H.E. Mohamed Nasser Al Ghanim
Board Member and Director General, Telecommunications Regulatory Authority

In today’s era, organizations and countries worldwide rely tremendously on the Internet. The Internet has grown greatly as a valuable attack vector that is used and abused by cyber criminals targeting their victims, and not only do they use their own computers, code and networks to initiate these targeted attacks; nowadays they have the audacity to use the systems and networks of other individuals and organizations to launch such attacks.

In order to cope with the rapid growth of the Internet and the ever-increasing vulnerabilities that appear daily, the UAE Telecommunications Regulatory Authority (TRA) has taken a proactive step by establishing the United Arab Emirates Computer Emergency Response Team (aeCERT), which has been accredited by the UAE Cabinet for Services as the National CERT in the country.

The aeCERT was established to facilitate the detection of, prevention of and response to cyber security incidents on the Internet. Its mission is to sustain a resilient ICT infrastructure in the UAE against the broader set of cyber security threats and to build a safe and secure cyber culture among the cyber users in the country. The aeCERT launched its operations in July 2008 and is currently working towards signing up its constituents. It will serve both the government and the private sectors of the UAE.

Howard A. Schmidt - CISSP (Hon.), CISM (Hon.)
(ISC)² Security Strategist and Former White House Cyber Security Advisor

The Changing Face of Information Security Threats

The face of international information security threats continues to evolve, as do the tactics used by cyber criminals and information security professionals alike. As the certifying body for more than 60,000 information security professionals worldwide, (ISC)²'s observations and those of our certified members show that application and wireless security are rapidly coming to the forefront as significant vulnerabilities. Commerce on the Internet is exploding as it enters the mainstream, while governments are more focused on protecting their borders than on protecting “cyber lines” of trade.

Whether you’re on the business or information security side of management, the key to keeping your organization secure in this increasingly complex environment is two-fold. You must first understand the risks and, second, ensure that you have in place the best people, policies/processes and technology to effectively address those risks. In this session, Howard Schmidt will review the threats organizations and governments are facing, and the things that are working and not working to combat them.

Mohd Noor Amin
Chairman of IMPACT, International Multilateral Partnership Against Cyber-Terrorism

The International Multilateral Partnership Against Cyber-Terrorism (IMPACT)

The International Multilateral Partnership Against Cyber-Terrorism (IMPACT) is the first global public-private initiative against cyber-terrorism. IMPACT is dedicated to bringing together governments, industry leaders and cyber security experts to enhance the global community's capacity to prevent, defend against and respond to cyber threats. IMPACT's permanent secretariat is headquartered in Cyberjaya, Malaysia.

The foundation of IMPACT is built on four key dynamic pillars, each focused on specific functions that are designed to fulfill the vision of this world's first international multilateral initiative against the real threat of cyber-terrorism. These four pillars are:

1. Centre for Global Response
2. Centre for Policy & International Cooperation
3. Centre for Training & Skills Development
4. Centre for Security Assurance & Research

Zeinab Karake-Shalhoub - BBA
Director of research at the Dubai International Financial Centre (DIFC), UAE

Privacy and Data Protection in the GCC

Concerns of privacy on the Internet have been increasing with the growth of the use of cyberspace by both the private and the public sectors in countries all around the world.

The Internet is making it possible for vendors to obtain information about customers which they could not obtain through conventional channels, and there is little restriction on what the vendor does with this information. As Internet use grows in popularity, these databases will play an increasingly important role in the next few years. The privacy issue has become so critical that almost all developed countries have created their own privacy protection codes.

Although there are some differences amongst these codes, all are converging towards the basic privacy framework that was developed by the United States Federal Trade Commission.

While most of the attention has been aimed at analyzing the privacy policies of US-based or Western-based pure-play or brick-and-click businesses, little attention has been aimed at analyzing the existence (or absence) and content of privacy statements of e-businesses in the GCC countries. The presentation adopts a content analysis perspective on a sample of firms in the Gulf Cooperation Council (GCC) countries, by reviewing and analyzing the privacy policies of 183 Web sites in the 6 countries of the GCC.

Lance Spitzner
Cyber Threat Researcher & Inventor of Honeynets

Hacking The Human

The presentation will focus on vulnerabilities in people, policies and processes, how threats exploit those vulnerabilities and what organizations can do to protect themselves.

