Identity Next Belgium 2012

14-Nov-2012

Identity Next Belgium

Identity.Next Belgium 2012
The Identity.Next Belgium event is an initiative of LSEC and the IDentity.Next association. The main mission of IDentity.Next is to create an open and independent platform to support and facilitate innovative approaches in the world of digital identity, create awareness about digital identity, provide a knowledge and networking platform for IT experts, business experts and marketeers as a European centre of expertise, and ensure that everyone connected with the association stays at the forefront of technology, services and business by supporting innovation and by stimulating and supporting knowledge exchange and collaboration.
Yearly, LSEC organizes and co-organises almost 40 different activities in Belgium and abroad. Traditionally, the association has been actively promoting electronic identity and related business, academic and technology activities since 2002.
Now in its third year, IDentity Next has been organizing IDentity Next activities in the Netherlands. For the first time, in partnership with LSEC, IDentity Next Belgium is being founded.
The Identity.Next Association and LSEC will jointly organize the first Identity Next Belgium. This mix of two strong concepts, each a leader in its space, will bring together European experts in the domain of Identity Management.

Present and Future of the Digital Identity

The Belgian (un)-conference will be content-rich and offer an independent perspective, consisting of debates, workshops and presentations about “The Digital Identity”.

Program Outline

The program aims to give a balanced view of current discussions on identity and information security topics from government, end users, academia and industry.

(Please note that not all of the following speakers have confirmed yet, and we remain open to other suggestions.)

1. Keynotes
a. Government Keynote
b. Analysts Keynote : Evolutions of electronic identities, Mike Small / Martin Kuppinger
c. tbd

2. (Un)-conference debates
The participants decide which topics they would like to get covered, and to have an interactive discussion with peers and experts, sharing opinions, discussion possibilities and challenges. Food for thought or networking at its best.

3. Panel discussions
a. how electronic identities impacted e-government (or not?)
i. (FEDICT, EC, (NL?), (DE?), (FR?))
b. the evolving impact of electronic identities
c. yet another discussion about cloud, but more about “when” than about “if”
d. identity in Network Access Control: pros and cons
e. it’s all about information access management, isn’t it?
f. convergence of electronic identities

4. Presentation Tracks
a. how electronic identities impacted business and government
1. Electronic Identities, relevant for today’s IT beyond Single Sign On, Wouter Janssen, Axl Trax
2. Federated identities, empowering IT systems beyond the local networks, Marc Vanmaele, Secure-IT
3. (TBD)

b. Track : Identity Risk Management
1. Vulnerability Assessment, Rik Van Bruggen, Courion
2. Identity Analytics, Antonio Gomez, Oracle
3. Identity Risk Management, Jan De Meyer, Director, Ascure - PWC

c. Track Authentication Evolution
1. Knowledge based authentication, Dave Vijzelman, CA Technologies
2. Evolution of the token, Bart Renard, Vasco Data Security
3. Authentication of applications, services and systems, and unified IDs (Patrick Coomans?), Terremark – Verizon Business

d. Innovative Identities
i. TheWriteID; Digital Identity as it should be, Tim de Coninck (initiator of TheWriteID, http://www.a-cup-of-t.com/thewriteid.html)
ii. Tbd
iii. tbd

e. Track From Identity Management to Information Access Management, a small technological step, but a giant step for business opportunities
1. Information Access Management, controlled sharepoint access, Henk van der Heijden, CA Technologies
2. Document Management, Storage and Security, a powerful combination, Dominique Dessy, RSA the Security Division of EMC
3. The return of DRM?, Peter Van Eeckhout, McAfee - Intel

f. Policy based risk management and access control :
1. From X500 to policy based identity management, Frank Jorissen, eInitiatives – Tygris
2. From business to policy, to XAML and identity access
3. Data center hardening and IAM, by Bernard Francis, Security Practice Manager, BULL Services and Solutions

Abstract : One of the main missing building blocks of any IAM solution is the “execution” phase, which would allow identity and access reconciliation (compare the implemented access right with the access policy). This account management is mainly built upon a strong access control (to systems resources) linked with an efficient intrusion detection, audit and reporting system.
Bull, based on its long integration experience and its commitment to open source solutions, has developed a solution which fulfils these requirements. Experience showed that between a proof of concept and a real-world deployment, project implementation is more focussed on integrating applications into the overall hardening system than on a pure overall technical target.
The presentation outlines the return from experience regarding the move of an overall Unix datacenter landscape into a complete identity and access management solution including strong authentication and audit based on OpenLDAP, Kerberos and OSSEC.

g. The Mobile imperative
1. Mobile Identity Management, sooner or later? Bart Preneel, COSIC, KU Leuven
2. Device Management, another perspective on Mobile Identity? Ulrik Van Schepdael, Mobco
3. Beyond BYOD, information protection on mobile, Ron Ryman, Eurikify
4. (Mobile Payment and Mobile Banking identification, (TBD))

h. Data Protection Evolution
1. The change of the data protection regulatory landscape and impact on managing electronic identities, Hans Graux, Time-Lex

Abstract : On 25 January 2012, the European Commission officially published its proposal for a new legal framework for data protection. The proposal would create a single harmonized legal framework that would apply directly across the EU. But how would this proposal impact existing IDM systems, both in the public and private sector, and what are the chances that the current proposal is adopted as it stands? This presentation will examine some of the more interesting aspects of the proposal for IDMS operators, including an assessment of the main expected benefits and downsides.

About : Hans Graux is an IT lawyer at the Brussels based law firm time.lex (http://www.timelex.eu), a firm that specialises in telecommunications, IT/IP, media and e-business. The firm offers strategic and operational legal support in the creation, management and exploitation of information and technology, in all of its diverse forms. In addition, Hans is an affiliated researcher at the Interdisciplinary Centre for Law and Information Technology of the Catholic University of Leuven (ICRI - http://www.icri.be). He graduated in Law in 2002, and obtained a complementary degree in IT in 2003. He then joined the ICRI, where he did fundamental research on a number of IT law related issues, with a specific focus on electronic identity management, data protection and e-government initiatives.

In May 2005 he became a lawyer at the bar of Brussels, and participated in a number of international ICT policy studies, primarily for the European Commission. In July 2007, he co-founded time.lex. His expertise lies mainly in the collection of legal and administrative information in cross border studies, in the analysis of legal frameworks and policy choices, and in formulating specific policy recommendations in this field to eliminate barriers to the correct functioning of the internal market. His recent work has focused specifically on eSignatures, electronic identity management, data protection and cloud computing.

2. Monitoring and data analytics (TBD)
3. Privacy enhancing technologies and electronic identities, (Ronny Bjones, Microsoft)

i. Should I stay or should I go, about identities in the cloud
1. The business case for Cloud Based Identity, (Everett?)
2. ?? other cloud ID provider ??
3. TBD (Facebook, Google+), …

Other topics are to be discussed and will be made public when available.

Practical Details

Identity.Next Belgium 2012

an organization by LSEC and Identity.Next Association

November 14 - 15th, HuisvandeAutomobiel (http://huisvandeautomobiel.be/)

Register now to secure your seat at http://identitynextbelgium.eventbrite.com

Early bird registration (ends September 30th), 199 € (per person, excluding fees and VAT).
General admission, 299 € (per person, excluding fees and VAT).
LSEC Members, LSEC partners and partner Members, Agoria Members, ECSA Members will be able to subscribe for 199 € (per person, excluding fees and VAT).

Speakers and contributors will be able to participate for free.

Special packages are available for guests and partners.

This event was supported by CA Technologies, an LSEC platinum sponsor for our events. We are always open to other, additional interested parties.

About the organizers :

This event is co-organized by LSEC, a not-for-profit association focused on Information Security in Belgium. Over the last couple of years, LSEC has organized over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in security in the North Western European region. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions. (For more information, please visit http://www.leadersinsecurity.org)

Identity.Next association is an open and independent platform that supports and facilitates innovative approaches in the world of the Digital Identity, creating awareness and providing a knowledge and networking platform for experts in IT, Business and Marketeers as a European centre of expertise. (For more information, please visit http://www.identitynext.nl)

Preliminary Program

Call for papers is now open.
Submit your ideas for papers, panel discussions or un-conference activities until August 31st, via identitynext @ lsec.be

Practical Details

Brussels, Huisvandeautomobiel, November 14 - 15th, conference and un-conference

subscriptions : http://identitynextbelgium.eventbrite.com

ISSE 2012

23-Oct-2012

ISSE 2012
INFORMATION SECURITY SOLUTIONS EUROPE CONFERENCE
23 - 24 OCTOBER 2012, BRUSSELS, BELGIUM
CALL FOR CONTRIBUTIONS

ORGANISED BY:
EEMA - The Independent European Association for e-Business
TeleTrusT – IT Security Association Germany
LSEC
Revolution events

SUPPORTED BY:
EU Commission and ENISA - The European Network and Information Security Agency
Brussels Region

ISSE is the only independent, interdisciplinary, unbiased and European focused conference for the presentation and discussion of technical, commercial, organisational, legal and political concepts for information security as well as privacy and data protection.
The focus of ISSE is on security as a part of business processes and electronic transactions.
One of the biggest challenges today is to manage security in applications: issues like return on investment, total cost of ownership, risk management as well as interoperability are of great importance. In 2012 ISSE will focus on submissions on implemented security solutions and case studies from specific application areas and industry sectors:
○ eBusiness
○ financial sector and enterprise security
○ health care
○ eGovernment and public sector
○ private sector

THIS CALL FOR CONTRIBUTIONS IS INTENDED TO…
…call for papers and other contributions such as round tables, panels and plenaries. Papers can be accepted for the ISSE Publication regardless of whether they will be presented at ISSE 2012.

TARGET GROUPS:
Technical Experts (Developers, Architects)
Researchers and Academics
Heads of IT Department
General Business Managers
Implementers
Systems Administrators
Security/IT Managers
Representatives from Government and Policy Makers
Product Managers and Marketing Experts
Legal/Compliance/Regulatory Professionals
Consultants and Business Analysts
Business or Risk Managers
CEOs/CIOs/CSOs/CTOs
IT Business Development and Sales Experts

TOPICS
The submissions to ISSE should be original research results, survey articles or case studies and position papers.
Presentations promoting products will be rejected.

For ISSE 2012 we are especially interested in the following topics (others will be considered):

EU Digital Agenda and Relating Aspects
European Security, eID, Standardisation (CEN/CENELEC, ETSI) Interoperability of Applications, Governance Rules, European Cybercrime Activities, Revision of eSignature, eGovernment and Data Protection Rules

Critical Infrastructure Protection and physical Security
CERT/CSIRT – European and Global Developments, Resilience of Networks and Services, Surveillance Techniques and Analytics

Cloud Computing Security
Security of Data in the Cloud, Virtualisation, Security Architecture, Cloud Security Governance, Cloud Security risks, Trustworthy Migration to the Cloud, Service Level Agreements

Security Management and Economics of Security
Risk Mitigation, Compliance and Governance, IT Security Ecosystem

Trustworthy Infrastructures
Rules & Regulations, Resilience & Availability, Privacy & Data Protection, Backup, Recovery & Key Management Services

Solutions for Mobile Applications
Platform Security, Transaction Security, Information Security, Secure NFC Solutions, Threats & Risks, Mobile Malware, Security for Apps, Privacy Aspects, Management of Mobile Devices

Identity and Access Management
Borderless e-Identification, Biometrics, Smart Tokens, e-ID-Cards, e-Passports, RFID & NFC Solutions, Infrastructure Solutions, Trust Levels, Risk Mitigation, Liability, European Interoperability Programs, Business Models, Attribute Verification

Secure Embedded Systems
Emerging Applications, Smart Grid & Automotive Solutions, Ubiquitous Computing, Enabling the Internet of Things (M2M Security)

Privacy and Data Protection in Cyberspace
Privacy and Data Protection Issues in Web 2.0 and Cloud Environments/Social Networks/Search Engines, Use of Privacy enhancing Technologies, Concepts for Security Breach Notification

Awareness and Education
Transparency/Customer Awareness and legal Obligations, Awareness for Social Networks, Mobile Computing/Communication, Cloud Application

Hackers and Threats
Awareness Raising, Social Engineering, Protection against Mail and Web Attacks, Vulnerability Assessment, Penetration Testing

Enterprise Security Services
Authentication, Authorisation and Accounting, Governance, Risk and Compliance, Data Leakage Protection, Enterprise Rights Management, Forensics, Security related Services

CyberWar, Cybercrime and Forensics, Fraud Detection & Prevention
Attacks and Countermeasures against industrial Infrastructures (SCADA)


INSTRUCTIONS FOR SUBMISSIONS
Presentations and other contributions at ISSE conferences are invited as well as selected from abstracts submitted in advance. The process is completely neutral: speakers are solely selected on the merit of their submissions and their position in the organisation.
○ Please submit an extended abstract using the ISSE 2012 template (Download)
○ If you want to submit a round table, a panel or a plenary please also use the ISSE 2012 template
○ After filling in the submission template please upload onto our submission website: http://isse2012.teletrust.de/hotcrp
○ If you have any questions regarding the submission process, please contact:

Marieke Petersohn
ISSE 2012 Programme Manager
TeleTrusT – IT Security Association Germany
marieke.petersohn@teletrust.de
Tel.: +49 30 4005 4308

Sophie Reimer
ISSE 2012 Programme Manager
TeleTrusT – IT Security Association Germany
sophie.reimer@teletrust.de
Tel.: +49 173 3543 069

DEADLINE FOR SUBMISSIONS

MAY 11TH 2012

If you are invited as a speaker, please note: ISSE does not offer honorariums or reimburse travel expenses. Every speaker will be charged a nominal fee of 350 € to cover a part of the costs related to their conference participation.

ISSE PUBLICATION
ISSE offers a publication of the accepted papers as printed proceedings in “Securing Electronic Business Processes - Highlights of the Information Security Solutions Europe 2012 Conference”. Papers promoting products will be rejected.

WEBSITE
Regularly updated information about ISSE 2012 will be available at: http://www.isse.eu.com

SPONSORSHIP OPPORTUNITIES
If you are interested in sponsoring the event and in other promotional opportunities please contact Deborah Puxty at +44(0)1892 820936 or deborah.puxty@eema.org.

STEERING COMMITTEE:
Jon Shamah (eema)
Roger Dean (eema, Co-Chairman)
Ulrich Seldeslachts (LSEC)
Wolfgang Schneider (TeleTrusT)
Norbert Pohlmann (TeleTrusT)
Holger Muehlbauer (TeleTrusT)
Helmut Reimer (TeleTrusT)

Mobile Payment, Mobile Banking, Mobile Security

10-Oct-2012

In December 2011, mobile commerce (internet retailing via mobile devices) increased by 173% from the previous month. From about 4 billion today, M-commerce is expected to grow to over 25 billion € by 2016. In a Europe where smart phones are omnipresent and mobile internet can be accessed almost everywhere, it is becoming obvious that consumers are increasingly prepared to use their handsets as a means to carry out various types of transactions.

Join us in discussing the evolution of the traditional payment system, and join our closing keynote speaker Detlev Schlichter on “Paper Money Collapse” on the evening of October 10th.

Introduction

Mobile Payment today? Mobile Payments Secure?
Safely Mobile Banking in Europe?
New developments, market opportunities and the future is near.

Carrying a mobile phone suddenly became more obvious than carrying a wallet with cash, payment cards, ID and other plastic.
Transactions could be purchases via e-commerce stores, but there have already been numerous test cases using handhelds as a means of payment in traditional stores, for instance by using NFC. In various major European cities, citizens pay their parking meter in the street by SMS. Today, PayPal, Google and many other service providers have mobile apps available that allow their customers to transfer funds wirelessly.
We are witnessing a second wave of interest in mobile payments. But similar to the first one, there are many fragmented attempts with a diversity of channels and technologies.
This fragmentation has been one of the key reasons why the market has not yet picked up.
Another challenge of this development is ensuring security. Whilst security is a constant challenge in traditional payment and banking systems, the risks facing mobile applications are incremental. Depending on the technology used for transactions (NFC, wireless 3G or Wi-Fi), security is additionally affected by the OS of the handheld device and by the terminals on the other end. Payment processing providers have developed a series of standards to secure those transactions, but today’s applications are being challenged by mobile Trojans, wireless sniffers and flaws in the OS that impact the trustworthiness of the underlying systems. Security professionals serving the financial services industry, e-commerce and retail organizations and other related industries should become aware of the ongoing developments and seize the opportunity of processing those transactions in a trustworthy manner.

More information can be found in the Conference Program.

(Last updated, April 17th 2012, 12.21h).

Background

This conference is jointly organized by LSEC in collaboration with Agoria ICT, Agoria Banking Club, Mobile Mondays Brussels and the European Security Innovation Network. Agoria is a Belgian federation of technology companies, representing in this case both ICT and Banking services. LSEC is an association of information security companies. Over the last couple of years, LSEC has organized over 100 highly professional information security oriented activities. Mobile Monday Brussels brings together developers, manufacturers and services organizations in the domain of mobile applications.

In 2011 LSEC, Agoria ICT, Agoria Banking Club (ABC) and Mobile Mondays Brussels started the initiative of the European Mobile Payment Ecosystem, which intends to stimulate the development of mobile payments in Europe. The associations bring together the interests of companies, research institutes, policy makers and experts active in the domain of mobile payments, mobile banking, mobile transactions and mobile security. They consist of operators, financial institutions, transaction services, application developers, system vendors, integrators and consultants.

A unique location

A unique location, easily reachable. The House of the Automobile is ideally situated between Brussels airport and the centre of Brussels, just minutes from the European institutions.
Private parking is available for attendees.
All conference rooms have daylight and an ultra modern showroom.

Address :
Huis van de Automobiel
Woluwedal 46, bus 6
1200 Brussel
Tel. : 02/778.64.00
Fax : 02/762.81.71
E-mail : info@huisvandeautomobiel.be
http://www.huisvandeautomobiel.be/ for driving directions.

For cars and bikes, spaces have been reserved in the underground parking (access via the Tiendenschuurdreef).

Market Background

Organizing this conference in Brussels is unique because it not only offers the opportunity to address various related topics in mobile transactions, but also brings together a variety of market aspects that need to be considered in the deployment of mobile transactional systems such as mobile payments or mobile banking. Being organized in Brussels, it also offers the opportunity to relate to policy makers and supporting organizations which have an interest in these ecosystems.

1. Mobile Payment

The mobile payment supplier landscape is a fragmented list of companies, active in the domain of payment and financial services, mobile application developers, telecommunications operators and various technology providers such as terminal and mobile phone manufacturers, security technologies and system integrators.

Download the conference program for more information.

2. Mobile Banking

Mobile Banking has been around in various European countries for many years, but has seen a recent take-off with the appearance of the iPhone and Android systems in the market. All major banks have some form of mobile banking environment, and the way those are developing is quite different on a per country basis. In some cases the offering is getting close to serving also mobile payments, or at least peer to peer transactions between customers amongst themselves, or between customers and merchants.

Download the conference program for more information.

3. Mobile Security

Included in these discussions are the key inhibitors for mobile payments to take off. Security is an instrumental part of the trust relationship between buyer and seller, but security on mobile continues to be a challenge.

Today, a growing number of fraud cases has already been identified, typically in markets throughout the world and especially in Europe where mobile banking has taken off. The discovery of Zeus in the Mobile in 2011 in Spain and Poland is an excellent example of the increasing level of sophistication of fraudsters aiming for mobile money transactions.
During this track, we will be focusing on the developments of the security landscape on the terminal, application and systems side and try to get an indication of the fraud evolution in the mobile arena.

Download the conference program for more information.

Preliminary Program Day 1

8.00 - 9.30 : Registration

9.30 : Introduction by Ulrich Seldeslachts, CEO LSEC and Christian Vanhuffel, Director Agoria ICT

9.45 : Keynote : the Mobile Payment state of play, the changing financial services landscape impacting consumers, merchants, operators, services providers and financial services institutions, by Sirpa Nordlund, Executive Director, MobeyForum

About : Ms Nordlund currently serves as Executive Director of Mobey Forum. Previously a guest speaker at Mobey Forum events, Ms Nordlund is now responsible for the direction of Mobey Forum initiatives and for overseeing the operational management of the group. Prior to joining Mobey Forum, Ms Nordlund served ten years at Nokia, where she held several management positions. She was especially involved with the business development of NFC. More recently, Ms Nordlund was responsible for the sales in selected European markets at Venyon, which provided trusted NFC services as a subsidiary of Giesecke & Devrient. Ms. Nordlund has held the position of Mobey Forum Executive Director since 2010.

10.20 : Keynote : Austrian business case & key learnings. From a fragmented operator perspective, challenging banking relations to a consolidation by the operator and the evolution of the transactions : Paybox, by Peter Lohmann, Head of Related Affairs, mobilkom austria AG

The ever growing panel discussion.
This is an unusual panel setup. We will start with some of the challengers in the market, providers of mobile payments services, challenged by some of the innovators, the new technology providers and services providers and finally adding the existing operators and their interests into mobile payments.

10.50 : Panel discussion 1 : challengers

Peter Lohmann, mobilkom austria
Mark Owen, Head of M2M , Orange
Wim Westerhof, Program Director Program Sixpack - Rabobank
Gil Bernabeu, Globalplatform

11.30 : Break

12.00 : Panel discussion 2 : innovators

Jan Van Wijnendaele, CEO Tunz
Jonathan Prince, CEO MPulse, Digicash
Anthony Belpaire, Alcatel Lucent

12.40 : Panel discussion 3 : dinosaurs

Jonathan Main, MasterCard WorldWide
Bernard Vanderlande, Atos
Dirk Cuypers, KBC

Innovations In Payment Delivery Channels - What Do They Mean For Payments Providers In Competitive And Operational Terms?
Debate all aspects of multi-channel delivery - from online to contactless and remote mobile payments - and explore their potential for both retail and wholesale payments providers.

13.10 : networking walking lunch & buffet

14.30 : break outs part 1

Mobile Payment Innovators :
14.30 Tunz.com, Jan Van Wijnendaele
15.00 Alcatel Lucent, Anthony Belpaire
15.30 Clearpark, TBD

Mobile Payment Platforms
14.30 Six-Pack, Wim Westerhof
15.00 Globalplatform, Gil Bernabeu
15.30 O2, Mark Owen

16.00 : Break

16.30 : closing keynote 1 : Near Field Communications, a means to an end or more than just a wireless mechanism for delivery of mobile payments, from the perspective of the world-leading payment facilities providers, by Jonathan Main, Business Leader Mobile, MasterCard Worldwide Emerging Payments and former Technical Committee Chairman of the NFC Forum

17.05 : closing keynote 2 : Detlev S. Schlichter, Paper Money Collapse

Detlev S. Schlichter is an author and Austrian School Economist. His first book Paper Money Collapse – The Folly of Elastic Money and the Coming Monetary Breakdown was published by John Wiley & Sons in September 2011. He is a senior fellow at the Cobden Centre, London, a free-market think tank devoted to issues of money and banking.

Mr. Schlichter had a 19-year career in investment management. He worked at J.P. Morgan & Co. (1990-1998), Merrill Lynch Investment Managers (1998-2001) and Western Asset Management Co. (2001-2009). During his career Mr. Schlichter has overseen billions in assets under management for institutional clients from around the world. He left the industry in 2009 to focus exclusively on his first book, Paper Money Collapse.

Mr. Schlichter holds a degree in economics (Diplom-Ökonom) from Ruhr-Universität Bochum, Germany.

Paper Money Collapse provides a fundamental analysis of paper money systems that shows conclusively that paper money systems – that is, monetary systems with a fully elastic money supply as opposed to monetary systems based on commodities of essentially inelastic supply (such as gold) – are inherently unstable and that they must over time lead to growing economic imbalances and economic chaos. Historically, all paper money systems have ended in failure. Either a return to commodity money was achieved before a total currency catastrophe occurred, or the system ended in hyperinflation and economic disintegration — with grave social consequences. Paper Money Collapse shows via a conceptual analysis why this is the case, and why this is also the choice we are facing today. Our present monetary system is not only suboptimal, but also fundamentally unsustainable — and the endgame may be fast approaching.

Paper Money Collapse shows that the present financial crisis can only be fully understood as the necessary consequence of decades of ongoing monetary expansion. Excessive levels of debt, weak banks and inflated and distorted asset prices globally are the inevitable result of constant money creation and artificially depressed interest rates, and symptomatic of the late stages of a disintegrating paper money system. The liquidation of these dislocations is now deemed politically unacceptable, and is therefore countered with ever more aggressive money injections. The present crisis is far from over and a complete currency catastrophe is now a distinct possibility.

17.40 : closing notes day 1

17.50 : networking reception

19.00 : close of conference day 1

Preliminary Program Day 2

8.00 - 9.30 : Registration

9.30 : Introduction

9.45 : Keynote : Mobile Payment cases in Europe and in the world, what does it take? by Neil McEvoy, Consult Hyperion

About : Neil is a founding Director of Consult Hyperion. He specializes in security for financial transactions and smart identity cards. He is the inventor of Consult Hyperion’s Structured Risk Analysis method. Every working day, hundreds of billions of pounds of financial transactions are settled through secure networks that Neil has specified and procured. Millions of citizens carry smart identity cards that he has specified. Neil’s expertise has been provided to clients as diverse as the Bank of England, the Hong Kong government, American Express and the European Space Agency. Prior to founding Consult Hyperion, Neil worked as a consultant specializing in the transmission of scientific data from spacecraft, network management and cryptography. He graduated in 1980 from University College, Oxford in chemistry.
Neil is the author of papers on several topics, most recently on information risk analysis, secure transactions and identity cards.

10.20 : Green Paper ‘Towards an integrated European market for card, internet and mobile payments’, by Gerd Heinen, DG Internal Market and Services

About : Gerd joined the European Commission in 2005. Since 2008, he is a policy officer in the Directorate-General Internal Market and Services where he works on payment services, the Single Euro Payments Area (SEPA) and electronic invoicing. Recently, he contributed to the Commission’s Green Paper on card, internet and mobile payments. Prior to joining the Commission, Gerd worked for a leading consumer goods company in different financial management positions and at various locations across Europe and the US. He holds a degree in Applied Mathematics from the University of Trier / Germany and an MBA from KU Leuven / Belgium and the Kellogg Graduate School of Management / US.

Abstract: The European Commission adopted the Green Paper on 11 January 2012, followed by a public consultation period. The paper covers a broad range of themes, more specifically market access and market entry; transparency and cost-effective pricing; standardisation and interoperability; and payments security and data protection. The speaker will present the policy and legal background behind the paper as well as the Commission’s vision of an integrated European payments market.

10.50 : Panel discussion : analysts, policy & industry

Neil McEvoy, Consult Hyperion
Gerd Heinen, DG Internal Markets
TBC

11.30 : Break

12.00 : Panel discussion 2 : security challenges

Eddy Willems, GData
Erwin Geirnaert, Zion Security

12.40 : Panel discussion 3 : go to market challenges

13.10 : networking walking lunch & buffet

14.30 : break outs part 2

Mobile Payment Business Case

14.30

15.00

15.30

Mobile Authentication

14.30 Mobile Identity and Mobile Authentication systems evolutions, by Bart Preneel, COSIC, KU Leuven

15.00 Mobile Authentication evolutionary landscape, by Bart Renard, Vasco Data Security

15.30

16.00 : Break

16.30 : closing keynote TBC

17.10 : closing notes and end of conference

Practical Details and Registrations

Mobile Payments, Mobile Banking and Mobile Security Conference
October 11th – 12th, Brussels Belgium.

Register via Eventbrite : http://mobes2012.eventbrite.com

Two day conference pass : 250 € excl service fees charged by Eventbrite, mainly to cater for food and drinks.
Free to attend for LSEC Members, Agoria Members, Members of the European Security Innovation Network, MobeyForum Members upon request via the eventbrite system and upon confirmation of the organizers.

Ask for a special closing keynote only pass of Detlev Schlichter’s Paper Money Collapse and the closing reception, free of charge, available upon registration.

More details will become available soon at this page and on the website http://www.mobilepaymentecosystem.com


BruCon 2012


26-Sep-2012

During the first edition in 2009, the conference had approximately online and printed media: HelpNet Security online, Security.(Business Magazine for top ICT professionals) and Linux Weekly 2010 and 2011 were an even bigger success with 380 and In addition, reviews of BruCON were written by numerous podcasts. The reviews were very positive over the entire known security conference in Belgium and the rest of Europe.

The BruCON Conference assists any security company enhance its industry leadership position by giving it instant visibility within the security community in Belgium and internationally at the first independent security conference in Belgium.

BruCON aims to become the best and most entertaining security event in Belgium and Europe, offering a high quality line up of speakers, opportunities for networking with peers, hacking challenges and workshops. The conference creates bridges between the various actors active in the computer security world, including but not limited to CIOs, CISOs, Security Engineers, Security Managers, Network Managers, Compliance Officers, Security Consultants, members of non-profit organizations, CERT staff, IT students, law enforcement agencies, education centers and universities etc.

BruCON, a 2-day Security and Hacking Conference full of interesting presentations, workshops and security challenges. BruCON is an open-minded gathering of people discussing computer security, privacy, and information technology.

Scope
=====
Topics of interest include, but are not limited to :
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Web Application and Web Services Security
* Lockpicking & physical security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Electronic Voting
* Free Software and Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Security aspects in SCADA, industrial environments and “obscure” networks
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities
* Information warfare and industrial espionage
* Social Engineering
* Virtualisation Security
* ...

Deadlines
=========

Call for paper details to be found at http://www.brucon.org

For further information and questions, please feel free to contact cfp 0x40 BruCON.org

Official Announcement: BruCON keynotes

Ed Skoudis is a founder and senior security consultant with InGuardians and the founder of Counter Hack Challenges, a company that creates Capture the Flag challenges for professionals, college students, and high school kids.  Ed’s expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues, with over fifteen years of penetration testing and incident response experience and the scars to show for it. Ed authored and regularly teaches the SANS courses on network penetration testing (Security 560) and incident response (Security 504).  Ed has conducted exhaustive anti-virus, anti-spyware, Virtual Machine, and IPS research; and responded to computer attacks for clients in financial, high technology, healthcare, and other industries.

Katie Moussouris leads the Security Community Outreach and Strategy team at Microsoft. Her team’s work encompasses industry-leading programs such as Microsoft’s BlueHat Prize (http://www.bluehatprize.com, the industry’s first and largest prize for defensive security research), the BlueHat conference, security researcher outreach, and Microsoft’s Vulnerability Disclosure Policies. Ms. Moussouris also founded and runs Microsoft Vulnerability Research, which is responsible for Microsoft’s research and reporting of vulnerabilities in 3rd party software. Ms. Moussouris recently was voted the editor of a new draft ISO standard on Vulnerability Handling Processes, following her work over the past 4 years as the lead expert in the US National Body on an ISO draft standard on Vulnerability Disclosure.

Ghent, University Aula, Wednesday 26th and Thursday 27th of September 2012

More information and registration : http://www.brucon.org


Privacy By Design - Interdisciplinary Privacy Course


26-Jun-2012

This interdisciplinary course is part of the thematic training of the Leuven Arenberg Doctoral School Training Programme. The course is mainly aimed at Ph.D. students from all disciplines (either from the K.U.Leuven or from other universities), but also open to undergraduate students, post-docs, people working in industry, or anyone else interested in the topic.

In a series of lectures, the course will provide an overview of various aspects of privacy from the technical, legal, and social science perspectives. This year’s edition of the course will have a special focus on privacy by design, web search services, and behavioral advertising.

Privacy By Design - an important challenge for the Security Industry at Large

In addition to the lectures, this year’s course will feature interactive exercise sessions in which the participants will work in groups. In these exercise sessions the participants will apply what they learn in the lectures to a practical case study (web search application). The participants will be asked to identify the stakeholders and their requirements, define the functionality of the system, select the technologies that would be implemented in the design, and discuss the legal and societal aspects of the system. The participation in all the sessions is required in order to obtain the certificate of attendance to the course.

=================================================================================

* When

- Wednesday, June 27, from 9:15 to 17:00
- Thursday, June 28, from 9:00 to 17:15
- Friday, June 29, from 9:15 to 16:30

* Where

Lecture room: MTC1 02.07
Interactive exercise sessions rooms: MTC1 00.07 and MTC1 00.16

MTC1 Maria-Theresiacollege
Sint-Michielsstraat 6
3000 Leuven (Belgium)

* Speakers

- Claudia Diaz (KU Leuven ESAT/COSIC)
- Seda Gürses (KU Leuven ESAT/COSIC)
- Eleni Kosta (KU Leuven Law/ICRI)
- Bettina Berendt (KU Leuven CS/DTAI)
- Jo Pierson (VUB IBBT-SMIT)
- Invited speaker(s) - TBA

* Registration

- The course is free of charge, but attendees are required to register by sending an email to claudia.diaz@esat.kuleuven.be
- The course will provide coffee breaks for the participants. Lunches are not provided. A number of restaurants are in the vicinity of the course venue.
- The registration deadline is: Tuesday, June 20, 2012

* Web page

http://people.cs.kuleuven.be/~bettina.berendt/teaching/Privacy12

=================================================================================

*** Programme

Wed June 27

09:15 - 09:30 Welcome coffee
09:30 - 10:15 Lecture 1: Introduction (Claudia Diaz)
10:15 - 11:15 Lecture 2: Addressing Surveillance and Privacy during Requirements Engineering: The challenge of search and behavioral advertising (Seda Gürses)
11:15 - 11:40 Coffee break
11:40 - 12:30 Explanation of the practical exercise (Seda Gürses)
12:30 - 14:00 Lunch break
14:00 - 15:15 Exercise session 1
15:15 - 15:40 Coffee break
15:40 - 17:00 Exercise session 2

Thu June 28

09:00 - 09:15 Welcome coffee
09:15 - 10:15 Lecture 3: Web mining and privacy: threats, opportunities, and design issues (Bettina Berendt)
10:15 - 11:15 Lecture 4: Social perspective on (dis)empowerment of users in an internet environment (Jo Pierson)
11:15 - 11:35 Coffee break
11:35 - 12:35 Lecture 5: Technologies for private search (Claudia Diaz)
12:35 - 14:00 Lunch break
14:00 - 15:00 Lecture 6: (Re)introducing privacy by design: the realm of search engines (Eleni Kosta)
15:15 - 15:35 Coffee break
15:35 - 17:15 Exercise session 3

Fri June 29

09:15 - 09:30 Welcome coffee
09:30 - 11:00 Invited talk (tba)
11:00 - 11:20 Coffee break
11:20 - 12:30 Exercise session 4
12:30 - 14:00 Lunch break
14:00 - 15:00 Exercise session 5: preparation of presentations
15:00 - 15:20 Coffee break
15:20 - 16:30 Presentations of results of the exercise and discussion

=================================================================================

*** Abstracts

Lecture 1: Introduction (by Claudia Diaz)

This lecture will motivate the need for privacy protection, introduce the arguments in the privacy debate, and review the main approaches to privacy. Some of the questions that we will address in this talk include: Why is privacy important? Why is it so complex? What are the different meanings of “privacy”? How does “privacy” translate to technical properties and how do these relate to classical security properties?

Lecture 2: Addressing Surveillance and Privacy during Requirements Engineering: The challenge of search and behavioral advertising (by Seda Gürses)

Privacy is a debated notion with various definitions that are also often vague. While this increases the resilience of the privacy concept in social and legal context, it poses a considerable challenge to defining the privacy problem and the appropriate solutions to address those problems in a system-to-be. Surveillance can be summed up as “any collection and processing of personal data, whether identifiable or not, for the purposes of influencing or managing those whose data have been garnered” (Lyon, 2001). One of the main concerns with any type of surveillance is social sorting, a form of classifying people based on surveillance data that may lead to real effects on the life-chances of people. In the context of web-based search, given its current integration with targeted and behavioral advertisement, different parties raise concerns with respect to privacy and surveillance. From an engineering perspective this raises questions about whether and how these matters can be addressed when engineering information systems. Ideally, when engineering systems, the stakeholders of the system step through a process of reconciling the relevant privacy and surveillance definitions and the (technical) privacy solutions in the given social context. We will explore methods to define and elicit concerns based on different privacy and surveillance notions; summarize the desired steps of a multilateral requirements analysis approach; and discuss how these methods can be applied in the context of web based search and behavioral advertising.

Lyon, D. (2001). Surveillance society: Monitoring everyday life. Buckingham, UK: Open University Press.

Lecture 3: Web mining and privacy: threats, opportunities, and design issues (by Bettina Berendt)

Web mining is the application of data mining techniques on Web data such as queries and other records of usage, social-network profiles and friend links, or news, blogs and tweets. Data mining means finding new knowledge that was previously only implicit in data. Web mining thus operates on many personal data that keep growing in volume and interrelatedness, and it leads to inferences on inferences and groups that may be beneficial for some but unwanted-to-pernicious for others.

In this lecture, I will first give an overview of mining techniques and typical uses such as profiling. I will then describe methods that have been proposed for protecting personal data from unwanted inferences (privacy-preserving data mining) or for reducing the risks of releasing these data (privacy-preserving data publishing). I will investigate the roles in the mining process (who is doing the mining on whose data of what sorts) and identify threats and opportunities in different settings that range from business intelligence to feedback and awareness tools for user empowerment. I will conclude with thoughts on what “privacy by design” may mean in the context of Web mining.

Lecture 4: Social perspective on (dis)empowerment of users in an internet environment (by Jo Pierson)

In a society where people increasingly rely on search engines and social media for communication and information sharing, it is vital to investigate these new forms of mediated communication from the social perspective of users/citizens/consumers. However in this transitional digital media ecosystem we observe how people can become simultaneously empowered as well as disempowered, in particular on the levels of identity, privacy and surveillance. How this works out depends on the interrelationship between how internet systems are being designed (i.e. what they enable) and what people within their social context do with these systems (i.e. are able to do). In this way we notice for example that users of search engines and social media are foremost framed as consumers, and where ‘relevance’ is foremost posited as ‘commercial relevance’. Questions are therefore: How can governance and power manifest itself through the algorithm? To what extent and how are the social practices by citizens and communities following, opposing and/or negotiating the ‘governance’ of internet systems? In what ways is the social self increasingly being commodified, with personal data becoming the new currency? In what way can a socio-technological perspective offer solutions?

Lecture 5: Technologies for private search (by Claudia Diaz)

Search queries are closely related to the issues in which we are interested. This raises privacy concerns, as potentially sensitive information can be inferred from these queries, such as income level, health issues, or political beliefs. In this talk we will review different technologies for implementing private search services. This includes cryptographic techniques such as private information retrieval, as well as obfuscation-based private web search based on automatically generating fake queries.

Lecture 6: (Re)introducing privacy by design: the realm of search engines (by Eleni Kosta)

Building legally compliant systems that process personal information is turning into a nightmare for online business. The quest for finding the balance between the privacy of the users on the one hand, and the maximization of the profit of online business, usually deriving from the processing of user information, on the other, proves to be a difficult task. This lecture will present the initiatives of the European Commission in the frame of the reform of the European Data Protection Directive to achieve such a balance. The case of search engines, who collect and process vast amounts of user information, is going to be used as an example.

=================================================================================

*** Interactive exercise sessions

Exercise session 1

In this session the students will identify the stakeholders and describe their interests and stakes in the system. This will include: their incentives, their interests, and the identification of potential conflicts between their interests.

Exercise session 2

In this session the students will specify the functionality, domain, and trust assumptions of the system. They also construct an initial model of the information that is necessary to fulfill the functionality of the system.

Exercise session 3

In this session the participants will identify the legal frameworks that apply, describe the legal roles and responsibilities of the stakeholders and their data protection requirements, and discuss the societal implications of the system linked to power relations between different stakeholders. They will also conduct an analysis of the privacy concerns of the stakeholders and the service integrity guarantees (i.e., threat and security analysis).

Exercise session 4

In this session the participants will further refine the definition of privacy goals and provide suggestions for privacy technologies that could be used in the system. The participants are asked to apply some of the things they learned in the lectures to the system they are developing. The specific choices of technical solutions to be used in the system will require re-thinking of the applicability of legal frameworks, the concrete functionality and the information model.

Exercise session 5

In this session the participants will consolidate their conclusions and prepare the presentation for the rest of the course participants that will take place in the last session of the course.


Security Hardening 2012 - part 2


07-Jun-2012

Security Hardening 2012 - part 2

Sequel to the successful Security Hardening Events of October and February, LSEC and its partners are organizing the next quarterly Security Hardening seminar on June 7th, 2012.

“Security Hardening” means to explore the possibilities of improving the IT and Information Security architectures and systems.
During these seminars, it became obvious that most of the topics were very complementary and gave an interesting viewpoint on how to improve security measures within companies.

Outline

This seminar is mainly intended for companies and government departments that already have a security environment and are interested in finding out about new solutions, new approaches and ways to improve their security infrastructure. Security Hardening in this case meant increasing the level of security on different aspects and components of your environment. This could be from a network security perspective, from a database and application perspective, or by increasing the granularity and scope of your data protection technologies. Hardening was also understood to include ways and procedures to improve security management as a whole.

All together, we’ve explored how to grow from the typical 80% of managed IT and information security risks to upgrade to 90% or and to understand the complexities, costs and resources necessary to this upgrade path.

9.00h : welcome coffee & registrations

9.30h : Introduction, Security Hardening 2012 part 2 - an overview of hardening by Ulrich Seldeslachts, CEO LSEC

9.45h :  How to overcome “blind spots” created by virtualization, by Bjorn de Jong; Net Optics International Business Development EMEA & LAM

Abstract : Virtualization is delivering many advantages to companies and datacenters. Along with the advantages, virtualization can also become a significant threat. The Phantom Virtual Tap software delivers total visibility of inter-VM traffic passing between virtual servers and reveals previously invisible traffic for superior security, regulatory compliance, and manageability.

About : Bjorn has been active in the IT business since 1998, primarily in network management and security solutions (Network General, NetIQ, Visual, Black Ice/ISS etc). Since 2004 his focus has been on Data Access solutions from Net Optics, Gigamon and Network Critical. Net Optics is the leading provider of Intelligent Access and Monitoring Architecture solutions that deliver real-time IT visibility, monitoring and control. More than 7,000 enterprises, service providers and government organizations—including 85 percent of the Fortune 100—trust Net Optics’ comprehensive solutions to plan, scale and future-proof their networks.

10.20h :  Data Leak, by Bernard Francis, Security Practice Manager, Bull Services and Solutions

Intellectual property thefts around the world have a cost of around 10 billion €/year to businesses as a whole, without counting the several more billion € /year losses for industrial espionage that businesses suffer. As a matter of fact, “Knowledge” thefts are among the most common attacks on companies from unscrupulous individuals. However, we need also to take into account that the most common data leaks occur from insiders who have no clue about the danger of their behaviour regarding their “art of communication” with the outside world. Organisations are therefore realizing that the risks associated with data leaks must be taken into account at the same security level as the overall enterprise security hardening.

To satisfy this growing business need, Bull has developed a “data leaks” solution whose main pillars are:
- Discover and reference the sensitive documents dynamically, based on rules specific to the organization (keywords, recipients ...)
- Establish a footprint so that the documents can be recognized even if they have been altered or camouflaged (copy and paste, capture ...)
- Monitor network flows to detect any improper output.

10.55h: Coffee Break & Networking

11.15h :  GSM network vulnerabilities, by Peter Cox, UM Labs

The need for data security is well understood; most data applications and services have at least some level of security protection. In contrast, the security problems associated with voice communication are rarely considered. This presentation will examine the security threats relating to voice calls made on GSM networks and will include a demonstration of call interception on a GSM network. The presentation will then outline how these problems can be addressed using VoIP technology and sound data security principles.
An earlier version of this presentation was presented at the Federal Cyber Security Conference in Baltimore, October 2011.

11.50h : 3 generations of access & identity management: technology overview, trends and future evolutions, by Rik Van Bruggen, Regional Sales Director Courion

Abstract : In the past 15 years, our industry has tried and tested multiple strategies to address the “identity problem”. Everyone seems aware of the fact that the “insider threat” is a clear and present vulnerability in our organisations’ IT infrastructure, but our strategies to mitigate the risks associated with this vulnerability have been all over the place. In this presentation, we would like to present an overview of the industry’s evolution, assess strengths, weaknesses and lessons learnt from the different attempts at solving the problem - and suggest a way forward.

About : Rik Van Bruggen has been working in the Identity and Access Management industry since the end of the nineties, at companies like Novell, Imprivata, and now Courion. Having lived through the industry’s different generations of problem solving strategies, he is very well placed at presenting and discussing the latest challenges and solutions with the audience of this session.

12.30h : Lunch Break & Networking

13.30h :  End to end security from data encryption perspective, the case of secure Teleworking by Vincent Vanbiervliet, Sophos

Abstract : When an organization is motivated to allow its employees to work from location, supporting teleworking, the information infrastructure needs to be capable of supporting this. Not only IT, but also information security will need to provide support, from virtual private networking, to anti-malware protection on laptops, to secure backup and storage. Full disk encryption and data access can and will be centrally managed for users to be able to access the required data and information coming from the central office. Learn how this holistic approach could also help your organization in supporting teleworking and remote access.

About :

14.05h :  Trusted Computing Platform - using standard encryption technologies embedded in your hardware and software, by Nick Spekkels, Business Development Director EMEA - Wave Systems Corp

Abstract : Trusted Computing is not only a concept of ensuring information technologies that can be trusted, it also refers to a standardized technology platform which is supported by many hardware and software vendors worldwide to facilitate securing the data on these devices. Hardening your information security might also mean utilizing your existing TCP (Trusted Computing Platform), which you might not have known you already had. Discover how you may activate your TCP, or how you can include Trusted Computing into your future architecture. Find out how to manage the Trusted platform for disk encryption and network security in combination with two factor authentication mechanisms.

14.40h : Coffee Break & Networking

15.10h :  Security Hardening by Privileged User Access control, tbd, CA Technologies

15.45h : When business fully understands the challenges of security, an end to end security strategy can be considered. An example from laptop to datacenter, by Antonio Mata Gomez, Oracle

Abstract : The simple question was : what is Oracle doing on information security? There was a simple answer : many things. That has resulted in a series of activities for Oracle to demonstrate their security practice, from db hardening to an end to end perspective. Oracle’s identity management solutions, Oracle applications and the whole cloud offering are only a fragment of the security perspectives of Oracle. As a result, with this concept of an end to end approach, as a case study, it becomes clear what the concept of hardening is all about. It starts from the single data digit, but has to be carried throughout the chain of processing, at light speed or faster and secured.

Case:  Transparency, Accountability and Auditability of high privileged users access is mandatory.
Efficient and consistent User Administration of multiple Databases is becoming more and more important, and is a basic requirement in compliance and auditing discussions. Not only making sure that the right users have access to the right databases at any point in time, but also the traceability of the past and a full view of the lifecycle management and auditability of the high privileged users (eg DBAs) is a key basic compliance requirement in any organization. Compliance is not only a matter of processes and applications, but also the place where the information is stored, is seen as a serious attention point for auditing the compliance, security and risk exposure. Ensuring that the right people at all times have only access to the information they are entitled to, has never been so important. The user management across these multiple DB instances is often done individually, with manual interventions or using scripts, which is costly, not error free and not well accepted by auditors.

About : Antonio started his career as an Oracle database consultant. Back then IT was more interested in High Availability and Scalability but enterprises started showing a growing interest in protecting their key Business Assets persisted in database management systems. Antonio’s expertise was formed through many projects where protecting the database was key in order to guarantee the required security level. In his role of Database Security expert Antonio closely followed up on the Identity & Access Management market trends, which has enabled him to approach security projects from multiple angles.

16.20h : Policy Based Networking to cope with BYOD, Ronny Guillaume, Cisco (TBC)

16.40h : BYOD and Device Management, Ulrik Van Schepdael, Mobco (TBC)

17.00h : Closing Remarks & Networking Reception

18.00h : Close of Seminar

Specifically some topics we are aiming for :
- network monitoring, deep packet inspection
- embedded security
- IPv6 & impact on security
- Database security hardening
- Web application security - firewalling
- New developments in hardware security – TPG/CC-based
- Security as a service (in the cloud)
- Virtualization security
- Identity management – access management - authentication
- Vulnerability testing – intrusion detection
- Data Protection technologies & systems
- Critical Infrastructure Protection
- Cybersecurity & Malware protection
- Security Monitoring & Network Monitoring
- Governance & Compliance
- …

Practical Details

LSEC Security Hardening 2012 - part 2
June 7th, Kasteelpark Arenberg, Leuven

Register already now, to ensure your seat at http://securityhardening2012part2.eventbrite.com

Free of charge for LSEC Members, LSEC partners and partner Members, Agoria Members, ECSA Members.
Free of charge for all others who subscribe before March 30th. After that date, the subscription fee is 150 €.
A non-cancellation fee of 150 € applies when a registration is not cancelled at least 1 day before the event and the participant does not appear.

This event was supported by CA Technologies, an LSEC platinum sponsor for our events. We are always open to other, additional interested parties.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.


