INFORMATION SECURITY SUMMIT 2015

Information Anywhere Anytime – Mobile, Analytics, Cloud, IoTs – Security Friends or Foes

Summit Date : 15 - 16 September 2015 (Tuesday - Wednesday)
Venue : Hong Kong Convention and Exhibition Centre
Workshops : 17 September - 13 October 2015
Venue : 1/F, HKPC Building, 78 Tat Chee Avenue, Kowloon

Website: www.issummit.org
Online Registration: https://www.issummit.org
Enquiry: (852) 2788 5884


MAIN CONFERENCE 15 September 2015 (Tuesday)

Hong Kong Convention and Exhibition Centre, 1 Expo Drive, Wanchai, Hong Kong

SUMMIT TIMETABLE (DAY 1)

Remarks:
- (E) : English; (C/E) : Cantonese with English terminology
- The Organizers reserve the right to modify the programme schedule without prior notice.

08:30 – 09:00 REGISTRATION

09:00 – 09:45
Welcome Speech (E)
Mrs. Agnes Mak, MH, JP, Executive Director, Hong Kong Productivity Council
Opening Address (E)
Ir. Allen Yeung, Government Chief Information Officer, OGCIO, The Government of the HKSAR

09:45 – 10:25
Keynote 1: INTERPOL's role and effort in Combating Cybercrime (E)
Dr. Madan Mohan Oberoi, Director, Cyber Innovation & Outreach, INTERPOL

10:25 – 10:55 Break

10:55 – 11:35
Keynote 2: How Cyber Intelligence can improve your Security Resilience (E)
Mr. Harry Pun, Heads of Core BUs and Alliance, Dimension Data

Track 1 (sessions 1.x) and Track 2 (sessions 2.x)

11:35 – 12:05
1.1 Security Issues: Application Security and the Internet of Things (E)
Mr. Wesley Simpson, Chief Operating Officer, International Information System Security Certification Consortium, Inc., (ISC)²®
2.1 Security Delivery Platform (E)
Ms. Johnnie Konstantas, Director, Security Solutions, Gigamon Inc.

12:05 – 12:35
1.2 Networked Home Appliances (IoT) and Vulnerabilities (E)
Mr. Hikohiro Y. Lin, Head of Panasonic PSIRT, Panasonic
2.2 BYOM: Bring Your Own Malware (E)
Mr. Matthew Wong Yun-lam, Consulting Systems Engineer for Hong Kong and Macau, FireEye Inc.

12:35 – 13:50 Lunch Break*

13:50 – 14:30
Keynote 3: Best Practices for Scoping Infections & Disrupting Breaches (E)
Mr. Paul Pang, Chief Security Strategist, APAC, Splunk Inc.

14:30 – 15:00
1.3 Fighting Adaptive Attacks Requires Adaptive Defense with Response Automation (E)
Mr. Leow Jun Wei, Regional Solutions Consultant, Guidance Software Inc.
2.3 Any device, Anywhere, All-round Protection (C/E)
Mr. Siupan Chan, Sales Engineering Manager, Greater China, Sophos Hong Kong Company Limited

15:00 – 15:30
1.4 Detect and Defend Your Network from Targeted Attacks in Real Time (E)
Mr. Tony Lee, Consultant, Trend Micro Limited
2.4 IoT Security: Understanding the Challenges while Mitigating the Risk (E)
Mr. Leslie Sin, Systems Engineer, Cisco Systems HK Limited

15:30 – 16:00 Break

16:00 – 16:30
1.5 So you want a Threat Intelligence capability? (E)
Mr. Gavin Reid, Vice President of Threat Intelligence, Lancope, Inc.
2.5 Combating APT and Crypto Ransomware with minimal extra investment (C/E)
Mr. Eric Kwok, General Manager, Lapcom Limited

16:30 – 17:10
Keynote 4: Securing your Mobile Applications, a Holistic Approach (E)
Mr. Joseph Au-Yeung, VP, Cloud & Cyber-security, PCCW Solutions Limited
Mr. Saket Modi, CEO, Lucideus

17:10 – 18:00
Panel Discussion
Friends: How can Organizations achieve Effective Information Security? (E)
Mr. Frank Yam, Moderator

* Lunch will not be provided.


MAIN CONFERENCE 16 September 2015 (Wednesday) Hong Kong Convention and Exhibition Centre, 1 Expo Drive, Wanchai, Hong Kong

SUMMIT TIMETABLE (DAY 2)

Remarks:
- (E) : English; (C/E) : Cantonese with English terminology; (P/E) : Putonghua with English terminology
- The Organizers reserve the right to modify the programme schedule without prior notice.

08:30 – 09:00 REGISTRATION

09:00 – 09:40
Keynote 1: Cybersecurity as a Business Discipline (E)
Mr. Ramsés Gallego, Security Strategist & Evangelist, Dell Software

09:40 – 10:20
Keynote 2: Better Security through Micro Segmentation and security services in overlay networking (E)
Mr. Tim Hartman, Senior Manager, Network & Security Systems Engineering, Asia Pacific and Japan – Networking and Security Business Unit, VMware, Inc

10:20 – 10:50 Break

10:50 – 11:30
Keynote 3: Fighting Malware Through Big-Data & Public/Private Partnership – Microsoft Cybercrime Center (E)
Mr. Keshav Singh Dhakad, Regional Director - Digital Crimes Unit Asia, Microsoft Operations Pte Limited

11:30 – 12:10
Keynote 4: Cyber Security & Threat Intelligence Defense – Preparing For The Changing Landscape (E)
Mr. Jack Chan, Security Strategist, Fortinet International Inc.