Khalid Kark - Principal Analyst
Forrester Research

State of Information Security in 2008

The security organization is finally starting to get the visibility that it had been asking for, but now it doesn’t know how to deal with it. Many CISOs understand that they need to align themselves with the business and provide strategic advice, but they don’t know how. The results from Forrester’s annual security survey highlight some of these issues, challenges and priorities for CISOs across Europe and North America. The presentation will highlight the results of the Forrester survey and address:

  • The evolving role of the security organization
  • Top issues, challenges and priorities for CISOs in 2008
  • Future trends and direction

Building a Case for Security Through Metrics and Measurement

To justify the security budgets, measure security performance, and align it to business goals, organizations must define metrics and develop ways to measure these metrics regularly. These metrics should not only measure the tactical and operational elements of information security, but should also focus on strategic and risk management elements. Security managers must know how to create effective metrics, which metrics to measure and how to use metrics to gain visibility into their organization. This presentation will highlight:

  • The current state of security metrics and measurement
  • Best practices to develop a metrics program from the ground up
  • Three case studies from companies that have successfully established security metrics programs

Milen Nikolov
Information Technology consultant, Etisalat Academy Technical Trainer

Defense in Depth

Ahmad AlMulla - MBA
Chief Information Officer, Dubai Aluminum Co

GRC - Governance, Risk Management, And Compliance

Recently, there has been a lot of talk about GRC. This presentation will try to answer the following questions about GRC:

  1. What is GRC all about?
  2. Why has it surfaced recently?
  3. Is it just hype?
  4. GRC tools: can they deliver what they promise?
  5. What role does IT play in this?
  6. What approach should you take towards GRC?

In doing so, the main focus will be on introducing GRC to the audience, its importance, what organisations should do about it, and what tools are out there in the market today. It also looks at IT’s role in GRC.

Art Ehuan
Director of Forward Discovery

Cyber Threats to the Financial Industry and Fighting Back

The advent of the Internet and technology provides criminals a new approach for robbing banks of money. This method of robbing banks is very low-risk and very high-gain. A criminal can rob a bank from anywhere in the world; they no longer need physical access to the site that they are going to rob. The criminal needs only a computer and an Internet connection for his activity. The likelihood that the criminal will be identified or even arrested is extremely low. The losses to the financial sector from Internet crime are estimated in the billions of dollars (US).

In many ways, the financial sector is on its own and can and must address the cyber threats that are being directed against the industry. Strategies to be discussed include:

  • Threats to the financial sector from cyber criminals and OC
  • Collaboration between financial sector security groups
  • Cyber security awareness for financial sector customers and employees
  • Developing and implementing a Computer Emergency Response Team (CERT) and Incident Response capability
  • Internal banking controls that are critical to mitigate cyber criminal activity
  • Vulnerability assessments to identify risk to the financial sector

Raul Siles
Senior Independent Security Consultant

Bluetooth Security - To Blue, or Not to Blue: That is the Question

Walking down any city street or business office, it's obvious that the majority of the population is using Bluetooth technologies and all kinds of related devices: mobile phones, PDAs, wireless headsets, hands-free car kits, GPS receivers, computers, etc. Most of these devices are used to store and exchange private and sensitive information, including data and voice communications. Is Bluetooth secure enough for personal and corporate usage?

In this technical presentation, Raul Siles will speak about the risks of Bluetooth, and how it can expose organizations to unauthorized information disclosure threats. Raul will also demonstrate an attack against a popular Bluetooth headset where readily available hardware and software can be used to discover a device in non-discoverable mode, injecting and recording arbitrary audio between the attacker and the victim.

Jess Garcia - MS Telecom Engineering
Founder of One eSecurity

Online Fraud: How It Works and How to Fight It

Over the last few years traditional crime has shifted from the physical world to cyberspace. Online crime such as corporate espionage, bank and credit card fraud or identity theft has been causing huge financial losses to all types of organizations, especially to large corporations and companies in the financial sector. Additionally, these strategies are being used as a stepping stone to collect critical information that can be used against governments, critical infrastructure, or telecommunication networks.