APJF - Attack Prevention with Juniper Networks Firewalls

14-May-2012

This one-day course meets the business need of customers who are deploying the attack prevention features of ScreenOS software. The course focuses specifically on the attack-related features and assumes familiarity with ScreenOS software. Upon completing this course, you should be able to return to work and successfully configure and verify the desired attack prevention features.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET11
Subscription: http://www.jcacademy.be

Windows security

14-May-2012

Most environments run Windows, and most of these Windows machines are attached to Active Directory domains. By using your installed Windows infrastructure, you have a large variety of built-in options to secure your network, saving your organization a lot of money. ‘Windows security’ discusses for instance Active Directory forest design, the use of Group Policy to lock down desktops, securing public IIS web servers, the architecture of Microsoft PKI, the use of Microsoft firewall products, the use of Hyper-V. The session is illustrated with numerous practical demonstrations.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT43
Subscription: http://www.jcacademy.be

In Car IT Security - The Automobile as an IT Security Case

11-May-2012

The Automobile as an IT Security Case

TeleTrusT Information Day on 11.05.2012 in Berlin

Berlin, 21.02.2012 – Today’s modern automobiles are IT systems on wheels. Control units, or ‘embedded systems’, turn modern cars into rolling computers. Reliable and fault-free interaction of hardware, software and mechanics, including IT security, characterizes the car of the future.

In the future, cars will be connected to one another and to the Internet. This connection of vehicles to the Internet opens up new sources of danger. Researchers consider attacks on the IT security of cars likely in the future. New protection concepts are necessary. Experts are looking for weak points that are susceptible to manipulation, in order to help prevent the sometimes dangerous consequences. What is at stake is not only the IT security of the individual car, but also that of road traffic as a whole.

The Bundesverband IT-Sicherheit e.V. (TeleTrusT) is devoting an information day on 11.05.2012 to these topics:

- Information security in the automobile
- The personalized automobile
- Car ID - Secure Communication Car to Car / Car to Cloud
- M2M use of secure web collaboration technologies in car-to-infrastructure communication
- IT security requirements for the vehicle of the future and approaches to solutions
- Safety and Security for Automotive using Microkernel Technology
- Secure eMobility: secure ICT for electromobility – Smart Car, Smart Grid and Smart Traffic
- IT security testing procedures in the automotive environment

Full programme and registration at http://www.teletrust.de/veranstaltungen/automobil/

11.05.2012

Thomas-Dehler-Haus, Reinhardtstraße 14, 10117 Berlin

(Reinhardtstraßenhöfe conference and congress centre)

Programme (subject to change)

09:15
Admission and registration

10:00
Dr. Jan Pelzl, escrypt
Welcome, opening and moderation

10:15
Dr. Marko Wolf, escrypt
“Information security in the automobile: yesterday, today and tomorrow”

10:45
Uwe Peter Braun, UBIN
“The personalized automobile”

11:15
Coffee break

11:30
Mario Bärmann, Nexus
“Car ID - Secure Communication Car to Car / Car to Cloud”

12:00
Axel Häuser, Siemens Enterprise Communications
“M2M use of secure web collaboration technologies in car-to-infrastructure communication”

12:30
Lunch break (buffet)

13:00
Stefan Goetz, Continental Teves
“IT security requirements for the vehicle of the future and the approach to a solution - Continental’s strategy”

13:30
Dr. Matthias Gerlach, OpenSynergy
“Safety and Security for Automotive using Microkernel Technology”

14:00
Coffee break

14:15
Antonio González Robles, if(is)
“Secure eMobility (SecMobil): secure ICT for electromobility – SmartCar, SmartGrid and SmartTraffic”

14:45
Markus Bartsch/Nils Tekampe, TÜViT
“IT security testing procedures in the automotive environment”

15:15
Closing discussion

16:00
End of the event

IIDP - Implementing Intrusion Detection and Prevention

03-May-2012

The Juniper IDP appliance will detect malicious signatures and anomalies targeting your network. This course shows you how to install, configure and manage the Juniper IDP appliance.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET07
Subscription: http://www.jcacademy.be

Developing Secure Mobile Apps 2012

26-Apr-2012

Developing secure mobile apps for iOS & Android

Zion Security in cooperation with LSEC.

Thursday, April 26, 2012 from 9:00 AM - 5:00 PM
This one-day training will give developers, architects and security managers an overview of the security risks when developing and deploying mobile applications that run on iPhone/iPad or Android devices.
The training will be given by Erwin Geirnaert, Co-founder of ZION SECURITY and a well-known security expert in application security. Erwin has hands-on experience with security testing and securing mobile apps.
1. 08h30-09h00: Registration and coffee

2. 09h00-12h00: OWASP Top 10 Mobile Risks: learn about the Top 10 Mobile Risks: Insecure Data Storage, Weak Server Side Controls, Insufficient Transport Layer Protection, Client Side Injection, Poor Authorization and Authentication, Improper Session Handling, Security Decisions Via Untrusted Inputs, Side Channel Data Leakage, Broken Cryptography, Sensitive Information Disclosure. Most security risks will be demonstrated using iGoat or GoatDroid. iGoat is an iOS application with several weaknesses that can be exploited using basic tools; GoatDroid is the same but for Android.

3. 12h00-13h30: Lunch

4. 13h30-15h00: Overview of the security architecture and security controls in iOS and Android: file encryption, keyvault, SSL possibilities, authentication, integration with back-end web services,…

5. 15h00-16h00: Mobile design controls: what are best practices for developing secure mobile apps? An overview of OWASP Top 10 Mobile Controls, secure coding guidelines and best practices.

6. 16h00-17h00: Workshop to discuss your mobile projects, security requirements and questions: now is the time to get help from the expert and from your peers in an interactive discussion to end the intensive day
Leuven, Vlaams Gewest

Registration and more information : visit Zion Security.

EIC - Electronic Identity Conference - KuppingerCole 2011

17-Apr-2012

The EIC is one of the leading conferences in the field of Identity Management, reaching out yearly to all expert leaders in the domain throughout Europe. Typically attended by industry players, but also by end consumers and government officials, it gathered in 2010 over 550 delegates from all over the world. In depth discussions, new announcements and the IDM award are standard components. Organized as a yearly event by leading European market analyst firm Kuppinger Cole focused on EIC and Cloud Computing.

This year, LSEC is supporting the EIC and its activities and would like to invite its members and partners to participate as well.

About EIC (European Identity Conference)

With more than 550 attendees the European Identity Conference (EIC) 2011 in Munich has been the major platform in Europe to establish, continue and intensify the dialog between GRC and identity management thought leaders and users from all over the world, and between vendors, vendor partners and users.
EIC is the place to meet with enterprise technologists, thought leaders and experts to learn about, discuss and shape the market in most significant technology topics such as Identity Management, Governance, Risk Management and Compliance (GRC) and Cloud Computing. With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe and has been intensively covered in the news, in many blog entries, newsletters and Kuppinger Cole Reports.

https://www.kuppingercole.com/events/eic2011

Thought Leadership
Thanks to 550+ attendees, speakers, sponsors, exhibitors and press members, EIC 2010 again turned into an unforgettable event and a conference having met its role as a major platform to create, continue and intensify the dialog between thought leaders and users, between business and technology. Intensive discussions inside the sessions and outside, exchange of experiences and ideas - we all hope, that you could carry away enough inspirations for your upcoming projects.
Matching tomorrow’s promise with today’s reality - the European Identity Conference has become the place, where thought leaders from all over the world meet with enterprise users and discuss innovations and their impact on enterprise infrastructures.
Best practices
Learning through experience - like in previous years, EIC offers a great choice of valuable end user case studies, delivering practical advice on how to create business value through IAM and GRC programs that enhance effectiveness and efficiency.
Reaching out for maturity, refining and optimizing your strategic and tactical approaches - learn from your peers.
European Identity Award

Practical Details

Conference (10.-13.05.2011) Conference including Pre-Conf Sessions, Expo and Evening Event
Conference + Workshops (10.-13.05.2011) Pre-Conf Sessions, Conference, Expo, Evening Event and Post-Conf Workshops
Public Services, Hospitals + Academic (10.-13.05.2011)
Free access for government and military Free access to the expo area, keynotes and pre-conference workshops

For more details, please register at : European Identity Conference 2011

LSEC partners receive an additional discount by mentioning LSEC1 during registration. LSEC Members should enquire about their reduction by contacting their LSEC representative and asking for their registration code.

EIC 2011 - Kuppinger Cole
Dolce Ballhaus-Forum
Andreas-Danzer-Weg 1 • 85716 Unterschleißheim
Phone: +49 (89) 370 530 0
Internet: http://www.dolcemunich.com/

Social Requirements of Social Network Sites

11-Apr-2012

The SPION workshop on social requirements of social network sites will take place at the premises of SMIT-VUB on Wednesday, 11 April 2012. We would like to invite you and other experts on the matter to join us for a discussion and exchange of ideas on the role of user research in the development of a privacy safe environment for social network sites.

The workshop will focus on following questions:

(a) What are social requirements and how can we translate them into technical recommendations, so that they become useful and accessible from an engineering perspective?

(b) How are identity and privacy intertwined and how does this relationship affect the development of privacy enhancing technologies?

(c) How can we use existing (prototypes) technologies for evaluating user needs, so that the co-construction of technology is ensured in future systems?

Participation in the workshop is free. However, for practical reasons, you are kindly requested to register by e-mailing Ralf De Wolf before the 1st of April. We will be happy to answer any of your questions and provide you with the information you might need. All interested are welcome, but we especially invite SNS providers, software developers, designers, media researchers and artists to join the workshop.

Registration, contact Ralf.De.Wolf at vub.ac.be.

Program Outline

Communication seems crucial to constitute ourselves as social beings
and it is only through interaction with each other that we develop
our identities and have the ability to know ourselves. When
technology enters the picture, communication often changes and new
possibilities arise. During the past few years the way we communicate
has altered immensely. Social network sites have given us additional
possibilities to develop and perform our identities, as if on stage.
Unfortunately these changes not only bring along opportunities, but
also risks for the user, like privacy. The latter is a central topic
of discussion among software developers, engineers, policy makers,
lawyers, etc. But in this workshop we want to focus on the needs,
practices and perspective of the user and user communities, to take
into account in the engineering process.

Programme:
13u – 14u00: introduction: experience with user studies
14u00 – 15u00: ‘Privacy and its interplay with identity’: Initial social requirements of SNS
(15 min break)
15u15 – 16u15: Discussion on how to translate social requirements into technical recommendations
16u15 – 17u15: ‘Privacy beyond the individual’: Analyzing group based access control models of commercial SNS
(15 min break)
17u30 – 18u00: ‘Opening the black box’: Evaluating technology from a user perspective
18u00 - …: networking and drinks

Security essentials

28-Mar-2012

Organizations transform their systems into intranets and extranets and establish VPN connections over the public Internet. These interconnected systems face several threats that can cause severe damage to the company and its assets: employees, competitors, viruses, crackers,… This course is not about detailed problem descriptions and solutions but aims to provide a conceptual view of the security problem.
More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT29
Subscription: http://www.jcacademy.be

Learning Internet & Intranet Security Fundamentals (LISF)

28-Mar-2012

In this general and basic security course, we will have a look at some security principles, and afterwards we will discuss some protocols and methods to implement security in the network.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT23
Subscription: http://www.jcacademy.be

Infosecurity Belgium 2012

28-Mar-2012

Tradeshow, Seminars, Networking, ....

Infosecurity 2012 will offer a great way to explore the latest trends in information security, discuss with various experts, and learn from peers and experts during the seminar sessions.

Register via Eventbrite for the LSEC Theatre, print your receipt and receive your free gift during Infosecurity 2012 at our booth, upon presentation of the receipt. You will also be eligible to participate in our yearly contest, this year to win a set of brand new gaming technology “Sifteo”.
This receipt does not allow you access to Infosecurity.be 2012, for which you will have to register separately, via the link below.

LSEC Theatre - Best of LSEC 2011 - 2012

On Thursday March 29th, LSEC will be hosting a number of interesting talks that were highly appreciated by the attendees of these seminars during 2011.
As a best of show, you’ll be getting a good flavour of the current challenges, opportunities by some of the best speakers and presentations by experts.

You are welcome to join any of these sessions during the show. Probably best to sign up via the Infosecurity.be registration system, or showing up during the show.

10.15 – 10.45 : 10 ways to bypass security measures in SAP® systems, by Wouter Janssen, Axl Trax

An exploration of the most common security weaknesses found at companies running SAP systems.

11.00 – 11.40 : Security Threats in 2012, by Vincent Vanbiervliet, Sophos

Seeing the threats through the doom. In 2011, doom scenarios about hacktivism and the threat du jour overshadowed more common security risks.
Our experts explain the real threat trends you need to watch, based upon the Security Threat Report 2012.

12.00 – 12.10 : Introduction of the information security guidelines, the basic measures for companies and institutions in Belgium, by LSEC and Agoria ICT.

12.15 - 12.45 : Free and convenient security for websites: mydigipass.com, by Kurt Berghs, Vasco Data Security

MyDigipass.com is an online portal that allows consumers to manage their online identity and securely access their websites in a convenient way.

13.00 – 13.40 : Providing access to MS Sharepoint and other data sources, both in the cloud and on premise. Information Security is also about enabling restricted access to sensitive data and documents, by Henk Van der Heijiden, CA Technologies.

Information Security should support business in providing controlled and managed access to information, wherever the business requires it to go. Tools and technologies should help, based upon controlled identities, authentication and access to systems and data. Whether on the road, or with business partners, information security should support business decisions and restrict unauthorized use. As IT Security professionals, take this vision to your colleagues and executive management.

14.00 – 14.40 : Friend or Foe, who wants to be your friend on Facebook and Twitter, by Paul Judge, Chief Research, Barracuda Networks

Detailed overview of the way social networks are being used to distribute malware, hack in to your accounts, use your online identities to infringe on your friends or steal personal information.
End of February, even the Belgian police reported hacked twitter accounts and abused electronic identities. Learn about the details and how awareness and vigilance are needed on top of security tools and technologies.

15.00 – 15.40 : Next Generation Network Access Control and Desktop Virtualization as an effective, fast and easy way to deal with the demand of new devices on your networks (BYOD) and supporting the need for authorizing access to internal assets, by Bernard Girbal, Netclarity and Simon McNaly, Array Networks

16.00 – 16.40 : Infosecurity 2012, vendors, seminars, discussions, but what does really matter for companies and government institutions today? A discussion with Raj Samani, CTO EMEA McAfee.

A discussion about the European Data Protection regulation, hacking iOS and Android, theft of intellectual property and hacktivism, impact of the cloud for security professionals and the challenges of healthcare providers up to oil rigs ...

Other interesting presentations facilitated by LSEC :

Opening Keynote, by Bart Preneel, Chairman LSEC and Head of COSIC, KU Leuven, Security a Year In Review

Bring Your Own Device, by Jean-Luc Delvaux, Belgacom

Web Application Security, by Erwin Geirnaert, Zion Security


Practical Details

Infosecurity 2012, March 28 - 29 2012, Expo Brussel

More information and registration, please visit: http://www.infosecurity.be

CONFERENCE ON NATIONAL INFORMATION SHARING 2012

28-Mar-2012

On the 28th of March, the B-CCENTRE in cooperation with LSEC is organising a conference in Brussels on the topic of National Information Sharing. The agenda of the day includes a series of presentations of existing initiatives from both public and private sector which are already contributing today to the facilitation of collecting and sharing information regarding cyber-attacks. Speakers will present activities established in France, Luxembourg, the Netherlands and Germany. Different actors involved in Belgium will take the floor to highlight the specific situation and needs regarding information sharing in Belgium. The next steps to be taken will be debated in a panel discussion and recommendations for the road ahead will be formulated.
Background reading on the conference theme is provided in the briefing note attached to this mail. The target audience for the conference are all private and public actors confronted and dealing with cyber-attacks as well as those in charge of tackling and combatting cybercrime. The conference is free of charge and open to the general public, but subject to enrolment.
Further information on the speakers, a detailed agenda and possibility for registration will be available soon. Stay tuned on http://www.b-ccentre.be!

Brussels, 28 March 2012 – 9.30 to 17.30

More and more cybercrime is becoming part of our daily reality. Hardly a week goes by without news of cyber-related attacks on both governments and private companies and the trend seems only to accelerate in 2012. Public and private sector are putting effort in combatting cybercrime. In Belgium the Belgian Cybercrime Centre of Excellence for Training, Research and Education was launched in 2011. Similar initiatives are taking place in other European countries. 2011 was also the year in which different countries adopted national cyber security strategies. Both the European Commission and the Council of Europe promote and support the development of such national strategies as well as the creation of national centres aiming to increase capacities for dealing with cybercrime as well as knowledge and information sharing. Countries aspire to be a safe place for business and for their citizens alike, and to safeguard thus the basis for economic growth based on trust.

An interdisciplinary approach is a pre-requisite for efficiently dealing with the phenomenon of cybercrime. It is clear that it will take a lot of effort and commitment to develop training and improve information sharing. It will take time to build trust and efficient cooperation among the different professionals to be involved, such as law enforcement, judges, lawyers, academics, operators, businesses, fraud and security experts and policy makers. While international cooperation is required, it is clear from international organisations that this new culture of cyber security will have to be developed first at national level.

In response to the multi-faceted dimension of the cybercrime threat, a number of countries have already set up CERTs, fraud, spam and botnet reporting centres which bring together industry and authorities. While each initiative brings a unique expertise, it also brings its own limitations, as there is no comprehensive initiative that can help governments and industry to understand and monitor the threat landscape in real time.

The need for Information Sharing is the key subject of the 28 March conference. The concept of an Information Sharing Centre entails a centre which collects information and reports from various sources, including citizens, and dispatches it to all interested stakeholders: internet service providers, security vendors, advertisers, brands, but also network security agencies, law enforcement, CERTs, communication and privacy authorities.

An Information Sharing Centre does not pretend to address all the security and safety issues which impact the trust of citizens in the online environment, but it does provide a coordinated response and contributes to the empowerment of consumers, the improvement of the quality and reliability of online services, enabling enforcement and the promotion of business compliance and trust in our networks.

The agenda of the conference includes a series of presentations of existing initiatives from both public and private sector which are already contributing today to the facilitation of collecting and sharing information. Speakers will present activities established in France, Luxembourg, the Netherlands and Germany. Different actors involved in Belgium will take the floor to highlight the specific situation and needs regarding information sharing in Belgium. The next steps to be taken will be debated in a panel discussion and recommendations for the road ahead will be formulated.

IFVH - Integrating Juniper Networks Firewalls and VPN’s into High Performance Networks

26-Mar-2012

This course focuses on the ScreenOS features that are typically required in large-scale networks, including dynamic routing, virtual systems, traffic shaping, and high availability. Upon completing this course, students should be able to return to work and successfully install, configure, and verify that a ScreenOS-based device is interoperating in the network as desired. Through demonstrations and hands-on labs, students gain experience in configuring, testing, and troubleshooting these advanced features of ScreenOS software.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET02
Subscription: http://www.jcacademy.be

Workshop Virtualization in industrial automation

22-Mar-2012

Together with our partner ConPro

Addressing the needs of virtualization
For software in production environments
A practical workshop on proven experiences

IT hardware life cycles decrease continuously. This jeopardizes your SCADA/HMI and MES system recovery after a hardware breakdown. Virtualization is the answer and much more, but other practical challenges need to be addressed!

Agenda :
13:00 : Registration
13:15 : Introduction
13:25 : Virtualization clarified
14:10 : Success story
14:40 : Coffee Break
15:00 : Practical Challenges
15:45 : New features
16:15 : Q&A
16:30 : Network drink

Practical :
Thursday 22/3/2012
Wilrijk, Control & Protection, Neerlandweg 25 - 2610 Wilrijk
Free registration via info@conpro.be or +32 3 829 0335

with the support of GE and Kepware technologies

Advanced Penetration Testing

19-Mar-2012

The Advanced Penetration Testing class aims to bridge the gap between conventional pentesting techniques and blackhat hacking techniques. The class will force you to think like a malicious hacker and teaches you how to pentest and break into secure environments, which have fully patched operating systems and programs. The class will focus on a “scenario centric” approach rather than relying on a “tool centric” one.

Participants will learn:

- Think out of the box during pentests
- Bleeding edge techniques used by hackers
- Able to conduct pentests on networks which are fully patched
- Conduct the most advanced attacks in the pentest business

Instructor Vivek Ramachandran has been involved in security research, product development, penetration testing and evangelism for over a decade now. He discovered the Caffe Latte attack and also broke WEP Cloaking, a WEP protection schema, in 2007 publicly at Defcon and introduced the concept of pure Wi-Fi based malware and worms. He is also the author of the book “Wireless Penetration Testing using BackTrack 5”, which has received great appreciation from the worldwide security and hacker community. His second book, “Metasploit Megaprimer”, is due for launch in February 2012.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=INT55
Subscription: http://www.jcacademy.be

Intrusion Detection and Vulnerability Management 2012

19-Apr-2012

Vulnerability and intrusion detection and management are key components in any security assessment and consideration to improve the existing environment. During this seminar, LSEC and its partners will inform attendees about current methodologies, best practices, how to recognize the experts, DIY, outsourced or as a service ...

Intrusion Detection and Vulnerability Management

Vulnerabilities in an environment, be it a network, network components, a computer system or an application, are key in the challenge to secure an information or IT environment: knowing about them in the first place and, next, making sure they should not be considered vulnerabilities going forward.
These vulnerabilities provide holes for hackers, information thieves, and others to exploit your environments. Sometimes they are wrongfully or carelessly engineered, but on many occasions they are just human errors through maintenance or other interventions. They can be basic ports in servers or firewalls, they could be misconfigurations in a database, they might be errors in an Adobe PDF reader, and they can be abused either to cause a denial of service or to provide unintended access to the protected information.

Detecting vulnerabilities before they are exploited is a key part of a proactive security strategy, and is required by many compliance regimes as part of due diligence. However, most compliance regimes only require simple forms of vulnerability scanning, causing strong downward price pressure when compliance (versus proactive security) is the driving requirement. Deeper methods of vulnerability discovery, such as penetration testing and static/dynamic application security testing, are being deployed to take more proactive steps against targeted threats that go beyond simply exploiting missing patches or misconfigured operating systems.

During this seminar, LSEC has the intention to inform Information Security professionals, Security Managers, CSO’s, CISO’s, IT Management, CIO’s and Auditors about the current trends, evolutions, methodologies and systems that could help and facilitate in the process of vulnerability management, including assessment, pen testing, intrusion detection and managed or outsourced services.

Final Program

The following speakers and topics have been put under consideration. The organizers are open to other suggestions and ideas, as well as to comments on the current program overview.

9.00 : Welcome Coffee & Registration

9.30 : Introduction, Vulnerability Assessment Framework, by Ulrich Seldeslachts, CEO LSEC

9.45 : Turning a blind eye to cyber threats? Consider an effective approach to security testing, by Daniel Lucq, Dimension Data (BE)

Abstract : Security assessment and penetration testing contribute to understanding the risks to and exposure of critical data. A means of empirically determining and validating vulnerabilities that lead to compromised data will assist organisations in pinpointing the glaring risks that should be focused on as a priority. Effectively assessing its security posture and the threats to its protected data is best achieved through a combination of network and application-level assessments. However there is a lack of consensus regarding the best approach to security testing. Organisations are faced with a multitude of options, not all as effective or with equal ROI.

About : Daniel is a Security Consultant and Team Leader of the Security Governance Line of Business at Dimension Data Belgium. In his position he manages a dedicated team of security consultants engaged in security advisory and assurance services.  Being active in IT for over 10 years, of which the majority devoted to software development and IT security, he is an expert in a variety of domains, specialising in Penetration Testing, Application Security, Security Policy and Compliance engagements, Threat and Risk Assessments, ISO 27001 and PCI DSS.

10.30 : Advanced Network Security Forensics, by Hans De Raeve, Product Manager ICT Security, Belgacom ICT - Telindus (BE)

11.15 : Vulnerability management – the common pitfalls, Outpost 24, Ron Perris, CTO (US)

About : Ron Perris is Chief Technical Officer at Outpost24, a global leader in vulnerability management. At Outpost24, Ron leads the research and development team of world class computer security researchers and engineers. Under his leadership the team at Outpost24 has spoken at major security events around the world and found numerous vulnerabilities in core components in the internet and applications from vendors like Cisco, Microsoft, Apple, Checkpoint and others. Ron is a Certified Information Systems Security Professional as awarded by the International Information Systems Security Certification Consortium. He is also a Certified Information Security Manager designated by the Information Systems Audit and Control Association.

Abstract : 
The number of organizations falling victim to data breaches through network and web-based vulnerabilities has increased substantially, with Sony, Lady Gaga, David Beckham and eHarmony all falling victim to this rising threat.  This session will explore the main reasons behind this, and offer participants insight into how to assess if current vulnerability management programs will succeed.  Through reference to recent breach incidents, the session will also explore the most common pitfalls when setting up a vulnerability management program and detail how organizations can look to avoid them.

3 promises you make the audience: “When you leave this session you will...”

1.  Have insight into the current threat associated with network and web-based vulnerabilities
2.  Understand the most common pitfalls presented by vulnerability management
3.  Realize how to adapt your security strategy to effectively avoid this problem

12.30 : networking lunch

13.30 :  Demystifying Advanced Persistent Threats, by Christophe Bianco, General Manager of EMEA, Qualys

The term Advanced Persistent Threat (APT) has been used frequently over the last 18 months, triggered initially by the attack on Google, then refreshed by attacks on other high-profile companies, including RSA and Lockheed Martin. These attacks proved that no company is immune, even with advanced security measures in place. But while organizations should understand how APTs work, it is important to remember that they face constant attacks that are not APT-related, mostly by mass malware. Why are we so vulnerable and what can be done to prevent such “advanced” attacks? This session will explore recent threat vectors and show some of the highly publicized malware and 0-day exploits that were used in these attacks. Bianco will then go over the preventative measures that organizations should take to increase their protection and demonstrate the benefits of software hygiene to keep systems patched and up-to-date with recent software updates and meet compliance requirements.

This talk is primarily focused on explaining the benefits of software hygiene and regular software updates by demonstrating using live examples how un-patched systems or software behave when attacked with malware and 0-day exploits.

What delegates will learn at this session:
• Benefits of software Hygiene
• Ability to prevent attacks against zero-days with proper software updates
• Effective ways to expedite PCI compliance audits
• Live examples of recent zero-days

About : With 15 years of experience in providing security services, including security policy and governance, audits, and intrusion detection, Christophe is responsible for strategic, operational, field sales and marketing activities in EMEA. Most recently leading Western Europe sales and managing the Luxembourg subsidiary for Verizon Business Security Solutions, Christophe led a team advising the extended enterprise on how to secure information, secure the infrastructure, and implement governance, risk and security policies. Christophe has also served as the general manager for Ubizen in Luxembourg, where he managed operations and executed the company’s partner and vendor strategy, set up a customer loyalty program, and extended the products and services offered. He has also been manager of information security for SkillTeam, an IBM subsidiary, and network and telecoms engineer for Banque Paribas, both based in Luxembourg. Christophe has a master’s degree in telecoms from the National Superior School of Telecommunications of Brittany, a degree in engineering from the National School of Brest, and an Executive MBA from HEC Paris.

14.15 : Next Generation of Intrusion and Anomaly Detection, by Zdenek Vrbka , AdvaICT (CZ)

Intrusion Detection Systems have had a good reputation for a long time, when most of the threats could be kept outside of the network perimeter and when those threats were known. Today, we don’t know about all threats, how they operate and how to detect them. What are anomalies and how will your systems be capable of protecting you if they don’t know what to look for?

About : Zdenek Vrbka received a master’s degree in computer science in 2005 at the Faculty of Informatics of Masaryk University in Brno and holds a PhD degree in Information Science with a specialization in Quality Assurance. Currently he works at AdvaICT, a Masaryk University spin-off, which develops the network security and monitoring solution FlowMon ADS (Anomaly Detection System). His main focus is business development. He is the author of the online network security and monitoring service NetHound.

15.00 : Coffee Break

15.30 : OSSEC : All your logs belong to you, by Xavier Mertens, Telenet C-Cure

Log management is a critical step to build your SIEM and SOC. Even small organisations may find lots of interesting stuff in their logs. This session will present OSSEC, an open source log management solution, and explore how it can increase the value of your logs and how to find potential vulnerabilities.

Xavier Mertens is a Security Consultant working for C-CURE, a Belgian consultancy company. His job focuses mainly on “security monitoring” solutions such as log management, SIEM, incident management but also on audits and pentests. Instead of following vendors, he prefers to find the best solutions to solve security issues. One of his preferred tools at the moment is OSSEC. He wrote several blog articles about this software to increase its performance or visibility. In parallel to his daily job, Xavier maintains his security blog and offers some spare time and resources to initiatives like BruCON, EuroTrashSecurity.

16.15 :  Next generation datacenters: vulnerability protection and intrusion prevention as part of a 10Gb and virtualization strategy, by Manu Luyten, On2It (BE)

Abstract : The ever-growing datacenters, where virtualization and next generation data transfer rates determine the current architectures, bring along old and new challenges for IT security.
Learn how to deal with vulnerability management and intrusion prevention at gigaspeed.

About : ON2IT Belgium, part of the SAGA Group, specialises in IT security & lifecycle management. We provide highly skilled consulting and managed security services, assisting our customers in gaining visibility, control and automation over the entire IT infrastructure using next generation security technologies.

17.00 : Combining vulnerability management with web application firewalls: a perfect fit!, by Erwin Geirnaert, Zion Security

Abstract : Application vulnerability management is typically not a focus of an IT environment when it comes to managing security. Most companies tend to focus on networks, perimeter and devices. Today however, most vulnerabilities are exploited through applications. This includes desktop applications, but also, in combination or stand-alone, application servers or web applications. Both the detection and the protection are seamlessly integrated and will help you reduce your vulnerabilities significantly.

About : Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE security, .NET security and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar,

17.45 Conclusions and Networking Drink

19.00 Close of seminar


Some of the following questions and considerations will be discussed :
- what is vulnerability management, intrusion detection, pen testing, ethical hacking, ...
- methodologies, standards, certifications, ...
- DIY vs outsourced, key elements and considerations
- hosted, as a service vs appliances vs manual, complementary or competitive
- forensics and what if ...
- ...

Practical

LSEC 2012 intrusion detection and vulnerability management

Ubicenter, Verizon Business, Philipssite 5, 3000 Leuven

Thursday, April 19th, from 9 AM to 18h, with networking and tradeshow facilities, coffees, lunches.
Limited seating, ensure your seat and reserve today.

Register now at : http://vulnerabilitymanagement2012.eventbrite.com

Free if registered before March 31st. 150 € participation fee if registered before April 15th, 250 € from April 16th and onwards.
Cancellation fee of 150 € upon cancellation after April 1st.

Free to participate for LSEC Expert Members and Members of TeleTrust, SITC, Systematic, Cluster Seguridad and NSM upon confirmation of their membership.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.


NSMF - Network and Security Manager Fundamentals

15-Mar-2012

This course discusses the basic operations of Security Manager. Key topics include server and domain administration, device configuration, template creation and management, policy creation and management, logging, and report generation. Through demonstrations and hands-on labs, students gain experience in configuring, testing, and troubleshooting features of Security Manager.
More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET15
Subscription: http://www.jcacademy.be

Wi-Fi Security

14-Mar-2012

Wi-Fi has become ubiquitous in our lives today. However, the flexibility and mobility provided by Wi-Fi comes at a cost – inherent insecurity! In this workshop, we will explore the basics of wireless security; learn how to conduct wireless security audits and also how to create a secure wireless network using various industry best practices.
Instructor Vivek Ramachandran is a world renowned security researcher and evangelist. His expertise includes computer and network security, exploit research, wireless security, computer forensics, embedded systems security, compliance and e-Governance. He is the author of the books “Wireless Penetration Testing using Backtrack” and “The Metasploit Megaprimer”, both up for worldwide release in mid 2011. Vivek is a B.Tech from IIT Guwahati and an advisor to the computer science department’s Security Lab.
More info:
http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT48
Subscription:
http://www.jcacademy.be

SpeakUp Live! Cloud Security


24-May-2012

Flexible and safe leverage of the Cloud

A Websense event, supported by LSEC and partners.

Cloud technology offers great opportunities for your organization: flexible capacity, predictable costs and everywhere and any time access to your (company) data. You may also use a hybrid approach which lets you combine a mix of SaaS and on-premise platforms, and manage the entire system from a single console. However, migrating to the cloud and greater collaboration has come at the expense of risks from new malware, methods of attack, and loss of confidential data.

Are you worried about data security in the cloud? During the SpeakUp Live! master class we will bring you up to speed in just one afternoon about the sense and non-sense of cloud-security.

Various opinions
SpeakUp Live! gives you a voice in a forum of your peers and industry experts. Marco Plas, managing director at Domus Technica, will share recent developments on the cloud market. Security expert Websense will speak about how Cloud computing and collaborative networks have redefined web security and discuss malware trends for 2012. Websense customer Socialistische Mutualiteiten will share the advantages of cloud technology for their organization and how they have arranged security in the cloud.

Time
The afternoon session will start at 1.30 pm with reception and registration. The event closes at 5.00 pm with a dinner buffet.

What can you expect?
SpeakUp Live! tackles various topics regarding cloud security and cloud DLP (Data Loss Prevention):
- security considerations in moving to a cloud based model;
- social networks, their business use, benefits & risks;
- the unique advantages of both Security-as-a-Service (SaaS, or “cloud”) and on-premise (appliance or software) security platforms;
- expected malware trends in 2012;
- Hosted email & web cases
- high performance next generation proxy, consolidation and TCO reduction;
- mobile security & BYOD.

Agenda

13.30 Welcome & Registration With coffee, tea and sandwiches
14.00 Welcome Philippe Michiels, Websense
14.05 Presentation Domus Technica Marco Plas, Managing Director - Cloud market developments
14.45 Presentation Websense Joash Herbrink, SE Manager Northern Europe - 2012 malware predictions, cloud DLP, mobility & cloud

15.30 Break With coffee, tea and cake

16.00 Case Didier Godin, Information Security Officer - Socialistische Mutualiteiten / La Mutualité Socialiste - A way to operational efficiency
16.30 Case Geert van de Wielle, IT Security Manager - CFE - Choosing for a full hybrid solution

17.00 Network reception With dinner buffet

About :

Marco Plas
Managing Director

Marco Plas is one of Europe’s most renowned thought leaders on information security and risk management. His unorthodox and direct approach has triggered many debates in this field. The focus of his activities lies in Risk Management, Information Security and Enterprise Architecture.

Marco is co-founder and managing partner at Domus Technica, an expert company dedicated to empowering safe collaboration between organizations. In that capacity he also held the positions of Chief Architect at ING Bank and Chief Information Security Officer at ING Insurance Europe and Asia. After his studies in Business Economy and Business Information Science, Marco dedicated himself to IT innovation with a strong focus on collaboration and protection.

During his career he held strategic positions in IT in several large enterprises, such as Capgemini, Deloitte and Getronics.

‘The Book of Jericho 2.0’ (2007), about the changes and direction of IT security architectures as a result of ‘The New Normal’, is by his hands. He also frequently publishes both scientific and popular papers on IT and organizational risk.

Websense
Joash Herbrink
SE Manager Northern Europe

Joash Herbrink is the SE manager for Websense Northern Europe, responsible for the day to day operations of the Sales Engineers team in this region. He joined Websense in 2009 as one of 5 global Senior Consulting systems engineers. This role required him to be the trusted advisor, responsible for the larger and strategic Websense customers on the entire product line, as well as liaising with Product Management to steer the development of the Websense product portfolio. As such, he has extensive field experience on how to secure an ever more mobile workforce, and how Websense can help you with this. Joash has been in the IT security industry since the late 90’s and has worked for several local and globally respected companies such as Kahuna Network Solutions and Dimension Data.

Socialistische Mutualiteiten / La Mutualité Socialiste
Didier Godin
Information Security Officer

Didier Godin has over 20 years experience in IT domains including development, project management, IT infrastructure and information security. As Information Security Officer at UNMS-NVSM, his job is to provide advice to business and technical departments regarding IT Risk Management, Business Continuity and Information Security. Thanks to his long experience in IT infrastructure as well as in software development projects he also acts as technical advisor regarding choice of Business Continuity & Security architectures.

Compagnie d’Entreprises CFE
Geert van de Wielle
IT Security Manager

Geert Van de Wielle started working in 2002 at CFE, one of the largest Belgian construction companies, as Messaging & Collaboration Manager. Since 2004 he combined that role with his job as IT Security Manager and later on he became IT coordinator for the CFE overseas offices as well.

As IT Security Manager he implemented several security measures in order to increase the level of security within the company. Today he mainly focusses on introducing ISO 27002 compliance-based working within the CFE IT department.

Practical Details and Registration

Register now via : https://www.certain.com/system/profile/form/index.cfm?PKformID=0x1273343eb95&

Location

Brasserie Het Fenikshof
Abdijstraat 20
1850 Grimbergen

Tel: 02-306.39.56

http://www.hetfenikshof.be/nl/info/Welkom-Brasserie-Fenikshof


Mobile Application Security and Penetration Testing

12-Mar-2012

Mobiles have become an integral part of our life. What started off as just a phone has now transitioned to a powerful full-blown computing platform, which runs applications that can help us email, surf the Internet, make financial transactions etc. anywhere, anytime. Unfortunately, mobile application security has not been able to keep pace with this exponential growth. This is primarily because most end users, application developers and penetration testers still do not understand the intrinsic challenges in mobile application secure usage, development and testing. This 2-day class aims to introduce you to the various challenges of mobile application security and shows you how to systematically test and secure your applications.

Participants will learn:

How to find security vulnerabilities in mobile applications
Penetration test mobile application frontend and backends
Security architecture of iPhone and Android systems
Subverting platform security controls including application decryption and disassembly

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=INT54
Subscription: http://www.jcacademy.be

LSEC Global Security Week 2012 - Big Data


11-Sep-2012

Big Data, as in massive amounts of data collection, processing, storage and archiving, creates a couple of new challenges for people who try to deal with data management, information management, but also people who are involved in securing this information.
Security for big data is about providing access, ensuring data protection (as in avoiding data leakage), but also about integrity and data management.
Big Data in the information security landscape also refers to the way Information Security technologies are making use of historical data and security information and event management (SIEM) data to improve ways to better secure the organization. The easiest way to understand this is when companies today make use of IP-address origin and other location based information to determine whether one should be granted access or not to specific privileged information.

Big Data is here, ... to stay

Radical customization, constant experimentation, and novel business models will be new hallmarks of competition as companies capture and analyze huge volumes of data. Are you ready for the era of ‘big data’? The volume of data that businesses collect is exploding: in 15 of the US economy’s 17 sectors, for example, companies with upward of 1,000 employees store, on average, more information than the Library of Congress does. New academic research suggests that companies using this kind of “big data” and business analytics to guide their decisions are more productive and have higher returns on equity than competitors that do not. As big data changes the game for virtually all industries, it will tilt the playing field, favoring some over others. The financial and information sectors rank among those with the highest potential to create value in the near term (McKinsey & co, February 2012). But industries such as healthcare and pharmaceuticals, retail and others have been dealing with those huge amounts of data for many years. Will this eventually transform the industry, and the way we work and operate?

Program Outline - Call for papers

Some speakers and experts already confirmed their participation, including companies such as :
* Oracle
* CA Technologies
* RSA, the Security Division of EMC
* Cognitive Security
* ....

We are open for companies and experts in the domain wishing to contribute.
Please send your ideas and suggestions to bigdata2012 at lsec.be.

Titles and abstracts, speakers are expected before May 30th,
Draft presentations and concept papers by June 30th,
Final presentations by August 30th.

Practical Details

LSEC Big Data and Information Security
Leuven, Kasteelpark Arenberg
Tuesday, September 11th 2012 - part of the Global Security Week 2012

Free to participate for anybody registering before April 30th
150 € for registrations beyond April 30th.
250 € for registrations beyond June 15th.
Cancellations are accepted until August 30th; beyond that date, a cancellation fee of 150 € will be charged. Non-cancellations and non-attendance will also be charged.

Limited seating, ensure your seat and reserve today.

Register now at : http://bigdata2012.eventbrite.com

Free to participate for LSEC Expert Members and Members of TeleTrust, SITC, Systematic, Cluster Seguridad and NSM upon confirmation of their membership.



AJVI - Advanced Juniper Networks IPSec VPN Implementations

05-Mar-2012

This intermediate-level course focuses on the wide range of options available when configuring VPNs using Juniper Networks firewall/VPN products. Students attending the course will learn these various deployments through detailed lectures and hands-on lab exercises.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=NET03
Subscription: http://www.jcacademy.be

Hacking Explained & Intrusion Detection (HEXID)

27-Feb-2012

You will be guided into the multi-coloured world of hacking using common standard tools. Starting from scratch, you will soon start to look differently at your networking infrastructure. Step by step, we will take a clear look at the fascinating life on the other side of your firewall. In order to stay secure, you need a fresh and stimulating awareness. Furthermore, the knowledge of hacking taxonomies will help you considerably with the configuration and understanding of intrusion detection systems.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT26
Subscription: http://www.jcacademy.be

Penetration Testing using BackTrack

27-Feb-2012

A professional and seasoned team of Security Professionals will help you take your skills a few steps further. “Common” hacking techniques are revisited from a professional and practical approach for a better and more efficient pentest. Several topics include “hardcore drilldowns”, such as bypassing ASLR during exploit development, injecting malicious code into files under Windows Vista, bypassing Antivirus systems, etc., all based on the award-winning live distribution BackTrack. The course is heavily laced with the “do it yourself” approach, and will expose you to the raw underlying mechanisms of the various attack vectors.

The course price includes the syllabus license cost of 1000$ covering:

PDF of the course watermarked by his/her name
Virtual machines with test servers for the labs
30 days access to the online labs
the opportunity to take the online exam and get certified

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT41
Subscription: http://www.jcacademy.be

CJFV - Configuring Juniper Networks Firewall/IPSec VPN Products

27-Feb-2012

This course is the first in the ScreenOS curriculum. It is an instructor-led course that focuses on configuration of the Juniper Networks firewall/VPN products in a variety of situations, including basic administrative access, routing, firewall policies and policy options, attack prevention features, address translation, and VPN implementations. The course combines both lecture and labs, with significant time allocated for hands-on experience. Students completing this course should be confident in their ability to configure Juniper Networks firewall/VPN products in a wide range of installations.
More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET12
Subscription: http://www.jcacademy.be

AJSA - Advanced Juniper Secure Access

16-Feb-2012

The Juniper Secure Access (SA) device gives granular access to your internal network resources through a secured SSL VPN. This course discusses the advanced features.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET13
Subscription: http://www.jcacademy.be

Configuring & Implementing PKI Systems (CIPS)

13-Feb-2012

A general course on PKI where we discuss and practice several PKI solutions, after having explained how PKI works and what it is built on.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT27
Subscription: http://www.jcacademy.be

Security Hardening 2012 - part 1

08-Feb-2012


!!! Update February 1st, new topics added !!!

Sequel to the successful Security Hardening Event of October 2011, LSEC and its partners are organizing the follow-up event on February 8th, 2012.

After the successful LSEC Security Hardening event in October 2011, in the week before the 2012 RSA US Conference, LSEC will organize its bi-annual Security Hardening 2012 again in Leuven at the Verizon Business’ Ubicenter. “Security Hardening” means to explore the possibilities of improving the IT and Information Security architectures and systems.

During the seminar, it became obvious that most of the topics were very complementary and gave an interesting viewpoint on how to improve security measures within companies.

Outline

This seminar is mainly intended for companies and government departments already having a security environment, and interested in finding out about new solutions, new approaches and ways to improve their security infrastructure. Security Hardening in this case meant to increase the level of security on different aspects and components of your environment. This would have been either from a network security perspective, a database and application perspective or increasing the granularity and scope of your data protection technologies. Hardening was also understood to include ways and procedures to improve security management as a whole.

All together, we’ve explored how to grow from the typical 80% of managed IT and information security risks to upgrade to 90% or and to understand the complexities, costs and resources necessary to this upgrade path.

Final Program

Security Hardening is a rather wide concept, and leaves a lot of opportunities for various topics, but the idea would be to “bring something new and fresh to Security Officers and related people managing IT Security … “. Both network security, data security, privacy and other topics are very welcome.

9.15 : Welcome & Registration

9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

Coffee continuously available during the morning.

10.00 : Securing endpoints in the cloud, mobile authentication and encryption to harden the mobile workforce, by Jan Vekemans, Option Mobile Security - Option

Abstract : Introducing the concept of The Cloudkey®, a token that provides a platform for secure mobile access. Cloudkey hardens the authentication and the mobile communication layers, combining proven Vasco Digipass authentication with Option’s 3G communications technology to provide an all in one product that simplifies strong, secure access. It is intended for situations that require secure, highly available internet connectivity combined with authentication: internet and intranet access in government and enterprises, gambling & gaming applications and applications where Digipass technology has already been deployed and there is a requirement to combine this with 3G communications.

About : Jan Vekemans has been with Option to develop the mobile security Managed Secure Authentication Service. Prior to Option, Jan built experience with Vasco and has extensive experience in authentication technologies. He has worked with Genband, being the front runner for EMEA, and expanded Netilla to become a household name in IT security. At Vasco, Jan has built channels and motivated teams. Prior to that he worked with Baltimore Technologies and Xerox Engineering Systems.

10.40 : Intelligent network behavior analysis: qualifying your security events and information and making an evaluated automated evaluation of threats and challenges. Mobile Security Strategies. Hardening your security on the basis of your security information, by Gabriel Dusil, Cognitive Security

Abstract : The explosion in cellular usage and mobile commerce will require advanced levels of protection for mobile users, as hackers continue to find vulnerabilities to exploit. As mobile data is expected to grow 16 fold over the next four years, mobile providers are facing new challenges in balancing subscriber ease-of-use with cyber-security protection. A dual strategy which includes end-point and infrastructure security should provide robust and cost effective levels of protection. Network Behavior Analysis is a viable building block to infrastructure security, and helps to protect a collective subscriber base against sophisticated mobile cyber-attacks.
Cognitive Security provides clients with a granular view in their corporate-wide network activities.  This includes visibility into threats that traverse traditional network defenses, and may include sophisticated and unauthorized penetration into sensitive IT assets, targeted malware infections, or strategically motivated black hackers.  Cognitive Security specializes in quickly identifying these attacks, and allowing administrators to quickly mitigate against security breaches.

About : Gabriel Dusil is Vice President at Cognitive Security, a Czech Security technology company. He is expanding the company’s presence across Europe, the USA, and beyond. Before joining Cognitive Security, Gabriel was the Director of Alliances at SecureWorks, responsible for partnerships across Europe, Middle East, and Africa (EMEA). Previous to SecureWorks, Gabriel worked at VeriSign and Motorola in a combination of senior marketing and sales roles. Gabriel has lectured in security, authentication, and data communications, as well as speaking in several prominent IT symposiums. Gabriel obtained a Degree in Engineering Physics from the University of McMaster, in Canada and has advanced knowledge in Cloud Computing, SaaS (Security as a Service), Managed Security Services (MSS), Identity and Access Management (IAM), and Security Best Practices.

11.20 : How to protect your data at rest with tape encryption? by Christian Vanden Balck, Oracle Systems EMEA Long Term Storage
Tape encryption, technology of the past or hardening method for archiving?

Abstract : There is a variety of storage possibilities of archiving methods and systems. Depending on the business needs, many companies are still relying on tapes. Those tapes can become a potential risk, if not securely managed. Hardening security of archiving should be considered. The physical loss of tape cartridges containing sensitive data poses a major risk. High-speed data encryption on the tape drive. Oracle Systems, through their acquisition of SUN Microsystems, also acquired StorageTek. Oracle hardened the business requirements with Oracle Key Manager (OKM) which centrally authorizes, secures, and manages all of the encryption keys.

About : Christian has over 19 years of experience in IT, including 7 years of internal IT at Colruyt and 12 years at StorageTek (acquired by Sun Microsystems which was acquired by Oracle). From a PL/1 programmer on IBM mainframe his focus has rapidly evolved to Storage on both IBM mainframe and Open systems. In his current role, Christian is working in an EMEA role supporting the Oracle Long Term Storage business for the BeNeLux and Eastern Europe/CIS clusters. Main topics of interest are hardware encryption on tape, archiving and compliance needs, disaster recovery and green IT.

12.00 : The recent evolution in encryption methods, might be a help in hardening your systems. AES is the standard, but are there other methodologies that could harden your systems and applications? by Vincent Rijmen, Associate Professor, COSIC, KU Leuven

Abstract : Instead of a regular cocktail and appetizer, this explosive mix of advanced cryptographic evolutions is best served before lunch. The evolution of the encryption methods is an opening theme Vincent uses for the bi-annual COSIC international course. It provides a fast lane into the highway of cryptographic methods and challenges, but also provides a perspective on how easy it could be to break encryption systems in this evolutionary landscape. The reason why also encryption is something to manage, and to harden. 8 digit passwords are a thing of the past, but what is next?