Track 1 (sessions 1.x) and Track 2 (sessions 2.x)

12:10 – 12:40
1.1 Techniques for Protecting Business-Critical Information in Public, Private and Hybrid Cloud Environments (E)
Mr. George Chew, Area Vice President, APAC/JAPAN, Vormetric, Inc.
2.1 Cloud user's guide to Cloud Security Assurance and Compliance (E)
Mr. Ronald Tse, Founder, Ribose

12:40 – 14:00 Lunch Break*

14:00 – 14:30
1.2 Managing the Unmanageable (C/E)
Mr. Chris Chau, Lead Sales Engineer, Citrix Systems HK Limited
2.2 Recent Threat: Our Incident Handling and Case Study (E)
Mr. Zhao Wei, CEO, Beijing Knownsec Information Technology Limited

14:30 – 15:00
1.3 Cyber Range in One Box (P/E)
Mr. Smith Sun, Senior Business Development Manager, China, Ixia Technologies International Limited
2.3 Privacy and Cybersecurity: Legal and Regulatory Developments (E)
Mr. Michael Jackson, Associate Professor, Faculty of Law, The University of Hong Kong

15:00 – 15:30
1.4 The importance of Encrypted Traffic Management (E)
Mr. David Leung, Senior Solution Engineer, Blue Coat Hong Kong
2.4 Are your Mobile Apps well protected? (E)
Dr. Daniel Luo, Research Assistant Professor, The Hong Kong Polytechnic University

15:30 – 16:00 Break

16:00 – 16:30
1.5 Taking The Fight To Advanced Threats with Symantec (E)
Mr. Avinash Lotke, Business Development Director, Threat Protection Business, Symantec Asia Pacific & Japan
2.5 Rethinking Passive DNS (E)
Mr. Brandon Dixon, Lead Developer and Co-founder, PassiveTotal
Mr. Steve Ginty, Co-Founder, PassiveTotal

16:30 – 17:10
Keynote 5: TBC

17:10 – 18:00
Panel Discussion
Foes: Horror Stories of Attacks against Organizations (E)
Mr. Paul Jackson, Moderator

* Lunch will not be provided.


SPEAKERS (Day 1) 15 September 2015 (Tuesday)

Hong Kong Convention and Exhibition Centre, 1 Expo Drive, Wanchai, Hong Kong

Keynote: INTERPOL’s role and effort in Combating Cybercrime (E)

Dr. Madan Mohan Oberoi, Director, Cyber Innovation & Outreach, INTERPOL

Dr. Oberoi will provide an overview of the new INTERPOL Global Complex for Innovation (IGCI) in Singapore and how IGCI will be leading global efforts to provide operational support, capacity building and harmonization of international legal structures in the fight against cybercrime.

Keynote: How Cyber Intelligence can improve your Security Resilience (E)

Mr. Harry Pun, Heads of Core BUs and Alliance, Dimension Data

Cyber security has made its way from the server room to the boardroom and even the Oval Office. This underlines the fact that we are facing a huge challenge that is only getting more apparent as we move further towards IoT, enterprise mobility, BYOD, virtualisation, cloud and social media. New doors into the organisation and more devices create a bigger attack surface and cause data breaches that have become regular headline news. Keeping your organisation secure requires a proactive approach to security. Traditional security controls are no longer enough to keep your business secure, and must evolve into a risk-aware and intelligent platform that not only protects but can also quickly detect and respond to potential threats.

Security Issues: Application Security and the Internet of Things (E)

Mr. Wesley Simpson, Chief Operating Officer, International Information System Security Certification Consortium, Inc., (ISC)²®

With the IoT, we must ask ourselves where traditional security begins and logical security ends. With the generational shift in the use of technology, such as the vast use of mobile and wearable devices, and as attackers and adversaries become more sophisticated in their efforts, we are increasingly seeing exploits that involve both traditional and logical attack vectors. Fewer and fewer people understand how all of this works. How do the devices work together: what are they doing, collecting, and transmitting, and to whom? In a sentence, technology is being adopted faster than our ability to secure it.

In this presentation, Wesley will delineate the idea of application security at the source, how we can deploy the 5 Star Automotive Safety Program, and how we can begin securing our environment starting with ourselves.

Networked Home Appliances (IoT) and Vulnerabilities (E)

Mr. Hikohiro Y. Lin, Head of Panasonic PSIRT, Panasonic

We will talk about changes in the features of Networked Home Appliances (IoT) and the risk of connecting them to the Internet. We will also explain the trends in vulnerability analysis for Networked Home Appliances and the security functions that are required for CE products in the IoT era.

Keynote: Best Practices for Scoping Infections & Disrupting Breaches (E)

Mr. Paul Pang, Chief Security Strategist, APAC, Splunk Inc.

To successfully prevent infections from becoming a data breach, security analysts need the ability to continuously collect, analyze, correlate and investigate a diverse set of data. This session will discuss the specific data sources and capabilities required to determine the scope of an infection before it turns into a breach. This session will go over:
• The capabilities required to distinguish an infection from a breach
• The specific analysis steps to understand the scope of an attack
• The data sources required to gain deep and broad visibility
• What to look for from network and endpoint data sources

Security Delivery Platform (E)

Ms. Johnnie Konstantas, Director, Security Solutions, Gigamon Inc.

