ISSA Meeting

lalamri — Fri, 22 Jan 2010 16:00:49 -0600

ISSA Meeting

March 16th, 2010
1:30 PM - 4:00 PM

Dorsey Ewald Conference Center

1000 Westgate Drive
St. Paul, MN 55114
Ph: 651-290-6260

Directions: http://www.ewald.com/displaycommon.cfm?an=1&subarticlenbr=54

Speaker: Gunnar Peterson

Title: Dealing with the Wildness That Awaits
Abstract: Inexactitude is a part of software development project, but the problem is which part is inexact? Finding the imperfection in the software you're building before attackers do is a laudable goal, but also a kind of guesswork. To deal with this issue, we look at the margin of safety as a software engineering tool that leverages our knowledge and skills.

The fitness of the system is not decided at design time, its ability to withstand attacks is ultimately decided at runtime; but there are concrete design steps that can be taken to build systems that resist and recover from attacks. The combination of Threat Models, which show how the system may fail, and Attack Surface which show where the system is vulnerable, is a starting point for assessing Margin of Safety at design time. The output of the combined Threat Model and Attack Surface is a Countermeasure Model, which identifies and locates the Countermeasures in the system.

The Countermeasure Model forms the basis of the Margin of Safety by providing testable criteria for the resiliency of both the countermeasures and the system as a whole. This has proven useful in the field for two reasons, one expected and the other more subtle. The expected reason for the utility of the Countermeasure Model is that security gets more challenging each day due to new threats, vulnerabilities, attacker skill, functionality and connectivity. The more subtle reason is that Security Countermeasures are first and foremost a systems integration problem, meaning the resultant Countermeasures, such as access control systems, require architecture, planning, prioritization, and detailed design to effectively integrate with system’s applications, network channels, messages and other constituents. Suffice to say, this is not a linear process, and frequently decisions are not based on technical merits.

The Margin of Safety concept is used to provide the team with a framework to:

· Make security architecture decisions
· Communicate security architecture decisions
· Provide a concrete basis for building the security architecture
· Measure security architecture effectiveness
· Manage security architecture lifecycle

In this talk we will take an end to end example of a portion of security architecture from design time (using Threat Models and Attack Surface to build a Countermeasure Model), reviewing the Margin of Safety; and then examine how these are applied in deployment and runtime policies and security mechanisms. This being a security talk, we will wrap up discussing how this all goes wrong when the rubber meets the road, specifically what failure modes are present in current Web service implementations.

BIO: Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and insurance systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, a contributor to the SEI and DHS Build Security In portal on software security, a Visiting Scientist at Carnegie Mellon Software Engineering Institute, and an in-demand speaker at security conferences. He maintains a popular information security blog athttp://1raindrop.typepad.com

Speaker: Brian Tokuyoshi

Title: Too Many Encryption Keys

Abstract: In the effort to meet compliance goals and to encrypt more information, companies are deploying a greater number of encryption products. However, as many companies are discovering, the inconsistencies of tools and policies for managing encryption keys are creating a growing administrative problem. Could the deployment of too many encryption products and the lack of centralized policy increase the risk of data loss?

In this session, learn about the ins & outs of key management. Brian will discuss the problem of too many encryption keys, dig into the architectures behind enterprise key management, and go over strategies to get the problem under control for better centralized management in the future.

BIO: Brian Tokuyoshi is a Solution Manager for PGP Corporation, overseeing the server products. He has a 14 years of expertise in data encryption, identity management, smart cards and enterprise messaging. Prior to PGP, Brian served as Product Marketing Manager for ActivIdentity, where he oversaw the smart card management systems and strong authentication solutions. He was part of the team that launched the Sun Identity Management platform, and also served as the senior market analyst for The Radicati Group, covering the PKI and directory server markets.

View Open Positions

sstaubin — Wed, 24 Dec 2008 12:48:35 -0600

Members of MN-ISSA and Sponsors are able to post resumes or open positions within their organization on the Minnesota ISSA web site. If you are interested in doing so, please submit your resume / open position to the webmaster.

Speaking Opportunities

sstaubin — Fri, 05 Sep 2008 11:34:18 -0500

Feedback is obtained at each meeting as to what topics are of interest. Below are the top requests:

PCI requirements / solutions
Forensics
Attack methods / defense
Database security and best practices
Application Security
Awareness
Penetration testing
Data loss prevention
Security architecture
End-point intelligence

If you are able to present on any of the above topics, please contact the program director.

Minnesota ISSA Chapter - Minnesota ISSA Chapter - Serving the Upper Midwest

ISSA Meeting

View Open Positions

Speaking Opportunities