IISP Congress and Crest Con

Wednesday 20th March 2013 saw the IISP and Crest organisations have their first joint conference. Details 

Agenda for stream 1.  Agenda for stream 2

Stream 1

Agenda – STREAM 1
09:00 – 09:30 Registration
09:30 – 09:40 Ian Glover & Alastair MacWillson, CREST & IISP, Welcome & Coffees
09:45 – 10:30 Russell Kempley BAE Detica, Command and Control
Assessing command and control channels; including how we find them using external threat intelligence, behavioural
analytics, malware analysis; and how we investigate them through traffic analysis, listening on the target and deobfuscation and decryption. The presentation includes examples of hiding in plain sight, breaking obfuscation and
tunnelling through other protocols and gives an assessment of where we are now as well as known incidents.
Requirements for architects, penetration testers and incident responders are also detailed.
10:35 – 11:00 Jamie Riden, PTP, Network Honeypots to Augment Intrusion Detection Systems
By careful placement of network honeypots masquerading as production servers, it is possible to receive rapid
notification of exploratory scans on internal networks that are indicative of a compromise or an insider attack. By
creating a new server with no business function, the number of false positives can be greatly reduced over standard
intrusion detection systems that are configured to examine all traffic on a network. This technique is not intended to
replace traditional IDS, but to augment it; that is to alert the operator and indicate that the IDS and other available
logs need to be examined to see if the action is truly malicious. The capabilities of the honeypot can also be enhanced
to provide active response for the local network.
Jamie Riden has worked in software development, system administration and more recently IT security, including at
Massey University, New Zealand where he was involved in incident response, forensics and intrusion detection. During
this time he developed an interest in using honeypots to discover more about attackers and methods used to
compromise machines, and actions taken post-compromise. He has been working in full time penetration testing for a
number of years and holds CCT App and Infrastructure, and has an Erdös number of 4.
11:00 – 11:30 Coffee & Networking
11:30 – 12:15 Melissa Augusti, McAfee, Memory Forensics: Finding What Isn’t There
Malware is out to get you and it is getting smarter – rootkits hiding themselves from normal IR triage and, malware
injecting itself into valid processes- You even have malware that has little to no hard disk footprint. Memory forensics
is the answer to help find the ‘badness’ on your machine. Malware cannot hide in memory– no matter how obfuscated
it looks. In this talk, we go over some of the techniques malware uses to thwart traditional analysis and how memory
forensics defeats it. Are you grabbing memory dumps in your analysis? After this presentation, you will be asking why
Melissa has 5 years in the computer security realm, and within that time frame has touched almost every aspect of
forensics. Beginning her career with the US Department of Defense, she was a member of the Incident Response FlyAway Team—travelling around the country analyzing intrusions. Now as a member of McAfee Profession Services
Foundstone here in EMEA, Melissa conducts Emergency Incident Response in the region as well as focusing on
memory forensics and malware analysis. She currently resides in London.
12:20 – 12:45 Jermaine Ellis, GDS, P0wn Clock Cycles, not Your Wallet: Hacking with Cheap Hardware
Cheap hardware hacking demonstrates that hacking does not have to be expensive or complex. All that is needed is a
little imagination, a soldering iron and the open source community. In recent years, the security community has seen
huge leaps forward in computational power, mainly by using advanced and expensive hardware accelerators. This
presentation will demonstrate how individual hackers, such as an independent security specialist, can take advantage
of cheaper hardware to get the performance they need. We will also talk about how to create your own hardware
devices, which can be used for security purposes. Jermaine Ellis is a penetration tester working with Gotham Digital Science in London. He focuses on web application,
infrastructure and thick application testing. Before becoming a member of the Gotham Digital Science team, Jermaine
was working with electronics, constructing many useful and original gadgets. This has enabled Jermaine to use his
creativity to view security challenges in new and interesting ways. By combining his knowledge and passion for both
security and electronics, he is able to construct new security hardware which harmoniously integrates with computer
systems. With this combination of hardware and IT security, Jermaine is becoming a recognised name in both the
hardware and software security world.
12:45 – 13:45 Lunch
13:45 – 14:30
A Cloud of Bugs, Kevin O’Reilly, Context Information Security
Performing security testing of Infrastructure as a Service requires not just traditional external infrastructure pen
testing techniques, but also Hypervisor breakout testing, internal infrastructure testing, and new traps and tricks.
This talk will cover some of the more interesting security bugs that have been found in the Cloud and the new
techniques that have to be used to perform these types of assessments. This includes the Evil PXE attack, Dirty
Disks, Hypervisor breakout etc.
14:35 – 15:20 Ari Davies & Paul Marsh, Deloitte, Electronic interception of RF
This talk will address some of the non-mainstream methods of electronic interception that attackers are increasingly
using against businesses. We’ll cover the more well-known systems such as Wi-Fi, Bluetooth and DECT interception,
but also touch on other systems such as digital ‘private’ mobile radio, RFID entry systems, VSAT satellite data
networks, SCADA telemetry and microwave links.. We’ll give you some sanitised examples of ‘real world’ findings as
food for thought.
Ari has been an ethical hacker and penetration tester for over 12 years with a specialisation in information warfare
and a background in the more exotic information assurance exercises such as social engineering, red teaming, and RF
systems use and abuse. However, Ari’s weak spot is cybercrime both from a technical as well as ethical and
philosophical point of view. Paul has been hacking terrestrial and satellite RF systems since the early 90’s, this coupled
with his interest in ‘infosec’ has led to a natural combination of the two subjects. Paul also enjoys hacking electronic
and embedded systems, mechanical engineering and red-team pentests.
15:20 – 15:50 Coffee & Networking
15:50 – 16:15 Andy Davis, NCC Group, To dock or not to dock, that is the question
Laptop docking stations are widely used in the corporate world, but they are an attractive target for an attacker. They
have access to the network, to all the ports on a laptop and are permanently connected to a power supply. But most
importantly, they are considered to be trusted, ‘dumb’ devices. The IT department is more concerned about someone
stealing your laptop, so they’ll ask you to secure your laptop with a Kensington Lock (but not necessarily to secure the
dock). This talk is about how attackers can exploit the privileged position that laptop docking stations have within the
corporate environment to ex-filtrate sensitive data. It will also include a demo of a fully functional, remotely
controllable hardware implant; and most importantly, it will discuss some of the techniques that can be employed to
detect such devices and mitigate the risks they pose.
Andy has worked in the Information Security industry for over 20 years, performing a range of security functions
throughout his career. Prior to joining NCC Group, Andy held the positions of Head of Security Research at KPMG, UK
and Chief Research Officer at IRM Plc. Before working in the private sector he worked for ten years performing various
roles in Government. Recently, Andy has been leading security research projects into technologies such as embedded
systems and hardware interface technologies and developing new techniques for software vulnerability discovery.
16:20 – 16:45 Arron Finnon, Activity, The doer alone learneth – Building a better understanding of your
NIDS/NIPS have a rich and documented history of being subverted, almost as rich as their history of failing at
detecting intrusions. This has led to the somewhat universal declaration of their death amongst many security
practitioners; and yet even amongst this deathly chorus they are still being deployed in great numbers. This talk
looks at why auditing and testing of security devices such as NIDS/NIPS is beneficial to organisations. Why the
current NIDS/NIPS environment is limiting in a testing context and what steps can be taken by organisations to
conduct a worthwhile test of these devices. Additionally, the talk will discuss what current steps are being taken by
the security community itself to better test and maintain devices such as NIDS/NIPS.
Arron “finux” Finnon has been involved in security research for a over 6 years. Arron has discussed a wide range of
security related topics at a number of Security/Hacking conferences in the UK, Europe, and America as well as
produced over 60 security related podcasts. Interviewing countless security professionals as part of the Finux Tech
Weekly Show. During Arron’s time at Abertay University he was awarded the SICSA Student Open Source Award for
his Advocacy of Free and Open Source software. Now a Consultant Researcher for Activity Information Management
Ltd, he spends most of his time involved with security research, testing and consultancy.
16:50 – 17:00 Ian Glover, CREST, Closing Address
17:00 – 18:00 CREST & IISP, Drinks and Networking