Today’s security architectures are being reconfigured for detection and protection. This means focus and investment is shifting away from the perimeter and toward methods for finding compromise in the network and eliminating the threat. To do this organizations require pervasive network visibility more than ever before. This is the purpose of a security delivery platform and during this session we will examine its basic architecture and functions. Attendees will understand how the SDP can help raise security in their environments.

BYOM: Bring Your Own Malware (E)

Mr. Matthew Wong Yun-lam, Consulting Systems Engineer for Hong Kong and Macau, FireEye Inc.

In today’s world of ubiquitous end-user computing, mobile device usage and BYOD continue to expand within the enterprise and have catapulted mobile security to the top of the priority list. BYOD security concerns like loss of company or client data and unauthorized access to confidential information are more important than ever. Meanwhile, cyber threats are becoming more sophisticated, and these attacks have extended to mobile devices as a way to infiltrate the organization’s network. This has created new challenges for security professionals tasked with balancing business enablement and risk. What measures should enterprises take to mitigate these risks? Find out how you can protect your organisation from advanced threats through mobile devices. In this session, Matthew will share:
• Evolving threats on mobile devices, in applications and in the network
• Security measures to detect attacks and prevent threats and respond to incidents in minutes
• Best practices for how organizations can adapt to these new mobile security threats


Fighting Adaptive Attacks Requires Adaptive Defense with Response Automation (E)

Mr. Leow Jun Wei, Regional Solutions Consultant, Guidance Software Inc.

Attackers are always looking for new vulnerabilities to exploit in technologies with large-scale adoption, or they use, create or modify malware that changes just enough to avoid known detection methods. The same malware or vulnerability is rarely used after public discovery. The defenses widely in use today are limited to technology that is overly reliant on the known and is unable to adapt when attackers change their patterns or find easier ways to sneak onto our networks undetected. Therefore deflecting adaptive attacks becomes critical.

Detect and Defend Your Network from Targeted Attacks in Real Time (E)

Mr. Tony Lee, Consultant, Trend Micro Limited

As tactics and techniques behind targeted attacks and advanced threats continue to evolve, having a flexible line of defense is crucial. To do so, leading organizations are enhancing their security posture with the ability to detect and respond to advanced malware, zero-day exploits and attacker behavior that is behind targeted attacks. This presentation will review the major requirements and capabilities needed for a strong cyber-defense against targeted attacks.

So you want a Threat Intelligence capability? (E)

Mr. Gavin Reid, Vice President of Threat Intelligence, Lancope, Inc.

“Once the realm of government organizations, the collection, analysis and leveraging of threat intelligence for advanced cybersecurity is now something all corporations should be focused on,” said Reid. “Unfortunately, few organizations are sure how to do it. My session will demystify the threat intelligence function, and provide security teams with best practices for setting it up within their organizations for improved cyber threat detection and incident response.”

Specifically, Reid’s session will outline:
• What threat intelligence is
• Best practices for developing a threat intelligence function
• Common pitfalls to avoid when setting up a threat intelligence practice
• How threat intelligence fits in with other components of an enterprise security strategy

Panel Discussion
Friends: How can Organizations achieve Effective Information Security? (E)

Mr. Frank Yam, Moderator

Keynote: Securing your Mobile Applications, a Holistic Approach (E)

Mr. Joseph Au-Yeung, VP, Cloud & Cyber-security, PCCW Solutions Limited

Mr. Saket Modi, CEO, Lucideus

Mobile applications are hot on every CIO’s agenda. Yet implementing secure mobile applications poses major challenges for every IT team. In order to ensure the corporate brand value and protect customer information assets, we will introduce an end-to-end approach which covers everything from Awareness Training, Security Maturity Assessment, Secure SDLC (SSDLC), and Proactive and Reactive protection methods, as well as systematic training workshops for mobile developers.

Any device, Anywhere, All-round Protection (C/E)

Mr. Siupan Chan, Sales Engineering Manager, Greater China, Sophos Hong Kong Company Limited

Not every enterprise has the expertise and resources to manage every aspect of IT security. In this session we’ll examine the inherent complexity of security products and the very different needs of small and large organizations. Then we’ll look at a simpler alternative: a cloud-based security and threat monitoring service.

IoT Security: Understanding the Challenges while Mitigating the Risk (E)

Mr. Leslie Sin, Systems Engineer, Cisco Systems HK Limited

This session will discuss the security threats that arise when implementing the Internet of Things (IoT). IoT converges an organization's existing information technology (IT) and operational technology (OT) networks, in addition to potentially billions of sensors, devices, and other smart objects. This convergence significantly expands security challenges, due to its increased breadth and depth over existing network connectivity.

IT and OT networks are managed with different priorities in mind, and each has distinct security needs. The priority of the IT network is to protect data confidentiality. The focus of the OT network is on physical security and secure access to ensure operational and employee safety.

Combating APT and Crypto Ransomware with minimal extra investment (C/E)

Mr. Eric Kwok, General Manager, Lapcom Limited

APT and Crypto Ransomware are the hottest topics among IT security practitioners and are posing real threats to enterprises. Combating these emerging threats can be really expensive. So how can businesses with an average IT budget better protect themselves from them?


SPEAKERS (Day 2) 16 September 2015 (Wednesday)

Hong Kong Convention and Exhibition Centre, 1 Expo Drive, Wanchai, Hong Kong

Keynote: Cybersecurity as a Business Discipline (E)

Mr. Ramsés Gallego, Security Strategist & Evangelist, Dell Software

Security turned into Cybersecurity when we connected our systems, when our data started flowing around. This is an era where the terms cyber-resiliency, cyber-warfare and cyber-protection have become front-page news, and we need to get ready. We need to expect the unexpected. This is the epoch for businesses to understand this dimension and start asking the right questions of the right people at the right time. This is the time to embrace the cybersecurity challenge and start talking about Enterprise Risk Management.