In this talk Jess Garcia will uncover the latest techniques used by attackers in Online Fraud, and the most effective solutions in terms of Protection, Detection and Reaction that can be put in place to fight them.

The presentation will include live demos to illustrate how hackers steal bank credentials and why most common security measures implemented by banks are not enough.

Nicolas Fischbach
Senior Manager of European Network Security Engineering at COLT Telecom

How to build a SOC from the ground up to full day-to-day operations

More and more organizations take security seriously and have dedicated groups to architect, engineer and deploy security devices, services and processes. But quite often this same team also runs security operations, which means that there's no clear separation of duties, usually no 24x7 availability, a lack of event management and usually no time available to analyze what's going on.

At this stage there's a clear need for a security operations team, or even better, a security operations center (SOC). While it may seem easy to set up and run, people need to realize that security operations is not the same as network or system operations.

The key challenge, after establishing proper processes and procedures, is to find, educate and, most importantly, keep your key engineers in a 24x7 environment that can quickly evolve from boring security policy changes and watching screens to responding to denial of service attacks and reverse engineering malcode.

The technical infrastructure is also an important piece that needs to be defined properly: dedicated and separated networks, integration with the company's fault management system, access to the customer and user information base, security event management software, etc.

In this presentation we'll go through all the building blocks required to build a SOC: from planning it to building it, the human factor, the procedures and processes, the tools, and most importantly how we did it at COLT, a large tier 1 telco, sharing the lessons learned.

Ben Rothke - (CISSP),(CISM)
Senior Security consultant, BT Professional Services.

The Five Habits of Highly Secure Organizations

Companies that have developed world-class information security programs have all accomplished their goals via focusing on security from a framework of risk mitigation.

This session will focus on the five main habits that are consistent amongst the most secure organizations. By focusing on these habits, organizations are able to spend much less on security, all the while gaining a significant level of security.


Waheed Alkahtani - ARAMCO, KSA
CFE, MCP, CCNA, CWNA, CWSP, ACB, and ISO 27001 Auditor.

Measuring The Weakest Link

Social engineering is a collection of techniques used to manipulate people into performing actions or revealing confidential information. Currently, companies perform penetration testing of critical information systems corporate-wide.

Penetration Testing (PT) identifies system vulnerabilities, which results in subsequent hardening of a specific system, network or application. However, such periodic penetration tests are considered incomplete unless we measure and involve the human element. This paper presents social engineering (SE) as a measure that will show the effectiveness of information protection policies and processes.

This paper examines the best approach to testing the effect of social engineering and assesses the legality of conducting social engineering vulnerability assessments in Saudi Arabia.

Zane Lackey
Senior Security Consultant with iSEC Partners, Inc.

Attacking Mobile Phone Messaging

Once only used as a novelty, SMS messages are now regarded as an increasingly important communications medium. As SMS messages expand to become more and more feature rich, they represent a rapidly emerging attack surface in today's mobile phones.

This talk will discuss how these types of messages work, the attack surface they expose, and experiences from both attacking mobile devices and defending against these attacks at the carrier level.


Sanjay Bavisi - LLB (Hons), Barrister-at-Law
President & Co-Founder, EC-Council

CRITICAL INFRASTRUCTURE PROTECTION

This session unveils the “EBSM”, a.k.a. the “Equipment-Based Security Mentality”, in the corporate world, which most often falls short of preventing hackers from infiltrating those so-called secure infrastructure systems.

Hackers often prey on the mistakes made by users of a network and feed on them to break into a “defenseless defense”. In any case, once a simple breach occurs, further breaches will cascade through the network. This session will also discuss the best practices for achieving optimal security in organizations, and how to eliminate EBSM.

Ali Akl - (CISSP), (CISM)
Security Consultant & Division Manager with Oger Systems

Cyber-warfare

Warfare refers to the conduct of conflict between opponents, and usually involves escalation of aggression to full-scale armed conflicts, waged until one side accepts defeat or peace terms are agreed on.

Cyber-warfare (also known as cybernetic war, or cyberwar) is the use of computers and the Internet in conducting warfare in cyberspace.


Tareque Choudhury - Masters IS, (CISSP)
Head of BT’s Security Practice for Middle East and Africa.