About : Vincent Rijmen is a Belgian cryptographer and one of the two designers of the Rijndael, the Advanced Encryption Standard (AES). Next to other cryptographic hash functions, and block ciphers, he became associate professor (hoofddocent) at KU Leuven, working with the COSIC lab. He did postdoctoral work on several occasions collaborating with Dr. Joan Daemen. One of their joint projects resulted in the algorithm Rijndael, which in October 2000 was selected by the National Institute for Standards and Technology (NIST) to become the Advanced Encryption Standard (AES). Rijmen has been working as chief cryptographer with Cryptomathic. Rijmen was a visiting professor at the Institute for Applied Information Processing and Communications at Graz University of Technology (Austria), and a full professor there from 2004–2007. In 2002, he was named to the MIT Technology Review TR100 as one of the top 100 innovators in the world under the age of 35.

12.40 : buffet lunch

13.40 : Banking Trojans, effective, prolific and unstoppable? A technical dissection and hardening suggestions, by Eddy Willems, G Data Software

Abstract : In the last decades, we have seen an enormous evolution in cyber threats. One of the scarier developments for many internet users in the recent years are banking Trojans. These are specifically targeting them where it hurts the most: in their wallets. And they seem to become more and more effective, if we can believe what we read in the media. But how come these Trojans are so effective and prolific? Aren’t antivirus solutions, which always seem to have malware detection rates of over 98%, detecting and stopping them? In this presentation, Eddy Willems, Security Evangelist at G Data, sheds light on how banking Trojans technically work, on how they keep themselves under the radar of the vast majority of all security solutions out there and on what can be done to stop them.

About : Eddy Willems studied Computer Sciences at IHB and Vrije Universiteit Brussel. He started working as a Systems Analyst in 1984. He did also some data recovery work in those early days. In 1989 he became interested in viruses because of an incident with the famous AIDS-diskette. From that time on he started to gather information about computer viruses and anti-virus software. In 1991 (from the beginning in Brussels) he became a founding member of EICAR, a European security organisation. Eddy is thé computer virus and malware expert from Belgium.

14.20 : Hardening open-source content management systems: Drupal, Fork CMS and Umbraco, ... by Erwin Geirnaert, Zion Security

Abstract : Open source CMS systems have become the most advanced and most popular ways to operate and maintain web communities, both internally and as external websites. Sometimes they serve only a specific part of a company’s web presence, but in many cases they are the central hub for companies that dynamically maintain their web presence. Notwithstanding which platform, or if only components and open source programming instruments have been used, they need to be maintained and secured. Web vulnerabilities are the most common targets from the outside. A damaged website can cause damage to the public profile of a company or organization, but it could also affect internal operations if it serves as a hub for malware distribution or phishing attacks. An introduction on why and how to harden CMS platforms. Use it to inform your business and marketing departments.

About : Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE security, .NET security and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar,

15.00 : Hardening against Advanced Persistent Threats (APT), how to? Marcel Snippe, RSA the Security Division of EMC

Abstract : Who better than RSA would be able to explain today about the damage that can be caused by APT’s? The SecurID hack in March 2011, according to RSA, resulted in data that was stolen which could potentially compromise its SecurID tokens. The attack against the RSA network was an example of a new breed of security threat aimed at flying under the radar longer and going after bigger payoffs. An APT attack involves patient, skilled, well-funded attackers going after the really big prize. This attack and others demonstrate why APTs are a growing security concern. Attackers with the skill to bypass network security controls, and the patience to do so over time to avoid overtly suspicious activity that might lead to detection, can eventually achieve major network breaches and data compromise.

About : Marcel Snippe is the manager of the RSA Technology Consultants EMEA North since May 2011. Prior to joining RSA, he was Senior Principal Presales Consultant at Symantec, which he joined in 2006 active in the domain of Data Loss Prevention.

15.40 : coffee break, networking

16.10 : Opening the deep risks of virtual infrastructures and assess them against hardening guidelines, by Aman Bar, the Lancelot Institute

Abstract : During the presentation, the idea is to get access to a remote datacenter. Virtualization technologies provide a great technology to optimize the infrastructure use and provide flexibility in computing. They should be well secured and sometimes the infrastructure is not completely secured.

About : Aman works as training & solutions director in the Lancelot Institute. In addition to his management and consulting activities he regularly travels the globe on speaking and teaching engagements for enterprises to assist them in securing their information assets. Aman is academically qualified in Information Systems, and specializes in Information Systems Assurance, Auditing, Continuity, Recovery and Incidence Response. He is author and co- author of the Virtualization Audit Professional™, Cloud Audit Professional™ and Penetration Testing Professional™ training programs.

16.50 : Remote Access Security, by Rudolf Schucha – Communications Security Consultant – Ultra Electronics - AEP Networks

Abstract : All organizations are coping with challenges of remote access. Whether they are to enable employees access for teleworking, accessing partners for remote services, providing access to webservices or even access to cloud environments. An analysis of the problem will indicate that quite a series of challenges are being posed from technology to people skills. Risks appear to be numerous and the provider and receiver will have to be able to trust each other. With this presentation Mr Sucha will present a comprehensive approach of dealing with the challenge and improving your existing setup.

About : As a former HP/Agilent Network Measurement and Management Consultant of 14 years, Rudolf has been working with a large number of the big companies within the ICT sector as a trusted advisor on how to ensure network security. Rudolf joined AEP Networks (now Ultra Electronics AEP Networks) in September 2010 to add large scale project experience and technical expertise to the growing AEP team. In particular, his experience in network management combined with his knowledge of multimedia communication allows him a really good understanding of the modern and ever growing number of applications which look threatening to the historically grown government and enterprise networks.

18.10 : Closing Notes, Reception & Networking

19.00 : Close of Conference

Specifically some topics we are aiming for :
- network monitoring, deep packet inspection
- embedded security
- IPv6 & impact on security
- Database security hardening
- Web application security - firewalling
- New developments in hardware security – TPG/CC-based
- Security as a service (in the cloud)
- Virtualization security
- Identity management – access management - authentication
- Vulnerability testing – intrusion detection
- Data Protection technologies & systems
- Critical Infrastructure Protection
- Cybersecurity & Malware protection
- Security Monitoring & Network Monitoring
- Governance & Compliance
- …

Practical Details

LSEC Security Hardening 2012 - part 1
February 8th, Ubicenter, Leuven

Register now to secure your seat at http://securityhardening2012.eventbrite.com

Participation is free for LSEC Members, LSEC partners and partner Members, Agoria Members and ECSA Members.
Participation is free for all others who register before December 30th. After that date, the registration fee is 150 €.
A no-show fee of 150 € applies if you neither cancel at least 1 day before the event nor attend.

This event was supported by CA Technologies, an LSEC platinum sponsor for our events. We are always open to other, additional interested parties.

The ticket you will receive from Eventbrite will show February 8th only, but will cover both days. Please inform us if you can only attend one of the two days.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

CJSA - Configuring Juniper Networks Secure Access

02-Feb-2012

This course discusses the configuration of Secure Access (SA) products in a typical network environment.
Key topics include SSL access technologies, basic implementation, and configuration and management options. Through demonstrations and hands on labs, students will gain experience in configuring, testing, and troubleshooting basic facets of the SA products

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=NET10
Subscription: http://www.jcacademy.be

CPDP 2012 - Computer Privacy and Data Protection


27-Jan-2012

On Friday January 27th, LSEC organizes a day on data privacy and data protection. Part of the CPDP 2012 Conference, this day will focus on the implications and practical experiences of data protection in Belgium and Europe.

Data Protection in evolution : Coming of Age

During that day, the discussions will be slightly more focused on some of the practical implementations of the various applicable legislations and challenges by companies, organizations and government in applying them. Besides, the perspective will open up to the point when beyond the compliance to data protection regulations, there is also the aspect of protecting data (including private information) from intended or unintended misuse. During these sessions, we will also focus on some of the potential ways to deal with regulations from an operational perspective by presenting some methodologies, solutions and technologies and also their current challenges.
Finally the day will close with some views and discussions on how to practically deal with upcoming legislations, data leakage challenges and policy requirements by means of some innovative approaches, processes and technologies.

About the CPDP 2012 Conference

The CPDP (Computers, Privacy and Data Protection) conference is neither a purely academic conference nor a business or activist conference. It is a privacy stakeholder conference set up by five academic institutes with the aim to bring together academics, practitioners, policy-makers and civil society so they can meet, exchange ideas and discuss emerging issues of information technology, privacy, data protection and law.

CPDP is organised by the following institutions: Vrije Universiteit Brussel, the Université de Namur, the Universiteit van Tilburg, the Institut National de Recherche en Informatique et en Automatique and the Fraunhofer Institut für System und Innovationsforschung.

CPDP has progressively been growing since its inception both in terms of speakers, participants and panels and the ambition for its upcoming fifth consecutive edition is higher than ever. Last year’s conference welcomed more than 400 participants, including 180 speakers from all over the world. Its artistic and public side events such as the privacy party, two public debates, film screening and Pecha Kucha evening attracted an additional 800 people. Determined to exceed the positive feedbacks received from speakers and participants from the last years, which range from “excellent” to “brilliant agenda keeping”, this year’s conference offers twelve panels, a pre-conference, several academic and cultural side events and a PhD-evening.

The regular panels include both the presentation of stakeholders’ agenda and intense debates around key issues in the field of privacy, data protection, technology and society. In addition, specific sessions will be dedicated to the issues of ICT and aging, surveillance and law-enforcement and eDiscovery

Practical Details

Business Track Data Protection and Privacy, Friday January 27th, 2012.
Part of the CPDP Conference 2012
Computers, Privacy & Data Protection 2012 conference - European Data Protection : Coming of Age
25, 26 and 27 January 2012 in Les Halles de Schaerbeek in Brussels, Belgium

For more information and registration please surf to: http://www.cpdpconferences.org/ or contact cpdpconference at lsec.be or download the program guide for the full conference.

Preliminary Program January 27th Business Track

Business Track : LSEC in cooperation with CPDP 2012


8.30 : crash course on privacy & data protection in 2012 : business challenges, regulatory environment in Europe and Belgium, supporting advice – Deloitte, Erik Luysterborg

During this first hour, business, IT and legal counsel within corporations and public administrations will be informed about the current and the changing Data Protection landscape and how it affects their business and day to day activities. This introduction into data protection challenges and opportunities will provide a good refreshment or basic understanding.

Data Protection, Computer Security and Privacy in Business

9.30 : discussing one of the problems : update on data loss challenges, data breaches and protecting assets by Stefano Ciminelli, Verizon Business (35”)

10.15 : coffee break

10.30 : continuation of the data loss challenges discussion and discussing some other problems : removing digital footprint, technologies causing issues such as the need for privacy by design, personal data versus corporate communications – online social media, acceptable use and trade unions on privacy and network monitoring, on video surveillance and biometrics

Value of Corporate Secrets and key considerations for DLP, by Rashmi Tarbatt, EMC : why organizations are under investing in protecting secrets and spending more on compliance, update on Data Loss Protection (40”)

Panel Discussion :
Stefano Ciminelli, Verizon Business; Rashmi Tarbatt, Chief Security Architect EMC; John Sabo, CA Technologies; Bruno Schröder, Microsoft; Erik Luysterborg, Deloitte

Data protection technologies are varying from end point encryption on hard disks and portable media, over identification and authentication, information asset management and digital rights to evolutions of data and applications in the cloud. Technologies are evolving, business needs are more demanding, but how to define a suitable strategy and how to find a suitable solution?

An in depth discussion moderated by LSEC and Deloitte (50”)

13.00 : lunch

14.00 : Communicating and managing privacy within organizations

With contributions from TU Berlin and Deloitte.
Awareness and creating awareness are important components of a successful privacy preserving and data protecting policy. In the past, this has proven to be a critical component in most environments. Some experiences on communications and privacy within the organization will be shared.
Description: A prevalent issue for discussion is that of data protection legislation failing to keep pace with technological developments, particularly in the field of surveillance technologies. Privacy principles in organisations are often lacking, if they exist at all. This is an issue of particular interest currently due to a renewed debate on the principle of accountability. In this panel different approaches of how privacy communication within organisations can be enacted will be presented.
Chair: Daniel Guagnin, Technical University Berlin, Germany
Leon HEMPEL / Carla ILTEN (PATS), Technical University Berlin, Germany
Michelle CHIBBA, IPC Ontario, Canada
Wulf BOLTE / Peter LEPPELT, praemandatum, Germany
David Wright, (PIAF)
Erik Luysterborg, Deloitte

15.15 : coffee break

15.30 : discussing privacy & data protection technologies : challenges and opportunities

With contributions, presentations and panel discussion with RSA, CA Technologies, Microsoft, Deloitte
Discussion on Privacy Issues, A Reference Model for Managing Privacy in Cloud Computing and Other Complex Networked Environments, by John T Sabo, CA Technologies (40”)
This presentation will provide an overview of an important specification supporting online privacy management now being drafted by the Privacy Management Reference Model (PMRM) technical committee in the OASIS standards organization.

Companies and governments are implementing and developing various security systems and measures, in order to better protect and preserve their assets, both people, information and electronic data. But also systems such as surveillance and monitoring solutions are impacting people’s privacy, and their rights as citizens. What are the practical implications? Are there balances to be found? Are there any standard company or trade practices? How should this evolve?

17.00 : concluding remarks

Special Invitations on request

If you would like to participate in the CPDP 2012 program, which is co-organized by LSEC, and would like to attend the Business day on Friday January 27th only, please register at http://www.lsecatcpdp2012.eventbrite.com and ask for a special entry until December 31st.

A special invitation to attend the CPDP 2012 Business day only, free of charge, can be awarded upon confirmation by the LSEC team, after registration only. Only a limited number of seats can be awarded, on a first come, first served basis.
Priority to LSEC Members, and members of our partners TeleTrusT, SITC, Systematic, Cluster Seguridad and NSM.


CPDP 2012 - Computer Privacy and Data Protection 1


27-Jan-2012

On Friday January 27th, LSEC organizes a day on data privacy and data protection. Part of the CPDP 2012 Conference, this day will focus on the implications and practical experiences of data protection in Belgium and Europe.


Preliminary Program January 27th Business Track

Business Track : LSEC in cooperation with CPDP 2012

8.00 : breakfast crash course on privacy & data protection in 2012 : business challenges, regulatory environment in Europe and Belgium, supporting advice - Deloitte

During this first hour, business, IT and legal counsel within corporations and public administrations will be informed about the current and the changing Data Protection landscape and how it affects their business and day to day activities. This introduction into data protection challenges and opportunities will provide a good refreshment or basic understanding.

Data Protection, Computer Security and Privacy in Business

During the following sessions, speakers have been asked to prepare a 15-minute presentation, which will be followed by an in depth panel discussion of 20 to 30 minutes.

9.00 : discussing one of the problems : update on data loss challenges, and data breaches, protecting assets

With contributions and presentations by Verizon Business, FFW, RSA, Belgian Privacy Commission. Whether they are accidental loss of memory s
Companies and public authorities have been, and continue to be, challenged by loss of data in various forms and formats. Whether this is in the form of a memory stick lost in a taxi, theft of a laptop on a train, hackers breaking in the company’s websites, or compromised databases because of disgruntled employees, the value of the data and the cost of the loss itself (in case of personal data loss) are an important business risk.

10.30 : coffee break

10.45 : discussing some other problems : technologies causing issues such as the need for privacy by design, personal data versus corporate communications – online social media, acceptable use and trade unions on privacy and network monitoring, on video surveillance and biometrics

With contributions and presentations by Morpho Saffran, DLA Piper, EC JRC and Dimension Data.
Companies and governments are implementing and developing various security systems and measures, in order to better protect and preserve their assets, both people, information and electronic data. But also systems such as surveillance and monitoring solutions are impacting people’s privacy, and their rights as citizens. What are the practical implications? Are there balances to be found? Are there any standard company or trade practices? How should this evolve?

An in depth discussion moderated by LSEC and Deloitte

12.00 : Privacy officers panel discussion. How to tackle the main privacy issues in practice: behavioral advertising, handling social media use on the work floor, data breach and incident management in changed (eg Cloud) environment, PCI-DSS, … discussing the real current issues and challenges

With Privacy Officers and related functions from various European companies in finance, healthcare, public administration, technology and retail.
This discussion will provide insight into the current day to day dealings of corporate or administrative functions and their responsibilities. How do they relate internally within the organization? Are there any best practices or common challenges, similar or different from other security, legal or risk officers?

13.00 : lunch

During the following sessions, speakers have been asked to prepare a 30-minute presentation.

14.00 : Communicating and managing privacy within organizations

With contributions from TU Berlin and Deloitte.
Awareness and creating awareness are important components of a successful privacy preserving and data protecting policy. In the past, this has proven to be a critical component in most environments. Some experiences on communications and privacy within the organization will be shared.

Description: A prevalent issue for discussion is that of data protection legislation failing to keep pace with technological developments, particularly in the field of surveillance technologies. Privacy principles in organisations are often lacking, if they exist at all. This is an issue of particular interest currently due to a renewed debate on the principle of accountability. In this panel different approaches of how privacy communication within organisations can be enacted will be presented.

Chair: Daniel Guagnin, Technical University Berlin, Germany

Leon HEMPEL / Carla ILTEN (PATS), Technical University Berlin, Germany
Michelle CHIBBA, IPC Ontario, Canada
Wulf BOLTE / Peter LEPPELT, praemandatum, Germany
(PIAF)(t.b.c.)

15.00 : coffee break

30 minute presentations & discussions

15.15 : discussing privacy & data protection technologies : challenges and opportunities

With contributions and presentations from RSA, Traxion, CA Technologies, Microsoft

Data protection technologies are varying from end point encryption on hard disks and portable media, over identification and authentication, information asset management and digital rights to evolutions of data and applications in the cloud. Technologies are evolving, business needs are more demanding, but how to define a suitable strategy and how to find a suitable solution?

17.00 : concluding remarks & next steps – cocktail reception


Exploit Research Workshop

16-Jan-2012

Exploit Research is the field of finding security vulnerabilities in software, and writing programs to exploit them. This is a very interesting field but also requires a lot of technical background and knowledge to dive into. In this workshop, we will start from the very basics and first learn assembly language programming to prepare you for the task ahead. After this we will learn how to exploit different vulnerabilities and bypass various security mechanisms such as DEP and ASLR. We will conclude by looking at how to integrate our exploit code with frameworks such as Metasploit.
Instructor Vivek Ramachandran is a world renowned security researcher and evangelist. His expertise includes computer and network security, exploit research, wireless security, computer forensics, embedded systems security, compliance and e-Governance. He is the author of the books – “Wireless Penetration Testing using Backtrack” and “The Metasploit Megaprimer ”, both up for worldwide release in mid 2011. Vivek is a B.Tech from IIT Guwahati and an advisor to the computer science department’s Security Lab.
More info:
http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT46
Subscription:
http://www.jcacademy.be

Discover advanced authentication and identification technologies : biometrics in 2011 for you?

01-Dec-2011

On Thursday December 1st, LSEC in cooperation with the European Security Innovation Network partners SITC, TeleTrusT and Systematic organized a one day seminar on the development and opportunity of using Biometrics in enterprise or government applications.

Biometrics 2011 : a market perspective, use cases and best practices

In 2008 LSEC organized a one day seminar on status of Biometrics, its evolutions and applicability.
Three years later, the world has evolved again significantly, and more and more organizations are using fingerprint readers, iris-scanners and other biometric authentication technologies on a day to day basis.
Biometrics are being included in electronic ID cards, high performance scanners are evolving, false positives are being further reduced in everything from finger scans up to video analytics, standards are being discussed, and privacy concerns are increasing while biometric data are being sent over the internet.
The time is right to re-visit biometrics and get a perspective of the current state-of-the-art, and applicable solutions. How will biometrics be applied in the ever evolving mobile and virtualized world, will we be having a one single sign authentication, and how can privacy enhancing technologies be applied to biometric information?

The focus of the seminar was to find out what the benefits, challenges and business models for applying biometrics could be, what specific applicable solutions might be presented in environments that could be challenging for other types of authentication technologies.
Could biometrics in 2011 be a solution for your situation?

Program Outline

Biometrics 2011 : a market perspective, use cases and best practices

9.30 : Welcome & Registration

9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.

Biometrics in the overall security strategy – where does it belong and when technology makes the difference to add value, and not just be around security.
Ulrich Seldeslachts, LSEC

Biometrics are real, are here to stay
Biometrics solve real business issues and improve security
Technologies have become widespread and continue to improve and evolve
New paradigms are becoming clear
Privacy protection no longer an issue, but still challenging
Standardization drivers

10.05 : Biometrics in electronic documents, identity systems, by Thales

An overview of the application of biometrics in electronic identity systems for documents processing.

10.45 : Addressing border management & security dilemma through consolidation of biometrics and biographic passenger identities or how biometrics can be used in large scale challenging environments such as airports.
by André Oeyen, Director Biometric Business Development, SITA, Belgium

11.45 : Biometrics in office automation, more specifically: Trusted Office Printing : by Bart Smets CHB and Ilse Borremans, Macro4 : Case CHB – Macro4

12.30 : lunch & networking

13.30 : Using Iris recognition in industrial applications, by George Martin, CEO Smart Sensors

In a world of people movement, interconnection and networking, never has it been more important to know who has access to your assets, whether they are physical assets such as buildings and operational equipment such as plant, process facilities and machinery, or logical assets such as computer and communication systems where vital data, including financial transactions, may be processed and stored.

Biometrics offers a unique opportunity for organisations – both industrial and government – to build infrastructure that can permit or deny access on an automatic basis, according to a set of access permissions, authorisations and hierarchy.

This presentation will explore some of the use cases in this area, and why iris recognition offers a particularly attractive biometric modality.

About : Martin George is CEO of Smart Sensors Limited, based at the University of Bath’s Innovation Centre. The company has developed a class-leading, independent set of algorithms for iris biometrics, with particular application to the field of mobile and small-footprint biometrics. Smart Sensors works closely with iris capture equipment makers and ID Systems Integrators, licensing its algorithms and providing a variety of tools and analytics through which its customers can deploy a strong iris biometric capability.

14.30 : Biometrics, a security enabler – Ronald Huijgens, vice-chairman Dutch Biometric Forum

Director Biometric Technologies, Unisys

The Dutch biometric forum is a foundation that promotes meaningful, safe and reliable use of biometrics. Ronald has many years of experience in providing biometric solutions for companies and governments and has seen the development of the technology, its pros and cons over the last years.
Ronald will be presenting his view on how biometric solutions can be implemented as a security enabler in various contexts and positions. He will be able to present the value of biometrics over and next to other types of security technologies in the space of authentication and identification, in access control and other situations.

15.15 : Coffee Break

15.45 : Security and Privacy challenges with biometric solutions, by Koen Simoens, researcher KU Leuven, COSIC

The future of biometrics, evolutionary landscape, technology perspective, developments in research, industrial and end user challenges

Beyond Performance: Researches Addressing Practical Challenges of Biometrics-Enabled Applications, Bian Yang, Gjovik University College

As a secure and convenient identity authentication means, biometrics’ power in technical performance (accuracy, efficiency, stability, … etc) will obviously give the most important influence to suitability of a biometrics-enabled system to a specific application scenario. However, beyond the technical performance, we are facing various practical challenges (security and privacy, spoofing, scenarios needing new sensing technologies, applications for consumer electronics, … ) that could hinder a biometric system from deployment. This talk will give an overview of such non-technical-performance practical challenges together with some state of art solutions resulting from innovative researches in the relevant fields. Gjøvik University College have been tackling several of these challenges and some recent research results in privacy protection and mobile biometrics applications will be shared with audience. Future research trends will be discussed.

Biography: Dr. Bian Yang is a senior researcher with NISlab, Gjøvik University College, Norway. He received his PhD degree in 2006 from Harbin Institute of Technology (HIT), China, and worked with HIT as a researcher from 2005-2007 on media content security. He visited Fraunhofer IGD, Darmstadt 2003-2005 and was involved in the European projects ECRYPT and AXMEDIS. He worked with Thomson Corporate Research (Beijing) on content-based coding 2007-2008. He has been with NISlab in Gjøvik since 2008 and focuses his research on the biometric data security / privacy and interoperability fields, and was involved in the European project TURBINE for fingerprint template protection. He is also with Norway Standards in the mirror committee to ISO/IEC SC27.

16.45 : Panel Discussion
- biometrics ready for today or still for the future
- the business case for biometrics vs other authentication technologies;
- biometrics TCO and other value creation
- crossing the chasm between end users expectations, industrial solutions, R&D and CSI;

17.15 : Closing Reception & Networking

18.30 : Close of Conference

Practical Details

This event took place December 1st, 2011 at the Ubicenter in Leuven, thanks to Verizon Business.

Participation is free when registered before November 30th, 2011.
Participation fee costs 150 €, unless your organization is Web member of LSEC, Core or Expert Member of LSEC, Member of SITC, TeleTrusT, Systematic, Agoria, ISSA, or ISACA. Cost for non-cancellation : 150 €.

Registration is now open for our next Biometrics event, in 2012. This event has not been finally scheduled, but you can already sign up your interest.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

Security Management - Managing Mobiles - Bring Your Own Device

29-Nov-2011

Managing Mobile Devices - Bring your own device

Mobile devices are changing the way many enterprises work, receive information, and remain competitive. The challenge is that the range of devices is growing as well as the number of individuals using personal devices for professional use. This poses a security and deployment issue for many organizations as they try to manage these mobile devices.

Managing mobile devices is increasingly complex and challenging. Organizations have traditionally supported BlackBerry devices with limited range outside of that. However, use of other devices, including the explosion of enterprise use of iPhone and iPad, means that organizations must identify ways to manage the whole environment. The other issue is that employees are using personal mobile devices, which causes information security concerns and vulnerabilities for many businesses.

During this seminar, we have presented an overview of mobile device management and security best practices. An integrated approach to mobile security including company security policies, training, and a mobile device management solution is critical for all enterprises. This will better enable IT staff to manage their deployed mobile devices, in-house apps, collect data points, as well as ensure overall fleet/device security.

In April 2011, Gartner published its Magic Quadrant for Mobile Device Management Software platforms. Some of the represented vendors have been asked to present their perspectives. But as usual, we won’t be limiting ourselves to the analysis of Gartner alone and let you decide for yourself which qualifiers need to be addressed in this extremely dynamic and fast evolving domain.
We’ve also included some system integrators, to present their experiences and perspectives of some of the various market players.

Finally, attendees were able to make an informed decision about managing mobile assets and information assets transported wirelessly.

Final Program Overview

A seminar with various perspectives and market updates.

09.00h : Registration & Welcome Coffee, Networking, opening demo platform

09.30h : Welcoming notes & introduction by Ulrich Seldeslachts, CEO LSEC

09.45h : The perspective from a security platform, managing information security throughout the enterprise up to the mobile devices, by David Van Damme, McAfee

Changing users, hypergrowth in devices and various other trends impact the mobile threat outlook. With Mobile Malware on the rise, appstores and apps that should not be trusted, handhelds will require mobile security handlings for information on the move and at rest. Adding to this the complexities of security management, key management and end point protection, proof that an integrated platform will be useful.

10.15h : The changing mobile landscape and the impact on business, IT and security management. Perspectives on dealing with mobiles, by Ulrik Van Schepdael, Mobco

Dealing with mobiles in an enterprise environment, from policy development, IT architecture, system integration and mobile devices management, up to implementation and dynamically defining policy rules.
With experiences shared from implementations of MobileIron and Box.net.

11.00h : Mobile Device Management and BYOD, an insight in a mobile device management platform and market experiences from Airwatch, by Manu Luyten, On2It.

11.45h : From Mobile Device Management to Fourfold Secure Mobile Device Management (Enterprise Mobile Data Lost Prevention).
Managing mobile devices beyond the platform and looking into security, market experiences with Zenprise by John Ferguson, Zenprise & Gert Vanhaeght, Mobila

Today, everyone has a smartphone. For enterprise this brings a duty of care to secure and protect sensitive corporate and customer information. But the complexity of managing and securing multiple device types, often without direct contact, is a challenge many IT personnel do not want to face. This presentation will demonstrate the changing environment, and – as recently identified by the industry analysts - the most capable solution to manage and protect the enterprise you carry in your pocket.

John Ferguson is Director of Product Management, responsible for Zenprise’s Mobile Device Management (MDM) service offerings. John has 20 years of experience in product management and operations leadership positions with leading security technology companies. Prior to Zenprise, John worked for Symantec developing cloud based security solutions and data loss prevention products while at Vontu (acquired by Symantec in 2008). Before joining Vontu, John was an early employee of VeriSign where he had both product management and operations roles, including overall responsibility for VeriSign’s IT infrastructure and operations groups. John started his professional career at AT&T where he spent 6 years in operations, marketing, and finance positions. John has a B.S. Degree in Electrical Engineering as well as a Masters of Business Administration Degree in Finance.

Short interactive demo by Liz Knight

Liz Knight is Senior Pre-sales Engineer and originally comes from New Zealand. Liz has recently made the decision to move to the Netherlands to become an important part of the team to build Zenprise and its entity in the Benelux Region. Prior to Zenprise, Liz worked for large Telco Carriers as Technical Manager, where she dedicated her professional capabilities to the advancement of wireless mobile data technologies. Customers she worked with include the largest financial and government organizations in New Zealand as well as small to medium emerging businesses. Regardless of size or requirements, she strives to ensure each and every customer gets the best out of their mobility investment.

12.30h : networking lunch

13.30h : Managing security at all levels for all smart phones, by Fabrice Hatteville, Thales

The fast growth of the smart phone and tablet markets, both in terms of sold units and in terms of technical possibilities, has brought a number of new challenges to companies. On one side, professional users tend to use their smart devices for both their professional and private needs, resulting in a mix of sensitive and non sensitive data on a single device. On the other side, the flexibility of these devices and the rich possibilities they offer in terms of applications, connectivity, ... make them a target of choice for potential attacks by viruses or others. At the same time, the large variety of brands and models makes it difficult for ICT managers and security managers to follow technological trends and to anticipate threats.
There is thus a need for companies to put in place a flexible system allowing at the same time to give access to the company’s standard tools for operational needs, to ensure secure communication between the employees’ smart phones / tablets and the sensitive data in the company’s system and to protect the company’s assets from potential threats coming from private activity on the employee’s device.  This all while maintaining a user friendly and simple-to-use interface. An insight on how these issues can be solved and which solutions exist will be given.

14.15h : Strategies and tips to manage and secure SmartPhones in a context of accelerated consumerization, by Michel Lanaspeze, Sophos.

Mobility and consumerization are defining some of the most significant changes in computing since the shift from mainframe computers, bringing promises of increased enablement, efficiency, but also new risks and threats. We will review these trends, giving insights from SophosLabs on risks, and present strategies and practical advice for organizations to manage SmartPhones and Tablets effectively in order to make BYOD a productive and secure reality.

About : Michel Lanaspèze is Marketing & Communication Manager for Sophos Western Europe, with 24 years of experience in the IT industry, and the past 15 years dedicated to the IT Security sector. Michel Lanaspèze holds an Engineering degree from Telecom ParisTech and an MBA degree from INSEAD.

15.00h : Coffee Break & Networking

15.30h : Integrating tablets Successfully in your Business Environment, The perspective from an operator using various mobiles, by Jean-Luc Delvaux, Belgacom.

In this presentation we will first review the various mobility trends and challenges and introduce the potential solutions. Then we will discuss the real-life case of Belgacom. Indeed, Belgacom has equipped all its sales force with tablets in 2011. We will discuss the choices that had to be made to make this initiative successful.

About : Jean-Luc has been working for Telindus International since 2001 (acquired by Belgacom in 2006) where he has been responsible for the ICT Security Strategy and for the development of the Security business internationally. In this capacity, he is in charge of developing Telindus’ security solutions and services portfolio as well as new market segments and geographies. Jean-Luc has more than 20 years of experience in the international ICT Services industry and close to 15 years more specifically in the Risk and Security domains. Prior to joining Telindus International, Jean-Luc has been active in various responsibility roles within Dimension Data, such as developing internationally the professional training business unit (NetBrain).

16.15h : Making all come together from a Security Management perspective. Closing Notes & Key Learnings of the day, by Steven Ackx, Ascure a full subsidiary of PWC Advisory Services

It’s not all about the technology and the threats. Those are some of the reasons and the how to deal with those threats and operating management of mobiles internally. Managing mobiles and mobile security is also about management and the way to get this included and embraced by the organization, the executives and employees. Risks have to be re-aligned, Security policies need to be adapted, procedures should be revisited and controls should be set in place or changed. Steven will try to make the connection of the technology perspective into the operations, and making sense for management.

About : Steven Ackx is a certified senior level consultant with extensive experience in Operational Risk Management, ICT- and Information Security related disciplines at the strategic, tactical, operational and technical level. Throughout his career he has focused on Information Security Governance, Information Security Management, Mobile Security, Mobile Payments, Information Risk Management, Education and Awareness Program.
At Ascure he is also managing the Ascure Academy, Marketing, Communication and Supporting Services activities. He is also the CEO of the BCM Academy Belgium.
Ascure is a full subsidiary of PwC Advisory Services cvba/scrl.

Also Mobile Management marketplace, meet the various vendors and decide for yourself.

Practical Details

This event took place November 29th, 2011 at Bremberg, Haasrode

Register Now

Registration is now closed for Mobile Device Management 2011. You can already show your interest in Mobile Security Management 2012.

This event was free to participate to LSEC Members, LSEC partners and partner Members, Agoria Members, ECSA Members.
Free to participate to any others when subscribed before October 30th. After that date, subscription fee of 100 €.
Non-Cancellation fee of 150 €, upon no cancellation at least 1 day before the event and non-appearance.

This event was supported by CA Technologies.
It includes LSEC Expert Members Mobila, Mobco, Belgacom, McAfee, Sophos and Ascure - PWC.
This event has been supported by INTERREG IVb, in partnership with TeleTrusT, SITC, Systematic Paris Region and nGage Solutions.


ISSE 2011


22-Nov-2011

Information Security Solutions Europe (ISSE)

22 - 23 November 2011, Prague, Czech Republic

Over the past decade, ISSE has built an unrivalled reputation for its interdisciplinary approach and independent perspective on the e-security market.
ISSE will provide over four hundred ICT security professionals and industry experts with a unique all-encompassing opportunity to learn, share and discuss the latest developments in e-security and identity management.

Supported by a number of key partners, ISSE will provide a unique insight into ongoing projects from the European Commission member states and the EU business community that will meet the industry’s network and information security requirements.

Visit www.isse.eu.com for more information, registration and full program.

Introduction

With special emphasis placed on case studies and innovative and robust security solutions implemented by European organisations, the event will focus on key security topics such as:

Cloud Computing Security
Security of Data in the Cloud, Virtualisation, Data Leakage Protection, Enterprise Rights Management, Forensics, Security related Services

Public Cloud Challenges
Interoperability & Standards, Compliance, Service Level Agreements, Business Models

Trustworthy Infrastructures
Rules & Regulations, Resilience & Availability, Privacy & Data Protection, Backup, Recovery & Key Management Services

Embedded Security
Emerging Applications, Smart Grid & Automotive Solutions, Ubiquitous Computing, M2M Security

Mobile Security Solutions
Platform Security, Transaction Security, Information Security, Threats & Risks, Privacy Aspects, Management of Mobile Devices

Identity and Access Management
Borderless e-Identification, Biometrics, Smart Tokens, e-ID-Cards, e-Passports, RFID & NFC Solutions, Infrastructure Solutions

e-ID and e-Sig Applications
Trust Levels, Risk Mitigation, Liability, European Interoperability Programs, Business Models, Attribute Verification, Social Sign On

Security Management and Economics of Security
Risk Mitigation, Compliance and Governance, IT Security Ecosystem

Privacy and Data Protection in Cyberspace
Privacy and Data Protection Issues in Web 2.0 and Cloud Environments/Social Networks/Search Engines, Use of Privacy enhancing Technologies, Concepts for Security Breach Notification

Awareness and Education
Transparency/Customer Awareness and legal Obligations, Awareness for Social Networks, Mobile Computing/Communication, Cloud Application

Network Wireless and Endpoint Security
Network-level Security Devices, Interconnectivity Devices, Protocols and Trends, Intrusion Prevention, Network Infrastructures

Hackers and Threats
Awareness Raising, Social Engineering, Protection against Mail and Web Attacks, Vulnerability Assessment, Penetration Testing

e-Government – Policy and Governance
Emerging European & Global Regulations, Legislations, National Security, Law Enforcement, Governmental Applications

Enterprise Security Services
Authentication, Authorisation and Accounting, Governance, Risk and Compliance

Critical Infrastructure Protection and physical Security
CERT/CSIRT – European and Global Developments, Resilience of Networks and Services, Surveillance Techniques and Analytics

CyberWar, Cybercrime and Forensics, Fraud Detection & Prevention
DDoS, Attacks and Countermeasures against industrial Infrastructures (SCADA)

Preliminary Program

This year, LSEC and the European Security Innovation Network are supporting the ISSE 2011 with 4 different panels and various international experts.

November 22nd, 2011

Cloud Computing & Enterprise Security Services afternoon session, chaired by Ulrich Seldeslachts, LSEC

Panel discussions :
* can we trust the cloud? About Security and the cloud
* Security and mobile identity, various perspectives in an evolutionary landscape
* Online Social Networks : Security and Privacy considerations
* European Security CXO Panel - this business of security

with other expert partners from the European Security Innovation Network such as Dr. Marijke De Soete, Prof. Jos Dumortier,

Download the full program.


CMS 2011 - Communications and Multimedia Security


19-Oct-2011

CMS2011 is the 12th Conference in the “Communications and Multimedia Security” series. The series is a joint effort of IFIP Technical Committees TC6 (Communication Systems) and TC11 (Security and Privacy Protection in Information Processing Systems). The conference will be hosted by Research group MSEC from the Department Industrial Engineering of the Katholieke Hogeschool Sint-Lieven, Gent, Belgium. The size of the programme committee, consisting of international experts in this field, proves the interest of the research community. Conference proceedings will be published by Springer. There will be a best paper award.

The conference provides a forum for engineers and scientists in information security. Both state-of-the-art issues and practical experiences as well as new trends in these areas will be once more the focus of interest just like at preceding conferences. This year, the conference will address in particular security and privacy issues in mobile contexts, web services (including social networking) and ubiquitous environments.

We solicit papers describing original ideas and research results on topics that include, but are not limited to:

• applied cryptography
• biometrics
• secure documents and archives
• multimedia systems security
• digital watermarking
• distributed DRM policies
• attack resistant rendering engines
• adaptive anomaly detection
• censorship resistance
• risk management
• mobility and security/privacy
• mobile identities
• privacy enhanced identity management
• security/privacy policies and preferences
• social networks security/privacy
• security/privacy in geo-localised applications
• security/privacy in VoIP
• web services security
• SOA security
• ubiquitous and ambient computing security
• cloud computing security
• wireless and ad hoc network security
• RFID tags and sensor nodes security

Instruction for authors

The conference will include two refereed paper tracks: the Research track and the Industry/Government/Work-in-progress track. In addition, the conference will also feature a poster session.

Paper submissions for the Research track must be written in English, formatted in the conference style and limited to 12 pages. The paper must be anonymous, with no author names, affiliations, acknowledgements, or obvious references. Authors are requested to submit original papers only. Papers that have previously been published and papers that are currently being considered for publication by another journal or conference are not eligible. Each paper must include a short abstract and a list of keywords indicating subject classification. Its introduction should summarize the contributions of the paper at a level appropriate for a non-specialist reader.

Paper submissions for the Industry/Government/Work-in-progress track are limited to 6 pages. These papers highlight applications or present work-in-progress. They should also address challenges, lessons learnt or research issues arising out of - both successful and unsuccessful - deployment of such applications. Note, however, that sufficient technical content is required.

For poster submissions, a title and an abstract (max. 2 pages) is required. Accepted posters will be published in the proceedings as extended abstract.

All submitted papers will be refereed by members of the Programme Committee for correctness, originality, relevance to the conference and quality of presentation. Acceptance of a paper or poster means an obligation for at least one of the authors to attend the conference and present the paper or poster. The most outstanding research paper, presented at the conference, will receive a “Best paper award”. The proceedings will be published by Springer.

The proceedings will be published by Springer. Authors will have to sign the IFIP copyright assignment form (and not the standard LNCS Copyright Form). Example templates can be downloaded directly from the Springer LNCS Homepage. Please use the templates for “Proceedings and other multiauthor volumes”. Paper submissions must be written in English, formatted in the conference style.

For more information, please visit : http://www.cms2011.net


LSEC Security Forum 2011 - Security Hardening

07-Oct-2011

Security Forum 2011 : Security Hardening

Visit the October 6th page for all conference information.

LSEC Security Forum 2011 - Security Hardening

06-Oct-2011

Security Forum 2011 : Security Hardening

After the successful LSEC events of early September 2011, in the week before the 2011 RSA Europe Conference, LSEC organized the yearly LSEC Security Forum 2011 in Leuven at the Verizon Business’ Ubicenter. The year’s theme “Security Hardening” was meant to explore the possibilities of improving the IT and Information Security architectures and systems.

During the seminar, it became obvious that most of the topics were very complementary and gave an interesting viewpoint on how to improve security measures within companies.

This seminar was mainly intended for companies and government departments already having a security environment, and interested in finding out about new solutions, new approaches and ways to improve their security infrastructure. Security Hardening in this case meant increasing the level of security on different aspects and components of your environment. This could be from a network security perspective, from a database and application perspective, or by increasing the granularity and scope of your data protection technologies. Hardening was also understood to include ways and procedures to improve security management as a whole.

All together, we’ve explored how to grow from the typical 80% of managed IT and information security risks to upgrade to 90% or and to understand the complexities, costs and resources necessary to this upgrade path.

As not all topics have been explored, it was decided that a follow-up security hardening event would be organized early February 2012.

Security Hardening

LSEC Security Conference 2011 : Security Hardening

Security Hardening is a rather wide concept that leaves room for a variety of topics, but the idea would be to “bring something new and fresh to Security Officers and related people managing IT Security …”. Network security, data security, privacy and other topics are all very welcome.

Specifically, some topics we are aiming for:
- IPv6 & impact on security
- Database security hardening
- Bring your own device / mobile
- Web application security
- Next generation firewalling
- New developments in hardware security – TPG/CC-based
- Security as a service (in the cloud)
- Virtualization security
- Identity management – access management - authentication
- Vulnerability testing – intrusion detection
- Data Protection technologies & systems
- Critical Infrastructure Protection
- Cybersecurity & Malware protection
- Security Monitoring & Network Monitoring
- Governance & Compliance
- …

Final Program

The following speakers already confirmed their participation and have been selected to present.

Program of October 6th

9.30 : Welcome & Registration

10.00 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

Coffee continuously available during the morning.

10.15 : Continuously dealing with vulnerabilities and challenges on networks and systems, and fulfilling compliance requirements. Immediate hardening by more efficient use of resources, by Bart Bosma, Qualys

Abstract : In order to understand how to harden, it makes sense to understand where to start. Policies and controls, but equally vulnerability tests and scans, will help you to understand immediate and imminent risks and challenges. Linking them to compliance with regulations will help you to translate those risks into business challenges. Continuously dealing with vulnerabilities on networks and systems, and fulfilling compliance requirements, means an immediate hardening by more efficient use of resources. You can improve the deployment of people and tools to where the biggest concerns are, and focus on or harden those that might need even more attention due to risk or business challenges.

About : Before joining Qualys in 2008 as Technical Account Manager for Benelux and Nordics, Bart Bosma was active as a Security Consultant for more than 10 years at Dimension Data Netherlands and Ubizen, Cybertrust, Verizon Business.

11.00 : Security Hardening through systems, Oracle Systems Security solutions, by Luc Wijns, Oracle Systems

About : Luc has over 22 years of experience in IT, including 14 years at Sun Microsystems & Oracle Corporation.  Currently Luc holds the position of Master Principal Sales Consultant in the Server Division of Oracle in Belgium & Luxembourg and Chief Technologist for the Benelux.  Luc is also active in the Oracle Security Community and in the Oracle EMEA Cloud Architects Professional Community. Luc’s technical strengths are on Datacenter requirements, Architectures, Security (defense in depth, Identity & Access management), Networking, Virtualization and Datacenter Automation. These are the building blocks for a Cloud computing platform. Luc has a lot of software experience from the former Sun Software Practice, putting him in a unique position to understand integration of the software and hardware stack. This end-to-end view is a key differentiator in large data center projects. Luc holds an M.S. Degree in Electrical Engineering and an M.S. Degree in Computer Science from the “Université Catholique de Louvain” in Belgium. Luc is married, father of three children and lives in Belgium.

11.30 : Better protecting some of the crown jewels, database hardening, by Antonino Mata Gomez

About : Antonio started his career as an Oracle database consultant. Back then IT was more interested in High Availability and Scalability, but enterprises started showing a growing interest in protecting their key Business Assets persisted in database management systems. Antonio’s expertise was formed through many projects where protecting the database was key in order to guarantee the required security level. In his role of Database Security expert, Antonio closely followed up on the Identity & Access Management market trends, which has enabled him to approach security projects from multiple angles.

12.00 : Deep Safe, security solutions by Intel – McAfee, by Peter Van Eeckhout, McAfee

(this presentation will be added at a later moment, due to publishing restrictions by McAfee - Intel for the nature of the contents)

Abstract : McAfee® DeepSAFE™ technology is the McAfee-Intel jointly-developed technology which allows McAfee to develop hardware-assisted security products that take advantage of a “deeper” security footprint. McAfee DeepSAFE technology sits beyond the operating system (and close to the silicon) allowing McAfee products to have an additional vantage point in the computing stack to better protect systems. McAfee anticipates the McAfee DeepSAFE technology will be a foundation for a number of hardware-assisted security products that take advantage of a “deeper” security footprint which will work in conjunction with McAfee® Endpoint Security Platform that so many organizations trust to protect their endpoints and information.

About : Peter is a Senior Security Engineer defense for NATO and EU at McAfee (a wholly owned subsidiary of Intel). Before joining McAfee as Senior SE Systems/network, Peter was Security Solution architect at BT and Senior Technical Security consultant at Telindus Belgacom ICT. He started his current career as Security and Networking architect at ExxonMobil, as a contractor for Telindus (currently Belgacom ICT).

12.45 : buffet lunch

13.45 : Hardening web applications against malware attacks, by Erwin Geirnaert, Zion Security

Abstract : During this presentation we give an overview of how we can harden web applications against different types of attacks used by malware to bypass the existing security controls in the web application. We discuss the OWASP Top 10 and how malware can abuse these attacks and how the developer must implement a different strategy. We explain why (mobile) browser security is an important aspect of web application hardening and, most importantly, that the battle against malware is an ongoing battle. For every countermeasure that the security industry has developed to protect web applications and that is used by a lot of companies today, we will show how malware is being developed to bypass these solutions. To finalize, we give some advice on how to protect against these malware attacks, using pro-active and detective controls.

About : Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE security, .NET security and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar,

14.30 : Most Exploitation is Internal, Learn new proactive defenses against this global networking epidemic, by Bernard Girbal, VP International Operations, Netclarity Inc.

Abstract : Learn about Internal Exploitation, Common Vulnerabilities and Exposures (CVEs) and how hackers, viruses, worms, spyware, botnets, rootkits, Trojans, cybercriminals and cyberterrorists use CVEs to exploit networks. Over 95% of successful attacks are exploits of these CVEs, while most also happen behind the firewall.

About : Mr. Girbal joined NetClarity after repeat successes spanning more than 20 years of scaling European, Middle East and African (EMEA) channels as the Vice President of Trend Micro, Packeteer (acquired by Blue Coat Systems), Art Technology Group (acquired by Oracle), Candle Corp (acquired by IBM) and Chipcom (acquired by 3Com). Mr. Girbal graduated from the Paris University of Technology and holds a Business Administration Degree from IAE/APPRA Paris Institut d’Administration des Entreprises (Sorbonne University). He is certified in Transition and Change Management MRI- Palo-Alto methodology and Executive Assessment. He is a Pilot and an avid musician who has studied at the Paris Classical Music Conservatory. He enjoys golf and hiking.

15.15 : Changing business challenges, challenging Security change. From hardening key management to cloud integrations. By Dominique Dessy, RSA, security division of EMC

Abstract : As virtualization changes the security dynamics, how should we rethink the Security Stack to regain control, visibility and build trust in the cloud?

About : Dominique has been in IT for quite a while (still remembers Z80 assembly code and knapsack crypto). Joined EMC after the Big Bug of 2000. Passed his CISSP in 2007 and moved to RSA in 2008. Once a year he gives a lecture for the Executive Master in IT Management of Prof. Ataya.

16.00 : coffee break, networking

16.30 : Hardening patches or enterprise wide; challenges in data protection technologies and systems, by Stefano Ciminelli, Verizon Business

Abstract : Data Security is often seen as the best security solution, or the worst nightmare for companies. Both approaches are wrong - how can Data Security and DLP projects help an organization to protect financial data and intellectual property? When it comes to financial data, how can an organization be sure that some very sensitive information is not being leaked out to the internet (credit card numbers, SSN, …)? How can an industry identify how its intellectual property is being protected? Where is this information on the systems? If you were an attacker, what would you do to steal this kind of information?