Keynote: Better Security through Micro Segmentation and security services in overlay networking (E)

Mr. Tim Hartman, Senior Manager, Network & Security Systems Engineering, Asia Pacific and Japan – Networking and Security Business Unit, VMware, Inc

This session will discuss why traditional network design and operational methods need to change and how current technologies are enabling organizations to build granular security policies with the operational model of the Virtual Machine.

Keynote: Fighting Malware Through Big-Data & Public/Private Partnership – Microsoft Cybercrime Center (E)

Mr. Keshav Singh Dhakad, Regional Director - Digital Crimes Unit Asia, Microsoft Operations Pte Limited

Cybercrime is on a rapid rise at a global scale, becoming a multi-billion dollar industry and causing an enormous amount of disruption & losses. In particular, malware-facilitated crimes are having the most devastating impact on businesses (particularly the financial sector), governments and individuals. Malware (malicious code) is multiplying in number, form, type and threat, and can do an untold amount of damage without warning, such as hacking confidential information, stealing private and personal information, key-logging passwords, hijacking email/social media accounts via identity theft, committing financial theft & wire fraud, causing disruption of IT systems & critical networks, denial of service attacks, etc.

Microsoft takes the impact of malware-facilitated cybercrime very seriously, in order to protect its customers’ data & privacy and its own platforms & intellectual property. Microsoft’s Digital Crimes Unit (DCU), through global public-private partnerships, targets cyber-criminal organizations that are looking to make illegal profits through the spread of vicious malware infections. DCU’s Cybercrime Center engages in legal & technical operations to disrupt and take down malware networks (e.g., botnets), liberating infected devices in the process at a global level and making it more expensive for cyber-criminals to operate. In that effort, DCU partners with cybercrime experts across industries, governments, criminal law enforcement and academia to identify and eliminate cyber threats impacting the entire digital ecosystem. Through these operations, and partnerships under DCU’s Cyber-Threat Intelligence Program (CTIP) with global Computer Emergency Response Teams (CERTs), ISPs, Industry Bodies, etc., DCU has enabled successful identification and cleaning of millions of infected devices globally - a task which is ongoing.

Hong Kong similarly faces huge challenges in fighting cybercrime, considering it’s a big financial hub in the Asia region, and Microsoft is committed to helping Hong Kong fight cybercrime with effective sharing of cyber threat intelligence through public-private partnerships.

11:30 – 12:10 Keynote: Cyber Security & Threat Intelligence Defense – Preparing For The Changing Landscape (E)

Mr. Jack Chan, Security Strategist, Fortinet International Inc.

How does the mindset around security need to adapt to the growing usage of the internet, IoTs, BYOD and cloud computing? What role does threat intelligence play in the changing security landscape? In this presentation Jack Chan from Fortinet’s FortiGuard lab will present the changing threat landscape, the types of threat intelligence required to combat security on a day-to-day basis, a taste of the dark web and where the ideal crossover between security and convenience should be.

12:10 – 12:40 Techniques for Protecting Business-Critical Information in Public, Private and Hybrid Cloud Environments (E)

Mr. George Chew, Area Vice President, APAC/JAPAN, Vormetric, Inc.

Cloud computing has transformed the way organizations approach IT, enabling them to become more agile, introduce new business models, provide more services, and reduce IT costs. Yet for security professionals, the cloud presents a huge dilemma: How do you embrace the benefits of the cloud while maintaining security controls over your organization’s assets? This session covers:
• Cloud/virtualization Computing Security Challenges
• Techniques for Encrypting Data in the Cloud
• Strategies for Secure Transition to the Cloud


Managing the Unmanageable (C/E)

Mr. Chris Chau, Lead Sales Engineer, Citrix Systems HK Limited

Due to the boom in mobility and web access, your corporate resources and customer information can be accessed anytime and anywhere. Citrix will introduce our Delivery Network Solutions, which cater for the potential risks to your corporate information and reputation.

Cyber Range in One Box (P/E)

Mr. Smith Sun, Senior Business Development Manager, China, Ixia Technologies International Limited

The Ixia CyberRangeInOneBox solution supplies an environment to simulate real-world traffic scenarios, attacks, malware, hostile behavior... With it, you can practice attacking vs defending, run POC tests for new products and technologies, and deliver security training for IT people.

Recent Threat: Our Incident Handling and Case Study (E)

Mr. Zhao Wei, CEO, Beijing Knownsec Information Technology Limited

We would like to give a briefing on our recent technology and platforms, and on how we deal with and understand recent threats and try to mitigate the risk. The session will include demonstrations and case studies, so it will be practical.

Privacy and Cybersecurity: Legal and Regulatory Developments (E)

Mr. Michael Jackson, Associate Professor, Faculty of Law, The University of Hong Kong

This presentation will discuss recent legislative and regulatory developments in relation to privacy and/or cyber security in Hong Kong and overseas which impact on the cyber risks of the Internet.

Cloud user's guide to Cloud Security Assurance and Compliance (E)

Mr. Ronald Tse, Founder, Ribose

Cloud service providers (CSP) often claim their services are "secure". How much of that should you trust? In this session we discuss the notion of cloud security assurance from the perspective of the cloud user: introducing different types of assurances, comparing existing assurance schemes, considering international and regional issues, and most importantly, showing how to discern the truth behind smokescreens.

