I have been involved with the Society of Information Risk Analysts from almost the very beginning. I think Jay, Chris, and Alex had the idea and I jumped on board a few days later. It is a fantastic organization that has a very active and lively mail list.

The home page for SIRA is here. "Membership" is free and mainly consists of signing up for the mail list and requesting an account on the website.

Anyhoo. We are having our very first conference. It will be the day before Secure360, i.e. May 7th, and it is going to be a day of awesomeness for those who live and breathe risk analysis and risk management or for those who want to know more.

Go here for more details: SIRACon

Feel free to contact me with questions or post them in the comments.



RSA, SecurityBsides San Fran and Me

by kriggins on February 22, 2012

in Announcement, Conferences

Hi folks. Just a quick note to let you all know that I am moderating a session at RSA next week. The title is Cloudy with a Chance of Risk.

From the catalog:

Cloud computing brings with it a need to modify our risk assessment and risk management efforts to incorporate the somewhat unique challenges that a distributed, scalable, location independent architecture brings. This session will explore real world instances of how individuals are addressing this complex issue, resulting in some pragmatic steps that can be used in the real world.

The session is on Wednesday, the 29th at 1:00 in room 111.

I will be spending my time wandering between RSA, SecurityBsides and the hallways. Look me up if you want to chat. The best way to reach me is via twitter using my @kriggins account. Yes, it's protected so you will have to follow me if you want to see any responses to meet-up queries 😉

I look forward to connecting with friends and making new ones.



Security BSides Kansas City Re-cap

by kriggins on September 19, 2010

in Conferences

Updated 9/20/2010: Changed attempted ACH fraud bit from 'this year' to 'to date.'

Last Friday, the 17th of September, was the first ever iteration of Security BSides Kansas City. It was held in conjunction with the Kansas City Infragard chapter's CyberRAID contest. This was bad because I couldn't take any pictures :), but great because of the cross-pollination that happens when events take place in conjunction with each other.

BSidesKC was a one-day, one-track conference packed full of great talks given by great speakers. Below you will find brief descriptions of each talk along with links to the slides where available.

If you ever have the chance to make it to a BSides event, take it! The generally smaller venues create an environment where great conversations can and do happen. BSidesKC was no exception. I was able to meet in person several of the people I chat with on Twitter like @jfug, @n0b0d4, @surbo, and @davehull. I was also able to see @hal_pomeranz and @ax0n again.

The FBI's Response to a Computer Intrusion

The first talk of the day was given by three FBI agents. I will not use their names here as I didn't have a chance to ask for permission to do so. The first part of the talk was a general introduction to the cyber investigative focus of the FBI. You can read more about that in this post from my FBI Citizen's Academy series (which I need to finish.) They also spoke about some specific cases such as a spam case where the instigators were caught and are awaiting sentencing.

The second half dealt with cyber crimes that were focused on exploiting financial services organizations via their customers, i.e. ACH fraud. Some interesting numbers were provided such as the amount of attempted ACH fraud to date, $215 million, and the actual amount lost, $60+ million. Most interesting is that almost all of this type of fraud is perpetrated using customer credentials that have been intercepted via malware on the customers' computers. Brian Krebs at Krebs on Security has written extensively on this problem.

Slides: No access to slides.

I Survived IDS Apocalypse '10 and All I Got Was This Stupid T-Shirt

This talk was given by William Metcalf, a full-time developer working for the Open Information Security Foundation on Suricata, a network-based IDS/IPS. William talked about the features of the current release of Suricata and gave us an intro to some of the upcoming features on the roadmap. He also provided some tips for building a high-performance IDS/IPS on the cheap. One cool thing is that Suricata can make use of GPU acceleration. Some of the features are multi-threading, use of Snort's signatures, port-independent protocol identification, and more.

A few of the tips Will gave for building an IDS platform on the cheap were:

  • use a Nehalem chip - fast, fast, fast
  • use TNAPI/PF_RING - fast, fast, fast
  • use real hardware raid - fast, fast, fast
  • profile your rules - lose the slow, slow, slow 🙂

Slides: Don't have access to slides.

I See What You Did There

Dave Hull was up next with a talk on timeline forensics. This was a nifty talk and I learned quite a few things I didn't know before. For instance, the NTFS filesystem keeps file timestamp information in two places, $STDINFO and $Filename. Even better, they don't necessarily always agree and best of all, the current champ for malicious timestamp manipulation only affects $STDINFO. Like I said, very nifty stuff. He showed us some ways to use Sleuthkit to build file access timelines and some other tools, like log2timeline, to get other timestamps that exist on a system, of which there are a multitude.
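The $STDINFO/$Filename disagreement Dave described is the basis of a common detection check. What follows is an added example of mine, not code from Dave's talk or from the tools he showed: it pulls both timestamp sets out of one MFT record and flags the pattern left by tools that only rewrite $STANDARD_INFORMATION. The record bytes, the file name and the dates are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF   # $STANDARD_INFORMATION, $FILE_NAME, end marker
FIELDS = ("created", "modified", "mft_modified", "accessed")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):   # Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):   # integer arithmetic: the tick count exceeds float precision
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_mft_timestamps(record):
    # Resident attributes of one MFT record -> {"si": {...}, "fn": {...}}. Fixup (update
    # sequence) handling is omitted; real MFT data must have its fixups applied first.
    off = struct.unpack_from("<H", record, 0x14)[0]   # offset of first attribute
    result = {}
    while True:
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if record[off + 8] == 0:   # resident attribute ($SI and $FN always are)
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff: off + coff + clen]
            if atype == ATTR_SI:
                ticks = struct.unpack_from("<4Q", content, 0)
                result["si"] = dict(zip(FIELDS, map(filetime_to_dt, ticks)))
            elif atype == ATTR_FN and "fn" not in result:   # first $FN only
                ticks = struct.unpack_from("<4Q", content, 8)   # after the parent reference
                result["fn"] = dict(zip(FIELDS, map(filetime_to_dt, ticks)))
        off += alen
    return result

def timestomp_indicators(ts):
    # Two classic leads for $SI-only manipulation: a $SI value earlier than its $FN
    # twin, or a $SI value with an all-zero sub-second part (tools that set whole
    # seconds through the user-mode API leave this). Both can occur legitimately.
    hits = []
    for f in FIELDS:
        si, fn = ts["si"][f], ts["fn"][f]
        if si < fn:
            hits.append(f"{f}: $SI earlier than $FN")
        if dt_to_filetime(si) % 10_000_000 == 0:
            hits.append(f"{f}: $SI has a zero sub-second part")
    return hits

def _resident_attr(atype, content):
    # Minimal resident attribute: 24-byte header, content, padded to 8 bytes.
    hdr = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    body = hdr + content
    body += b"\0" * (-len(body) % 8)
    return body[:4] + struct.pack("<I", len(body)) + body[8:]

def build_sample_record():
    # Constructed 1024-byte MFT record (not from a real disk): the $SI creation time
    # has been pushed back to 2005 while $FN still carries the real 2010 time.
    real = dt_to_filetime(datetime(2010, 9, 17, 10, 0, 0, 123456, tzinfo=timezone.utc))
    stomped = dt_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))
    si = struct.pack("<4Q4I", stomped, real, real, real, 0, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5, real, real, real, real, 0, 0, 0x20, 0, 8, 3) + "evil.exe".encode("utf-16-le")
    body = _resident_attr(ATTR_SI, si) + _resident_attr(ATTR_FN, fn) + struct.pack("<II", ATTR_END, 0)
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 0, 0, 1, 1, 0x30, 1, 48 + len(body), 1024, 0, 2, 0, 0)
    return (header + body).ljust(1024, b"\0")
```

Run `timestomp_indicators(parse_mft_timestamps(build_sample_record()))` to see the two leads raised for the created timestamp; on a real image the same check belongs in the timeline build so that $FN times sit beside the $SI times.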

By the way, just in case you didn't know, Dave shared that Vista and Windows 7 do not update the last access timestamp by default. Not very helpful. You probably want to go turn that on, particularly in your enterprises.

Slides: I See What You Did There (pdf)

Seven Ways IT is enabling Cybercrime

It actually turned out to be ten ways. Daniel J Molina of Kaspersky gave this talk on ways in which enterprise IT is not helping the organization be more secure.

#10: Data Center Fixation: Ignoring the propagation of data outside the data center.
#9: Information Amnesia: Forgetting the value of data, i.e. only accounting for cost of physical assets.
#8: I missed this one. Sorry.
#7: Device Dyslexia: Ignoring the defense of mobile end points. We now have micro-perimeters that need protection.
#6: Social Media Mania: We need proper controls before it's too late.
#5: Attention Misdirection: We are focusing too much on prevention. We need to give detection and reaction more attention.
#4: Awareness Deficit Disorder: Failing to foster a culture of awareness.
#3: Threat Camouflage: Underreporting of attacks and breaches.
#2: Compliance Complacency: Settling for compliance
#1: Assuming Everything is OK

Slides: Don't have access to slides.

Evil WiFi: Subversive Wireless & Self Defense

Ax0n gave a talk on how to defend against subversive individuals who are attacking your wi-fi infrastructure and your wi-fi clients. He gave us a demo of some nastiness that can be done. He documents this extensively here. Very interesting and eye opening stuff.


Automating Metasploit: Pwning Hosts While You Sleep

Bill Swearingen gave this talk on automating Metasploit. He gave us a full measure of nifty stuff you can do with Metasploit, like separate attack and listening systems, automated scripting of responses from the listeners, and several other tidbits for setting up your own automated attack infrastructure. Lots of information and lots of fun.

Slides: Automating Metasploit: Pwning Hosts While You Sleep (pdf)

Things that go bump in the Evite

Unfortunately, I was unable to see this talk given by Surbo in its entirety since we didn't want to be on the road too late and had a 3 hour drive ahead of us. Surbo was gracious enough to give the five minute version. All I can really say is that there are some problems with Evite that really need to be fixed.

Slides: Don't have access to slides.

Again, if you have a chance to make it to a BSides event, take it.



Security BSides Kansas City is Friday!

by kriggins on September 15, 2010

in Announcement, Conferences

I have talked about Security BSides conferences before. They are a lot of fun and free. Free is good 🙂

Because they are small conferences, the atmosphere is very conducive to great conversations and interactions with your fellow information security inclined folk.

BSides Kansas City is this Friday the 17th. The line up looks good and, remember, it's FREE.

They do ask that you indicate if you are coming by either updating the page here or by emailing That helps plan for some things.

I'll be there. You should show up and introduce yourself 🙂 I would love to meet some of my readers!



RSA Europe 2010 has opened press registration. The registration page can be reached here.



RSA 2010/Security BSides Recap – Day 02

by kriggins on March 13, 2010

in Conferences

I really intended to get this out earlier this week, but me o’ my has this been a busy week.

Anyway, day 2 at RSA 2010/Security BSides started in the reverse order of day 1. I went to sessions at RSA first and then tottered over to Security BSides for the afternoon.

My day 1 recap can be found here.

Again, great content in both locations.

RSA 2010

I started the day out at RSA.

2010: A Web Hacking Odyssey – The Top Ten Hacks of the Year by Jeremiah Grossman

In this 50 minute talk, Jeremiah attempted to cover the top 10 web-based hacking methods for 2010. These are not hacks of particular sites, but ways in which sites can be hacked. There were two amazing things about this talk:

  1. That he even tried to do it in 50 minutes.
  2. That he was successful.

This was a great talk and Jeremiah did a great job of covering a lot of ground. If you are interested in more detail, his presentation deck is available here.

Microsoft SDL Tools: Automating the Security Development Lifecycle by Katie Moussouris and Bryan Sullivan

The next talk at RSA for me was given by Katie Moussouris and Bryan Sullivan and focused on some tools available from Microsoft in support of a Secure Development Lifecycle.

Some pretty nifty stuff was shown and best of all, most, if not all, were free. Many of them plug right into Visual Studio making them even more available to the developer. It is worth your time to explore the SDL site that Microsoft has available for you here and the SDL blog here.

Risk Management: Getting Engaged by Kevin Riggins (me)

The next stop on my RSA Wednesday was the Peer-2-Peer session I moderated. Again, there will be a separate post about it, but the short and sweet is that we all need to find ways to get information security risk management engaged in the business and the business engaged in information security risk management.

This was my last session at RSA for the day. I headed over to Security BSides for pizza and more great sessions.

Security BSides

The first order of business was to grab some lunch 🙂

SDL Lite by Marisa Fagan

Marisa’s lightning talk was a quick demonstration of how we can implement an SDL “lite” process. Interesting stuff. Marisa could really use your help. Errata Security is conducting a survey about the use of secure development methodologies. From the post:

Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods.

Help her out and take the survey.

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine with Jack Daniel, Josh Corman, Anton Chuvakin, Michelle Klinger

This was a good compliance/PCI discussion that included both the panel and the audience. I am not going to try to summarize it, but it is probably worth your time to catch the video.

Risk Management - Time to blow it up and start over? by Alex Hutton

Alex knows risk. I enjoyed this talk and it definitely generated some thought for me. As Alex said, though, this wasn’t a “throw everything you are doing away” talk. It was a look at the current state and an attempt to figure out if there is a better way. From his description:

Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products, (GRC) guess what?  We're doing it wrong.  Fundamentally wrong.  This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach.

He did mention the new Verizon framework that looks pretty nifty.

That was pretty much it for the day from a conference perspective. I went back to my hotel to work for a bit and then it was time to head to the Security Bloggers Meet-up which was a lot of fun. You can see some photos from that event here if you are interested, luckily none of my ugly mug 🙂



I meant to mention this again earlier this week, but forgot to. ShmooCon will be live streaming the entire event this year. The conference starts today at 3:00 EDT.

If you are not familiar with ShmooCon, here is a tidbit from the conference website:

Different • ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.

Affordable • ShmooCon is about high-quality without the high price. Space is limited! ShmooCon has sold out every year, so unless taking a chance on an eBay auction to get your ticket sounds like fun, register early!

Accessible • ShmooCon is in Washington, D.C., at the Marriott Wardman Park Hotel, just a few steps from the D.C. Metro. Fly into DCA, IAD, or BWI, or take a train to Union Station, and you are just a quick cab ride away from the con

Entertaining • Brain melting from all the cool tech you are learning? Check out some of the contests running at ShmooCon, including the Hacker Arcade and Hack-Or-Halo. In years past, we have also thrown massive parties at a local area hot-spot, so expect that to happen again too!

Here are the links to the different streams. The source page is here.

Friday Feb 5th, 2010

One Track Mind

Saturday Feb 6th, 2010

Build It
Break It
Bring It On

Sunday Feb 7th, 2010

Build It
Break It
Bring It On

I'll be watching as much as I can. You should too!




Vote For My #BSidesSF Talk

by kriggins on February 1, 2010

in Announcement, Conferences

I have submitted a topic for consideration for Security BSides San Francisco 2010 which happens concurrently with RSA.

For those not familiar with Security BSides, the following is from the website:

What is BSides?

BSides is an ad-hoc gathering of information security types born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants. It is entirely community driven.  It is where conversations for the next-big-thing may be happening.  We've followed the BarCamp format... because it works.

My topic:

  • Title: Discussion: What Makes a Good Risk Management Practice?
  • Abstract: All of our organizations have to manage risk, specifically information security risk. What does it mean to do that well? What are the moving parts that make up a good risk management practice? This discussion/panel/talk will not focus on assessment methodologies or frameworks. It will also not focus on the "information security program." We will spend some time focusing on the other moving parts of a risk management practice. Engagement with our business partners, how we bring it all together, how we can manage the inputs and outputs of the risk management process, etc. It will be an opportunity for those interested to share and learn from each other.

This topic is modeled after the RSA Peer-2-Peer sessions in that it is not a presentation. I anticipate a discussion where we can all contribute to the conversation and try to define what it means to build a good risk management practice in our organizations.

Please vote for my topic by tweeting the following if this sounds like a conversation you'd like to be a part of:

@SecurityBSides I vote for “What Makes a Good Risk Management Practice?” by @kriggins #BSidesSF



I am very pleased to announce that my Peer2Peer session submission for RSA 2010 was accepted.

Here is the definition of a Peer2Peer session from RSA in case you are not familiar with them:

Have a security issue you would like to discuss with your peers? Want to share your experiences with a new technology? Care to explore best practices with colleagues? Then submit a P2P session!

Peer2Peer sessions are limited to 25 people who share a common interest and want to discuss or learn more about a particular security issue. The sessions are interactive and moderated by someone who knows the subject at hand and also can keep the conversation flowing. No PowerPoint allowed!

The first Yay! is that you won't be subjected to a PowerPoint; the second is that you will get to help shape the conversation and learn from your peers.

The title of my session is Risk Management: Getting Engaged.

Before we can effectively practice risk management in our organizations, a number of things have to happen. One of the key things that must occur is getting our business partners to engage with us. In this Peer2Peer session we will explore different ways to capture our business partners' attention so that we can effectively and efficiently provide the risk management activities that help our organizations make appropriate risk based decisions.

Here are the details:

Session Track: Peer2Peer
Session Code: P2P-203B
Scheduled Date: 3/3/2010
Scheduled Time: 10:40 AM - 11:30 AM
P2P Session Title: Risk Management: Getting Engaged

I hope to see you there!




RSA Europe 2009 – Day 3 Recap

by kriggins on October 25, 2009

in Conferences

The final day of RSA Europe 2009 was particularly special to me since it was my speaking debut at an RSA function.

About 20 minutes before I was due to go on I tweeted "6 VMs, a slide deck and me typing...easy peasy :)." Surprisingly enough, it was easy peasy. I got through the deck, there were no technical failures and I didn't make a single typing mistake......okay, the last bit is a fib.

Things went well and I was able to demonstrate most everything I wanted to. I am now looking forward to the audience feedback.

I did manage to attend a few sessions as well. I started the day out with "The Impact of Future Regulation on Risk & Security Management." The description indicated that the presentation would take a look at how future regulation might impact information security risk management. I was hoping for some possible guidance about what might be coming down the road, but that did not really appear. What was offered was a general implementation roadmap for any new regulation that might come along. Essentially, it was: study the new regulations, review current governance, define awareness, revise policy where appropriate, revise processes and controls as needed, and review and consolidate. Nothing earth shattering, but not a bad plan either.

I next sat with James DeLuccia, who has some great recap posts too, in the "Can Virtualization Threaten Security & Compliance?" panel. This was a great discussion. One of those panels that you wish could go on well beyond the time allotted. There was a great deal of good commentary about the impact of virtualization on security and compliance. Beyond the conversation, three things really impressed me about this panel:

  1. It did not turn into a discussion about cloud computing, although cloud computing was covered where appropriate.
  2. The panel members were all very respectful of each other and the audience.
  3. The panel was prepared and ready to discuss the topic.

The information was flying fast and I was too busy paying attention and participating to take good notes, but a few things that stood out were:

  • Shadow IT - How are we going to enforce standards, policy and achieve compliance when anybody can fire up a virtual machine either internally or via a cloud service?
  • Server mobility is a real issue - What if the regulation you need to comply with says your machine has to stay in a particular location? How are you going to check that? How are you going to enforce that?
  • Inactivity/sprawl/licensing - Virtualization gives us the ability to rapidly provision servers and, in a lot of cases, without the active participation of an IT worker. How are we going to deal with sprawl? How are we going to manage licensing? How are we going to keep on top of active vs inactive virtual machines? How are we going to deal with inactive machines?

One of my favorite bits from the panel was from John Howie, Senior Director, Microsoft Corporation. He said, a bit paraphrased, "The greatest threat to infosec pros is the Chief Financial Officer." This was in reference to the lower cost of running virtual machines and moving the expense from capital expenditure to operating expense. These business drivers mean we will see more and more call for virtualization.

I did attend the closing keynote. The only real message was there needed to be better integrated controls and they let me get away with it.

I will be making a final RSA Europe 2009 post with my general thoughts, so I will close this one down now.