Risk Resilience and Business Continuity

In a digitalised economy you can't eliminate risk, but you can become more resilient to it. Great risk resilience brings business strength and sharpens competitive edge. Business performance is set by objectives.

Without understanding of risk, performance is a gamble.

Risk and control management requires real information, properly managed and visualized. Risk mitigation is a cost to the business, so it must be proportionate, efficient and effective. The pressures for better risk management will grow; organizations must begin their transformation now to prosper.

Nalin Wijetilleke - MBA, CISA, PMP, CBCP, MBCI
President of the ISACA - UAE Chapter

Emerging Continuity Challenges - the Role of Information Governance

Chan Yeob Yeun - MIEEE, MIET, MIMA, CMath
Assistant Professor
Computer Engineering Department
Khalifa University of Science, Technology and Research

Emerging Ubiquitous Network Security

The future ubiquitous utopia will be filled with many heterogeneous terminals and upcoming new wireless technologies. Ease of use and anytime, anywhere network access must be provided for everyone in the ubiquitous society, where users will expect an enhanced set of intelligent communication services regardless of the access technologies used.

Devising emerging ubiquitous communications for true digital convergence, such as device convergence, service convergence, solution convergence and network convergence, poses the major technical security challenges that set the research directions for ubiquitous networks. Therefore, I will not only discuss the particular security challenges but also propose feasible solutions for securing such ubiquitous environments. My goal is to establish a practical ubiquitous network security scheme and future directions that might lead towards the ubiquitous utopia.

Fadi Aloul - Ph.D.
Assistant Professor
Computer Engineering
American University of Sharjah

A Study of Security Awareness in UAE

As enterprises expand their use of advanced security technology, it is becoming more difficult to conduct technical attacks. Unfortunately, little is done to secure the weakest link, i.e. the people.

This is pushing attackers to gain unauthorized access to information by exploiting people’s trust and tendency to help. Whether it is accessing a wireless network, answering a telephone, typing a password, or checking email, people must be encouraged to consider security in every decision they make and action they take.

In this talk we discuss security awareness among UAE residents. We report our findings based on several social engineering studies conducted among students at the American University of Sharjah and employees in Dubai Internet City. We also share interesting results of a recent study on wireless security awareness in the UAE. We explore several countermeasures that can be used to increase security awareness among residents and reduce social engineering attacks.

Hassib El-Assaad
Security Solutions Professional, Microsoft Gulf

Defense-in-depth with Microsoft

Today’s security market landscape is complex and fragmented, making it hard for businesses to implement a comprehensive defense-in-depth security solution that covers data, applications, operating systems, networks, the perimeter, identity, management, policies and processes.

In this session, see how Microsoft Forefront easily integrates with your organization’s IT infrastructure and can be supplemented through interoperable third-party solutions, enabling end-to-end, defense-in-depth security solutions. Simplified management, reporting, analysis, and deployment enable you to more efficiently protect your organization’s information resources and secure access to applications and servers. With highly responsive protection supported by Microsoft technical guidance, Microsoft Forefront helps you confidently meet ever-changing threats and increased business demands.

Dr. Ing. Gunnar Siebert

ISO 27001 and the Need for an Information Security Management System

  • Why is ISO 2700x a must for all organizations?
  • How to start?
  • How to implement?
  • How to manage the ISMS?
  • Policy Framework and awareness
  • Benefits and Results

First day Panel Discussion

What Are The Unique Security Challenges Facing GCC?

IT and Internet use is being adopted at a faster rate in the GCC than anywhere else in the world. With that adoption comes a variety of challenges. What are the unique security challenges we face in the GCC and what can we do about them?

The panel will discuss these issues together with input and questions from the audience. The panel discussion will be moderated by Mr. Lance Spitzner and last for 90 minutes.

Second day Panel Discussion

Making the case for your information security investment:
 How to sell security to top management?

With a world economic downturn on our doorstep, how do we justify our information security budget? Many security solution vendors publish their own research that offers claims of billions lost due to security breaches.

But aren't they just trying to push their products? Would strategic management buy these claims? At first sight, collecting information security metrics is as difficult as it gets. How do you build a business case? What about ROI: is there such a thing when it comes to security?

The panel will discuss these issues together with input and questions from the audience. The panel discussion will be moderated by Mr. Milen Nikolov and last for 90 minutes.