15:00 – 15:30 The importance of Encrypted Traffic Management (E)

Mr. David Leung, Senior Solution Engineer, Blue Coat Hong Kong

The industry has been focusing on various technologies for protecting organizations from advanced threats. However, we always miss the importance of visibility into these threats. Research shows that there is a rising trend of attacks hidden in encrypted traffic. David will talk about the importance of Encrypted Traffic Management and how to address those challenges.

Are your Mobile Apps well protected? (E)

Dr. Daniel Luo, Research Assistant Professor, The Hong Kong Polytechnic University

The prosperity of the mobile app economy provides lucrative and profitable targets for hackers. Among OWASP’s top ten mobile risks for 2014, the lack of binary protections makes it easy to reverse, modify, and repackage Android apps. This talk discusses mobile app protection from two aspects. First, we introduce how attackers turn popular apps into malware and then describe our research on quickly detecting such repackaged apps. Second, we sketch how newly emerging packing services harden Android apps and then present our recent research on unpacking such hardened apps.


Keynote: TBC

Panel Discussion
Foes: Horror Stories of Attacks against Organizations (E)

Mr. Paul Jackson, Moderator

Rethinking Passive DNS (E)

Mr. Brandon Dixon, Lead Developer and Co-founder, PassiveTotal

Mr. Steve Ginty, Co-Founder, PassiveTotal

Having a good set of historical data is like having a time machine. As threat researchers, passive/active DNS provides us with a map of an attacker's infrastructure behaviors and history. Unfortunately, this data set is static, lacking context, additional enrichment data and the ability to persist analysis to guide analyst assessments.

In the early days of threat infrastructure analysis, we simply displayed passive DNS results inside of an HTML table. While smaller sets of data were easy to analyze, as resolutions grew, so did the complexity of the data and the effort needed to properly analyze it. This can lead to mistakes being made, missed changes, and failure to really understand the data set due to the quantity of data presented.

According to a January 2014 study published by MIT, the human brain is capable of processing an entire image in as little as 13 milliseconds of exposure. With this in mind, we looked to remake these raw data sets into color-coded, visual indicators and images that allow analysts to interpret results faster, reduce analysis and assessment time, and persist findings.

Attendees should expect to walk away with a better understanding of how DNS data is useful in security research, different ways to interpret the data, and tools that could provide assistance when performing analysis.

16:00 – 16:30 Taking The Fight To Advanced Threats with Symantec (E)

Mr. Avinash Lotke, Business Development Director, Threat Protection Business, Symantec Asia Pacific & Japan

Advanced persistent threats (APTs) have been perfected and they are fast outpacing defensive measures, leaving many organizations unwittingly vulnerable. It has become impossible to distinguish the safe from the dangerous; almost no company, whether large or small, is immune. In 2014, advanced attackers targeted 5 out of 6 large companies, a 40 percent increase over the year before, and there were almost 1 million new malware variants developed daily. Join the session and learn about how to stop the next advanced attack.

SCHEDULE

Workshop dates shown in the schedule grid:
THU 17 SEP 2015
TUE 22 SEP 2015
THU 17 SEP 2015
WED 23 SEP 2015
FRI 25 SEP 2015
FRI 18 SEP 2015
THU 24 SEP 2015
MON 5 OCT 2015
WED 7 OCT 2015
MON 12 OCT 2015
MON 21 SEP 2015
THU 24 SEP 2015
TUE 6 OCT 2015
THU 8 OCT 2015
TUE 13 OCT 2015

Workshop 1 Enterprise Risk Management and Auditing for the new era of Cloud, Mobility and Identity Speaker : Mr. Ramsés Gallego

Workshop 3 (Day 2)

Hacking and Analyzing Your Android Application (Hands-On) Speaker: Mr. Anfa Sam

Workshop 2 (Day 2)

Analyst Methods for Cyber Espionage Analysis [Hands-on] Speakers: Mr. Brandon Dixon and Mr. Steve Ginty

Workshop 4 (Day 2)

Securing Custom Mobile Applications for Safe, Profitable E-Commerce Speakers: Mr. Richard Stagg and Mr. Michael Dahn

Workshop 6 Cybersecurity Fundamentals Speaker: Mr. Frank Chow

Workshop 8 (Day 1)

Advanced Web Application Pentest Kungfu (Hands-On) Speakers: Mr. Anthony Lai and Mr. Zetta Ke

Workshop 8 (Day 2)

Advanced Web Application Pentest Kungfu (Hands-On) Speakers: Mr. Anthony Lai and Mr. Zetta Ke

Workshop 9 (Day 1)

Securing your Enterprise Mobility - Strategy, Operations and Technology (Hands-on) Speakers: Mr. Aditya Modha and Mr. Vilakshan Jakhu

Workshop 2 (Day 1)

Analyst Methods for Cyber Espionage Analysis [Hands-on] Speakers: Mr. Brandon Dixon and Mr. Steve Ginty

Workshop 4 (Day 1)

Securing Custom Mobile Applications for Safe, Profitable E-Commerce Speakers: Mr. Richard Stagg and Mr. Michael Dahn

Workshop 5 (Day 2)

Let's get your hands dirty with Honeypot Sensors (Hands-On) Speaker: Mr. Tan Kean Siong

Workshop 3 (Day 1)

Hacking and Analyzing Your Android Application (Hands-On) Speaker: Mr. Anfa Sam

Workshop 5 (Day 1)

