We are proud to present the following lineup of speakers and topics:




A Day in the Life of a Secured User: We have all talked about and researched the various ways we can secure our data and users, but what does a secured environment look like from the user's perspective? What do we as security professionals see when it all comes together? Is the line between security tools and productivity tools blurring? This presentation shows the user's perspective while 'living' in a secure environment and highlights what we as security professionals can have at our fingertips when all the solutions come together.




Aaron Bedra


Aaron leads the security practices at Relevance where he helps teams design and code security focused software. Aaron works as a technical lead, speaker, and author. His current focus is building enterprise systems using Clojure. He is an active security researcher focusing his time on finding new attack vectors hidden in video and network cards. Aaron is a member of the Clojure/core team (http://clojure.com) and frequent contributor to the Clojure language. He is the author of "Rails Security Audit" and the upcoming second edition of "Programming Clojure".

Mo Cores, Mo Problems: Last year, you watched Aaron talk about cracking passwords with video cards. This year, hear him talk about the new angles of attack that become possible by adding processor cores to these devices, as well as to network cards and other things you might not think of as having a mind of their own. See what it will take to secure your environment against these new attack vectors and not fall victim to what amount to surprisingly simple attacks on your otherwise hardened platforms.




Jerod Brennen


By day, Jerod is a Principal Security Consultant with Jacadis, an award-winning security solutions and services provider. By night, he’s a husband, father, writer, filmmaker, martial artist, and social media junkie.

Jerod has over a decade of IT, infosec, and compliance experience. He spent years as an Information Security Specialist with American Electric Power, one of the nation’s largest generators of electricity, before moving to Abercrombie & Fitch, a multibillion dollar luxury retailer. At A&F, Jerod built out and managed the information security program. His team was tasked with security operations, PCI and SOX compliance, and identity and access management.

His approach to infosec has two key tenets: don't be afraid to void warranties, and you shouldn't need to bypass security to get your work done.

Jerod is currently a Certified Information Systems Security Professional (CISSP) in good standing.

Yes, You Can: How to Securely Deploy and Manage Enterprise Mobile Devices:
Adopting smartphones and tablets can give your organization a competitive business advantage. However, the risks of a haphazard roll-out of mobile devices can wipe out those benefits. Worse, it could result in a very expensive security incident directly attributable to poorly managed (or unmanaged) devices.

With the right information, a company can have the best of both worlds: competitive advantage plus a secure mobile infrastructure. Jerod will use this presentation to provide you with the information you need, including:
  • Mobile device security policy
  • Employee training expectations
  • Device hardening details
  • Centralized management options
  • Resources for further research




Alex Cox


As a Principal Security Researcher for NetWitness, Alex Cox is responsible for providing use-case consulting in network forensics and monitoring to clients, and for studying existing and emerging information security events to develop content and intelligence for the NetWitness solution suite. Prior to joining NetWitness, Mr. Cox was the lead researcher on the emerging threats analysis and solution development team at Wachovia Corporation, where he was responsible for forensic analysis and incident response for security events. He is a former officer in the U.S. Army Military Police Corps and a former police officer. Mr. Cox holds a B.S. in Administration of Justice from Virginia Commonwealth University and an M.S. in Information Assurance from Norwich University.

How to be an APT in Seven Easy Steps: In this presentation, Mr. Cox will cover the methods and techniques attackers use to infiltrate networks and extract data, often right under the nose of trained security teams. With examples and demonstrations based on recent high-profile intrusions, Mr. Cox will show how security teams can counter this threat and use network analysis and monitoring to develop a detection strategy.



Adrian Crenshaw


Adrian Crenshaw has worked in the IT industry for the last twelve years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for a while (MCSE NT 4, CNE, A+, Network+, i-Net+) but stopped once he had to start paying for the tests himself. He is currently working on a Master's in Security Informatics and is interested in obtaining a network security/research/teaching job in academia.

Crude, Inconsistent Threat: Understanding Anonymous: Most of the time, I do tech talks, classes and presentations on "how this protocol works" or "how do I hack that?" This time, I want to delve into a little psychology/sociology. Much has been said about a "group" referred to as Anonymous. This talk will go into Anonymous' motivations, organization (or lack thereof) and how "group" is sort of a misnomer. For those familiar with "chan" culture, this talk may not be of much use, but for those who read about Anonymous and just don't get it, this talk may be of assistance. This talk is not intended to condemn or promote, but just to help understand "cyber-lynch-mobs" and their security ramifications.




Tom Eston


Tom Eston is a Senior Security Consultant for SecureState and a senior member of SecureState's Profiling team, which provides attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile devices. He is the founder of SocialMediaSecurity.com, an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts, and a frequent speaker at security user groups and national conferences including Notacon, OWASP AppSec, Defcon and Shmoocon.

Attacking and Defending Apple iOS Devices in the Enterprise: IT loves to use Apple iPhones and iPads, but hates supporting them. In most environments they are the exception, not subject to standard corporate controls. The exception is usually allowed because the CEO bought an iPhone and iPad the day they were released and quickly filled them with sensitive corporate data. Given their portability and popularity, it is only a matter of time before one of these devices goes missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple's iOS devices, introduce a new assessment methodology that penetration testers can use, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.




Mike Geide


Mike Geide is a senior security researcher at Zscaler, Inc., a cloud computing, security software as a service (SaaS) provider. He is responsible for researching, analyzing, and developing mitigation strategies for security threats, particularly threats to Zscaler's cloud and web-based threats to its customers. He has spoken at several security conferences, including RSA, CanSecWest, and SANS, and his research has been cited in the media, including USA Today, The Register, and Dark Reading. Prior to joining Zscaler, Geide worked in the Federal Government for DHS/US-CERT and then on the Internal Revenue Service (IRS) Online Fraud Detection and Prevention team. He holds a Master's degree in Computer Science and several certifications, including the CISSP.

Twisted Tweets and Fiendish Friends: security risks via the social media web:
While social media websites provide a real-time feed of tweets, status updates, and other information from within your social circle, they also provide an additional avenue for threats from cyber criminals. These threats range from information disclosure and social engineering to malware and exploitation of vulnerabilities within the social media environment itself. This presentation will show how social media sites are used for attacks, with detailed examples including relevant artifacts and logs of those attacks. The insight is based on traffic from millions of users across 140 countries on the Zscaler cloud every day, which lets the company see global trends.



Greg Green


Greg specializes in the Identity & Access Management and Application Security domains. He has been employed at Nationwide for 20 years, the first half in application development and application architecture and the second half in information security. Prior to Nationwide, he developed group health insurance applications for Lincoln Financial Group and, before that, material logistics applications at International Paper for nearly a decade (with a short stint as an independent consultant in between). He has over 30 years of IT experience (he wrote his first application code on the job in 1980). Education: BS Information Systems and MS Business.

Foundations of Application Security and Design (FASAD): FASAD was initiated in early 2007 with the primary goal of quickly increasing application security skills within information risk management at Nationwide. Secondary goals were to provide a consistent approach to application security assessments and to reduce the time required to assess applications effectively.

FASAD is meant to be a visual representation of application security risk elements, to guide risk assessments and assist risk professionals, application developers and application architects. It is not meant to document industry best practices for secure application development, nor to be a simple checklist. It is meant to guide the thought process for analyzing the risk posture of a business application.

FASAD is a taxonomy with six high-level elements: information protection, use cases, architecture, access management, code implementation and application operations. While each high-level element can stand alone, together they are primarily meant to guide the level of analysis required for a particular application. For example, if there are significant information protection concerns, then the use cases should be reviewed to determine how information protection could be compromised.


Phil Grimes


Phil Grimes is a Security Analyst for MicroSolved, Inc. MSI is a leading provider of application security assessments and penetration testing. Since 1992 it has provided security services to organizations ranging from small businesses, financial institutions, e-commerce/telecommunications, manufacturing, education and government agencies to international corporations. Mr. Grimes started learning networking and Internet security as a hobby on AOL in 1996 and developed his technical skill set independently until joining the MicroSolved team in 2009. He is experienced in application security, penetration testing, mobile/smartphone security, and social engineering. He performs assessments for high-profile customers internationally and is an accomplished speaker and presenter for MSI's "State of the Threat" webinars, CUISPA conferences, and the Central Ohio WordPress Podcamp.

Surface Mapping Mobile Applications: With the increased presence of smartphones, it has become clear that mobile applications are not going away and have increased our organizations' attack surface. In this discussion, learn how these applications are targeted, how an attacker maps their course, and how to lessen the risk during the development process. While these applications are a new frontier, they will continue to become an integral part of business and life. Participants will gain a clear understanding of how to map application attack surfaces and identify areas of an application that may be susceptible to attack.






William Hagestad II


Lieutenant Colonel Hagestad has a Bachelor of Arts in Mandarin Chinese, with minor emphasis in Classical Chinese and Modern Japanese, and a Master of Science in the Management of Technology from the Carlson School of Management, University of Minnesota; he will receive a second Master of Science, from the College of Computer Engineering in Security Technologies, in 2011. He enlisted in the United States Marine Corps in 1981 and has served in numerous command posts: in 2002-2003 Lieutenant Colonel Hagestad was the Anti-Terrorism Officer for Marine Central Command during the initial build-up and subsequent operations in Iraq, and in 2006-2007 he served with II Marine Expeditionary Force (MEF) and the US Army's 1st Armored Division in Ramadi, Al-Anbar Province, Iraq. He currently holds an advisory position as an Anti-Terrorism/Force Protection Officer. His personal decorations in the Navy include the Achievement Medal with Gold Star, the Navy Commendation Medal, the Operation Iraqi Freedom Medal with single campaign star, the Global War on Terrorism Medal and the Selected Marine Corps Reserve Medal with 4 stars. He speaks both domestically and internationally on the Chinese cyber threat.

China: A Comparative Analysis of Government & Nationalistic Threat Vectors: Nation-state cyber threats have many origins, as we have seen from effects in Estonia to the United States. In this session we will examine both the People's Republic of China's governmental cyber initiatives and the groundswell of nationalistic Chinese who use various hacking methodologies to suppress anyone who would question China's role in the world. The session will briefly introduce the Communist Chinese government and military information warfare initiatives, the underground Chinese hacking community, and why these foreign entities matter to IT security professionals in commercial, federal, state, local and municipal government, intelligence and military organizations. Perhaps never before has an intimate understanding of the cyber world and things Chinese been so important.




Brent Huston


Brent has 20+ years of experience in technical information security, risk management and executive consulting. He is an expert in PCI, GLBA, HIPAA/HITECH and other regulatory scope management/reduction, effective security and compliance program creation, and enterprise risk management. He is the author of the 80/20 Rule for InfoSec, which details creating security and compliance programs based on leverage and scope management, and the developer of HoneyPoint technology and several other software products over the last two decades.

As CEO of MicroSolved, Brent has bootstrapped a company through solely organic growth into a nearly 20-year-old, multi-million dollar organization doing business on a global scale. The company's focus on real-world results, customer service and new technologies to reduce risk has allowed it to become a bleeding-edge leader in its industry.

Brent regularly speaks before industry groups, provides bleeding-edge threat intelligence to Fortune 500 companies and helps organizations create, manage and improve their security initiatives. He is an active author, developer and teacher of information security methodologies, tools and techniques that create huge changes in corporate security team effectiveness.

Crimeware - Detecting compromised hosts and current threat patterns against desktop systems: Today's threatscape is a rapidly changing environment. Infected consumer hosts abound, but compromised hosts lurk on many corporate networks too. In this talk, you will learn about some of the bleeding-edge crimeware and attack patterns that attackers are using inside networks. The flow of compromised workstations, and of data as it is exfiltrated, will be explained, along with tips on locating compromised hosts in your networks beyond the usual anti-virus and log reviews so often pointed to as "best practice". Based on real-world examples and real-time security research from honeypots around the world, you will take away significantly deeper knowledge of how attackers steal data from organizations every day.




Alex Hutton


Alex Hutton is a big fan of trying to understand security and risk through metrics and models. Currently, Alex is a principal for Research & Intelligence with the Verizon Business RISK Team. The Verizon RISK Team builds and hones the risk models for Cybertrust services, produces the Verizon Data Breach Investigations Report and Verizon's PCI Compliance Report, and is responsible for the VERIS data collection and analysis efforts. As a member of the RISK team, Alex also writes regularly for the Verizon Security Blog.

Alex likes risk and security so much that he spends his spare time working on projects and writing about the subject. That work includes contributions to the Cloud Security Alliance documents, the CIS metrics project, the ISM3 security management standard, and work with the Open Group Security Forum. Alex is a founding member of the Society of Information Risk Analysts, blogs for their website and records a podcast for the membership. He also blogs at the New School of Information Security Blog.

The Verizon 2011 Data Breach Investigations Report & Evidence-Based Risk Management Version 1.0: In information security, success isn't always obvious, but significant failure is often painfully observable. The 2011 Verizon Data Breach Investigations Report (DBIR) gives us a stunning look at the information security landscape by observing, classifying, and aggregating failures across a population of organizations. In looking at these failures, we can classify and identify key risk determinants and begin to understand how and why data breaches happen.

Thanks to the involvement of the US Secret Service in the DBIR, and to similar reports now appearing across the industry, we can start to put one small piece of the security puzzle together. When we finally do, we will have an opportunity to re-invent the way we manage security and risk, basing it on evidence and science rather than fear, uncertainty, and doubt.



Jack Jones


Jack Jones (CISM, CISA, CISSP) has been employed in technology for the past twenty-seven years and has specialized in information security and risk management for nineteen years. During this time he has worked in the United States military, government intelligence, consulting, and the financial and insurance industries. Mr. Jones has over seven years of experience as a CISO, five of them at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the ISSA Excellence in the Field of Security Practices award at that year's RSA conference. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework.

In 2007, Mr. Jones was selected as a finalist for the Information Security Executive of the Year, Central United States, and judged the national Information Security Executive of the Year competition. From 2008 to 2009 he was an invited member of an international task force convened by ISACA to develop a standard framework for risk management, now referred to as Risk IT. He currently chairs the ISACA committee tasked with developing a certification exam for information and technology risk professionals.

Mr. Jones' company, Risk Management Insight LLC, helps companies manage risk cost-effectively through accurate and meaningful quantitative risk analysis.

Better Metrics: Over the past few years there has been growing recognition that metrics are an important part of any mature information security program. Unfortunately, there is also widespread agreement that identifying, gathering, and reporting useful metrics is extremely challenging. In this interactive session we will discuss common metrics in use today, the role metrics should play in managing risk, and metrics that are meaningful to decision-makers. Participants will come away with a clearer idea of where to focus (and where not to focus) their metrics and reporting efforts.



David Kennedy


David Kennedy (ReL1K) is a Director of Information Security for Diebold Incorporated, a Fortune 1000 company. David is a penetration tester who likes to write code, break things, and develop exploits. Dave is on the Back|Track and Exploit-Database development teams and is co-host of the Social-Engineer podcast. David continues to contribute to a variety of open-source projects and has had the privilege of speaking at some of the nation's largest conferences on a number of occasions, including BlackHat, Defcon and Shmoocon. David is the creator of the Social-Engineer Toolkit (SET) and Fast-Track, has written modules and attacks for Metasploit, and has released a number of public exploits. David heavily co-authored the Metasploit Unleashed course available online and has written a number of security white papers in the field of exploitation. David has a book being released in June by No Starch Press, "Metasploit: A Penetration Tester's Guide". Lastly, David worked for three-letter agencies during his U.S. Marine career in the intelligence field, specializing in red teaming and computer forensics.

Leveraging Social-Engineering in your INFOSEC Program: Social engineering has been a hot topic given the recent breaches and attacks, and it is something our information security programs aren't typically designed to handle. This talk will cover how effective social-engineering attacks can be, and ways of circumventing the traditional technologies we've invested our security budget in. Live demonstrations will be performed using the Social-Engineer Toolkit, an open source Python-driven social-engineering framework for testing your user awareness and information security program. Lastly, we'll dive into what we'll be facing in the years to come and how to build our security programs in a manner that can effectively tackle these types of attacks.



Dave Mortman


David Mortman runs Operations and Security for C3, LLC and is a Contributing Analyst at Securosis. He was formerly the Chief Information Security Officer for Siebel Systems, Inc., and before that Manager of IT Security at Network Associates. Mr. Mortman has been a regular panelist and speaker at RSA, Black Hat, Defcon and Information Security Decisions. He sits on a variety of advisory boards, including Qualys. He holds a BS in Chemistry from the University of Chicago. David writes for the Securosis, Emergent Chaos and New School blogs. He was an editor for the 2nd edition of the Cloud Security Alliance Guidance and is involved with CAMM as well.

Cloud Security Realities: Facts Not FUD: Vulnerabilities need to be viewed in the context of how the system or application is deployed, what compensating controls may be in place, the value of the data being protected, how likely it is that an attack will happen, and how often it will succeed. In this session, I will present a new methodology for doing this and, as a demonstration, perform risk assessments on recently released vulnerabilities.



Chris Novak


Christopher Novak is an internationally recognized expert in the field of investigative response and computer forensics. He has been involved with information security for over 10 years. He has assisted corporations, government agencies, and attorneys with all matters involving IT security compliance, litigation support, computer forensics, fraud investigations, and computer security incident response.

Christopher is a co-founder of the Verizon Business Investigative Response Unit and an active senior investigator. He has led dozens of tactical response cases over the past 18 months and continues to respond to high-profile cases on a global basis. He works closely with local, state and federal law enforcement agencies as well as on joint investigative operations coordinated with foreign law enforcement.

As both a manager and a technical forensic investigator, Christopher provides regular advice and guidance to medium and large organizations worldwide. He maintains extensive experience with the latest commercial forensic hardware and software, and also works internally to develop proprietary and situation-specific tools and methods.

Christopher is an active public speaker and can commonly be heard at IAFCI, RSA, ISSA, ISACA, Gartner, InfraGard and other popular IT security events around the world, discussing topics ranging from high-level best practices to in-depth technical training. He has also written numerous articles for IT security journals, trade magazines and blogs. Most recently he co-authored the 2008, 2009 and 2010 Data Breach Investigations Reports, and he is a member of multiple industry trade groups including IAFCI and ICST.

Christopher holds a Bachelor of Science degree in Computer Engineering from Rensselaer Polytechnic Institute. He also acts as an Adjunct Professor and guest lecturer at various universities within the SUNY system.

Cloud-based IT Investigations: The Cloud is increasingly changing the way we look at IT, but did you know the Cloud is also changing the way we fight electronic crime? Cloud-based investigative techniques are dramatically evolving the IT investigative world, and the conventional digital forensics approach no longer applies. The Cloud opens up the possibility of leveraging entirely new tools and methods to fight electronic crime: containment can be achieved more quickly, and the stage is better set for arrest and prosecution than ever before. Criminals can no longer hide, and, as you might expect, these factors are beginning to change the face of electronic crime threats around the globe.

This presentation will explore the role of the Cloud in today's more complex data breach investigations, spanning both cybercrime and cyberwarfare cases. Attendees will learn how the Cloud is being leveraged by both law enforcement and the private sector in the course of IT investigations, including detail on techniques and tricks being actively deployed to combat electronic crime.



Gunter Ollmann


Gunter Ollmann, Vice President of Research at Damballa Inc., has over 20 years of experience in the information technology industry and is a known veteran in the security space. Prior to joining Damballa, Gunter held several strategic positions at IBM Internet Security Systems (IBM ISS), most recently Chief Security Strategist. In that role he was responsible for predicting the evolution of future threats and helping guide IBM's overall security research and protection strategy, as well as being the key IBM spokesperson on evolving threats and mitigation techniques. He also held the role of Director of X-Force and was formerly head of X-Force security assessment services for EMEA at ISS (which IBM acquired in 2006). Before ISS, Gunter was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. Gunter has contributed to multiple leading international IT and security magazines and journals, and has authored, developed and delivered a number of highly technical courses on web application security. He is a well-known industry speaker worldwide, is often invited to present at international security conferences, is highly regarded in the press as an expert source on security threats, and is frequently quoted by the international media.

How Criminals Build Botnets for Profit: Building a globe-spanning botnet is within reach of anyone who knows how to use Google and install software on their own Windows system. But how do criminals monetize that botnet and evade detection? Building a newbie botnet is easy enough, but building a robust, scalable, money-making botnet isn't quite so trivial. There are tricks that experienced and downright criminal botnet operators use to extend the life of their botnets, their campaigns, and their professional careers. Constructing a criminal "cloud" service takes a fair bit of effort, but it lets criminals reap financial rewards in many new and innovative ways. This talk will cover the tactics and strategies behind building modern criminal botnets: how criminals build bullet-proof botnet command and control topologies, how they ensure the release of unique and undetectable malware, and how they remotely control and assign batch jobs to tens or hundreds of thousands of victim systems. But that's not all. What's the point of going to all this effort (and expense) if the criminal does not end up with a profitable business? The talk will cover, by way of example, the ways in which botnets are monetized now and into the future, that is, how criminals cash in on a growing collection of bot-infected victims. The talk will conclude with an overview of the most effective techniques and solutions for identifying and stopping botnet operators and their profitable operations.




Rafeeq Rehman


Rafeeq Rehman has a long track record in information technology and has worked with multiple organizations to create effective IT solutions. He is the author of multiple books, including one on the Snort IDS.

Creating an enterprise distributed IDS using Snort, Splunk, Rsync, and SSH: Snort is a mature, open-source Intrusion Detection System (IDS). This session will enable participants to build a corporate IDS by integrating Snort with other tools such as Splunk. The system involves centralized management of Snort rules, checking the status of multiple sensors, collecting log and alert data on a centralized management server, and analyzing the data using Splunk. The whole system uses Linux and utilities available on the Linux operating system, without the need for any additional software. (Snort and Splunk are trademarks of Sourcefire and Splunk respectively.)
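As an added example (illustrative code written for this page, not the speaker's material), the script below shows the last step of the architecture described above: it assumes each sensor's Snort "alert_fast" file has already been pulled to the management server (for instance with rsync over SSH), parses those lines into Splunk-friendly key=value events tagged with the sensor name, and summarises which sensors reported and which were silent. The sensor names, the SIDs (chosen in the local 1000000+ range) and the addresses are constructed sample data.

```python
"""Normalise Snort alert_fast lines from several sensors into key=value events
for Splunk and summarise them per sensor. Illustrative code; all sample data
below is constructed (sensor names, local-range SIDs, addresses)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# One alert per line, IPv4 only. The Classification field is optional and
# ICMP lines carry no ports, so both are optional groups.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: what the per-sensor alert files would contain after
# being rsync'd to the management server. sensor-branch sent nothing.
SAMPLE_ALERTS: Dict[str, List[str]] = {
    "sensor-dmz": [
        "05/10-14:23:01.123456  [**] [1:1000001:2] LOCAL SSH brute force attempt [**] "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
        "198.51.100.7:54321 -> 192.0.2.22:22",
        "05/10-14:23:05.000100  [**] [1:1000001:2] LOCAL SSH brute force attempt [**] "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
        "198.51.100.7:54322 -> 192.0.2.22:22",
        "05/10-14:24:10.555000  [**] [1:1000002:1] LOCAL ICMP sweep [**] "
        "[Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.1",
    ],
    "sensor-core": [
        "05/10-14:25:00.000000  [**] [1:1000003:1] LOCAL outbound IRC on non-standard port [**] "
        "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
        "10.10.5.23:51000 -> 203.0.113.40:6667",
        "this line is not a Snort alert and must be skipped",
    ],
    "sensor-branch": [],
}

FIELD_ORDER = ["ts", "gid", "sid", "rev", "msg", "classification",
               "priority", "proto", "src", "sport", "dst", "dport"]


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert's fields, dropping absent optional ones; None if not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def _kv(key: str, value: str) -> str:
    """Quote values with whitespace, quotes or '=' so Splunk's automatic
    key=value extraction keeps them whole; embedded double quotes become
    single quotes (a simplification sufficient for Snort messages)."""
    if re.search(r'[\s"=]', value):
        return '%s="%s"' % (key, value.replace('"', "'"))
    return "%s=%s" % (key, value)


def to_splunk_event(sensor: str, fields: Dict[str, str]) -> str:
    """One line per alert, sensor first so searches can pivot on it."""
    parts = [_kv("sensor", sensor)] + [_kv(k, fields[k]) for k in FIELD_ORDER if k in fields]
    return " ".join(parts)


def normalize(alerts_by_sensor: Dict[str, List[str]]) -> List[str]:
    """Convert every parseable alert line from every sensor into a Splunk event."""
    events = []
    for sensor, lines in alerts_by_sensor.items():
        for line in lines:
            fields = parse_alert(line)
            if fields is not None:
                events.append(to_splunk_event(sensor, fields))
    return events


def summarize(alerts_by_sensor: Dict[str, List[str]], expected_sensors: Iterable[str]) -> dict:
    """Alert counts per sensor, the busiest signatures, and sensors that sent
    nothing in this collection window (a heuristic: worth an SSH liveness check)."""
    per_sensor: Counter = Counter()
    per_sig: Counter = Counter()
    for sensor, lines in alerts_by_sensor.items():
        for line in lines:
            fields = parse_alert(line)
            if fields is not None:
                per_sensor[sensor] += 1
                per_sig[(fields["sid"], fields["msg"])] += 1
    silent = sorted(s for s in expected_sensors if per_sensor[s] == 0)
    return {"per_sensor": dict(per_sensor),
            "top_signatures": per_sig.most_common(3),
            "silent_sensors": silent}


if __name__ == "__main__":
    for event in normalize(SAMPLE_ALERTS):
        print(event)
    print(summarize(SAMPLE_ALERTS, SAMPLE_ALERTS.keys()))
```

In a deployment of the kind the session describes, each sensor's alert file would be rsync'd to a per-sensor directory on the management server and this script's output written to a file that Splunk indexes; that layout is an assumption here, not something the abstract specifies. The silent-sensor list is only a hint that a sensor may be down or disconnected (a quiet network segment also produces no alerts), so treat it as a prompt to check the snort process over SSH rather than as a status report.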




    Richard Tsai


    Richard Tsai is a senior product manager at Application Security, Inc., where he is responsible for the DbProtect product offering-- the companyÕs industry-leading database security suite.Ê Richard has been evangelizing database security and finding innovative solutions to the security, risk and compliance challenges for the majority of the past decade.

    Richard is a technology veteran that possesses a deep blend of security knowledge and practical business risk mitigation.Ê His perspective is shaped by his fourteen years of experience as a consultant integrating enterprise systems, developing web solutions, and developing database security solutions including encryption, assessment and activity monitoring.Ê Richard has been a key strategic member at Application Security since its inception occupying various leadership roles in the engineering and marketing organizations.

    Richard holds a BS in Computer Science from Binghamton University.

    A Defense-in-depth Approach To Safeguarding Sensitive Information in the Database: As threats to enterprise data continue to mount, and regulatory compliance requirements become more complex, organizations need to prioritize a defense-in-depth approach to certify that their database environments are secure AND in continuous compliance.

    Since 2008, 519 million records have been breached. Is your database next? Can you withstand the negative impact a breach would have on your reputation?

    No organization, industry, or government agency is immune to the proliferation of complex cyber-threats and malicious behavior. Ensuring database security is a priority for organizations interested in protecting sensitive data and passing audits.

    In an era of tight budgets, rising threats, and database audits, it is critical to integrate controls and defensive mechanisms to most effectively minimize your database security risk. During this presentation, attendees will be introduced to the database security best practices that have allowed numerous organizations to pragmatically secure the confidentiality, integrity, and availability of sensitive enterprise data where it lives: in the database. The session will conclude with a list of easily achievable first steps that can significantly improve an organization's database security posture, along with overall defense strategy recommendations.

    Attendees will learn:
  • How organizations can, through an integrated defense strategy, effectively manage their database risks across large, heterogeneous database environments with automated controls
  • How integrated deployments, combined with powerful reporting capabilities, have helped organizations pass database audits
  • First-hand use cases from organizations that take a defense-in-depth approach to safeguarding their database assets



    Dino Tsibouris


    Dino Tsibouris is the founding principal of the law firm Tsibouris & Associates, LLC. His practice concentrates in the area of technology and intellectual property law with specific expertise in electronic commerce, online financial services, licensing, and privacy law. In addition, Mr. Tsibouris' practice includes the implementation of electronic signatures, records management and information security. He was previously an attorney with Thompson Hine LLP and a Vice President and Counsel for eCommerce and Technology at Bank One Corporation (now JPMorganChase). He has conducted CLE and trade association presentations on various e-banking and e-commerce matters, and he has participated in many regulatory and industry task forces addressing new legislation. Mr. Tsibouris is listed in The Best Lawyers in America in the area of Technology Law.

    Managing the legal risks associated with cloud computing services: Important legal issues should be taken into consideration when negotiating cloud computing contracts. Specifically, the presentation will address legal issues relating to privacy and security of data; availability and location of the data; retention, access to, and transfer of data; electronic discovery and compelled disclosure of data to the government; and contracting negotiation tips.



    Troy Vennon


    Troy Vennon began his career in Information Technology as a newly enlisted recruit in the United States Marine Corps in 1998. Over the next four years, Troy deployed to various locations around the world, erecting, configuring and maintaining both classified and unclassified networks to support logistics, maneuvers, and the morale and welfare of deployed forces in places such as Australia, Japan, Korea and Thailand. In 2002, Troy was hand-selected to join the Marine Information Technology Network Operation Center (MITNOC) in Quantico, Va., where he managed the point-of-presence security perimeters for Marine bases, posts and stations around the globe. Upon the organization's evolution into the Marine Corps Network Operations and Security Center (MCNOSC), Troy was assigned as a Non-commissioned Officer and promoted to Staff Non-commissioned Officer of the Marine Computer Emergency Response Team (MARCERT), where he oversaw a team of Marines and contractors charged with analyzing and defending the Marine Corps networks from network-based attacks.

    Troy joined SMobile Systems as a member of the Global Threat Center in June 2009, managing the team of security experts that make up the only dedicated team that provides "cert-like" functionality for mobile devices and mobile threats. Recently acquired by Juniper Systems, the Junos Pulse Global Threat Center brings proven, methodology-driven analysis of security concepts to mobile devices and operating systems. The team leverages proven security concepts and advances made in the security models of mobile device platforms to create the environment where the 3 pillars of information security research are established and maintained: Confidentiality, Integrity, and Availability.

    State of Mobile Security: The inaugural decade of the century laid the groundwork of innovation that allowed 2010 to be the year that mobile device platforms and capabilities came to the forefront of nearly every person's daily life. Whether the discussion involves Enterprise, SMB, Government or Consumer, the use of smartphone devices to manage one's professional and personal affairs has become the norm. With this widespread adoption have come dramatic changes in the use of mobile devices. Users are implored, through all forms of media, to download as many applications as possible to increase productivity and provide entertainment. Mobile devices are equipped to store amounts of data equal to those of laptop computers while having the convenience of being easily carried throughout the day. Business activities, online banking, and commerce are enabled and available for ease of use. In essence, smartphone devices have become the new personal computer, with one important differentiator: while most personal computers come equipped with anti-virus and other endpoint security software, the vast majority of mobile devices perform the same functions devoid of security protection.

    This report provides a holistic and objective briefing on the current state of mobile security. Consistent with the areas of research conducted by the Juniper Global Threat Center, specific information will be provided to address the vectors of exploitation relating to mobile devices, including:
    • Malware - Spyware, Viruses, Trojans, Worms
    • Direct Attacks - SMS exploits, browser exploits
    • Loss and Theft
    • Data Communication Interception
    • Exploitation and Misconduct



    Bob West


    Founder and CEO, Echelon One

    Bob is responsible for creating and executing Echelon One’s corporate strategy. He has over 25 years of experience in corporate and startup environments.

    Bob is a frequent speaker on the subject of information security and risk, and on global policy issues such as payment fraud and critical infrastructure. He is on the board of management for the Jericho Forum and on the advisory boards for Agilance, the Hispanic Information Technology Executive Council, Security Growth Partners, Trusteer, and the University of Detroit Mercy's College of Liberal Arts and Education. He has also served on Securent's advisory board (acquired by Cisco) and TriCipher's advisory board (acquired by VMWare), and as a member of RSA Security's Customer Advisory Council and the ISS Customer Advisory Council. He is quoted frequently in the press, including BusinessWeek, Forbes and The Wall Street Journal.

    Previously, Bob was Chief Information Security Officer (CISO) at Fifth Third Bank in Cincinnati where he was responsible for the enterprise information security strategy. Prior to joining Fifth Third, Bob worked for Bank One in Columbus where he held several key leadership roles, including Information Security Officer for Bank One's Retail Group. Prior to joining Bank One, Bob was a manager with Ernst & Young’s Information Security Services practice in Chicago, and a Senior Systems Officer with Citicorp International in New York and Chicago.

    Bob received the 2004 Digital ID World Conference award for Balancing Innovation and Reality, and a 2004 InfoWorld 100 Award for implementing cross-company authentication using SAML. Bob graduated from Michigan State University with a Bachelor of Arts in German and then received his Master of Science in Management Information Systems from North Central College.

    Characteristics of a Highly Effective Information Security Executive: The vast majority of information security professionals haven't been given the proper guidance on how to collaborate with their executive teams. Because of this, they have very little interaction with their executives and board members, and thus insufficient budgets and resources. This session will discuss how information security executives can be highly effective leaders and collaborate as partners with their executive teams.




    Panel Topic: Selling Security Upward to Executive Leadership

    Angelo Mazzocco - Panel Moderator


    Angelo Mazzocco is the Chief Information Officer of Progressive Medical, Inc. Progressive Medical, Inc. is a nationwide managed care and health care cost containment company. It coordinates care for workers' compensation, auto no-fault and personal injury protection cases. Progressive Medical, Inc. provides medical equipment, medical supplies, pharmacy management, health services and ancillary services such as outpatient rehabilitation, transportation, translation and radiology. Its nationwide network of pharmacies and equipment providers offers prompt service, detailed follow-up and cost containment reports to insurers, employers and third party administrators. Prior to coming to Progressive in January 2006, Angelo was the Vice President and Chief Information Officer of The Dispatch Printing Company and Affiliates, which include 16 privately held companies. Angelo's career has also included employers NC Group, CompuCom, Accenture, Nationwide Insurance, and NCR.

    He has served as an adjunct faculty member of the Ohio State University and Otterbein College since 1991.

    An active leader in the Columbus and Ohio community, Angelo co-founded the CIO Forum and CIOhio CIO Symposium events. Angelo is a past recipient of the 2003 TechColumbus President's Top Contributor to the Advancement of Technology (TopCAT) award, 2005 TopCAT Executive of the Year, 2005 TopCAT Large Technology Team Leader, 2006 TopCAT finalist, 2007 TopCAT Large Technology Service Provider, 2008 TopCAT Large Technology Team, and the 2005 Volunteer of the Year for GroundWork Group, an annual award bestowed upon an individual with exceptional leadership and personal commitment to the Central Ohio community. He is a member of the Board of Directors of GroundWork Group, Gladden Community House, Navigator Management Partners, LLC., ZebraMobile, Inc., Quick Solutions, Inc., TechColumbus Membership, and the Ohio State University Digital Union.

    Keith Fricke


    Keith Fricke is the Information Security Officer for Catholic Health Partners, the largest not-for-profit hospital system in Ohio, with operations in several other states. Keith has 25 years of IT experience, the last 11 of which have been in Information Security. He frequently speaks at national, state, and local security events. He is a board member of the Cleveland InfraGard chapter. He holds a CISSP certification and earned his MBA from Baldwin-Wallace College.

    Geri Fultz


    Geri has over 25 years' experience in Information Technology security, risk management, governance and compliance, working in the energy, financial services and consumer products industries. She is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified in the Governance of Enterprise Information Technology (CGEIT). She is currently the Manager of IT Governance & Compliance at the ScottsMiracle-Gro Company.

    Sommers "Skip" Holler


    Sommers has been in the information technology field for over 35 years. He began his career in the United States Air Force, training on secure voice and data communications, and went from there to work on various platforms with a leading computer manufacturer. For the last 19 years, Sommers has been in state government, developing and managing several groups, the most recent being Information Security. He has been happily married to his wife Donna for 38 years, and has three daughters and ten grandchildren. He is a devoted Christian serving at Briggs Road Baptist Church and enjoys golf.

    Kent King


    Kent is a 1983 graduate of The Ohio State University (BSCIS) and began his career as a software developer at CompuServe. Kent has been working in information security and risk management for over 15 years. He has worked in the telecommunications, energy and insurance sectors and is currently a Security Manager for IBM. Outside of his career, he is an avid collector of antique radio equipment and, together with his wife, operates an 11-acre alpaca farm in Delaware County.

    Kellene Stets


    Kellene Stets, CISSP, CISA, PMP, is the Information Security and Continuity Manager for Safelite Group. She has nearly 15 years in IT, with more than a decade focused on Information Security and risk management. When not working, she is often found at a hockey rink, where she also keeps bad things out of her net.


