attacks on Anonymity Networks
• How smart is Intelligent Fuzzing – or – How stupid is Dumb Fuzzing?
• Protecting your IT infrastructure from legal attacks- Subpoenas, Warrants and Transitive Trust
• Windows Vista Log Forensics
• Creating and Managing Your Security Career
• The Science of Social Engineering: NLP, Hypnosis and the science of persuasion
• Greater than 1: Defeating “strong” Authentication in Web Applications
• The SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats
• OpenBSD remote Exploit and another IPv6 vulnerabilities
• Pen-testing Wi-Fi
• Stealing Identity Management Systems
• Dirty Secrets of the Security Industry
• The Executable Image Exploit
• How I Learned to Stop Fuzzing and Find More Bugs

HITB 2007

• Hacking SCADA: How to 0wn Critical National Infrastructure
• Exploiting the Intranet With a Webpage – Is JavaScript the New Shellcode?
• Advanced Web Application and Database Threat Analysis with MatriXay
• Meta Anti Forensics: The HASH Hacking Harness
• High Security Locks – Illusion or Reality?
• Insider Threat Visualization
• 360° Anomaly Based Intrusion Detection
• Hacking the Bluetooth Stack for Fun, Fame and Profit
• Hacking Hardened and Secured Oracle Servers
• Slipping Past The Firewall
• Attack Surface of Modern Applications
• Hacking Ajax and Web Services: Next Generation Web Attacks on the Rise
• Protocol Fuzzing
• Enterprise Hacking: Who Needs Exploit Codes?
• An End-to-End Analysis of Securing Networked CCTV Systems
• Googling for Malware and Bugs
• The Computer Forensics Challenge and Anti-Forensics Techniques

Microsoft Bluehat

• Microsoft’s Circle of Life: Patch to Exploit
• Black Ops 2007: DNS Rebinding Attacks< /li>
• Fuzzing Sucks!
• Security Trade-Offs and Pitfalls in Virtualized Platforms
• Subverting Windows CE Kernel for Fun and Profit
• Mobile and Embedded Security – The Elephant Under the Carpet
• WABISABILABI: The Exploit Marketplace Project
• Malware, Isolation and Security Boundaries: It’s Harder Than It Looks
• An External Perspective to Extending Microsoft’s Phoenix Framework
• Automated Application Security Testing Models with Cool WPF Visualizations
• Structural Classification of Malware

Web2Summit

• David Recordon and Brad Fitzpatrick: Opening Up the Social Graph

Bro Intrusion Detection System Hands-On Workshop

• Bro Design & major features: Vern Paxson
• Bro installation and configuration: Brian Tierney
• Basic Bro Configuration and Tuning: Robin Sommer
• Scripting Language Overview: Vern Paxson
• Bro used as an IPS at LBL: Brian Tierney
• Advanced Bro Scripting: Robin Sommer
• Bro communication: Robin Sommer
• Bro Shell: Scott Campbell
• Custom Bro analysis at OSU: Seth Hall
• Time Machine: Overview and Introduction: Fabian Schneider
• Conclusion and Outlook: Robin Sommer

ZDnet

• Simplify Compliance with Auditing
• The PCI Half-dozen: Six Recommendations for PCI Compliance
• TechRepublic Roadshow: Handling Internal Security Threats
• Assess Your Business’s Unique Security Risks and How to Mitigate Them
• Vulnerability Management and Policy Compliance Overview
• Identity Management and the Sarbanes-Oxley Act
• Three Ways to Optimize Your Security Spending
• Addressing Platform Vulnerabilities With Innovative Security Research
• Introduction to Federated Identity Management
• An Identity-Capable Platform
• SOA Security Overview: SOA the ‘Perfect Storm’ of Security

Special Interest Topics

These are topics that are of special interest to me. The topics may or may not have been presented at the conferences. The presentations have been pulled from bloggers who I respect.