About : Stefano Ciminelli is Head of Business Resilience and Data Protection (Critical Data Flow) EMEA, with focus on business continuity strategy definition and sensitive data protection. With extensive experience in IT Security (both technical and managerial), he works together with customers to identify the best security solution to fit their security requirements. He is a speaker at international conferences. His vertical experience is mainly in Financial (Banking and insurance services), Defense (classified environments) and Manufacturing, R&D (i.e. Intellectual Property protection).

17.15 : New Kids on the Job, firewalling for Digital Natives and Bring Your Own Device. By Tim De Boeck, Palo Alto Networks

Abstract : The next generation of new employees shares a different mindset when it comes to online privacy and security, albeit not quite on purpose. Being the result of a psychological evolution, they will eventually drive change to the security policies in place today. This session will highlight the inherent differences between digital natives and digital immigrants and project the challenges posed on corporate IT security. Some of the key topics that will be discussed are: Natives vs Immigrants, Web 2.0 & 3.0, Bring Your Own Device, Adapting & Improving Your IT Security Posture.

About : Tim De Boeck is a Systems Engineer for Palo Alto Networks – The Network Security Company. 12 years of experience in the IT security field have enabled him to develop a holistic view of the challenges that companies face today when it comes to IT security. Before joining Palo Alto Networks, Tim held various positions in companies such as IBM, Internet Security Systems and Westcon Security.

18.00 : Closing Reception & Networking

19.00 : Close of Conference

Program of October 7th

9.30 : Welcome & Registration

10.00 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

Coffee continuously available during the morning.

10.15 : IPv6, sneaking into your networks and opening unexpected doors to the outside world. Did you know? by Eric Vyncke, Cisco Systems - IPv6 Council Belgium.

Abstract : IPv6 has been around for almost 15 years, but has only slowly been taken up by the market. There are many advantages to IPv6, but still for most organizations, it has been easier to replace IPv4 equipment with IPv4 equipment. You would think. In fact, over the last 5 years, IPv6 equipment has been slowly but surely replacing older equipment, but it hasn’t always been advertised that much. Examples are the many Windows OS-es, since Vista, but also networking equipment. These bring along some additional challenges in terms of security that are easily overlooked. Eric will bring us a fresh perspective.

About : Eric graduated from the University of Liège, Belgium, in 1983 with a Master's degree in Computer Science. He worked for a couple of companies like Siemens, where he was the architect of the firewall product and of the military message handling system. Since 1997, he has worked for Cisco as a Distinguished Engineer, helping customers with security design and assisting product design (notably security). His area of expertise includes the security aspects of LAN switching, IP telephony and IPv6. He is a guest professor at a couple of Belgian Universities, participates regularly at the IETF (author of RFC 3585), ... He holds a CISSP certification. He is the main author of ‘LAN Switch Security’ and is currently writing another book on IPv6 security. Eric is also CTO of the IPv6 Council.

11.15 : Hardening your identity layer. A view on large scale identity architectures and why you should start using them today, by Ronny Bjones, Security Strategist, Microsoft

About : Ronny Bjones is currently working for Microsoft Corporate as senior architect in the identity & security division. Ronny joined Microsoft in 2002 to contribute to trustworthy computing. Later he became the EMEA security lead for Microsoft’s enterprise business. He has 26 years of experience in ICT, 20 of those in security. Ronny published QuEST together with several industry specialists in the subject of electronic signatures. The book is a comprehensive guide on how to implement Electronic Signatures solutions and can be downloaded from microsoft.com. Ronny also co-authored “Best Practice for Applications using the electronic Identity Card”. Ronny oversees all areas of security but has a special interest in smart cards, PKI, Identity Metasystem, cryptography and digital signatures. Ronny is a board member of EEMA, an organisation providing guidance on e-Business. Ronny is also a member of the ISSE program committee, the OASIS Security Conference program committee and the World-eID program committee. Since ‘89 he has been active in the field of Information Security, doing large projects for the European Central banks, Police forces, big financial institutes, European Commission, etc. Ronny Bjones was one of the four founders of Utimaco Belgium, where he worked ten years as R&D director. Before Utimaco, Ronny worked for a Belgian EFT specialist called Prodata and one of the first firms to specialize in cryptography in Europe, called Cryptech. Ronny Bjones is an active speaker at conferences. Ronny holds a bachelor in electronics, a Master in IT management and an MSc in Information technology.

12.15 : Improving systems security, virtualization and applications by Dave Vijzelman, CA Technologies

About : Dave Vijzelman has worked in several large heterogeneous environments and has extensive experience in designing and implementing architectural RBAC solutions. His focus is primarily on RBAC strategies and role mining. Besides this, he also has a wide knowledge of the technical approach to identity and access management (IAM) strategies. Previously he was a Senior Information Security Consultant at Ascure, where he was responsible for the architectural approach of analyzing and designing RBAC strategies for clients. Before this, he was an RBAC Consultant at BHOLD Company. Today, Dave is Principal Security Consultant with CA Technologies, supporting large associations in their Identity Management challenges.

13.00 : buffet lunch & networking

14.00 : close of conference

You can also download the binder of the documentation as an alternative to the separate presentations and information.

Practical Details

LSEC Security Conference 2011
Security Hardening
October 6 and 7th, Ubicenter, Leuven

This event was:
- Free to participate for LSEC Members, LSEC partners and partner Members, Agoria Members, ECSA Members.
- Free to participate for any others when subscribed before September 23rd. After that date, a subscription fee of 50 €.
- Non-cancellation fee of 150 €, in case of no cancellation at least 1 day before the event and non-appearance.

This event was supported by CA Technologies, an LSEC platinum sponsor for our events. We are always open to other, additional interested parties.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. Over the last couple of years, LSEC has organized over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in Security in the North Western European region. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

RFID Europe 2011 by IDTechEx

27-Sep-2011

Impartial insight into the growth sectors - the only RFID event hosted by RFID analysts

Introduction

Some sectors of RFID have grown despite the recession. Other sectors have followed the classic hype cycle curve, but are now in the path of growth and profitability for the suppliers concerned. For the first time in many years, companies in Europe and the US are adding new manufacture volume. In Asia the huge Government support is driving manufacture and demand. The industry is taking off in many ways and in many forms. For example, Wireless Sensor Networks, a form of Active RFID, are being deployed in public buildings to save energy and monitor infrastructure. In 2011, RFID enabled cellphones are appearing from Nokia, Google and many others and the first printed RFID tags are being shipped.

RFID Europe is Europe’s largest conference on the topic. IDTechEx carefully design the program content to provide you with unrivalled insight into the state of the industry. Those wishing to exploit routes to profitability, find where the true demand is and meet customers and investors - must attend. Backed up by free IDTechEx research the complete event package is your yearly RFID benchmark.

LSEC will be hosting a panel discussion on the security challenges and opportunities with some distinguished experts and companies.

Program Outline

Presentation topics will include:
RFID in Apparel and Retail
RFID in Transportation
Security and Tracking Using RFID
RFID in Healthcare
RFID in Oil and Gas
Printed RFID
Real Time Locating Systems (RTLS)
Wireless Sensor Networks
Investment
Challenges
New Developments

2010 end-user speakers included:
BMW
Goodyear
Gerry Weber
Copenhagen Airports
Sony
Cubic
Max Pharma
sQuid Card
Centre Pompidou
Cambridge Central Library
Guide Dogs for the Blind

Practical Details

Organized by IDTechEx, supported by LSEC
Conference, September 27th - 28th
Exhibition, September 27th - 28th
Masterclasses, company tours, September 26th - 29th

More information and registration : IDTechEx RFID conference website

LSEC partners and members will receive a discount for participating and registering.

A discussion on Identity Management - Panel Discussion on IAM, electronic identities and eID

22-Sep-2011

A day on Identity Management with a series of panel discussions on Identity Management and electronic identities

Program

Taking Control of Privileged Identities by Dominique Van Huffel, Principal Consultant and CC Leader IAM

Despite the serious security risks and the potential for compliance audit failure, many organizations are unaware of their own vulnerabilities when it comes to privileged accounts or, if aware, don’t know how to address them. Privileged accounts include shared administrator-, firecall- and application accounts.
In this roundtable we’ll dive into the following questions:
• What are best practices for managing shared privileged accounts?
• How can we control their lifecycle? 
• How effective are existing Privileged Identity Management technologies?

Dominique is a Principal Consultant with broad knowledge and extensive experience concerning Security architectures, Identity & Access Management, Microsoft Infrastructure & Security solutions, network security architectures, anti-malware systems and end-to-end security solutions. Additionally, Dominique is also assigned as the manager of the competence centre “Identity & Access Management”.

With a special contribution by electronic identity management analyst Mike Small, from Kuppinger Cole and Gerry Gebel from Axiomatics.

A set of panel discussions

For this, instead of the usual lectures or seminars, we would like to have a couple of panel discussions, possibly preceded by a couple of slides on your suggested position.

Some of the following discussions :

Panel 1 “Market Trends in 2010 - 2011” : current status of the market after the economic downturn and challenges to get identity management introduced into organizations and enterprise environments.
Are projects still on hold, being continued, expanded and deployed? Specific challenges for specific verticals (healthcare, finance, government …). The use of the eID system.

Panel 2 “Operations” : existing identity management becoming more challenging? Integrating various authentication systems, increasing the granularity of electronic identities, adding contextual access control, setting up federation and maintaining IDM systems, …

Panel 3 “Challenges and Opportunities” : the opportunity of cloud environments, privacy the new security, open and closed standards, user-centric models vs government operated, …

Panel 4 “The Future” : Identity Management Systems vs Identity Markets, IDM Service Providers, Mobile Identity Management, the use of biometrics …

Every panel will take approximately 1 hour, with 5 – 10 minutes of introductions and statements, followed by an interactive discussion.

Including panel members :
- SecurIT, Marc Vanmaele
- Vinti-Q, Ward Duchamps
- Verizon Business : Marcus Lasance
- and many others ...

We invite end-users, service providers, vendors, system integrators and consultants.

Registration : go to Eventbrite website : http://lsecidm2011.eventbrite.com

Practical details
- Leuven, Ubicenter, May 6th
- From 12.30 – 19h
- Panel discussions and networking opportunities
- Free to attend

BruCon 2011

20-Sep-2011

Jan 24, 2011
Brucon Call For Papers 2011
Call for Papers BruCON.v3 2011
==============================

Brussels, Belgium—This is the call for papers (CFP) and participation for the 3rd edition of BruCON, a 2-day Security and Hacking Conference full of interesting presentations, workshops and security challenges. BruCON is an open-minded gathering of people discussing computer security, privacy, and information technology. The conference tries to create bridges between the various actors active in the computer security world including (but not limited to) hackers, security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc. The conference will be held in Brussels on the 19th and 20th of September 2011 on the VUB Campus.

Scope
=====
Topics of interest include, but are not limited to :
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Web Application and Web Services Security
* Lockpicking & physical security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Electronic Voting
* Free Software and Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Security aspects in SCADA, industrial environments and “obscure” networks
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities
* Information warfare and industrial espionage
* Social Engineering
* Virtualisation Security
* ...

Deadlines
=========

The following dates are important if you want to participate in the CfP

* Abstract submission: no later than 15th of May 2011
* Notification date: around end May 2011
* Full paper/presentation submission: no later than 31st of July 2011

Submissions can be entered at https://cfp.BruCON.org/submission

For further information and questions, please feel free to contact cfp 0x40 BruCON.org

Submission Guideline (for standard paper track)
===============================================
Authors are encouraged to submit a paper in English or presentation slides, using a non-proprietary and open electronic format. Abstract is up to 500 words. Submissions must be sent via https://cfp.BruCON.org/submission. You can contact us if any errors or issues occur. The program committee will review all papers and the author of each paper will be notified of the result, by electronic means. Provide as many details about your talk as possible. It will enable reviewers who are not subject matter experts in the area that you focus on to still appreciate your abstract and make an informed decision when scoring it.

Submissions should also include the following:
1. Presenter, and geographical location (country of origin/passport) and contact info.
2. Brief biography, list of publications or papers.
3. Any significant presentation and/or educational experience/background.
4. Reason why this material is innovative or significant to the BruCON audience.
5. Optionally, any samples of prepared material or outlines ready.
6. Information on whether the submission has already been presented, and where.

The information will be used only for the sole purpose of the BruCON conference including the information on the public website. We do not accept product or vendor related pitches. If your presentation involves an advertisement for a new product or service your company is offering, please do not submit. Also, we do not accept presentations submitted by a third party including (but not limited to) company representatives, management bureaus, etc. BruCON presentations should be focused on topics that are of interest to security and technology professionals who are paying attention to current trends and issues. We want BruCON to be educational and entertaining to the attendees and the community.

Additional Speakers Info
========================
BruCON is a non-profit event organized by and for the security and hacking community. Speakers are not paid. Financial help on travel expenses and accommodation is possible, but will be handled on a case-by-case basis. Provide as much information about your requirements (including a cost estimation) and we will contact you personally after your talk has been accepted. Lectures should not exceed 45 minutes plus up to 10 minutes for questions and answers. The spoken language of a lecture will be English.

Europki 2011

15-Sep-2011

8th European Workshop on Public Key Infrastructures, Services and Applications

EuroPKI’11 will be the eighth event in the EuroPKI workshop series and will focus on all research aspects of Public Key Services, Applications and Infrastructures. Previous EuroPKI workshops were held in Samos (EuroPKI’04), Kent (EuroPKI’05), Torino (EuroPKI’06), Mallorca (EuroPKI’07), Trondheim (EuroPKI’08), Pisa (EuroPKI’09), and Athens (EuroPKI’10).

EuroPKI’11 will be co-located with ESORICS 2011 in Leuven, Belgium.

Preliminary Program Outline

For more information, please visit the EuroPKI pages.

A number of academic papers have been submitted and accepted, as well as a couple of keynotes and keynote speakers.
For this year’s activity, LSEC is supporting EuroPKI for the business and research communities by adding a couple of business-oriented talks.

Keynotes

We are pleased to announce that the keynote speakers at the event will be:

Chris J. Mitchell

Title: New architectures for identity management - unifying security infrastructures

Abstract: In recent years a large number of identity management systems have been proposed. Unfortunately, although these systems offer the possibility of significantly improving user security, they have not been widely adopted, typically because the cost of adoption is too high for the involved parties. One major problem is that each such system requires the establishment of its own supporting infrastructure (e.g. a PKI), and all participants must adopt the associated protocols to make use of this infrastructure. This creates major barriers to interoperation and adoption. In this talk we consider the problem of designing identity management systems which enable security infrastructures to be unified in a simple and low cost way, and which require minimal changes to the involved parties. This involves designing combinations of security protocols and client machine software architectures that support secure identity management protocols in ways that offer simple and low cost migration paths.

Peter Gutmann

Title: PKI as Part of an Integrated Risk Management Strategy for Web Security

Abstract: In the real world, risk is never binary but always comes in shades of grey. When security systems treat risk as a purely boolean process, they’re prone to failure because the quantisation that’s required in order to produce a boolean result has to over- or under-estimate the actual risk. What’s worse, if an all-or-nothing system like this fails, it fails completely, with no fallback position available to catch errors. Drawing on four decades of experience with security design for the built environment (buildings and houses) known as crime prevention through environmental design (CPTED), this talk looks at how CPTED is applied in practice and, using browser PKI as the best-known example of large-scale certificate use, examines certificates as part of a CPTED-style risk-mitigation system that isn’t prone to all-or-nothing failures and that neatly integrates concepts like EV vs. DV vs. OV and OCSP vs. non-checked certificates into the risk-assessment process, as well as dealing with the too-big-to-fail problem of trusted browser CAs.

Olivier Pereira

Title: Running Mixnet-Based Elections with Helios

Abstract: TBA

Practical details

Leuven, September 15th & 16th.
Business program on Thursday afternoon, following the keynote by Chris Mitchell and lunch.

To confirm your registration as LSEC Member or affiliate, please send your contact details to europki @ lsec.be.

De Nieuwe Valk
For more information and the downloadable program, please visit the Europki 2011 website


a day on RFID - NFC applications and security - September 14th 2011


14-Sep-2011

THIS EVENT HAS BEEN CANCELLED FOR SEPTEMBER 14th and will be postponed to a later date.

Please contact us for more information at rfid2011@lsec.be

Updated Program

On September 14th, LSEC is organizing a day on applications for short range wireless technologies such as RFID and NFC.
Approached in the first place from a technology perspective, the idea is to present a multitude of applications and the respective challenges and opportunities that these technologies bring to the market today, with a specific perspective on security in these evolving small wireless technologies. This is a unique event in Belgium, bringing together local specialists and experts from France, UK and other countries.

Introduction

RFID, Radio-Frequency Identification, is a series of technologies providing a form of identification using a wireless radio signal. Typically used for tracking, tracing and identifying goods, it is increasingly also being used for people, and both passive and active tags are constantly evolving. Various companies are using RFID technologies for many different applications, from Wal Mart, public libraries and Airbus to public transportation and international passports, ranging from goods identification for simple pricing to access control and controlling identities.

According to market research organization IDTechEx, in 2010 the value of the entire RFID market was estimated to be $5.63 billion, up from $5.03 billion in 2009. This included tags, readers and software/services for RFID cards, labels, fobs and all other form factors. $3.27 billion of the total $5.63 billion is spent on non car like structures - from RFID labels to active tags.

Register now at Eventbrite : http://rfid2011.eventbrite.com/ and reserve your free seat prior to March 31st 2011.

More RFID tags than people on the planet

The biggest opportunity : item tagging, moving from price tags to bar codes to radio frequencies in identifiers
The biggest opportunity for RFID is the item level tagging of all things. This ultimately calls for a very low cost tag, something that some printed and chipless RFID technologies have already demonstrated or have the potential to achieve. Interestingly, few of the biggest chip RFID suppliers are working on these technologies. Instead, printers, packagers and electronics and materials companies are leading development, some seeing the ultra low cost RFID tag as just the beginning - with integrated ultra low cost components such as displays, sensors and power to come.

The RFID tagging of apparel is now the largest and fastest growing application of RFID in retailing, the retail supply chain and associated industries. About 100 organizations are tagging apparel in trials and rollouts. Just two - taken together - will buy 500 million tags yearly soon. Analysis indicates that systems and tag business concerned with apparel RFID will grow at double the rate of the overall RFID market through the next ten years.

RFID in the form of tickets used for transit will demand 380 million tags in 2010. The tagging of animals (such as pigs, sheep and pets) is now substantial as it becomes a legal requirement in many more territories, with 178 million tags being used for this sector in 2010. This is happening in regions such as China and Australasia. In total, 2.31 billion tags will be sold in 2010 versus 1.98 billion in 2009. Most of that growth is from passive UHF RFID labels.

The evolutionary landscape of active RFID

The term Active RFID incorporates many technologies including Real Time Locating Systems, Ubiquitous Sensor Networks and Active RFID with ZigBee, RuBee, Ultra Wide Band and WiFi. Active RFID, where a battery drives the tag, is responsible for an increasing percentage of the money spent in the burgeoning RFID market. It will rise from 13% of the total RFID market in 2010 to 25% in 2020, meaning a huge $6.02 billion market. If we include the market for cell phone RFID modules (another form of active RFID), the market is an additional $0.18 billion in 2010 and $1.6 billion in 2020.

Near Field Communication (NFC), and particularly RFID enabled mobile phones, with contactless smart cards and tickets are now reaching the mass market. Are these forms of RFID with advantages and disadvantages and different development paths, or is NFC a different market with more advanced types of applications and services? Expectations are that there will continue to be rapid growth of at least three alternatives for at least ten years. This follows 800 million Chinese acquiring contactless national ID cards in four years and over 70 million Japanese adopting RFID enabled, NFC compatible phones in three years. These were two of the fastest rollouts of electronic products in human history.

Near Field Communication (NFC), by which electronic devices communicate if held within a few centimeters of each other, is underpinned by global ISO specifications. It has attracted the attention of the largest telcos, transport companies, banks and others and new trials are frequently announced all over the world. Many trials confirm that we are all like the Japanese in seeking the convenience that such phones can offer. 
With the fading SIM-cards, through NFC phones, suddenly Telecommunication Industries are being empowered once more for banking, wallet, ticketing and loyalty applications. Banks are cautious about letting their cards be mimicked by the phones and transport operators are cautious about the ticketing option being loaded.

Program Overview

During this seminar, we aim to bring some of the most interesting experts and applications around the table, focusing among other things on business opportunities and challenges. These could include systems integration, but also security. Security being one of the applications specifically sought with short range wireless technologies, we will among other things challenge the various systems and technologies and show that in this domain too, security is better considered at the design stage.

Some of the following companies and applications have been identified :

• Real-Time Anonymised ID at the point of requirement - a challenge-response approach for an Authority to attest the authenticity of documents and certificates, by Techmatics, Janusz Adamson
• Industrial Identification, RFID Inc, Graham V. Smith – Vice President Europe
An overview of applications for RFID in vehicle identification, warehouses, conveyor belts, meat production facilities, AGV, factory floors and other industrial environments.
• Parallel Solutions, Applications for tracking and tracing of firefighters, children, patients, assets and records
• Maintag, Readers, Tags, Low level management software, and other tools for an RFID environment
• NFC Projects in Caen, an overview of private and public proof of concept projects (Caen NFC City, Pay Mobile, Contactless Parking, Normandy Living Lab, ….),
key learning and developments, by Pôle TES
• RFID Security : Issues and Measures, by KU Leuven, COSIC, Dave Singelée
• NFC technologies and applications, by NXP Technologies, Phil Teuwen
• Some experiences from practical security challenges, KAHO St Lieven
• NFC and next generation RFID, an evolutionary landscape
• From chip and card to application and everything in between, resolving challenges for Systems Integration, Management and Maintenance Challenges
• Testing and controlling RFID and NFC developments and applications
• GloPass, the integrated solution for ID management, event management
• Integrating personal ID and Mobile ID Management, the challenge ahead
• …

Privacy in RFID and NFC, research activities from MSEC at KaHo St-Lieven, by Vincent Naessens, KAHO Sint-Lieven

This talk will give an overview of research activities in the domain of mobile security at MSEC, KAHO Sint-Lieven. The research at MSEC is often conducted in collaboration with SMEs, large companies and governmental institutions in Flanders. Hence, many cases originate from real challenges in industry and government. The MSEC group works around emergent technologies and application domains for smartphones. For instance, tamperproof modules (like secure elements and smart micro SD cards) are used to increase the security level of mobile applications, terminals are extended with trusted platform modules to increase trust in the ecosystem, privacy-enhancing technologies (like anonymous credentials, local privacy policy enforcement modules...) lead to a better privacy level in existing applications… These technologies are relevant in many application domains: personalized health care, advanced physical access control systems, protection of money transfer cycle, supply chain and logistics ... This talk will mainly focus on the new opportunities of secure solutions that exploit short range communication capabilities of smartphones (like optical communication and near-field communication). More information and an overview of research projects and activities at MSEC can be found at the following URL:
http://www.msec.be/

About: Vincent Naessens has been head of the research group “Security and Mobility (MSEC)” at KAHO Sint-Lieven since October 2006. The research group focuses on modelling secure, mobile environments. More specifically, his research focuses on e-ID technologies, privacy-enhancing technologies and the integration of these technologies in concrete applications.
Mobile environments often deal with resource-limited devices. The latter often has an impact on the building blocks and technologies that are selected to fulfill security, privacy and trust requirements. Special attention goes to architectural design of such environments. The research group often collaborates with other industrial and academic partners such as DistriNet, Dept. Computer Science at KULeuven and Dramco, Dept. Industrial Engineering at KAHO Sint-Lieven.
He received a master’s degree in Computer Science at the K.U.Leuven University in 1999. Immediately after his studies, he started working as a researcher in the DistriNet research group.  The topics of research he has been working on include: analysis, modelling and design of anonymous applications (anonymous communication, anonymous mail, anonymous publication systems, ...) and the study of techniques for controlled anonymity in various applications. He received his PhD degree in Computer Science at the faculty of Applied Engineering, K.U.Leuven in June 2006.

Types of applications discussed :

Passive RFID
• Drugs
• Other Healthcare
• Retail apparel
• Consumer goods
• Tires
• Postal
• Books
• Manufacturing parts, tools
• Archiving (documents/samples)
• Military
• Retail CPG Pallet/case
• Smart cards/payment key fobs
• Smart tickets
• Air baggage
• Conveyances/Rollcages/ULD/Totes
• Animals/Livestock
• Vehicles
• People (excluding other sectors)
• Passport page/secure documents
• Other tag applications

Active RFID / battery-assisted
• Pharma/Healthcare
• Cold retail supply chain
• Consumer goods
• Postal
• Manufacturing parts, tools
• Archiving (samples)
• Military
• Retail CPG Pallet/case
• Shelf Edge Labels
• Conveyances/Rollcages/ULD/Totes
• Vehicles
• People (excluding other sectors)
• Car clickers
• Other tag applications

Practical Details :

Wednesday, September 14th, 2011
Brussels, IBM Seminar Centre
Seminar and exposition
Free to attend, upon registration prior to May 30th; from June 1st and onwards, registration fee of 150 €
Free for LSEC Members and partners (European Security Innovation Network, Pôle TES, OASIS, Agoria, ISSA, ISACA, …) upon membership identification.

For more information, sponsoring and practical details please contact rfid2011@lsec.be.

Register now at Eventbrite : http://rfid2011.eventbrite.com/


ESORICS 2011


08-Mar-2011

Computer security is concerned with the protection of information in environments where there is a possibility of intrusion or malicious action. The aim of ESORICS is to further the progress of research in computer security by establishing a European forum for bringing together researchers in this area, by promoting the exchange of ideas with system developers and by encouraging links with researchers in related areas.

Progressively organized in a series of European countries, the symposium is confirmed as the European research event in computer security.

ESORICS 2011
September 12-14, 2011
Leuven (Belgium)

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities.

Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. We encourage submissions of papers discussing industrial research and development.

Suggested topics include but are not restricted to:

• Access Control
• Accountability
• Ad hoc Networks
• Anonymity
• Applied Cryptography
• Attacks and Viral Software
• Authentication and Delegation
• Biometrics
• Database Security
• Digital Content Protection
• Distributed Systems Security
• Electronic Payments
• Embedded Systems Security
• Inference Control
• Information Hiding
• Identity Management
• Information Flow Control
• Integrity
• Intrusion Detection
• Formal Security Methods
• Language-Based Security
• Network Security
• Phishing and Spam Prevention
• Privacy
• Risk Analysis and Management
• Secure Electronic Voting
• Security Architectures
• Security Economics
• Security and Privacy Policies
• Security for Mobile Code
• Security in Location Services
• Security in Social Networks
• Security Models
• Security Verification
• Software Security
• Steganography
• Systems Security
• Trust Models and Management
• Trustworthy User Devices
• Web Security
• Wireless Security

Important dates

• Submission of papers: March 21, 2011 23:59 PST (FIRM deadline - NO extensions)
• Notification to authors: May 20, 2011
• Camera-ready copies: June 17, 2011

Instructions for paper submission
The proceedings will be published by Springer in the LNCS Series. All submissions should follow the LNCS template from the time they are submitted (follow the “Information for Authors” link at http://www.springer.de/comp/lncs/authors.html). Submitted papers should be at most 16 pages (using 11-point font), excluding the bibliography and well-marked appendices. Committee members are not required to read the appendices, so the paper should be intelligible without them. All submissions must be written in English.

Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings.

All accepted papers should be presented at the Symposium. Therefore, at least one author of each accepted paper must register for the symposium, by the early date indicated by the organizers, and present the paper. Upon acceptance, authors must sign a copyright transfer statement.

Paper submissions must be received by March 21, 2011, 23:59 PST through the ESORICS 2011 submission server at: http://www.easychair.org/conferences/?conf=esorics11. Notification of acceptance or rejection will be sent to authors by May 20, 2011 and authors of accepted papers will have the opportunity to revise their papers for the proceedings version due on June 17th, 2011.

For more information, please visit : http://www.cosic.esat.kuleuven.be/esorics2011/?p=cfp.


LSEC Cloud Security Conference - Trust in the cloud and cloudtrust - about cloud security

08-Sep-2011

Seminar : Trust in the cloud and cloud trust, or Security in the cloud : bust the hype

Since 2009 the IT industry has been overwhelmed with the concept of the Cloud. Starting as an evolution from the constant shifts between centralization and decentralization, the shared hosting and collocation offerings, managed services models and the growing technological advantages of broadband speeds and virtualization, Cloud Computing today is a conglomerate of all sorts of services, ranging from infrastructure to back-end applications to full outsourcing of front- and back-end applications, with unlimited availability at a Total Cost of Ownership which becomes almost variable based upon the business requirements.
In addition to some of these and environmental advantages, there are also advantages of availability (suddenly you can get a full-blown server OS and db, completely configured with all user IDs and the latest security packs, ready to go in no time) and advantages of resilience (automatic failover and redundancy).
Still, many European information security managers and their CIOs are questioning the level of security of these clouds and cloud service providers. Can clouds be trusted with sensitive corporate data, critical information systems and high availability services, or should companies only consider unimportant information? Will Cloud Service Providers need to come up with a series of certifications such as CSA or ISO for your organization to be able to trust them? Let’s take some of the basic and more advanced security challenges, apply them to the cloud service provider that you would be investigating, and test them against all levels of security that you would demand for your own organization. Will they stand the test? Would this be sufficient, or are there other levels of challenges that come into play, such as data protection regulation and availability 24/7, with high-throughput pipes and means? Are the cloud customers protected against failure and loss of data, and what happens if there is an incident? What is the procedure that is being laid out to detect, report, and if possible remediate? What jurisdiction applies for potential litigation? Will there be audit possibilities? On site?


This event was supported by LSEC expert Members CA Technologies, MMS-Secure and Vasco Data Security.
Thanks to Verizon Business for providing the Ubicenter facilities.






Final Program

8.30 : Welcome & Registration

8.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.

09.15 : Cloud Computing a systemic overview of opportunities and challenges, by Henk van der Heijden, Vice President Security Europe CA Technologies

About : prior to joining CA Technologies, Henk developed extensive experience with customer cases and security needs as Managing Director at Comsec Consulting BV and as Director Security Services at EDS. Before that he was General Manager at Sequent Migrations. He has broad and long (25 years) experience in IT and IT Services, and for the last 12 years has specialised in Risk Management and Information Security. Henk is specialized in Risk Management and Security Consulting and has broad and long IT Services knowledge. Within CA Technologies, Henk is responsible for the Security Business Unit in EMEA, leading the Business Unit for CA Technologies’ excellent portfolio of Security Solutions.

10.00 : Security in the Cloud, myth versus reality. About auditing in the cloud. by Mike Chung, Manager IT Advisory KPMG Netherlands

About : Mike has been active in IT for over 12 years. He joined KPMG in 2006, where he is involved in security and system architectures. Within KPMG Netherlands, Mike is a recognized specialist on cloud computing and sourcing. In his spare time, he likes to listen to heavy metal.

10.45 : Cloud Computing and Virtualization, Security issues, by Jan-Willem Lammers,

About : His 20 years of broad IT experience enables him to keep the overview over complex environments. On the other hand he has the capability to absorb new technologies quickly and mix them with earlier experience. These capabilities have made him a valuable advisor for the most strategic customers in his region. He joined VMware in 2006 when virtualization was still just “cool technology”. His career started with 8 years at Syntegra (BT), followed by 8 years at Digital Equipment, Compaq and HP. In HP Consulting he built a VMware practice with knowledge management and service offerings, and trained a large number of colleagues. That was the time to move to VMware, the source of Cloud Computing, where his ability to absorb new technology has been put to the test ever since. Now that Virtualization has enabled Cloud computing, the work around compliancy, organizational challenges and provider/consumer relations has to be balanced with technological developments.

11.30 : Challenges with Cloud services posed by legal constraints such as Privacy and Data Protection Guidelines; by Bruno Schröder, Microsoft

About : Civil engineer by education, Bruno has been in the IT industry for more than 25 years: R&D, Process control, Systems Integration, consulting and sales. Bruno has been active in the public sector and became in charge of the EU consulting practice with Unisys, one of the large public sector suppliers. After having led the Public Sector for Microsoft Belux, he is still part of the international team following, at global level, the evolutions and needs of the non-commercial sectors, and also informing governments about long term solutions of information technologies and the potential impact on citizens and organizations. Bruno is involved with the Microsoft Innovation Center and is Member of the Board with the CIO-Club.

12.15 : lunch & networking

13.15 : Cloud Services by Verizon Business and Security measures taken, by Rob Kroneman, Verizon Business

About : Rob Kroneman is a security professional with extensive experience in the Information Security related disciplines at the organizational, technical and strategic levels, where he has focused on Information Security Management, Information Risk Management, Security reviews, and corporate security policy. He worked for the Dutch National Bank (De Nederlandsche Bank) in the roles of Network Specialist, Security Manager and Auditor. Rob has a strong security expert background in information security and security reviews (audit) and was engaged in information security and information security related projects throughout his career. Rob has a strong security mindset and an experienced out-of-the-box thinking approach. As cofounder and CEO of a privately run company, Rob was responsible for the creation and enforcement of a profitable organizational structure. Besides fulfilling the role of CEO, he was active in the field as an IT Security Expert. Rob is active as an Information Security consultant handling information security implementations, security reviews, advisory projects and information security framework implementations in the role of temporary CISO. Besides being active as an Interim CISO, Rob is Manager Professional Services ITS within Verizon, working with his team on Cloud Strategy and Transformation/Transition projects for customers.

14.00 : Cloud Services by Microsoft and Security Measures taken by Henk Den Baes, Microsoft

About : Henk Den Baes started his career as a consultant with AMS (now CGI). With AMS I was based at a huge mobile telecom corporation fixing and developing (C, C++, COBOL, JAVA) backend applications. After some years I moved to Utimaco AG, a pure security products company, where I was responsible for developing the Utimaco SSL stack. At that time there was still the strong crypto export restriction from the USA and the European browser versions only had weak SSL protection. While working for Utimaco I also gained a deep knowledge of PKI. Being knowledgeable of PKI, I moved to Belgacom where I was, together with a small team, responsible for building the Belgacom E-Trust PKI. Out of that department the Belgian eID card project was born and I moved to the newly formed company Certipost. Once the eID project more or less finished I moved to Belgacom ICT (former Telindus) to work as a Senior Technical security consultant. Today I’m working as a technology advisor at Microsoft for Security and Datacenter (Windows server and virtualization).

Abstract: Very often, the terms ‘outsourcing’ and ‘Cloud’ are mixed. We can see here that while Outsourcing is mainly about the ownership for certain tasks and controls (e.g. Regulatory, security), Cloud is also an architecture question that goes beyond the who does what. However, this also means that the questions regarding regulatory and security requirements become more complex. While Outsourcing questions were often completely left to IT, the Cloud discussions need involvement from a broader compliance community. The CIO/CSO also needs to be able to translate technological and architectural aspects into Business risks so that internal legal and compliance communities can be involved as early as possible. If this doesn’t happen, legal considerations can soon become a show-stopper in the whole Cloud story.
During the LSEC “Security in the cloud” seminar I will discuss the 5 security areas (COMPLIANCE AND RISK MANAGEMENT, IDENTITY AND ACCESS MANAGEMENT, SERVICE INTEGRITY, ENDPOINT INTEGRITY, INFORMATION PROTECTION) that have become the main focus of discussions with companies going into the Cloud.

14.45 : Cloud Services by Belgacom and Security measures taken, by Bart Callens, Belgacom

About : Bart Callens is a security professional with 15 years of experience. Bart has extensive knowledge of and experience with different security frameworks and technologies, including network, data and application security. Bart was also co-founder of the Belgacom E-Trust Certification Authority, which led to projects such as the Belgian eID Card. At this moment, Bart is ICT Security Solution Ambassador within Belgacom, responsible for managing the lifecycle of the ICT Security portfolio and launching new ICT Security solutions on the market.

15.30 : Panel Discussion

16.00 : Coffee Break

16.30 : Securing your Data in the Cloud, by Luc Wijns, Chief Technologist Oracle Systems

About : Luc has over 22 years of experience in IT, including 14 years at Sun Microsystems & Oracle Corporation. Currently Luc holds the position of Master Principal Sales Consultant in the Server Division of Oracle in Belgium & Luxembourg and Chief Technologist for the Benelux. Luc is also active in the Oracle Security Community and in the Oracle EMEA Cloud Architects Professional Community. Luc’s technical strengths are on Datacenter requirements, Architectures, Security (defense in depth, Identity & Access management), Networking, Virtualization and Datacenter Automation. These are the building blocks for a Cloud computing platform. Luc has a lot of software experience from the former Sun Software Practice, putting him in a unique position to understand integration of the software and hardware stack. This end-to-end view is a key differentiator in large data center projects. Luc holds an M.S. Degree in Electrical Engineering and an M.S. Degree in Computer Science from the “Université Catholique de Louvain” in Belgium. Luc is married, father of three children and lives in Belgium.

17.15 : Security Services in the cloud, managed cloud security services, by Christophe Bianco, Qualys

About : With 15 years of experience in providing security services, including security policy and governance, audits, and intrusion detection, Christophe is responsible for strategic, operational, field sales and marketing activities in EMEA. Most recently leading Western Europe sales and managing the Luxembourg subsidiary for Verizon Business Security Solutions, Christophe led a team advising the extended enterprise on how to secure information, secure the infrastructure, and implement governance, risk and security policies. Christophe has also served as the general manager for Ubizen in Luxembourg, where he managed operations and executed the company’s partner and vendor strategy, set up a customer loyalty program, and extended the products and services offered. He has also been manager of information security for SkillTeam, an IBM subsidiary, and network and telecoms engineer for Banque Paribas, both based in Luxembourg. Christophe has a master’s degree in telecoms from the National Superior School of Telecommunications of Brittany, a degree in engineering from the National School of Brest, and an Executive MBA from HEC Paris.

18.00 : Securing the cloud and cloud security, by Rashmi Knowles, Chief Security Architect EMEA RSA – the Security Division of EMC

About : Rashmi is Chief Security Architect at RSA, The Security Division of EMC. In her role Rashmi is responsible for Technology and Compliance Solutions for the EMEA region. Her current responsibilities include working with customers in a trusted advisor role, evangelism for emerging technologies, and acting as key spokesperson in the region for RSA’s Cloud Strategy and Compliance Solutions and as a subject matter expert on Data Loss Prevention and Encryption Solutions. Rashmi has over twenty years of experience in data communications and mobile communications and has focussed on Information Security for the last ten years. Prior to joining RSA, Rashmi worked for Hewlett-Packard as a Network Consultant. She has also held Product Marketing and Business Development roles in Ericsson and Damovo, responsible for developing key vertical solutions based on information security. Rashmi holds a degree in Computer Science from the De Montfort University and a Post Graduate in Computer Studies from the University of the South Bank, London.

18.45 : Bringing TRUST to the cloud: strong authentication as an enabler for SaaS adoption, by Kurt Berghs, Product Manager VASCO Data Security

About : Kurt Berghs is the worldwide product manager for VASCO’s DIGIPASS as a Service and aXsGUARD Gatekeeper product lines. Kurt started working for Vasco Data Security 6 years ago, with the acquisition of ABLE. He started as channel manager responsible for Belgium. Before Vasco, Kurt started his IT career as a programmer. Later he switched from programming to network infrastructure consultant to selling Software solutions for Softconstruct.

Abstract : DIGIPASS as a Service is VASCO’s cloud based authentication service. The offer has been designed for companies who want to enhance the security of their web based applications. For web applications traditional authentication does not always offer the adequate solution. Traditional authentication is often considered too costly due to low usage of the application or low transaction value. DIGIPASS as a Service is the answer to these concerns. With DIGIPASS as a Service VASCO manages the entire authentication process for its customers. The end-user will use a hardware or software DIGIPASS to generate a one-time password to log on to the web based application or an e-signature to sign an online transaction. The company can focus on its core activities while VASCO manages the authentication process.

19.15 : Cloud Security Solutions wrap-up, and future challenges by Ulrich Seldeslachts, LSEC

19.30 : Closing Reception & Networking

20.30 : Close of Conference

During this seminar, we wanted to try to get most of the uncertainties out, and remove the clouds from the cloud in terms of security challenges. Can we put trust in the cloud? To what extent and at which levels? What is the level of granularity, and maybe the layers of confidence, that we have to build upon? What is needed for the clouds to be trusted and to become secure? How does this work in an ever-changing and challenged environment which is facing new security threats every day?

We’ve invited both Cloud Service Providers and Security Experts to challenge and be challenged. We don’t expect to receive all answers, but at least some issues will be raised, and a discussion at large can be held properly.
This seminar is intended for all business people considering cloud services who want to be informed about their options and potential risks, for all security managers and executives who might feel threatened by the opportunity of cloud services, for all IT auditors who want to be informed about challenges and opportunities, and for executive management that needs to be informed about risks and potential costs versus the cost reduction potential that is presented to them.

You can also download the whole slideware package.

Practical Details :

Seminar with presentations and panel discussions

Leuven, Ubicenter, September 8th

Free of Charge for LSEC Members and Affiliate Members, and by special invitation. Cancellation Fee of 150 € : please cancel latest the day prior to the event to avoid a cancellation fee.
Thanks to the sponsors of the Global Security Week, we can offer participation to this event. Free of charge upon registration prior to September 5th, 50€ entrance fee after that date.

Sponsoring opportunities :
CA is an LSEC platinum sponsor for this event, but we are open to other, additional interested parties.
MMS Secure is a gold sponsor.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

Online Social Networking Threats and Opportunities, Security and Privacy Challenges

06-Sep-2011

Facebook, Netlog, Twitter, LinkedIn, Xing, … collectively represent more than a billion users and many thousands of organizations, large and small, accessing and using those networks on a daily basis. They are a great opportunity for trendy marketeers and smart business people, whilst building new standard communication channels for friends we have lost track of and for business partners who are sometimes difficult to reach.

Twitter and Facebook also have a major impact on mass media and in critical situations. During important societal events such as the Arab Spring, or major disasters such as the terrorist attack in Norway or, more recently, the Pukkelpop festival in Belgium, social media support communications and provide relief for victims, family and relatives.
They have become and will continue to be important communication channels for leisure and pleasure, but increasingly for critical situations.

Introduction

Companies and other institutions are faced with the challenge of embracing these new channels and opportunities. In many cases this evolution has many similarities to the evolution of the internet in the enterprise, and the current challenges of the smartphones and mobile devices. For some they are considered a major threat, others recognize them as a new way of doing business, maintaining relationships, marketing new products, exchanging information, …
Statistics indicate that quite a lot of internet traffic is related to online social networks, typically within busy hours. Sometimes this traffic relates to a small minority of personnel actively using the systems for business purposes, but in many cases the networks are being used for personal ends.
Online Social Networks are also becoming an increasingly important channel for distribution of modern malwares. Current AV-tools are not always sufficient and need another approach.
Increasingly the online social networks are being misused, providing misleading information and falsified identities to release valuable information from the potential partners; sometimes they serve as a channel for data breaches.


This event is supported by LSEC Expert Members Barracuda Networks and MMS-Secure



Download more information

Barracuda Networks and Websense have been publishing various reports on some of the reported issues.
Visit their website to find out more, or download immediately :






Challenges, Threats and Opportunities

Finally, there are increasing concerns about privacy, both for individuals and corporations. Online Social Networks are constantly adapting their guidelines and internal rules, to the benefit of some and the detriment of others, and not always clearly. The changing data protection regulations suggest that citizens would also need to get the right to remove their historical data. Even within organizations using online social networks, marketing departments are struggling to keep the right messages coming across.

In this seminar, LSEC brought together expertise to explain some of these challenges and indicate some potential evolving solutions. Discussions related to some upcoming threats and challenges, without forgetting the opportunity of online social networks & online social media.

This seminar was intended for marketing departments, information security and security professionals, social and communication experts, and information technology departments.

Program Overview


9.30 : Welcome & Registration

Coffee continuously available during the morning.

9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

10.00 : Online Social Networking for Business explained, by Mark Vanlook, CEO of anaXis
Whether it is to find new clients, to do business somewhere online, or to reach your market… more and more companies are taking advantage of Social Media today. Learn why and how companies are seizing the opportunity of online social networks, and how your company too could be supported in using online social networks for more than the leisure of employees. Mark Vanlook explains what role social media can play in your company and which strategy to follow in order to optimize your social media campaigns.

10.45 : Social media and expectations of your customers, an insight on social media for IT companies, by Frank De Graeve, Quadrant Communications.

Online social media are more than a toy for youngsters. In every enterprise, at least someone is working with LinkedIn, wikis, Twitter, and other online social networking tools. As a professional communication service, we are asked by more and more companies what the potential advantages could be, and how to deal with them.

11.30 :  Social Media Malware Problems, by Eddy Willems, G-Data

A historical perspective on Malware and what happens in the online social media environments. Some facts and figures on malware distribution through Online Social Media.

12.15 : The example of using Twitter as a channel for malware distribution, identity fraud and phishing attacks, by Joeri Vanhoof, Barracuda Networks

13.00 : lunch & networking

14.00 : The use of online social networking as part of network traffic, and how to relate to it from a network management and network security management perspective, by Stijn Rommens, Palo Alto Networks

In its bi-annual white paper, Palo Alto Networks reports on the use of online social media and other traffic within the companies of their install base. They indicate how traffic inside the company is being shaped and how it could impact business communications. Learn how to use application firewalls to also prevent malware from coming in through the backdoor of online social media.

14.45 : Keynote address : Privacy disasters in social media – how vulnerable is your organization?, by Abhilash V. Sonwane – Vice President for Cyberoam, a division of Elitecore Technologies

Abstract: The aim of this presentation is to highlight emerging threats due to privacy disclosures faced by organizations and their employees, partners etc. who are active in social networks. While applications such as Facebook, Twitter and LinkedIn have opened new windows of opportunity for businesses, most organizations are unaware that each time they use social media tools, they reveal a potential minefield of sensitive information which may be used against them by competitors.

Seemingly harmless forum posts, remarks, tweets, or status updates by employees, when fitted together as a jigsaw puzzle, disclose startling facts about the organization which only an insider might be aware of.  This level of privacy breach is equivalent to hacking into a company’s network to learn its plans, products, clients or trade secrets, or finding a person to be bribed, coerced or blackmailed to get such information. 
Cyberoam recently conducted research on the social media presence of 20 organizations from around the world, and of their employees, to mine for information which could be potentially embarrassing. The findings were interesting and scary at the same time – employees are tweeting away anything from sensitive financial information to product launch details. What’s more, studying the patterns of corporate disclosures can even unravel the very DNA of the organization.
About : Abhilash V. Sonwane is Sr. Vice President - Product Management for Cyberoam, a division of Elitecore Technologies, where he is responsible for product and technology direction of the Cyberoam product line of Unified Threat Management appliances and other network security products.  He is a key innovator of the patent pending Layer 8 technology that implements the Human Layer over the theoretical 7 layers of the network stack. His current research involves studying people behavior in social engineering, and the evolution of next-generation threats emanating from social media.
Abhilash has around 11 years of experience in developing products solutions. His excellent grasp of the security industry and in-depth technical knowledge has been instrumental in the evolution of the Cyberoam brand worldwide. A prolific public speaker, he has addressed prestigious network security forums including RSA Conference (San Francisco), Virus Bulletin (Vienna), Interop and more.

15.45 : Coffee Break

16.15 : Securing the social enterprise - make your business safe to be social, by Philippe Michiels, Territory Account Manager, Belgium, Websense

Abstract : Do you want to reap the social web business benefits of posts, tweets, and tubes? Do you want to capitalize on the social web without employees wandering off to unproductive sites or engaging in illegal activities and confidential data loss? Follow this session and learn the secrets to:
• Enable the use of the social web and protect productivity and limit legal liability
• Eliminate the risks of the social web and help prevent modern malware

About : Philippe Michiels joined Websense in April 2011 as Territory Account Manager for Websense in Belgium. In this role, he is responsible for the effectiveness of the Belgium channel and is there to advise customers about Websense security solutions.

Philippe has been in the security industry for over 15 years. He has a passion for IT and a self-confessed fascination for the never-ending evolution of the Internet, following trends like Web 2.0 and the rise of Social Media. He studied electronics and began his career with an IT distributor before moving on to become a Systems Engineer, working hands-on designing and implementing the first Windows NT server deployments for enterprise customers. It was at this time that his enthusiasm for IT Security blossomed, due to the new and rising phenomenon of the Internet.

Philippe joins Websense from Trend Micro where he held positions as direct touch account manager and pre-sales engineer. Prior to that he held sales, sales engineer and security engineer positions at Dolmen CA, IN2 Computer and Tritech. Philippe plays a key role in educating our customers in Belgium and is an active company spokesperson discussing security-related matters at events and conferences.

17.00 : Privacy and Security in online social networks? A critical perspective from a research point of view, by Seda Guerses, COSIC, KU Leuven.

17.45 : Panel Discussion

18.15 : Closing Reception & Networking

19.15 : Close of Conference



You can also download a package with all the presentations of the day.

