4TH ANNUAL CHICAGO IIA & ISACA HACKING ... Annual...14:20-15:10 You Can't Manage What You Don't...

4TH ANNUAL CHICAGO IIA & ISACA HACKING & CYBERSECURITY CONFERENCE The most valuable Information Security conference for Chicago professionals with responsibility for Corporate Risk Management and Information Security



Welcome!

Welcome to the 4th Annual Hacking Conference sponsored by the Chicago Chapter of the Institute of Internal Auditors (IIA) and the Chicago Chapter of the Information Systems Audit and Control Association (ISACA). The goal is to provide two days of real world, hands-on, applicable cybersecurity knowledge and skills that are relevant to the Risk Management/Internal Audit/IT Audit/Information Security professional.

By the end of this event, we hope you have a greater appreciation for the cybersecurity landscape and how it impacts your organization. The presentations selected represent what we feel is the best combination of board-level guidance, practitioner guidance, threat evaluation, and cutting-edge solutions and approaches to cybersecurity defense. The presentations will also cover a broad range of security topics, increasing the risk professionals’ awareness in the cybersecurity space, one of the greatest areas of risk to today’s organizations.

Thank You to Our Sponsors

The following sponsors partnered with us to make this event possible:

Platinum Level Sponsors

Gold Level Sponsors

Bag Sponsor


Mgmt Track Outline - Day 1: Wednesday Oct 25, 2017

Time | Management Track | Speaker | Room
7:00-8:15 | Registration and Continental Breakfast | | AB
8:15-8:30 | State of Conference | Corbin Del Carlo, Co-Chair of Event | ABC
8:30-9:20 | Know your Adversary: Firsthand Lessons Learned in the Fight for Cybersecurity | Patrick Hogan, Assistant to the Special Agent in Charge | ABC
9:30-10:30 | Understanding Risk Appetite for Information Security | Chris Johnson, onShore Security | ABC
10:30-11:00 | BREAK | |
11:00-12:00 | Managing Privileged Access to Systems and Data | Katie Stevens, Protiviti | AB
12:00-13:20 | LUNCH | |
13:20-14:10 | Harmonized GRC approach with Qualys Mandate Based Reporting | Mark Butler, Qualys | C
14:20-15:10 | You Can't Manage What You Don't Measure | Thomas Eck, Forsythe | AB
15:10-15:30 | BREAK | |
15:30-16:20 | The Internet of Insecure Things | Steve Wernikoff, Honigman Miller Schwartz and Cohn LLP | AB
16:30-17:15 | The “Trusted LAN” | Mark Bermingham, SnoopWall | C
17:15-19:00 | Social Hour (beer and wine provided). Please join us to spend some time with fellow colleagues and to meet with speakers | | Lounge


Tech Track Outline - Day 1: Wednesday Oct 25, 2017

Time | Tech Track | Speaker | Room
7:00-8:15 | Registration and Continental Breakfast | |
8:15-8:30 | State of Conference | Corbin Del Carlo, Co-Chair of Event | ABC
8:30-9:20 | Know your Adversary: Firsthand Lessons Learned in the Fight for Cybersecurity | Patrick Hogan, Assistant to the Special Agent in Charge | ABC
9:30-10:30 | Understanding Risk Appetite for Information Security | Chris Johnson, onShore Security | ABC
10:30-11:00 | BREAK | |
11:00-12:00 | Identity Theft Through OSINT/Social Engineering | Zee Abdelnabi | C
12:00-13:20 | LUNCH | |
13:20-14:10 | Understanding your Cybersecurity Footprint | Joe Gates, The Mako Group, LLC | AB
14:20-15:10 | Threat Intelligence and Risk, a Wild Goose Chase? | Rob Gresham, Phantom | C
15:10-15:30 | BREAK | |
15:30-16:20 | To Catch A Thief – Defensive Wins That Drive Bad Guys Crazy | Travis Kaun, Wipfli | C
16:30-17:15 | Turbo-charging Security Operations to Keep Pace with Threats | John Jolly, Syncurity | AB
17:15-19:00 | Networking Event | |


Mgmt Track Outline - Day 2: Thursday Oct 26, 2017

Time | Management Track | Speaker | Room
7:00-8:30 | Registration and Continental Breakfast | | ABC
8:30-9:50 | CISO Panel | Tina Hauri, Moderator | ABC
10:00-10:50 | 4 Critical Mobile Security Holes CISOs are Ignoring | Brian Duckering, Skycure (now part of Symantec) | ABC
10:50-11:20 | BREAK | |
11:20-12:30 | Guardians of the Strategy: How Well-Intentioned Cybersecurity Controls Backfire | Piotr Marszalik and Michelle Erickson, Crowe Horwath | AB
12:30-13:20 | LUNCH | |
13:20-14:10 | Juggling the Elephants – Making AppSec a Continuous Program | Alyssa Miller, Aspect Security | C
14:20-15:10 | New AICPA Cybersecurity Attestation Standard | Michael Podemski, E&Y | AB
15:10-15:30 | BREAK | |
15:30-16:20 | The Business of Privacy: Balancing Retail and Info Services Business Goals with PII Stewardship | Sarah Powers and Eileen Filmus, Versprite | AB
16:30-17:15 | More Vendors, More Problems. How Tech companies that rely on vendors build scalable practices | Anders Norremo, ThirdPartyTrust | AB


Tech Track Outline - Day 2: Thursday Oct 26, 2017

Time | Tech Track | Speaker | Room
7:00-8:30 | Registration and Continental Breakfast | | ABC
8:30-9:50 | CISO Panel | Tina Hauri, Moderator | ABC
10:00-10:50 | 4 Critical Mobile Security Holes CISOs are Ignoring | Brian Duckering, Skycure (now part of Symantec) | ABC
10:50-11:20 | BREAK | |
11:20-12:30 | Using Guerrilla Warfare to change the paradigm and accomplish strategic objectives | Rob Carson, Celsus | C
12:30-13:20 | LUNCH | |
13:20-14:10 | The Ticking Time Bomb - Infrastructure Vulnerabilities of the Internet of Things | Steven Russo, Eclypses | AB
14:20-15:10 | Social Engineering: Insider Threat Simulation vs. Adversarial Simulation | Stephanie Carruthers, Mindpoint Group | C
15:10-15:30 | BREAK | |
15:30-16:20 | DevSecOps: Why Aren’t You Doing it? | Brian Liceaga, Evolve Security | C
16:30-17:15 | The Rogue’s Gallery: Mobile Malware | Joseph Opacki, PhishLabs | C


Security is a Process, Not a Product.

Data Mirrors Policy

The onShore Security Process ensures that Data Mirrors Policy. Our Panoptic Cyberdefense Security Operations Center Service is a cybersecurity professional service involving high-level consulting, monitoring, data collection, analysis, security management, and reporting.

We typically serve regulated industries and enterprises with complex networks and the need for 24hr cybersecurity response. We integrate with your IT organization to increase security visibility, provide reporting for management and regulators, and inform policy.


Sessions: Day 1

Keynote: Know your Adversary: Firsthand Lessons Learned in the Fight for Cybersecurity

8:30-9:20 – ABC Room

Hackers are working day and night to infiltrate organizations’ systems. In this talk, I will highlight some of the most common attack and fraud patterns used by multinational organized criminal groups to monetize their activity. This includes lessons learned from a top tier hacker responsible for over $300 million in loss over a 10 year period. I will also discuss considerations of how organizations can better protect their information, how to develop an effective cyber incident response plan, and what to expect if you contact law enforcement.

Patrick Hogan, Assistant to the Special Agent in Charge.

Patrick Hogan is the Assistant to the Special Agent in Charge of the Secret Service’s Chicago Electronic Crimes Task Force. He manages a squad of special agents and task force officers involved in the investigation of cybercrimes occurring within the Chicago area. He has been involved in cyber investigations for the last five years while in the Chicago Field Office. Prior to being in the Chicago Field Office, he was involved in the coordination of national and transnational cybercrime investigations at the headquarters level. His Secret Service career has also given him the opportunity to protect former-Vice President Dick Cheney and to be detailed to the U.S. House of Representatives Select Committee on Homeland Security.

Keynote: Understanding Risk Appetite for Information Security

9:00-9:50 – ABC Room

Information security is always hard to measure. In the base categorization, information security failures could all result in the eventual worst case data breach scenario. The end result of someone clicking a phishing link and the latest Microsoft zero-day vulnerability is a similar impact. But if everything is high risk, effectively nothing becomes high risk because we can no longer make effective risk decisions. Our talk will address some novel ways to assess this unique risk.

Chris Johnson, onShore Security

Chris Johnson has more than a decade of experience in IT services and web development. Chris specializes in helping small to mid-size businesses make strategic IT decisions and technology implementations that improve their cyber-security posture by lowering their risk and exposure in an ever evolving threat landscape. Because of his dual comfort zones of knowing IT “bits and bytes, speeds and feeds,” as well as being able to deliver strategic counsel for how technology can protect and secure business, Chris is an invaluable resource to his clients’ businesses.


Session 1M: Managing Privileged Access to Systems and Data

11:00-12:00 – AB Room

Lack of control over privileged access to systems and data presents a significant risk to almost every organization. What is required to protect privileged accounts? Are you in control? In this talk, we will take a look at various strategies to help organizations gain better control over their privileged accounts by establishing an effective Privileged Access Management (PAM) program.

Katie Stevens, Associate Director with Protiviti

Katie has spent her 15+ years in technology solving complex business problems including Business Continuity Management and Identity & Access Management. Most recently, she’s been leading readiness reviews and creating strategies to address the EU’s General Data Protection Regulation (GDPR) at global firms across a diverse set of industries. She’s currently an Associate Director for Protiviti’s Security Practice in Chicago.

Session 1T: Identity Theft Through OSINT/Social Engineering

11:00-12:00 – C Room

This talk will demonstrate how easy identity theft has become because of OSINT and the ability to easily social engineer and grab metadata. It will cover how an attacker uses OSINT to build targeted attacks, how an attacker builds a profile using software to represent their data about you, and how an attacker uses data points to pivot from one source to another online. The target was picked at random. Not only does it cover his current activity but also his cached activity, which enables attackers to target him. The story will show how an initial search led to a complete pwnage of the individual because of a random blog that was discovered. This talk also shows how easily I was able to find his company's email format and private IP addresses, which could have allowed me to completely own his company's network because his company allowed BYOD. It will cover how you can better prepare and protect yourself.

Zee Abdelnabi

A dedicated security analyst with comprehensive data and telecommunications experience, Zee Abdelnabi is experienced in SIEM, vulnerability management, security testing and compliance, with expertise in data network security analysis and wireless security. Abdelnabi is technically savvy and adept at solving networking, electronics and computer technology problems. She is effective at training technical and non-technical personnel.


Session 2M: Harmonized GRC approach with Qualys Mandate Based Reporting

13:20-14:10 – C Room

Heightened compliance and security requirements require that organizations comply with multiple regulations while managing a security baseline. Top-down GRC provides structure, but little evidence data, while Bottom-Up approaches miss links to the bigger GRC picture. In this talk Qualys will discuss the ‘harmonized approach’, a uniform way customers address many compliance and risk requirements.

Mark Butler, Qualys’ chief information security officer. A former CISO at Fiserv, Mark advocates the needs of CISOs throughout Qualys’ global customer base and serves as a resource for achieving business-aligned information security leadership. With over 24 years of experience leading enterprise security teams, delivering security consulting services and supporting security products, Mark has built and developed effective information security functions, establishing the right blend of technical, administrative and physical controls while providing stakeholders such as executive management, IT leadership and legal counsel with visibility into real business threats and opportunities.

Session 2T: Understanding your Cybersecurity Footprint

13:20-14:10 – AB Room

Every organization has an online presence for business purposes, but managing that information effectively is the difference between a tool and controlling a threat. Information is sitting at the fingertips of any individual wishing to aggregate and leverage the data into attack vectors. This information is often used by advanced persistent threats (APTs) and malicious entities to profile a company and develop an attack strategy. Because the information is obtained using passive information gathering methods and techniques, an organization may be completely unaware of an impending attack. Reconnaissance is the first phase of any network based attack. Time constraints, however, often limit an attacker’s reconnaissance to some basic discovery and port scans to determine what services are running on a host. Thus, a full footprint analysis is often the approach of choice. Using the OSINT Framework, The Mako Group, posing as an attacker, scours the Internet to obtain any available information about the organization to create a thorough understanding of its exposure. Using a single piece of information, the organization’s domain name, The Mako Group will piece together data from sources across the Internet. Information is passively obtained from these Internet sources to assimilate a plan of attack on the target.

Joe Gates, The Mako Group, LLC

Joe is the Senior Security and Controls Advisor for the Mako Group, LLC. In his 12 years, Joe has worked on both the implementation and monitoring of controls. As such he has a unique perspective on how fraud issues come to fruition.


Session 3M: You Can't Manage What You Don't Measure

14:20-15:10 – AB Room

In the book The Four Disciplines of Execution, the authors offer a simple methodology that helps leaders drive their teams toward a common goal. Recently, Forsythe helped a Fortune 250 company implement these principles to define a new approach to the Information Security team's scorecard, and the results have been remarkable. In this talk, we'll discuss how an internal audit finding, an EVP's book recommendation, a mountain of Qualys data, and the CIS Consensus Metrics all came together to create a force for change within our case study organization. You'll leave with a set of actionable Information Security metrics and a plan you can implement in your own organization to help drive your Information Security program to higher levels of effectiveness.

Thomas Eck, Forsythe

Thomas is an IT management consultant, information security/risk management expert and Practice Manager for Forsythe’s Security Solutions practice. He has over 20 years of experience leading global teams and strategic transformation initiatives within large enterprise environments, and has a unique background that balances deep technical expertise across multiple domains of information security and Windows technologies with program/project management and IT service management to help Forsythe’s clients truly realize the business value of their IT investments. Thomas graduated as a Fuqua Scholar in the 2013 Global Executive MBA Program at Duke University’s Fuqua School of Business, and is also the author of many articles and books, including his bestselling title, ADSI Scripting for System Administration by New Riders/Macmillan Technical Press.

Session 3T: Threat Intelligence and Risk, a Wild Goose Chase?

14:20-15:10 – C Room

Hashes, IPs, domains, oh my, what am I to do with all this data? Analyze it. For threat intelligence to provide the proper context, you need to understand your audience and the requirements for intelligence consumption. Open source intelligence provides a capability for collecting intelligence data, but without analysis and requirements, collection efforts could produce a wild goose chase and provide little value. Threat intelligence is changing the risk assessment and evaluation processes; is it for the better? Automating your collection efforts and streamlining just-in-time intelligence collection provides actionable, repeatable results to mitigate the most severe risks. Rob Gresham, Solutions Architect with Phantom Cyber, will cut to the chase to answer relevant questions such as:

• Do I have data in the dark web and is it being sold?
• What are my greatest risks and are they exploitable?
• Has that exploit been used?

Rob will discuss the contextual threat intelligence process and share tips and tools that will help you make threat intelligence actionable beyond just the bits and bytes.


Rob Gresham, Security Solutions Architect at Phantom, the leader in Security Automation & Orchestration

Rob has over 15 years of experience providing security operations, information security architecture and incident response services to government agencies and commercial businesses. Rob has extensive experience executing and instructing on cyber threat intelligence and incident response, particularly in crisis management scenarios. He has successfully built security response teams that provide incident response, threat intelligence and protection for key resources or critical infrastructure. Companies that he has worked with and for include Intel, McAfee, EMC/DELL, McKesson, Cargill, Land O’Lakes, Berkshire Health, Newmont Mining, SCANA Energy, Desjardins Group, New York City DoITT, MTA and Health and Hospitals, various Federal and State agencies and Department of Defense agencies.

Throughout his career, he has demonstrated strengths in developing and leading teams to meet business challenges, maximizing productivity, motivating teams to exceed expectations, and achieving customer satisfaction.
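The abstract above asks what to do with raw hashes, IPs and domains, and whether threat intelligence changes risk evaluation for the better. The following is an added example, not code from Phantom, the speaker or the conference program: it takes a constructed set of vulnerability-scanner findings and a constructed intelligence feed and re-ranks the findings so that a weakness with a public exploit, or one already seen used in the wild, outranks a higher-scored weakness with no known exploitation. The weakness identifiers (placeholders, not real CVE numbers), host names, feed names and the multipliers are all assumptions for illustration; the dark-web question from the bullets is out of scope here.

```python
"""Re-rank scanner findings with threat-intelligence context.

Added example; not code from Phantom or from the conference program.
Findings and the intelligence feed are constructed inline (weakness
identifiers are placeholders, not real CVE numbers) so it runs offline.
The multipliers are illustrative assumptions, not a published standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    weakness: str   # placeholder identifier for the vulnerability
    cvss: float     # severity exactly as the scanner reports it
    exposed: bool   # reachable from the internet


@dataclass(frozen=True)
class Intel:
    exploit_public: bool = False     # answers "is it exploitable?"
    exploited_in_wild: bool = False  # answers "has that exploit been used?"
    source: str = ""                 # which requirement/feed produced it


# Constructed scanner output (placeholder hosts and weakness IDs)
FINDINGS = [
    Finding("web-01", "W-1001", 9.8, exposed=True),
    Finding("db-02", "W-1002", 7.5, exposed=False),
    Finding("vpn-03", "W-1003", 8.1, exposed=True),
    Finding("hr-04", "W-1004", 5.3, exposed=False),
]

# Constructed intelligence keyed by weakness; anything absent has no context yet
INTEL = {
    "W-1002": Intel(exploit_public=True, exploited_in_wild=True, source="isac-feed"),
    "W-1003": Intel(exploit_public=True, source="exploit-tracker"),
}


def context_score(finding, intel):
    """CVSS weighted by what the intelligence says about real-world exploitation.

    Observed exploitation outweighs a merely public exploit, and internet
    exposure raises both. Weights are assumptions chosen for illustration.
    """
    ctx = intel.get(finding.weakness, Intel())
    score = finding.cvss
    if ctx.exploited_in_wild:
        score *= 2.5
    elif ctx.exploit_public:
        score *= 1.5
    if finding.exposed:
        score *= 1.25
    return round(score, 2)


def explain(finding, intel):
    """Human-readable reason a finding landed where it did in the ranking."""
    ctx = intel.get(finding.weakness)
    if ctx is None:
        return "no intelligence collected; ranked on scanner severity only"
    parts = []
    if ctx.exploited_in_wild:
        parts.append("exploited in the wild")
    elif ctx.exploit_public:
        parts.append("public exploit available")
    parts.append(f"source: {ctx.source}")
    return "; ".join(parts)


def rank_by_cvss(findings):
    """The severity-only ordering most scanners hand you by default."""
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_with_intel(findings, intel):
    """Ordering after context is applied: (host, score, reason) tuples."""
    scored = sorted(((context_score(f, intel), f) for f in findings),
                    key=lambda pair: pair[0], reverse=True)
    return [(f.host, score, explain(f, intel)) for score, f in scored]


if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss(FINDINGS))
    for host, score, reason in rank_with_intel(FINDINGS, INTEL):
        print(f"{host:8} {score:6.2f}  {reason}")
```

With severity alone the 9.8 on web-01 tops the list; with context, the 7.5 on db-02 moves to the top because its weakness is already being exploited. The feed entries that matched nothing in the environment are simply never consulted, which is the "requirements first, then collection" point the abstract makes.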

Session 4M: The Internet of Insecure Things

15:30-16:20 – AB Room

Consumer-oriented connected devices are flooding the market, and many of the devices lack basic security protections. The issue has serious consequences for device manufacturers, consumers, and the connected infrastructure. Both the Federal Trade Commission and private attorneys have sued device manufacturers for failing to build reasonable security into their products. In addition, networks of compromised consumer devices have DDoS’d significant Internet services. This presentation looks at common security issues appearing in connected devices and considers policy and education initiatives aimed at helping improve the issue.

Steve Wernikoff, Honigman Miller Schwartz and Cohn LLP

During his long tenure at the FTC, Wernikoff was lead litigation counsel in numerous civil prosecutions involving a wide range of e-commerce and emerging technology issues, including internet and mobile advertising, credit card and other financial fraud, data privacy and security, spam and telemarketing. As Enforcement Director in the Office of Technology Research and Investigation, Wernikoff coordinated investigations and civil prosecutions involving mobile and emerging technologies throughout all divisions and regional offices within the FTC’s Bureau of Consumer Protection.

Wernikoff served as an adjunct faculty member at Northwestern University School of Law and John Marshall Law School, where he taught courses involving internet fraud, online advertising and privacy issues. Prior to working at the FTC, he held two federal clerkships in the Northern District of Illinois, and was a litigator at Jenner & Block in Chicago. He earned a J.D. from Northwestern University School of Law and a B.A. in Journalism from Pennsylvania State University.


Session 4T: To Catch a Thief- Defensive Wins That Drive Bad Guys Crazy

15:30-16:20 – C Room

Receiving penetration test results can be brutal. You've patched your systems; AV is up to date; but the tester took it all. "How did this happen; how could we prevent it?" This talk will look at effective defensive ‘wins’ which will have bad guys (and pentesters) spinning in their tracks. No next-gen blinky-blinky flashy-flashy devices are needed. Through experience of a seasoned penetration tester, we'll take a detailed look at what organizations have done to create environments difficult to crack.

Travis Kaun, Lead Cybersecurity Consultant, Wipfli LLP

Travis leverages more than 10 years of IT experience to provide top-notch services to ensure clients’ technology information systems remain secure. With 100-percent dedication to IT services, Travis focuses on performing penetration tests, social engineering campaigns, Web security assessments, and vulnerability assessments, in addition to working closely with his team on refining methodologies. He also leads a regional security group that meets on a regular basis.

Travis’ specializations include: Penetration testing, Social engineering, Web application assessments, Vulnerability assessments, Defensive controls audits, and Incident response.

Session 5M: The “Trusted LAN”

16:30-17:15 – C Room

In the face of today’s hyper-aggressive cyber-security landscape it’s critical that organizations think differently. Too often organizations continue to invest in areas that are becoming less effective as malware actors have faced the typical formula of security infrastructure for years. Clearly firewalls, AV and the like are not sufficient to address all of an organization’s security vulnerabilities. The “Trusted LAN” is too often overlooked as a critical area to secure. Given the proliferation of new devices and device types that have joined networks over the last five years, including virtual endpoints, BYOD devices and IoT assets, IT’s ability to identify and control this infrastructure has been significantly diminished. Clearly there is a compelling need to restore the “Trusted LAN”.

Mark Bermingham, SnoopWall

Mark leads the channels growth for SnoopWall. Mark has more than 20 years of experience developing sales, marketing and business growth strategies having served in senior sales, marketing and product management roles at numerous high-tech firms. Mark is well seasoned at building out product, marketing and channels in an accelerated fashion for SnoopWall’s potential Public Markets future (as predicted by Owler). He oversees all aspects of SnoopWall’s global marketing efforts, including global channel and partner expansion programs, marketing, and strategic growth initiatives bringing a wealth of experience in go-to-market and marketing strategy, product marketing and positioning, public relations and analyst relations. Mark evangelizes security to link market opportunity with developmental priorities to meet today’s accelerating security challenges. He most recently held a global senior marketing leadership role with Kaspersky Lab’s global marketing organization. Mark is a graduate of UCLA’s Anderson School.

Session 5T: Turbo-charging Security Operations to Keep Pace with Threats

16:30-17:15 – AB Room

It’s become a cliché: today’s threat landscape moves at light speed, while typical IT security defenses can’t keep pace. It’s not that enterprises and agencies don’t have the latest and greatest widgets for threat prevention and detection, it’s the fact their security operations processes are too manual and slow to properly detect and respond. Organizations must move beyond SIEMs and manual processes for investigation and response. They must properly organize the people and processes, and accelerate them with automation and orchestration.

Specifically, first-line analysts should be split based on skills/experience into teams that triage the raw incoming alerts from SIEM, ticketing systems, extraneous point tools and emails. Using automation to verify the severity and scope of an alert, these alerts can be verified as either a false positive, or can be escalated to incidents, using a simple checklist presented in software. The checklist captures all the steps as they’re executed, and the information gathered, so that the more experienced analysts can investigate further and run the appropriate Incident Response playbook. These playbooks can’t be binders, spreadsheets, or a SharePoint site. They must be workflows instantiated in software, which are followed to ensure adherence to protocol for audit and compliance reporting purposes.

All of this captured activity and data provides the basis for rich scheduled and ad hoc reporting and analysis to determine effectiveness, highlight top sources of false positives, and tune the various point solutions protecting the enterprise. In addition, this system and data serve as the basis to prove 1) the enterprise has a defined process, and 2) that the process is being followed, both of which are critical to maintaining satisfactory audit, compliance and cyber-risk insurance status.

Attendees will learn:

• The importance of separating Alert Triage from full-blown Incident Response
• The audit need for capturing and managing alert triage and incident response processes with a purpose-built system
• How to ensure attempts to automate and orchestrate security operations meet audit, compliance and cyber-risk insurance standards
• Key metrics to use for intra-industry, as well as cross-industry benchmarking

John Jolly, President and CEO, Syncurity

John is the President and CEO of Syncurity and has over 30 years of experience in the security industry. Prior to joining Syncurity, John was a Vice President and General Manager at General Dynamics where he led a large portfolio of commercial and Federal cybersecurity business, including the digital forensics incident-response practice responsible for responding to and resolving some of the largest security breaches in history. John also led the acquisition of Fidelis Security Systems, a market leading network software security business, in order to reposition General Dynamics’ existing digital forensics and incident response business within the commercial network security space.
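The session abstract above describes triage as a checklist executed in software, with each step recorded so that experienced analysts and auditors can see exactly what was done, and with the resulting data feeding reports on the top sources of false positives. The following is an added example, not Syncurity's product or code and not from the conference program: four constructed alerts pass through a three-step checklist (known-good source, asset criticality, indicator scope), every step is appended to an audit trail with a timestamp, and each alert ends as either a false positive or an incident handed to a playbook chosen by alert source. The allow-list, critical-asset list, playbook names and escalation rule are illustrative assumptions.

```python
"""Alert triage kept separate from incident response, with every checklist
step written to an audit trail.

Added example; not Syncurity's product or code and not from the conference
program. The alerts, the known-good list, the critical-asset list and the
playbook names are constructed inline so this runs offline. The three checks
and the escalation rule are illustrative assumptions, not a published standard.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import json


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str      # siem, edr, email, ... (the point tool that raised it)
    host: str
    indicator: str   # remote IP or domain the alert is about
    severity: str    # severity as the point tool reported it


@dataclass
class TriageRecord:
    alert: Alert
    steps: list = field(default_factory=list)   # the checklist as executed
    verdict: str = "open"                       # open | false_positive | incident
    playbook: Optional[str] = None              # set only when escalated


# Constructed reference data; an automation layer would pull these from a
# CMDB and an allow-list rather than hard-code them.
KNOWN_GOOD = {"10.0.0.5": "internal vulnerability scanner",
              "patch.internal.example": "patch mirror"}
CRITICAL_ASSETS = {"pay-db-01", "ad-dc-01"}
PLAYBOOK_BY_SOURCE = {"edr": "endpoint-containment",
                      "email": "phishing-response",
                      "siem": "network-investigation"}

# Constructed raw alert feed (placeholder hosts, RFC 5737 test addresses)
RAW_ALERTS = [
    Alert("A-1", "siem", "web-01", "10.0.0.5", "high"),
    Alert("A-2", "edr", "pay-db-01", "203.0.113.7", "medium"),
    Alert("A-3", "email", "hr-laptop-7", "203.0.113.7", "low"),
    Alert("A-4", "siem", "dev-03", "198.51.100.9", "low"),
]


def record_step(rec, name, result, detail):
    """Append one checklist step; the record, not the analyst's memory, is the evidence."""
    rec.steps.append({"step": name, "result": result, "detail": detail,
                      "at": datetime.now(timezone.utc).isoformat()})
    return result


def triage(alert, hosts_by_indicator):
    """Run the fixed checklist on one alert and decide: false positive or incident."""
    rec = TriageRecord(alert)
    hosts = sorted(hosts_by_indicator[alert.indicator])
    known_good = record_step(rec, "known_good_source", alert.indicator in KNOWN_GOOD,
                             KNOWN_GOOD.get(alert.indicator, "indicator not on the allow-list"))
    critical = record_step(rec, "asset_criticality", alert.host in CRITICAL_ASSETS,
                           f"{alert.host} is {'a' if alert.host in CRITICAL_ASSETS else 'not a'} critical asset")
    scope = record_step(rec, "indicator_scope", len(hosts),
                        f"indicator {alert.indicator} seen on {hosts}")
    # Escalation rule (assumption): an allow-listed indicator closes the alert
    # regardless of tool severity; otherwise a critical asset, a widening scope
    # or a high tool severity escalates it to the IR team with a playbook.
    if known_good:
        rec.verdict = "false_positive"
    elif critical or scope >= 2 or alert.severity == "high":
        rec.verdict = "incident"
        rec.playbook = PLAYBOOK_BY_SOURCE.get(alert.source, "generic-investigation")
    else:
        rec.verdict = "false_positive"
    return rec


def triage_all(alerts):
    """Index hosts per indicator first so scope is judged across the whole batch."""
    hosts_by_indicator = defaultdict(set)
    for a in alerts:
        hosts_by_indicator[a.indicator].add(a.host)
    return [triage(a, hosts_by_indicator) for a in alerts]


def verdicts(records):
    return {r.alert.alert_id: r.verdict for r in records}


def false_positives_by_source(records):
    """The 'top sources of false positives' report the abstract calls for."""
    return Counter(r.alert.source for r in records if r.verdict == "false_positive")


if __name__ == "__main__":
    recs = triage_all(RAW_ALERTS)
    print(json.dumps([{"alert": r.alert.alert_id, "verdict": r.verdict,
                       "playbook": r.playbook, "steps": r.steps} for r in recs], indent=2))
    print("false positives by source:", dict(false_positives_by_source(recs)))
```

Two things in the run are worth noticing. A-1 arrives as "high" from the SIEM but is closed as a false positive because its indicator is the internal scanner, so the tool's severity is an input to triage, not the verdict. A-3 is a "low" from the email gateway, yet it escalates because the same indicator was just seen on a critical database host; judging scope across the batch rather than alert by alert is what catches that.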

We are proud to sponsor the Chicago IIA and ISACA Chapter’s 4th Annual IT Hacking & Cybersecurity Conference.

Forsythe can help you protect your data, wherever it is

800.843.4488 | forsythe.com | focus.forsythe.com

MAKE IT HAPPEN

© 2017 Forsythe Solutions Group, Inc.


PRIORITIZE CRITICAL ALERTS FIRST


Sessions: Day 2

Keynote: CISO Panel – Perspectives on addressing today’s security challenges

8:30 – 10:00 – ABC Room

Join our panel of 4 local Chief Information Security Officers to discuss the areas of largest concern for them and how they have built their best relationships with the second and third line business functions. Moderated by Tina Hauri, we will also allow for questions from the audience that you have always wanted to know but were perhaps hesitant to ask your CISO.

Glenn Kapetansky, CSO, Trexin

Glenn Kapetansky has a passion for building systems, organizations, and teams that endure, and has done so across a number of business sectors, technologies, and roles. For over 20 years Glenn has advised senior executives and built teams throughout the delivery cycle: strategy, architecture, development, quality assurance, deployment, operational support, financials, and project planning.

Richard Rushing, CISO, Motorola

Richard Rushing is the Chief Information Security Officer for Motorola Mobility LLC. Richard participates in corporate, community, private, and government security councils and working groups, setting standards, policies, and solutions for current and emerging security issues. As Chief Information Security Officer for Motorola Mobility, he has led the organization’s security effort by developing an international team to tackle targeted attacks, cyber-crime, and emerging threats to mobile devices. He has organized, developed, and deployed practices, tools, and techniques to protect the enterprise’s intellectual property worldwide. A much-in-demand international speaker on information security, Richard has spoken at many of the leading security conferences and seminars around the world.

Erik Devine, CISO, Riverside Hospital

Erik has 23 years’ experience, excelling in finding new innovations and solutions within Information Technology and Security. He has 15 years as an Information Technology & Security leader and is currently focused on cultivating an information security culture in healthcare while balancing the clinical and research workflows to help improve patient outcomes and new medical innovation. He is very passionate about developing cyber security frameworks and defensive technologies, monitoring cyber security threats, and increasing information security awareness and training throughout the enterprise and community. While security is my passion, technology is the fun side. I love using technology to bend the rules, improve clinician and patient process, and create a possibility that didn't exist before.

Waqas Akkawi, CISO, SIRVA

Waqas is an Information Security Executive (ISACA CISM) with over 20 years of experience in setting the overall strategy, direction, development, delivery, and management of global information security and cyber security programs. He is a highly effective relationship builder, bringing together key business executives, IT executives, the head of Internal Audit, the Chief Privacy Officer and the Chief Compliance Officer to work on common goals and reduce risk to an acceptable level for the business to be successful and profitable.


Keynote: 4 Critical Mobile Security Holes CISOs are Ignoring

10:00 – 10:50 – ABC Room

Hackers are finding new ways to steal data and infiltrate organizations daily. A number of trends are driving the need for mobile threat defense, including the ubiquity of mobile devices among employees, agents and executives, and the rise of targeted cyber attacks and executive espionage. Attend this session to learn best practices for avoiding mobile attacks and securing both BYOD and corporate-owned devices. The session will also include a live demo of an ethical hack in which the speaker will hack any iOS or Android device in less than 60 seconds. Dare to participate?

This presentation will discuss:

• The realities of mobile threat defense and why it is different from traditional security
• The real implications of a mobile breach, including a live demonstration
• The critical considerations for adopting a comprehensive mobile security solution

Brian Duckering, Mobile Security Specialist - Symantec

Brian Duckering has been a thought leader and respected advisor in enterprise IT for over 20 years. With experience in engineering, product management, marketing, business strategy and technology evangelism, he has held executive-level positions at business- and consumer-facing companies, both large and small, and has multiple degrees in engineering and technology management. Brian has spent the last seven years focused on enterprise mobility, with a focus on achieving both productivity and security.

Session 1M: Guardians of the Strategy: How Well-Intentioned Cybersecurity Controls Backfire

11:20 – 12:30 – AB Room

There is an enormous number of tools and resources available to help security teams harden their environments and prevent malicious activity. Unfortunately, these tools are not always easy to use, design, or configure, and the resulting misconfigurations can leave unknown vulnerabilities on the network while giving organizations a false sense of security. We will discuss common pitfalls when designing an information security environment, as well as strategies for testing to verify that you are as protected as you think you are.

Piotr Marszalik, Michelle Erickson, Crowe Horwath

Piotr Marszalik is an Information Security Consultant and Manager at Crowe Horwath. He specializes in methodology and tool development for Crowe's Penetration Testing and Red Teaming services. Piotr is also an Offensive Security Certified Expert (OSCE). His responsibility at Crowe includes planning and execution of various penetration testing and security awareness assessments.

Michelle Erickson is an Information Security Risk Consultant at Crowe Horwath. She has an educational background in General Engineering and has gained experience providing services related to Security and Privacy, Third Party Risk Management, Healthcare Technology, and Security Controls Testing. Michelle has worked with teams to provide Penetration Testing and Network Security Assessment services, and specializes in the Financial Services industry.


Session 1T: Using Guerrilla Warfare to change the paradigm and accomplish strategic objectives

11:20 – 12:30 – C Room

Change is hard. Would you like a hug? Ever presented an idea that seems so obvious, only to have to explain it 3 times? Or found that your message is not being understood? In this session we will review the tactics, techniques and procedures used by insurgents and counter-insurgents and correlate their application to the corporate world.

Rob Carson, Senior Advisor for the Celsus Advisory Group

Rob is the Senior Advisor for the Celsus Advisory Group. Rob has several years of experience in management in the areas of information security management systems (such as HIPAA Compliance and many other leading Governance Security Standards across multiple industry sectors), secure collaboration platforms, mobile email management, email and web security gateways, and next generation firewalls. Rob formerly served as a Captain in the U.S. Marines and is a Certified Information Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Session 2M: Juggling the Elephants – Making AppSec a Continuous Program

13:20-14:10 – C Room

As security professionals charged with protecting large enterprise application portfolios, we continually find ourselves managing a wide array of disparate security initiatives, each of which demands to be treated as a top priority. Few of these initiatives ever achieve full coverage across the application portfolio. So we’re left to prioritize on the fly and try to keep everything we’re juggling in the air. Inevitably some will get dropped.

What if we could develop an AppSec program that ties those disparate initiatives together into a repeatable and continuous program that not only addresses coverage of the entire portfolio but acts as an enabler of high-paced development paradigms such as DevOps and CI/CD? In this presentation we’ll discuss a model for deploying AppSec programs that addresses these goals. A strategy for tying together various security activities including threat modeling, code reviews, and penetration tests, with business and risk processes in a way that actually makes development more efficient. We’ll discuss how an organization can leverage this model to tailor their own program and address the unique challenges and business goals of the individual firm.

Alyssa Miller, Aspect Security

Alyssa Miller leads the Program Services practice at Aspect Security. She regularly works with senior and executive leaders responsible for application security in major firms throughout the United States and internationally. Alyssa has six years of experience in security consulting helping organizations elevate their tactical application security initiatives into higher level strategic and efficient programs. Prior to her work as a security consultant, Alyssa led the Security Testing Team and was responsible for the vulnerability management program for a Fortune 100 financial services firm. Before entering the security industry, Alyssa spent ten years as a developer on large financial services applications.


Session 2T: The Ticking Time Bomb - Infrastructure Vulnerabilities of the Internet of Things

13:20-14:10 – AB Room

Gartner forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020. Total spending on endpoints and services will reach almost $2 trillion in 2017. When analyzed, one can safely assume that vulnerabilities to malware will be present. Additionally, DDoS attacks are on the rise, up approximately 71% between late 2015 and late 2016. Manufacturers, as in the past, do only the absolute minimum to secure these devices until their hand is forced. Researchers have uncovered more than two dozen vulnerabilities in products used in critical infrastructure systems that would allow attackers to crash – or even hijack – the servers that control both electric substations and water systems. This includes the ability to execute remote code injection on a server, which in turn gives an attacker an opportunity to open and close breakers at substations and cause power outages. As you can see, there are serious issues at hand.

Steven Russo, Executive Vice President, Eclypses / Certain Safe

Steven is a cyber protection professional and consultant with Eclypses and has over 20 years of experience in the information security and technology field.

Session 3M: New AICPA Cybersecurity Attestation Standard

14:20-15:10 – AB Room

E&Y will present the new AICPA cybersecurity attestation standard. Discussions will center around why the AICPA introduced this new standard and how it fits with the existing attestation standards (i.e., SOC 1, SOC 2, and SOC 3). We will break down how this new attestation standard helps organizations communicate the effectiveness of their cybersecurity risk management programs.

Bob Braico and Michael Podemski, E&Y

Bob is a Partner and the Advisory Account Leader for UnitedHealth Group. His areas of expertise include business process improvement, information technology and risk consulting. Bob’s primary responsibility as Advisory Account Leader on UHG is to coordinate service delivery among EY’s service lines. He has also acted as Engagement Partner on various UHG engagements including EY’s work on the Sarbanes Oxley, Cybersecurity, Encounter Data Processing System (EDPS), Enterprise Systems Development Program (ESDP), IT Security projects, Service Organization Control (SOC) Reports and IT Internal Audits. Bob has consulted with major corporate clients on business process improvements from initial process design through rollout and on risk management activities associated with systems development projects throughout all phases of the development lifecycle. He has over twenty years of experience assisting clients in the Healthcare, Life Sciences, and Financial Services Industries.

Michael Podemski, CISA, CISM, CRISC, CIPM, CIPT, is a Senior Manager in the Risk Advisory Services practice of Ernst & Young LLP. He focuses on managing and delivering high-quality IT assurance and advisory engagements, including financial statement audits/internal controls over financial reporting (SOX 404) and pre- and post-implementation system reviews. Prior to EY, he gained over 15 years of experience in IT Internal Audit, IT operations, and IT solutions delivery. In addition to his role as a senior manager, he is the immediate past president of the Chicago chapter of ISACA, where he serves as an advisor to the current president and other board members as well as assisting in organizing events, chairing special committees, and researching responses to questions from the board. Besides his role as the immediate past president, he is an instructor for the CISA, CISM, and CRISC

Session 3T: Social Engineering: Insider Threat Simulation vs. Adversarial Simulation

14:20-15:10– C Room

Social Engineering is the most common attack vector utilized to breach organizations, however, historically, it has been overlooked. According to the 2017 Verizon Data Breach Investigations Report, “social has been on top and trending upward for the last few years, and it does not appear to be going away any time soon”. Today, it is not only imperative for organizations to conduct Social Engineering assessments, but in order to be effective, these assessments should be customized to each organization’s unique environment. During this presentation, Stephanie will discuss the common Social Engineering attack vectors that are being used today (via email, phone and in person) and why organizations should be conducting Social Engineering assessments. Stephanie will also explain why organizations should not pursue cookie-cutter assessments and discuss the benefits of developing customized assessments by providing an understanding of the different assessment style approaches (insider threat simulation and adversarial simulation). Audience takeaways:

• Insight into different types of Social Engineering attacks
• Why organizations should be conducting Social Engineering assessments
• Threat Simulation style assessments
• Adversarial Simulation style assessments

Stephanie Carruthers, Mindpoint Group

After winning a black badge at DEF CON 22 for the “Social Engineering Capture The Flag”, Stephanie pursued her career as a full-time Social Engineer. Stephanie Carruthers leads the social engineering practice for MindPoint Group, where she leads engagements providing Open-Source Intelligence (OSINT) gathering, phishing, vishing, and physical security assessments. She has taught and presented at numerous security conferences including BSidesSLC, CircleCityCon, SAINTCON, ISACA (Salt Lake City), Hackfest Canada, and NolaCon, as well as guest webcasts for SANS. In her free time, she enjoys going to theme parks and playing table top games. Stephanie currently resides in Salt Lake City, Utah with her family.

Session 4M: The Business of Privacy: Balancing Retail and Info Services Business Goals with PII Stewardship

15:30-16:20 – AB Room

The privacy landscape changes constantly. With each generation sharing more and more personal information online, it can be a challenge for businesses in the e-commerce, retail, and information industries to understand why their sharing or handling of data could be a serious violation of privacy. What the business sees are limits and loss, not the liability. This talk will take listeners through the Privacy Impact Assessment (PIA) process, with examples of problems solved. At the end, listeners will be better equipped to implement PIAs in their own companies, improving both risk management and the business.

Sarah Powers, Eileen Filmus, Versprite

Sarah Powers (GRC consultant) is an information security consultant with many years of experience in the governance, risk, and compliance space. She has a strong background in Privacy, Compliance, and understanding the threats and needs that businesses face. Sarah has also participated in Red team engagements, from which she takes her experience and applies it in both Social Engineering Awareness and Prevention Training, as well as Incident Response Exercises.

Eileen Filmus (Security Consultant): As part of VerSprite’s Governance, Risk and Compliance arm, Eileen has a strong and diverse background in Information Security. In addition to driving security programs, she also prepares clients for compliance audits by creating or enhancing policies and procedures, addressing contractual security obligations, as well as performing assessments to determine organizations’ security risk posture by evaluating the effectiveness of their information security management programs.

Session 4T: DevSecOps: Why Aren’t You Doing it?

15:30-16:20 – C Room

With business demand for DevOps, Agile and public cloud offerings, traditional security processes are no longer efficient at keeping pace and have become major roadblocks that are doomed for extinction (or to be circumvented). The purpose and intent of DevSecOps is to build on the mindset that "everyone is responsible for security", with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context, without sacrificing the safety required. This talk will focus on how DevSecOps enables security teams to leverage automation capabilities that maximize the use of security resources and cohesion with other teams while minimizing risk, without drastically increasing team size, alert fatigue, or security stopgaps.

Brian Liceaga, Evolve Security

Brian Liceaga has worked and consulted for organizations of all sizes from start-ups to large corporations. Brian’s experience includes vulnerability management, application security, incident response, security program development, cloud security, DevSecOps, and penetration testing. Notably, he has developed and implemented solutions to establish secure SDLC processes for Waterfall and Agile environments. Recently, his focus has been on next-generation vulnerability management utilizing automation and orchestration as well as finding solutions for privacy and security to better coexist.

Session 5M: More Vendors, More Problems. How Tech companies that rely on vendors build scalable practices.

16:30-17:15 – AB Room

With forty-three percent of data breaches and cyber-attacks caused by third party vendors or contractors, it is imperative that organizations implement a controllable, pragmatic vendor risk management strategy. The most efficient strategy incorporates converged practices, collaboration, and relationship building at the third and fourth party levels. This panel will include vendor risk management professionals from technology companies that rely on vendors for critical pieces of the business. We will discuss why vendors are essential in a technology-first environment and how best to ensure business units are managing, reporting and accurately assessing vendor risk. The panel members will include: Koushik Subramanian, Director of Risk & Compliance, Uptake; Andy DeNovo, Managing Partner, DNS Security Consulting; and Nick James, Risk and Compliance Manager, Deloitte.

Anders Norremo, CEO, ThirdPartyTrust

Anders Norremo serves as Chief Executive Officer for ThirdPartyTrust, a vendor risk management platform he co-founded in 2015. ThirdPartyTrust offers an innovative SaaS vendor management platform that makes it simple for companies to evaluate third and fourth party risk through collaborative tools and automated processes. His prior experience includes 15 years at state-of-the-art scalable SaaS companies. Anders served as Vice President at Firm58, where he ran deployment services and customer support. Previously, Anders worked at Accenture, where he managed large-scale enterprise implementations.

Session 5T: The Rogue’s Gallery: Mobile Malware

16:30-17:15 – C Room

When most people think about cyber risk, they think primarily of their organization’s servers, PCs, and laptops, and how they might be vulnerable to attack. But in recent years, the way in which users interact with the outside world has changed. In March this year, for the first time ever, Android overtook Windows to claim the largest share of Internet traffic. And naturally, where users go, threat actors will surely follow. For the past few years, we’ve observed a gradual but consistent increase in the number of threat actors choosing to focus their efforts on mobile devices. This presentation will identify the various types of mobile malware, their common functionality, and examples of each. It will also identify the steps taken to minimize an organization’s risk in this area.

Joseph Opacki, PhishLabs

Joseph Opacki is responsible for threat research, analysis, and intelligence at PhishLabs. Prior to joining PhishLabs, Mr. Opacki was the Senior Director of Global Research at iSIGHT Partners and was also an Adjunct Professor at George Mason University, where he taught malware reverse engineering in the Master of Computer Forensics program. Mr. Opacki has also participated in several industry advisory councils, including the Cybersecurity Curriculum Advisory Council at the University of Maryland University College. Before his career in the private sector, Mr. Opacki was the malware reverse engineering Subject Matter Expert (SME) and the Technical Director of advanced digital forensics in the Operational Technology Division at the Federal Bureau of Investigation.


Thank You

This is the 4th Annual Chicago Hacking Conference. This conference has been developed, organized, and presented in large part due to the efforts of the entire conference team and the two co-chairs Jason Torres and Corbin Del Carlo. I would like to thank both Jason and Corbin for their extensive efforts in creating this conference to educate the profession on emerging trends in IT Security. Additionally, our new members this year have all made significant contributions: Anthony Chan – Speakers Committee Chair, Shantanu Keskar – Sponsors Committee Chair, Alicia Li – Brochure Committee Chair, and Gina Rogers – Marketing and Day of Event Committee Chair. All members contributed to all parts of this conference and I am very pleased with everyone’s contributions. We thank them all for their significant time commitments to this event. This conference has grown significantly and the team already has exciting ideas for next year. Please join me in thanking Jason, Corbin and the Team for making this a successful event for Internal Audit and Information Security practitioners.

Sincerely,

Eileen Iles

Vice President of Education

The Institute of Internal Auditors, Chicago Chapter


Our Platinum Sponsors

Platinum

Founded in 1991, onShore Security is a leading provider of managed network security. Developing from our early days as network consultants and software developers to our launch of managed network security in 1998, we have renamed our company onShore Security as a commitment to our focus. We believe that security requires a well-developed process and a 24x7 operation. Our mission is to bring our clients the freedom to thrive through greater security.

www.onshore.com

Symantec, the world’s leading cyber security company, has acquired Skycure, a leader in mobile threat defense. Skycure combined with Symantec’s Integrated Cyber Defense Platform offers customers access to comprehensive and effective endpoint protection offerings across traditional and mobile devices, with enhanced capabilities for mobile devices, applications, network gateways and data protection. To date, Symantec has invested in mobile security through the SEP Cloud and Norton Mobile product lines. The protection capabilities in those product lines will expand with this acquisition, which puts Symantec on the path to protect more than 1 billion endpoints.

https://www.skycure.com/about/