Let's get your hands dirty with Honeypot Sensors (Hands-On) Speaker: Mr. Tan Kean Siong

Workshop 7 ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27018 Information Security Standards - Auditing, Awareness and Updates Speaker: Mr. Danny Yip

Workshop 9 (Day 2)

Securing your Enterprise Mobility - Strategy, Operations and Technology (Hands-on) Speakers: Mr. Aditya Modha and Mr. Vilakshan Jakhu

17 September – 13 October 2015 1/F, HKPC Building, 78 Tat Chee Avenue, Kowloon


WORKSHOPS

Workshop 1 (1 Day)

Enterprise Risk Management and Auditing for the new era of Cloud, Mobility and IdentitySpeaker : Mr. Ramsés Gallego Medium of Instruction: English

Workshop 2 (2 Days)

Analyst Methods for Cyber Espionage Analysis [Hands-on] Speakers : Mr. Brandon Dixon and Mr. Steve Ginty

Medium of Instruction: English

Nature & Objectives: Course Outline:■ Discovery of new approaches and technologies for

Enterprise Risk Management and Auditing in 'The Nexus of Forces’

■ Understanding of ‘the new normal’■ Comprehension of the realities that shape the world

we live in

Information is the currency in today’s world. Companies are understanding that a new approach is needed when it comes to provide assurance that sensitive data will be protected to fight the threats to cybersecurity. Organizations around the globe are embracing a new vision that will become the foundations for tomorrow. This is the need of a shift in perception. We need to move from Technology Risk to Enterprise Risk. A new beginning. A new dawn. Enterprises are moving from what once was a domain of technology to a new reality; that, at the end of the day, what it really matters is mitigating enterprise risk, the risk appetite of the company as a whole. What it is really important these days is to realize that not only is instrumental to execute correctly, with the proper attitude, with the right mindset, but also to embrace the overarching discipline of Governance, to empower end users while, at the very same time, the assurance of the responsible use of resources is guaranteed.By attending this session, insights will be gained on how to provide value for the business, through technology, in a changing security landscape where ‘The Nexus of Forces’ (Cloud. Mobility, Identity) are paramount for success. The attendee will be able to discover new angles for engaging with the business and provide communication channels and reporting methods to protect the two most important assets for a company: people and information. Knowledge will be shared in the area of metrics and indicators that provide tangible value, in business terms for the C-level suite. This is the very much needed new dimension. From Technology Risk to Enterprise Risk. A New Beginning.

Who Should Attend:

✓ CIOs
✓ CTOs
✓ Chief Risk Manager
✓ Chief Audit Executives
✓ Security Directors
✓ Risk practitioners
✓ Auditors

Nature & Objectives: Course Outline:

To understand multiple techniques and processes to identify, defend against and analyze Cyber Espionage malware (APT).

The Threat Intelligence workshop will focus on advanced threat actors and techniques analysts could use to identify or defend against them. The class will be tailored towards information security professionals with a background in the understanding of malicious attacks. Demonstrations of real-world attacks and analysis will be done through interactive labs using the PassiveTotal platform and Maltego transforms. Attendees will walk away with a better understanding of how to obtain, process and analyze attacks to mine more threat intelligence from them.

Who Should Attend: Those looking to understand more about analysis techniques centered around APT events.

Requirement for Participant: Register for an account and confirm your email on passivetotal.org. We will be able to sign up users on the day, but it will be a lot faster for each user to already have an account.

17 SEP 2015 (THURSDAY), 09:30 – 17:00

17 SEP 2015 (THURSDAY) – 18 SEP 2015 (FRIDAY), 09:30 – 17:00

INFORMATION SECURITY SUMMIT 2015

WORKSHOPS 17 September – 13 October 2015 1/F, HKPC Building, 78 Tat Chee Avenue, Kowloon

Workshop 3 (2 Days)

Hacking and Analyzing Your Android Application (Hands-On)

Speaker : Mr. Anfa Sam

Medium of Instruction: Cantonese with handout in English

Workshop 4 (2 Days)

Securing Custom Mobile Applications for Safe, Profitable E-Commerce

Speakers: Mr. Richard Stagg and Mr. Michael Dahn

Medium of Instruction: English

Nature & Objectives: Course Outline:

■ Understand general attack vectors
■ Finding vulnerabilities
■ Secure development

• Intro to Android Application Architecture
• Intro to OWASP Top 10 Mobile Risks
• Static Analysis
• Dynamic Analysis
• Application Analysis in Practice

Who Should Attend:

✓ Mobile (Java / ObjC) development experience
✓ Rooted Android phone (optional)

Requirement for Participant: Students have to bring their own notebook computer with the following software:

• Windows 7 or 8 with JRE & JDK 1.7.x with 30GB free disk space
• VM Player version 7 (https://www.my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player_7_0)
• GenyMotion for Windows 2.5 (https://www.genymotion.com/#!/download)
• Android Studio Bundle 141 (https://www.developer.android.com/sdk/index/html#other)

Nature & Objectives: Course Outline:

■ Moderately technical training, with discussion time likely to be more technical.
■ There is a focus on e-commerce/payment apps, but the instruction is applicable to all custom mobile apps.
■ Objectives are to teach all those involved in the lifecycle of a custom mobile application how to create and preserve security throughout the app's whole life, and – as a beneficial side-effect – how to achieve compliance with mandatory standards.

New mobile apps are being launched at an incredible rate, and the potential for e-commerce over mobile devices is growing as new payment methods emerge.