Blogging

• Ethics and law firm blogging for the ABA Lawyers Professional Liability Fall Conference, Scottsdale, Arizona.
• Powerpoint on the Nuts and Bolts of Law Firm Blogs

Security Metrics

• Gunnar Peterson Security Metrics Automation
• Measuring Network Security Using Attack Graphs
• Security Meta Metrics–Measuring Agility, Learning, and Unintended Consequence
• Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software
• A Software Security Risk Classification System
• Web Application Security Metrics
• Operational Security Risk Metrics: Definitions, Calculations, and Visualiztions
• Metrics for Network Security Using Attack Graphs: A Position Paper

Fuzzing

• Fuzzing – Brute Force Vulnerability Discovery

Identity Management

• Digital Identity Tutorial
• Digital Identity Tutorial for WWW2007
• A Framework for Building Reputation Systems
• Information is …Social …People …Practical

Logging, E-Records, and E-evidence

• E-Records and E-Evidence
• Logging Web Proxy Logs: Best Practices, Big Tips & Meeting Compliance Mandates

Social engineering

• Teach your users to recognize and resist social engineering ploys
• 10 common social engineering ploys

Forensics

• Windows Memory Analysis

Bluetooth Eavesdropping

• I Can Hear You Now: Eavesdropping on Bluetooth Headsets

IDS abnormal detection

• IDS abnormal detection
• Visual Security Event Analysis
• Aanval

Phishing

• Test Your Anti-Phishing Knowledge with Anti-Phishing Phil

Virus

• The WildList is Dead, Long Live the WildList!
• The Trojan Money Spinner
• Exposing Stormworm by Brandon Enright

Visualization

• Insider Threat Visualization
• Automated Application Security Testing Models with Cool WPF Visualizations
• Visual Security Event Analysis
• Malware Cinema: A Picture is Worth a Thousand Packets
• High Bandwidth Visual Analysis of Security Data Flows
• Network Attack Visualization
• Tamara Munzner Presentation on InfoVis at UBC CS

Web Application

• Web 2.0 hacking, keeping focus on Ajax and Web Services
• How to take your Web Application Offline with Google Gears
• Web Application Security: Keeping Your Application Safe by Joe Walker
• Future of Web Apps: Google Gears by Dion Almaer
• The Future of Firefox and JavaScript by John Resig
• Architecture Behind WordPress.com by Matt Mullenweg
• Preparing for Enterprise Adoption by Suw Charman
• Coding on the Shoulders of Giants by Matt Biddulph
• Making Your App Social by Rashmi Sinha

Videos

There are videos presentations available online.

• Dark Reading TV
• Virus Bulletin Presentation – Excerpt
• Berkman.TV
• Google Open Source Speaker Series
• Google Tech Talks
• What Every Engineer Needs to Know About Security and Where to Learn It
• Reverse engineering techniques to find security bugs: A case study of the ANI Vulnerability
• Crime: The Real Internet Security Problem
• Security is Broken
• How the FreeBSD Project Works
• Introduction To Digital Identity
• Searching For Evil
• Towards HardLANs: Building intrusion detection to 1 Gbps and beyond
• Reducing the Risk of Shallow Information Analysis
• How To Break Web Software – A look at security vulnerabilities in web-based software
• Internet Scale Identity, Collaboration, and Higher Education
• Anomaly-Based Unsupervised Intrusion Detection
• SOX Television

covering “every aspect of the Sarbanes-Oxley Act and the related areas of governance, risk and compliance.”

• Risk Television

is “devoted exclusively to risk management research.”

Hacking Simulations and Challenges

These sites provide nice demonstrations on hacking techniques. Plus, the sites are just plain fun.

• NTO Hackme Test Site (part of the Mighty Seek Podcast – Hands On Series)
• Hack-Test
• Ed Skoudis’ CounterHack
• Test Your Anti-Phishing Knowledge with Anti-Phishing Phil

Final Thoughts

This posting is meant as a starting point. There are some very good presentations listed above. I have been working in security for awhile. Recently I was reminded not to take anything for granted. Many very smart people can be so focused on their slice of business that they do not get much exposure to basic security. While organizations may require security refresher classes, often people just page through the online material, not paying much attention. It is my hope that by allowing organizations to select security topics to present on, that this approach can help introduce people to topics of special interest to that organization. People will be more interested in the security topics and more open to learning. Our final goal is to raise security awareness while educating folks so they can speak with confidence while actually knowing what they are talking about.