Stream 2

Agenda – STREAM 2
09:00 – 09:30 Registration
09:30 – 09:40 Ian Glover & Alastair MacWillson, CREST & IISP, Welcome & Coffees
09:45 – 10:25 Keynote: Chris Ensor, CESG, Building Capacity to Meet today’s Cyber Threat
10:30 – 11:00 Ed Hamilton, PwC, Are Organisations Prepared
11:00 – 11:30 Coffee & Networking
11:30 – 12:00 Stephen Bonner, KPMG, Can CISO’s Rise to the Challenge
12:05 – 12:35 Discussion: Is the Security ‘Model’ Broken
Panel: Alastair MacWillson, Accenture and IISP Chair (facilitator)
Adrian Davis, ISF
Ian Bryant De Montford University
12:35 – 13:35 Lunch
13:35 – 14:05 Bob Nowill, BT, Next Generation Security Operations
14:10 – 14:40 Dave Bailey, BAE Detica, Advanced Analytics & Threat Detection
14:45 – 15:15 David Alexander, Cassidian, Securing Critical Infrastructures
15:15 – 15:45 Coffee & Networking
15:45 – 16:15 Andrej Kawalec, HP, Big Data and Security
16:20 – 16:50 Discussion: Is the IISP Prepared
Panel: Wendie Deamer, Atos (Facilitator)
John Pringle, AWE
Jeff Booker, Lloyds
16:50 – 17:00 Alastair MacWillson, IISP, Closing Address
17:00 – 18:00 CREST & IISP, Drinks and Networking


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s