Topics under consideration

1. effectively using social networks in an enterprise context : block or embrace?
2. the example of using Twitter as a channel for malware distribution, identity fraud and phishing attacks
3. enterprise social networking usage scenarios, and how to deal with them
a. the real life experience : what do users do in their office time, and some suggestions for dealing with it intelligently
b. social networks and data loss : should your security strategy be antisocial?
4. social networks as means for targeted attacks and malware distribution
5. mapping an organization’s DNA using social media
6. privacy and online social networks : besides the personal data, is your enterprise or product social network protected?
7. ...

Practical Details :

Seminar with presentations, interactive discussions and panel discussions
Leuven, Ubicenter, September 6th from 9 AM until 7.30 PM

Free of Charge for LSEC Members, SIGNATURE partner Members and other Affiliate Members, and by special invitation
Free to attend upon registration before July 1st 2011, 150 € after July 1st.

Register at http://socialnetworking2011.eventbrite.com.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.


Looking forward to welcoming you on September 6th.

an afternoon on security innovations and visit to the MAS by LSEC and Palo Alto Networks


30-Jun-2011

On June 30th in the afternoon Palo Alto Networks and LSEC are welcoming you to an afternoon of discussions on innovation and information security in Antwerp. We would like to stimulate your mind before going into holidays by stimulating you to be innovative, also with information security.
Part of the afternoon will be a guided tour to the Museum aan de Stroom, next to drinks and lunch kindly offered to you by our partners.


Program Outline

13.00h Welcome & lunch

14.00 LSEC & Palo Alto Networks introductions to innovations and security, by Ulrich Seldeslachts, CEO LSEC

14.30 Industrial innovation strategies, Information Security and Innovation. A reflection on where innovation strategies could support your business in reacting to Security challenges, and to support your innovative businesses; by Ulrich Seldeslachts, CEO LSEC.

With contributions and papers such as :
“Strategies for Innovation in Security” ;
“Innovative approaches to Security”....

15.00 Nir Zuk : Innovate or Die

Nir Zuk, founder and CTO of internet security start-up Palo Alto Networks, brings a wealth of network security expertise and industry experience to Palo Alto Networks. Prior to co-founding Palo Alto Networks, Nir was CTO at NetScreen Technologies, which was acquired by Juniper Networks in 2004. Prior to NetScreen, Nir was co-founder and CTO at OneSecure, a pioneer in intrusion prevention and detection appliances. Nir was also a principal engineer at Check Point Software Technologies and was one of the developers of stateful inspection technology.

Nir and Palo Alto Networks are being seen as some of the more innovative information security developers. Nir is capable of seeing new challenges and brings new ideas around the table that challenge the existing landscape in trying to improve the current environment.

Passionate about technology, Nir started writing computer viruses at the age of 16 ...
That led him to be recruited by a special unit of the military in Israel, his country of origin, which was specifically looking for whiz kids like him. After serving five years, he studied Mathematics at university and was recruited by Check Point in ‘94, developing the first stateful inspection firewall.
In ‘97 Nir moved to the US, continuing his career with Check Point Software and later starting Palo Alto Networks.

Nir visited us late 2010, when we had a couple of controversial discussions. Today the challenge is for Nir to help convince companies that they also have to innovate in security, and in information security, in order to face the current security challenges.

16.15 : Coffee Break

17.00 MAS Tour / MAS networking drink

As part of our innovation discovery, we welcome you to join us during a guided tour of the Antwerp MAS (Museum aan de Stroom).

Innovative for its setting, architecture, used materials, environment, set-up and many many other things, the MAS is a good example of an innovative development, where tradition, history, and creativity come together.

The MAS is an impressive building with a museum, among other things. Because it is also the visible storage, the museum square with Luc Tuymans’ mosaic, the boulevard, the rooftop panorama, etc. The MAS is a total experience.

The MAS brings together the collections from the former Etnografisch Museum, the Nationaal Scheepvaartmuseum and the Volkskundemuseum. They are given a new home in the MAS along with part of the Vleeshuis Museum collection and the Paul and Dora Janssen-Arts collection.

The collection amounts to a total of 470,000 objects and is still growing. The MAS regroups the collections in an innovative story, through four universal themes with which everyone can identify. They are spread over five floors.

+4: Display of Power. On prestige and symbols
+5: Metropolis. On here and elsewhere
+6: World port. On trade and shipping
+7: Life and death. On men and gods
+8: Life and death. On the Upper- and Underworld

19.00 End

Practical Details

Antwerp, Barcelona-Meeting, June 30th from 1 to 5 pm, followed by a guided visit to the MAS.


Security of critical infrastructures - Transnational Workshop


15-Jun-2011

Date: 15 June 2011
Agenda:
15:00 : Welcome of delegation at Systematic’s annual convention (at Supelec, Plateau du Moulon 3, rue Joliot-Curie, Gif-sur-Yvette)
15:15 - 17:00 : Guided tour of exhibition area including specific security projects.
17:00 : Cocktail and networking on exhibition area.
Venue: Systematic Annual Convention at SUPELEC (Systematic R&D project exhibition, project demonstration)

Day 2:
Date: 16 June 2011
Time: 9 am to 2 pm
Venue: See map location below
Purpose:
Brokerage event for preparing FP7 Security call on the theme of: Critical Infrastructures through “Security of Information Systems” angle
Agenda:
9:15 – 9:30: Welcome by Institut Telecom and Systematic
Part I
9:30 – 11:00: Introduction (focusing on FP7 SEC related themes):
“Smart Grids”: Presentation by Hervé Debar, Telecom & Management Sud Paris and Markus Bartsch, TUV IT
“Resilience”: Presentation by Louis Granboulan, EADS and Otto Hellwig, CIIP expert, Institute for Applied Information Processing and Communications of the Technical University Graz, B-CCENTRE
“Privacy by design”: Presentations by Jean-Marc Suchier, Morpho and Joss Wright, Oxford Internet Institute
11:00: Tea & Coffee Break

Part II
11:15-11:40: Presentation and outputs of SIGNATURE desk research exercise by Dr. Richard Chisnall INNOVASEC
11:40-13:00: Mini Brokerage session on FP7 Security call (will be continued after lunch break if necessary)
Presentation by Frédéric Laurent, French Ministry of Higher Education and Research, of FP7 Security topics and feedback from SMIGS Meeting in Brussels 8-9 June
Presentation of collaborative projects’ ideas (5 minutes per presentation). Cf. template attached.
Presentation of competences’ offer (by SMEs or academics). Cf. template attached.

Download the program for more information and details.

Contact your local European Security Innovation Network partner at belgium @ securityinnovationnetwork.com for more information

Looking forward to seeing you there.

Metasploit Megaprimer Workshop

09-Jun-2011

Metasploit is one of the most popular vulnerability assessment and exploit research frameworks available today. It is a community-driven open source project, and hundreds of security researchers contribute their know-how to it regularly. In this workshop, we will take you through an in-depth tutorial on using Metasploit for vulnerability assessment and exploit research.
Instructor Vivek Ramachandran is a world-renowned security researcher and evangelist. His expertise includes computer and network security, exploit research, wireless security, computer forensics, embedded systems security, compliance and e-Governance. He is the author of the books “Wireless Penetration Testing using Backtrack” and “The Metasploit Megaprimer”, both up for worldwide release in mid 2011. Vivek is a B.Tech from IIT Guwahati and an advisor to the computer science department’s Security Lab.
More info:
http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT47
Subscription:
http://www.jcacademy.be

AppSecEU2011 - OWASP Application Security 2011 conference


06-Jun-2011

The AppSec Europe conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 400-500 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec Europe 2011 will be held at Trinity College Dublin on June 6th through 10th 2011. There will be training courses on June 6th, 7th and 8th, followed by plenary sessions on the 9th and 10th, with each day having at least three tracks. AppSec Europe may also have BOF (informal ad hoc meetings), break out, or speed talks in addition to the standard schedule, depending on the submissions received.
If you have any questions, please email the conference chair: appseceu at owasp.org

For more information and registration, please visit http://www.owasp.org/index.php/AppSecEU2011


GRC Unravelled - Governance, Risk & Compliance : Truth or Dare?


06-Jun-2011

Truth or Dare – Course and Seminar on GRC, Governance Risk & Compliance

Just before the economic crisis, the next big acronym was blasted into the market promising an overall strategy for a very old challenge : GRC. GRC could stand for Getting Reasonably Cold, Growing Rapidly Clean, Green Recyclable Costs, General Restructuring Climate, Given Reaction Challenge – or in our case Governance, Risk & Compliance.

The last two to three years, an ever growing set of regulations, requirements to become compliant, additional components, various measurements, whaling, correlated events, … have resulted not only in increased security measures, but also the necessity to provide comprehensive reporting, instant-available real-time situation overviews, anticipating audits and providing sufficient means and information to report on them.

Introduction

Any company has to deal with a variety of disruptive changes evolving : threats, technology, business, economics, compliance. Corporate boundaries are disappearing with opportunities such as ever growing mobile, internet web 2.x and cloud offerings. Reduction of cost, centralization, mergers and consolidation provide challenges of maintaining environments less familiar than the homegrown systems.

Governance, Risk and Compliance, collectively GRC is an acronym that creates headaches and a challenge for many IT and security managers, but also legal officers and business executives. Having tools and technologies to support management, maintenance and enforcing is already one major element, but allowing for comprehensive reporting on an executive level and bringing results of reporting back into the development area could be more challenging.

During the following seminar, we are trying to get an understanding of the evolution of the market, by presenting some live experiences, some key lessons learned during and beyond implementation, challenges for integration and maintenance, potential for in-house or outsourced GRC, and ways of seizing the internal and external audits. We’ll have a look at potential tools, their benefits and advantages and their deficits. We will try to present an evolutionary landscape and roadmap, following some other available examples with a view of the impact of virtualization and cloud environment.

Program Outline

Program
9.30 : Welcome & Registration
9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.
10.00 : Introduction to GRC, understanding the basic and overview, by Wouter Janssen, Axl-Trax
Abstract : 
Managing risk through GRC (Governance, Risk & Compliance)
- Short overview of (SAP)GRC components(?)
- SAP and risk management (IT , security & process risks)
- Categorization of SAP risks and types of controls for mitigation
- Access risks (GRC AC), segregation of duties and the art of automation
- Process risks and business process control
- An approach for selecting risks and establishing appropriate control measures
Risk assessment & selection/identification
Establishing control objectives and key controls
Documentation, automation and process-orientation
Roles & responsibilities
Closing the circle: continuous monitoring of controls effectiveness
About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges. He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

10.45 : Governance, Risk & Compliance further investigated, by Els Houbrechts, Information Security Officer SPE Luminus & Carlo Schüpp Partner Vinti-Q &
Abstract :
Access Control does not enjoy a lot of sympathy with every business manager. It is often seen as a barrier that focuses too much on confidentiality and too little on reliability of data and process-driven controls. The business manager, however, expects the Security Officer to recognize the role of reconciliation processes and the review of operational reports in maintaining trust in data. This session provides a case study of how SAP GRC was used to set up a constructive dialogue between business and IT during reorganizations.
About : Els Houbrechts is currently Information Security Officer at SPE Luminus. Prior to that she worked as a security consultant with Telindus after having been security engineer at Utimaco and Security consultant at Utimaco Safeware AG before it was acquired by Sophos.
About : Carlo co-founded Vinti-Q, a high-end management advisory and engineering firm focused on information security and information-driven innovation. Prior to that, Carlo led Deloitte’s European practice of Security & Privacy. His clients typically seek security assessments, business continuity planning, application audits, answers to IT governance questions, computer forensics and incident response, and compliance reviews. Carlo has had a career managing business lines and new initiatives. He served twelve years at Swift as a leader in product and market management. He participated in The Way Forward programme to transform Swift from a passive institution to a commercial enterprise. He built Swift’s first data warehouse to analyse all daily financial transactions and helped transform Swift from a proprietary network to a service provider facing the security challenges of the internet. He conducted process audits and provided top-management consultancy to banks in the global top-100, etc. He also served five years at Ubizen (today Verizon Security Business Solutions) as CIO leading the managed security services. Carlo took part in founding LSEC together with K.U.Leuven-COSIC and K.U.Leuven LRD, from a clear need within Ubizen to position Leuven as a center of expertise on Information Security that is recognised worldwide. Since his departure from Ubizen, Carlo has been a Board Member of LSEC.

11.30 : An economic approach to GRC, by Rudy Meert, Senior Security Consultant (Risk MGT & IT Governance), CISSP-CISA-CISM-CGEIT-CRISC, Belgacom ICT
Abstract : Challenges for GRC supporting methods & tools, like maturity, complexity, effectiveness, efficiency, improvement simulation, transparent reporting to business & decision support, and the way Belgacom deals with these by adopting an economic approach
Objective of presentation: share our experience in the GRC - & information risk management area.
Important challenges for GRC & risk management supporting methods & tools + lessons learned:
• Basic requirements
• Reinventing the wheel problem & complexity
• Configuration Management syndrome & efficiency
• Low maturity - & less scientific approaches
• The effectiveness, efficiency & flexibility requirements
• The simulation capability requirement
• The added value of quantitative approaches
About : Computer scientist, more than 25 years of experience in information security and risk management. Financial, pharmaceutical & consultancy industry. Specialised in cryptography, risk management and optimisation methods & techniques. Professional certifications: CISM, CISA, CISSP, CGEIT, CRISC Developed several algorithms & methods in the area of cryptography and risk management. Optimisation techniques. New approaches on risk - and value management.

12.10 : Human Behaviour and IT Security No Longer Need to Be In Conflict, by Dave Vijzelman, Security Consultant, CA Technologies
Abstract : how challenges in the environment are being managed with a series of tools that consider the changing landscape.
About : Dave Vijzelman has worked in several large heterogeneous environments and has extensive experience in designing and implementing architectural RBAC solutions. His focus is primarily on RBAC strategies and role mining. Besides this, he also has a wide knowledge of the technical approach regarding identity and access management (IAM) strategies. Previously he was a Senior Information Security Consultant at Ascure where he was responsible for the architectural approach of analyzing and designing RBAC strategies for clients. Before this, he was an RBAC Consultant at BHOLD Company. Today, Dave is Principal Security Consultant with CA Technologies, supporting large associations in their Identity Management challenges.

12.50 : Walking Lunch & Networking

14.00 : See more, Act faster and Spend less in your compliance domain, Solutions Specialist Europe, RSA the Security Division of RSA
Abstract : In our increasingly globalized business environment, economies and enterprises are steadily becoming interrelated. Yet many key functions and departments that deal with related information and business processes remain siloed. As competition escalates, as organizations become more dispersed, and as regulations increase in number and complexity, risk inevitably grows. So, too, does the demand—from markets, regulators and customers—for increased accountability. The answer is to bring governance, risk management and compliance together in an integrated program where policies, data and controls are strategically managed and visible throughout the enterprise. An enterprise governance, risk and compliance (eGRC) strategy, supported by a common technology platform, creates consistency and transparency, enables collaboration, fosters operational efficiencies, and ensures the continuity and success of the business. See more, Act faster and Spend less in your compliance domain is key in a complex environment.
About : Since 2009 René Pieëte has been working as a Consultant at RSA, the Security Division of EMC. After graduating from Groningen University with a PhD in economics, he worked several years as an economist. René has 25 years of experience in several positions in enterprise software development, sales, consultancy and implementation. Currently he leads different areas of expertise such as Authentication, Data Loss Prevention, Anti Fraud, SIEM and Governance, Risk and Compliance. René has a wide expertise as security leader with an inspiring view on end-to-end security.

15.00 : How security tools can accelerate GRC projects, by Johan Hermans, Partner CSI-Tools
Abstract :
Fully integrated GRC system: perfect, helpful etc. BUT
- How to implement it, what are the requirements
- There is according to me only one approach: Top Down & Bottom Up
- The bottom up approach requires specific (small) security tools
- In which phase are they used and for what
- We end the presentation with lessons learned (of our 200 customers the last 10 years)
The idea of the presentation is Bruce Schneier’s statement: “If you think technology can solve your security problems, then you do not understand the problems and you don’t understand the technology”
About : Johan is CEO of Axl-Trax (former CSI-Belgium) and CSI-tools. Previously, Johan was IT Auditor at Coopers & Lybrand and Financial Auditor at C&L. Being pioneers in the GRC business, CSI knows from experience which solution best matches specific needs, and we gradually extended the scope of our services to meet the more complex demands, expectations and legal requisites of the current business world.

15.45 : Information Security Doesn’t matter, by Geert Vandenbranden, CISSP, CISM, CISA, CIRM, MBCI, P2FC, Information Risk Management Consultant, Competence Center Leader Information Security Governance, Ascure
Abstract : In a lot of companies information security is still not handled with care. IT and information is becoming more and more important, nevertheless information security governance does not show the same growth in value to those companies.
About : Geert Vandenbranden has an extensive experience in ICT and Information Security related disciplines both at the strategic, tactical and technical levels.  In his current position as Senior Information Security Consultant, he focuses on Information Security Governance / Program Management, Information Security Policy design/implementation, Information Risk management, Information Security Awareness Programs, Business Continuity Planning, Business Continuity Testing, Intrusion Detection/Prevention techniques and Security Architectures and Infrastructures.

16.30 : Panel Discussion & Coffee Break

17.15 : Case Study : Security Management at the Olympic Games, by Chris Van den Abbeele, Solution Manager, Atos Origin
Abstract : For the Vancouver 2010 Olympic Winter Games, the Atos Origin security team collected almost 9 million security related events each day to detect any potential IT security risk for the Olympic Games IT systems. Thanks to extensive correlation and filtering, only a hundred were identified as issues and were investigated. All were resolved, so there was no impact at all on the Olympic Games. This session gives a view behind the scenes of how Atos protects the most visible IT environment in the world.
About : Chris Van Den Abbeele is Solution Manager for Identity and Security solutions at Atos Origin. He is responsible for managing the Identity Security offering at Atos Origin Belgium.  Chris has over ten years experience in designing Identity solutions.  He has a clear view on the technology, the market and the players.  Prior to joining Atos Origin, Chris worked as a Technology Specialist at Novell for about ten years.

18.15 : Closing Notes & Networking Reception

19.30 : Close of Seminar

Other subjects to be discussed :
1. Where to start with GRC? Data to be easily obtained? Get results and refine, or dig deep and deliver later? What to present and what not (yet)?
2. How to identify the core security data that reflects performance? Some practical examples that apply everywhere?
3. GRC and ISO 27k – is there a match in heaven to be made, or even more of a nightmare?
4. The collection of stupid data is still stupid, or isn’t it?
5. Defining performance indicators in information security that matter.
6. Systems integration, the long and windy road …
7. So you have GRC environment, now what? What does it do?
8. GRC, taking security management beyond the basics
9. From security tools and systems to comprehensive risk management
10. Applying the CSA Cloud Security Matrix in GRC
11. Experiences with Cloud Service Providers
12. Is there room for benchmarking?
13. Did we forget anything : risk monitoring and control
14. …

Unfortunately the following two presentations were cancelled.

AI & Digital Forensics and ISO Compliance, by Godfried Williams, Intellas UK (cancelled)
Abstract : AI techniques are effective for problems that require pattern recognition, as well as analyzing complex data and problems. This presentation explores a standard framework for guiding the use of artificial intelligence tools for digital forensics activities. AI forensics technology has the potential to effectively solve web counter-terrorism surveillance, fighting Internet fraud, masking identities online and data mining for managing online digital footprints. Intelligence gathered from analyzing multiple sources of information could be useful for providing leads to digital investigations. This presentation focuses on ongoing work by standard bodies and assesses requirements that are likely to facilitate the adoption of such frameworks by the forensic community.
About : Godfried Williams is the CEO of Intellas UK, the Artificial Intelligence and Information Security and Forensics Company based at London Canary Wharf. A Course Leader at the department of Computing, University of Gloucestershire UK, and visiting Professor in information security to many universities.
He has approximately 20 years of professional experience in the IT industry. A Graduate of Cornell University’s Johnson’s School of Management where he studied Leadership and Strategic Management. His undergraduate computer training is from the prestigious WANG Computer Laboratories in Boston USA. Previously worked as Senior Systems Analyst and Project Leader for the International Development Association (IDA) of the World Bank resident at the Accounting and Management Information Systems Unit (AMISU), between 1995 and 1997. He assisted in the Planning and Management Information Systems Unit in handling the World Bank Highway Sector Investment Credit (IDA Credit 2858-GH) on behalf of the Ministry of Roads and Transport Ghana.
A Fellow of British Computer Society (BCS). Fellow of Royal Society for the Encouragement of Arts and Manufacturing.

and

iGRC, Cyber Protection by Mike Popham, Infogov

Large-scale ICT networks are now the fundamental basis for UK critical infrastructure and economic activity. However, there is an urgent need to develop the underlying science and engineering principles required to support such complex systems. In particular, the application of autonomous AI techniques and self-organising networks has the potential to create CNI systems that are an order-of-magnitude more resilient and dependable than current methods.
In order to manage this growing system complexity the SATURN programme will demonstrate how self-managing intelligent services can enable the rapid discovery and fusion of critical network data feeds in real-time. SATURN will also develop and validate novel tools and techniques for visualising and understanding the complex interdependencies between the service layer, and the underlying physical networks. In addition the project will enhance the underlying theory of complex networks in the CNI domain, and create new modelling and simulation capabilities.
The key output will be an advanced demonstrator that displays ultra-resilient ICT service capabilities. The system will also enable automated knowledge management and integrated data fusion. (A key requirement for improved CNI decision support.) Northrop Grumman, as part of our contribution to TSB Project SATURN, will develop a cyber range capability that can be leveraged for use in evaluating cyber effects on large scale, complex, heterogeneous and cooperative network structures.  This range will provide the United Kingdom with a new ability to conduct meaningful cyber experiments and assessments of infrastructure survivability and assurance.

Workshop Day 2

During the second day, a lecture by Peter Houtmeyers - Titans Consulting on the use of ISO 27k and GRC was followed by a workshop with the attendees.

The results of the workshop will be shared in an overview paper.

Participants to the workshop were given the details of the results.

Logistech - Security & Track&Trace

01-Mar-2011

Smart Logistics Community has a successful series of sessions on Sustainable Logistics.

Security and Traceability are but a few ways of impacting logistics today and even more in the future. Regulations and compliance will be leading the domain, and more requirements will develop.
Innovative products, services and concepts can be useful.

What are the practical implementations and applications that can be used?

Cold Chain Logistics, Smart Transport Systems, Security and Track&Trace and Crisis & Eventlogistics.

Program Overview

Increase the resilience of your logistics chain

Tuesday 24 May 2011, 13.30 - 18.00

The logistics chain is vulnerable. Maximum safety and security in every link is a must.

And this is not only about doing business with reliable partners who actively take part in (certified) security programmes. A sound security approach is just as indispensable in the production process, during loading, during transport and during the transshipment of goods.

Program

13.30 : Reception

14.00 : Welcome, POM Vlaams-Brabant

14.05 : Setting the scene, Kris Neyens - Vlaams Instituut voor de Logistiek

14.20 : Case 1: Access control in the ports using cameras, Jan Bossens - Camco

14.35 : Case 2: Product authentication in pharma, Pascal Durdu - Zetes

14.50 : Case 3: T&T security through sensors, Stephen Dunphy - Essensium

15.15 : Coffee break

15.45 : Case 4: T&T for the supply chain, Peter Dewolf - DHL

16.00 : Case 5: Airport security through new concepts and technologies, Jean-Paul Van Avermaet - G4S

16.15 : Case 6: Privacy legislation regarding access controls, Ronny Saelens – Vrije Universiteit Brussel

16.30 : Networking

Practical details

Date: Tuesday 24 May, 13.30 – 18.00
Location: Belgocontrol, Control Tower, Tervuursesteenweg 303, 1820 Steenokkerzeel

Photos and presentations can be found via the link below:
http://www.flanderssmarthub.be/logistech/doelstellingen/community-smart-logistics/

Safe Cities

17-May-2011

LSEC is supporting SITC as co-organizer and partner of the Safe Cities initiative as part of the European Security Innovation Network.

Frost & Sullivan has identified the Rise of Safe Cities as one of the key mega trends in the future. Megacities across the globe are already following the trend and discussing options to implement Safe Cities projects. As a key enabler to this concept, Security Solutions are increasingly becoming a critical element in the planning and development of Smart Cities across the Globe. The Safe Cities market is characterised by a very fragmented customer base, strong competition and different business models towards integration and industrial partnership. As an evolving concept, industry players are still trying to understand how to best approach market opportunities in existing and future Safe Cities projects.
Frost & Sullivan is planning to host this specific track at its GIL Europe 2011 with the aim to enable organisations to:
• Gain a better understanding of what a Safe City is, from a vendor, a city planner and end user perspective
• What vendors/integrators, from different industries (i.e. IT, Building Technologies, Defence, Security)
• What are the business challenges and opportunities
• What vendors/integrators can/need to do in order to position themselves strategically in this emerging market

Proposed Agenda

The annual Growth Innovation and Leadership Congress will take place at the Emirates Stadium on 17th May 2011.
The proposed schedule is as follows:
1.45pm CEO’s 360 Degree Perspective – Safe Cities
2.15pm Growth Success Story
2.45pm Interactive Workshop: Developing a Visionary Perspective for the Future
3.45pm Interactive Panel on Innovation/Industry Convergence

Practical Details

For more information and registrations links, please visit : http://www.securityintech.com/articles/86

Part of the GIL Conference (Global Community of Growth, Innovation and Leadership), Tuesday 17 and Wednesday 18th.

A special SITC, LSEC, Security Innovation Network discount is available, at a special rate of 250 GBP instead of 1800 GBP.
Contact us at safecities @ lsec.be for more information.

CA Technologies Open Day - Agility in the Cloud

17-May-2011

Our Partner Member CA Technologies organizes the CA Technologies Open Day on May 17th.

Visit us there and participate in the Security and other activities.

Does Cloud make us more Agile or should we just be Agile to be able to connect Cloud seamlessly to the existing business and IT infrastructure? During CA Technologies Open Day on May 17 CA will show you what this might mean for your organisation. Experts will share their experiences with you.

At this top location in Evere, renowned speakers within the business community and software industry will share their vision and experiences with you. They will talk about market trends, their own practical experiences and technical (im)possibilities. The day is split into two parts. In the morning, extraordinary and interesting keynotes will pass by. The afternoon sessions consist of several parallel tracks with specific themes about Cloud, Mainframe and Portfolio Management.

Apart from the sessions, there is a Partner Expo, which is open the whole day.

Register Now at the CA Technologies website.

Plenary tracks in the morning

09.30-10.00 Registration
10.00-10.15 Welcome & Introduction
Dirk Janssen, Senior Director Country Sales, CA Technologies
10.15-10.45 Industry Keynote
Vincent Van Quickenborne, Minister of Entrepreneurship & Administrative Simplification

10.45-11.15 Customer Keynote
Kris Verheye, VP Corporate Market, Enterprise Business, Belgacom
11.15-11.45 Network Break Partner Expo
11.45-12.15 CA Technologies Keynote
Dr. Donald Ferguson, Executive Vice President & CTO CA Technologies International
12.15-12.45 Recap with Dirk Denoyelle
12.45-14.00 Networking Lunch Partner Expo
14.00-14.35 Parallel Sessions – part 1
(Mainframe, Portfolio Management, Cloud Build, Cloud Manage, Cloud Secure, MSP Track, CA ARCserve Track)
14.40-15.15 Parallel Sessions – part 2
15.20-15.50 Networking Break Partner Expo
15.50-16.15 Parallel Sessions part 3
16.15-16.45 Guest Performance Dirk Denoyelle
16.45-17.00 Raffle CA World 2011 Las Vegas packages
17.00-18.00 Networking Drink Partner Expo

Security Program Detail

Cloud Secure Parallel Tracks
Secure Identities in the Cloud: Mission Impossible?
14.00-14.35
In an increasingly open environment of Partners, Suppliers, Home-workers and Cloud applications, keeping track of who has access to what and why is becoming an almost impossible task. Add more demanding Auditors and Regulators to this equation and it is no wonder that companies feel they are heading towards disaster. Join us in this track to view the future of Identity Management.
Speaker: Dave Vijzelman, Senior Solution Strategist, CA Technologies (17th May BE)
Speaker: Paul Ferron, Senior Solution Strategist, CA Technologies (19th May NL)

Identity compliance: Can you afford not to act?
14.40-15.25
In order to show compliance with various regulations, like ISO 2700x, Identity Compliance has become a real issue. In this track PWC and CA Technologies will explain how to execute controls and policy definitions into the technical domain to ensure continuous identity compliance.
Speaker: Dave Vijzelman, Senior Solution Strategist, CA Technologies (17th May BE)
Speaker: Paul Ferron, Senior Solution Strategist, CA Technologies (19th May NL)

Bring your own Device! A pain or a pleasure for Information Security?
15.50-16.15
In today’s consumer driven economy more and more end users are demanding flexibility in their work devices. How can you enable this trend of blending Business and Fun in an acceptable manner?
Speaker: Dave Vijzelman, Senior Solution Strategist, CA Technologies (17th May BE)
Speaker: Paul Ferron, Senior Solution Strategist, CA Technologies (19th May NL)

Practical Details

May 17th - The Event Lounge in Evere BE

Registration and participation are free of charge.
Registration : at the CA Technologies website.

The Event Lounge
16 F Bld Général Wahis - Generaal Wahislaan
1030 Brussels
http://www.eventlounge.be

Data Breaches in 2010 - a presentation of the data breach report by Verizon Business

10-May-2011

Data breaches continue to plague organizations worldwide, and Verizon, this year again in collaboration with the U.S. Secret Service and, new this year, the National High Tech Crime Unit of the Netherlands Police Agency (KLPD), continues to analyze them.

Once again, Verizon is very glad to share their newest research into the world of data breaches: “the Verizon 2011 Data Breach Investigations Report” (DBIR) with you. We will do so in print as well as face-to-face, if you are available.

On 10th May, Wade Baker, director of risk intelligence for Verizon and creator, author and primary analyst for Verizon’s DBIR series, is presenting the analysis, findings and recommendations of the 2011 DBIR at an ISSA-BE event… and you’re invited.

Venue: Verizon, Ubicenter, Philipssite 5, 3001 Leuven
Time: 10th May, 6 p.m. – 8.45 p.m. (networking until 10 p.m.)
Registration: free but mandatory

Should you not be available or wish to prepare for Wade Baker’s visit on 10th May, feel free to download a soft copy of the 2011 DBIR via the LSEC website.

Some of the 2011 DBIR key findings:
- 92% stemmed from external agents;
- 97% of breaches were avoidable through simple and intermediate controls;
- 89% of victims subject to PCI-DSS had not achieved compliance;
- 50% utilised some form of hacking;
- 49% incorporated malware.

We hope to see you on 10th May!

LSEC, ISSA Belgium European Spring Special Event : Information Security Challenges in 2011

28-Apr-2011

LSEC Special Spring Event : Information Security Challenges in 2011

On April 28th, in the evening, LSEC and ISSA Belgium European, in co-operation with Isaca Belgium, are organizing a special networking event, bringing together various people and insights from the Information Security Industry.
Besides the social activities, some drinks and the special location of the Coudenberghmuseum, we will be updating our partners and members with some insights in Information Security Challenges in 2011.

Managing mobiles and smartphones is one of the key topics identified by both the information security industry and the enterprise security management, as one of the key potential risks and threats in information management. Over the last five years, it has been identified as a major threat and due to the evolution of those smartphones, the potential risks became even greater. Some phones hold memory capacity of up to 64 GB, allowing for quite some data to leak from the enterprise. Most phones retain confidential information, both emails with confidential documents and discussions, as well as contacts and personal data of the relations of the person who’s using the smartphone on a daily basis. On top of that, most of the applications being developed have not at all been strengthened to today’s level of potential software threats. It’s all about convenience, user friendliness and downloading pieces of software that are fun to share, please the kids or talk about over drinks.

At the end of 2010, ENISA published the ENISA Smartphone Security report, indicating some trends and challenges for companies to manage smartphones.

During our evening, ISSA invited ENISA to explain some of their findings in more detail and to discuss the issues with some other industry specialists.


This event is supported by our Partner Member Barracuda Networks.


Next to that, we have invited Raj Samani, McAfee’s EMEA CTO to give a view on some of the other Information Security Challenges we are facing in 2011.
Prior to McAfee, Raj was involved in the Public Administration Healthcare in the UK; having been part of the transformation from paper to digital and facing major security challenges in that process.
Today he’s supporting enterprise, government and McAfee in making the right choices when it comes to future challenges.
Raj is the European representative of the Cloud Security Alliance and is working on a Security management guideline, the global collaborative project used to evaluate objective measurement of IA maturity known as the Common Assurance Maturity Model (CAMM).

Finally, to close the program, we’ve invited some of the latest LSEC members to shortly present themselves and their companies in a 5 minute elevator pitch, which will bring us to the reception and a visit of the museum.

Learn more about Egemin, one of the latest LSEC members.


About the Location : Coudenberghmuseum and BELvue

The Coudenberghmuseum, an underground tour discovering the remains of the palace of Charles V
From the Middle Ages, a castle overlooked Brussels from Coudenberg hill. From the 12th century, the successive monarchs and their representatives transformed a small fortified castle into a sumptuous residential palace, one of the most beautiful palaces of Europe and one of Charles V’s main residences.

This prestigious building is severely damaged by fire in 1731. Some forty years later, the ruins of the palace are pulled down and the ground flattened out for the construction of the new royal district. The remains of this palace make up the Coudenberg archaeological site.

During your visit, you will discover the Rue Isabelle and the old structures of the main buildings of the former palace of Brussels, which are now the foundations for today’s royal district and the Hoogstraeten House where the most interesting discoveries made during the various archaeological excavations conducted on the Coudenberg are displayed.

The BELvue museum provides a great overview of Belgian history. History has been written in the museum. In 9 halls and temporary exhibitions, this country surprises its inhabitants and visitors. Historic events uniquely documented, poignant film snippets and photos that you’ll never forget, moments in the past brought back to life to be relived as a memory for the elder and a discovery for the young…

You could also ‘just’ visit for the magnificent setting, the former 18th century Bellevue hotel – next to the royal palace, with a view of the gardens, beautifully renovated and one of a kind. A building that is more than just bricks and mortar, more than history, a building in which you can partake in our collective memory and that welcomes you with open arms – as a Belgian or a foreign visitor. BELvue has a story that it wants to share with you.

Program Outline

Part 1
16.45h : Welcome and Registration for the Coudenbergh visit

17.00h : Guided visit to the Coudenbergh museum (independently from the BELvue). Limited spaces only, first come, first served.

Part 2
18.00h : registration & welcome drink

visit to the BELvue museum for those who are interested, until 20h.

18.15h : Opening address by Ulrich Seldeslachts, CEO LSEC; welcoming notes by ISSA Belux President and by ISACA Belgium President

18.20h : Security… is there an app for that? An overview of ENISA’s smartphone security report, by Marnix Dekker, ENISA

Abstract: Last year, together with a number of smartphone experts and security officers, we wrote a paper about smartphone security. The paper gives an overview of the top ten information security risks when using smartphones and also highlights important information security opportunities. To address the risks we make recommendations by giving pragmatic (risk-based) advice to end-users and IT (security) officers in businesses and governmental organisations for reducing the risks. In this presentation I will give an overview of the report, discuss the top ten risks, the opportunities, and look ahead to our future work in this area.

About : Marnix works in ENISA’s Secure applications program. He focuses on smartphone security, secure software engineering and cloud security. Previously he worked as an IT architect at KPMG, designing and auditing large identity management systems (for example the Dutch DigiD and the eRecognition framework). He has a PhD degree in Computer science and a Master degree in Theoretical physics.

19.00h : Auditing Mobile Apps and Mobile Forensics, by Aman Bahr, Training & Solutions Director, The Lancelot Institute

Abstract: Exponential growth in both apps for, and malware infections on, mobile devices, whole-sale theft of a developed nation’s Prime Minister’s email from her mobile device, and the continuing extension of corporate and government networks to include “smart” mobile end-points, are just some of the reasons for this seminar. “We will discuss and demonstrate policies needed to govern the use of apps on mobile devices, how to implement these policies as a secure, yet practical, baseline for current “smart” mobile devices, how to audit said apps and devices against the nominated baseline, and how to detect and dissect malware and other intrusion-based incidents via mobile forensics. We will do this by way of case studies and practical demonstrations.”

Bio: Aman works as training & solutions director in the Lancelot Institute. In addition to his management and consulting activities he regularly travels the globe on speaking and teaching engagements for enterprises to assist them in securing their information assets. Aman is academically qualified in Information Systems, and specializes in Information Systems Assurance, Auditing, Continuity, Recovery and Incident Response. He is author and co-author of the Virtualization Audit Professional™, Cloud Audit Professional™ and Penetration Testing Professional™ training programs.

19.40h : mobile security panel discussion

Moderator : Ulrich Seldeslachts, CEO LSEC
Panellists :
- Marnix Dekker, ENISA
- Aman Bahr, The Lancelot Institute
- Jean-Luc Delvaux, Belgacom ICT
- Gert Vanhaeght, Mobila
- Raj Samani, McAfee

Snacks and drinks will be served during the presentations. There will be opportunity to network and have social discussions next to the speaker’s contributions.

20.00h : Information Security Challenges in 2011, by Raj Samani, McAfee CTO EMEA




About Raj Samani :
Raj is an active member of the Information Security industry, through involvement with numerous initiatives to improve the awareness and application of security. He is currently working as the VP, Chief Technical Officer for McAfee EMEA, having previously worked as the Chief Information Security Officer for a large public sector organisation in the UK.

In addition, Raj is currently the Vice President for Communications in the ISSA UK Chapter, having previously established the UK mentoring programme. He is also on the advisory council for the Infosecurity Europe show, Infosecurity Magazine, and expert on both searchsecurity.co.uk, and infosec portal. He has had numerous security papers published, and appeared on television (ITV and More4). As well as providing assistance in the 2006 RSA Wireless Security Survey and part of the consultation committee for the RIPA Bill (Part 3). He is also leading the global collaborative project used to evaluate objective measurement of IA maturity known as the Common Assurance Maturity Model (CAMM).

Next to his work Raj has also obtained;

CESG Listed Advisor Scheme, (CLAS), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Microsoft Certified Systems Engineer (MCSE – in NT4, Win2k, Win2003), Check Point Certified Security Administrator (CCSA in NG and 4.1), Check Point Certified Security Expert (CCSE - NG), Citrix Certified Administrator (CCA), QualysGuard Certified, RSA Certified Systems Engineer (SecurID), Cisco Certified Network Administrator (CCNA), as well as a BA (Hons), and MSc.

21.45h : close of evening

22.00h : close of Hoogstraeten Hotel Museum

Practical Details

April 28th, Coudenberghmuseum, entrance until 20h via BELvue museum via the Warandepark entry. (official address Koningsplein 1000 Brussel)
From 20h onwards entrance via Hoogstraeten Hotel.

Free to attend, upon prior registration and confirmation.
You are welcome to join just for drinks, to freely visit the museum, participate in the talks or do all of the above combined.

Registration is easy but mandatory; please visit the Special LSEC, ISSA Spring event page at the Eventbrite website.

Please register for
Part 1 : 16.30h and onwards visit to the Coudenberghmuseum
Part 2 : 18.00h and onwards evening activities and visit to the BELvue museum (until 20h)

Limited places available; seats are granted on a first-come, first-served basis.
Please cancel your reservation at least 48 hours in advance, so that we can proceed to the waiting list.
Failure to cancel at least 48 hours in advance, or a no-show, results in a cost of 150 € for our organizations, which we will invoice to you.

For more information, suggestions and other, please contact lsecspring @ lsec.be.

Looking forward to sharing Spring Blossoms and Flower ideas.

Lecture on Crypto and e-Voting: Homomorphisms, Zero-Knowledge Proofs, and Other Tricks of the Trade

02-Mar-2011

Lecture on “Crypto and e-Voting: Homomorphisms, Zero-Knowledge Proofs, and Other Tricks of the Trade”, by Prof. Dan Wallach, Rice University

About

LICT, LSEC and secappdev.org kindly invite you to this talk that will take place on March 2nd, 2011 at 18:00.
The session is open for all interested parties.
Participation is free of charge, but advance registration is requested by February 27th.

Date: March 2, 2011
Time: 18:00 - 20:00 (Sandwiches are provided at 18:00. The actual lecture starts at 18:30)
Location:  K.U.Leuven, Dept. Electrical Engineering - ESAT, Aud A
Kasteelpark Arenberg 10, Leuven, Belgium

Program Outline

This lecture, which assumes a modest amount of cryptographic knowledge in advance, explains many of the cryptographic techniques necessary to build “end-to-end” secure cryptographic voting systems, including homomorphic Elgamal encryption, reencryption mixnets, and zero-knowledge proofs.

Bio of speaker:
Dan Wallach is an associate professor in the Department of Computer Science at Rice University in Houston, Texas and is the associate director of NSF’s ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). His research involves computer security and has touched on issues including web browsers and servers, peer to peer systems, smartphones, and voting machines. He has testified about voting security issues before government bodies in the U.S., Mexico, and the European Union, and has served as an expert witness in a number of voting technology lawsuits.

Target Audience:
The lecture is aimed at students, researchers and other interested people with some knowledge of basic cryptography.
Organisation:
This lecture is jointly organised by LICT and secappdev.org.

Practical Details

Participation is free of charge, but advance registration is requested by February 27th. (LICT event registration page)
Sandwiches will be provided at 18:00.

The European eIdentity Management Conference 2011 by EEMA - 24th annual conference

08-Jun-2011

EEMA and the Estonian Ministry of Economic Affairs and Communications have joined forces to produce a unique experience - the European e-Identity Management Conference, which examines the key challenges and strategies in effectively managing organisation, administration, employee and citizen identities.

The conference

The conference provides an ideal and rare opportunity for identity experts to share their experience and knowledge with others, through case studies, presentations, networking, Q&A sessions and debate; and for all participants to learn more about the most critical technical, business and legal issues in identity today. For example:

· What are the advantages and shortcomings of the different models of e-identity management?
· What are the main components of a secure ID management system?
· How do you solve the challenges of provisioning and de-provisioning?
· What are the challenges of federated ID management?
· What is the current position of “new technologies” ID? i.e. Mobile or Cloud
· How do you ensure interoperability of ID cards?
· How can you measure the effectiveness of your identity and access management (IAM) implementation?
· What legal parameters must you consider in implementing e-ID systems?
· How do you balance the need for ID management with Governance & Compliance Audit issues?

Practical Details

EEMA’s 24th Annual Conference
08/06/2011 to 09/06/2011 - Tallinn, Estonia

International Course on Computer Security and Cryptography 2011

14-Jun-2011

13th edition of the international COSIC course! This course on computer security and cryptography is organized by COSIC, a research group from the Katholieke Universiteit Leuven and research team of the Interdisciplinary Institute for Broadband Technology (IBBT), in cooperation with LSEC - Leaders in Security and will be held in Leuven from Tuesday, June 14, 2011 till Friday, June 17, 2011.

Program Outline

Part I
Day 1: Tuesday, June 14, 2011
09:00 Welcome
09:10 Introduction Vincent Rijmen
09:40 Basic concepts Vincent Rijmen
10:40 Coffee break
11:00 Block ciphers and stream ciphers Vincent Rijmen
12:00 Public-key cryptography Frederik Vercauteren
13:00 Lunch
14:30 Privacy technologies Claudia Diaz
15:20 Coffee break
15:40 Hash functions and MACs Bart Preneel
16:30 SHA-3 Sebastiaan Indesteege
17:00 End of day 1

Day 2: Wednesday, June 15, 2011
Track 1
09:00 Secure hardware & side-channel attacks, Ingrid Verbauwhede
09:50 Privacy and Security: a Trade-Off?, Jos Dumortier
10:40 Coffee break
11:00 Entity authentication & key establishment, Bart Preneel
12:40 Lunch
14:10 Enforcing security policies on untrusted software, Frank Piessens
15:00 Computer security, Stefaan Seys
15:50 Coffee break
16:10 Public-key infrastructures, Bart Preneel
17:50 End of the first track of day 2

Track 2
11:00 Public-key cryptography: advanced topics, Frederik Vercauteren
11:50 Biometrics, Koen Simoens
12:40 Lunch
14:10 RFID hands-on, Philippe Teuwen
15:50 Coffee break
16:10 RFID hands-on, Philippe Teuwen
17:30 End of the second track of day 2

--------------------------------------------------------------------------------
Part II
Day 3: Thursday, June 16, 2011
09:00 Graphical passwords and knowledge-based authentication, Paul Van Oorschot
09:50 U-prove, Ronny Bjones
10:40 Coffee break
11:00 E-ID security, Walter Fumy
11:50 Security for an international card payment system, Michael Ward
12:40 Lunch
14:10 Mobile payments, Marijke De Soete
15:00 Coffee break
15:20 Extension of card payments, Cristian Radu
16:10 Secure software installation and update, Paul Van Oorschot
17:00 eID in Belgium, Danny De Cock
17:50 End of day 3
19:30 Conference Dinner @ The Faculty Club

Day 4: Friday, June 17, 2011
09:00 GSM/3G algorithms, Helena Handschuh
09:50 Verification for cryptographic protocol implementations, Cédric Fournet
10:40 Coffee break
11:00 Standardization, Walter Fumy
11:50 Mifare plus and privacy preserving technologies, Marc Vauclair
12:40 Lunch
14:10 Telematics road pricing: building a secure and privacy-respecting solution, Michaël Peeters
15:00 Coffee break
15:20 PUFs, Helena Handschuh
16:10 E-voting, Danny De Cock
17:00 End of day 4

Practical Details

June 14 - 17th 2011, Heverlee, Belgium - KU Leuven
Auditorium “De Tweede Hoofdwet”, Thermotechnisch Instituut, Kasteelpark 41 - 3001 Heverlee
Registration and more information : visit https://www.cosic.esat.kuleuven.be/course

Full registration fee, part 1 + part 2 :  2000 €
Academic fee, part 1 + part 2 :  1000 €
Full-time student fee, part 1 + part 2 :  700 €
Full registration fee, part 2 :  1200 €
Academic fee, part 2 :  700 €
Full-time student fee, part 2 :  400 €

This fee included the books “Security Engineering” (2nd edition), by Ross Anderson and “Modern Cryptography : Theory and Practice”, by Wenbo Mao

Registration before May 14th, early bird reduction of 10%

LSEC Members and partners receive an additional discount of 15% (on top of early bird reduction if registered before May 14th). Mention LSEC during registration.

Security Innovation Network EIC Pre Conference Activity

10-May-2011

Identity Management STIG at the Pre-Conference EIC Munich, Germany – May 10th

The EIC is one of the leading conferences in the field of Identity Management, reaching out yearly to all expert leaders in the domain throughout Europe. Typically attended by industry players, but also by end consumers and government officials, it gathered over 550 delegates from all over the world in 2010. In-depth discussions, new announcements and the IDM award are standard components. It is organized as a yearly event by leading European market analyst firm Kuppinger Cole, focused on EIC and Cloud Computing.

Download the STIG brief document with all relevant information and contacts.

Participate in the development of European Electronic Identity & Identity Management Expertise

The Security Innovation Network has been set up to facilitate the collaboration and working relationships between companies and experts in different areas of security in the UK, France, Belgium and Germany but is open to participation from other countries. In a series of interactive workshops, security experts will be challenged with current and future potential threats. Finally, there will be a focus on a converging landscape (physical vs electronic) and cross state borders.
You will be heard as experts about the future developments of electronic Identities, Identity & Access Management and related topics, in the domain of information security and physical security. Your guidance can help the physical security industry to better understand evolutions and requirements from the logical space.

Security Innovation Network Security Thematic Interest Group

This year, the European Security Innovation network has been invited to organize a session in the Pre-Conference activities, for a European Security Innovation Network STIG, on Tuesday May 10th from 9 until 1 PM.
It’s a unique environment to bring in both expert industry leaders and our SME communities who are involved in Electronic Identities, Access Management, Authentication, Identity Management, or Cloud Computing Products and Services.

For the Tuesday morning STIG activity, we propose the following :
1. introduction by LSEC, Ulrich Seldeslachts as partner responsible for the WP Security of Information Systems, setting the scene, expectations
2. challenges in IDM in 2011, previewing the EIC
3. Elevator pitches part 1 : 10 minute company presentations, challenges, partner interests
4. Keynote by Kim Cameron, Microsoft (tbc)
5. Top Research Activities in IDM and related: a collection and call for participation
6. Elevator pitches part 2 : 10 minute company presentations, challenges, partner interests
7. Workshop : Defining future challenges
a. User-centric, federated, Identity Service Providers: will the winner take all?
b. Identity theft, is it a challenge?
c. Beyond the consulting? What’s in it for the vendors?
d. Mobile IDM
e. Open topic
8. Identify opportunities for Research Activities, International and Local Calls for Tenders and Research Projects, Identify some key Innovative developments in IDM

Practical Details

This event is intended for European SMEs in the domain of Electronic Identities and Identity and Access Management, being product development companies (authentication, services, systems integration, consulting, ... ), system integrators or consultants. It is also accessible to larger organizations and associations from Europe and beyond in these domains.