This two-day course looks at how to secure custom mobile applications, with a particular emphasis on e-commerce and payment security. We consider:

• Whole-lifecycle security, from design, through the software development lifecycle, testing, to deployment

• Safe interactions with digital wallets (Apple Pay, Google Wallet etc) and also new mobile payment techniques using NFC, “bumping” to pay, etc

• Detailed, specific guidance, with examples about:

- Securing the server side by design, detecting and responding to attacks

- Securing the communications between server and mobile, and between mobile and mobile

- Securing distribution and deployment of apps (both B2C and B2E, with enterprise app stores), and handling rooted/jailbroken devices

- Securing the client app, with a review of general principles, and technical specifics for iOS, Android and Windows devices

- Ongoing security, including updates, testing and vulnerability management through the whole life of the app

- Compliance issues, including PCI DSS, and how to make meeting compliance obligations a benefit, not an inconvenience

Who Should Attend:

✓ Mobile application developers
✓ Mobile application designers
✓ Technical managers, security officers, auditors or anyone else involved in QA for mobile applications

21 SEP 2015 (MONDAY) – 22 SEP 2015 (TUESDAY), 09:30 – 17:00

23 SEP 2015 (WEDNESDAY) – 24 SEP 2015 (THURSDAY), 09:30 – 17:00


Workshop 5 (2 Days)

Let's get your hands dirty with Honeypot Sensors (Hands-On)

Speaker : Mr. Tan Kean Siong

Medium of Instruction: English

Nature & Objectives: Course Outline:

Listening to network traffic and detecting network attacks are always exciting experiences.

In this workshop, we will gain real hands-on experience of setting up open source honeypot sensors to detect network-based attacks. We will have an insight into notorious network protocols that have been commonly targeted by attackers and by massive malware outbreaks in past years.

In addition, we will showcase the recently developed IoT (Internet of Things) honeypot capability for the Dionaea sensor, which could help us dive into the emerging IoT attack landscape.

• Dive into notorious network protocols for massive malware outbreaks in the past years

• Highlight the strategy and best practices of honeypot deployment/management

• Explore the IoT attack landscape and relevant network protocols

• Have an exciting hands-on experience of setting up a honeypot network sensor

Who Should Attend: Those interested in understanding more about detecting network attacks with honeypots.

24 SEP 2015 (THURSDAY) – 25 SEP 2015 (FRIDAY), 09:30 – 17:00

Workshop 6 (1 Day)

Cybersecurity Fundamentals

Speaker : Mr. Frank Chow

Medium of Instruction: Cantonese with handout in English

Nature & Objectives: Course Outline:

This workshop will introduce the concepts of cybersecurity using a systemic approach and will explore the direct influences on cybersecurity such as concepts, architecture principles and incident response and evolving technology (e.g. APT, Cloud, Mobile). (Help for the ISACA's Cybersecurity Fundamentals exam)

The Cybersecurity Fundamentals course consists of foundational knowledge across five key areas:

• Cybersecurity Concepts
• Security Architecture Principles
• Security of Networks, Systems, Applications and Data
• Incident Response
• Security Implications and Adoption of Evolving Technology (e.g. Advanced Persistent Threats, Mobile Technology, Cloud etc.)

Who Should Attend:

✓ Professionals with a familiarity of basic IT and information security concepts and who need to ensure a sound foundation knowledge of cybersecurity.
✓ Anyone planning to work in a position that requires cybersecurity knowledge.
✓ Anyone interested in the field of cybersecurity.

5 OCT 2015 (MONDAY), 09:30 – 17:00


Workshop 8 (2 Days)

Advanced Web Application Pentest Kungfu

Speakers : Mr. Anthony Lai and Mr. Zetta Ke

Medium of Instruction: Cantonese with handout in English

7 OCT 2015 (WEDNESDAY) – 8 OCT 2015 (THURSDAY), 09:30 – 17:00

Workshop 7 (1 Day)

ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27018 Information Security Standards - Auditing, Awareness and Updates

Speaker : Mr. Danny Yip

Medium of Instruction: Cantonese with handout in English

Nature & Objectives: Course Outline:

The purpose of this Workshop is to:

■ Provide an Overview of ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27018
■ Provide an in-depth analysis of the recent changes to the new versions of ISO/IEC 27001 and ISO/IEC 27002
■ Provide an insight into Information Security Standards ISO/IEC 27000 (revised) & ISO/IEC 27017 to be released in the next 12 months
■ Provide awareness tips to assist preparation for an ISO/IEC 27001 certification audit

• Overview of ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27018
• Overview of upcoming changes in ISO/IEC 27000 and ISO/IEC 27017
• In-depth analysis of recent changes in ISO/IEC 27001 and ISO/IEC 27002 and their impact on implementation of ISMS
• Major challenges encountered in implementation and certification audit of ISMS

Who Should Attend:

✓ Auditors with an interest in ISO/IEC 27001 certification
✓ Individuals interested in Information Security Management Systems (ISMS)
✓ Managers responsible for ensuring information security within their organization
✓ Organizations planning to adopt a world-class recognized approach to information security controls
✓ Anyone with an interest in understanding the changes to the new and upcoming versions of ISO/IEC ISMS Standards

6 OCT 2015 (TUESDAY), 09:30 – 17:00

Nature & Objectives: Course Outline:

We have already run Pentest Kungfu Part 1, covering OWASP Top 10 and basic tricks and skills in both network and web application penetration testing. This time we would like to present somewhat more advanced topics related to cryptography and development frameworks, and train you up with some mini-wargames.

