Introducing ‘Android Security Evaluation Framework’ ASEF

Have you ever looked at your Android applications and wondered if they are watching you as well? Whether it’s a bandwidth-hogging app, aggressive adware or even malware, it would be interesting to know if they are doing more than what they are supposed to and if your personal information is exposed. Is there really a […]


Differences between SOA/XML Gateway and a Web Application Firewall

The Digital Revolution is enabling businesses to provide their customers with new, innovative products and services, thus exposing corporate networks and data to greater risks from cyber threats. These threats are increasingly sophisticated. Existing firewall strategies combined with an old-fashioned mentality are no longer able to offer businesses the security and protection they need. […]


Introduction to Web Application Testing

Have you ever wondered what SQL injection was, and how it worked? Couldn’t figure out how someone could take over your web browsing and redirect you to another site entirely, or intercept and replace legitimate web traffic with some nasty malware? Dave Millier and Assef G. Levy will give you an overview of web application […]


Hacking .NET Applications: The Black Arts (v2)

This talk will focus on attacking .NET Desktop Applications (EXE/DLL/Live Memory). Both WhiteHat and BlackHat hacking will be shown on common security concerns such as intellectual property protection systems and licensing systems. This presentation will have a New Drop of forensic info on what can be accessed about a .NET application, with basic info targeted at […]


Face Today’s Threats Head-On: Best Practices for a BYOD World

Today’s threat landscape is evolving radically and BYOD (Bring Your Own Device) is all the rage. In 2011 alone, Symantec detected and blocked 5.5 billion malicious attacks, an increase of more than 81 percent from the previous year. Social networks and mobile computing are opening up new security vulnerabilities and personal sites and blogs were […]


Targeted Malware Attacks – Sophisticated Criminals or Babytown Frolics?

Over the past year, Trustwave’s SpiderLabs malware team has been continually reminded why we love our jobs – we get to play with malware. But not just any malware, no, we get to reverse engineer and analyze malware from targeted incident response cases. This opportunity allows us to see what criminals are doing at a […]


Hunting Carders for fun and profit

“Hunting Carders for fun and profit” describes the rise in E-commerce breaches over the last year. The talk touches on the reasons cardholder data is so valuable on the black market, the three most common attack vectors, examples of malware discovered during actual investigations, the wrong way to encrypt databases and examples of how several […]


Exposing Enterprise Services to Mobile Platforms

The kinds of web services developed and deployed to support Service Orientation over the first decade of the new millennium are not compatible with the applications being developed for mobile devices. In this talk, you will learn about the “Web APIs” favored by mobile developers, how they differ from the Web Services deployed in SOAs, […]


Network forensics – the orphan child of cyber investigations

Most computer forensic examinations focus on system forensics – live system and memory data, and the data remaining on storage devices. These investigations neglect the significant amount of network data (moving packets, event logs, and specialized tools such as honeypots). During this session, you will learn proactive and post-response techniques for collecting and analyzing network […]


Hey, I just middled you, and this is crazy

But, here’s your password. Reset it, maybe? Everyone thinks they know about the Man in the Middle. Most places think as long as they have SSL, they’re immune. Attackers know better. We’ll demonstrate implications of Man in the Middle vulnerability that go beyond the 101. We’ll show how layer 2 weaknesses can be turned into […]
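The abstract above stops short of naming the layer 2 weakness it turns into a Man in the Middle, so the following is an added example, not code from the talk: it assumes the classic case, ARP cache poisoning, and shows the detection a defender can run against a stream of ARP replies. The replies, the gateway address and the severity labels are all constructed for illustration.

```python
"""Detect ARP-cache poisoning from a stream of ARP replies.

Added example, not code from the talk. Which layer-2 weakness the speakers
demonstrate is not stated in the abstract; ARP spoofing is assumed here.
The sample replies below are constructed, not captured.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (seconds, sender IP, sender MAC), as a sniffer would report ARP replies.
ARP_REPLIES: List[Tuple[float, str, str]] = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway, baseline
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),  # workstation, baseline
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),
    (3.5, "192.168.1.1", "DE:AD:BE:EF:00:99"),   # attacker claims the gateway
    (4.0, "192.168.1.20", "de:ad:be:ef:00:99"),  # ...and the workstation
    (5.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # repeated poison, deduplicated
]


def detect_arp_spoofing(replies, gateway_ip: Optional[str] = None,
                        baseline: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return alerts for IPs whose MAC conflicts with the trusted binding and
    for MACs that answer on behalf of several IPs.

    The trusted binding is either supplied (a static table recorded during a
    clean period) or learned from the first reply seen for each IP. Learning
    from the first reply trusts whoever speaks first, so prefer a baseline.
    """
    trusted = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    claims = defaultdict(set)   # MAC -> set of IPs it has claimed
    reported = set()            # (ip, mac) conflicts already alerted on
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        if ip not in trusted:
            trusted[ip] = mac
            continue
        if trusted[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({
                "time": ts,
                # a poisoned gateway binding puts every off-subnet flow in the middle
                "severity": "high" if ip == gateway_ip else "medium",
                "reason": f"{ip} moved from {trusted[ip]} to {mac}",
            })
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append({
                "time": None,
                "severity": "medium",
                "reason": f"{mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(alert["severity"], alert["reason"])
```

The check is only as good as its baseline: a static IP-to-MAC table for the gateway and other critical hosts beats first-seen learning, and on a switched network the sensor must actually see the replies (a SPAN port or a host-based agent), which is the same visibility problem the talk's victims had.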


Mobile Security: Protecting your Corporate Smartphones from Malware & Targeted Attacks

Malware and targeted attacks are an extremely serious threat to the security of SMBs and large enterprises. Targeted attacks generally follow predefined strategies and one of the possible vectors is to attack via a mobile device. A successful targeted attack can seriously damage a company’s intellectual property, confidential information and reputation. Attendees will learn about […]


BlackHat to Black Suit

You want it all. But you’re scared. You don’t want to put on a suit and watch your soul shrivel. There is another way. In this session, you will learn: – why you want to do this to yourself – how to get the first job (which will suck) – how to turn the first […]


Reversing Patches for Exploit Creation, Pen-Testing or Just Fun!

How many times have you wondered what really gets fixed in the security patches released by vendors? Are you curious to find new vulnerabilities that could be introduced due to faulty patches? This talk will go over some basic reversing techniques that anyone can use to read what exactly gets fixed in patches. These techniques can […]


CyberCrime Investigator: Forensic Use of HP ArcSight ESM

This session explores the concept of network forensic investigations using HP ArcSight ESM, and how security analysts can use it to assist HR or law enforcement with network interception to gather evidence that must preserve chain-of-custody. With the challenges of cloud-based computing and mobile devices, the need for well-defined workflow and the use of industry-accepted […]


Forecast of Data Loss in Canada

How many breaches occurred in Canada last year? And how many might there be by 2015? How much personal confidential Canadian data will be lost next year? Join this session to learn which types of firms are losing data and how. He won’t name names, but Dave will quickly walk you through a cool model […]


Conquer the Beast – How to Effectively Manage Open-source Intelligence Outbursts

Open-source Intelligence has picked up quite a hype lately and everyone talks about its importance within a security program to protect organizations against present and emerging threats. With the advent of social media, monitoring all these sources has become an even bigger challenge. Despite its importance, no one has provided specific guidance on how exactly […]


Engineering the Social Animal

This presentation was designed to provide a glimpse into the curious world of Social Engineering, and its serious impact being felt within businesses and homes around the world. Robert helps to shed light on many of the low-tech techniques successfully being used to defeat today’s highest-tech security solutions. With a focus on the human elements […]


Microsoft’s Response Process: 10 Years of Hard-Knock Learning

The Microsoft Security Response Center has been responding to security vulnerabilities and incidents for more than 10 years, and we’ve learned a few things along the way. In this presentation, we’ll pull back the curtain and walk you through the formal processes and informal guidelines that we use to handle hundreds of vulnerability reports every […]


Monday Night Malware

As companies increase funding for Network Security and mature in that space, the attackers are shifting their methodologies and attack vectors as well. Targeted malware is not the exception but the norm these days. “Data in Transit” is becoming the new goldmine as data in databases gets ample encryption treatment these days. Parsing […]


Web Application Scanning in the SDLC

This presentation will review some of the reasons that web application security is so important – citing data from the Verizon Data Breach Investigations Report which identified web applications as one of the primary attack and data loss vectors. Next, an overview of a conventional scanning program will be outlined as well as how a […]


Controlling BYOD before it Becomes Your Own Demise

Mobile security is the hottest topic for senior security professionals as organizations struggle with how to support smartphones and other consumer-grade devices connecting to the network. This session will present a process to evaluate the risk of these devices, define appropriate policies, and control the use of these devices. We’ll also discuss (at a high […]


APT ALL THE THINGS: are Mac users no longer safe?

A new development of 2012, targeted attacks (APTs) against human rights now often include malware specifically designed to compromise Macs. Mac users have long thought they’re safe, for a variety of reasons including: “nobody ever targets us” (not anymore!), “Macs are based on Unix so have additional security” (not if new vulnerabilities are found, or […]


Best Practices on building and operationalizing Microsoft SCOM for health and performance monitoring.

Many organizations face common challenges of fully leveraging their Enterprise Monitoring tool to give a holistic and cross-sectional view of the health and performance of core infrastructure and distributed applications. This presentation provides its audience a greater understanding of how to operationalize Microsoft’s System Center Operations Manager (SCOM 2007 or 2012) based on the key […]


The Defense RESTs: Automation and APIs for Better Security

Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren’t from security vendors, they don’t even need to be commercial. You need tools like chef & puppet, jenkins, logstash + elasticsearch & splunk or even hadoop to name but a few. The key is […]


Recent Advances in IPv6 Security

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years. […]


Life’s a Breach! Lessons Learned from Recent High Profile Data Breaches

In this session, “Life’s a Breach! Lessons Learned from Recent High Profile Data Breaches,” Rapid7 will discuss what we can learn from recent high profile breaches including LinkedIn and Global Payments.


How I Learned to Stop Worrying and Love the Cloud

An overview of the risks and mitigations encountered in planning the outsourcing of the United States Mint’s $700 Million a year numismatic ecommerce site. The presentation focuses on how to assess your cloud vendor and specific information and access to request to make sure your data is secure. Many of the mitigations discussed in the […]


Poortego: An OS-INT correlation tool for the 99%

Aggregating and correlating open-source intelligence (OS-INT) is an important aspect of both attack and defense. When on the offensive, OS-INT provides critical reconnaissance information. Whether sucking down data from corporate directories, gathering information from social networking sites, or combing Pastebin for stolen credentials, the relationships among associated data sets paint a critical picture highlighting potential […]


Security Organizational Behaviour – making people part of the solution

Why technology and process don’t solve the problem alone and how to make security part of the normal pattern of behaviour for your organization. Instead of assuming that “humans are the weakest link” this talk will show how to make people the first line of defence and make them an asset, instead of a liability.


Cybercrime in Canada: a Law Enforcement Perspective

This session will highlight the link and differences between security efforts and criminal interdiction. Cybercrime continues to be a significant concern to industry and the public in Canada. This session will highlight some of the important activities now underway to address this criminal threat. Attendees will become aware of crime trends and priority threats. Industry […]


Hadoop Forensics, Tackling the elephant in the room

Unless you’ve been living under a rock you’ve heard that Hadoop is regarded as the miracle solution for the big data needs of business. It is not uncommon for Hadoop clusters to store and process terabytes of sensitive information. Hadoop’s enormous data stores and inherent security issues make it the perfect storm of risk for […]


Disc Detainer Locks

This talk will explain disc detainer locks from their basic function to the highest security models. We will examine their emergence in various world markets, particularly their recent emergence in North America. Schuyler will demonstrate known vulnerabilities from picking, to impressioning, to low-cost key duplication. The goal of this talk is to introduce audience […]


Sniper Forensics v3.0: Hunt

I am a sniper. I hunt malware. Specifically, I hunt malware that is committing a crime. Memory Dumpers, Key Loggers, and Network Sniffers are the enemy. The enemy can take on any form, he deploys stealth to hide from me. To know the enemy, I have to know HOW he works, not just what his […]


Cubicle Warfare, The next Arms Race

Cubicle warfare is currently on the rise. One Nerf gun can cause an arms race escalating beyond current weaponry, either from the common concept of High Performance Culture to the downright nastiness of co-workers. My goal is to educate attendees to take normal run-of-the-mill soft dart weapons, and make them into weapons of mass pain. Topics […]


Targeted and Opportunistic Botnet Building

There’s a general myth that botnet operators are opportunistic in their building strategy. In some older and sloppier cases they are but things have moved on. The ecosystem that supports botnet building is increasingly indistinguishable from legitimate Internet businesses – countless shades of gray – and most aspects of that business are well planned and […]


Incident Response Kung fu: Tree Style

Preparation, Identification, Containment, Eradication, Recovery and Follow-up are nice to say and do – but how does one actually investigate an incident? Jason has been working on a methodology for the past 4 years while being exposed to incidents in a high value institution. In an effort to continue to fine-tune it, Jason wants to present […]


Malware FreakShow

Well, there’s malware on the interwebs. They’re pwning all your systems, snatching your data up. So hide your cards, hide your docs, and hide your phone, ’cause they’re pwning er’body out there! This may be the 3rd and final installment of the Malware Freak Show series, so we’re pulling out all the stops. This year […]


Binary Risk Analysis

Security risk analysis techniques are either too complex to be understood by the business or too simple to provide repeatable and meaningful results. Without a proper understanding of the risk associated with security events, businesses are likely to misunderstand the risk that security professionals are working to control. This talk will announce a new, peer […]


SSD: Solid State Drives & How They Work For Data Recovery And Forensics

This presentation will be about the comparison of Flash USB Drives & Solid State Drives vs. Conventional Hard Drives for Data Recovery and Forensics. This presentation is also done with 3D ANIMATIONS that rival the History Channel! As we are all aware, solid state hard drives are going to overtake the hard drives soon rather […]


Think outside the enterprise security box

The last decade has seen network security products become as standard as routing and switching. In an effort to differentiate themselves, vendors have pushed the “simplicity of deployment” marketing message, to sell more devices. In concert, the threat landscape has become more organized, more directed, and more sophisticated. So in this age of “do less […]


OSSAMS, Security Testing Automation and Reporting

This presentation will discuss the options available to automate the conduct of vulnerability assessment and penetration testing engagements, and the reporting processes. The most important parts of running a security test are following a consistent methodology, utilizing the appropriate tools and their configuration, data management, getting accurate results, manual validation, and standardized reporting. The goal […]


A Technical View on Cloud Security: How Not To Get Your Undies In A Bunch aka Please Don’t Squeeze The Charmin

Most of the material out there today on cloud security is all about how it is more/less secure than managing things internally, and very little of the material focuses on the fundamental differences between internal vs. external hosting. And while there has been some discussion of the actual issues (with a few notable exceptions) they […]


Information Security and Risk pertaining to smart phone and mobile devices

The mobile worker population grew to 1 billion in 2010 and over 250 million smart phones and other innovative devices were shipped and connected to the internet. This phenomenon is forecasted to grow by 25% annually through to 2013. 44% of users (Forrester) have bought their own devices and want to connect them to their […]


Everything You Need to Know about Cloud Security (and then some)

Everyone is fired up about the cloud. Per usual, that means most businesses are rushing headlong into the abyss with nary a concern of security or risk management. Yeah, we all know how this ends. And most practitioners don’t even know what they don’t know at this point. Mike will provide the unvarnished truth about […]


Web Browser Security Faceoff

At no other point in the evolution of computing has user experience (as well as attack surface) been so defined by a single piece of software as it is today. Still, no authoritative picture of the true defensive capabilities of the three major web browsers has existed. A team of Accuvant Labs researchers have been […]


Cybersecurity, the Law, and You

This talk will cover how new US legislation and regulations are going to affect cyber security in the coming months. It will discuss, among other things, the new credit card security specification, PCI DSS 2.0, the US Government’s “Cyber 3” initiative, and cybersecurity legislation in front of the US Congress. It will also cover new […]


Built What? Why The Bad Guys Do It Better

For well over a decade cyber-crime has steadily risen at incredible rates across the world. How is this possible with so many law enforcement and security vendors out there trying to solve the problem? Over the past eleven years viruses and trojans have evolved into a never ending deluge of crimeware campaigns. How is this […]


HTTP Header Hunter – Looking for malicious behavior in your HTTP header traffic

Most malware uses HTTP/HTTPS to call home or install other parts of a malicious action. Since thousands and thousands of samples appear daily, it is almost impossible to create signatures to detect all malicious activities. Based on this problem, we started to analyze common headers and behaviors for malicious connections based on SpiderLabs research analysis […]
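The abstract argues for looking at header behaviour instead of per-sample signatures. The following is an added example of that idea, not the SpiderLabs tooling or rules the talk describes: it scores a request by the headers a real browser nearly always sends and a beacon often omits. The sample requests, the individual checks and their weights are assumptions constructed for illustration.

```python
"""Heuristic triage of HTTP request headers for beacon-like traffic.

Added example, not the SpiderLabs tooling the talk describes. The checks
and weights are illustrative assumptions; derive real rules from traffic
you have labelled in your own environment.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample requests (header names lower-cased), not real captures.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {  # ordinary browser page load
        "host": "www.example.com",
        "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
        "accept": "text/html,application/xhtml+xml",
        "accept-language": "en-US,en;q=0.5",
        "accept-encoding": "gzip, deflate",
        "connection": "keep-alive",
    },
    {  # bare POST to an IP literal with a stale IE6 string: a hard-coded beacon
        "host": "203.0.113.7",
        "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "content-type": "application/x-www-form-urlencoded",
    },
    {  # no User-Agent at all
        "host": "cdn-update.invalid",
        "cache-control": "no-cache",
    },
]

# Headers a browser sends on nearly every request; their absence is a signal.
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")


def _host_without_port(host: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals."""
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end > 0 else host
    if host.count(":") == 1:          # host:port for IPv4 or a DNS name
        return host.rsplit(":", 1)[0]
    return host                        # bare IPv6 or no port at all


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(_host_without_port(host))
        return True
    except ValueError:
        return False


def score_request(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, findings) for one request; weights are assumptions."""
    score, findings = 0, []
    ua = headers.get("user-agent", "")
    if not ua:
        score += 3
        findings.append("missing User-Agent")
    elif ua.startswith("Mozilla/4.0 (compatible; MSIE 6.0"):
        score += 2
        findings.append("obsolete MSIE 6.0 User-Agent")
    for name in BROWSER_HEADERS:
        if name not in headers:
            score += 1
            findings.append(f"missing {name}")
    if _is_ip_literal(headers.get("host", "")):
        score += 2
        findings.append("Host is an IP literal, no DNS name")
    return score, findings


def triage(requests, threshold: int = 4):
    """Return (index, score, findings) for requests at or above threshold."""
    hits = []
    for idx, headers in enumerate(requests):
        score, findings = score_request(headers)
        if score >= threshold:
            hits.append((idx, score, findings))
    return hits


if __name__ == "__main__":
    for idx, score, findings in triage(SAMPLE_REQUESTS):
        print(f"request {idx}: score {score}: {', '.join(findings)}")
```

Treat the output as a triage queue rather than a verdict: update agents, curl scripts and monitoring probes also omit Accept-* headers and talk to IP literals, so the threshold and weights need tuning against known-good traffic, and for HTTPS the headers are only visible where TLS is terminated or intercepted.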


Building a GRC Strategy

Dave Millier will talk about gathering information from various sources (security and system logs, reports, processes, people, etc), and turning it into meaningful reports and dashboards that can be used to track compliance of various standards and regulations, including PCI, CobiT, SOX, NERC CIP, and others. Rather than focusing on any particular technology, Dave will […]


Change Happens: CISO Survival Through Adaptation

The Chief Information Security Officer role is transitioning through unprecedented change in information technology, in both scope and pace. CISOs must learn to adapt in kind and support the four ‘personas’ of the CIO, where the I stands for Infrastructure, Integration, Intelligence and Innovation. This panel will address the trends and adaptation strategies necessary to […]