Additional benefits apply for SIGNATURE partners, or companies related to the SIGNATURE partners, to participate in the full conference.

Please apply for registration and await confirmation.
Visit the Security Innovation Network pre-EIC activity (http://eicstig.eventbrite.com) page at Eventbrite.
The pre-conference activity by LSEC and the Security Innovation Network is free of charge.
Registration and confirmation are required and will be checked upon entrance.

For more information, please download the STIG brief, or contact us directly.

Infosecurity Belgium 2011

23-Mar-2011

Tradeshow, Seminars, Networking, ....

Infosecurity 2011 will offer a great way to explore the latest trends in information security, discuss with various experts, and learn from peers and experts during the seminar sessions.

LSEC Theatre - Best of LSEC 2010

On Thursday January 24th, LSEC will be hosting a number of interesting talks that were highly appreciated by the attendees of these seminars during 2010.
As a best of show, you’ll be getting a good flavour of the current challenges and opportunities, presented by some of the best speakers and experts.

You are welcome to join any of these sessions during the show. It is probably best to sign up via the Infosecurity.be registration system, or to show up during the show.

10.15 – 10.45 : Securing SAP & ERP Environment : Wouter Janssen, Axl & Trax
11.00 – 11.40 : Security in Industrial Automation : Wim Tindemans, Egemin
12.00 – 12.40 : Federated Identity Management : Marc Vanmaele, SecurIT
13.00 – 13.40 : SIEM: A Critical Component of Information Risk Management: Dimension Data, Stefaan Hinderyckx
14.00 – 14.40 : Straight from the Anti-Malware Labs: Attack’s technical evolution and sophistication, Toralv Dirro, McAfee
15.00 – 15.40 : Internet Security Threats in 2011 : Vincent Vanbiervliet, Sophos
16.00 – 16.40 : Six Lessons Learned for Effective Information Security Management, Ward Duchamp, Vinti-Q

Other interesting presentations facilitated by LSEC :

Infosecurity Trends in 2010, by Bart Preneel, Chairman LSEC and Head of COSIC, KU Leuven



Wireless Security Challenges by Dave Singhelee, Researcher KU Leuven



The evolution of Identity Management by Tim Dunn, CA Technologies


Practical Details

Infosecurity 2011 took place March 23 - 24, 2011, at Expo Brussel
More information, please visit: http://www.infosecurity.be

EEMA eID Interoperability Conference

16-Mar-2011

The European eID Interoperability Conference
“Bridging the Identity Divide”
March 16-17 2011, Leuven, Belgium
Hosted by Verizon

Introduction

The last year has seen some dramatic industry developments and innovations; however, there are many issues that have still not been resolved. Now in its 6th year, this annual conference will address these and many other issues. Organised by EEMA, this conference acts as a neutral forum where industry, business and administrations can address specific areas of importance in the digital identity arena. It also facilitates the exchange of ideas amongst delegates who want to learn and build upon their knowledge in a relaxed, constructive environment. As one of the pioneers of Identity cards in Europe, Belgium is again the ideal venue for the European eID Interoperability Conference.
The conference will explore how the interoperability of European Identity is evolving in practice and the implications for governments, businesses and the citizen today.

The Conference

Building on the success of our five previous European e-ID Interoperability Conferences, this two day meeting will include:
• Presentations by visionaries and experts who will discuss the vision of eID for both government and industry; including Dr Aniyan Varghese from DG INFSO, eGovernment, European Commission, talking about EU initiatives to facilitate cross-border services.
• Technical debates on the latest solutions available and how to implement them
• A choice of discussions on topics such as eID Legal and Privacy Issues, federated identity; eID in the Cloud; and standards and enforcement
• And don’t forget the networking!

In addition, delegates will hear case studies from experts who have first hand experience of implementing eID solutions, and understand the challenges and pitfalls.
This is a hands-on conference and all delegates will be encouraged to participate fully, so come and join the debate! If your remit has anything to do with eID, this is a perfect opportunity to expand your knowledge, network with peers and experts, and to take back to your organisation new knowledge and ideas that will be of real practical benefit.

Program Outline

For more information and registration, please visit : www.eema.org website.

10:00 Opening Plenary
- Welcome and Introduction, Roger Dean, EEMA
- Welcome and Perspective of Business eID Application Challenges, Peter Tippett, Verizon
- Latest European Union initiatives to facilitate the provision of cross border public services – a European Large Scale bridging action on eIDM, Aniyan Varghese, European Commission
- The SSEDIC Thematic Network, Daniela Merella, Nestor
- User Managed Access (UMA) - a Kantara Initiative, Cordny Nederkoom, Immune-IT Testprofessionals
- Managing Multiple Identities, Slawomir Gorniak, ENISA
- TBC, Ashley Evans, Verizon Business

14:00 The Business Benefits of National eID Cards and Cross-Border Applications (Chairman: Frank Leyman, FedICT)
- Bridging STORK and ECAS European eID Interoperability for 350+ EC Information Systems, Frédéric Poels, European Commission
- So What’s Different About the UK, Mark King, EADS/Cassidian
- Practical Examples of Integrating eID into Web Applications, Frank Cornelis, FeDICT
- The new German eID card and the European Dimension, Volker Reible, T-Systems International

16:30 The Business Benefits of eID Schemes Provided by Private Industry in a Global Economy (Chairman: Paul Donfried, Verizon)
- Using a Global Validation Service for Interoperable Efficiency, Jon Shamah, NETS eSecurity
- TBC . . .

Day 2 - Thursday 17 March 2011

09:00 Federated Identity (Chairman: Stein Welberg, Everett)
- Catalyzing an Identity Verification Marketplace, Matthew Gardiner, CA Inc
- Stitching Federations Together Across Sectors, Borders and Technologies Drives Business Forward, David Simonsen, WAYF.DK
- Identity Federation Technologies: what standards are dominating, Heiko Roßnagel, Fraunhofer Institute for Industrial Engineering

09:00 eID Legal and Privacy Issues (Chairman: Jos Dumortier, time.lex)
- Data Protection Challenges in Cross Border Exchange of Private Data, Charles Bastos Rodriguez, Atos Origin
- Purpose-oriented and Policy-driven Federation of Credential, Margarete Donovang-Kuhlisch, IBM Deutschland GmbH
- Information Sharing with User Managed Access/user Centric Web-resource Management System, Mohammad Alam, Fraunhofer SIT

11:00 eID in the Cloud (Chairman: . . .)
- Establishing Federation Relationships Using International Trust Frameworks, Don Thibeau, Verizon
- DigIdentity Innovation in Dutch eID Landscape, Elisabeth de Leeuw, Siemens IT Solutions and Services
- User Authentication On-site and in the Cloud, Anit Wohl, SafeNet Inc

11:00 Current and Emerging eID Standards (Chairman: . . .)
- On Secure Cross-border SOA Based e/mgovernment Systems, Dr Milan Marković, Mathematical Institute SANU, Belgrade
- Using eID Documents with Standard Smartcard Middleware, Marco Smeja, Cryptovision
- Certificate-based Mobile Authentication and Security, Bruno Quint, CORISECIO GmbH

13:30 User Experiences and Future Perspective (Chairman: . . .)
- Large Scale Electronic Identity Deployment and Use: issues and limits, Liboor Neumann, ANECT a.s.
- Lessons Learned from a High-trust Consumer Identity Initiative in the Dutch Insurance Industry, Bob Hulsebosch, Novay
- A Vision of Next Generation Directory Ideas, speaker tbc

SSEDIC Side Activity

In addition to the Interoperability conference there are SSEDIC meetings taking place on 15 March - see http://www.eid-ssedic.eu for more information - and on Thursday 17 March in the afternoon after the conference closes, there is a STORK industry meeting.
To register for the SSEDIC meetings please visit http://www.eema.org.
Both SSEDIC and STORK meetings are at the same venue as the conference, open to all and are free of charge.

Practical Details

The conference fee is just €250 for EEMA members and €450 for non-members, and there is a substantial discount of 25% if you register and pay by February 25th; so if you have not already registered, visit the website today (http://www.eema.org) for further details, the full agenda and to register.
Leuven, Ubicenter - Verizon

European e-Identity Management Conference

08-Jun-2011

8-9 June 2011 – Tallinn, Estonia
The European City of Culture 2011

The European e-Identity Management Conference is Europe’s leading forum for this critical security application, tackling the key issues surrounding identity as a core enabler of today’s personal, business and government processes.

Organised by EEMA and this year hosted by the Estonian Ministry of Economic Affairs and Communications, this truly international forum provides a unique and rare opportunity for identity experts and security professionals to network with their peers and share knowledge through keynotes, panel discussions, case studies, roundtables & workshops.
Registration is Now Open!
Obtain your special early booking rate by securing your place today.

Visit http://www.eema.org/eidentityeurope for more information, registration and more detailed program.

4th International Conference Computers, Privacy & Data Protection

27-Jan-2011

European Data Protection : in good health?

For the full program and registration, please visit : http://www.cpdpconferences.org/

On Thursday January 27th, LSEC organizes a day on data privacy and data protection. Part of the CPDP 2011 Conference, this day will focus on the implications and practical experiences of data protection in Belgium and Europe.

During that day, the discussions will focus somewhat more on the practical implementation of the various applicable legislations, and on the challenges companies, organizations and government face in applying them. The perspective will also widen: beyond compliance with data protection regulations, there is the aspect of protecting data (including private information) from intended or unintended misuse. During these sessions, we will also look at some of the potential ways to deal with regulations from an operational perspective, presenting some methodologies, solutions and technologies as well as their current challenges.
Finally the day will close with some views and discussions on how to practically deal with upcoming legislations, data leakage challenges and policy requirements by means of some innovative approaches, processes and technologies.

About the CPDP Conference

CPDP 2011 - Computers, Privacy and Data Protection is a three-day conference organised by academics from all over Europe, which has the ambition of becoming Europe’s most important forum for academics, practitioners, policymakers and activists.
CPDP 2011 is a place where these people can meet, exchange ideas and discuss emerging issues of information technology, privacy, data protection and law.
CPDP has grown steadily over the last 4 years. It has the most ambitious agenda so far with 12 panels, a pre-conference, a philosophical reading panel and a PhD-evening. In addition the 2011 edition includes 2 one-day events on ‘eHealth’ and surveillance and law enforcement, and a round table on body scanners. In total more than 150 speakers will contribute.
The conference takes place the same week as the 4th annual European Privacy Day (Friday 28th January 2011), which will see the organisation of a series of events around Brussels with the participation of the Vrije Universiteit Brussel. Furthermore CPDP is organising a range of side-events, which involve members of the CPDP Scientific Committee. Pecha Kucha Evening, Film screening of ‘Erasing David’, Privacy Party, Political debates will be the social events around CPDP 2011.
CPDP is organised by the Vrije Universiteit Brussel, the Université de Namur, the Universiteit van Tilburg, the Institut National de Recherche en Informatique et en Automatique and the Fraunhofer Institut für System und Innovationsforschung.

Practical Details

Business Track Data Protection and Privacy, Thursday January 27th, 2011.
Part of the CPDP Conference 2011
Computers, Privacy & Data Protection 2011 conference - European Data Protection : In Good Health ?
25, 26 and 27 January 2010 in Les Halles de Schaerbeek in Brussels, Belgium

For more information and registration please surf to: http://www.cpdpconferences.org/ or contact cpdpconference at lsec.be or download the program guide for the full conference.

Preliminary Program January 27th Business Track

8.45 AM – 9.00 AM Introduction by Paul de Hert Vrije Universiteit Brussel and Tilburg University (BE & NL) & Ulrich Seldeslachts, CEO LSEC (BE)

9.00 AM – 10.00 AM Overview of the European and local legislative maze impacting organizations, businesses and government on data protection & privacy
15 minute presentations & panel discussion Speakers :
- Paul de Hert (BE)
- Hans Graux from Time.lex (BE)

10.00 What do data protection officers and privacy officers have to deal with in 2011?
15 minute presentations & panel discussion
- Philippe Renaudière, Data Protection Officer from the European Commission (BE)
- Erik Luysterborg, EMEA Lead Partner Data Protection & Privacy Services (BE)

11.00 AM – 11.15 AM Coffee Break

11.15 AM – 12.15 AM Joint Session : Panel 9 Revision of the EU Data Protection Directive : The State of The Art

12.25 AM – 1.00 PM
Building a Data Protection and Privacy Model for Private and Public Cloud-Based Infrastructures John Sabo, CISSP, Director from CA Technologies, Global Government Relations (US)

Cloud computing and the many infrastructures which will use cloud computing services, such as networked electronic health systems, smart grid, social networks, federated identity management systems, transformational government and the Internet of Things, are accompanied by novel data protection and privacy risks, presenting both policy and technical challenges. This presentation will discuss activity underway to assess data protection and privacy issues that can become barriers to cloud computing deployments, with focus on an important cloud computing research effort undertaken by the World Economic Forum. It will also describe the work of the new Privacy Management Reference Model (PMRM) Technical Committee in the OASIS standards organization and provide an overview of how this proposed new standard can help both policymakers and technical specialists develop lifecycle privacy requirements and architect extended lifecycle, privacy-compliant systems.

1.00 PM – 2.00 PM Lunch

2.00 PM – 3.00 PM What are we trying to protect? Part 1 40 minute presentations and panel discussion
- Matthijs Van Der Wel from Verizon Business (NL) : an inside view on the 2010 Data Breach Investigations Report
- Joash Herbrink, Websense (NL)
- John Sabo from CA Technologies (US)

3.00 PM – 3.30 PM Coffee Break

3.30 PM - 5.00 PM What are
What are data protection technologies, and how can they help with data loss prevention, privacy, data retention and suspected incidents?
Taking as examples data monitoring platforms, DLP solutions, identity management solutions and proxies: how can they be of assistance when used properly? What is the future of data protection technologies and how do they relate to privacy? Is there a use for privacy enhancing technologies?
15 minute presentations and panel discussion
- Gauthier Van Daele, Sophos (BE)
- Brendan Rizzo, from McAfee – Intel (UK)
- Claudia Diaz from KU Leuven University (ES)

5.15 PM – 5.30 PM

Concluding notes

Ulrich Seldeslachts, CEO of LSEC (BE)

This program has been organized by the CPDP and the European Security Innovation Network (SIGNATURE), a European project aimed at increasing competitiveness in the North West European market, supported by the EU INTERREG IVb program. This project supports innovative developments, facilitates R&D and facilitates trust amongst private companies in the regions. It consists of the following organizations, bringing together over 1350 companies in the region: LSEC (BE), SITC (UK), Systematic Paris Region (FR) and TeleTrust (DE). http://www.securityinnovationnetwork.com





Security Management 2010

25-Oct-2010

In 2008, LSEC organized a seminar on Information Security Management Standards and their impact on, and interest for, organizations interested in applying them. Two years later, we would like to understand the current level of expertise, typical organizational structure, challenges, facilities and interests of organizations, both enterprise and government, in managing information security.

Security Management Seminar 2010

The aim for this seminar was not only to understand the current market situation, by means of best practices and real cases; but also in an attempt to find sufficient expertise to demonstrate the level of professionalism in this domain, and to present to companies and people challenged with the day to day operations a further guidance to professionalize their activities.

By means of presentations on IT and Information Security Management, a panel with respective CSO-CISO-CIO explaining their professional experiences, presentations on best practice guides and standards, cases and discussions, we wanted to gather an indication of the situation in Belgium.
Simultaneously, we are planning an industry-wide survey on the current market situation in Belgium on the responsibilities of Security within organizations.

This seminar “Security Management in 2010 – A Day On Security Management” offered the opportunity to listen to expert presentations, participate in panel discussions, share your expertise with peers, or any other type of witness, … during ,

Some of the following topics have been highlighted:
- Information Security Management, a good practice
- Information and IT Security, part of Risk Management, Information Management, Security Management, or an expert practice
- Panel discussion with CIOs, CISOs and CSOs : the search for the white rabbit
- The CISO/IT Security Manager in Belgium and abroad
- The typical Information Security Organization
- A budgetary approach to Security Management
- Good Cop – Bad Cop : Security Manager – Audit & Controller : who’s who
- In- or Out? Should IT & Information Security Management
- Theory & Practice : Risk-IT, ISO27000, …
- …


Final Program


9.00 : Welcome & Registration

9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

10.00 :  Six lessons learned for effective security management, by Ward Duchamps - Vinti-Q
A collection of best practices from more than 10 years experience in the field on security management, collected in 45 minutes.

Or visit : http://sixlessons.vinti-q.com/

Abstract : Despite all standardization efforts, Information Security Management remains - just like any other management discipline - a subjective matter. In this presentation Ward will reflect on some lessons learned that he collected during 10 years of field experience. Starting from “the art of getting things done through people”, this session puts business, people, standards and daily operations in a cohesive perspective that may inspire security practitioners to think about their management approach.

About : Ward is cofounder of VintiQ, a new company of senior security consultants that specialize in convincing the C-suite and business leaders to think positively about the risks related to information processing. With his in-depth specialist knowledge combined with management capabilities and business insight he enabled several blue chip companies to manage information security in an effective and efficient manner. Ward is certified as CISM, CISSP, CISA, CGEIT and ISO27001 Lead Auditor. He holds a Master in Engineering and is in the process of obtaining the degree of MSc Information Security at the Royal Holloway University of London.

11.00 : Risk-IT and COBIT in practice, by Dirk Steuperaert - IT In Balance

Abstract: Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues. Risk IT is a framework based on a set of guiding principles for effective management of IT risk. The framework complements COBIT, a comprehensive framework for the governance and control of business-driven, IT-based solutions and services.

While COBIT provides a set of controls to mitigate IT risk, Risk IT provides a framework for enterprises to identify, govern and manage IT risk. Simply put, COBIT provides the means of risk management; Risk IT provides the ends. Enterprises who have adopted (or are planning to adopt) COBIT as their IT governance framework can use Risk IT to enhance risk management.

Being one of the authors of both COBIT and Risk-IT, Dirk was also part of the Development Team of the “Risk IT Practitioner Guide”, a 135-page guide published in 2009 covering Risk Universe, Appetite and Tolerance; Risk Awareness, Communication and Reporting; Expressing and Describing Risk, Risk Scenarios; Risk Responses and Prioritisation; Using COBIT® and Val IT™.

With all of this background and his personal experience both as an auditor and in guiding companies in their efforts to implement COBIT and Risk IT, Dirk is a unique expert in Belgium.

About : Dirk is Managing Director of IT In Balance BVBA, delivering consulting services on IT Governance issues, focussing on COBIT and related frameworks, and including COBIT related training.
Dirk used to be a steering committee member for COBIT within ISACA, the association for the development, adoption and use of globally accepted industry-leading knowledge and practices for information systems. He provided consulting support to ISACA as project manager of the development team for the new Risk IT framework and is currently performing a similar role for the new COBIT® 5.0 research initiative. Since 1997, Dirk has been active within PricewaterhouseCoopers (PwC), as a Director responsible for IT governance services. Earlier, Dirk worked with ING and SWIFT, as engineer and IT auditor. Dirk studied Electronics Engineering at the University of Ghent and obtained a master's in Computer Auditing at the Management School of the Antwerp University.

12.00 : Sandwich Lunch, snacks soft drinks & Coffee

13.00 : Security Management, a challenging metier?, by Olaf Jonkers, Belgacom ICT - Telindus

Abstract : Security Management is without a doubt a challenging “métier”, where different areas of conflict come together. In different market segments, the challenges seem to be different from a business point of view, whereas the IT-service implications often boil down to quite similar issues and solutions. From their longstanding IT-Service outsourcing contracts Belgacom provides insights on these issues, and how contractual obligations are enforced throughout an IT-Service catalogue and towards subcontractors. For this presentation, Security Managers from these contracts provided their insights, issues and solutions in order to manage security across an ICT Services Catalogue, and a complex delivery organisation

About : Olaf has been active in the field of Information and ICT Security for over 12 years. His roots lie within the field of PKI and cryptography, but his knowledge also covers network-specific as well as system-based security technology and tools. The processes governing the management of information security, including risk assessment methods, have been his focus in more recent years at Belgacom ICT, where he worked as a business consultant, focussing on ICT / information Security.

14.00 : Information Security Governance in Practice, by Peter Houtmeyers - Consultant, TITANS Consulting

Abstract: Peter will be focusing on using the ISO 27000 family of standards to guide us through ways of governing Information Security in practice. From the various drivers to the choice of a good standard, understanding the changing shift in Information Security and by showing some concrete case examples on how to get to real implementations. He will walk us through the different steps of assessment, choice, implementation, certification up until audit, a practical guide for future Information Security Management practitioners.

About : Peter is a highly qualified senior level Information Security and Security Governance expert holding various certifications, including CISSP, CISA, CISM, CGEIT and ISO 27001 Lead Auditor. After his career as an information security specialist at a leading inter-banking and financial telecommunications company, Peter joined a distinguished security consultancy company as a senior security advisor, where he gained a considerable amount of experience in Incident Response Management, Compliance Auditing, Information Security Policy Implementation and the development and implementation of Corporate Security Governance frameworks. As an Information Security Advisor Peter was active as an advisor and consultant in the Information Security Governance practice, mainly delivering professional services for governmental, military, financial companies and automotive institutions on Information Security Management related projects. With a bachelor’s degree in informatics, Peter applies a structured and methodological approach in combination with clear and direct communication to deliver pragmatic high-quality results in line with client expectations. Peter lectures at various business schools and institutions in Belgium such as UAMS, Solvay Brussels School of Economics and Management and ISACA. In his spare time, Peter is a basketball enthusiast, and loves books related to IT and security. Prior to joining Branswijck, Peter had worked with ACROSS Technology as Principal Consultant, at Belgacom ICT - Telindus as Senior Consultant Information Security and as Senior Security Advisor with Uniskill. Prior to that, Peter was Security Administrator at SWIFT.

15.00 : Coffee Break

15.30 : Practical Experiences with implementing Security Management, Pierre Dewez, Devoteam

About : Married and happy father of four children, active in the field of information technologies for 13 years and member of the executive board of directors within Devoteam Belgium for global security and education related matters, Pierre has been Lead Auditor for management systems (quality, information security, IT service management and business continuity) and advisor in IT risk management for many financial, insurance or service delivery companies in Belgium and abroad (Germany, France, Luxembourg, Netherlands, Canada). Member of the Belgian federation of the technological enterprises (Agoria) and the JTC1/SC27 sub-committee, Pierre takes part as an international ITSMS, ISMS and risk management expert while contributing to the elaboration of recommendations intended to improve the contents and the relevance of these international standards (ISO 20000, ISO 27001, BS 25999, ...) towards the market. Trainer and author of various articles and operational support tools relating to information security audit and IT service management, Pierre collaborates with other international trainers on the continuous improvement of the course contents, audit activities and seminars associated with these practices around Europe and Canada.

16.15 : Panel discussion : the role of the Security Manager, CISO and CSO in 2010

17.00 : Closing Notes

17.30 : Reception & Networking

18.30 : Special Evening activity : The future of internet networks and security by Nir Zuk, CTO Palo Alto Networks

20.30 : Close of Seminar

Practical Details

Monday, October 25th 2010.

Day Seminar, from 9 am onwards, with closing special event from 17.30h onwards.
SAP Lounge, Vilvoorde
Participation : free to attend, if registered prior to October 20th. Afterwards : 150 € (excl vat) participation fee or cancellation fee. Free to attend for LSEC, VICTOR, EEMA, AGORIA, ISACA, ISSA, TeleTrusT, Systematic & SITC Members.


An evening with Nir Zuk


25-Oct-2010

On Monday October 25th, LSEC in collaboration with Telenet C-Cure and Palo Alto Networks offer a special encounter with Nir Zuk, CTO of Palo Alto Networks.

Nir Zuk, founder and CTO of internet security start-up Palo Alto Networks, brings a wealth of network security expertise and industry experience to Palo Alto Networks. Prior to co-founding Palo Alto Networks, Nir was CTO at NetScreen Technologies, which was acquired by Juniper Networks in 2004. Prior to NetScreen, Nir was co-founder and CTO at OneSecure, a pioneer in intrusion prevention and detection appliances. Nir was also a principal engineer at Check Point Software Technologies and was one of the developers of stateful inspection technology.

Somewhat controversial

Not afraid of being somewhat controversial, an evening with Nir Zuk promises to be quite an experience. Nir is capable of seeing new challenges and brings new ideas around the table that

Passionate about technology, Nir started already at the age of 16 writing computer viruses ...
That led him to be recruited by a special unit for the military in Israel, his country of origin, specifically looking for whiz kids like him. After serving five years, he studied Mathematics at university and was recruited by Check Point in ‘94, developing the first stateful inspection firewall.

In ‘97 Nir moved to the US, continuing his career with Check Point Software and later starting Palo Alto Networks.

We have asked Nir to enlighten us about his views on the future of the internet, more specifically the challenges it brings in terms of security for companies, countries and people all together. Do current “solutions” to internet security really bring anything to the table, or are they just a patch on an ever-growing cancer of threats in the cyber world? Is there a way beyond firewalls and antivirus, and what can be done against zero-day, or customized and targeted attacks?

Practical details

An evening with Nir Zuk, founder and CTO of Palo Alto Networks
Monday, October 25th in the SAP Lounge, Vilvoorde.

Registration from 17.30h onwards.
You can also participate during the LSEC Security Management Seminar that day. Please visit and register at http://www.lsec.be/index.php/whats_happening/event/security_management_2010/

An LSEC - Telenet C-Cure event in collaboration with Palo Alto Networks.

To register, go to http://nirzuk.eventbrite.com


Total Security Day by LAN News & LSEC


21-Oct-2010

Together with our partner LAN News, we’re happy to invite you to the LSEC - LAN News Total Security Day, next Thursday, 21st of October 2010, at the ‘Golflife Center’ in Sterrebeek, near Brussels Airport.

A view on a variety of network security vendors and an insight into managing their products by means of SIEM tools.
With the diversity of appliance vendors lined up, we are looking forward to an interesting perspective on the development of requirements for secure networks.

Program Outline

Explore the latest threats and vulnerabilities and discover potential solutions with the different appliance manufacturers. Get an in depth view of the practical implementation of SIEM tools from the leading experts Dimension Data.

09.00 Hr Registration and welcome
09.30 Hr Barracuda Networks: Barracuda WAF and NG Firewall - efficient Protection and Compliance. Joeri Van Hoof
10.00 Hr SonicWall: How Application Intelligence and Control enables network security in the wake of Web 2.0, Cloud Computing and Mobility. Luc Eeckelaert, Country Manager Benelux
11.00 Hr Trend-Micro: Virtualisation security & VDI Unleash your endpoints - Virtualisation Security without losing your freedom. Philippe Michiels.
11.30 Hr Array Networks: Secure, On-demand and High Performance Access. Featuring Secure Remote Access; Site-to-Site Access; Wireless LAN Security and Universal & Secure Access Policies. Simon McNally - Senior Sales Engineer, Array Networks EMEA. Presented by MMS-Secure.

12.00 Hr Thai Lunch

13.00 13.30 Hr Fortinet: Security as Simple as 1,2,3; Get Control, Get Optimized & Keep it Simple. Reduce the risk of human mistakes by virtualizing, consolidating and simplifying the ever more complex security infrastructures and management
14.20 Hr Dimension Data: SIEM: A Critical Component of Information Risk Management. Stefaan Hinderyckx, Security Director, Europe
14.50 Hr Cisco Systems: Email and Web Security with Cisco IronPort. Jeroen Arends, System Engineer, IronPort Benelux
15.20 Hr A10 Networks: Changing the economics of application delivery. Hugo Prooij, Benelux Product Manager. Proposed by Exclusive Networks
15.50 Hr AEP Networks : The Battle for the Cloud. Rudolf Schucha, Communication Security Consultant
16.20 Hr End of Program and casual drink.

Practical Details & Registration

Total Security Day by LAN News, supported by LSEC
Thursday, 21st of October 2010 from 9.30h onwards, ‘Golflife Center’ Sterrebeek, near Brussels Airport
For more information and registration, please visit http://www.lannews.be/totalsecurity2010


SRC 2010 - Security Research Conference ‘10

22-Sep-2010

The annual Security Research Conference (SRC) is a meeting place for security research, technology development and innovation stakeholders in Europe. It is also an important discussion forum for shaping the European security research agenda.
SRC’10 is part of the actions undertaken in the FP7 European Security Research Programme, aiming at the development of knowledge and new technologies to improve the security of European citizens while enforcing the competitiveness of Europe’s economy. Therefore, SRC’10 aims at facilitating the dialogue between research and innovation actors, policy makers and end-users.

Supported by the European Security Innovation Network

SRC’10 is attended by approximately 1000 security professionals, government institutions and researchers from all over the world.
Supported by the European Security Innovation Network, LSEC, Systematic Paris Region, SITC and TeleTrusT will actively participate in this year’s SRC and further facilitate the development of commercial and research projects amongst their Members, with enterprises and governments.

SRC’10 will showcase the importance of security research for citizens in view of the research agenda beyond FP7 and the 2020 perspective. Leading experts will give their view on the consequences and opportunities for security research following the Lisbon Treaty and facing new global security challenges. Special attention will be given to presentations of successful FP7 projects in the diverse security fields, involving in particular users and SMEs. A brokerage event and an exhibition will facilitate networking between companies, scientific experts, operators and policy makers from Member States, Associated States and Third Countries.

To give the 5th edition of SRC a dynamic flavour, it is intended to organize live demonstrations in the fields of cargo security and crisis management, illustrating the multidisciplinary approach that is needed to resolve security issues.

SRC’10 is an event of the Belgian EU Presidency, organised with the support of the European Commission’s DG Enterprise, the Belgian Science Policy Office, the Federal Ministry of Mobility and Transport, the department of Economy, Science and Innovation of the Flemish Government and the public service of Wallonia.

Visitors to the SRC 2010 of the associations LSEC, Systematic, SITC, TeleTrusT or affiliated partners such as ECSA, ISACA, INTERREG and the EC are invited to the special networking event on September 23rd from 5.30pm and onwards. Request your entrance voucher at the European Security Innovation booth during the conference.

Register here for the European Security Innovation Network Brokerage Event on Thursday September 23rd from 17.30h onwards in Oostende at the Royal Promenade (restaurant Savarin), close to the conference venue. You can also pick up your Personal Invitation at the LSEC - Security Innovation Network Booth during the conference.

Program Overview

September 22nd Afternoon :
* Belgian Minister for Science Policy
* VP EC Commissioner Industry & Entrepreneurship
* Where do we stand with Security Research
* Maritime, Standardisation, CBRN

September 23rd :
* The continuum of internal and external security after Lisbon
* Security as a prerequisite for Prosperity
* Cybersecurity, Transport Security
* Critical Infrastructure, Social Dimension & Ethics,
* The view of Stakeholders
* Horizon 2020

Friday September 24th :
* European Security Research Programme
* Brokerage Events
* Increasing Security of Citizen, Infrastructures and Utilities, Intelligent Surveillance, Crisis
* Interconnectivity, Society, Research Coordination

Registration and More Information on SRC 2010

For practical details, the full program overview and registration for SRC 2010, please visit the SRC 2010 website.

The Future Internet & Network (Security) Architecture

10-Sep-2010

On September 10, LSEC organized a one day seminar on “The Future Internet & Network (Security) Architecture”.
Network Security is still one of the major components of any IT Security environment, and in most cases the most hardware intensive.

Over the last 20 years, the ways that people do business and communicate have changed dramatically. Managing information flows has become a challenge in itself, and ensuring that you remain in control of your information is an even greater challenge. At the same time those evolutions have brought a great deal of opportunities, not least in the world of information security. During this seminar, we want to take a look into the future: what are the upcoming infrastructural changes ahead and how can we cope with them from a strategic perspective, to manage them properly and be ahead of the curve when it comes to securing them.

The topics we want to address during this seminar include, but are not limited to:

- What are the new network evolutions ahead of us both mobile & fixed : IPv6, Ethernet, NGMN, service and content aware architectures, …
- What are the challenges of these new architectures in terms of security and risk management
- Are there differences in management (in house / outsourced), …
- What about virtualization (virtual appliances, cloud services and architectures, …)
- What about Trusted Computing in the Future Internet Architectures
- …

This day is scheduled to take place in Leuven, Kasteelpark Arenberg from 12 until 7 pm, with drinks, lunch and networking facilities included.

Final Program

12.00h : Welcome & Registration - Sandwich Lunch & Networking

13.00h : Introduction by Ulrich Seldeslachts, CEO of LSEC

13.10h : The Future of Borderless Network Security by Michel Kelkeneers, Cisco Technical Solutions Architect

Abstract : “Borderless Networks”, does this term signify a new network architecture built for new cloud computing requirements or is it just a new label for today’s LANs, WANs, and public network infrastructure? While market cynicism is certainly understandable, borderless networks isn’t a Madison Avenue creation; rather, this trend is extremely important and already well underway. It involves the current evolving use of the Internet such as the heavy use of rich internet content and video, mobile users and devices and consumerization of IT. According to analyst ESG: current security defenses are a mismatch for borderless network security requirements; borderless network security demands an architectural approach; borderless network security architecture demands strong leadership and an industry cooperation effort; and the borderless network architecture will evolve in phases.

14.00h : The Next Step : Application Aware Firewalling, by Stijn Rommens, Palo Alto Networks

Abstract: For most enterprises Network Security has become a sprawl of solutions and appliances. Stitching all of these technologies together whilst maintaining a uniform security policy across all of them has become impossible. Many trade-offs need to be made, be it less security, less throughput or higher latency. A consistent view on what applications and possible threat vectors exist on your network is based on estimations or on very expensive and complex correlation solutions. Complexity is not the only issue; cost might be an even bigger concern. Different vendors, different contracts, different licenses and all on a different cycle… Today you have a choice to have one simple policy and control tool that can effectively implement an abstract policy like ‘Marketing people should have access to Facebook all day long with a guaranteed bandwidth and via a preferred Internet connection whilst other people can have read-only access to Facebook at lunch time, only via the Cable or DSL connection.’

About : Stijn Rommens has over 10 years of experience in designing, teaching and maintaining Network Security solutions. Stijn has taken the path of the field, through support and education to pre-sales. Over the last 6 years, Stijn held the position of Systems Engineer at ISS, now part of IBM, Juniper Networks and today Palo Alto Networks. The common thread through his career is the evolution of network security. The result of that journey till today is his dedication to the Next Generation Network Security solutions.

14.45h :  Secure network provisioning on demand, providing secured Community of Interest based virtual networks based on the user (or his role) that logs on… , by Luc Leysen - Unisys

Abstract: Most network managers dream of reducing the complexity of their network infrastructure and the associated management effort, while having to cope with fading network frontiers. Be it the consolidation of secret, confidential and restricted networks on a single carrier or a flexible response to ever changing demands to adapt the networks ad hoc to the business requirements while increasing the security level, a community of interest based approach can today bring that dream to reality. Community of interest virtual networks can be provisioned based on the identity and the role of a user and remove most of the need to reconfigure the physical network.

About : Luc Leysen has over 18 years of experience in designing and managing Information Technology and Security solutions. He is an expert in the area of building Information Security Architectures.
Prior to joining Unisys, Luc held architect and management positions in both the Belgian Armed Forces and the private sector. Within the Armed Forces he designed and managed networks and systems in a high security environment and represented his nation in international working groups related to intelligence coalition networks. In the private sector he assumed the roles of information risk manager and later security architect. In the past 8 years he has been working as Security Expert within Unisys driving Security Business Development and delivery in Europe with a focus on Identity & Access management.

15.30h : Coffee Break & Networking

16.00h : How will our future networks and infrastructures be affected by malware? 80% spam and a zillion botnets?, by Patrik Runald, Senior Manager, Security Research, Websense Security Labs

What is the expected evolution of malware and “internet threats” in the future? Even more common attacks and increase in complexity of customized zero-day attacks? Or will we be able to defeat the bad guys in time?

Real time (content) security, not just a luxury, but a necessity.
- Why real time security beats traditional solutions.
- What is real time security according to Websense.
- Websense Triton, simplifying management, closing the point solution gap.
- True hybrid security solutions, cloud based scaling and knowledge, with on-premises power.

About : Patrik Runald is a Senior Manager, Security Research at Websense Security Labs and has worked in the IT security field since 1995. Before joining Websense in 2009, Patrik did extensive research in the antivirus field and he was part of the team that made the world wake up to the Conficker threat in 2008. He heads up the US Websense Security Labs, the team within Websense that ensures that our 45 million customers are protected against all types of web- and email-based threats.

16.45h :  Is there a place for a UTM in this new world? by Malay Upadhyay, Cyberoam Senior Security Consultant

Abstract : Globalization, convergence, virtualization, mobile/wireless-based web devices, social networking and Web 2.0/Web 3.0 are some of the future trends that will take the online world by storm.

As a result, an organization’s network security architecture (NSA) will have to be reengineered to address newer forms of Internet threats.

The following topics will be covered during this session:

- Current Security Scenario
  - Security Timeline from past till now
  - Limitations of Existing Security
- Future Security Trends
  - Scalable and Extensible Security Architecture
  - Role of Application Layer Control
  - Cloud Computing Challenges
  - Mobile Malware
  - Social Networking
  - And many more
- Desired Elements in Security Architecture

About : Working as a Sr. Presales Security Consultant in the Cyberoam International Presales team, Malay Upadhyay provides on-site and online technical support related to network deployments/installations, defining security loopholes and overriding them. He also conducts USP/webinars on various Cyberoam products (Cyberoam UTM, Cyberoam EPDP, Cyberoam I-View, Cyberoam SSL VPN, Cyberoam central console) and technological presentations for distributors/partners/resellers.
After his Bachelor in Computer Science in India followed by a Master in Internetworking in Sydney, Malay has gained 3 years of experience in Network Security, Routing & Switching, including hands-on experience with UTM (Firewall, VPN, Anti virus, Anti Spam, Multi link manager, Load balance & failover), various routers, switches & Security tools. He has been working as part of the International team handling Europe, Middle East & Africa. Malay also has experience in ethical hacking, Security Analysis and Internetworking.

17.30h : Secure DNS and the future secure network infrastructures by Jan Janssens, Managing Partner Sensirius

18.00h : Closing Panel & Notes, Networking Reception

19.00h : Close of Event

Thanks for attending.

ECrypt II - European Cryptography Day


08-Sep-2010

The goal of the European Cryptography Day is to present the main research achievements of ECRYPT II over the last year. The program is complemented with some invited talks on topics related to the ECRYPT II research. It is an event aiming at ECRYPT II partners, associate members as well as anyone interested in information security and cryptology.

Program Outline

9.30-9.35 Welcome
> Bart Preneel (KULeuven)
9.35-10.00 Introductory Talk by Head of Sector, Trust and Security European Commission, DG Information Society and Media
> Dirk Van Rooy (European Commission)
10.00 Overview sessions different research domains
10.00-10.20 SYMLAB* overview talk; The Symmetric Techniques Virtual Lab
> Vincent Rijmen (KULeuven)
10.20-10.40 MAYA* overview talk; The Multi-party and Asymmetric Algorithms Virtual Lab
> Phong Nguyen (ENS)
10.40-11.00 VAMPIRE* overview talk; The Secure and Efficient Implementations Virtual Lab
> Tanja Lange (TU/eindhoven) and Christof Paar (RUBochum)
11.00-11.30—Coffee
11.30-12.05 SYMLAB Focus Talk; Algorithmic tools in cryptanalysis
> Antoine Joux (Université de Versailles)
12.05-12.40 MAYA Focus Talk; Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes
> Nigel Smart (University of Bristol) and Frederik Vercauteren (KULeuven)
12.40-14.00—Lunch
14.00-14.35 VAMPIRE Focus Talk; Attacking Elliptic Curve Challenges with Diverse Emerging High-Performance Computing Platforms
> Tanja Lange (TU/eindhoven)
14.35 Invited Talks
14.35-15.10 Invited Talk 1; Bringing open audit elections into practice
> Olivier Pereira (Université catholique de Louvain)
15.10-15.30—Coffee Break
15.30-16.05 Invited Talk 2; The SHA-3 competition; status report
> John Kelsey (NIST)
16.05-16.40 Invited Talk 3; Physical Attacks
> Mathias Wagner (NXP)
16.40-17.15 Invited Talk 4; Hardware Intrinsic Security
> Pim Tuyls (Intrinsic-ID)
17.15-18.00 ECRYPT II General Assembly Meeting
19.00 Dinner

* Virtual Labs
SYMLAB= The Symmetric Techniques Virtual Lab
MAYA= The Multi-party and Asymmetric Algorithms Virtual Lab
VAMPIRE= The Secure and Efficient Implementations Virtual Lab

Practical Details

European Cryptography Day
8 September 2010, Auditorium Zeger Van Hee (De Valk) in Leuven city centre

For more information and registration, please visit: https://www.cosic.esat.kuleuven.be/ecrypt/courses/openevent10/program.shtml


ERP & SAP Security in 2010

07-Sep-2010

As one of the leading business applications in the world, an SAP system is typically a complex environment that serves many business processes and supports a variety of business decisions. It is typically integrated with many other applications and tightly integrated with application servers and networks. Like any similar type of environment, these applications are challenging from an Information Security perspective.
During this seminar, we want to focus on the general Information Security challenges with SAP, but also with some of the particular issues typically found with companies that work with SAP environments.
Some of our experts will be able to show and share some of their experiences, from and with customer environments.

Besides, we will also zoom into some of the typical business challenges such as GRC, Identity Management, R/3 Security, Single Sign On, Compliancy issues and Web Application Security, next to typical policy challenges such as Segregation of Duties, Access Management and ICT and Business Audit and Controls.

Some of the topics that will be addressed during this seminar :
- R/3 Security, BW Security, Enterprise Portal, CUA,
- Single Sign On,
- SOX/ SoD,
- OSS,
- HR Security
- Other SAP Apps
- GRC setup
- Identity Management
- Integration with other systems such as MS or Oracle databases and other applications
- Challenges for integration due to mergers or de-mergers
- …

Read the Datanews article on the seminar (in Dutch).

Download the CA SAP Security White Paper CA Technologies Improving SAP Security CA Identity 2010.pdf

Preliminary Program

9.00 : Registration & Welcome Coffee

9.45 : Introduction & Opening Notes

10.00 : Experiences Securing business information in SAP and managing user access risk effectively: Facing today’s challenges and adopting security standards with good practices, by Wouter Janssen, Axl-Trax

Abstract : Organizations deploying SAP solutions to facilitate their business rely heavily upon the correct processing, manipulation and reporting on business-critical information. Due to the integrated nature of mySAP ERP as well as the interconnectivity and interaction between different components in the information architecture, risk is the keyword that must be properly addressed.
The challenge of securing SAP implementations is not new and dates back to the early 90s, when the ERP component R/3 became available. Many organizations have grown a good practice in securing what is important to them; others have learned the hard way. Business drivers, threats and risk appetite have shifted in recent years, and during this presentation the trends and good practices in managing user access risks effectively will be discussed.

About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges.
He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

10.50 : Vulnerabilities of SAP systems : history and trends, by Fred van den Langenburg (ERP Security) and Joris van de Vis

Abstract : A modern SAP system built on the Netweaver architecture may employ several different software components located on different servers and is connected to the Internet. This means that a SAP Netweaver system has many more possible entry points or attack vectors than the older R/3 systems, which were not connected to the Internet. Modern SAP systems based on Netweaver are more vulnerable and prone to attacks than their R/3 predecessors.
During this presentation we will learn about the evolution of the potential threat vectors in SAP-systems, in order to get a better understanding on how we might learn from history to avoid similar mistakes in the future.

About : Fred van de Langenberg has been working as a freelance SAP technical consultant for the past 13 years for various multi-nationals including Heineken, Shell, Ericsson and Philips. His experience also includes working for IT companies such as Atos Origin, IBM and currently T-Systems. Over the years he has acquired in-depth knowledge of SAP systems through hands-on experience. In addition to being an all-round SAP Basis consultant, he is also a certified ABAP programmer. The introduction of the SAP Netweaver platform brought new challenges in the field of security which triggered his interest in SAP platform security.

About : Joris van de Vis has been working in many technical roles. Next to developing and working as a Netweaver Technical consultant his special interest goes out to the SAP Security domain. He helps customers securing their business by hardening their SAP platform. He is also a SAP vulnerability researcher. Over the past 10 years he has been working for large fortune-500 companies like Philips and Heineken and he helped several governmental departments with implementing SAP Security related solutions.

11.40 : Coffee Break & Networking

12.10 : Building an enterprise-wide GRC solution with the SAP environment at the core, by Chris Van den Abbeele, Atos Origin

Abstract :
Organizations today are looking for ways to leverage their investments in SAP by extending their SAP policies to other non-SAP systems.
This session presents how to extend the reach of SAP Access Control, SAP Process Control and SAP Risk Management to build an enterprise-wide GRC solution that includes non-SAP applications.

In particular, this session covers a solution which spans SAP and non-SAP applications, that enforces Role-Based Access Control, alerts in near-real-time if access to enterprise systems violates business policies, shows how roles granted in SAP can be easily mapped to non-SAP systems, and how roles granted in non-SAP systems can be mapped back into SAP, while respecting the defined constraints like Separation of Duties and business approvals.

All too often, we see enterprises take a siloed approach to solve tactical issues. When new compliance regulations, e.g. PCI, arise, a new project is put into place to solve that specific need.

At TechEd on October 13, 2009, SAP and Novell announced the expansion of their global partnership to include the delivery of integrated governance, risk, and compliance solutions. As a dedicated integration partner of both SAP and Novell, Atos Origin is in a privileged position to turn this vision into a working ensemble.

The modular approach presented in this session shows how to drive towards a consistent, sustainable enterprise-wide GRC strategy that reduces risk, lowers costs and provides improved business performance.

About : Chris Van Den Abbeele is Solution Manager for Identity and Security solutions at Atos Origin. He is responsible for defining and managing the Identity and Access Management offering at Atos Origin Belgium. Chris has over ten years of experience in designing Identity and Access Management solutions. He has a clear view on the technology, the market and the players. Prior to joining Atos Origin, Chris worked as a Technology Specialist at Novell for about ten years.

13.00 : Walking lunch & Networking

13.45 : Keynote Address : Achieving comprehensive Security for SAP in a Heterogeneous Environment with CA and SAP, Phil Allen, Director Security Practice EMEA, CA Technologies

Abstract : CA and SAP have been long-term partners. This talk will explore how you can achieve comprehensive and effective security for SAP environments that are implemented in a heterogeneous environment.

14.35 : SAP GRC-AC implementation: challenges encountered at customer implementation, by Melissa Dielman, Deloitte Enterprise Risk Services

Abstract : Segregation of Duties conflicts are an ongoing issue in audit reports, particularly in the context of SoX (Section 404) or similar legislation worldwide. SAP’s response consists of the GRC application suite “Access Control (5.3)”. A proper implementation should ensure that typical application-level fraud scenarios are identified and controlled.

Access control over key information assets and SoD compliance are among the most effective safeguards against fraud and mistakes, and a prerequisite for compliance to various regulations. SAP GRC Access Control consists of 4 modules, each with specific functionality to maximize this level of control. In our presentation, we will highlight the functionalities of the components and more important, the way they can efficiently interact together.

Where technically, AC projects contain few challenges, we know the great pitfalls lie elsewhere. The most difficult part of each implementation is the proper alignment of functionality with the enterprise’s (GRC) maturity level. Implementing a GRC application suite is not just implementing another tool, it is implementing a new culture; requiring a lot of input, effort and cooperation from the entire business.
Our best practice implementation consists of a phased approach. The goal is gradually evolving from a focus on getting clean, to remaining in control of the situation and staying clean. We will list the different phases to go through in order to simultaneously prepare business, IT and audit stakeholders for the ownership of a Risk controlled environment. We will also clarify the need for a diverse implementation team to ensure a successful implementation.
Summarizing, in this session, we (Deloitte ERS) will elaborate on our strategy of implementing a suitable customized instance of SAP GRC Access Control. We will include various lessons learned from past implementations, focusing on the different challenges encountered and analysing the root causes of both successful and failing implementation projects.

About : Melissa is Senior Manager at Deloitte-ERS in the Security & Data Privacy department. She is responsible for the SAP Security service offerings & teamlead. Over the years Melissa has built a solid expertise in SAP authorization management & GRC, having participated in and led projects of different sizes in Belgium and Europe. Her education, interests and working experience allow her to get a combined view on all components of the SAP Security management, from business processes, risk & control to technical implementation perspective.

15.15 : Coffee Break

15.45 : SoX/ SoD or GRC setup, by Paul Albertini, Manager, KPMG

Abstract : Understand and resolve the insecurities with your ERP system. Understand the basic security threats and see a live demo of how insecure some systems can be. Learn how to protect against your vulnerabilities and find some solutions that can help protect you further in the future.

About : Paul is a manager in the Antwerp practice of KPMG Advisory. He is specialized in advisory services in the fields of ERP Advisory. Over the last years Paul was involved in several SOD projects. For these engagements he assisted clients in their strategy, building the business case and performing project management activities as well as developing security policies and procedures. Paul is also a member of the Information System and Control Association (ISACA) and a certified information system auditor (CISA). Other main certifications that he obtained in his career can be summarized as follows: SAP Solution Architect and Prince2.

