Monthly Meeting: April 15

Meeting at Expedient again

Monthly Meeting – About Penetration Testing, and What’s Wrong with Infosec?
Where: Expedient/Tree of Life, Upper Arlington Google Maps link
When: Wednesday, April 16, 2014
Time: 8:00am – 11:30am
Member Cost: FREE
Non-Member Cost: $20

08:00 – 08:15 : Registration with light breakfast
08:15 – 09:15 : Jason Samide on: Penetration Testing
09:30 – 10:30 : Jeff Foresman on: What’s Wrong with Information Security

08:15 – 09:15 : Jason Samide on: Penetration Testing

How often should your organization conduct a penetration test, and what is in scope? I get this question quite often from customers and colleagues. There really is no one correct answer, but there are some guidelines I promote and adhere to. A penetration test, sometimes called a ‘pentest’, is a technique of assessing computer and network security by simulating real-time attacks from external and internal positions. Penetration tests are simply a snapshot of your attack vectors. It is a means of identifying your high-risk vulnerabilities and assessing the business impact should an exploit occur. A penetration test is typically done using commercial and freeware tools, followed up by a human who verifies vulnerabilities and attempts to exploit systems or gain escalated privileges. This is the primary difference between a penetration test and a vulnerability scan. In my professional opinion, anyone in the organization can run a scan by hitting the ‘enter’ button. I highly recommend that vulnerability scans be run from time to time, but they are not a substitute for a true penetration test, which does require the human element. A good pentester will understand what the vulnerability and exploit are capable of doing. A great pentester will write their own exploit to attack a system. With the threat landscape changing daily, I am not suggesting you perform a pentest daily or weekly, but it is very necessary to complete one.

9:15 – 10:15 : Jeff Foresman on: What’s Wrong with Information Security

Abstract: This presentation will review the current state of Information Security and the common problems organizations face. We will look at data breach statistics and discuss problems with securing corporate networks such as end-users, phishing and malware. The presentation will include case studies of organizations that were breached, how it happened and what could have been done to prevent it. The case studies will include real-world examples of an APT attack, a data breach, social engineering and a credit card breach. Finally, we will review steps organizations can take to address the common problems that lead to these breaches.

What Attendees Will Learn in This Session:
1. Overview of 2013 data breaches
2. Common issues faced by companies today
3. Why current security controls are not working
4. Case studies of data breaches
5. Solutions for securing company data in 2014

Presenter Bio: Jeff Foresman is a founding partner of Pondurance. Jeff manages our compliance practice that specializes in PCI, HIPAA, ISO 27000 and NIST 800-53 advisory services. He also assists clients with developing and implementing information security programs to meet regulatory compliance. Prior to starting Pondurance, Jeff worked for the PCI Security Council, Fishnet, Verizon Business and Sarcom. In addition to his consulting and management duties, Jeff is also the president of the Central Indiana ISSA Chapter. Jeff is certified as a PCI-QSA, CISSP,

Event Registration

Chapter News & Updates

Summary of Upcoming Central Ohio ISSA Events

Check the Event Calendar in the main navigation bar for details and registration.

Secret Pentesting Techniques with David Kennedy

March 17: Central Ohio ISSA is proud to have David Kennedy returning for another full day class on penetration testing techniques. Registration is full, but the waitlist still has some openings. Sign up to be notified if a slot opens up.

Monthly Meeting w/ OWASP Columbus – Application Security

March 19: In a joint meeting with the Columbus OWASP chapter, we will take a fresh look at web application security. Webapps aren’t new, so why are we seeing the same well-known vulnerabilities in so many places? Harry Regan (CISSP, CISM) will help us re-examine the root causes, and suggest some solutions. Register for your seat here.

Board Election – Nominating Committee Needed

We need three “members in good standing” to volunteer for the easiest job in the chapter: the nominating committee’s job is to provide independent verification that each nominee is also a “member in good standing” and to make sure that those nominated are willing to serve. Positions up for election this time are:

  • President
  • Secretary
  • Special Advisor
  • Education Director
  • Treasurer

We will provide all the information necessary; we just need three people who aren’t on the board today and who aren’t running for a position. You won’t find an easier way to contribute to the smooth running of our group.

Contact COISSA board president David Garcia if you are interested in helping out.

Infosec Summit

May 5-6: Plans are well underway for the annual Infosec Summit. We still have some sponsorship opportunities available – this is a great way to get your name or product out in front of local decision makers and practitioners. Register here.

CISM Training with Ed McCabe

May 7-9: On the heels of the Infosec Summit, COISSA will be hosting a three-day prep class for the CISM, led by Ed McCabe. Details will be available and registration will open soon on the Event Calendar.

Event Calendar

To help get information out sooner, we’ve started an Event Calendar – it’s a calendar view of upcoming events, linked on the main navigation of the website. You’ll find links to the registration page for every event we offer, with placeholders and preliminary information available in advance, even for events still in the planning stages.