RSA Europe 2010 has opened press registration. The registration page can be reached here.



RSA 2010/Security BSides Recap – Day 02

by kriggins on March 13, 2010

in Conferences

I really intended to get this out earlier this week, but me o’ my has this been a busy week.

Anyway, day 2 at RSA 2010/Security BSides started in the reverse order of day1. I went to sessions at RSA first and then tottered over to Security BSides for the afternoon.

My day 1 recap can be found here.

Again, great content in both locations.

RSA 2010

I started the day out at RSA.

2010: A Web Hacking Odyssey – The Top Ten Hacks of the Year by Jeremiah Grossman

In this 50-minute talk, Jeremiah attempted to cover the top 10 web-based hacking methods for 2010. These are not hacks of particular sites, but ways in which sites can be hacked. There were two amazing things about this talk:

  1. That he even tried to do it in 50 minutes.
  2. That he was successful.

This was a great talk and Jeremiah did a great job of covering a lot of ground. If you are interested in more detail, his presentation deck is available here.

Microsoft SDL Tools: Automating the Security Development Lifecycle by Katie Moussouris and Bryan Sullivan

The next talk at RSA for me was given by Katie Moussouris and Bryan Sullivan and focused on some tools available from Microsoft in support of a Secure Development Lifecycle.

Some pretty nifty stuff was shown and best of all, most, if not all, were free. Many of them plug right into Visual Studio making them even more available to the developer. It is worth your time to explore the SDL site that Microsoft has available for you here and the SDL blog here.

Risk Management: Getting Engaged by Kevin Riggins (me)

The next stop on my RSA Wednesday was the Peer-2-Peer session I moderated. Again, there will be a separate post about it, but the short and sweet is that we all need to find ways to get information security risk management engaged in the business and the business engaged in information security risk management.

This was my last session at RSA for the day. I headed over to Security BSides for pizza and more great sessions.

Security BSides

The first order of business was to grab some lunch 🙂

SDL Lite by Marisa Fagan

Marisa’s lightning talk was a quick demonstration of how we can implement an SDL “lite” process. Interesting stuff. Marisa could really use your help. Errata Security is conducting a survey about the use of secure development methodologies. From the post:

Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods.

Help her out and take the survey.

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine with Jack Daniel, Josh Corman, Anton Chuvakin, Michelle Klinger

This was a good compliance/PCI discussion that included both the panel and the audience. I am not going to try to summarize it, but it is probably worth your time to catch the video.

Risk Management - Time to blow it up and start over? by Alex Hutton

Alex knows risk. I enjoyed this talk and it definitely generated some thought for me. As Alex said, though, this wasn’t a “throw everything you are doing away” talk. It was a look at the current state and an attempt to figure out if there is a better way. From his description:

Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC), guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach.

He did mention the new Verizon framework that looks pretty nifty.

That was pretty much it for the day from a conference perspective. I went back to my hotel to work for a bit and then it was time to head to the Security Bloggers Meet-up which was a lot of fun. You can see some photos from that event here if you are interested, luckily none of my ugly mug 🙂



I am very pleased to announce that my Peer2Peer session submission for RSA 2010 was accepted.

Here is the definition of a Peer2Peer session from RSA in case you are not familiar with them:

Have a security issue you would like to discuss with your peers? Want to share your experiences with a new technology? Care to explore best practices with colleagues? Then submit a P2P session!

Peer2Peer sessions are limited to 25 people who share a common interest and want to discuss or learn more about a particular security issue. The sessions are interactive and moderated by someone who knows the subject at hand and also can keep the conversation flowing. No PowerPoint allowed!

The first Yay! is that you won't be subjected to a PowerPoint; the second is that you will get to help shape the conversation and learn from your peers.

The title of my session is Risk Management: Getting Engaged.