16.35 : Aligning access rights in SAP R3 & BW through a uniform authorization concept, by Pieter Lenaerts, Deloitte Enterprise Risk Services

Abstract : Companies have been investing in increased security restriction, monitoring & ownership in their daily transaction systems due to the increased attention to Good Governance in the Data & Fraud protection area, and the growing legislative requirements (SOX, Basel II,..). To enable this drive, a SAP R3 environment offers one of the most flexible and therefore complex authorization mechanisms on the market. SAP BW adds to this complexity with an additional security layer controlling access to data.

SAP BW, being mainly a reporting tool, is easily overlooked as a key information provider on business sensitive data, financial results & HR information. As a consequence, SAP BW security is often perceived to be less sensitive, while it is imperative that the access rights between SAP R3 and SAP BW are aligned across the different authorization environments.

This presentation intends to give a broad audience, from BW project management via BW developers to R3 authorization specialists, a conceptual overview of the main role design strategies made possible by the new BW authorization mechanisms to secure access to data, and compare these strategies in the long – operational – run. It will show some of the do’s and don’ts based on hands on experience aligning authorizations for R3, BW and SAP Portal. To ensure your BW concept works for your business we will highlight the different stakeholders and their role in this process.

About : Pieter is Senior Consultant at Deloitte-ERS in the Security & Data Privacy department. Starting as IT auditor, Pieter has expanded and increased his knowledge on SAP security & GRC to become a true expert in this area. He has conducted projects on SAP security within R3, BI & CRM and specializes in automation of SAP authorizations maintenance.

17.00 : ABAP backdoors and compliance killers, by Andreas Wiegenstein, Managing Director & CTO Virtualforge

Abstract : Based upon the experience of having reviewed many SAP / ABAP applications, Andreas will present an overview of some of the most common and some of the more interesting security issues, be they real threats, leaks or backdoor channels, arising simply from missing or incorrect authority checks, bypass mechanisms and others.

About : Andreas Wiegenstein has been working as a professional SAP security consultant for 8 years. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. Andreas has spoken at SAP TechEd on security on several occasions and is co-author of the first book on ABAP security (SAP Press 2009).

17.50 : Panel Discussion

18.30 : Closing Notes, Reception & Networking

19.00 : Close of Event

Practical Details

Auditorium Kasteel, Kasteelpark Arenberg, 3001 Heverlee
Tuesday, September 7th, 2010
Day Seminar : from 10 AM until 6 PM
Free to register for enterprises and industry. Non-SAP customers, systems integrators and consultants (without operational SAP-systems) will be invoiced 150 € (ex VAT) participation fee.

Thanks to Eventbrite for supporting our Registrations

Global Security Week 2010


07-Sep-2010

The yearly Global Security Week, the second week of September, is already taking place for the third time in Belgium. A busy week full of activities, great speakers, a lot of interested attendees and excellent discussions on topics such as Security Management, Security for systems such as SAP and the future Network Architectures, or an update on Cybercrime and how to avoid becoming a victim of it.

Register now to one or more of these activities, and revitalise your summer holiday spirit into the challenges of managing security.

• 07.09.2010 : SAP & Security, Governance Risk & Compliance with SAP
• 08.09.2010 : ECrypt II - European Cryptography Day
• 10.09.2010 : The Future Network (Security) Infrastructures
• 14.09.2010 : Security Management 2010

Looking forward to meeting you there.


ISSE 2010

05-Oct-2010

Berlin, 20 May 2010 - In 2010, the ISSE (Information Security Solutions Europe) is again organized by TeleTrusT in co-operation with eema (Independent European e-Identity & Security Association), and ENISA (European Network and Information Security Agency). ISSE 2010 is held as a combined event with the GI-"Security 2010".

Since its founding, it has been the approach of the ISSE to promote development and dissemination of trusted computing concepts and of information and communication security in Europe. International experts from industry, research and politics exchange ideas in an interdisciplinary dialogue on technical, organizational and legal aspects of information security. The ISSE has a firm place in calendars of important IT security conferences since 1999.

TeleTrusT Germany is responsible for the ISSE program committee and, along with its partners, for the ambitious conference program.

More than 100 submissions have been received for ISSE 2010 so far. The program offers 54 lecture slots and another six slots in German Workshops organized by TeleTrusT. A total of 70 speakers is expected, including five keynote addresses. The following keynote speakers are invited:

- Thomas de Maizière, Federal Minister of the Interior, Germany
- Neelie Kroes, Vice President of the European Commission and European Digital Agenda Commissioner
- Scott Charney, Corporate Vice President of Trustworthy Computing, Microsoft, USA
- Michael Hange, President, Federal Office for Information Security, Germany
- Udo Helmbrecht, Executive Director, European Network and Information Security Agency (ENISA).

The GI-"Security" comes up with 36 presentations.

Preliminary Program

With special emphasis placed on case studies and innovative and robust security solutions implemented by European organisations, the event will focus on key security topics such as:
• Identity and Access Management
e-Identification, Biometrics, Smart Tokens, e-ID-Cards, e-Passports, RFID-Solutions, Infrastructure Solutions
• Security Management and Economics of Security
Risk Mitigation, Compliance and Governance
• Data Security
Security of Data in the Cloud, Data Leakage Protection, Enterprise Rights Management, Forensics, Security related Services
• Privacy and Data Protection in Cyberspace
Privacy and Data Protection Issues in Web 2.0 and Cloud Environments/Social Networks/Search Engines, Application of Privacy enhancing Technologies, Support of Transparency/Customer Awareness and legal Obligations, Concepts for Security Breach Notification
• Network and Mobile Security
Network-level Security Devices, Interconnectivity Devices, Protocols and Trends, Intrusion Prevention, Network Infrastructures, Management of Mobile Devices
• Hackers and Threats
Awareness Raising, Social Engineering, Protection against Mail and Web Attacks, Vulnerability Assessment, Penetration Testing
• Technical Solutions
Mobile & Wireless Security, Embedded Systems, Operating Systems, Virtualization, Endpoint Security Capabilities, Web Services Security
• e-Government – Governance and Policy
Emerging Regulations, Legislations, national Security, Law Enforcement, Government Procurement
• Enterprise Security Services
Authentication, Authorisation and Accounting, Governance, Risk and Compliance
• Emerging Applications
Object Rights – Management, Service oriented Security, Security enabled Technologies, e-Voting, IPv6
• Future of Security Aspects and Technologies
European IT-Security Projects, Open Source Software & Security, Ubiquitous Computing, Emerging Crypto Developments, Trusted Computing
• Critical Infrastructure Protection and physical Security
CERT/CSIRT – European and Global Developments, Resilience of Networks and Services, surveillance techniques and analytics
• Cybercrime and Forensics, Fraud Detection & Prevention

Download the Preliminary Program.

TeleTrusT awards the “TeleTrusT Innovation Award” on the occasion of the ISSE. This annual award is given to applicants that have developed an innovative and trustworthy information technology, software or online service for use in industry, government or research. An international Jury will propose the winner using the following criteria:
- Is the security level of the application appropriate?
- Are the security functions an integrated part of the application?
- Are the built-in security functions transparent to the user and fit for use?
- Is the application interoperable, ideally with European reach?
- Does the application contribute to economic stability (e.g. of the company)?

Practical Details and Registration

All details and registration are available at http://www.isse.eu.com/

This year, the ISSE/GI-SICHERHEIT conference and exhibition will be held at the Maritim Hotel in Berlin, Germany.
Venue Address:

Maritim Hotel Berlin
Stauffenbergstraße 26
10785 Berlin
Tel: +49 (0) 30 2065-0
website: http://www.maritim.de/de/hotels/deutschland/hotel-berlin/lage-anfahrt

It runs from October 5th until October 7th.

Knowledge Day on Information Security at Municipal Administrations and OCMWs

25-Jun-2010


On 25 June, V-ICT-OR, in cooperation with KHMechelen, is organizing a Knowledge Day on Information Security at municipal administrations and OCMWs (public social welfare centres). The day takes place at ‘t Arsenaal in Mechelen from 9:00 to 13:00.

Registration: http://www.v-ict-or.be/content/shoptit_forms/record.php?ID=147&EVENT=331

The keynote speaker on the program is Luc Beirens, Head of the Federal Computer Crime Unit (FCCU), who will talk about the methods of present-day computer criminals who pose a threat to the security of government computer networks and to e-government. Drawing on police practice, Mr Beirens will answer questions including the following: Where are the risks in cyberspace located? Are we currently sufficiently protected against cyber attacks? How can we arm ourselves against the looming dangers?

After that, 2 parallel tracks are organized, one focusing on the technical side of information security at local administrations and the other on the well-considered shaping of IT policy. The questions addressed include the following:

• Technology
  • How easily is your administration's network hacked?
  • What are the security risks of SSL-VPN connections for working from home?
• Policy
  • How can OCMWs and municipalities develop a joint security policy?

The other topics to be covered on 25 June will follow shortly.

Price:

V-ICT-OR members & sponsors can participate for 35 euro.

Non-members of V-ICT-OR who work in a government organization can participate for 50 euro.

Non-members of V-ICT-OR who work in private companies can participate for 100 euro.

Managing Identities in 2010

17-Jun-2010

Dealing with Identity Fraud and Identities in today’s society is an increasingly difficult challenge. We have a personal identity, but typically many electronic identities.
User names, passwords, a variety of tokens and appliances are a challenge to us on personal basis. But for a company, an organization or a government department that has to manage many user accounts and citizen identities, it could even be worse. Passwords get forgotten, an administrator has too many privileges, electronic identities get abused and data integrity is lost.
Managing identities in 2010 has become a real challenge. The reality of Identity Management in 2010 is that most companies are still trying to understand why Identity Management should be important to them, which types of challenges effective Identity and Access Management can help resolve, and how it fits within their organization. Companies that did embrace the concept of Identity Management, for reasons of Single Sign On, reduction of the cost of IT support, more efficient use of resources, segregation of duties, or working transparently but securely with a variety of partners and organizations, should today be looking into the real-world potential of Federated Identity Management, the challenges of Privacy, and the opportunity to expand the functionalities and integrations of identities consisting of many attributes and functions, or to expand into cloud systems. Technologies have matured and are specializing in specific services; Service Providers and System Integrators have further professionalized and deepened their expertise. Enterprises and government institutions are constantly increasing the ease of access and availability of systems to a wider range of users, thus reducing their own operational costs and empowering their business lines, while still being in control of the activities and facilitating audits.

Read the following review in Uri’s blog : Private IDs – or – Time, space, and Leuven.

Final Program

Subjects for discussion :
- Back to the basics : why identity management is relevant to today’s business and government environments, cases, examples, best practices
- The business reasoning for Identity Management : cost reduction, managing controls, facilitating activities, ease of access and use
- The cost of a single project vs company wide deployment
- IDM, the new e-business?
- Governance of identity management projects : learning from experience
- Best practices
- Examples of federated identities
- Challenges towards the future : privacy, dealing with multiple functions, going towards attribute management
- The Sun behind the Cloud
- …

9.15 : Registration & Welcome Coffee
9.45 : Introduction & Opening Notes, by Ulrich Seldeslachts, CEO LSEC

10.00 : Experiences in managing Identities, in Belgium and abroad. The current status of Identity Management, by Wouter Janssen, Axl-Trax

About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges.
He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

Abstract :  Identity Management?; The identity management business case; The current status of identity management; Managing expectations; Challenges ahead; Lessons learned; Reflections

10.45 :  Shifts in identity management introduced by the cloud and virtualization, by Dave Vijzelman - Principal Security Consultant, CA Technologies

About : Dave Vijzelman has worked in several large heterogeneous environments and has extensive experience in designing and implementing architectural RBAC solutions. His focus is primarily on RBAC strategies and role mining. Besides this, he also has wide knowledge of the technical approach to identity and access management (IAM) strategies. Previously he was a Senior Information Security Consultant at Ascure, where he was responsible for the architectural approach of analyzing and designing RBAC strategies for clients. Before this, he was an RBAC Consultant at BHOLD Company. Today, Dave is Principal Security Consultant with CA Technologies, supporting large associations in their Identity Management challenges.

His variety of experience has been proven in a number of business and industry sectors. In Switzerland, he designed and implemented an RBAC strategic tool for audit and control for a large insurance company in Basel. For a banking company in The Netherlands, he also successfully implemented an RBAC tool used primarily to audit an Active Directory environment.

Abstract : The Cloud has multiple perspectives, each of which influences how security is managed. Your organization might consume Cloud-based applications and services, might provide Cloud-based applications and services, or even provide aspects of security from the Cloud to others. Organizations should not dismiss any of these roles out-of-hand, even if at first glance they seem different from past practices. The emergence of the Cloud might re-jigger existing markets as well as open-up new market opportunities. This session will focus on CA’s security management product strategies and how we enable all three of these modes of Cloud security, both now and with an eye towards the future.

11.20 : Coffee Break & Networking

11.40 : Identity Management in Practice – The case of a large Hospital in Flanders by Jeff Verhulst, Traxion

Customer Case: Identity Management @ AZ Sint-Lucas Gent, by Jeff Verhulst - Project Manager, Traxion

Abstract : Identity Management in practice, Identity Management in Health Care, Customer Case: AZ Sint-Lucas Gent

Presentation outline:

Customer Case: Identity Management @ AZ Sint-Lucas Gent

- Identity Management in practice
- Traxion in practice
- Identity Management in Health Care
- Customer Case: AZ Sint-Lucas Gent
- Conclusions
- Questions

About : Jeff is currently project manager and IAM Consultant at Traxion. Previously he was IAM Solution Engineer at ACA IT-Solutions and ICT Engineer at Contineo. He did his master thesis at Janssen Pharmaceutica and was educated at the Katholieke Hogeschool Kempen and Katholieke Universiteit Leuven. At Traxion, Jeff has moved towards business consultancy and is currently responsible for project management, functional and technical analysis.

12.15 : Federated Identities in Practice – The case of a large corporate company , by Marc Vanmaele, SecurIT

Abstract : Federated Identity Management has come of age: if not between dispersed organisations, for sure within large enterprises as a means to overcome difficult Identity Management challenges. The presentation will illustrate multiple use cases, including the Belgacom case and POCs realised to demonstrate the integration of Microsoft SharePoint servers at ING and the Flemish government.

About : Marc Vanmaele is the Founder and Managing Director of SecurIT, located in the Benelux and specialised in Identity and Access Management since 1999. In addition to its System Integrators role, the company sells its own software products, such as its innovative TrustBuilder® Identity data Services solution, on a worldwide basis in close cooperation with a network of partners in many countries. More info on http://www.securit.biz. Marc has over 30 years of experience in ICT with large organisations. He is a recognized authority in this field and renowned speaker at conferences over the past years.

12.50 : Walking lunch & Networking

13.45 : Keynote : The basics of an Identity and the Challenge of managing identities in the future, by Kim Cameron, Microsoft

About : Kim Cameron is the Chief Architect of Identity in the Identity and Security Division at Microsoft, where he champions the emergence of a privacy enhancing Identity Metasystem reaching across technologies, industries, vendors, continents and cultures.

Kim plays a leading role in the evolution of Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft’s other Identity Metasystem products.

He joined Microsoft in 1999 when it bought the ZOOMIT Corporation.  As VP of Technology at ZOOMIT, he had invented metadirectory technology and built the first shipping product. Before that he led ZOOMIT’s development team in producing a range of SMTP, X.400, X.500, and PKI products.

Kim is a Microsoft Distinguished Engineer.  He grew up in Canada, attending King’s College at Dalhousie University and l’Université de Montréal.  He serves on RISEPTIS, a high-level European Union advisory body providing vision and guidance on policy and research challenges in the field of security and trust in the Information Society.  He has won a number of industry awards, including Digital Identity World’s Innovation Award (2005), Network Computing’s Top 25 Technology Drivers Award (1996) and MVP (Most Valuable Player) Award (2005), Network World’s 50 Most Powerful People in Networking (2005), Microsoft’s Trustworthy Computing Privacy Award (2007) and Silicon.com’s Agenda Setters 2007.

Kim blogs at identityblog.com, where he published the Laws of Identity.

14.40 : Why does a standard matter for Identity Management and how to apply them in an integrated world, by Marcel Rizcallah, Western Europe Security Strategy & Business Development, Oracle Consulting

About : Marcel Rizcallah is currently responsible for the Western Europe IDM & Security Service Line at Oracle Consulting. He is also heading the Security Practices in France and Switzerland.
He is in charge of defining the Security Sales Strategy and Business development for the Western Europe region, including packaging the consulting offerings and methodologies, training the sales representatives, launching the go-to-market initiatives, liaising with Product management and working closely with License Sales representatives to sell the Security products (Identity management products and security database options).
He is also a thought leader in IDM & Security and has participated in various events in Europe (Assises de la Securité in France, IDC and Gartner events, etc.).
Prior to Oracle, Marcel was the head of Technology at Valoris, a leading European Consulting and System Integrator in BIW, CRM and Internet technologies, for 12 years (including 2 years in London). He was responsible for business development and consulting on e-Commerce, Portal and Content Management, SOA/BPM, and Identity & Access Management. Before Valoris, Marcel was the CTO of Telino, an X400 messaging and EDI software company, and was responsible for Product Management and R&D for 7 years.
Marcel is the author of a book on LDAP directories in French (Annuaires LDAP - Eyrolles 2004), which was also translated into English (LDAP directories - John Wiley & Sons Ltd 2003).

15.20 : Panel Discussion

15.40 : Coffee Break

16.15 : Federation is surrounded by a cloud of uncertainty… (Point of View on real-life Federation Services) by Jan Vanhaecht, Deloitte Enterprise Risk Services

About : Jan joined Deloitte in June 2008 and has since been active in the Enterprise Risk Services/Security and Privacy group. There, he acts as a leading Identity and Access Management Architect. He is involved in major national and international projects. In addition to these projects, he actively researches the possibilities of commercial IAM platforms and the integration of these platforms with major software components (ERP systems, Document Management Systems, …).
Amongst other projects, Jan is the lead architect of the awarded project “Identity Management at the Flemish Government” (Gebruikersbeheer bij de Vlaamse Overheid). This project allows the Flemish Government to make applications available to partners (local government, education institutes, economic actors, …) in both a secure and fast way. In addition to his experience in the public sector, Jan is also active in the private sector (especially financial services) as a trusted IAM expert.
Jan is regarded as a very senior expert in the fields of Identity Provisioning, Access Control Management, Role Management, Federated Identity/Access Management, IAM-GRC integration, ...

Abstract : Federation is surrounded by a cloud of uncertainty… although federation standards have been around for many years. Technically, federation projects face little or no challenges. But effective, large-scale federation projects are still hard to find.
During this keynote, Jan Vanhaecht will discuss conflicting interests and problems he faced during actual projects. Based on his field experience, Jan will analyze the root causes of both successful and failing federation projects. From his Enterprise Risk Services background, he will focus on different levels of problems: technical implementation, information exchange and business-level “trust” issues, and how these issues were handled in a number of real-life projects.

17.00 : Identity Management integration in practice - Prevent fraudulent access to IT assets, by Dominique LAIGLE - Senior Security Consultant, Bull

About : Dominique LAIGLE is Senior Security Consultant at Bull, in charge of recommendations and design of complex secure IT architecture.

Abstract: In most companies and organizations, ICT system and application administrators have access to technical accounts, and they administer systems and applications through those accounts rather than through their personal IT accounts. This is not compliant with recommendations, nor is it in line with the security policies of most companies and organisations. Following an internal audit, a large financial organisation asked Bull to put in place an infrastructure that will prevent access to technical accounts while allowing auditors to track unauthenticated access to systems and application resources. Moreover, the infrastructure had to support a completely heterogeneous environment consisting of different UNIX platforms and several applications (like DB2, BEA, Oracle, MQ-Series, Swift…). The technical infrastructure in scope of this project is based on MIT Kerberos and OpenLDAP, while logging and auditing rely on OSSEC. This infrastructure furthermore offers Single Sign On. The project is split into 3 phases:
• The proof of concept which aims at building, testing and, evaluating the technical infrastructure
• The pilot whose objective is to deploy the technical infrastructure on several hardware platforms, assess impacts on applications and evaluate the deployment process
• The final deployment, to be carried out on more than a thousand servers.

17.35 : Closing Notes & Reception & Networking

19.00 : Close of Seminar

Practical Details

Managing Identities in 2010 & Federated Identities Seminar
Thursday June 17th, Leuven
Auditorium “De Tweede Hoofdwet”, Kasteelpark Arenberg, KU Leuven, Heverlee

Free to participate upon prior registration

A non-cancellation fee of 150 € will be charged upon non-attendance and non-cancellation at least 24 hours prior to the event, by sending an email to identities2010 at lsec.be and getting confirmation of your cancellation.

Thanks for participating.

The war against cybercrime

28-May-2010

BT Benelux and Skybox Security are pleased to invite you to an exclusive session featuring Bruce Schneier, one of the world’s leading experts on information security and Chief Security Technology Officer of BT.
In addition to his keynote presentation, Bruce Schneier will participate in a panel session about Cyberwarfare with security experts Jo Basselier (Euroclear), Noël Van den Driessche (KBC), Didier Verstichel (SWIFT) and Glyn Finan (Lloyds Bank). The discussion will be moderated by Richard Cross, Corporate Risk Manager at TOYOTA Motor Europe.
Glyn Finan (Security Solution Architect, Lloyds Bank) will share with us the eSecurity challenges that his company faced during the Lloyds-HBOS merger.
Justin Coker (VP - EMEA, Skybox Security) will share his view on “How to predict and prevent cyber attacks”.
This seminar will take place in the BT office in Diegem, from 09 to 13 hrs, and includes a networking lunch offered by our cosponsor Skybox Security.
We hope you will be able to join us at this exceptional occasion.

Agenda :
08.45 – 09.15 : Registration
09.15 – 09.25 : Introduction
Edwin Hageman, board member BT Benelux
09.25 – 10.00 : (Cyber)security
Bruce Schneier, Chief Security Technology Officer of BT
10.00 – 10.30 : eSecurity challenges during the Lloyds-HBOS merger
Glyn Finan, Security Solution Architect, Lloyds Banking Group
10.30 – 10.45 : Risk modelling and simulation, a behind the scenes look at how to prevent cyber attacks
Justin Coker, VP EMEA, Skybox Security
10.45 – 11.00 : Coffee break
11.00 – 12.00 : Expert Panel discussion: Cyber-war: The missing ‘Peace’ or the next Great Distraction?
Bruce Schneier, Chief Security Technology Officer of BT
Glyn Finan, Security Solution Architect, Lloyds Banking Group
Jo Basselier, Head of IT Security Management, Euroclear
Noël Van den Driessche, Head of Information Risk Management, KBC
Didier Verstichel, Director, Enterprise Security & Architecture, SWIFT
Moderator: Richard Cross, Corporate Risk Manager, TOYOTA Motor Europe
12.00 – 13.00 : Walking lunch

Practical details :
- registration was on a first-come, first-served basis,
- only accessible upon confirmation by BT Belgium of your attendance
- the event is now complete, no more registrations can be accepted
- should you be hindered in attending, please inform us at waragainstcybercrime at lsec.be as soon as possible,

Thanks for your understanding

NATO Information Assurance Symposium 2010

28-Sep-2010

The 2010 Information Assurance Symposium (NIAS) will be held September 28th–30th, 2010 at SHAPE Headquarters, Mons, Belgium. The 2009 event was a resounding success with over 800 delegates and 50 exhibitors participating in the recently held event. The 2010 NIAS is poised to be even bigger and better with increased attendance and enhanced and exciting exhibitor opportunities.

NATO INFORMATION ASSURANCE SYMPOSIUM 2010

The NATO IA Symposium is an annual event between senior NATO IA Staff, NATO nations IA leaders and leading Industry IA providers to develop industry best practice solutions for NATO use. The NATO IA Symposium will bring together more than 800 NATO and Industry delegates to discuss innovative ways of meeting NATO’s IA requirements.

NIAS is the biggest IA event in the NATO calendar and this year the event promises to be bigger than ever.

This year the theme of the symposium will be:

Solving the challenges of delivering Information Assurance in a federated world

NATO is a coalition. It relies on federated IA services to provide a secure environment for today’s operations. The resolution to the challenges of the delivery of capability and effect through federated systems presents itself as a powerful theme for this year’s symposium.

Symposium highlights

Senior NATO and industry keynote briefings
Commercial vendor stands showcasing innovative IA Products
IA conference dinner sponsored by industry representation
Static displays from the 1st NATO Signal Battalion (1NSB)
Workshops covering the following areas:
• Cryptography
• Identity management
• Cyber Defense
• Cross domain working
• IA product acquisition
IA Golf Tournament (invite only)

Identity Fraud

27-May-2010

As part of Belgium’s presidency of the EU, this coming 27th and 28th May, the Directorate-General Institutions & Population of the Belgian FPS Interior is holding an international symposium over two half-days in Brussels and devoted to identity management and identity fraud. In parallel, there will also be the presentation of the results of a site survey into the creation, registration and use of identity, conducted as part of a pilot project in eight European countries.

This is undoubtedly a large-scale event that will consist of a programme of internationally renowned presentations, combined with extensive periods for discussion and exchanging information.
A large audience of some 1500 attendees is expected over the 2 days of the symposium, made up as follows:

Target audience :
Belgian and foreign municipalities
Police services
The world of business
Social security
Febelfin
Representatives from the prison services
Organisations representing the homeless
Law and order
Members of the European Commission
Federations and representatives of notaries, bailiffs, lawyers, etc.

Topics and objectives
The topics for this symposium include identity as a whole, the identity card, its uses, misuses and optimisation in terms of security.

The main aim of the symposium, based on the site survey conducted in 8 countries, is to launch a European project in which identity fraud can be tackled as a Europe-wide focus of interest.

This pilot project needs to be extended to all 27 EU countries. The resolution is to create a platform to bring about this enlargement.

Biometric passports and driving licences will also be topics broached during the 2 half-days.

Program Outline Day 1 - May 27th

13.00 Visitor registration, coffee and visit to the exhibitors

14.00 Identity fraud next door, by the Minister of the Interior (t.b.v.)

14.10 Identity fraud in the financial world in our country Michel Vermaerke (Febelfin)

14.25 Identity fraud in the financial world in Europe Pascale-Marie Brien (French Banking Federation)

14.40 Identity fraud in cyberspace Luc Beirens (FCCU – Federale Politie)

15.00 How to prevent fraudulent access to IT assets Bernard Francis (Bull)

15.10 Coffee and visit to the exhibitors

15.30 “True story”: document forgery Alain Boucar (Federale Politie)

15.50 ‘Identification in the criminal justice chain…, not to be underestimated’ W.L. Borst (Ministerie van Justitie Nederland)

16.10 Use of Belgian eID to sign PDF documents Peter Schellemans (Adobe)

Thursday 27th May 2010 from 6.30 to 10.30 pm
Cost: 99.00 EUR (+ VAT 21%)
Location: Brussels

Participation at the gala dinner is subject to a charge. Attendance must be confirmed using the official online form under “registration” at the same time as confirming your attendance at the symposium.

Registration

Visit http://www.identityfraud.be/page/35/Registration_form_for_symposium_and_gala_dinner/ for practical details and registration.

Total Security Day Luxemburg

20-May-2010

LAN News & LSEC Total Security Day Luxemburg, May 20th

The Total Security Day in the Sofitel Hotel, Kirchberg (Luxembourg) is this year being organized by LAN News in cooperation with LSEC, Leaders in Security, with the objective of providing an interesting perspective on future security challenges from a number of domain experts and technology providers. Insights on Virtualization Security, the future Security Infrastructures, Data Protection perspectives, Identity Challenges and Managed Security Solutions will provide an up-to-date view on current evolutions and potential threats for any company operating Information Technologies.

Intended to inform Information Managers (CIOs, CISOs, ...) and business line managers dealing with Information Technologies, as well as IT-aware CSOs, these talks will highlight some of the current challenges that any company faces in today’s connected world and its environment of increasing data production. During this day, you will have the opportunity to meet companies like Cisco Systems, IBM, Sonicwall, Trend-Micro, Palo Alto Networks and Computer Associates in the mini expo, and you can participate in the different technical seminars. Only for IT professionals, with lunch offered by our sponsors. With the strengths of LAN News and LSEC combined, we will be able to bring you a well-balanced, neutral transfer of expertise and information, and a fine networking activity where you can meet your peers and discuss challenges and opportunities.

Preliminary Program

• 09h00 – 09h30 Welcome, coffee and registration
• 09h30 – 10h20 SonicWall: Social Media & Next Generation Firewalling. How to deal with Twitter, Facebook, YouTube, Hyves etc… Luc Eeckelaert, Regional Sales Manager Benelux
• 10h20-10h50 Coffee Break
• 10h50-11h30 Palo Alto Networks : New Security Risks with Enterprise 2.0. The Spotlight is on the Specific Applications, Risks, Threats, and potential Rewards for IT. Franklyn Jones, Director of EMEA Marketing
• 11h30-12h20 Trend-Micro : Titanium Security ; the Notebook Security in Cloud mode.
• 12h20-13h30 Lunch
• 13h30-14h20 Cisco Systems: Methods for Improving Information and Computing Assets Security.
• 14h20-15h10 IBM: Issues related to virtualization and Cloud Computing. Johan Celis, Security Solutions Architect
• 15h10-16h00 Computer Associates: The Root of the Problem: Malice, Misuse or Mistake. Dave Vijzelman, Principal Consultant
• 16h00-16h50 McAfee : Protect confidential data from unauthorized transfer out of the company - demonstration. Peter van Eeckhout, Senior Security system & networking Engineer
• 17h00 End of Program

Practical Details

- May 20th, from 9.30 - 18.00h
- Hotel Sofitel Kirchberg Luxemburg
- Free to attend upon registration here or at totalsecurity2010 @ lsec.be
- Cancellation fee of 150 € applies if not cancelled latest 24h prior to the event

Identity & Access Management Conversation with Microsoft TechNet

03-May-2010

LSEC and Microsoft invite you to this half-day Microsoft TechNet seminar, where you can learn more about the Microsoft Identity and Access Management portfolio. Together with our partners such as Traxion, IS4U and others, LSEC encourages people to attend this afternoon seminar to experience some of the technologies offered by Microsoft to manage identities within your organizations.

Kicked off by Kim Cameron, Distinguished Engineer and Chief Architect of Identity, with a wider identity conversation, the seminar will dive into the needs and IT challenges that Identity and Access management brings and how Forefront Identity Manager tackles these. In a final technical overview, Forefront Identity Manager will be presented with live demos.


Agenda

13:00 - 13:30 : Welcome and registration

13:30 - 14:30 : Wider identity conversation, by Kim Cameron

Kim Cameron is Chief Architect of Identity in the Identity and Security division, where he works on establishing a user-centric identity architecture for the Internet, and ensuring Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft’s other identity products become its leading implementations.

14:30 - 15:30 : “Microsoft Identity & Access Management: Business Needs and IT Challenges”, by Henk Den Baes

Today’s economy has increased the strain to run a lower-cost, more secure IT infrastructure that also enables workers to complete their work quickly and with flexibility. This situation can create a seemingly impossible challenge between workers who want the flexibility of a dynamic work environment and an IT department that needs greater control and manageability. When it comes to managing identity and access across an organization (or within the new organization formed by mergers), even the simplest things can introduce security (and policy) failures, multiply hidden costs, and leave both end users and IT personnel frustrated. As a result, there is proliferation of IDs and passwords. Users need to have different IDs and passwords associated with different resources creating challenges of password management and of course, loss of passwords or inability to access a resource triggers a help desk call. Every help desk call that is generated is a loss to the business in terms of time and agility.


15:30 - 16:00 : Coffee Break

16:00 - 17:15 : Forefront Identity Manager 2010: from identity synchronization to identity management, by Federico Guerrini

The session will provide a technical overview of Forefront Identity Manager (FIM) 2010. The product’s architecture will be covered, with emphasis on the new components that have been layered on top of the synchronization engine of its predecessor, ILM 2007. Live demos will be given in order to show how easily and effectively FIM 2010 can automate identity management processes within complex organizations, which require much more than pure data synchronization.

17:15 - 18:00 : Networking and Cocktail

For more information, please visit the Microsoft TechNet website.
Supported by the following LSEC Members : Traxion, IS4U, Microsoft



Practical Details

Date : Monday May 3rd, 2010

Location : Living Tomorrow, Indringingsweg 1 - Vilvoorde

During registration, you can type “LSEC” when asked for a registration code.

Don’t miss this unique opportunity and register now for this free event!



Register Now via the Microsoft website

BruCON 2010

24-Sep-2010

BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker(*) community.

The conference tries to create bridges between the various actors active in the computer security world, including but not limited to hackers(*), security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc.

LSEC at BruCON 2010

Participate in the European Security Innovation Workshop on Friday September 24th, a workshop on potential threats and possible solutions of Cybersecurity and Information Security in general.

The workshop is part of the program of the SIGNATURE project, a cooperation between the leading Security clusters in North-West Europe.
The aim of the workshop is to discuss amongst experts potential research & development projects and to support innovation and the competitiveness of the region all together.

As leader of the work program on Information Security, LSEC will guide this workshop and ensure follow-through of potential outcomes for enterprises and researchers.

Preliminary Schedule and Program

Keynote: Memoirs of a Data Security Street Fighter by Mikko Hypponen

Presentations:
Automated 0wnage with Return Oriented Programming by Erik Buchanan
Creating a CERT at WARP Speed: How To Fast Track the Implementation of Your CERT by Brian Honan
CsFire: browser-enforced mitigation against CSRF by Lieven Desmet
Cyber [Crime|War] - connecting the dots by Ian Amit
Embedded System Hacking and My Plot To Take Over The World by Paul Asadoorian
Finding Backdoors in Code : Repelling the Wily Insider by Matias Madou
Fireshark - A tool to Link the Malicious Web by Stephan Chenette
GSM security: fact and fiction by Fabian van den Broek
Head Hacking – The Magic of Suggestion and Perception by Dale Pearson
NFC (Near Field Communication) Malicious Content Sharing by Roel Verdult
Project Skylab 1.0: Helping You Get Your Cloud On by Craig Balding
The Monkey Steals the Berries: The State of Mobile Security by Tyler Shields
The WOMBAT Project: Recent Developments in Internet Threats Analysis by Olivier Thonnard and Andy Moser
Top 5 ways to steal a company: Forget root, I want it all. by Chris Nickerson
Tor: Censorship Circumvention in the Real World by Jacob Appelbaum
You Spent All That Money And You Still Got Owned by Joseph McCray
Your Project: From Idea To Reality: Make A Living Doing What You Love by Mitch Altman

Workshops:
Cryptanalysis workshop: Breaking office encryption by Eric Filiol
Damn Vulnerable Web App by Ryan Dewhurst
Hardware Hacking Area: Learn To Make Cool Things With Microcontrollers! by Mitch Altman
Living with SELinux How to configure SELinux for your daily applications in CentOS/RHEL by Toshaan Bharvani
Lockpicking 101 by Walter Belgers (TOOOL.nl)
Malicious PDF analysis by Didier Stevens
RFID workshop by Philippe Teuwen
Seccubus workshop: Analyzing vulnerability assessment data the easy way by Frank Breedijk
The Security Innovation Network - Cluster of Clusters by Ulrich Seldeslachts

Events during conference:
The Hex Factor
Live Security Podcaster Meetup
Lightning Talks
Hardware Hacking Area with Mitch Altman and Hardhack.org

For abstracts and details of the presentation, please check: the BruCON website.

About BruCON

How did BruCON start?
BruCON is organized as a non-profit event by volunteers. A group of security enthusiasts decided that it was time for Belgium to have its own security and hacker conference. A lot of countries around the world have these kinds of conferences to discuss and present research on computer security and related subject matters. We want to unite people who share the same passion and support the Belgian (research) communities, with BruCON as a yearly highlight. We are not professional organizers and started this as a non-profit organization. We all have full time jobs and dedicate a lot of our free time to this project. Everyone is welcome to join us and help!!

When and where is BruCON 2010?
To help us fund the conference, we are providing some excellent Training courses on 22 & 23 September and the Conference itself is on 24 & 25 September in The Surfhouse.

What are the rules of BruCON ?
There are no rules. But we ask you to refrain from doing anything that might jeopardize the conference or other attendees. BruCON crew members are there to answer your questions and help you wherever they can. It is unwise to do any illegal activities as law enforcement officers probably will attend the event as well.

What is there to do at BruCON?
BruCON offers a presentation track and some workshops by some very interesting and bright people bringing some of the most recent material in security research. The attendees of the conference can help us shape the event. We welcome anyone with some innovative research, a tool or just an interesting website to present, to give a lightning talk or a workshop. If you want to give an additional workshop or need some space for your project, please contact us.

Will there be hackers at BruCON?
We hope so!!! Many people have different definitions of what is a ‘hacker’. The only one we don’t agree with is the mass media definition of ‘Hackers’ meaning criminals that deface websites and break into networks also correctly known as ‘crackers’. “Hackers build things, crackers break them”. For us, examples of great hackers are Linus Torvalds or Steve Wozniak. Although security vulnerabilities in software are also discussed during BruCON, today this is called security research or white-hat hacking to improve our software and infrastructure.

(*)Hackers are “persons who delight in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.” People who engage in illegal activities like unauthorized entry into computer systems are called crackers and don’t have anything to do with hacking. BruCON doesn’t promote any illegal activities and behavior. Many hackers today are employed by the security industry and test security software and systems to improve the security of our networks and applications. In addition, for the younger generations, we want to create some awareness and interest in IT students to learn more about IT Security.

Practical Details and Registration

BruCON Security Training : September 22nd - September 23rd

BruCON Security Conference : September 24th - September 25th

BruCON is held at the Surf House in Evere. It’s ideally located between Brussels National Airport (Zaventem) and Brussels North Railway Station.

The Surf House features a big auditorium, a lounge and several modular workshop rooms. In the auditorium, there are five huge screens to provide a panoramic view of the message you wish to convey. This area is perfect for holding presentations as the high-tech apparatus is a boon for efficient and professional communicating. In the lounge you can relax yourself in between the presentations and workshops and join us at the party on Saturday evening.

The location is easy to reach by train, bus, car or taxi. See below for more information:

The Surf House
Rue Stroobants 51
B - 1140 Evere
Tel : +32 (0)2 243 03 85
http://www.surfhouse.be/

Network and Systems Protection Seminar

20-Apr-2010

Barracuda Networks combines premise-based gateways and software, cloud services, and sophisticated remote support to deliver comprehensive security, networking and storage solutions. The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection.

Join Michael Hughes, VP Sales EMEA of Barracuda Networks, for his presentation on the benefits of Barracuda Networks Products and how they significantly reduce administrative overhead and costs.

This complimentary event (including lunch, snacks) will highlight the following points:

• The importance of a Next Generation Firewall in modern IT-environments
• Effectively index and preserve all emails, enhance operational efficiencies and enforce policies for regulatory compliance
• Full local data backup combined with a storage subscription to replicate data to two offsite locations
• Application blocking and malware protection solution
• Protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Web site
• Maintaining uptime, scaling data center capabilities to handle increased load, and protecting infrastructure from network vulnerabilities
• Secure, clientless remote access to internal network resources from any Web browser
• Cloud-based secure Web gateway, protects users from malware, phishing, identity theft, and other harmful activity online
• Eliminating spam and viruses from your organization
• Benefits of a central management
• Update on the existing Award Winning Barracuda Networks Portfolio
• End-user Experiences

Timescale
11.30 Registration and LUNCH BUFFET
12.30 - 14.30 Presentations
14.30 - 15.00 Coffee break and snacks
15.00 - 17.00 Presentations
17.00 - 18.00 Networking Cocktail



WHEN :  April 20, 2010
TIME :  11:30 AM - 05:00 PM
WHERE :  Van der Valk Hotel Brussels Airport, Brussels

Infosecurity.be 24 & 25 March 2010, Brussels Expo

24-Mar-2010

Trade show and seminars on IT and Information security

Infosecurity.be offers ICT professionals an overview of the latest security technologies, products and services. More than 80 exhibitors guarantee a wide exhibition programme. Keynote speakers at the seminar programme are Eugene Schulz (Chief Technology Officer at Emagined Security), Noël van den Driessche (Head of Information Risk Management KBC Group) and Christofer Hoff (Director Cloud & Virtualization Solutions, Cisco Systems). One of the keynote activities is the Professional Development Cafe by (ISC)2. Infosecurity.be and (ISC)2 invite visitors to round table discussions and small groups discussions on professional development.

Infosecurity.be takes place on 24 and 25 March 2010 at Brussels Expo, at the same time as the trade show Storage Expo BE (data storage and management). A unique one-stop shopping opportunity: with just one visit, you can kill two birds with one stone! A visit to Infosecurity.be is, after registration, free of charge. To register, go to the http://www.infosecurity.be website.

LSEC Security Innovations Booth

For the first time at Infosecurity.be, a special Innovations booth has been established. Innovative Flemish Information Security companies will demonstrate their most recent development at the LSEC Security Innovations Booth.

Flanders is renowned globally for its centers of expertise. With companies such as Verizon Business Solutions – Cybertrust (the former Ubizen), Vasco Data Security and Zetes, the Flanders security business is leading on many fronts. With innovative engineering such as AES encryption based on the Rijndael algorithm or the Belgian eID-card, Belgium has also been a leader in Information Security.
At Infosecurity.be some of the newer developments will be demonstrated by companies such as Zion Security, a company specialized in, amongst other things, Application Security. Zion will demonstrate the use of its Web Application Firewall as a Service, an innovative service to protect websites in the cloud as a managed service. With GLOPASS (the Global Logical and Physical Access and Signing System), arrowUp stands out from the crowd with a unique framework to connect logical access control and identification systems with a variety of physical access systems: entering the building with your personal ID-card and seamlessly collecting information from the printer with the same card, or logging in to your PC, to facilitate ease of access and to reduce the cost of maintaining multiple systems. arrowUp will also demonstrate the secure signature of important documents on the road with SafeSign for Blackberry devices. Traxion have been developing smart installations of Single Sign On systems for hospitals and enterprises. Easily integrating with Microsoft back ends, they facilitate the development of a wider identity and access management environment. eID Company have been building innovative applications based around the use of the Belgian eID card, such as e-Voting (for polls or votes within companies or to facilitate elections of any kind), the setting up of electronic archives, or easy-to-use electronic document signing tools. Not only secure signing of documents, but also authenticating and identifying the user based upon his or her electronic credentials (Belgian eID card, certificates, an RFID-card, or any other electronic token) is now accessible for any desktop as a webservice. Finally, Celadon Hailstone Biometrics will be showing their latest developments in biometric access control systems.
Visit the LSEC Security Innovations booth and discover also other recent Security Innovations from Flanders.

Building Security In Maturity Model (BSIMM)

23-Feb-2010

The LEUVEN Center on Information and Communication Technology (LICT)
Event
Title: The Building Security In Maturity Model (BSIMM) by GARY MCGRAW
When: 23.02.2010 18.00 h - 19.30 h
Category: Distinguished Lecture Program
Description
Abstract:

Software security has made great progress over the last decade. There are now at least 58 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. Brian Chess, Sammy Migues and Gary McGraw interviewed the executives running nine firms’ initiatives including: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real application security programs at different levels of maturity, was used to guide the construction of the Building Security In Maturity Model (BSIMM, http://bsi-mm.com/). Since the introduction of the BSIMM, the size of the study has been tripled to include data from 31 firms.
This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether one relies on the Cigital Touchpoints, Microsoft’s SDL, OWASP CLASP, or one's own methodology, there is much to learn from practical experience. BSIMM can be used as a yardstick to determine where one stands and what kind of software security strategy will work best in a specific case.

Bio of speaker:

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

Organisation:

This lecture is jointly organised by LICT, LSEC and secappdev.org.

Registration:

Participation is free of charge, but advance registration is required by February 15.

Sandwiches will be provided.

Data Breach, Data Protection, Data Retention : LSEC DLP Revisited

09-Feb-2010

Data Protection in 2010 : changing evolutions and local impact

In 2009, the discussion on data breaches and loss of data was clearly overshadowed by the economic turmoil and the financial crisis. Recent studies by Verizon Business indicated that more than 285 million records were breached in 2008. In 2009, the expectation is that there will be many more, for a number of reasons: more data breaches were reported (both willingly and as required by law or regulations); more regulatory bodies require companies to notify data breaches; and more people had a reason to take along data from their employers (because of the number of failing companies and people being laid off).


Also in 2009, Data Protection remained a key driver for companies to manage Governance, Risk and Compliance. Not only do data increasingly have to be protected under laws and regulations; companies also have to be able to present proof of this protection. Audit and ICT Control are playing an increasingly important role in organizations processing large volumes of critical data. At the same time, there is an increasing requirement for and interest in protecting people’s privacy. With an increasing number of services being executed in the cloud, and personal data being transmitted cross-border, local Data Protection Agencies (DPA) are considering new challenges for companies from abroad. Data Protection has become a strategic challenge for many companies.


Finally, there is also the need for Data Retention. The new EC Telecommunication Directive impacts Telecom and Internet operators in the first place. But clearly, other companies also struggle with the vast amount of ever-growing data and information, and with ensuring that this data is kept and its integrity remains protected.


With this event, LSEC aimed to inform companies and government administration on the current challenges of Data Protection and its evolution in 2009. A public discussion on the needs for Data Breach notification and Data Retention will re-open the debate on the potential impact of Privacy, Data Protection and Data Retention regulations in the EU, between countries and on a local basis. At the same time, by presenting some experiences, cases and expertise, we wanted to share some experiences and present some possible solutions to some of the present and future challenges.

With a number of international experts

Keynote by Stewart Room, author of “Data Security Law and Practice”. Barrister and Solicitor Stewart Room is a partner in Field Fisher Waterhouse’s Privacy and Information Law Group and the Financial Times’ Legal Innovator of the Year 2008. With his book, Stewart brings together the key laws and resources that should be known by all professionals working in the area of data security.


Final Program

Download the Final Program Guide.

9.00 : Welcome Coffee & Registration

9.40 : Introduction & Opening Notes by Ulrich Seldeslachts, CEO LSEC

9.50 : The impact of Data Breach Notification on Belgian companies, by Prof. Dr. Yves Poullet, CRID, Université de Namur et Liège

About : Yves POULLET, Ph.D. in Law and graduated in Philosophy, is professor at the Faculty of Law at the University of Namur (FUNDP) and Liège (Ulg), Belgium. Yves Poullet has headed the CRID since its creation in 1979. He conducts research in the field of new technologies with a special emphasis on privacy issues and individual and public freedom in the Information Society. He is one of the legal experts at the UNESCO and the Council of Europe. He is also a member of the Belgian Commission on Data Protection (Commission belge de protection de la vie privée). He has been in charge of the sector of telecommunications and of the Working Group on Telecommunications and Media (International Conference of Data Protection Commissioners). In addition, he is a member of the Legal Advisory Board of the European Commission and the president of the Task Force “Electronic Democracy and Access to public records”. He also chaired the Belgian Computer Association ABDI (Association Belge de Droit de l’Informatique). Yves Poullet is an active member of the Editorial Board of various famous law reviews. He is a founder of the European Telecommunication Forum, ECLIP and FIRILITE.

Download the excerpts of the European Directives as presented by Dr. Poullet.

10.35 : Keynote Address : Data Protection and Breach Notification experiences, by Stewart Room, Field Fisher Waterhouse

11.20 : Coffee Break

11.40 : Perspectives on Data Protection and Breach Notification from the European Commission by Philippe Renaudière, European Commission Data Protection Officer

About : Philippe Renaudière has been Data Protection Officer at the European Commission since May 2006. He is responsible for the good implementation of the data protection regulation by the European Commission. He is administratively attached to the Commission’s Secretariat General, but enjoys complete independence in the exercise of his mission. His previous assignment with the Commission was head of the Data Protection Unit in DG Freedom, Security and Justice, a position which he occupied from 2001 to 2006. In this capacity, he was responsible, inter alia, for the first implementation report of Directive 95/46 and for the action programme attached to it, and he led the secretariat of the Art 29 Working Party. During the last 5 years, he represented the Commission in numerous European and International Data Protection Conferences, Seminars and Workshops.
Philippe is a Belgian lawyer and has been with the Commission since 1987. He worked successively in the areas of Environment, Transport, Competition (he was a member of the Cabinet of Karel Van Miert) and Internal Market, where he was the Head of the unit in charge of the External Dimension of the Internal Market. Prior to joining the Commission, Philippe Renaudière was in-house counsel with Tractebel in Brussels. He gained his undergraduate law degree from the Université Libre de Bruxelles in 1976, a master’s degree in economic law in 1978 and a special diploma in industrial legislation in 1984. He also gained an MA in International Relations (CERIS/Université de Paris XI) in 2004.

