The 1st Annual Web Services Security Conference & Exhibition
Program
The Inn & Conference Center, University of Maryland, College Park, Maryland
May 25-26, 2006
Unatek TransGlobal IT Security Conferences
Marriott Hotel College Park: Meeting Rooms Floor Plan (figure)
General Information: All WSSC meeting sessions and activities are held inside the buildings in the conference center unless otherwise noted. Consult this program for room locations and check for last minute updates from the WSSC staff or at the conference portal.
SELF-SERVE REGISTRATION Self-serve registration is available to pre-registered and onsite attendees, and exhibitors who are pre-registered.
ONLINE REGISTRATION Online registration is available at: http://www.unatek.com/registration.htm.
STAFFED REGISTRATION DESK Registration staff will be available to assist you during the following times:
Wednesday, May 24 4:00pm – 8:00pm
Thursday, May 25 7:00am – 3:00pm
Friday, May 26 7:00am – 3:00pm
REGISTRATION POLICY All attendees, speakers and authors must register for the conference. Badges are required for admission to all technical sessions, the exhibition and social functions.
Meet in an environment that truly inspires creativity. The center's handsome Georgian buildings are home to one of Maryland's finest art collections as well as quality meeting space, advanced conference technologies, and comfortable accommodations.
LOCATION The conference location, Adelphi, Maryland is 12 miles from downtown Washington, D.C. • 35 miles from Dulles International Airport • 30 miles from Baltimore‐Washington International Airport • 20 miles from Reagan National Airport.
CONFERENCE FACILITIES
• 39,000 square feet of dedicated meeting space • 39 meeting rooms, three computer labs • 750-seat auditorium with satellite downlink • Executive meeting wing • 8,000-square-foot grand ballroom • State-of-the-art audiovisual capabilities, soundproof walls, adjustable lighting, climate control, 12-hour chairs, tackable walls • Teleconferencing • Videoconferencing.
GUEST ROOMS 237 guest rooms including 11 suites • Telephone with dataport, individual climate control, remote‐control cable TV, iron, ironing board, complimentary high speed Internet access, complimentary daily newspaper • Nonsmoking and accessible rooms.
DINING • Mt. Clare Cafe, serving breakfast and lunch buffet style • Garden Restaurant, serving breakfast, lunch, and dinner with table service • Oracle Lounge, serving beer, wine, and cocktails.
ON‐SITE SERVICES
• Dedicated conference services managers • Audiovisual technicians • Business center • Covered parking • Gift/sundry shop • Valet dry cleaning
RECREATION/GROUP ACTIVITIES Art gallery • Exercise room • Golf, tennis, racquetball and swimming on campus • Near Washington, D.C., Baltimore, and Annapolis attractions.
CONTACT ICC Sales Department 3501 University Blvd. East Adelphi, Maryland 20783 USA 301‐985‐7303 Fax: 301‐985‐7445 For more information or to make online reservations, please visit www.umucmarriott.com.
http://www.unatek.com Providing Information Technology Security Services
Intrusion Prevention Solutions
• Design – Implement – Manage ROI
IT Security Solutions
• Assess – plan – design – implement – manage
Healthcare Security Solutions
• Health Information Portability and Accountability Act (HIPAA)
Financial Services Security Solutions
• Gramm-Leach-Bliley Act (GLBA) • Sarbanes-Oxley Act (SOX)
Securing Your Connections to the World.
A commitment to detect, defend and protect IT infrastructures
For more information, please contact: Unatek, Inc. 1100 Mercantile Lane, Suite 115A, Largo, MD 20774 Tel: (301) 583-4629 Fax: (301) 772-8540 Email: [email protected]
Welcome Dear Colleague:
Welcome to the 1st annual Web Services Security Conference and Exhibition! With the city of College Park and the Washington DC Metropolitan Area offering us its unique style of hospitality and with a conference program that is unsurpassed in its coverage of Web Services Security, this premier conference promises each of us a wealth of valuable and enjoyable experiences.
The conference will commence with the opening session on Thursday, May 25, 2006. The conference highlight will be a plenary keynote presentation titled: “Web Services Depends on Interoperable Security Standards,” scheduled for Thursday at 8:30am. There are more than twenty-three keynotes and specially invited papers. Also worth noting are four industry track panel discussions, the tutorial luncheons, guest lectures, and specialized workshops.
The exhibit at the Marriott Conference Center is a “don’t miss.” Representatives from different companies will occupy booths and display their latest products and services. Another noteworthy event is the conference dinner, scheduled for Thursday evening. At this gala reception, we shall celebrate the achievements in Web Services Security and recognize institutions and the leaders in the field.
As for the conference venue, there are lots of attractions in the city of College Park and the surrounding cities of the Washington Metropolitan Area. With its unique setting as the center of the US government, there are multiple tourist attractions and the famous Baltimore Inner Harbor is just twenty-five minutes away. So, this is an experience unto itself. Whether it is the food, the Inner Harbor riverboats and cruises, Washington monument, numerous museums or the blend of southern and cosmopolitan charm of the area, you will be sure to have a memorable time.
Finally, the successful accomplishment of the conference will undoubtedly result in an achievement of fruitful business and technical progress, and at the same time contribute to the development of Web Services Security.
With best regards,
Charles M. Iheagwara, Ph.D., P.E. Conference Chair
Securing Web Services for Online Transactions Web services in contemporary information technology are increasingly fueling e-commerce, application integration, and business-to-business (B2B) e-commerce. By definition, Web services are loosely coupled IT computing services that reduce the complexities of building business applications, save costs, and enable new business models.
The opportunities presented by these services make them attractive to enterprises that engage in e-commerce transactions. But while there is a high interest to integrate Web services into the mainstream of service-oriented architectures (SOA), security concerns might be the deterrent for enterprises trying to do so or accelerate the pace. In effect, the security for any enterprise-level Web service transactions performed over the Internet becomes a paramount consideration.
Therefore, for enterprises engaged in or anticipating integrating Web services into their SOA, securing Web services is crucial for financial, legislative, trust, and privacy reasons.
The Web Services Security Conference – which is an annual event – was instituted to explore the issues pertinent to the security of enterprise-level Web service transactions. This year’s two-day conference features keynotes and presentations on the state-of-the-art of the practice by an impressive lineup of local and international security experts, along with innovative CTOs and leading technology inventors.
WSSC Dinner
The WSSC inaugural dinner (sponsored by Forum Systems, Inc.) will be held at 7:00p.m. Thursday, May 25, at the Marriott Conference Center’s Garden restaurant. There will be presentations by conference sponsors and invited speeches. CAFE, one of the finest dance bands in the Washington area, will entertain with background music during dinner, with dancing following. Tickets for this premier event are $75 (except for registered conference attendees) and may be purchased at the conference registration desk.
Sponsors
The WSSC Corporate Sponsor Program has helped to further our mission of ensuring a future of continued technological innovation. We gratefully acknowledge the contributions of the organizations listed below:
Platinum sponsors
Gold sponsor
Silver Sponsors
Exhibition 2006 . . . Exploring Web Services, Security and Risk Management
Exhibit Hours: Thursday 10am – 7pm
Friday 10am ‐ 5pm
Visit the exhibit for a refreshment break. See the newest in Web services security. Take a look at the latest products, processes and services exhibited by leading organizations from throughout the USA. Meet new business contacts and renew old acquaintances. Visit the booths in the Exhibit Hall.
Thank you to our Exhibitors:
Booth #: 101, 102, 103, 104, 105, 106, 107, 108, 109, 110
Conference at a Glance

Wednesday, May 24
• 4:00pm – 8:00pm, Registration Desk: Early Delegate Registration
• 5:00pm – 6:00pm, Auditorium: Birds-of-a-Feather Sessions
  • Intrusion Prevention & Vulnerability Management in Web Services and Applications
  • eFraud Prevention in banking and financial institutions

Thursday, May 25
• 07:00am, Registration Desk: Registration
• 08:05am: Opening & Welcome
• 08:20 – 09:20am, Auditorium: Web Services Depends on Interoperable Security Standards. Tony Nadalin; Dr. Nagaratnam, IBM
• 09:25 – 10:15am, Auditorium: True Intrusion Prevention: Protecting Against Threats From All Vectors, At All Times. Martin Roesch, SourceFire, Inc.
• 10:00am – 19:00, Exhibit Hall: Exhibits open
• 10:26am: Tea break and Networking
• 10:50 – 11:45am, Auditorium: Starting with Identity Management Systems for securing Web Services. Mamoon Yunus, Forum Systems, Inc.
• 11:45 – 12:25pm, Auditorium: Poster Session: Prince George’s County: The State of Maryland’s Economic Engine. Jack Johnson, County Executive of Prince George's County
• 12:25pm: Lunch and Networking
• 13:25 – 14:20pm, Auditorium (Intrusion Prevention track): Security Metrics Management Grows Up (Finally!). Dr. Anton Chuvakin, LogLogic; McAfee NAC Solution: Gaining back your sanity and minimizing your Risk. Andrew J. Berkuta, McAfee, Inc.
• 13:25 – 14:20pm, Room 1301 (Web Services track): Ten Web Services Security Case Studies. Mark O’Neill, Vordel; Web Services Security and BPM. Phil Larson, Appian Corporation
• 14:25 – 15:25pm, Auditorium: Panel 1 Discussions: State-of-the-Art in Intrusion Prevention: Product Maturity and Charting the Course for the Next Decade
• 14:25 – 15:25pm, Room 1301: Panel 2 Discussions: Web Services Technologies and XML Cutting-Edge Products: Maturity and Charting the Course for the Next Decade
• 15:25pm: Tea break and Networking
• 15:35 – 16:35pm, Auditorium: Trusted Computing and its Impact on Web Services. Steven Sprague, Wave Systems
• 16:30pm: Tea break and Networking
• 16:35 – 17:30pm, Exhibit Hall: Ask the Experts
• 16:35 – 17:30pm, Room 1301: Workshop sponsored by TransGlobal Business Systems
• 17:30 – 19:00, Exhibit Hall: Exhibit Hall Reception
• 19:00: Conference Dinner

Friday, May 26
• 07:00am, Registration Desk: Registration
• 08:05am: Opening & Announcements
• 08:20 – 09:15am, Auditorium: Threat Protection in a Service Oriented World. Andre Yee, NFR
• 09:25 – 10:15am, Auditorium: What are the realities of your legal risks? Melise R. Blakeslee, McDermott Will & Emery LLP
• 10:00am – 17:00, Exhibit Hall: Exhibits open
• 10:26am: Tea break and Networking
• 10:50 – 11:45am, Auditorium: eRisk and liability in Online Transactions – the impact of the Sarbanes-Oxley Act. Ralph Bazilio, TCBA
• 11:45 – 12:25pm, Auditorium (Intrusion Prevention track): Gartnerization of IDS/IPS Vendoring: Beyond the magic quadrant… What works? What Doesn’t? Charles Iheagwara, Unatek, Inc.; IDS isn't dead, your implementation of it is! Lessons learned from an enterprise deployment: how to maximize your detection capabilities and investment. Rohan Amin, Lockheed Martin; Architectures for Detecting Service Intruders and Holding Them Accountable without Sacrificing User Privacy. Prof. U. Flegel, University of Dortmund, FRG
• 12:25pm: Lunch and Networking
• 13:25 – 14:20pm, Auditorium: eFraud in Online Commerce: Impact on Business Reputation & Consumer Confidence. Kerry G. (Kwasi) Holman, Prince George's County Economic Development Corporation
• 14:25 – 15:25pm, Auditorium (Web Services track): Spyware Exploits. Donald Debolt, Computer Associates, Inc.
• 14:25 – 15:25pm, Room 1301 (Risk Management Systems track): Managing Identity Risk. Bill Dutcher, Booz Allen and Hamilton; Identity Bridging Techniques across SOA based Business Service Networks. M. Yunus and R. Mallal, Crosscheck Networks
• 14:25 – 15:25pm, Room 1309 (Risk Management & Legal Issues track): Security for Rich Media Collaboration: The Challenge of Balancing Network Security with the Need to Communicate. John Starke, TransGlobal Business Systems
• 14:25 – 15:25pm, Room 1307 (Intrusion Prevention track): Establishing A "Best Practice" Security Process: Setting the Standards From Assessment through Incident Response. O. K. Helferich, Central Michigan University
• 15:25pm: Tea break and Networking
• 15:35 – 16:35pm, Auditorium: Panel 3 Discussions: Identity Management Systems and Trust Enablement
• 15:30 – 16:30pm, Room 1301: Panel 4 Discussions: Technical and Legal Problems with Preserving Data
• 16:30pm: Tea break and Networking
• 16:35 – 17:30pm, Exhibit Hall: Ask the Experts
• 16:35 – 17:30pm, Room 1301: Workshop sponsored by Bowie State University
• 17:30 – 19:00, Exhibit Hall: Exhibit Hall Reception
• 18:00: Conference closing
Sourcefire, Inc., the world leader in intrusion prevention, is transforming the way organizations manage and minimize network security risks with its 3D Approach (Discover, Determine, Defend) to securing real networks in real-time. The company's groundbreaking network defense system unifies intrusion and vulnerability management technologies to provide customers with the most effective network security available. Founded in 2001 by the creator of Snort®, Sourcefire is headquartered in Columbia, MD and has been consistently recognized for its innovation and industry leadership by customers, media, and industry analysts alike with more than 16 awards and accolades since January 2005 alone. Most recently, the company was positioned in the Leaders Quadrant of Gartner's "Magic Quadrant for Network Intrusion Prevention System Appliances" report and the Sourcefire 3D System was named "Best Security Solution" at the 2006 SC Magazine Awards. At work in leading Fortune 1000 and government agencies, the names Sourcefire and founder Martin Roesch have grown synonymous with innovation and intelligence in network security.
US Headquarters: 9770 Patuxent Woods Drive
Columbia, MD 21046 800.917.4134
410.290.1616 | 410.290.0024 fax
For more information about Sourcefire, please visit www.sourcefire.com.
Technical Program with Abstracts Wednesday, May 24, 2006
4:00 pm 8:00 pm Registration Desk
Early Delegate Registration Pick up your badge and conference materials and avoid the Thursday morning rush.
5:00 pm 6:00 pm Auditorium
Birds-of-a-Feather Sessions Two pre-conference sessions: to be moderated by Bill Dutcher, Principal Consultant, Booz Allen and Hamilton, Omar Keith Helferich, Security Research Consultant, Department of Homeland Security and Faculty, Central Michigan University and George Kalb of Johns Hopkins Information Security Institute.
These sessions are a great chance to interact and discuss timely topics with your peers in a casual, roundtable discussion format before the conference officially begins Thursday morning.
• Intrusion Prevention & Vulnerability Management in Web Services and Applications
• eFraud Prevention in banking and financial institutions
Thursday, May 25, 2006
07:00am Registration Desk Delegate Registration and Continental Breakfast.
08:15am Opening & Welcome Auditorium Welcome to Web Services Security Conference 2006 by Anthony Williams, President of Unatek, Inc.
Chairman (08:20 – 12:20pm): Mamoon Yunus, CTO & Founder, Forum Systems
08:30am Auditorium Plenary Keynote: “Web Services Depends on Interoperable Security Standards.” Tony Nadalin; Dr. Nataraj Nagaratnam, Distinguished Engineer and Chief Security Architect, IBM; Chief Architect for Identity Management, IBM
The fundamental promise of Web services demands predictable interoperability and security. This keynote will highlight the array of emerging Web services security standards (WS-Security), including those related to token types, headers, signatures and encryption. An overview of OASIS’s in-progress security standards work will also be provided. In addition to the work of OASIS, the WS-I Basic Security Profile Working Group is tasked with producing Security Scenarios and a Basic Security Profile.
09:25am Auditorium Keynote: “True Intrusion Prevention: Protecting Against Threats From All Vectors, At All Times.” Martin Roesch, CTO & Founder, SourceFire, Inc.
First generation Intrusion Prevention Systems (IPS) have failed to solve today's threat problem: breaches are occurring at an ever increasing rate, damaging organizations' reputations and costing revenue. Standalone IPS only protect against intrusions, coming from the perimeter, during the time of the attack. Today's blended threats require blended security systems that have more remediative options. Join Martin Roesch, founder of Sourcefire and creator of Snort, as he discusses how the combination of endpoint, threat and network intelligence provides true intrusion prevention by defending networks against threats from all vectors, all the time: before, during and after an attack.
10:00am 19:00 Exhibit Hall Exhibits open with company sponsored on-the-show-floor receptions
Note on Exhibit Hall Reception: The first night for delicious hors d'oeuvres, cocktails and conversation with your peers. Review new products and security solutions from top vendors, and enter to win some fantastic prizes.
10:26am Tea Break and Networking
10:50am Auditorium Keynote: “Starting with Identity Management Systems for securing Web Services.” Mamoon Yunus, CTO & Founder, Forum Systems
Identity Management is the cornerstone of deploying secure Web Services. Application-to-Application & User-to-Application authentication and authorization are the primary steps in Web Services Threat Mitigation. Identity Management is also fundamental to Trust enablement of Web Services.
This session explores popular secure Web Services deployment scenarios through protocol-based (e.g., HTTP Basic Auth, SSL Mutual Auth) and message-based (e.g., WS-X509, SAML) identities. Practical Web Services Identity bridging, XML Threat Sensors, and Web Services Trust functions, such as WS-Signatures & WS-Encryption, are also presented as pillars of deploying comprehensive Web Services Security.
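The protocol-based versus message-based identity distinction in the abstract above, and the WS-Security token types and headers named in the Thursday plenary keynote, as an added worked example that is not part of the conference program or of any speaker's material. It implements a WS-Security UsernameToken in digest form on both the client side and the gateway side in Python. The namespace URIs and the digest formula (Base64 of SHA-1 over nonce, Created and password) come from the OASIS WSS 1.0 UsernameToken Profile; the credential store, the user name, the SOAP body and the five-minute clock-skew window are constructed for the example. The verifier refuses clear-text PasswordText tokens, stale Created timestamps and replayed nonces, which are the checks a gateway needs before trusting a message-level identity; WS-Signature and WS-Encryption are not covered here.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET  # on untrusted input a gateway should use defusedxml and a size limit
from datetime import datetime, timedelta, timezone

# Namespace URIs and the PasswordDigest type are from the OASIS WSS 1.0 specifications.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store for the example; a real gateway reads it from its identity system.
USERS = {"orders-client": "correct horse battery staple"}


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, created=None, nonce=None):
    """Client side: carry the identity in the WS-Security SOAP header, not in the transport."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    digest = password_digest(nonce, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" soap:mustUnderstand="1">'
        f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body><getOrder orderId="42"/></soap:Body></soap:Envelope>'  # constructed body
    )


class UsernameTokenVerifier:
    """Gateway side: authenticate the message-level identity before the body is dispatched."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users
        self.max_skew = max_skew
        self.seen_nonces = set()  # production: a shared cache whose TTL is at least max_skew

    def verify(self, envelope_xml, now=None):
        """Return the authenticated username, or None if the token must be rejected."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        tok = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if tok is None:
            return None
        username = tok.findtext(f"{{{WSSE_NS}}}Username", "")
        pwd_el = tok.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce", "")
        created = tok.findtext(f"{{{WSU_NS}}}Created", "")
        # Accept only the digest form; a PasswordText token would carry the secret in the clear.
        if pwd_el is None or pwd_el.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            return None
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return None
        if abs(now - created_dt) > self.max_skew:
            return None  # stale token or excessive clock skew
        if (username, nonce_b64) in self.seen_nonces:
            return None  # replay inside the freshness window
        password = self.users.get(username)
        if password is None:
            return None
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode("ascii"), (pwd_el.text or "").encode("utf-8")):
            return None
        self.seen_nonces.add((username, nonce_b64))
        return username


if __name__ == "__main__":
    gateway = UsernameTokenVerifier(USERS)
    message = build_envelope("orders-client", USERS["orders-client"])
    print("first delivery:", gateway.verify(message))   # orders-client
    print("replayed copy: ", gateway.verify(message))   # None
```

The same message passed through an HTTP Basic Auth check (the protocol-based case in the abstract) would be authenticated only on the first hop; the header above travels with the message through intermediaries, which is why the gateway, and not the transport, must enforce freshness and replay protection.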
11:45 12: 20pm Auditorium
Poster Session Topic: “Prince George’s County: The State of Maryland’s Economic Engine.” Jack Johnson, Prince George's County Executive
Prince George’s County is taking the state of Maryland, the Washington Metropolitan area and the entire region on an extraordinary economic ride. Cutting edge technology is necessary to support businesses and residents to continue the county’s tremendous economic growth. Through the use of E-government, we are able to pair local businesses with development projects such as the University of Maryland’s 130-acre research park, M Square; Konterra, a 2,200-acre mixed-use development project; or National Harbor, a $2 billion, 350-acre mixed use development project featuring Gaylord Hotel, the first luxury resort hotel and convention center in the county with 2,000 rooms and 460,000 square feet of convention space slated to open in 2008. With projects of this magnitude happening throughout the county and the amount of online information and services our government currently provides residents and businesses, this keynote will share how our government works to secure and responsibly manage our e-government initiative.
12:25pm Lunch and Networking
13:25 14:20pm Session 1: State-of-the-Art of Intrusion Prevention Auditorium Chairman: Martin Roesch, CTO & Founder, Sourcefire, Inc.
13:25 14:20pm Topic: “Security Metrics Management Grows Up (Finally!).” Dr. Anton Chuvakin, Director of Product Management, LogLogic
The presentation will cover the role of security metrics for taking control of security management. Specifically, it will define the criteria for good and bad metrics as well as explain operational and executive metrics. The audience will learn the methodology for creating and using various security metrics for assessing their security posture. The entire security metrics lifecycle will be presented in detail. In addition, it will touch upon how recent security standard developments will help organizations acquire better ways of measuring security.
13:25 14:20pm Topic: "McAfee NAC Solution: Gaining back your sanity and minimizing your Risk" Andrew J. Berkuta, Senior Security Evangelist | Strategist McAfee, Inc.
You've already seen the CxO once this year...and for them it was enough! Why don't they understand that a good day in security is one where nothing happens? Now with the advent of zero day attacks, bots, and other ferocious types of malware, the industry is calling for end point protection. What is it, and who is out there that can help me with a real flexible and scalable solution? Better yet, HOW can I go back to my CxO and ask for it THIS year?
Andrew J. Berkuta has been there. As a security director, as a "plank owner" for three startup companies, he understands that justifying another expenditure for security can be trying. He will talk about the latest trends in malicious events, the myth of ROI in security, and why a NEW paradigm is necessary to face the combative CxO, and still get what you need to secure your enterprise!
13:25 14:20 pm Session 1: Web Services Technologies and XML Cutting-Edge Products Room 1301
Chairman: Steven Sprague, CEO, Wave Systems
13:25 14:20pm Topic: “Ten Web Services Security Case Studies.” Mark O’Neill, Chief Technology Officer, Vordel
This presentation consists of ten case studies of Web Services security being deployed. Each case study includes a deployment diagram.
The goals of all the deployments are the same: to ensure that no unauthorized user or malicious XML content can access a Web Services application. However, each case study differs in terms of the products used to deploy the Web Services.
The case studies are as follows:
1) Securing a ParlayX based service delivery platform for a mobile telecoms operator
2) Two-stage XML Firewall for an insurance company
3) Protection of a .NET based Web Services deployment
4) Scanning of large (>25MB) XML files for XML Signature integrity and for Schema conformance
5) Integration with a legacy mainframe-based authorization system using SAML
6) Protection of a SAP NetWeaver Web Services deployment
7) XML Firewall deployed with a load-balancer which performs SSL termination
8) A joint deployment of Web Services security with Web Access Control, in front of BEA WebLogic
9) Protection of Apache Axis based Web Services
10) Security as part of a Services Oriented Architecture for a large manufacturing company
13:25 14:20pm Topic: “Web Services Security and BPM.” Phil Larson, Director of Product Strategy, Appian Corporation
The heavy adoption of service-oriented architecture (SOA) and Web services technology is driving demand for Business Process Management (BPM), and vice versa. However, legitimate security concerns arise when BPM is used to tie together disparate systems using Web services and make them accessible via a single application. Each web service may have its own security requirements reflecting the policies of the service provider. Moreover, the various “flavors” of Web service technology and the prevalence of poorly documented services makes implementing a holistic security paradigm more difficult.
BPM is empowering business users to be more responsible and involved in designing and managing their processes. However, most business users are unfamiliar with appropriate security measures to implement when designing application level security into the processes they are building. Conversely, BPM solutions that use Web services should carry over and enforce the same access privileges. This should be done in addition to standard organization security requirements, such as SSL encryption of network traffic, for effective authentication of users.
This session will feature Appian Corporation, the leading provider of human-centric business process management suites (BPMS) and will highlight the different security approaches organizations should look at when implementing BPM technology along with Web services. Appian’s BPM suite solution is currently in use in tandem with Web services technology at leading Government agencies and commercial organizations.
14:25pm Panel 1 Discussions Auditorium Topic: State-of-the-Art in Intrusion Prevention: Product Maturity and Charting the Course for the Next Decade Moderator: Dr. Anton Chuvakin, Director of Product Management, LogLogic Panelists include: Martin Roesch, Andre Yee, Andrew Berkuta, Ulrich Flegel, Charles Iheagwara, Rohan Amin
14:25pm Panel 2 Discussions (Parallel with Panel 1) Room 1301
Topic: Web Services Technologies and XML Cutting-Edge Products: Product Maturity and Charting the Course for the Next Decade
Moderator: Donald Debolt, Director, Computer Associates Panelists include: Steven Sprague, Rizwan Mallal, Mamoon Yunus, Mark O’Neill, Phil Larson
15:25pm Tea Break and Networking
15:55 16:30pm Auditorium Chairman: Ralph Bazilio, President, TCBA
15:55 16:30pm Keynote: “Trusted Computing and its Impact on Web Services.” Steven Sprague, CEO, Wave Systems
Wave Systems has been involved in trustworthy computing since its inception in 1989. Wave has built a variety of security silicon implementations, with support infrastructure, which have been used in trusted computing in specific applications, and in 2003 was one of the first non-founding members of the Trusted Computing Group. The Trusted Computing Group (TCG) is an industry organization formed in 2003, and currently is comprised of more than 100 companies representing security silicon manufacturers, platform OEMs, security middleware providers, and security application providers. The purpose of TCG is to develop, define, and promote open, vendor-neutral industry specifications for trusted computing. These include hardware building block and software interface specifications across multiple platforms and operating environments. Implementation of these specifications will help manage data and digital identities more securely, protecting them from external software attack and physical theft. TCG specifications can also provide capabilities that can be used for more secure remote access by the user and enable the user’s system to be used as a security token.
At the core of TCG technology is a silicon security device, known as a Trusted Platform Module (TPM), which is embedded on the main processing board of a computing platform. The initial work on integrating TPM technology has focused on the PC, and workgroups are addressing incorporating TPM technology into PDAs, cellphones, servers, and trusted peripherals.
A TPM is a public key capable device which, when embedded in an environment to form a trusted platform, can be utilized by applications and infrastructure to:
• Store keys, digital certificates, passwords and data securely in hardware
• Enhance network security
• Protect online commerce transactions
• Help protect against viruses, worms and other malicious attacks
• Protect digital identities
• Provide authentication between systems and networks
• Allow for single sign-on to systems
• Enable digital signatures for financial and other transactions
• Support regulatory compliance for Sarbanes-Oxley, HIPAA and other federal requirements
The TPM is now shipping on millions of PC platforms driven by logo compliance for Windows Vista. The advent of industry standard security will change how the enterprise implements security. Strong multi-factor authentication and strong data protection is possible on every endpoint in the network.
15:30 pm 16:30 pm Exhibit Hall
Ask the Experts. Get oneonone advice and have your questions answered by conference speakers in our "AsktheExperts" area of the Exhibit Hall.
15:40 16:40pm
Workshop sponsored by TransGlobal Business Systems Room 1301
Chairman: Mark Walcott, President, TransGlobal Business Systems
10:00 19:00 pm Exhibit Hall
Exhibits open with company sponsored on-the-show-floor receptions. Exhibit Hall Reception: The first night for delicious hors d'oeuvres, cocktails and conversation with your peers. Review new products and security solutions from top vendors, and enter to win some fantastic prizes.
19:00pm Conference Dinner (sponsored by Forum Systems) Garden Restaurant
Background classical, Jazz and contemporary music provided by CAFÉ is sponsored by TransGlobal Business Systems
Friday, May 26, 2006
07:00am Registration Desk Delegate Registration and Continental Breakfast.
Chairman: Professor Ulrich Flegel, University of Dortmund, Germany 08:20am – 11:25pm
08:15 Auditorium Keynote: “Threat Protection in a Service Oriented World.” Andre Yee, President & CEO, NFR (abstract TBA)
09:10 Auditorium Keynote: "What are the realities of your legal risks?" Melise R. Blakeslee, Partner, McDermott Will & Emery LLP
Court decisions, regulations and your company's own promises may be setting impossibly high standards for data, system and document security and management. This presentation will discuss:
• The surprising decisions from the courts
• The confusing regulatory environment
• The questions to ask about your company's obligations
• The sufficiency of technology solutions; and
• The most important steps you need to take to reduce the likelihood of legal liability.
10:10am Tea Break and Networking
10:00 17:00 Exhibits open with company sponsored on-the-show-floor receptions
10:30am Auditorium Keynote: “eRisk and liability in Online Transactions – the impact of the Sarbanes-Oxley Act.” Ralph Bazilio, President, TCBA
In today’s Internet Age, everyone must pay attention to the risks and liabilities in online transactions. For most, if not all of us, we are concerned not only as business professionals providing services to our client base but also as consumers ourselves. There are risks and liabilities to doing business online as they are with any type of business activity. There are also tremendous opportunities available to innovative businesses that understand the risks and take the appropriate measures to mitigate and reduce the risks and manage the potential for liability. The key is adequate planning and risk management.
To complicate matters even further, we have to be concerned with the relevant Federal Laws and Regulations such as the Sarbanes-Oxley Act of 2002. The Act has special significance related to e-risk and liability in online transactions. The successful business executive in today’s business environment must develop a plan to effectively manage these and other critical issues that impact our activities.
We will examine some of the most critical e-risks and liabilities in online transactions in light of the Sarbanes-Oxley Act of 2002. We will also discuss and exchange ideas on how you can develop and implement a comprehensive strategy to address these and other issues. I will offer some insight on what TCBA has done to assist our clients address these and other related issues.
11:25 12:25pm Session 1: State-of-the-art in Intrusion Prevention Auditorium Chairman: Andre Yee, President & CEO, NFR
11:25 12:25pm Topic: “Gartnerization of IDS/IPS Vendoring: Beyond the magic quadrant… What works? What Doesn’t?” Charles Iheagwara, Chief Technology Officer, Unatek, Inc.
Since the inception of the deployment of intrusion detection systems and lately intrusion prevention systems, more than 90 products have been and are being touted as the ultimate solution(s) for enterprise deployment. In the rush to sell and attract customers, vendors have taken to the highway of producing bogus claims in their sales literature. In the process, different metrics have been used to describe the performance and potency of intrusion detection and prevention products. One of the most widely quoted metrics is Gartner’s “Magic Quadrant.” The quadrant ranks vendors in four categories and produces a leader board.
This presentation discusses the “pros and cons” and the implications of Gartnerization.
11:25 – 12:25pm Topic: “IDS Isn't Dead, Your Implementation of It Is! Lessons Learned from an Enterprise Deployment: How to Maximize Your Detection Capabilities and Investment.”
Rohan Amin, Manager, Lockheed Martin

In 2003, Gartner said, "IDSs have failed to provide value relative to its costs and will be obsolete by 2005." Fast forward to 2006: their end conclusion has still not been realized; however, many of the shortcomings they noted in their controversial paper are not shortcomings of the technology but rather of the implementation. This presentation and paper will present a case study of IDS implementation from the world's largest defense contractor and review why Intrusion Detection, correctly implemented, is still a core component of enterprise security.
11:25 – 12:25pm Topic: “Architectures for Detecting Service Intruders and Holding Them Accountable without Sacrificing User Privacy.” Prof. Ulrich Flegel, University of Dortmund, Germany
For a better digital world we need services and businesses that not only protect the security objectives of the service providers, but also respect the privacy objectives of their users. We examine the requirements of intrusion detection and response in a service environment regarding accountability and anonymity. Such requirements are partially of a legal nature and partially mirror the expectations and demands of the users, and therefore determine their choice of service providers. Designing or choosing the right technology is key if we want to provide our service in, and make business with, countries that enforce restrictive privacy law, such as EU member states, as well as to get the desired share of the user community. Based on the examined requirements we develop an architectural model for secure and pseudonymous authorizations in service environments. Using the model and generic criteria we distinguish and compare distinct architectures, so that we can make sound decisions when designing new systems. Also, existing architectures of secure authorization systems can be mapped to this model, and then analyzed and compared, in order to choose the right system for our purposes.
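The accountability-versus-anonymity trade-off the abstract describes can be made concrete. The following is an added example written for this program, not Prof. Flegel's architecture or code from the talk: the service logs only a keyed pseudonym (HMAC-SHA256) in place of the user identity, an identity provider hands the service Shamir secret shares of the identity at enrollment, and every event the detection component flags as suspicious releases one share. The user stays pseudonymous to the IDS until a chosen threshold of suspicious events has been reached, at which point the identity is recoverable from the released shares. The threshold of 3, the 127-bit prime field, the sample request lines and the class and function names are all assumptions made for the illustration.

```python
"""Pseudonymous audit records with threshold-gated re-identification.

Illustrative design for this program (not the talk's own model): clear user
identities never enter the service log; re-identification needs `threshold`
suspicious events, each of which releases one Shamir share of the identity.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Prime field for Shamir sharing. Assumption: identities are under 15 bytes.
PRIME = 2**127 - 1


def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed pseudonym logged instead of the user id (HMAC-SHA256, truncated)."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def _poly(coeffs: list[int], x: int) -> int:
    """Evaluate the sharing polynomial at x using Horner's rule mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_identity(user_id: str, threshold: int, total: int) -> list[tuple[int, int]]:
    """Shamir shares of the identity: any `threshold` of them recover it."""
    secret = int.from_bytes(user_id.encode(), "big")
    if secret >= PRIME:
        raise ValueError("identity too long for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, total + 1)]


def recover_identity(shares: list[tuple[int, int]]) -> str:
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes((secret.bit_length() + 7) // 8, "big").decode()


@dataclass
class Enrollment:
    shares: list[tuple[int, int]]                    # held by the service
    released: list[tuple[int, int]] = field(default_factory=list)  # seen by the IDS


class PseudonymousAuditLog:
    """Service-side log: records carry pseudonyms only."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.records: list[tuple[str, str]] = []
        self.enrolled: dict[str, Enrollment] = {}

    def enroll(self, nym: str, shares: list[tuple[int, int]]) -> None:
        self.enrolled[nym] = Enrollment(list(shares))

    def record(self, nym: str, event: str, suspicious: bool) -> None:
        self.records.append((nym, event))
        if suspicious:  # each flagged event releases one more share
            enr = self.enrolled[nym]
            if len(enr.released) < len(enr.shares):
                enr.released.append(enr.shares[len(enr.released)])

    def reidentify(self, nym: str) -> str | None:
        """Identity only once enough suspicious events have accumulated."""
        enr = self.enrolled[nym]
        if len(enr.released) < self.threshold:
            return None
        return recover_identity(enr.released[: self.threshold])


def demo() -> tuple[str | None, str | None, bool]:
    """Constructed scenario: two alerts keep the user anonymous, a third does not."""
    key = secrets.token_bytes(32)                    # identity provider's key
    log = PseudonymousAuditLog(threshold=3)
    nym = pseudonym("alice", key)
    log.enroll(nym, split_identity("alice", threshold=3, total=5))
    log.record(nym, "GET /reports", suspicious=False)
    log.record(nym, "GET /reports?id=1' OR '1'='1", suspicious=True)
    log.record(nym, "GET /../../etc/passwd", suspicious=True)
    before = log.reidentify(nym)                     # None
    log.record(nym, "POST /admin (403)", suspicious=True)
    after = log.reidentify(nym)                      # "alice"
    log_is_pseudonymous = all("alice" not in n for n, _ in log.records)
    return before, after, log_is_pseudonymous


if __name__ == "__main__":
    print(demo())
```

The point of the split is organizational: the party that holds the HMAC key and generates shares (the identity provider) is not the party that runs detection, so neither side alone can link records to people, and the disclosure threshold is a policy knob that can be set to what local privacy law or the user agreement permits.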
12:25pm Lunch and Networking

Chairman: Professor Omar Keith Helferich, Security Research Consultant, Department of Homeland Security and Faculty, Central Michigan University

13:25 – 14:15pm Auditorium Keynote: “eFraud in Online Commerce: Impact on Business Reputation & Consumer Confidence.” Kerry G. (Kwasi) Holman, President, Prince George’s County Economic Dev. Corp.
The scope and target of Internet fraud in online commerce has seen exponential growth in recent times. This has unexpected consequences, which are not clearly discernible. By its basic nature, Internet fraud involves the use of the Internet as the target or as the means of perpetrating economic crimes of deception. Therefore, this keynote will examine the nature and extent of some of the principal types of business Internet fraud with concrete examples. The keynote will also highlight the impact on business reputation and consumer confidence.
14:15 – 15:30pm Session 2: Web Services Technologies and XML Cutting-Edge Products
Auditorium
Chairman: Phil Larson, Director of Product Strategy for Appian Corporation

14:15 – 15:30pm Topic: “Spyware Exploits.” Donald DeBolt, Director, Computer Associates, Inc.
Don DeBolt, Director of Anti-Spyware Research for CA, will provide insight into the many exploit vectors used by manufacturers of Spyware to distribute their code. Botnets, toolbar bundles, rootkits, drive-by downloads, Java ByteVerify attacks, and social engineering are all tactics used by Spyware vendors today. Don will share “in the wild” examples and provide empirical data to help quantify the threat.
14:15 – 15:30pm Session 3: Identity Management Systems
Room 1301
Chairman: Dr. Nataraj Nagaratnam, Chief Architect for Identity Management, IBM

14:15 – 15:30pm Topic: "Managing Identity Risk." Bill Dutcher, Principal Consultant, Booz Allen and Hamilton
Identity credentials, such as a passport or a driver’s license, allow us to cash checks, travel abroad, board airliners, and gain entrance to government and commercial buildings. The Department of Defense Common Access Card (CAC) and the forthcoming Personal Identity Verification (PIV) card will create government-specific identity credentials that can be used for both personal and electronic authentication to access government and military facilities, as well as government IT systems.

Any identity credential, no matter how secure it may seem, carries with it some amount of risk. It may have been issued fraudulently, it may have been altered, it may be used by an unauthorized person, or the systems it is used to access may not be protected adequately. This presentation will examine the risk elements in creating, using, and managing identity credentials, as well as what IT managers can do to reduce or mitigate those risks.
14:15 – 15:30pm Topic: “Identity Bridging Techniques across SOA-based Business Service Networks.” Mamoon Yunus and Rizwan Mallal, Advisor and CEO, Crosscheck Networks
Identity Management is a critical aspect of deploying secure SOA-based Business Services Networks. Establishing trusted Business Services Networks requires application- and user-level authentication and authorization of invoked services. In effective BSNs, service invocations should seamlessly traverse corporate boundaries. With loosely coupled and chained Web Services, building trusted Business Networks requires flexibility in Identity Management across protocols and messages. As corporate boundaries become porous to trading partner interactions, identity enforcement and identity bridging become central in ensuring Business Service Network flexibility without compromising trust-based security.
14:15 – 15:30pm Session 4: Data Theft and Risk Management, Legal Issues
Room 1309
Chairperson: Melise R. Blakeslee, Partner, McDermott Will & Emery LLP

14:15 – 15:30pm Topic: “Security for Rich Media Collaboration: The Challenge of Balancing Network Security with the Need to Communicate.” John Starke, VP, TransGlobal Business Systems
Security and network security are intended to serve customers, who need to communicate. Closing firewalls to complex traffic may keep the network safe, but it also makes it useless. Another popular alternative for secure communications is the safe proxy server. While providing some degree of security, it is expensive to scale and less flexible than peer-to-peer for personal collaboration. If security systems do not accommodate the need for complex collaboration, then the end users will find alternatives from professionals who can provide secure and complex collaboration.
14:25 – 15:25pm Session 4: Risk Management
Room 1307
Chairman: Rohan Amin, Manager, Lockheed Martin

14:25 – 15:25pm Topic: “Establishing a "Best Practice" Security Process: Setting the Standards from Assessment through Incident Response.” Omar Keith Helferich, Security Research Consultant, Department of Homeland Security and Faculty, Central Michigan University
Corporate commitment to protecting the public as well as their brand image through risk assessment, planning, and more resilient supply networks is increasing, given the recognition that the U.S. is vulnerable to a wide range of potential service disruptions from natural disasters, pandemic disease, disgruntled employees, special interest groups, and/or acts of terrorism. Michigan State University, through a Department of Homeland Security grant and in collaboration with industry, is developing a strategic-level methodology that defines a leading Brand Protection/Supply Chain Security Process. The objective of the process is to prescribe brand protection/security controls that reduce or eliminate risks of disruption to the overall supply chain. The process can serve as the cornerstone for the development of a brand protection program that identifies disruption risks that could affect business operations while prescribing cost-effective solutions to mitigate these risks and build effective resilient networks. The process standard is dynamic, capable of being adapted to changing issues, new risks, or operational circumstances and business needs. The presentation will discuss the value, the step "template" and the metrics needed to achieve such a "Leading Practice" Process for overall Supply Chain Brand Protection/Risk Management.
15:35 – 16:35pm Panel 3 Discussions
Auditorium

Topic: “Identity Management Systems and Trust Enablement.”

Moderator: Dr. Nataraj Nagaratnam, Chief Architect for Identity Management, IBM
Panelists include: Mamoon Yunus, John Starke, Bill Dutcher, Edyth Poole, Charles Kumi, Rizwan Mallal, Computer Associates
Track 3: B Practices
15:30 – 16:30pm Panel 4 Discussions (Parallel with Panel 3)
Room 1301
Topic: “Technical and Legal Problems with Preserving Data.”
Moderator: Melise R. Blakeslee, Partner, McDermott Will & Emery LLP
Panelists include: Paul Doyle, Omar Keith Helferich, Charlton Sampson.
16:30 Tea Break and Networking
15:00 – 17:00pm Room 1301 Workshop sponsored by Bowie State University
Chairman: Professor David Anyiwo
18:00pm Conference Closing
Thompson, Cobb, Bazilio & Associates, PC
1101 15th Street NW, Suite 1200, Washington, DC 20005, U.S.A.
T: 202-737-3300 F: 202-737-2684

Information Technology Assurance & Control
Thompson, Cobb, Bazilio & Associates, PC (TCBA) has been in business for more than 20 years providing excellent services to commercial entities, not-for-profit entities, and federal, state and local governments. Several years ago TCBA created an IT SWAT team called the Information Technology Assurance & Control (ITAC) Group in anticipation of the growing demand for rapid IT assessment/audit and IT staff augmentation. ITAC is a cadre of certified IT Auditors and Information Systems and Network Security specialists, well experienced with multiple systems and platforms, from mainframe systems to SQL Server, from LANs/WANs to VPNs, and from UNIX to MVS. ITAC professional certifications include CISA, MCSA, MCP, MCSE, CISM, CISSP and PMP.

Services

The ITAC group provides the following services:
• SAS 70 Type I and II audits
• Emergency Data Center assessment and staff augmentation
• FISMA compliance program development and audits
• Financial systems assurance audits
• IT Risk Assessment
• System Development Life Cycle (SDLC) reviews
• Internet security and vulnerability assessment (Penetration Testing)
• General and application controls reviews
• Operating systems security
• Logical and physical security
• Network security
• Firewall reviews
• Database security
• Change Management reviews
• Operations Center reviews
• E-commerce/EDI reviews
• Virus/Malicious Software reviews
• Help Desk/Customer Support evaluations
• System implementation evaluations
• Contract compliance reviews
We Salute
The outstanding quality of the technical program presented at this year’s conference is due to the contribution of our distinguished keynote and specially invited speakers. Their wealth of experience, dedication and commitment to the profession is a gift to all of us. We salute and thank the following whose biographies are described below.
Dr. Nataraj Nagaratnam is the Chief Architect for Identity Management at IBM, and lead architect for on demand security infrastructure and technical strategy. As a Senior Technical Staff Member in the Tivoli organization, Raj drives security architecture and design activities across IBM products and platforms, and importantly the SWG architectural direction. In his career at IBM, he has been the lead security architect for the WebSphere Platform. He leads and/or participates in various open standards activities in standards organizations including OASIS, JSP, WS-I, and GGF. He has authored and co-authored numerous journal articles, papers, books and security specifications, including the book "Enterprise Java Security" published by Addison Wesley.
Anthony Nadalin is IBM’s chief security architect. As a Distinguished Engineer, he is responsible for security infrastructure design and development across IBM, Tivoli and Lotus. He serves as the primary security liaison to Sun Microsystems’ JavaSoft Division for Java security design and development collaboration, and to Microsoft for Web Services security design and development collaboration. In his 21-year career with IBM, Anthony has held the following positions: lead security architect for VM/SP, security architect for AS/400, and security architect for OS/2. Anthony has authored and co-authored over thirty technical journal and conference articles. Anthony has published two books on Java Security and the Internet. Anthony has been on the technical committee of three major scientific journals and one conference, and has extensively reviewed work published by peers in the field. He has given several presentations and invited speeches at numerous technical security conferences.
Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion prevention and detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Prevention and Detection System ( www.snort.org) that forms the foundation for the Sourcefire 3D System.
Over the past eight years, Martin has developed various network security tools and technologies, including intrusion prevention and detection systems, honeypots, network scanners, and policy enforcement systems for organizations such as GTE Internetworking, Stanford Telecommunications, Inc., and the Department of Defense. He has applied his knowledge of network security to penetration testing and network forensics for numerous government and large corporate customers. Martin has been interviewed as an industry expert in multiple technology publications, as well as print and online news services such as MSNBC, the Wall Street Journal, CNET and ZDNet, and in numerous books. Snort has been featured in Scientific American, on A&E's Secret Places: Inside the FBI, and in several books, such as Network Intrusion Detection: An Analyst's Handbook, Intrusion Signatures and Analysis, Maximum Security, Hacking Exposed, and others. Martin is also the recipient of the 2004 InfoWorld IT Heroes Innovator Award and the 2004 "40 under 40" award from the Baltimore Business Journal.
Martin holds a B.S. in Electrical and Computer Engineering from Clarkson University.
Mamoon Yunus is an industry-honored CTO in Web Services-based technologies for enterprises and is a pioneer in Web Services Firewalls. He is the founder of Forum Systems, the leader in Web Services Security. Prior to Forum Systems, Mr. Yunus was a Global Systems Engineer for webMethods, where he developed business integration strategy and architecture plans for Global 2000 companies such as GE, Prudential, Pepsi, Siemens, and Mass Mutual. He has held various high-level executive positions at Informix (acquired by IBM) and Cambridge Technology Group. Mr. Yunus holds two graduate degrees in Engineering from MIT and a BSME from the Georgia Institute of Technology.

He has been recognized by InfoWorld as one of 4 “Up and coming CTOs to watch in 2004” and is a sought-after speaker at industry conferences such as RSA, Web Services Edge, Gartner, and Networld + Interop. He has been featured on CNBC as Terry Bradshaw’s “Pick of the Week.”
Melise R. Blakeslee is a partner in the law firm of McDermott Will & Emery LLP based in the Washington, D.C. office. As a member of the Intellectual Property, Media & Technology Department, Melise is the leader of the Firm’s Tech Transactions and e-Business Group. She is admitted to the bars of New York and Washington, D.C.

Melise’s practice is unique in that she has a transactional practice focusing on information technology and the Internet as well as an active litigation docket focusing on complex software and copyright disputes.

Melise’s practice routinely bridges a wide range of complex IT and IP arrangements, including multinational IT and BPO outsourcing, and B2B, B2C and commodity exchanges.

In addition, she counsels internet-based businesses on issues such as consumer privacy, transaction authentication, content licensing, electronic payment systems, advertising concerns and e-business-related insurance issues.

Melise has 19 years of experience protecting and licensing IP in many industry sectors, including software, advertising, art and music. She leads the Firm's large-scale Internet policing program on behalf of many famous brands.

Melise has chaired several conference panels, has been widely quoted, and has published several articles in widely distributed and respected journals, magazines and other publications.
Andre Yee is the President and Chief Executive of NFR Security. Mr. Yee's experience includes an impressive track record of leading innovative product development for public and private companies. Prior to NFR, Mr. Yee was Vice President, Research & Development for SAGA Software (Software AG Americas), where he led the development of Sagavista, an award-winning enterprise application integration product. Before SAGA Software, he was Director, Product Development with Landmark Systems, a leading systems management company. Mr. Yee is a noted author and featured conference speaker on topics related to security, distributed computing and middleware. He has authored several articles on intrusion detection and prevention. His books include Integrating Your e-Business Enterprise (SAMS, 2001) and Mastering Java (Sybex, 1996). Mr. Yee is listed as an inventor on two patents.
Ralph Bazilio is the President of Thompson, Cobb, Bazilio & Associates, PC (TCBA) and for the past 20 years has been an active participant in the business community in the Washington, D.C. metropolitan area. Through his vision and leadership, TCBA has expanded its range of services to include IT audits. These services are performed by a new unit within the firm called the Information Technology Audit and Control Group; the group is staffed by CISAs, CISSPs, PMPs and CPAs. TCBA has grown to be among the top 50 accounting firms in the nation, having 200 employees in five states and the District of Columbia, where it is headquartered.
Mr. Bazilio became a certified public accountant in 1979 and has since grown to be a leader in his profession and a mentor to those entering the field of accounting. For two years, Ralph served on the American Institute of Certified Public Accountants Council, the unit within the 350,000-member organization that sets policy and direction for the profession. He also served for six years as a member of the board of the Greater Washington Society of CPAs and was its president in 2000. In the National Association of Black Accountants, Ralph has been a leader in the movement to encourage more African Americans to become certified public accountants.
Ralph has been equally active in community services, and applies the same dedication and care in service to the community as he does in his corporate and professional activities. He serves on the board of the Cultural Academy for Excellence, a nonprofit organization in Prince George’s County, Maryland, which seeks to enhance the academic, social, and leadership skills of youth through the performing arts, and is also on the Advisory Board of the University of the District of Columbia’s School of Business. He is a member of the Gideons International, and served as the president of its Prince George’s Central Camp in 2002. He also serves as Vice Chair of the Board of First Wesleyan Church of Oxon Hill, Maryland.
John Starke is the Vice President of Technology & Applications Development, TransGlobal Business Systems, and a member of its Board of Directors. John is also the Managing Director of the Jobs Access Network, a not-for-profit consulting firm specializing in using virtual presence technologies to improve the performance of distributed workers and to spur economic development in communities. He has been CEO of two real estate finance firms, and he has been a consultant in risk management for both industry and government agencies. He also was President of the Telework Consortium, Director of Planning at the Government National Mortgage Association (Ginnie Mae), and Chairman of the Electronics Development Corporation.
Mr. Starke graduated from The George Washington University with a BS (Electrical Engineering) and MS (Operations Research). He also graduated from the Sloan School of Management at the Massachusetts Institute of Technology with an MS (Management). Mr. Starke is the author of numerous articles on mortgage lending, and the author of a book, Mortgage Lending and Investing: Understanding Risks in a Changing Market, Business One-Irwin, 1991.
Steven Sprague is president and CEO of Wave Systems Corp. Based in Lee, MA, Wave is a leader in delivering trusted computing applications and services with advanced products, infrastructure and solutions across multiple trusted platforms from a variety of vendors. Wave holds a portfolio of significant fundamental patents in security and e-commerce applications and employs some of the world's leading security systems architects and engineers.

Sprague was a vice president of Wave from 1992 to 1995. In 1995 he founded Wave Interactive Network, a specialized consumer distribution channel. In 1996, Wave acquired Wave Interactive Network and Sprague was elected president and COO of Wave Systems. In 2000 he took over responsibilities as CEO.

Sprague has a B.S. in mechanical engineering from Cornell University and resides in Lenox, MA.
Jack Johnson was sworn in as the sixth County Executive of Prince George's County on December 2, 2002. Prior to being elected County Executive, Mr. Johnson served as the County's State's Attorney for eight years.
As County Executive, Mr. Johnson launched his highly anticipated Livable Communities Initiative within three months of taking office. Mr. Johnson's keen sense of people and understanding of their needs has successfully propelled this initiative to all economic segments and geographic areas of the county. Mr. Johnson credits his formula for "having the understanding that quality schools help create first class communities and that communities clean and free of crime, are attractive places for economic opportunities."
In less than two years as the incumbent County Executive, Mr. Johnson worked closely with the council and the state to save the Prince George's County Hospital system. He negotiated the revival of the National Harbor Convention Center Complex and Luxury Hotel project and in partnership with the County Council reached an agreement with developers to construct National Harbor. Once completed, National Harbor will be the first and largest resort hotel and convention center "in Gorgeous Prince George's County," and the largest privately funded project of its kind on the East Coast.
A native of South Carolina, Mr. Johnson received a degree in Business Administration from Benedict College in Columbia, South Carolina and a Juris Doctor degree from Howard University School of Law in Washington, D.C. He has held a variety of leadership roles in civic and professional organizations. His accomplishments and dedication to the community have been recognized with many awards and honors including the NAACP's "Presidential Award and the Army's Patriot Award." Most recently, he received the National Foundation For Black Public Administrator's Leadership Award.
Kerry G. (Kwasi) Holman is currently President and CEO of the Prince George's County Economic Development Corporation and has an expansive professional background in business and economic development, banking, small business turnaround, legislative affairs, policy analysis and marketing that spans more than two decades.

Mr. Holman began his career in 1983 working for The District of Columbia Office of Business and Economic Development as Executive Director, where he developed the District’s first industrial park, with new initiatives in the development of arts facilities. From 1987 to 1991, he was with the National Bank of Washington as a Senior Vice President responsible for a $10 million portfolio. In 1992, he worked as Executive Director for the Ellington Fund and raised and managed a $1.2 million fund to support the academic and arts programs at the Duke Ellington School of the Arts. In 1993, he served as Executive Vice President for the District of Columbia Chamber of Commerce, where he directed and administered programs to heighten the visibility of the Chamber and to enhance membership. In 1999, in his role as President and CEO of the New York Avenue Development Corporation, he implemented transportation and policy improvements designed to attract businesses and residents to the New York Avenue corridor. In 2002, he worked for the National Capital Revitalization Corporation as the Director of Business Development, where he managed the Economic Development Finance Corporation. In February of 2003, he launched his own consulting company, The Holman Group, which includes a number of clients. He is currently the President and CEO of the Prince George’s County Economic Development Corporation, a non-profit organization whose mission is to develop, implement and evaluate programs and initiatives intended to foster the industrial, economic and commercial growth, expansion and revitalization of Prince George’s County.
Mr. Holman currently serves as President of his condominium association. He is a former member of the DC Zoning Commission, Leadership Washington, Secretary of Downtown DC Business Improvement District Board member, Treasurer and Secretary of the Washington Projects for the Arts.
Mr. Holman holds a Bachelor’s Degree in Government, Economics and History from Wesleyan University in Middletown, Connecticut (1971), a Juris Doctorate from Howard University School of Law in Washington, D.C. (1974) and is a graduate of the Fundraising School of Indiana University Principles of Fundraising (1988).
Dr. Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is the author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton has also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.infosecure.org and blogs at O'Reilly (http://www.oreillynet.com/pub/au/1207) and Blogspot (http://chuvakin.blogspot.com).
Dr. Charles Iheagwara, the founder and chief technology officer of Unatek, is an information technology security executive with experience that covers a broad spectrum of Enterprise Information Assurance practice at business consulting and corporate implementation levels. Prior to assuming the position of CTO, Dr. Iheagwara worked in the business consulting unit and led multiple engagements, including subcontracting with KPMG on risk management and eCommerce software security projects for the Washington Metropolitan Airports Authority, and consulting with Thompson, Cobb, Bazilio and Associates (TCBA) on different projects for numerous clients. Previous employment includes stints at Lockheed Martin, Aligned Development Strategies, Inc (ADSI), Edgar Online, Inc. and UTV Environmental. At Lockheed Martin, he was the lead consultant for the Enterprise Information Systems next-generation intrusion detection systems reengineering project; as director of IT security services at ADSI, he managed the INFOSEC program of the ten million dollar ($10,000,000.00) District of Columbia government HIPAA privacy project for the TCBA – ADSI – Bearing Point contractor group; and as a systems security administrator at Edgar Online he worked on corporate and NASDAQ Online Web services/Internet portal IT security programs.

Dr. Iheagwara has served as an adjunct professor at several universities, including Bowie State University, Bowie, Maryland, and has published more than thirty-eight (38) papers in refereed international technical and scientific journals and conference proceedings.

Dr. Iheagwara received a Ph.D. degree in computer science from the University of Glamorgan, Wales, UK, a Master of Science degree in Metallurgical Engineering from the University of Minnesota, Minneapolis, Minnesota, USA, and a Bachelor/Master of Science degree in Metallurgical Engineering from the Moscow University of Steel and Alloys Technology, Moscow, Russia. Dr. Iheagwara is a licensed professional engineer.
Mark O’Neill is the Chief Technology Officer of Vordel, Inc. In this role, Mark oversees the development of Vordel’s technical strategy and product development for the delivery of XML and SOA management and security solutions for Global 2000 companies and governments worldwide. He regularly presents at industry seminars on the security and management issues affecting Web Services and is the author of the book “Web Services Security” and co-author of “Hardening Network Security”, published by Osborne/McGraw-Hill. Mark holds a double-honors degree in Mathematics and Psychology from Trinity College Dublin and studied neural network modeling at Oxford University.
Dr. Omar Keith Helferich is a consultant and university faculty member with experience in environmental/ safety engineering, supply chain, decision support systems, incident management, and continuity planning. Keith received a Doctor of Business Administration with concentrations in operations, logistics and information management (1970) from Michigan State University. He received an MBA with concentration in Quantitative Methods, an MS in Environmental/Sanitary Engineering, and a BS in Civil Engineering from the University of Michigan.
Dr. Helferich's experience includes five years in nuclear, biological and chemical safety engineering for Atomic Energy Laboratories, nuclear weapons testing in the Pacific and United States, and nuclear power safety systems engineering. He was also a member of the “Hot Spot” team that responds to USA nuclear weapons accidents. During the past fifteen years Dr. Helferich has been a disaster logistics volunteer for the American Red Cross (ARC). His logistics leadership response experience includes fires, storms, train derailments, the Oklahoma bombing, the World Trade Center terrorist incident and Hurricane Katrina. He is an ARC disaster logistics instructor, a member of the ARC Weapons of Mass Destruction Task Force, and a member of the US ARC Critical Response Team (CRT) for Air, Transportation and Weapons of Mass Destruction disasters. He is also an advisor to the National ARC Logistics Function. Current projects involve developing an improved process for food procurement and inventory management to support national disasters and security of the national food supply chain through migration programs.
Dr. Helferich also has worked with the DOD initiative on “network centric” operational concepts based on sense and response processes to achieve effective logistics support. Presentations on supply chain security have been made for such organizations as the Society of Industry Security Professionals, major university conferences on achieving business resilience, and the largest logistics professional group, The Council of Supply Chain Management Professionals (CSCMP). Helferich also is on the advisory board and is a track chair for the Distribution Business Management educational group.
Omar K. Helferich has over 20 years of experience in supply chain consulting, including positions as a Vice President with Integrated Strategies, a partner with Cleveland Consulting Associates, and Co-Founder and Managing Director of the Dialog Systems Business Division of AT Kearney. Dr. Helferich was Director of the Supply Chain Management Outreach Program at Michigan State University from 1992 through 1999. His areas of focus are supply chain strategy, risk management, application of DSS tools to system optimization, vehicle routing, scheduling, inventory planning, layout, process reengineering, forecasting, environmental impact and business continuity planning. Current initiatives with MSU and GSC Mobile Solutions Inc. involve research under the Department of Homeland Security to enhance security for the US national food supply plus the electronics and pharmaceutical product segments.
Dr. Helferich has been a member of CSCMP, formerly the Council of Logistics Management (CLM), since graduate school at Michigan State University. He has been a frequent speaker at the CLM Conferences. He is a co-author of the 2001 White Paper for CLM, “Securing the Supply Chain”. Dr. Helferich is also co-author, with Dr. Robert L. Cook, of the chapter on Supply Chain Security in the forthcoming Handbook on Supply Chain Management. He is co-author, with Air Force Major Mary Kay Allen, PhD, of the 1992 CLM-sponsored monograph “Putting Expert Systems to Work in Logistics” and of two CLM supply chain environmental impact case studies. He has co-authored two logistics textbooks and a number of articles and proceedings. He is on the editorial staff of the Distribution Business Management Journal. Dr. Helferich has made presentations to business organizations on the topics of DSS tools, logistics strategy, environmentally responsible supply chain practices, disaster logistics and supply chain continuity planning.
Rohan Amin is the Manager of Security Intelligence and Incident Response at Lockheed Martin, one of the world’s largest defense contractors. Rohan leads the enterprise team that provides Incident Response, Intrusion Detection, Situational Awareness and Security Intelligence capabilities for the corporation. Rohan has a Bachelor’s Degree in Computer and Telecommunications Engineering and a Master’s Degree in Telecommunications and Networking from the University of Pennsylvania. Rohan is also currently a doctoral student at George Washington University in the NSA Information Assurance program.
Donald Debolt is the Director of Anti-Spyware Research at CA, one of the world’s largest IT management software providers. Don leads his team daily in identifying new forms of spyware, ensuring all samples are evaluated against common criteria. Prior to joining CA, Don led the Managed Security Operations for Counterpane Internet Security under Bruce Schneier. There he worked to protect Fortune 500 companies from daily attacks. He has been working within the IT security field for the last 10 years and now brings his well-rounded security background to the table when targeting spyware.
Andrew J. Berkuta is a Senior Security Evangelist / Strategist for McAfee, Inc., creators of best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. He consults regularly with executives and clients from a unique customer’s perspective, and speaks frequently on various security trends and techniques. Prior to joining the McAfee Security team, he was a security director in the mortgage industry, started 3 companies, managed a unique proof-of-concept lab, and built a diverse consulting background that spans more than 15 years.
Dr. Ulrich Flegel is a research associate of the Information Systems and Security chair of the University of Dortmund, Germany. He focuses on information security in general and specifically on reactive security and privacy enhancing technologies. Dr. Flegel serves the scientific community as an author of numerous publications, as a member of programme and organizing committees of national and international conferences, and as guest editor and author for scientific journals. He is the founder and chairman of the steering committee of the international conference series DIMVA on Detection of Intrusions and Malware & Vulnerability Assessment. Dr. Flegel is also a member of the steering committee of the Security chapter of the German Informatics Society (GI) and chairs the GI special interest group SIDAR (Intrusion Detection and Response).
Bill Dutcher is a member of the Booz Allen Hamilton Global Resilience team, working with Department of Defense and government customers to install and operate identity management and Internet security systems, and to solve network operations problems. His specialties are network operations and network security, DNS services, and PKI. He has worked for Xerox, supporting the first commercial Ethernet workstation systems; for SAIC and Network Solutions, consulting on DoD and commercial network operations; and for VeriSign, developing Internet access and telephony services. He is the author of two books, Managing IP Addresses and The Network Address Translation Handbook, and is the co-inventor of the WebNum wireless Internet access system.
Rizwan Mallal, a director at Crosscheck Networks, is also a founding member and the Chief Security Architect of Forum Systems, where he is responsible for all security-related aspects of Forum's technology. Rizwan currently serves on the Advisory Board of Trlokom, a leading anti-malware security company.
Previously, Rizwan was the Chief Architect at Phobos, where he was responsible for developing the industry's first embedded SSL offloader. This product triggered Phobos's acquisition by SonicWALL (NASDAQ: SNWL). Before joining Phobos, he was a member of the core engineering group at Raptor Systems, which pioneered the Firewall/VPN space in the mid 1990s. After its successful IPO in 1996, Raptor was later acquired by Axent/Symantec (NASDAQ: SYMC).
Rizwan started his career at Cambridge Technology Partners (acquired by Novell), where he was the technical lead in the client/server group. Rizwan has a BSc. in Computer Science from Albright College and an MSc. in Computer Science from the University of Vermont.
Phil Larson, Director of Product Strategy for Appian Corporation, guides the strategic vision of Appian Enterprise, the company's flagship solution. With more than 6.1 million seats deployed, Appian Enterprise is an industry-leading enterprise BPM suite and is being used in a wide range of projects within government agencies, non-government organizations, and Fortune 500 companies.
Special Thanks We express our appreciation to the conference attendees, sponsors, exhibitors, and the entire staff of SBI, Prince George’s County Economic Development Corporation, Welz & Weisel Communications and the Marriott Conference Center for their various contributions towards a successful 2006 WSSC.
We want to also thank our esteemed speakers, chairs and moderators for their pioneering role, vision and leadership of the profession.
McDermott Will & Emery is a leading international law firm with 1,000 lawyers representing a wide range of industrial, commercial and financial enterprises. Our diversified practice serves clients through numerous integrated practice and industry groups across offices in the United States and Europe. Over our 70-year history, McDermott Will & Emery has earned a reputation for outstanding service. We consider client satisfaction the ultimate measure of our success.
McDermott Will & Emery’s Intellectual Property, Media & Technology Department provides legal services relating to every aspect of intellectual property law and plays a significant role in developing and defending intellectual property rights in virtually every major industry. With 190 lawyers and patent agents, McDermott offers one of the largest concentrations of patent, trademark and copyright prosecution, licensing and litigation services worldwide.
McDermott has been ranked as one of the Top 10 IP litigation firms by IP Law & Business and as one of the leading patent firms by Intellectual Property Today. Our strategic patent prosecution program resulted in 1,282 U.S. patents for clients in 2005, and our trademark practice ranks among the top 10 percent of trademark firms in the United States. More than 130 members of our team hold scientific and/or technical degrees, and more than 95 are registered with the U.S. Patent and Trademark Office.
Washington, D.C. 600 13th Street, N.W. Washington, DC 20005-3096 U.S.A.
T: 202.756.8000 F: 202.756.8087
Since its founding in 1996, NFR Security has demonstrated a deep understanding of the intrusion management market, and has established a strong reputation for product innovation and technical superiority.
Today, NFR Security redefines the intrusion defense and management market by offering both trusted intrusion prevention and accurate intrusion detection technologies. Considered by many as best in class for network intrusion management since 1996, NFR Security's products are used by more than 500 organizations worldwide, including Fortune 100 companies, federal government agencies, and leaders in the financial, utility, healthcare, and manufacturing sectors. NFR is also the product of choice of major telecommunications companies, ISPs, OEMs, and MSPs.
Customers are served via a worldwide network of channel partners, as well as NFR Security's direct sales force.
NFR Security, Inc. World Headquarters 5 Choke Cherry Road, Suite 200, Rockville, MD 20850-4004
Voice 800.234.8419, 240.632.9000 Fax 240.632.0200
THE 2006 WORLD SUMMIT ON INTRUSION PREVENTION
Marriott Conference Center, University of Maryland, College Park, Maryland
October 30 – 31, 2006
Plan now to attend the latest in a series of outstanding international conferences on the science, technology and applications of intrusion prevention. The world’s top experts from the industry and academia will present numerous papers on the latest scientific, technological and business developments. An international exhibit of products and services will accompany the technical program.
TOPIC HIGHLIGHTS
• Intrusion prevention in wired enterprise systems
• Wireless perimeters and intrusion prevention
• Product maturity
• The challenges ahead
• Prospects and emerging trends
• Risk management
• Legal issues
Plenary keynote by The World's Most Famous Former Hacker
Kevin Mitnick is a celebrated former hacker who's "gone straight" and now devotes his considerable skills to helping corporations, organizations, and government agencies protect themselves from the kinds of attacks described in his books, the bestseller The Art of Deception (2002) and his more recent The Art of Intrusion (2005).
Sponsored by: UNATEK IT SECURITY CONFERENCES
For more information, please contact Unatek, Inc.
Attn: WSIP 1100 Mercantile Lane, Suite 115A,
Largo, MD 20774 Tel: (301) 583-4629 Fax: (301) 772-8540
Email: [email protected]
The 2007 Web Services Security Conference & Exhibition
Marriott Conference Center, University of Maryland, College Park, Maryland
April ‐ May, 2007
Plan now to attend the latest in a series of outstanding international conferences on the science, technology and applications of Web Services Security. The world’s top experts from the industry and academia will present numerous papers on the latest scientific, technological and business developments. An international exhibit of products and services will accompany the technical program.
TOPIC HIGHLIGHTS
• Securing financial online transactions
• Federated Identity Management
• Security of Service-Oriented Architecture
• TCP, XML, HTTP in a security context
• What is your stake and take on online transaction security
• Product maturity
• The challenges ahead
• Prospects and emerging trends
• Risk management
• Legal issues
• +++ More
Sponsored by: UNATEK IT SECURITY CONFERENCES
For more information, please contact Unatek, Inc.
Attn: WSIP 1100 Mercantile Lane, Suite 115A,
Largo, MD 20774 Tel: (301) 583-4629 Fax: (301) 772-8540
Email: [email protected]
Company Fact Sheet
Salt Lake City Office: 45 West 10000 South, Suite #415, Sandy, UT 84070. Tel: (801) 313-4400, Fax: (801) 313-4401
Boston Office: 95 Sawyer Road, Suite #110, Waltham, MA 02453. Tel: (781) 788-4200, Fax: (781) 788-4201
About Forum Systems, Inc. Forum Systems, Inc. is the leader in Web services security with a comprehensive suite of trust management, threat protection and information assurance solutions for the automated Web. Forum Systems' flexible hardware, software and embedded products make vibrant business communications possible by actively guarding XML data and Web services across networks and business boundaries. Forum’s products have been chosen by over 40 Fortune 1000 industry leaders and are winners of Network Computing Magazine’s Well-Connected 2004 Award and Product of the Year 2004 Award, Network Computing Magazine’s Editor’s Choice 2003 Award, Network Magazine’s Product of the Year 2003 Award and a DEMO 2004 Invitation. http://www.forumsys.com/
About Forum S3A™ Forum S3A (Seamless Security Solutions Architecture) is a life-cycle approach to protecting next-generation service-oriented architectures and data-level networks. Forum S3A relies on an adaptive approach to building trustworthy, ubiquitous and robust security-minded enterprise applications. Forum solutions include Web services risk management services, testing tools, firewalls and gateways. Availability: software, PCI card and appliances.
Forum Sentry™ Web Services Security Gateway enables trusted information sharing using XML data and Web services across disparate security domains and complex business processes. Forum Sentry allows enterprises to achieve a higher return on investment by implementing secure service-oriented architectures and event-driven applications.
Forum Presidio™ OpenPGP Security Gateway is a secure content exchange platform that allows enterprises to immediately comply with government information privacy regulations without complexity and at a lower total cost of ownership using the ubiquitous OpenPGP™ standard.
Forum XWall™ Web Services Firewall, with data-level authentication, XML intrusion prevention and interoperability enforcement, protects enterprises against XML viruses, denial-of-Web-service attacks and unauthorized data access. Forum XWall ensures applications are appropriately accessible and continuously available by enforcing policies that check data integrity and control access to exposed enterprise Web services.
Forum XRay™ Web Services Diagnostics is a quality assurance solution that tests Web services for security susceptibilities, functional accuracy and performance requirements. Forum XRay can systematically and cost-effectively detect and eliminate design-centric as well as attack-centric vulnerabilities prior to application deployment.
Forum Vulcon™ Vulnerability Containment Service is an early warning system for known and impending XML-related vulnerabilities. Forum Vulcon is an online subscription service that automatically delivers threat intelligence reports, antivirus updates, and software and policy revisions.
Facts At A Glance
Founded: May 2001, launched at DEMO February 2002
Corporate Headquarters: Salt Lake City, Utah
Funding: Privately held; $30.5 million in funding led by GMG Capital
Industry Associations: ebXML, IS Alliance, OASIS, W3C, WS-I, XBRL, XML Working Group
Forum Foundation Partners: HP, IBM, Lockheed Martin, Microsoft, nCipher, Computer Associates, Oracle, RSA, Sonic Software, Sun, Systinet, Oblix, NetContinuum and Software AG
Awards: Network Computing Editors Choice, Network Computing Well-Connected 2004 Finalist, Best of Interop Finalist, 2003 Network Magazine Product of the Year
Customers: Over 40 Fortune 1000 enterprises have adopted Forum S3A™ products, including Amazon, Motorola, Charles Schwab, Mass Mutual and Lockheed Martin
Management Team Forum’s management team brings a wide range of experience in commercial enterprise, government and financial services industries with deep technology expertise in networking, security and business integration.
TransGlobal Business Systems, Inc. 1100 Mercantile Lane, Suite 115A, Largo, MD 20774 301 583 4630 (O), 301 772 8540(F) www.transglobalbiz.com
TransGlobal Business Systems, Inc. provides integrated, end-to-end solutions that reliably deliver information and communications services while deliberately implementing security considerations throughout the enterprise architecture. We traditionally deliver best-of-breed solutions using our proprietary solutions as well as extending the solutions of the world's leading providers of Government and Enterprise IT solutions through Value Added Reseller agreements and strategic partnering. As developers and systems integrators (SI) of systems that harness and deliver strategic intelligence to first-responder end users such as Law Enforcement, Emergency Response Management, and Fire, TransGlobal applies a holistic and disciplined approach in addressing our clients’ needs. Our approach is designed to maximize client participation in describing their “as is” Business and IT Enterprise Architecture and practices, as well as describing their desired outcome. Our recommended solutions are then compared to industry best practices so as to inform sensible decisions and procurement choices towards improved efficiencies and cost savings for the client. Our recommended solutions emphasize the value of integrating systems and data, controls over data and information security, systems interoperability and system compliance. Ultimately, TransGlobal Business Systems, Inc. strives to lead in Global, Regional and Enterprise-Wide information sharing initiatives, as well as strategic intelligence capture and sharing.