Before we can effectively practice risk management in our organizations, a number of things have to happen. One of the key things that must occur is getting our business partners to engage with us. In this Peer2Peer session we will explore different ways to capture our business partners' attention so that we can effectively and efficiently provide the risk management activities that help our organizations make appropriate risk-based decisions.

Here are the details:

Session Track: Peer2Peer
Session Code: P2P-203B
Scheduled Date: 3/3/2010
Scheduled Time: 10:40 AM - 11:30 AM
P2P Session Title: Risk Management: Getting Engaged

I hope to see you there!




RSA Europe 2009 – Day 3 Recap

by kriggins on October 25, 2009

in Conferences

The final day of RSA Europe 2009 was particularly special to me since it was my speaking debut at an RSA function.

About 20 minutes before I was due to go on I tweeted "6 VMs, a slide deck and me typing...easy peasy :)." Surprisingly enough, it was easy peasy. I got through the deck, there were no technical failures and I didn't make a single typing mistake... okay, the last bit is a fib.

Things went well and I was able to demonstrate most everything I wanted to. I am now looking forward to the audience feedback.

I did manage to attend a few sessions as well. I started the day out with "The Impact of Future Regulation on Risk & Security Management." The description indicated that the presentation would take a look at how future regulation might impact information security risk management. I was hoping for some possible guidance about what might be coming down the road, but that did not really appear. What was offered was a general implementation roadmap for any new regulation that might come along. Essentially, it was: study the new regulations, review current governance, define awareness, revise policy where appropriate, revise processes and controls as needed, and review and consolidate. Nothing earth-shattering, but not a bad plan either.

I next sat with James DeLuccia, who has some great recap posts too, in the "Can Virtualization Threaten Security & Compliance?" panel. This was a great discussion, one of those panels that you wish could go on well beyond the time allotted. There was a great deal of good commentary about the impact of virtualization on security and compliance. Beyond the conversation, three things really impressed me about this panel:

  1. It did not turn into discussion about cloud computing although cloud computing was covered where appropriate.
  2. The panel members were all very respectful of each other and the audience.
  3. The panel was prepared and ready to discuss the topic.

The information was flying fast and I was too busy paying attention and participating to take good notes, but a few things that stood out were:

  • Shadow IT - How are we going to enforce standards, policy and achieve compliance when anybody can fire up a virtual machine either internally or via a cloud service?
  • Server mobility is a real issue - What if the regulation you need to comply with says your machine has to stay in a particular location? How are you going to check that? How are you going to enforce that?
  • Inactivity/sprawl/licensing - Virtualization gives us the ability to rapidly provision servers and, in a lot of cases, without the active participation of an IT worker. How are we going to deal with sprawl? How are we going to manage licensing? How are we going to keep on top of active vs. inactive virtual machines? How are we going to deal with inactive machines?

One of my favorite bits from the panel was from John Howie, Senior Director, Microsoft Corporation. He said, a bit paraphrased, "The greatest threat to infosec pros is the Chief Financial Officer." This was in reference to the lower cost of running virtual machines and the shift of the expense from capital expenditure to operating expense. These business drivers mean we will see more and more calls for virtualization.

I did attend the closing keynote. The only real message was there needed to be better integrated controls and they let me get away with it.

I will be making a final RSA Europe 2009 post with my general thoughts, so I will close this one down now.



RSA Europe 2009 – Day 2 Recap

by kriggins on October 22, 2009

in Conferences

Day 2's recap is going to be rather short and for that I apologize. I spent a good portion of the day tweaking and twiddling with my presentation. My presentation went well. No technical failures and I got all my points across. I would have been happier with it being a little smoother, but overall, I am happy.

I did manage to take in one of the keynotes, "The Underground Economy." Andy Auld from SOCA and Keith Mularski from the FBI gave an interesting talk about how the computer crime economy works. They spoke about the different forms of malware and spam, digital currencies, exchangers, and then talked about the organized criminal networks that they have come across. A very interesting talk even if a number of the slides were rather difficult to see.