The basics of cryptography will be briefed, but most of the time we will cover tricks and attacks on systems that depend on crypto and hashes in their authentication and sessions. Meanwhile, we will cover some common flaws of development frameworks.

In addition, there will be a practical group session to review what you have learnt about OWASP Top 10 and tricks via a CTF (Capture The Flag) game.

This course is for people who have understood Pentest Kungfu Part 1 from us and/or understand OWASP Top 10 well.

• OWASP Top 10 Quick Review
• Intermediate level and advanced techniques in XSS and SQL Injection
• Development Framework vulnerabilities
• Web security test technique with crypto
• CTF game to test your skills

Who Should Attend: The target audience is anyone who would like to get familiar with web application penetration testing, especially IT auditors, system administrators and software developers, as they could apply the learnt skills to test/audit their systems. It is also good for people who would like to transform themselves into penetration testers.


Workshop 9 (2 Days)

Securing your Enterprise Mobility - Strategy, Operations and Technology (Hands-on)

Speakers : Mr. Aditya Modha and Mr. Vilakshan Jakhu

Medium of Instruction: English

Nature & Objectives: Course Outline:

A live hands-on workshop with the objective of giving participants a live hacker’s perspective on how popular hacks are executed, along with workarounds for ensuring security against those hacks.

Mitigate against common vulnerabilities and security threats against web, wireless and mobile applications & their platforms.

Live demonstrations and practical sessions of methods used to attack web applications, wireless networks and mobile devices, including OWASP Top 10 and other attacks.

Each individual will be provided with a Certificate of Completion and a Practical Toolkit (DVD) with tools used during the workshop, white papers, video tutorials, etc.

Who Should Attend:

✓ CIO & CISO
✓ Innovation Office and Strategy Team
✓ IT Security & Audit Professionals
✓ Application Developers
✓ Information Technology & Security Operations Team
✓ IT Risk management professionals
✓ Mobile Application Developers

Requirement for Participant: Participants will need a spare smart phone (preferably an iPhone).

12 OCT 2015 (MONDAY) – 13 OCT 2015 (TUESDAY), 09:30 – 17:00


2. Please fill in the form below to complete registration:

Company / Organization :

First Name : Surname : (Shown on Workshop Attendance Certificate only)

Position :

Phone : Fax :

Mobile : E-mail :

Address :

Name of Organizer / Supporting Organization (if applicable) :

1. Please " ✓ " the conference/workshop(s) you would attend and complete the form below for reservation!

Payment

Please send Cheque, made payable to “Hong Kong Productivity Council”, to: ITD, 2/F HKPC Building, 78 Tat Chee Avenue, Kowloon, Hong Kong (Attn: Ms. Tracy Choy) for seat confirmation.

For Enquiry: Please contact Ms. Tracy Choy at (852) 2788-5884.

Supporting Organizations

Media Partners: iPhone Android Cloud; www.linuxpilot.com

Consent Statement

Personal data (including your name, phone number, fax number, correspondence address and email address) provided by you will be used for the purpose of the administration, evaluation and management of your registration by HKPC or HKPC’s agent. You have the right to request access to, and amend your personal data in relation to your application. If you wish to exercise these rights, please send email to: [email protected].

HKPC intends to use the personal data (including your name, phone number, correspondence address and email address) that you have provided to promote the latest development, consultancy services, events and training courses of HKPC. Should you find such use of your personal data not acceptable, please indicate your objection by ticking the box below:

□ I do not agree to the proposed use of my personal data in any marketing activities arranged by HKPC.

□ I do not agree to the proposed transfer of my personal data to HKPC's sponsor(s) involved in this event for any marketing activities.

The Hong Kong Institution of Engineers, Information Technology Division

The Institution of Engineering and Technology

British Computer Society (Hong Kong Section)

Internet Security and PKI Application Centre

Price columns, in order: Early Bird Price (Non-Member) | Early Bird Price (Member of Organizer/Supporting Organization) | Normal Price (Non-Member) | Normal Price (Member of Organizer/Supporting Organization)

Conference (Day 1) ■ * Free of Charge (Please select the session(s) you would attend!)

Conference (Day 2) ■ * Free of Charge (Please select the session(s) you would attend!)

Workshop 1 ■ HK$3,050 ■ HK$2,850 ■ HK$3,250 ■ HK$3,050

Workshop 2 ■ HK$5,750 ■ HK$5,550 ■ HK$6,000 ■ HK$5,750

Workshop 3 ■ HK$5,750 ■ HK$5,550 ■ HK$6,000 ■ HK$5,750

Workshop 4 ■ HK$5,750 ■ HK$5,550 ■ HK$6,000 ■ HK$5,750

Workshop 5 ■ HK$5,750 ■ HK$5,550 ■ HK$6,000 ■ HK$5,750

Workshop 6 ■ HK$3,050 ■ HK$2,850 ■ HK$3,250 ■ HK$3,050

Workshop 7 ■ HK$3,050 ■ HK$2,850 ■ HK$3,250 ■ HK$3,050

Workshop 8 ■ HK$5,750 ■ HK$5,550 ■ HK$6,000 ■ HK$5,750

Workshop 9 ■ HK$5,750 ■ HK$5,550 ■ HK$6,000 ■ HK$5,750

CPE Hours: A number of supporting organizations have indicated that recognition credits will be awarded for attendance and participation in the Information Security Summit Workshops. Please check with your local organization for the level of credits you will be entitled to receive.

Total: HK$

* EARLY BIRD price on or before 31 August 2015

INFORMATION SECURITY SUMMIT 2015

REGISTRATION