Are you drowning in alert data from your devices? Don’t know where to start winnowing down the deluge of potential attacks to find the important threats? Deploying a network of honeypot devices and integrating them into your existing processes can help security teams identify and understand which attacks deserve attention and develop indicators for identifying locally compromised hosts. We’ll introduce the Modern Honey Network and showcase an architecture and set of processes to help get the most utility from this open-source project. This is a topic specific/intermediate level session.Outcomes: Educate attendees on honeypot terminology and a taxonomy of honeypots * Explore operational applications of honeypot data and architectural considerations * Provide perspective on honeypot networks from multiyear deployment
[Read More]

It is a pernicious challenge of blue teams to validate security assumptions and vendor claims with respect to defensive technologies. There is no standardized toolkit available for defenders to benchmark security protections and verify assertions of protection and detection with respect to covert channels. This talk will demonstrate Dissembling Ferret, an open-source suite of testing tools designed to exploit covert channels that can be used to test security technologies’ capability to detect, prevent, or interfere with hidden communications. Outcomes: Learn about covert TCP channels used for exfiltrating data * Learn how to evaluate next-generation firewall security protections * Verify firewall vendor assertions of protection and detection with respect to covert channels
[Read More]

Competition for resources is a reality CIOs and CISOs routinely face as they make high-stakes decisions about where to spend limited resources. Both are looking for data to inform their choices for resource prioritization. EDUCAUSE’s Core Data Service includes data about budget dedicated to security, FTEs, and technologies deployed. Join us as we review the results of an ECAR study that looked for correlations between institutions suffering data breaches and their security program profile. This is a topic specific/intermediate level session.Outcomes: Learn about common factors among institutions that have experienced a breach * Understand the importance of peer survey participation to provide data to inform decisions * Generate additional ideas about how to effectively tackle the resource-prioritization challenge
[Read More]

Conducting SaaS vendor risk assessments in a vacuum provides no value. Help distinguish good risks from bad through some simple consulting techniques and questions. There is no one-size-fits-all security questionnaire, and there is no absolute right answer for business choices—it always depends. Help your business stakeholders recognize the implications of realistic security risks with a vendor, and help your security team understand the current state of “business as usual.” Focus on where and when you can influence changes that improve business by framing thoughtful questions. This is a topic specific/intermediate level session.Outcomes: Approach the security assessment process as a consulting engagement * Determine realistic threats and opportunities to help stakeholders visualize genuine risks * Help business prepare for responses to realistic risks
[Read More]

VA Tech’s IT security strategy is based on the ISO 27002 standard. The Center for Internet Security 20 Critical Controls provide an operational bridge between the standard and actual implementation of a security strategy. The 20 controls provide an effective defense against 75% of known attacks. VA Tech is implementing the 20 Critical Controls as its operational security strategy. This talk presents an update to this multiyear project. Sample gap analysis questionnaires, spreadsheets, and guidance documents developed during this process will be shown and made available to attendees. This is a topic specific/intermediate level session.Outcomes: Learn what the controls are and how they are effective defensive steps * Get access to existing tools to get the process started ASAP * Learn how current techniques map to the 20 Critical Controls
[Read More]

Learn what it takes to simplify risk management and tackle security’s toughest problems. The University of South Carolina will discuss using research and evidence to guide strategy; offering clear, simple solutions to tough problems; presenting top risks to leadership; and giving a program the momentum it needs. We are excited to introduce a threat-confidence model that can guide your program. You will work through practical exercises that will challenge your approach to prioritization. You will leave knowing what threats are relevant and where to focus your efforts. This is a deep dive/advanced level session. Outcomes: Use research and evidence to guide your strategy * Confidently present top risks to leadership * Give your program the momentum it needs
[Read More]

While securing computers can be difficult, securing humans presents a real challenge. Security awareness and training must be designed not only to reach your audience but to engage them and encourage them to be part of the solution. We will discuss ways of developing your security story and delivering it in a way that keeps your audience from tuning out. This is more than just making PowerPoints; this is using classic story structures independent of the delivery mechanism. This is a topic specific/intermediate level session.Outcomes: Understand how stories can pass along important information * Learn how security concepts can be turned into something relatable to the audience * Create a story that can be used in local environments
[Read More]

This talk asks the question, What’s our end game in information security? Too often information security seems to be on a treadmill, refreshing established security controls (log monitoring, firewalls, antimalware solutions) every few years, while continuously bumping into resource limitations and constraints. While recognizing that aspects of the infosec practitioner will always remain tactical, responding to the real-time challenges of our adversaries, we argue that without a long-term, strategic vision for the end state of security, we run the very real risk of underserving our institutions and communities.Outcomes: Develop new perspectives on your career that can be put into practice at your home institution * Identify career development opportunities * Understand better ways to advance your mission at your home institution
[Read More]

The world is filled with mysteries. Much like the Loch Ness Monster or Bigfoot, comprehensive, value-driven IT risk assessments can be elusive. Add the uniqueness of higher education and you have a real enigma. In this session, you will gain actionable insights into how Princeton University’s Office of Information Technology and Office of Audit and Compliance partnered to develop and execute a successful university-wide IT risk assessment that included input from more than 90 people across 29 academic and administrative departments. The effort not only yielded actionable risk data but significantly raised awareness of IT risk across the campus. This is a topic specific/intermediate level session. Outcomes: Understand the strategies used to enable a successful, sustainable, and actionable university-wide IT risk assessment * Manage and reduce risks associated with IT risk assessment * Evangelize and demonstrate the value of partnership
[Read More]

Ohio State has implemented a Security Internship program. Undergraduate students of any major are invited to apply for this program, which includes working with the university security team on a part-time basis, features ongoing mentoring and career skills, and culminates in an external internship and scholarship opportunities. Learn about this program and how you might implement a similar program at your institution. This is a general interest session.Outcomes: Learn how to implement a security internship program * Understand how to engage internal and external stakeholders * Collaborate with participants to identify potential work that interns might do as interns
[Read More]