The next session I attended was "Is IT Risk Management Just a Fad?". I expected a talk that would compare and contrast what I call "checklist security" and information security risk management. Unfortunately, that was not the case and I did not really take anything away from this talk.

The final talk I attended was the "Collateral Hacking" panel. It consisted of moderator Hugh Thompson and panelists Andrew Nash from PayPal, David Ostertag of Verizon Business Services and Ira Winkler of ISAG. From the description, the panel was going to talk about what happens when your co-tenant in a cloud is attacked, hence the title of Collateral Hacking. Unfortunately, it quickly lost its way and ended up being far off topic.



RSA Europe 2009 – Day 1 Recap

by kriggins on October 21, 2009

in Conferences

Yesterday was the first day of RSA Europe 2009 and I enjoyed it a great deal.

I ran into Brian Honan first thing in the morning and Craig Balding shortly thereafter.

I attended both opening keynotes and they were well done.

I particularly enjoyed Hugh Thompson's presentation. He spoke about gateway data. This is data that, by itself, seems innocuous. However, it can be used or combined with other data to get more data or more access. He was speaking from the perspective of the data that we often put in public spaces such as Facebook, Twitter, blogs, etc. He also mentioned how on-line behaviors can be used to infer additional information. He classified this data into three different types:

  1. Direct Use - Public data that can be transformed
  2. Amplification - Conversion of public data to private data by bouncing it off a person
  3. Collective Intelligence - Collecting and correlating information from different on-line activities to deduce private information.

The last was the most interesting. He is doing a study which shows how the activities of individuals on LinkedIn can often be correlated to significant future events in the companies the individuals work for.

The next session I attended was 'How Information Security Careers are Changing.' This was an interesting session that looked at where our profession started and where it is going. The biggest takeaway for me was that where our profession used to be primarily technical, we have started to see a shift to a more differentiated situation where we have technical specialists, generalists, consultants and leaders. This means we both have more choices and have to be cognizant of the choices we make as we navigate our careers.

Brian Honan's talk on stealing an identity using purely public information was very enjoyable. About a year ago, a journalist challenged Brian to "steal her identity" using only publicly available information, no automated tools and only completely legal means. Of course, he didn't actually steal her identity, but through the information he found online, he was able to get a copy of her birth certificate, a completely legal activity in Ireland. Pretty much game over at that point. The message here is to be very careful what you put out there because it a) never disappears and b) can be used easily by the 'evil hackers.' He then showed us a number of automated tools like and Maltego that can make this process even easier.

My final session for the day was Craig Balding's Cloud Security talk. Again, very well done. His talk was a great overview of the issues that exist. Craig is an engaging speaker and stressed that the first step to being able to use cloud services in as secure a manner as possible is to classify our data. Yup, an old song, but a tune that is even more catchy when considering cloud computing. Unfortunately, I had to cut out a little early, but I will definitely be catching the rest when the recordings become available.

The last event of my day was the RSA Europe 2009 Security Bloggers Meetup. I have already written my quick recap post of that one and so will not repeat it here other than to say that I really enjoyed seeing old friends, meeting on-line friends for the first time and making some new ones.

If you happen to be here and would like to say hi, send me a note at or @ me on Twitter. I am @kriggins there.




Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The PandaLabs 3rd quarter report has been released.
    Q3 report released - PandaLabs
    Tags: ( reports )
  2. Alan is looking for a little feedback on how the Security Blogger Awards for the 2010 RSA USA Security Blogger Meetup will be run this year. Drop by and offer him your thoughts.
    StillSecure, After All These Years: Social Security Blogger Awards 2010
    Tags: ( rsa meetup )
  3. Want a job? Looks like DHS will be hiring.
    Security Fix - DHS Seeking 1,000 Cyber Security Experts
    Tags: ( career )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Dark Reading is hosting a free all-day virtual conference titled "Dealing with Insider Threats" next week.
    Dark Reading To Hold Virtual Conference On Insider Threats Next Week - security events/Security - DarkReading
    Tags: ( conference )
  2. You can download the CFP document and instructions for RSA USA 2010 already. The website will be live for submissions soon. The deadline is August 15th since the conference is a month earlier next year.
    RSA Conference 365
    Tags: ( cfp rsa-usa-2010 )
  3. Mubix gave an impromptu talk about Metasploit last night and this happened. Just hilarious.
    YouTube - Anon's raid Mubix
    Tags: ( humor )
  4. Here's a place to read about information security FUD or offer your own stories about it.
    Welcome To -
    Tags: ( fud )
  5. Jeremiah offers some thoughts on why vulnerable code should still be fixed after a web application firewall has been installed. Good comments too.
    Jeremiah Grossman: Why vulnerable code should be fixed even after WAF mitigation
    Tags: ( waf )
  6. Looks like all the hoopla about OpenSSH yesterday was just that, hoopla.
    OpenSSH 0day FUD
    Tags: ( openssh )
  7. A nifty reference card for 802.11.
    Will Hack For SUSHI >> 802.11 Pocket Reference Guide
    Tags: ( 802.11 )
  8. Lee Kushner and Mike Murray will be on PaulDotCom tonight at 7:00PM EDT. Cool stuff. Post tells what they will be talking about.
    InfoSec Leaders on PaulDotCom Tonight | Information Security Leaders
    Tags: ( career )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Time to patch, Apple owners.
    21 OS X Vulnerabilities Patched By Apple - Security Watch
    Tags: ( patches apple vulnerabilities )
  2. Even Google can get taken in by ad-based malware.
    Google sponsored links caught punting malware * The Register
    Tags: ( malware google ads )
  3. Be careful on Facebook. Well, you should always be careful on Facebook, but there are a few specific reasons you should be until they get them fixed.
    Four XSS flaws hit Facebook | Zero Day |
    Tags: ( exploit vulnerability xss facebook )
  4. Andy points to an article by Rebecca Herold about the importance of vetting your third-party service providers' information security stance. He then offers his opinion, which agrees with Becky's and mine for that matter.
    3rd Party Security
    Tags: ( security vendor review )
  5. Look out, folks. It appears that India is being targeted by Chinese hackers. With significant outsourcing going to India, we need to be very aware of this situation.
    The Dark Visitor >> Chinese hackers stealing Indian InfoTech data
    Tags: ( breach india )
  6. The invitations for the RSA Security Bloggers Meet-up are out. Better get your RSVP in soon. Only 200 will get to attend.
    Network Security Blog >> Look for your invite
    Tags: ( rsa meetup )
  7. This is just nifty.
    ITSec Non-Hypocritical Oath
    Tags: ( creed )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Howdy folks.

We are going to try something a little new today.

As you have all probably realized, these posts have all been built from blogger sources to date. I am going to start expanding them to include things I see in the news and from other sources that have infosec applications. As we go forward, I am interested in knowing whether you would prefer to have two separate posts or whether you like the combined format.

As always, leave a comment with your opinion or email me kriggins _at_ On with the show.

From the Blogosphere.

Jennifer Leggio has a post up on her new blog Feeds at ZDNET (congrats Jennifer) about privacy concerns with Company Groups on Linked. She points out some very real privacy and data leakage concerns for this type of automated grouping.

Richard Bejtlich has a good summary of the Verizon Business 2008 Data Breach Investigations Report which you should go ahead and read.

From the newsosphere.

Via Dark Reading, RSA is introducing a flexible card shaped authenticator.

Via SearchSecurity, The PCI council is launching an assessor quality assurance program. Kinda have to wonder why it has taken this long for something like this to happen.

The Register brings us an interesting article about fraudsters gaming the address verification system in use in the UK for charges.

From congressmen are saying that China is hacking their computers. Of course China is denying it.

Have a great day and remember, let me know which format you prefer, combined or separate.