12.30 : Discussion Panel : The need for a clear Data Breach Notification Law for Belgium, with the Belgian Data Protection Agency represented by Dieter Verhaeghe

About : Mr. Verhaeghe assisted the Belgian Data Protection Authority as legal advisor between 1997 and 2000. Between 2000 and 2004 he gained experience as company lawyer in the field of B2B financial services and telecom services. He joined the DPA again in 2004. He is specialized in Belgian and European Data Protection law, mainly applied in the field of compliance (data protection and money laundering/antiterrorism obligations), blacklisting and profiling, direct marketing, e-billing/document platforms, various e-gov projects with Ministry of mobility and transport, emerging smart grid, re-use of public data for commercial purposes, international transfers,…

13.00 : Lunch Break

13.45 : Strategies for Mitigating Insider Risk, by Johan Vanhove, Country Manager RSA

14.30 : Don’t Be the Next Big Data Loss Media Story, by Nick Spekkels, McAfee

With numerous news stories detailing public breaches that have led to sensitive user data getting released (on websites, stolen as part of a laptop theft, or even released accidentally over email or instant messaging (IM) communications), organizations are increasingly under pressure to protect privacy data.
Are you losing data without even knowing it? Your customer information, intellectual property, financial data, and personnel files may be leaving your corporate borders right now. And the perpetrators are not only hackers; they are also your own employees.

15.15 : DLP: Old wine in new barrels, or opening Pandora’s box?, by Stefaan Hinderyckx, Dimension Data

Recently published incidents of data leakage have highlighted the dire consequences of these incidents, such as public embarrassment and disclosure cost, direct financial loss, penalties due to breach of compliance requirements, breach of customer and partner trust, and many more. As a result, organisations may get caught up in the hype around DLP and treat it as an entirely ‘new’ threat or only focus on one sub-set of the risk. It is important to remember that DLP needs to form part of the overall security roadmap and must be addressed across the IT ecosystem. An organisation’s security infrastructure must protect its data, regardless of how it is used, where it is located, what devices use it, and how users access it. More importantly, non-technology issues need to be taken into account when addressing DLP. Organisations cannot depend on end-users to become security experts. Provide user-friendly solutions that support knowledge workers, rather than have an impact on their productivity.

Threats are continuously evolving which means that there are no guarantees in the IT security world. Only when organisations follow an all-encompassing approach (people, process and technology) can they rest assured that their information is being protected appropriately.

About :
A graduate of the Katholieke Universiteit Leuven, Stefaan has Masters degrees in Business Administration and Computer Science, and more than 15 years' experience in IT security, specialised around managed security services, professional services and high-end security infrastructure solutions. Stefaan has held numerous senior, pan-European positions with organisations including Verizon, Symantec and Getronics. As Dimension Data’s Security Director, Europe, one of Stefaan’s key focus areas is to translate security technology, people and process into tangible business value. This outcomes-focused approach puts his services in high demand among our strategic global clients, who look to unite the generic benefits of the technology with practical applications that adapt seamlessly for their individual operations and deliver a sophisticated security armoury.

16.00 : Coffee Break

16.30 : The Impact of Data Protection on your business, by James Lyne, Utimaco-Sophos

17.20 : KPMG’s Insights into lost and stolen information in 2009, by Dirk De Maeyer, KPMG Advisory

Incidents and people affected by Data Breach have clearly been on the rise since 2005. Causes of data loss are quite diverse, but a major increase in malicious insider incidents was detected in 2009. Clearly, hackers are more active than ever in trying to obtain sensitive data. Learn also about the sectors experiencing the most data loss incidents. Better understand your liabilities and how to cope with these threats.

18.10 : Closing Notes and Networking Reception

Panel discussion, in which some of the following topics will be addressed :
1. What is the best way to avoid privacy violations (and being in the news)?
2. How do you balance between access and security?
3. How can you achieve compliance at reasonable cost?
4. How do you keep the good guys in — and the bad guys out?
5. Where has all the data gone — How do you control copies?
6. How can you best meet legal requirements for data protection?
7. When should data be encrypted — and when not?
8. How can you best achieve a reasonable level of data protection?
9. Data is everywhere — so how do you protect it?
10. Can you stop data from heading out the door?

- Understand the actual causes of data protection program failures, using case studies from both public agencies and private companies.
- Explore the deficiencies in current program approaches that lead to these failures, including technology limitations, incorrect prioritizing, and process gaps.
- Design a forward thinking approach to avoid future data protection failures and ensure the protection of consumer and citizen data and critical infrastructure.

Developing a Data Protection Plan for Your Organization

Data protection has become a major issue in an era in which data is the lifeblood of every organization. Data protection is essential to prevent loss of customer trust, and avoid leaks, breaches, and violations of regulations while still keeping data highly available. Smart organizations are beginning to take comprehensive measures to secure sensitive data and use them as a differentiator to gain and retain customers. The problem of data protection spans the lifecycle of data, from the time it is created until it is backed up, archived, or discarded. Part of this seminar will focus on basic approaches to developing a comprehensive data protection plan, including the making of a business case, business continuity and disaster recovery, networking aspects, and IT management. Breakout sessions will allow participants a chance to ask questions and develop major conclusions, best practices, and issues to be resolved.



Practical Details

LSEC Data Breach, Data Protection, Data Retention : LSEC DLP 2

Leuven, Auditorium Kasteel van Arenberg, Kasteelpark Arenberg - 3001 Heverlee
Tuesday, February 9th, 2010 - from 9h - 18h seminar with exhibition and panel discussions.

Attendance Fee :
- This seminar is part of LSEC’s awareness program and free to attend for anyone bringing along a colleague or a friend. Send us the email you’ve forwarded to your colleague or friend, and you and him (her) will be able to attend for free
- Alternatively you can support our activities by paying a small fee to support our catering and facilities of 150 € (excl VAT)
- We do have a cancellation policy that requires you to pay a fee of 150 € (excl VAT) if you have not cancelled at least 24 hours prior to the event.

OWASP Belgium Chapter Meeting

01-Feb-2010

OWASP Belgium Chapter meeting, together with ISSA Belgium

The Open Web Application Security Project (http://www.owasp.org) Belgium Chapter
organizes their next Chapter meeting. OWASP’s all-volunteer participants
produce free, professional quality, open-source documentation, tools, and
standards on application security. An example of this is the famous OWASP
top ten of most critical web application security flaws. The OWASP
community facilitates conferences, local chapters, articles, and message
forums. Participation in OWASP is free and open to all, as are all the
materials we produce.

Practical Details

Monday, February 1st, 2010 (18h00-21h00), together with ISSA Belgium.
WHERE
Location is sponsored by Ernst&Young’s Information Security Team.
Address: De Kleetlaan 2, 1831 Diegem
PROGRAM
• 18h00 - 18h30: Welcome & Refreshments
• 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
• 18h45 - 19h00: ISSA Update (by tbd, ISSA)
• 19h00 - 20h00: GreenSQL: an Open Source database firewall (by Yuli Stremovsky, VP of Research and Development at GreenSQL)
• 20h00 - 20h15: Break
• 20h15 - 21h15: Mobile malware now and in the future (by Mikko Hypponen, Chief Research Officer at F-Secure Corp)
More information can be found at http://www.owasp.org/index.php/Belgium#tab=Chapter_Meetings .
WHO should attend?

Anyone interested in Web Application Security (management, security
professionals, developers, students, etc). OWASP Belgium chapter
membership is free. All meetings are free. There are never vendor
pitches or sales presentations at OWASP meetings.

Check our chapter page http://www.owasp.org/index.php/Belgium on
meeting details, sign up to the chapter mailing list and introduce
yourself.
REGISTRATION
There are only 100 seats available (first registered, first served)!

Please send a mail to ‘belgium at owasp.org’ if you plan to attend,
so we can size the venue appropriately and keep you updated on
last-minute changes.

LSEC at the Attic

28-Jan-2010

Special Event : LSEC at the Attic

On January 28th, in the SAP Lounge in Vilvoorde, you’re kindly invited to meet with your peers and other Security Industry Experts.
Join us for a bite and a drink and participate in some interesting discussions on the challenges and opportunities of security. Book your seat now!


Top Expert Roundtable Discussion

During the evening, we’ve invited a number of Top Experts in the domain of Information Management, Risk Management and Security Technology to discuss upcoming challenges and threats, opportunities, evolutions and dynamics. Join us learning more from :

Freddy Van den Wyngaert, CIO Agfa Healthcare, Vice-Chairman of the CIO Forum Belgium and CIO of the Year 2008
Noël Van den Driessche, Head of Information Risk Management KBC Global Services
Ronny Depoortere, Vice President ZETES P.A.S.S.
Erwin Roels, Country Manager Verizon Business Cybertrust Benelux
Stefaan Hinderyckx, Security Director Dimension Data
Bruno Vermeire, Informatiebeveiliging Nationale Veiligheidsoverheid (NVO) Belgium

The panel will be moderated by LSEC and yourself, with a focus of sharing best practices, knowledge exchange and discovering innovation opportunities.


At the Attic : A History of 20 Years of Information Security

Our German partner and Information Security cluster TeleTrusT celebrated in 2009 its 20th anniversary. Prof. Dr. Norbert Pohlmann, Vorstandsvorsitzender TeleTrusT Deutschland e.V. will guide us through 20 years of Information Security. With experiences from Germany and looking ahead into the future European market. At the attic of the SAP lounge in Vilvoorde, we look back into the pictures of the past, learn from our mistakes and turn the page of the last two decades, and the last century.

Practical Details

Schedule :

17.00 : Welcome & Registration
17.30 : At the Attic : a History of 20 Years of Information Security
18.15 : Top Expert Roundtable
19.00 : New Year Reception with snacks and drinks

Thursday January 28th
SAP Lounge, Dewezplein 5 (near Rondeweg)

Price
Free to attend upon prior registration at http://www.lsec.be. A confirmation will be sent to you shortly.

You can also apply for a seat by sending an email to attheattic (at) lsec.be. A confirmation email will be sent to you once your application has been successfully received.

Looking forward to seeing you on Thursday January 28th, 2010, or at one of our earlier events.

Security Virtualization, Virtualization Security and Cloud Computing Issues 2009 Revisited

26-Jan-2010

Have you ever been Hyperjacked ? Recently found a Botnet in your Cloud?

Last year, LSEC organized a seminar on some of the Security aspects of Virtualization and Cloud Computing. During that seminar, an outline was presented on current threats, potential solutions and future evolutions. The current business drive on virtualization and cloud computing and the evolution of threats in the cloud, make this topic more than ever important for businesses, organisations and administrations working on or towards Virtualization.


Not yet aware of Hyperjacking, or you don’t know how to run Botnets in the Cloud? We plan to revisit some of the potential threats posed by the use of Hypervisors, Virtual Machines on multiple OS or even running a variety of Virtual Machines on a multitude of physical servers. Did you realize that physically moving a VM from one machine to another is actually done in the clear?
How easy would it be within your organization to walk in with a USB stick running a VM, copying all of the active VMs and re-running their states somewhere else to find out your weaknesses?
How do you implement patch management in VMs that have been offline for a while, but could resurface with potential threats in them? How do you plan to control your ICT environment, with this Virtual environment? What are your rights when a government enforcement group hijacks your physical and virtual machines? The challenges are manifold and complex. Solutions are non-existent, or just barely surfacing.



Next to that, we also plan to investigate what opportunities Virtualization brings to the world of Security, in this case as a means to an end. Using Virtual Security Appliances, but also Security solutions in your Virtual Machines and Hypervisors, and ensuring that their activities run securely, are topics that will be addressed.


Finally, we want to open the discussion on a local basis on the protection of activities in the cloud. What are your challenges in terms of Security? Business people can and will move company data outside of the company’s premises, but the controls can probably not always go along. There will be an increasing challenge to your security, with an increased need for security measures and control. But how can you ensure that no breaches have happened? What about concerns over data ownership, regulations and privacy? Do you require stronger SLAs? Will you be able to enforce those, if your data is residing abroad? The opportunity of Cloud Computing is there, but the discussion has only just begun.



Preliminary Program

13.00 : Welcome Coffee & Registration
13.30 : Introduction & Opening Notes by Ulrich Seldeslachts
13.40 : Overview of the current challenges on Cloud Computing and Security of Virtualization. Conclusions and ideas from the ENISA Working Group on Cloud Computing and Virtualization, by Philippe Massonet, CETIC
14.30 : Update on Security Issues related to Virtualization and Cloud Computing, by Johan Celis, IBM Security Solutions Architect
15.20 : Coffee Break
15.40 : Security Challenges In Virtual Environments and how to address them, by Jeroen De Corel, Check Point Security Software, Security Engineer Belux
16.30 : Advantages and Security considerations when publishing applications on mobile devices from out of a cloud, by Gert Vanhaeght, Syscon
17.00 : Legal Challenges in Cloud Computing, by Maarten Truyens, DLA Piper

About Maarten Truyens : Maarten Truyens is a qualified lawyer registered with the bar of Brussels (Belgium) and practices information technology law at DLA Piper Brussels. He specialises in the fields of e-commerce, IT contracting, data protection, telecom, consumer protection, outsourcing and new technologies. His practice includes clients in both the public and the private sector, in Belgium and abroad. In the domain of open source, he advises both startup companies and multinationals on issues such as dual licensing, open core licensing and the assessment of derivative works in the context of GPL software.

He is a contributing editor of the international Journal for Internet Law (Wolters Kluwer) and is also a regular speaker on seminars regarding ICT law, IT security (identity theft, internet crime), open source, privacy, electronic document management and corporate governance. He regularly participates in both national and international projects investigating the impact of new IT and telecommunications law. He was involved in a European study on the future of the legal framework for the information society (see http://www.euinternetlaw.eu) and another study on technology transfer (see http://www.eutechnologytransfer.eu), both for the European Commission.

Recent books and articles written or co-authored by Maarten Truyens include “Monitoring and analysis of technology transfer and intellectual property regimes and their use” (published in 2009); “Legal issues in technology transfer”, the European Association of Research Managers & Administrators, October 2009; “Standardisation in the European ICT sector: official procedures at the verge of being overhauled” (Shidler Journal of Law, Commerce & Technology, July 2009); “A balanced approach to open source” (IT Professional nr. 44, 9 April 2008); “Long awaited opinion on the use of search engines” (BNA International World Data Protection Report, April 2008); “The Swift Case” (Privacy Advisor, 2007); “The law and security” (Data News ICT Guide 2007) and “Rules for electronic commerce” (Informatie (NL), 2006).

Recent seminars include “Publishing vs patenting”, EIROforum Technology Transfer Conference organised by the European Commission, November 2009; “Legal developments in open source in the US and the EU”, iTechLaw conference for IT Lawyers, November 2009; “Open Source” (ADM, 2008); “How Liable Are You for Identity Theft?”, (RSA Security Conference 2007); “Legal aspects of electronic document management” (Kluwer, 2005-2007); “Legal aspects of IT systems” (University of Antwerp Management School, 2006) and “Instant Messaging: Legal aspects” (Microsoft, 2006).

Before joining DLA Piper Belgium in 2005, Maarten worked as an IT consultant, in areas such as transactional high-volume websites, database publishing, multimedia and business automation. This hands-on experience with e-commerce matters, from both a technical and managerial point of view, has rendered him invaluable technical information, which he now combines with his legal knowledge. His clients value his active technical knowledge of internet-related technologies and protocols, programming languages, databases and Web 2.0 programming frameworks. Having witnessed the internet revolution from the inside, he is acquainted with the benefits and pitfalls of e-commerce transactions and on-line business models.

17.50 : Some solutions in managing Security on Virtual Machines, by Peter van Eeckhout, McAfee IT Security and Compliance Solutions
18.40 : Reception and Close of Seminar

Other subjects to be discussed :
Security challenges of Hypervisors and Virtualization broken down.
Some solutions for better improving your Virtual Machines, your Virtualization environment and your Hypervisors.
Business and legal challenges posed by Cloud Computing.
The local debate on the future of Security and Control in the space of Virtualization and Cloud Computing.


Practical Details

LSEC Security Virtualization, Virtualization Security and Cloud Computing Issues 2009 Revisited

Leuven, Auditorium Kasteel Arenberg, KU Leuven, Kasteelpark Arenberg - 3001 Heverlee
Tuesday, January 26th, 2010 - from 13h - 18h seminar with exhibition and panel discussions.


Registration :
- You are welcome to register on this website if you haven’t done so before and fill in your personal and company details.
- After registering on the website, or logging in on the homepage (scroll down to the fill-in form), return to this page and push the subscribe button
- Too difficult? No problem, just send us an email with your contact details to virtual2 at lsec.be

Attendance Fee :
- This seminar is part of LSEC’s awareness program and free to attend for anyone bringing along a colleague or a friend. Send us the email you’ve forwarded to your colleague or friend, and you and him (her) will be able to attend for free
- Alternatively you can support our activities by paying a small fee to support our catering and facilities of 150 € (excl VAT)
- We do have a cancellation policy that requires you to pay a fee of 150 € (excl VAT) if you have not cancelled at least 24 hours prior to the event.

The LSEC team is looking forward to welcoming you on January 26th.

Security Conference 2009 : Present and Future of IAM

03-Oct-2009

Evolutions of Access Control and Identity Management

A two day conference on the Present and Future of Access Control, IAM and Identity Management : Identity and Access Management, Identity Lifecycle management, Single Sign On, eID developments, Physical and Logical Access Control, Federated Identities, Multi-factor Authentication, … : presentations, customer cases, technology focus, market developments, panel discussions, …

This event is made possible with the kind support of our partner :


Secur-IT



Governance, Risk and Compliance continue to be the main drivers for Identity and Access Management installations and services, according to a recent survey by KPMG and Everett. Some of these projects are becoming increasingly of strategic importance to many companies, not only to be able to control the identities, but increasingly to facilitate all sorts of activities.
During this two-day conference, we aim to bring together most of the important players and projects from 2009 and try to present a glimpse on the next year in terms of IAM activities.


The objective of this conference will be to :
- Update the evolutions and developments in the Belgian market and abroad on IAM
- Present customer cases and market experiences
- Give insight in the most interesting evolutions and challenges in today’s market environment
- Give insight on how IAM could be valuable in the current economic climate
- Federation
- Concerns on privacy protection
- 11 million eID’s, so what’s next
- …

With a special focus on convergence : where physical and logical identities meet.
- Governing risk and compliance both logical and physical access
- Single sign on in applications, Multiple entries in reality

Some other topics to be addressed :
- Identities in the Cloud
- IAM and ILM


Physical and Logical Access Control Combined : a world of converging technologies

For reasons of cost reduction, economies of scale, control or just ease of use, an increasing number of companies are considering the use of the same access control system (or at least integrated) between physical and logical access control. Considerations for using the same token (RFID card, biometrics, password, ...) have already been implemented over the last years.


What considerations are companies following to have a joint or integrated system for both? Who should be in charge of those systems : facilities, security management, HR, IT, or both? What is the basic business case, and how should we see the evolutions of such systems? Are there ways to integrate my access control system with my Identity Management System(s), should I prepare this in my IAM business case?


Identities in the Cloud

Security in the cloud is a significant concern, and requires fresh thinking about how siloed security frameworks can be modified to deal with an emerging compute model. Identity management vendors have been wrestling for some time with the transition toward a loosely coupled architecture based on a set of common standards. This transition will gain pace as enterprises look to take advantage of the cost efficiencies and flexibility of cloud services yet still maintain a set of appropriate access controls and event monitoring to satisfy compliance requirements.


Federated Identities

New evolutions of Role based access, such as ABAC (attribute based access control), CBAC (context based) have appeared. Also locally, Federated Identity Systems have seen the light in 2009. Who has access to what, who is who, and who verified who? When is who giving access to what? Why has who access to what? Who controls who should have access to what? Who controls that access, or when does he or she have access?


Federation takes these questions and concerns a step further, either putting the who in charge, or the organisation controlling the who.


IAM and ILM

From a perspective on storing and retrieving information in the world of Information Lifecycle Management (ILM) to a world of access to information, systems, applications and even access to building, rooms, doors, ... from the world of Identity and Access Management (IAM).

Managing and storing information is a practice that was there long before computers even existed. Allowing access to electronic data, storing vast quantities of data, meeting regulatory requirements for retention and protection, and deciding which critical and sensitive information might require another risk management profile than regular data is a challenge for any organization, both from a business and an IT perspective.


Learn from the leaders in Identity and Access Management services and solutions

According to Forrester, the worlds of Data Governance and Content Governance will collide. Ownership, accessibility, availability, trustworthiness, security, and compliance are problems faced on both the structured and unstructured sides of the information management coin. The organizational methodologies for governing structured data and unstructured content are actually quite similar. Maximize the potential value of a governance investment with a methodology that can get you started without forcing you to break the data/content silos.

Final Program

Thursday, December 3rd

9.00 : Welcome & Registration
9.40 : Introduction & Opening Notes by Ulrich Seldeslachts
9.50 : Keynote Opening Presentation by Peter Strickx, FEDICT : 10 million eID’s and kids ID’s, so now what?

By the end of 2009, there will be about 9 million electronic ID’s and numerous kids ID’s. This makes Belgium one of the leading countries in the world having this unique identifier as technology.
What are the next steps? What type of applications can be used, and how should the eID be considered by business as a means to authenticate or to get access to systems and infrastructures?

10.35 : Results of the KPMG Identity and Access Management Survey 2009 by Benny Bogaert, KPMG

In 2009, KPMG and Everett with the support of EEMA and LSEC, organized the yearly interactive survey on Identity and Access Management.
With a clear development towards Governance, Risk and Control, the economic climate has obviously also had its impact on the current situation. How do you relate that to your organisation, and what are the key learnings of the study?

11.20 : Coffee Break

11.40 : Putting the User back in Charge over his Identity, A case for User Centric IDM by John Harrison, Edentity

The Personal Information Brokerage (PIB). Working in collaboration with three UK universities, a large telco, and payment systems company, PIB envisages that an individual will be able to select one or more ‘information brokers’ from a managed market. Each broker will enable the individual to authenticate to, and communicate with, multiple organisations and other individuals (jointly counterparties), all at the appropriate level of security and using a coherent set of authentication steps.
As well as single-sign-on, and the various communication tools, the broker will enable the individual to give fine-grained transaction-based permission for the transmission of personal information to, and between, counterparties. It can be thought of as a grown-up and distributed version of social networking: the individual can invite new counterparties to ‘link’ to his broker account; and can then decide which ‘profile’ a new counterparty should see.

12.30 : Lunch Break

13.15 : Use Case with KBC : using multiple authentication methods on the same website with Webseal and trustbuilder C-Man, combining Vasco Digipass, Digipass Card Reader, smartcard and USB X.509 certificates by Dirk Verbiest, KBC

14.05 : Security and the essential role of IAM in the Cloud by John Van Westeneng, Traxion

What is the role of IAM in the cloud? Besides the standard federated components for, among others, single sign-on, the provisioning of identities and of access rights plays a giant role in facilitating enterprise cloud services. Next to that, the following themes will be discussed :

- the strategic steps an organisation had to make to start using cloud services,
- the business case for the use of cloud services including the required infrastructures,
- the suppliers of service providers and what could not yet work as such
- the security elements that need (and need not) to be resolved

15.00 : Access Governance by Joris Ter Hart, KPMG

Access control is one of the key control mechanisms in place to protect sensitive (financial) information. Due to the economic crisis, information breaches through misuse of access rights are increasing. Regulations around managing user access are also getting stricter, and an organisation has to prove that access controls are operating effectively. Validation of access rights is not completely new. In nearly every organisation some kind of verification of access rights is implemented. However, this is often done on an ad-hoc basis, in a manual manner, with limited scope and depth. Access Governance is an efficient process, using advanced analytics tools, to review user access to and within applications on a frequent basis to achieve regulatory compliance and improved security. In the presentation, Access Governance will be elaborated in detail based on a case study, and the relationship with Identity & Access Management as a whole will also be discussed.

15.55 : Closing Notes

16.00 : End of Day 1

Friday, December 4th

9.00 : Welcome Coffee & Registration

9.45 : Opening Notes by Ulrich Seldeslachts, CEO LSEC

10.00 : Convergence of Physical and Logical Identities, by Thomas van Vooren, Everett

Increasingly, the security of IT services and the physical security of spaces and environments are being seen as combined. Where traditionally the one was the domain of IT and the other a facility service, today combined access means, monitoring and security models are often being used. During this talk, some of the more important drivers of this development will be discussed, as well as the architecture, including a central place for Identity and Access Management.
Finally, some examples will be discussed.

10.50 : Case Study : How a logical IAM system was implemented to ensure physical and logical access control, by Rik van Bruggen, EMEA VP Imprivata

11.40h : Physical Access Control in reality, an evolution in the world of access control, by Michael Andauer, KABA

12.20h : Lunch Break

13.00h : Discussion : ILM & IDM, the next challenge Identity in the Cloud and Federated models with SUN Microsystems

13.45h : Securing Web Services in the Cloud, by Jan Van den Bergh, ACA-IT

The rise of Software as a Service (SaaS) leads to some interesting security problems. Moving infrastructure, applications and services to the cloud holds many benefits, but also introduces some interesting security challenges. The organization’s trust boundary is greatly extended and moves beyond the control of IT. This results in loss of control that challenges established governance and control models, and can even impede the adoption of cloud services. A well established IAM system becomes an essential component for a smooth transition to the cloud. For service providers, the use of industry IAM standards can greatly accelerate the adoption of new cloud services.
Federation protocols (SAML, ID-FF) can be used to solve the security problems that have to do with authentication and authorization: it then becomes possible to integrate web applications of different organizations and let users access them while their identity is passed automatically. Web services can be protected in a similar way, by adding assertions to the messages to guarantee the identity of the caller. Typically a Secure Token Service or STS is used to generate and validate the tokens containing these assertions, but other solutions exist as well.
In this presentation we will describe these concepts in more detail and tell you how they can be used in real-life applications. There will also be a small demo where Sun OpenSSO is used for federation and web service security.

14.30h : Centralizing authentication and authorization in a Unix World, by Wim Remes, Bull

Does an out-of-the-box solution meet the objective of having several flavours of machines and OSes working together, integrated in an SSO? Or is there a better fit with a totally integrated model based upon Open Source?

15.05h : STORK, the European eID Interoperability Platform by Marc Stern, Approach

The aim of the STORK project is to establish a European eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID.
Cross-border user authentication for such e-relations will be applied and tested by the project by means of five pilot projects that will use existing government services in EU Member States. In time however, additional service providers will also become connected to the platform thereby increasing the number of cross-border services available to European users.

Thus in the future, you should be able to start a company, get your tax refund, or obtain your university papers without physical presence; all you will need to access these services is to enter your personal data using your national eID, and the STORK platform will obtain the required guarantee (authentication) from your government.

15.45h : Closing Notes

16.00h : Close of Conference

Advanced Role Based Access Mechanisms and Information Access Management : the perspectives from the user and the organization
Information Lifecycle Management : the perspectives from the data and information flowing in the organization.
Information Risk Management (IRM) in relation to Information Lifecycle Management
What is the impact of the lifecycle of information on Identity and Access Management (IAM)
Identity Enabled Information Lifecycle Management
The needs for Information Lifecycle Management : compliance, cost & control
The needs for Identity & Access Management : compliance, cost & control
Data Protection and ILM
Frameworks for considering and planning data protection
Understanding storage technology from the standpoint of data protection
Architecting more effective backup/restore solutions
Leveraging core computer security concepts and strategies to protect your most critical data
Securing your entire storage infrastructure, not just servers
Using policy-driven data protection and Data Lifecycle Management (DLM) to improve security and reduce cost
Using ILM to identify your highest-value data and choose the right ways to protect it

Information lifecycle management (ILM) entails the process of managing information from conception until disposal, in a manner that optimizes storage and access at a cost, relative to its value. Especially predicting the way people need to access information and define storage needs could be challenging as the business grows.
Even if the current economic climate doesn’t allow for massive investments and companywide projects, for any organization it remains sensible to investigate the impact of its information management systems and to consider potential future evolutions and trends. During this seminar the aim is to explore the evolutions of managing the lifecycle of information not only from an access perspective, but also from a storage and control perspective, even over time. How to start taking both into account from the beginning? How to define where both concepts will be challenged at the same time? Or can they continue to be separate programs in your company?

Bring a colleague or friend and attend for free

With this event, we again want to create awareness of the evolution of Identity and Access Management in Belgium and abroad.

If you send us an email with the forwarded invitation (securityforum2009 @ lsec.be), or copy us in the forwarded invitation to a colleague of your organization, or maybe a friend at another organization, you will be allowed free access to this event.
Alternatively, the access fee for 1 day seminar is 150 € (excl VAT), and 250 € (excl. VAT) for the combined days.

Practical Details

150 € (excl. VAT) for 1 day, 250 € (excl. VAT) for 2 days.
Free upon presentation prior to the event of the forwarded invitation.





For more information about this event, please email to securityconference2009 @ lsec.be or

BeNeLux OWASP Day 2009

02-Dec-2009

the largest BeNeLux OWASP event on record

Free your agenda: Wednesday, December 2nd, 2009.
The good news: free! No fee!
The bad news: there are only 200 seats available (first register, first serve)!

PROGRAM

• 11:30 AM - 12:00 AM: Welcome & Refreshments
• 12:00 AM - 16:00 PM: Workshop OWASP tools
• 16:00 PM - 22:00 PM: Talks
List of confirmed speakers, with more to come:
• Prof. Dr. Ir. Bart Preneel, Professor at Computer Security and Industrial Cryptography research group, University of Leuven
• Colin Watson, Technical Director and principal consultant at Watson Hall and Global Industry Committee Member at OWASP Foundation
• Eoin Keary, Attack and Penetration team senior manager for EMEIA at Ernst & Young and OWASP Code Review Guide Author and Lead
• Sebastien Deleersnyder, Lead Application Security at Telindus, Belgacom ICT and OWASP Foundation Board Member
• Noa Bar-Yosef, Senior Security Researcher with the Imperva Application Defense Center
• Erwin Geirnaert, Partner & Co-founder at ZION SECURITY and OWASP Belgium Board Member

ORGANIZATION

OWASP’s all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.

WHO should attend?

Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.

Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.

Practical Details

Wednesday, December 2nd, 2009 (12:00 AM - 10:00 PM)
College De Valk
Tiensestraat 41
3000 Leuven
BELGIUM

Only 200 places, please Register upfront!
All latest details are available on http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2009
Hope to see you all!

The BeNeLux Program Committee,
Bart De Win / Sebastien Deleersnyder (OWASP Belgium)
Bert Koelewijn / Martin Knobloch (OWASP Netherlands)
Jocelyn Aubert (OWASP Luxembourg)

Supported by LSEC, affiliated partner.

DNS & Security

15-Dec-2009

DNS & Security and Security & DNS

Office building infrastructures tend to collapse in the event of weak(-ened) foundations. If an organisation’s DNS infrastructure is compromised, the event can be equally devastating, though less obvious: the casual surfer may not notice he/she is ending up at a phishing site, or that e-mail to business partners is being redirected, but confidentiality, integrity and availability all can be impacted by attacks on one’s DNS infrastructure. This is a risk that is often misunderstood or underestimated.

Therefore we are very pleased to be able to bring to you this long-awaited technical ISSA event by renowned DNS & Security expert Marc Lampo!

Telindus - Belgacom ICT is kindly providing the venue as well as food and beverages.


Program Details

1800h : Welcome with drinks and sandwiches
1830h : “DNS & Security - part 1”
1930h : short break
1945h : “DNS & Security - part 2”
2045h : networking drink
2130h : end of the event

Abstract :
DNS & Security

The impact of Dan Kaminsky’s presentation on DNS cache poisoning, during the Black Hat security conference in July 2008, is still reverberating. Despite the positive results of proof-of-concept code (the vulnerability is real), Dan admits fewer attacks than expected/anticipated have been noticed. In this talk Marc Lampo will address the principles of the attack, in order to make everybody understand it.
And from that understanding, it will become clear why the attack is not so popular from the Internet, but why the danger remains for internal networks!
Still building on that understanding, he will show some true approaches to obtain protection, and also warn against a wrong approach that even increases the danger.
Finally, one consequence of Dan’s speech will hit us all, somewhere in 2010 : DNSSEC is coming. Marc Lampo will elaborate on “DNS with signatures”: the protection offered, for whom, and what the prerequisites are.

Bio :
Marc Lampo is senior technical consultant for Telindus - Belgacom ICT. His focus is on network security, and he is a believer in “security by design”, as will also become clear in his talk. He has been configuring and consulting on DNS matters for over 15 years, both from the ISP side (EUnet) as well as from the integrators’ point of view. For the John Cordier Academy, he has developed a course, “DNS Explained”, of which he is still the teacher.


Practical Details

Date : Tuesday December 15th, 2009
Place : The John Cordier Academy Auditorium, Geldenaaksebaan 335, B-3001 Leuven (Haasrode)

Route description and access plan : check out http://www.jcacademy.be/infrastructure/_down/Location_JCA_Leuven.pdf

Please bear in mind :

(1) when coming from Brussels via E40 : the exit Haasrode has been reengineered, you need to take the second exit immediately after the old exit that is currently only leading to Blanden instead of Haasrode
(2) when entering the parking garage underneath the building, please do so cautiously in order not to bump into cars leaving the garage!

Registration procedure :

Registration for the event is free but mandatory. In case there would be more registrations than available seats (sixty), ISSA members in good standing will be favoured over other people in a ratio of 70% Members to 30% non-members. Early registrants will have precedence over late registrants. Registration starts as of November 23rd. Members as well as non-members register by e-mailing their contact details (name, surname, company/organisation, ISSA Membership Nr) to register at issa-be.org mentioning “DNS & Security” in the subject line.

Kind regards,

Tom Van den Eynde
ISSA-BE
Communications Officer

Half Day Identity and Access Management Seminar by SecurIT and IBM

12-Nov-2009

Half Day Seminar by SecurIT and IBM

Learn industry best practices on how to take control over who has access to what in your enterprise information system.
In half a day you will be brought up to date on how you can realize efficient control of digitalised identities and how you can manage the rights of entry to business information in an effective way.
IAM specialist SecurIT and software supplier IBM, a market leading combination in the Benelux, share their expertise with you this day.

Program

Part 1: Introduction and seminar overview
Speaker : Marc Vanmaele – Duration : 10 minutes

Part 2: Taking control of Identities in a landscape of scattered applications. SecurIT will explain how a user provisioning project and products such as Tivoli Identity Manager can be a cornerstone of future Identity Management initiatives.
Speaker : Marc Vanmaele – Duration : 45 minutes

Part 3: Single Sign-On project as a source of finance for Identity Management projects? Traditionally, Identity and Access Management has been difficult to finance due to the long duration of such initiatives and the lack of direct end-user visibility. SSO projects can be used as a key milestone of your identity management strategy, by bringing direct visibility to end-users and management.
IBM Speaker - Duration : 45 minutes

Part 4: How can roles effectively help organizations manage authorization in a cost-effective manner. SecurIT will present how the introduction of roles in user provisioning tools effectively allows organizations to rationalize time and cost. A use case will be presented to illustrate the comparison between traditional request-based access control and fully automated business-roles driven access control.
SecurIT Speaker : Alain Fichot - Duration : 45 minutes

Part 5: Fine-grained access control in the real world. Discover how Tivoli Security Policy Manager helps organizations take control of how security policies are derived from business up to technical configuration. Real-world use cases will be presented to illustrate how security policies are enforced, up to application level.
IBM Speaker : Martin Borett – Duration : 45 minutes

For program updates and registrations, please visit the SecurIT registration website.

Infosecurity Netherlands 2009

04-Nov-2009

Register now for Infosecurity 2009 in Utrecht

Infosecurity.nl 2009 is the annual reference tradeshow for Information Security related professionals in The Netherlands and neighbouring countries.

Register today and reserve your place at one of the seminars or discussion fora.

Meet with some of the LSEC Members and their partners.

Global Security Challenge Western Europe Finals Event

09-Sep-2009

Global Security Week 2009

As part of the Global Security Week 2009, LSEC offers security start-ups and innovative SME’s active in the domain of security the opportunity to participate in the Global Security Challenge.

During this event, security professionals, industry relations, investors, press, academia and other interested persons are invited to participate in this afternoon of innovation at the LSEC & GSC Awards. Participation is free, but registration is required. Please fill in the requested form after pushing the “Subscribe” button at the top or bottom of this page. If necessary, please return to this page for further confirmation.

Program History

The Belgian expertise centre for information security, LSEC, invited all Belgian start-up companies and SMEs to compete in the Global Security Challenge 2009, the biggest international competition in the field of security innovation.

Global Security Challenge

LSEC is the European partner of the Global Security Challenge (GSC). This competition offers researchers, entrepreneurs and start-up companies the opportunity to showcase their security inventions and compete for some great prizes. All European participants are invited to an event in Brussels on 09.09.09 where other participants, but also investors and interested companies, are given the chance to question them.

Companies competing in the GSC are not only handed a national, but also an international platform to showcase their innovation to the world. And they are also introduced to international investors who are specialized in the subject and are able to support them. And finally, more than 500,000 dollar in grants and subsidies can be won.

Western Europe Event Practical Details

LSEC invites you to the Western Europe Final event of the Global Security Challenge (GSC), the competition that offers researchers, entrepreneurs, start-up companies and Small and Medium Sized enterprises the opportunity to showcase their security innovations and compete for additional funding grants taking place on Wednesday September 9th, 2009 (9.9.2009) in the SAP-lounge in Vilvoorde – Brussels.

During the deliberation of the jury, information security expert David Lacey will talk about his experiences and thoughts on the Human Factor in Security, the Psycho-Social Side to Security, based upon his latest publication.
This event can be freely attended, upon registration below at this page.

Register now in order to ensure your seat at the event. The number of participants is strictly limited, so registering in advance is advised.

Preliminary Program

13.00h Registrations & Sandwich Lunch
Opening of the Finalists Innovation Booths

14.00h Welcome & Introduction by LSEC and the GSC

14.15h Keynote Speech : David Lacey
The Human Factor in (Information) Security, the Psycho-Social side to security

14.50h Presentations from top three European Security SMEs
(5 mins each)
- Piexon, Switzerland : pyrotechnic launching of liquids through complex nozzle systems.
- Omniperception, UK : computer vision capabilities, specialising in facial biometrics and advanced image processing
- Mobilegov, France : Digital DNA, a patented technology which rests on the thorough identification of any digital equipment.

15.10h Presentations from top three European Security Start-ups
(5mins each)
- Kromek, UK : diverse technology base and is building expertise based on its core competence of materials technology and advanced x-ray imaging
- Intrinsic-ID, The Netherlands : offers the only key storage solution for system and semiconductor companies that provides technology independent security to a level that’s physically unclonable, making cloning a thing of the past.
- Auxetix, UK : ballistic-protection fabrics can provide significant protection against primary and secondary fragmentation.

15.30h Discussion Panel with the Belgian Jury Members

16.10h Coffee Break & Refreshments, visit to the Finalists Innovation Booths

Parallel session: Closed door question and answer session for teams and judges deliberations (16.00h – 17.30h)
(10mins each, 20mins deliberations)

16.50h Outsourcing & Security : David Lacey

18.00h Return of the Jury, Announcement of results
presentation of the Winner of the Finalists
(15mins)

18.15h Closing Notes

18.30h Cocktail Reception & Networking

20.00h Close of Event

By showcasing innovative ideas and developments to other Belgian companies, LSEC also wants to launch a broader social debate about current information security challenges. Companies competing in the GSC are not only handed a national, but also an international platform to showcase their innovation to the world. And they are also introduced to international investors who are specialized in the subject and are able to support them. And finally, more than 500,000 dollar in grants and subsidies can be won.

Practical Details

Global Security Challenge Western Europe Finals
Wednesday September 9th, 2009
SAP Lounge, Vilvoorde, Dewezplein 5 (near Rondeweg)
For Registration and program updates :
http://www.lsec.be/index.php/whats_happening/event/global_security_challenge_and_lsec_awards_2009/

You can also apply for a seat by sending an email to gsc2009 (at) lsec.be. A confirmation email will be sent to you once your application has been successfully received.

The Western Europe Final of the Global Security Challenge is part of the Global Security Week, a week during which special focus is drawn to activities on the protection of information in the world. During this week, a number of activities are being held in Belgium by LSEC, including seminars on VoIP Security, Security Information and Event Management and Information Lifecycle management and IAM.
These events are intended to make people and organizations aware about the needs of information security and security as a whole.

Looking forward to seeing you on Wednesday, September 9th, 2009 or at any of our earlier events.

Are you a leader in Security ? Do you want to share your expertise and join the Leaders in Security as a Core Expert Member ?
Contact us via email! Or call +32.16.32.85.41 for a direct contact and more information.
An information set and your Membership Welcome Pack awaits you.

 

Copyright LSEC vzw 2007-2008 with the support of the IWT.

LSEC vzw Kasteelpark 10 - 3001 Heverlee - VAT BE BE 478 045 395 - fax. +32.16.32.19.69 - info @ lsec.be

Expert: Cognitive Security

Providing detailed intelligence against highly sophisticated network attacks.

Expert: Courion

Leader in IAM Solutions

Expert: Oracle

Oracle Belgium & Luxemburg

Expert: Option

Wireless data security enablers

Expert: TNO

TNO Research and Innovation

Expert: Control & Protection

Automation SCADA, PLC; measuring devices and fire protection

Expert: Thales Group

Thales Group

Expert: On2It

Smart IT Security We Are On To It

Expert: Mobco

Mobile Fleet Management

Expert: TITANS

TITANS ICT Consulting

Expert: G Data

G Data Anti Virus Solutions

Expert: Outpost 24 - Vulnerability Management Made Easy

Outpost 24 - Vulnerability Management Made Easy

Expert: Regify - Trusted and Binding Secure eMail

Regify - Trusted and Binding Secure eMail

Expert: Mobila - Mobile Enterprise Applications

Mobile Enterprise & Applications

Expert: Lancelot Institute

Lancelot Institute - Training in Information Security, IT- Risk & IT - Auditing

Expert: CSI Tools

CSI tools is an expert software solution provider specialized in powerful tools for IT architects and auditors who are focused on maximizing GRC project development efficiency in SAP environments.

Expert: Intrinsic-ID

Content Protection, Unique Device Identification, Key Storage, PUF Physical Unclonable Functions

Expert: Belgacom ICT

Belgacom ICT Security Solutions for Large, Medium and Small Enterprises

Expert: Qualys

On Demand Vulnerability Management and Policy Compliance

Expert: Trend Micro

Securing your web world

Expert: Egemin

Egemin provides process and handling automation engineering and Secures Industry Automation

Expert: AEP Networks

More than 60 countries ... protected by AEP Networks

Expert: Palo Alto Networks

Next Generation Firewalls

Expert: Atos Origin Belgium & Luxemburg

A leading IT services provider. Ranks 1 in telecom outsourcing. Via Atos Worldline specialized in financial transactions.

Expert: Websense

Leading provider of unified content security

Expert: CA Technologies

Protect your critical IT assets, achieve sustainable regulatory compliance, reduce IT administration costs and enable new business opportunities with our security management products.

Expert: Axl-Trax

axl & trax are highly qualified experts in providing leading edge GRC services for SAP

Expert: VintiQ

VintiQ - Security Management Services

Expert: T-Systems Belgium

T-Systems is Deutsche Telekom's corporate customer arm.

Expert: LIN.K nv - LINKID

LIN.K is a provider of online user authentication, identification with the system LINKID

Expert: Devoteam Belgium

Devoteam Belgium, one of the major European ICT consultancy specialists with offices in 23 countries

Expert: CHB Technologies - Celadon Hailstone Biometrics

Celadon Hailstone Biometrics

Expert: Barracuda Networks

Worldwide supplier of email and internet security

Expert: Sophos

Sophos - Utimaco is a leading global provider of data security solutions, enabling mid- to large-size organizations to safeguard their data assets against intentional or unintentional data loss, and to comply with privacy laws.

Expert: Dimension Data

Dimension Data

Expert: Bull

Bull

Expert: Check Point Software Technologies

Check Point Software Technologies

Expert: MMS-Secure

MMS-Secure nv, a distributor with a specific focus on network and systems security

Expert: F-Secure Corporation

F-Secure - Fastest Focused Anti-Virus Protection

Expert: C-Cure

C-Cure have been Information Security architects since 1998

Expert: IS4U

IS4U - Cronos specializes in Identity and Access Management

Expert: UCL Crypto Group

The Crypto Group of UCL, the UC of Louvain-la-Neuve is a research group specialized in cryptography and information security.

Expert: eID Company

eID company provides a flexible, easy-to-integrate eID for any web application. Access to eID as a webservice.

Expert: ACA IT-Solutions

ACA IT-Solutions, end to end IT solutions and IDM Expert. Probably the largest and most successful independent J2EE solution provider.

Expert: RSA - Security Division of EMC

RSA - The Security Division of EMC. One of the leading companies in the world in IT Security. Enterprise wide Data Security solutions, suites and Services.

Expert: Unisys

Security Unleashed – At Unisys, we’re looking at security in an entirely new way. Security is no longer a defensive measure. It’s an enabling catalyst for achievement. Unisys Secure Business Operations help to unleash your full potential.

Expert: Zion Security

ZION SECURITY is the leading European application security company. Our mission is to secure your business value by securing your business applications.

Expert: Zetes

For those who want to see the difference!

Expert: Vasco

VASCO designs, develops, markets and supports patented User Authentication products for e-business and e-commerce.

Expert: SUN Microsystems

Everyone and everywhere connected to the network.

Expert: Security4Biz

Security4Biz offers ICT security consultancy services.

Expert: SecurIT

The value proposition to our customers is the competence and experience of highly qualified people, combined with best-in-class solutions from leading suppliers, and our entire focus on Identity and Access Management.

Expert: Sealed

Expert in implementation of e-Security, e-Proofs and e-ID within the management of business & document flows & processes, or within the management of your enterprise content in the broad sense.

Expert: McAfee

McAfee is the world's largest dedicated security company.

Expert: NXP (founded by Philips)

Sense & simplicity. Help customers to transform initial ideas into competitive products and cost-efficient manufacturing solutions within healthcare, lifestyle and technology.

Expert: KPMG

KPMG Information Risk Management (IRM) focuses on inherent risks in technology systems used to support your business objectives and grow your business.

Expert: EMC2

EMC Corporation is the world's leading developer and provider of information infrastructure technology and solutions.

Expert: Deloitte

In addition to the qualities of a leading Belgian audit and consulting firm, Deloitte is different through the values it shares daily with clients and employees.

Expert: Certipost

Specialist in secured electronic document exchange for companies, the state, and for residential customers.

Expert: Ascure

World class information risk management services!

Expert: Verizon Business

Verizon Business is now the leading provider of managed security services worldwide with acquisition of Cybertrust.

Expert: K.U. Leuven

Computer Security and Industrial Cryptography (COSIC): Cryptography to protect data against passive and active fraud.

Expert: ATOS Worldline nv

Specialist in end-to-end secure payment systems.

Expertise: UTM

UTM - Unified Threat Management

Expertise: End Point Security

End Point Security

Expertise: DLP - Data Leakage, Data Loss Prevention and Protection

DLP - Data Leakage, Data Loss Prevention and Protection

Expertise: SOA - Service Oriented Architectures

Expertise: Identity Management

Identity Management (IdM) enables organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized access

Expertise: Crypto

Cryptography

Expertise: Secure Application Development

Secure Application Development. Security does not start only at the user name and password login; it needs to be integrated from the very first entry of the software.

Expertise: RFID

passive and active low-cost wireless tags

Expertise: Application Security

encompasses measures taken to prevent exceptions in the security policy of an application or the underlying system

Expertise: Wireless Security

Expertise: Appliances

protect computer networks from unwanted data traffic, intruders, email spam, enforce policies, and may also be used to create and manage VPNs.

Expertise: Access Control

the ability to permit or deny the use of something by someone.

Expertise: Risk and Vulnerability Assessment

process of identifying and quantifying vulnerabilities in a system. Cataloging assets and capabilities (resources) in a system

Expertise: Penetration Testing

A method of evaluating the security of a computer system or network by simulating an attack by a malicious user, commonly known as a hacker.

Expertise: Physical Security

describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts.

Expertise: Remote Access

computer program that lets you access your PC from another PC via the Internet, LAN, or phone connection and work on your computer ...

Expertise: Security Policy

security policy is a definition of what it means to be secure for a system, organization or other entity. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries

Expertise: Anti-Virus

Software that detects, repairs, cleans, or removes virus-infected files from a computer.

Expertise: Spyware

Software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes.

Expertise: Authorization

The process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication.

Expertise: Authentication

Provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access.

Expertise: Computer Virus

Program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document.

Expertise: Smart Cards

smart card or chip card, is defined as any pocket-sized card with embedded integrated circuits which can process information such as a SIM for a mobile phone or an eID card

Expertise: UTM and Appliances

Unified threat management (UTM) is a term which is used to describe network firewalls that have many features in one box, for example junk e-mail filtering, or anti-virus capability, along with the traditional activities of a firewall.

Expertise: NAC

Network access control (NAC) is a method by which hardware and software grant access to enterprise network resources after first authorizing the user and device and verifying the device's compliance with the enterprise's security policy.

Expertise: Biometrics

Biometrics (ancient Greek: bios = "life", metron = "measure") is the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.

Expertise: DRM

Expertise: eID - Electronic Identity Cards

The electronic identity card (eID) is an official electronic proof of one's identity. It also enables the possibility to sign electronic documents with a legal signature.