This talk will look at how systems are secured at a practical engineering level and the science of risk. As we try to engineer secure systems, what are we trying to achieve and how can we do that? Modern threat modeling offers some practical approaches we can apply today. The limits of those approaches are important, and we'll look at how risk management seems to be treated as an axiom, some history of risk as a discipline, and how we might use that history to build better risk management processes.

About the speaker: Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He's a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. His accomplishments include:
- Helped create the CVE. Now an Emeritus member of the Advisory Board.
- Fixed Autorun for hundreds of millions of systems
- Led the design and delivery of the Microsoft SDL Threat Modeling Tool (v3)
- Created the Elevation of Privilege threat modeling game
- Co-authored The New School of Information Security
Beyond consulting and training, Shostack serves as a member of the Blackhat Review Board, an advisor to a variety of companies and academic institutions, and an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.
In this episode, Steve Bowcut's guest is Adam Shostack. In this discussion focused on Threat Modeling in Modern Software Development, Adam, a threat modeling expert, lends a unique and compelling perspective. Adam offers a glimpse into his work at Shostack & Associates and provides a high-level overview of threat modeling. Steve and Adam discuss the primary benefits of threat modeling, and listeners are provided with an insider's view of the process. Adam talks about his new book: Threats: What Every Engineer Should Learn From Star Wars, explaining why he wrote the book, its target audience, and some of the takeaways from the book. About our Guest Adam is a leading expert on threat modeling and a consultant, entrepreneur, technologist, author, and game designer. He's an Affiliate Professor at the University of Washington, a member of the BlackHat Review Board, and a Linkedin Learning Author. He currently helps many organizations improve their security via Shostack + Associates. Adam is the author of Threats: What Every Engineer Should Learn From Star Wars. Listen in to find answers to all your threat modeling questions.
Today on Too Opinionated we visit with television historian, archivist and podcast pioneer Stu Shostak! Award-winning filmmaker CJ Wallis' latest documentary STU'S SHOW, chronicling the relationship between legendary actress Lucille Ball and TV historian Stu Shostak, premieres on digital May 2, 2022 from Upstream Flix. The story of TV historian and archivist Stu Shostak, the documentary features screen legends Tony Dow (“Leave it to Beaver”), Michael Cole ("The Mod Squad"), the late Ed Asner (“Lou Grant”), Butch Patrick (“The Munsters”), Academy Award winner Margaret O'Brien, Geri Jewell and many, many more. Shostak got his start handing out tickets to Norman Lear sitcom tapings to people in Hollywood and parlayed that into doing audience warm-ups prior to tapings for shows such as “All In The Family” and “One Day At A Time”. The film also indirectly tells the story of television legend Lucille Ball who, contrary to popular belief, was an extremely kind and generous person who treated those around her like family. Ball is hired to hold Q&As at a Los Angeles based college, which provides a window of opportunity that alters the course of Stu's life. Shostak's encyclopedic knowledge of Ball's career earns his way into becoming an essential part of her small inner circle as her archivist and assistant to her husband Gary Morton. After Ball passes away, Shostak pioneers what we know now as “podcasting”, hosting internet shows interviewing celebrity cast and crew of the golden age of television. He also co-produces the widely successful LOVING LUCY conventions, which welcomed prior cast, crew and superfans from around the world to come together for a few days to celebrate their love of I Love Lucy. At one of these Loving Lucy conventions Stu meets Jeanine Kasun, a music teacher and Lucy super-fan, who noticed Shostak hosting game shows, events and trivia contests.
The two speak on the phone at length and eventually begin dating until Jeanine suffers a brain aneurysm and the two, alongside the legends of television, enter into a war with the medical industry to keep her alive. STU'S SHOW will be available on major digital platforms May 2. Want to Preorder: https://itunes.apple.com/us/movie/stus-show/id1620465541 Want to Watch: YouTube Meisterkhan Pod (Please Subscribe)
Onondaga Community College's SRC Arena will host Central New York's inaugural Maker Faire Syracuse this spring. The event will be held Saturday, April 2 from 10 a.m. to 4 p.m. The event is expected to attract more than 150 "makers" and 1,000 attendees.

A Maker Faire is a gathering of fascinating, curious people who enjoy learning and who love sharing what they can do. From engineers to artists to scientists to crafters, Maker Faire is a venue for these "makers" to show hobbies, experiments, and projects.

The Call for Makers is now open! Organizers are looking for DIYers, hobbyists, tinkerers, crafters, scientists, robotics experts, artists, cosplayers, and more. Anyone interested in participating can sign up at this link no later than March 1. Tickets for Maker Faire Syracuse are on sale. More information is available on the event ticket page. Volunteers are needed to help make the event a huge success. Information on specific roles is available at the event volunteer page.

Maker Faire Syracuse is presented by OCC and the Technology Alliance of Central New York. The Maker Faire Syracuse planning committee includes members from many local organizations and higher education institutions including Syracuse University, Le Moyne College, OCM BOCES, Central New York Library Resource Council, and several librarians and staff members from the Onondaga County Public Libraries system. The event is being co-produced by Mike Cimino of the Fayetteville Free Library and Pauline Shostack of Onondaga Community College's Coulter Library. Shostack is our guest on this edition of our podcast, "Chatting About College." Enjoy the podcast!
Adam is a leading expert on threat modeling, and a consultant, expert witness, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. While not consulting or training, Shostack serves as an advisor to a variety of companies and academic institutions. Adam joins us to talk about fast, cheap, and good threat models. We discuss how Adam defines these categories, the weight of threat modeling, questionnaires/requirements, expertise, and how to make threat modeling conversational. We hope you enjoy this conversation with...Adam Shostack.
Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
We have three very special guests today. All come from different backgrounds but share a common interest in gaming - the kind that can be used to teach you things, like how to become better at handling security incidents or winning a historical insurrection. This podcast is sponsored by the We Hack Purple Academy.

Volko Ruhnke is a renowned wargame designer and educator. He retired as a career analyst with the CIA and as an instructor for the Sherman Kent School for Intelligence Analysis, which is responsible for training people in the intelligence community. While working there he became an acclaimed designer of commercial board games - best known for the COIN Series published by GMT Games.

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

Hadas Cassorla is a security leader in the Portland area. She is the manager of security engineering and platform engineering at Simple Finance in Portland. She also does work with Hackback Gaming as an Incident Master (IM) running teams through dynamic role playing in tabletop incident response scenarios. Hadas is a recovering attorney too who took up improv after finishing law school.

Volko Ruhnke, Adam Shostack and Hadas Cassorla are interviewed by David Quisenberry and John L. Whiteman.

Links from the Show:
- Zenobia Award (Board Game Design Contest for Underrepresented Groups)
- HackBack Gaming
- Adam Shostack's Home Page
- Elevation of Privilege
- Philip Sabin - Simulating War: Studying Conflict through Simulation Games
- Jeremy Holcomb - The White Box

Follow us: Homepage, Twitter, Meetup, LinkedIn, YouTube
- Become an OWASP member
- Donate to our Support the show (https://owasp.org/supporters/)
All links and images for this episode can be found on CISO Series (https://cisoseries.com/security-is-suffering-from-devops-fomo/)

Darn it. DevOps is having this awesome successful party and we want in! We've tried inserting ourselves in the middle (DevSecOps) and we launched a pre-party (shift left), but they still don't like us.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Dayo Adetoye (@dayoadetoye), senior manager - security architecture and engineering, Mimecast.

Thanks to our sponsor, Capsule8. Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure.

On this week’s episode

Are we making the situation better or worse?
What makes a successful phish? On Sophos' blog Paul Ducklin writes about their most successful phishing emails. Ducklin noted that most of the successful phishes dealt with mundane and undramatic issues that still had a sense of importance. Looking at these examples they do seem to follow a similar pattern: something looking official that is being requested from the company, and could you click here to check it out. Is that the majority of what you're testing? If so, what exactly is the value in conducting phishing tests on employees? Can the testing have a negative effect on security or even morale?

There’s got to be a better way to handle this
What is the right approach to threat modeling? In a blog post, Chris Romeo of Security Journey opines that formal training or tools won't work. Security needs to ask questions of developers about features and then show them how a threat evolves, thus allowing them to ultimately do it themselves. Adam Shostack of Shostack and Associates advocates for formal training. He says Romeo's informal approach to threat modeling sounds attractive, but doesn't work because you're trying to scale threat modeling across developers, and if you tell one developer the information it's going to be passed down like a game of telephone where each successive person tells a distorted version of what the last person said. So what's the right approach to building threat models across a DevOps environment?

What's Worse?!
What's the worst place to find your company assets?

Close your eyes and visualize the perfect engagement
Shifting left, DevSecOps: these are the mechanisms that have been used to infuse security into the DevOps supply chain. While noble, both concepts break the philosophy and structure of DevOps, which is based on automation, speed, and delivery. But DevOps is also about delivering quality. So rather than inserting themselves, how does security participate in a way that DevOps already loves?

If you haven’t made this mistake, you’re not in security
On AskNetSec on reddit, Triffid-oil asked, "What was something that you spent effort learning and later realized that it was never going to be useful?" And let me add to that: it's something either someone told you or you believed for some reason was critical for your cybersecurity education, and you later realized it wasn't valuable at all.
SETI researcher Seth Shostak discusses the effort to find intelligent extraterrestrial life. Books - www.amazon.com/shop/jvjtaps Host - JV Johnson - www.facebook.com/jvjparanormal Patreon - www.patreon.com/johaw --- Support this podcast: https://anchor.fm/brparanormal/support
Software Engineering Radio - The Podcast for Professional Software Developers
Adam Shostack of Shostack & Associates and author of Threat Modeling: Designing for Security discussed different approaches to threat modeling, the multiple benefits it can provide, and how it can be added to an organization’s existing software proc
https://twitter.com/AlyssaM_InfoSec/status/1159877471161839617?s=19
"Looking forward to sharing my vision for ending the 60 year cycle of bad defense strategies in #infosec and my challenge to think about security in a more effective way." https://sched.co/TAqU @dianainitiative #DianaInitiative2019 #cdwsocial @CDWCorp

1961 - MIT - CTSS - https://en.wikipedia.org/wiki/Compatible_Time-Sharing_System
Egg, coconut, brick (my example of security --brbr)
Start with critical assets. Layer outward, not perimeter in.
Medieval castles: create the keep, build out from that. Active defenses.
Dover Castle - https://en.wikipedia.org/wiki/Dover_Castle#/media/File:1_dover_castle_aerial_panorama_2017.jpg
- Detection defenses - watchguards
- Mitigation defenses - moats - give time/space to respond (network segmentation)
- Active countermeasures - knights/archers/cannons

DeepFake technology
Election year. Spoke at RSA. Business threat? “Outsider trading”: “Video of Elon talking about problems - fake…” Stocks tank - short.
https://www.vice.com/en_us/article/ywyxex/deepfake-of-mark-zuckerberg-facebook-fake-video-policy
Could it be done strategically to destabilize things? Extort business leaders - fake videos used to extort.
Still difficult to create. What are the hurdles stopping it from being mainstream? Huge render farms?
https://www.youtube.com/watch?v=18LN7VQM1aw - deepfake Sharon Stone / Steve Buscemi

Threat modeling in DevSecOps
Agile env needs to be quick and fast; build it into user stories. Shostack’s method is a bit weighty. How do we implement that in such a way that makes devs want to do them?

Organizing virtual cons
https://Allthetalks.online - April 15 - 24 hour conference for charity. Talks, followed by interactive channels, community generation. Virtual Lobbycon. Comedian. CFP is open 01 April 2020. Sticker swap!
Bsides Atlanta 27-29 March https://bsidesatl.org/ - All virtual this weekend!
Infosec Oasis https://Infosecoasis.com - 18 April
https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups, including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

Adam is interviewed by David Quisenberry, Ben Pirkl and John L. Whiteman.

Support the show (https://www.owasp.org/index.php/Membership#tab=Other_ways_to_Support_OWASP)
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his [...] The post Adam Shostack — Threat modeling layer 8 and conflict modeling appeared first on Security Journey Podcasts.
Announcements:
- SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com
- Rob Cheyne, Source Boston - https://sourceconference.com/events/boston19/
- Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:
Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS
The ASVS goal “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.”

#ASVS team: Daniel Cuthbert @dcuthbert, Andrew van der Stock, Jim Manico @manicode, Mark Burnett, Josh C Grossman
- https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf
- https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx
- https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing
- https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version
- http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3 - older BrakeSec episode

ASVS page 14: “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”

Questions:
- What are the biggest differences between V3 and V4? Why was a change needed?
- https://xkcd.com/936/ - famous XKCD password comic
- David Cybuck: Appendix C: IoT. Why was this added? Are these controls in addition to all the other ASVS controls?
- How do they see section 1 (architecture) and section 14 (configuration) in the context of rapid deployment, infrastructure as code, containerization?
- You added IoT, but not ICS or SCADA? https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project
- BrakeSec IoT Top 10 discussion: http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3 and http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3
- Section 1.13 “API” seems incomplete… Will this be added later? What is needed to fill that in? (manpower, SMEs, etc?)
- 3 levels of protection… why have levels at all? Why shouldn’t everyone be at Level 3? I just don’t like the term ‘bare minimum’ (level 1) --brbr
- Cost to get to L2? L3?

Links:
- Threat modeling blog (Leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
- Adam Shostack threat modeling book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
- https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf
- https://www.youtube.com/watch?v=2C7mNr5WMjA
- https://manicode.com/ - secure coding education
- https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3

Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly. We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using. Mr. Boettcher asks how to handle it when people believe one OS is better than another, and how to do threat modeling to decide which OS should be the one to use. Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto).

RSS: http://www.brakeingsecurity.com/rss
Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

SHOW NOTES:
Ideas and suggestions here:
- Start with “What is threat modeling?” What is it, why do people do it, why do organizations do it? What happens when it’s not done effectively, or at all?
- At what point in the SDLC should threat modeling be employed? Planning? Development?
- Can threat models be modified when new features/functionality get added? Otherwise, are these just to ‘check a compliance box’?
- Data flow diagram (example) - process flow: external entities, process, multiple processes, data store, data flow, privilege boundary
- Classification of threats:
  STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security)
  DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
  PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf
  Trike - http://octotrike.org/
- https://en.wikipedia.org/wiki/Johari_window
- Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf
- Elevation of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303
- NIST CyberSecurity Framework: https://www.nist.gov/cyberframework
- Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx
- Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx
- Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx
- OWASP threat modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling
- OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon
- Emergent design: https://adam.shostack.org/blog/2017/10/emergent-design-issues/
- https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf
- Robert Hurlbut (workshop presenter at SourceCon Seattle): https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source)
- Adam’s threat modeling book: http://amzn.to/2z2cNI1 (sponsored link) / https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me=
- Is the book still applicable? New book?
- What traps do people fall into? Attacker-centered vs. asset-centered approaches
- Close with “how do I get started on threat modeling?”
- SecShoggoth’s class “Intro to RE”
- Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model
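The show notes above list the DFD element types (external entity, process, data store, data flow, privilege boundary) and STRIDE side by side without showing how the two connect. The connection is STRIDE-per-element: each element type only plausibly suffers some of the six threat categories, so you walk the diagram and ask only those questions. The script below is an added example, not code from the podcast, from Adam Shostack or from the SDL Threat Modeling Tool; the element-to-category chart is the STRIDE-per-element table from Threat Modeling: Designing for Security, while the web-app DFD, its element and boundary names, and the two consistency checks are constructed for this illustration.

```python
"""STRIDE-per-element over a small data flow diagram (DFD).

Added example; not code from the podcast, from Adam Shostack, or from the
SDL Threat Modeling Tool. The chart is the STRIDE-per-element table from
"Threat Modeling: Designing for Security"; the web-app DFD below and all
element/boundary names in it are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# STRIDE-per-element: which threat categories are worth asking about for
# each DFD element type. A data store only gets Repudiation when it holds
# logs or audit records, so that case is added in enumerate_threats().
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.FLOW: "TID",
    Kind.STORE: "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    boundary: str          # privilege/trust boundary the element lives in
    is_log: bool = False   # data stores holding audit data get 'R' too


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary


@dataclass(frozen=True)
class Threat:
    element: str
    category: str           # one STRIDE letter, see STRIDE_NAMES
    crosses_boundary: bool  # flows crossing a boundary are triaged first

    def describe(self) -> str:
        flag = " [crosses boundary]" if self.crosses_boundary else ""
        return f"{self.element}: {STRIDE_NAMES[self.category]}{flag}"


def enumerate_threats(elements, flows):
    """Apply the chart to every element and flow; returns candidate threats."""
    threats = []
    for e in elements:
        letters = STRIDE_PER_ELEMENT[e.kind]
        if e.kind is Kind.STORE and e.is_log:
            letters += "R"
        threats.extend(Threat(e.name, c, False) for c in letters)
    for f in flows:
        threats.extend(
            Threat(f.name, c, f.crosses_boundary())
            for c in STRIDE_PER_ELEMENT[Kind.FLOW]
        )
    return threats


def modeling_gaps(elements, flows):
    """Checks on the diagram itself: an element nothing talks to (forgotten
    flows) and an external entity none of whose flows cross a boundary
    (the attacker has been drawn inside the trust boundary)."""
    gaps = []
    for e in elements:
        touching = [f for f in flows if e in (f.src, f.dst)]
        if not touching:
            gaps.append(f"{e.name}: no data flows")
        elif e.kind is Kind.EXTERNAL and not any(
            f.crosses_boundary() for f in touching
        ):
            gaps.append(f"{e.name}: external entity inside a trust boundary")
    return gaps


def build_example_model():
    """Constructed DFD: browser -> web app -> cache / database / audit log."""
    browser = Element("browser", Kind.EXTERNAL, "internet")
    webapp = Element("web app", Kind.PROCESS, "dmz")
    cache = Element("session cache", Kind.STORE, "dmz")
    db = Element("customer db", Kind.STORE, "backend")
    audit = Element("audit log", Kind.STORE, "backend", is_log=True)
    elements = [browser, webapp, cache, db, audit]
    flows = [
        Flow("https request", browser, webapp),   # internet -> dmz
        Flow("session lookup", webapp, cache),    # stays inside dmz
        Flow("sql query", webapp, db),            # dmz -> backend
        Flow("log write", webapp, audit),         # dmz -> backend
    ]
    return elements, flows


if __name__ == "__main__":
    elements, flows = build_example_model()
    for t in enumerate_threats(elements, flows):
        print(t.describe())
    print("gaps:", modeling_gaps(elements, flows) or "none")
```

The output is a list of questions, not findings: each (element, category) pair still has to be answered by the people who own the component, which is the "conversational" part of threat modeling discussed in the other episodes on this page. The boundary flag is what makes the list triageable; the three flows that cross a privilege boundary are where spoofing of the caller and tampering with the data in transit matter most, while the session-lookup flow inside the DMZ is a lower priority.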
Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference
In the last year, there have been 45 security incidents compromising the personal information of 9.3 million individuals. What can we do given our current situation? How are we going to successfully secure personal information moving forward? This panel will discuss the future of personal information and its implications on privacy.

Joseph Ansanelli is CEO of Vontu, a software company focused on the insider threat. Joseph has spoken to Congress twice in the past twelve months as an advocate of privacy and consumer data standards. Mr. Ansanelli has successfully co-founded and led two other companies and has an extensive track record of developing innovative solutions into successful companies. His first venture, Trio Development's Claris Organizer, was ultimately acquired by Palm, Inc. Mr. Ansanelli holds four patents and received a B.S. in Applied Economics from the Wharton School at the University of Pennsylvania.

Rich Baich, CISSP, CISM, Chief Information Security Officer, ChoicePoint. Mr. Baich has been working in the information security business for over 10 years and has extensive experience working with government and commercial executives providing risk management and consultative counsel while developing, improving and implementing security architecture, solutions and policies. He has held security leadership positions as a Cryptologic Officer for the National Security Agency (NSA), Sr. Director Professional Services at Network Associates (now McAfee) and, after 9/11, as the Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). Rich is the author of a security executive leadership guidebook, Winning as a CISO. The book is the first of its kind to detail and provide the roadmap to transform security executives from technical and subject matter experts to comprehensive, well-rounded business executives. He holds a BS from the United States Naval Academy, an MBA / MSM from University of Maryland University College, and has been awarded the National Security Telecommunications and Information Systems Security (NSTISSI) 4011 Certification and the NSA sponsored Information Systems Security (INFOSEC) Assessment Methodology (IAM) Certification.

Adam Shostack is a privacy and security consultant and startup veteran. Adam worked at Zero-Knowledge building and running the Evil Genius group of advanced technology experts, building prototypes and doing research into future privacy technologies, including privacy enhancing networks, credentials, and electronic cash. He has published papers on security and privacy, as well as economics, copyright and trust. Shostack sits on the Advisory Board of the Common Vulnerabilities and Exposures initiative, the Technical Advisory Board of Counterpane Internet Security, Inc. and others. Adam is now an independent consultant.

Paul Proctor is a vice president in the security and risk practice of Gartner Research. His coverage includes legal and regulatory compliance, event log management, security monitoring (host/network IDS/IPS), security process maturity, risk management programs, forensics and data classification. Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attacks of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.
Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference