Identity Next Belgium

23-May-2012

The IDentityNext event is an initiative of the IDentity.Next association. The main mission of the IDentity.Next association is to create an open and independent platform to support and facilitate innovative approaches in the world of digital identity, to create awareness about digital identity, to provide a knowledge and networking platform for IT and business experts and marketeers as a European centre of expertise, and to ensure that everyone connected with the association stays at the forefront of technology, services and business by supporting innovation and by stimulating and supporting knowledge exchange and collaboration.

Identity Next and LSEC will jointly organize the first Identity Next Belgium. The mix of two strong concepts and leaders in their space will bring together European experts in the domain of Identity Management.

Preliminary Program

Call for papers is now open.
Submit your ideas for papers, panel discussions or un-conference activities until February 20th, via identitynext @ lsec.be

Practical Details

Leuven, Ubicenter May 23 - 24th, conference and un-conference

subscriptions : http://identitynextbelgium2012.eventbrite.com/

APJF - Attack Prevention with Juniper Networks Firewalls

14-May-2012

This one-day course meets the business need of customers who are deploying the attack prevention features of ScreenOS software. The course focuses specifically on the attack-related features and assumes familiarity with ScreenOS software. Upon completing this course, you should be able to return to work and successfully configure and verify the desired attack prevention features.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET11
Subscription: http://www.jcacademy.be

Windows security

14-May-2012

Most environments run Windows, and most of these Windows machines are attached to Active Directory domains. By using your installed Windows infrastructure, you have a large variety of built-in options to secure your network, saving your organization a lot of money. ‘Windows security’ discusses for instance Active Directory forest design, the use of Group Policy to lock down desktops, securing public IIS web servers, the architecture of Microsoft PKI, the use of Microsoft firewall products, the use of Hyper-V. The session is illustrated with numerous practical demonstrations.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT43
Subscription: http://www.jcacademy.be

IIDP - Implementing Intrusion Detection and Prevention

03-May-2012

The Juniper IDP appliance will detect malicious signatures and anomalies targeting your network. This course shows you how to install, configure and manage the Juniper IDP appliance.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET07
Subscription: http://www.jcacademy.be

Mobile Payment, Mobile Banking, Mobile Security

25-Apr-2012

In December 2011, mobile commerce – internet retailing via mobile devices – increased by 173% from the previous month. From about 4 billion today, M-commerce is expected to grow to over 25 billion € by 2016. In a Europe where smart phones are omnipresent and mobile internet can be accessed almost everywhere, it is becoming obvious that consumers are increasingly prepared to use their handsets to carry out various types of transactions.

Introduction

Carrying a mobile phone suddenly became more obvious than carrying a wallet with cash, payment cards, ID and other plastic. Transactions could be purchases via e-commerce stores, but already today there have been numerous test cases using handhelds as a means of payment in traditional stores, for instance by using NFC. In various major European cities, citizens pay their parking meter in the street by SMS. Today, PayPal, Google and many other service providers have mobile apps available that allow their customers to transfer funds wirelessly.

We are witnessing a second wave of interest in mobile payments. But similar to the first one, there are many fragmented attempts with a diversity of channels and technologies. This fragmentation has been one of the key reasons why the market has not yet picked up.

Another challenge of this development is ensuring security. Whilst security is a constant challenge in traditional payment and banking systems, the risks facing mobile applications are incremental. Depending on the technology used for transactions (NFC, wireless 3G or Wi-Fi), security is additionally affected by the OS of the handheld device and by the terminals on the other end. Payment processing providers have developed a series of standards to secure those transactions, but today's applications are being challenged by mobile Trojans, wireless sniffers and flaws in the OS that impact the trustworthiness of the underlying systems. Security professionals serving the financial services industry, e-commerce and retail organizations and other related industries should become aware of the ongoing developments and seize the opportunity of processing those transactions in a trustworthy way.

While 2011 was the year of the massive launch of mobile banking platforms by numerous commercial banks worldwide, the security landscape saw a shift in e-fraud from traditional credit card theft to phishing and man-in-the-middle attacks on online banking services, both traditional and mobile. Major fraud attempts were discovered in Spain, Germany and other European markets where mobile banking took off.

This conference will focus on bringing together relevant participants from the finance, commerce, telecommunications and ICT landscape in order to jointly overcome challenges and seize the growth opportunities.

Preliminary Program

8.00 - 9.30 : Registration
9.30 : Introduction
9.45 : Keynote : EUROPAY?
10.20 : Keynote : Austrian business case & key learnings
10.50 : Panel discussion 1 : challengers
11.30 : Break
12.00 : Panel discussion 2 : innovators
12.40 : Panel discussion 3 : dinosaurs
Innovations In Payment Delivery Channels - What Do They Mean For Payments Providers In Competitive And Operational Terms?
Debate all aspects of multi-channel delivery - from online to contactless and remote mobile payments - and explore their potential for both retail and wholesale payments providers.
13.10 : networking walking lunch & buffet
14.30 : break outs part 1

EIC - Electronic Identity Conference - KuppingerCole 2011

17-Apr-2012

The EIC is one of the leading conferences in the field of Identity Management, reaching out yearly to all expert leaders in the domain throughout Europe. Typically attended by industry players, but also by end consumers and government officials, it gathered in 2010 over 550 delegates from all over the world. In depth discussions, new announcements and the IDM award are standard components. Organized as a yearly event by leading European market analyst firm Kuppinger Cole focused on EIC and Cloud Computing.

This year, LSEC is supporting the EIC and its activities and would like to invite its members and partners to participate as well.

About EIC (European Identity Conference)

With more than 550 attendees the European Identity Conference (EIC) 2011 in Munich has been the major platform in Europe to establish, continue and intensify the dialog between GRC and identity management thought leaders and users from all over the world, and between vendors, vendor partners and users.
EIC is the place to meet with enterprise technologists, thought leaders and experts to learn about, discuss and shape the market in most significant technology topics such as Identity Management, Governance, Risk Management and Compliance (GRC) and Cloud Computing. With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe and has been intensively covered in the news, in many blog entries, newsletters and Kuppinger Cole Reports.

https://www.kuppingercole.com/events/eic2011

Thought Leadership

Thanks to 550+ attendees, speakers, sponsors, exhibitors and press members, EIC 2010 again turned into an unforgettable event and a conference that fulfilled its role as a major platform to create, continue and intensify the dialog between thought leaders and users, between business and technology. With intensive discussions inside the sessions and outside, and an exchange of experiences and ideas, we all hope that you could carry away enough inspiration for your upcoming projects.
Matching tomorrow’s promise with today’s reality - the European Identity Conference has become the place where thought leaders from all over the world meet with enterprise users and discuss innovations and their impact on enterprise infrastructures.

Best practices

Learning through experience - as in previous years, EIC offers a great choice of valuable end user case studies, delivering practical advice on how to create business value through IAM and GRC programs that enhance effectiveness and efficiency.
Reaching out for maturity, refining and optimizing your strategic and tactical approaches - learn from your peers.

European Identity Award

Practical Details

Conference (10.-13.05.2011): Conference including Pre-Conf Sessions, Expo and Evening Event
Conference + Workshops (10.-13.05.2011): Pre-Conf Sessions, Conference, Expo, Evening Event and Post-Conf Workshops
Public Services, Hospitals + Academic (10.-13.05.2011)
Free access for government and military: Free access to the expo area, keynotes and pre-conference workshops

For more details, please register at : European Identity Conference 2011

LSEC partners receive an additional discount by mentioning LSEC1 during registration. LSEC Members should enquire about their reduction by contacting their LSEC representative and asking for their registration code.

EIC 2011 - Kuppinger Cole
Dolce Ballhaus-Forum
Andreas-Danzer-Weg 1 • 85716 Unterschleißheim
Phone: +49 (89) 370 530 0
Internet: http://www.dolcemunich.com/

Security essentials

28-Mar-2012

Organizations transform their systems into intranets and extranets and establish VPN connections over the public Internet. These interconnected systems face several threats that can cause severe damage to the company and its assets: employees, competitors, viruses, crackers,… This course is not about detailed problem descriptions and solutions but aims to provide a conceptual view of the security problem.
More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT29
Subscription: http://www.jcacademy.be

Learning Internet & Intranet Security Fundamentals (LISF)

28-Mar-2012

In this general and basic security course, we will have a look at some security principles, and afterwards we will discuss some protocols and methods to implement security in the network.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT23
Subscription: http://www.jcacademy.be

Infosecurity Belgium 2012

28-Mar-2012

Tradeshow, Seminars, Networking, ....

Infosecurity 2012 will offer a great way to explore the latest trends in information security, discuss with various experts, and learn from peers and experts during the seminar sessions.

LSEC Theatre - Best of LSEC 2011-2012

On Thursday March 29th, LSEC will be hosting a number of interesting talks that were highly appreciated by the attendees of these seminars during 2011.
As a best of show, you’ll be getting a good flavour of the current challenges, opportunities by some of the best speakers and presentations by experts.

You are welcome to join any of these sessions during the show. Probably best to sign up via the Infosecurity.be registration system, or showing up during the show.

10.15 – 10.45 : TBD : Wouter Janssen, Axl & Trax
11.00 – 11.40 : TBD
12.00 – 12.40 : TBD : Marc Vanmaele, SecurIT
13.00 – 13.40 : TBD : Dimension Data, Stefaan Hinderyckx
14.00 – 14.40 : TBD : Toralv Dirro, McAfee
15.00 – 15.40 : TBD : Vincent Vanbiervliet, Sophos
16.00 – 16.40 : TBD : Vasco Data Security

Other interesting presentations facilitated by LSEC :

Opening Keynote, by Bart Preneel, Chairman LSEC and Head of COSIC, KU Leuven

Bring Your Own Device, by Jean-Luc Delvaux, Belgacom

Web Application Security, by Erwin Geirnaert, Zion Security

Practical Details

Infosecurity 2012, March 28 - 29 2012, Expo Brussel

More information and registration, please visit: http://www.infosecurity.be

IFVH - Integrating Juniper Networks Firewalls and VPN’s into High Performance Networks

26-Mar-2012

This course focuses on the ScreenOS features that are typically required in large-scale networks, including dynamic routing, virtual systems, traffic shaping, and high availability. Upon completing this course, students should be able to return to work and successfully install, configure, and verify that a ScreenOS-based device is interoperating in the network as desired. Through demonstrations and hands-on labs, students gain experience in configuring, testing, and troubleshooting these advanced features of ScreenOS software.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET02
Subscription: http://www.jcacademy.be

Advanced Penetration Testing

19-Mar-2012

The Advanced Penetration Testing class aims to bridge the gap between conventional pentesting techniques and blackhat hacking techniques. The class will force you to think like a malicious hacker and teaches you how to pentest and break into secure environments that have fully patched operating systems and programs. The class will focus on a “scenario centric” approach rather than relying on a “tool centric” one.

Participants will learn:

How to think out of the box during pentests
Bleeding edge techniques used by hackers
How to conduct pentests on networks which are fully patched
How to conduct the most advanced attacks in the pentest business

Instructor Vivek Ramachandran has been involved in security research, product development, penetration testing and evangelism for over a decade now. He discovered the Caffe Latte attack and also broke WEP Cloaking, a WEP protection schema, in 2007 publicly at Defcon and introduced the concept of pure Wi-Fi based malware and worms. He is also the author of the book “Wireless Penetration Testing using BackTrack 5”, which has received great appreciation from the worldwide security and hacker community. His second book, “Metasploit Megaprimer”, is due for launch in February 2012.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=INT55
Subscription: http://www.jcacademy.be

Intrusion Detection and Vulnerability Management 2012

16-Mar-2012

Vulnerability and intrusion detection and management are key components in any security assessment and in any consideration to improve the existing environment. During this seminar, LSEC and its partners will inform attendees about current methodologies, best practices, how to recognize the experts, DIY, outsourced or as a service ...

Intrusion Detection and Vulnerability Management

Vulnerabilities in an environment, be it a network, network components, a computer system or an application, are key in the challenge of securing an information or IT environment: knowing about them in the first place and, next, making sure they are no longer vulnerabilities going forward.
These vulnerabilities provide holes for hackers, information thieves, and others to exploit your environments. Sometimes they are wrongfully or carelessly engineered, but on many occasions they are just human errors made during maintenance or other interventions. They can be basic ports in servers or firewalls, they could be misconfigurations in a database, or they might be errors in an Adobe PDF reader, and they can be exploited to either cause a denial of service or provide unintended access to the protected information.

Detecting vulnerabilities before they are exploited is a key part of a proactive security strategy, and is required by many compliance regimes as part of due diligence. However, most compliance regimes only require simple forms of vulnerability scanning, causing strong downward price pressure when compliance (versus proactive security) is the driving requirement. Deeper methods of vulnerability discovery, such as penetration testing and static/dynamic application security testing, are being deployed to take more proactive steps against targeted threats that go beyond simply exploiting missing patches or misconfigured operating systems.

During this seminar, LSEC has the intention to inform Information Security professionals, Security Managers, CSO’s, CISO’s, IT Management, CIO’s and Auditors about the current trends, evolutions, methodologies and systems that could help and facilitate in the process of vulnerability management, including assessment, pen testing, intrusion detection and managed or outsourced services.

Preliminary Program

The following speakers and topics have been put under consideration. The organizers are open to other suggestions and ideas, as well as to comments on the current program overview.

- Verizon Business, powered by Cybertrust
- Dimension Data
- Telenet - C-Cure
- Outpost 24, Ron Perris, CTO
- Belgacom ICT - Telindus Advanced Network Security Forensics, by Hans De Raeve, Product Manager ICT Security
- Zion Security: Combining vulnerability management with web application firewalls: a perfect fit!, by Erwin Geirnaert
- Qualys
- Secunia
- Lancelot Institute
- InveaTech
- ...

Some of the following questions and considerations will be discussed :
- what is vulnerability management, intrusion detection, pen testing, ethical hacking, ...
- methodologies, standards, certifications, ...
- DIY vs outsourced, key elements and considerations
- hosted, as a service vs appliances vs manual, complementary or competitive
- forensics and what if ...
- ...

Practical

LSEC 2012 intrusion detection and vulnerability management

Ubicenter, Verizon Business, Philipssite 5, 3000 Leuven

Friday, March 16th, from 9 AM to 18h, with networking and tradeshow facilities, coffees, lunches.
Limited seating, ensure your seat and reserve today.

Register now at : http://vulnerabilitymanagement2012.eventbrite.com

Free if registered before December 31st. 150 € participation fee if registered before February 29th, 250 € from March 1st onwards.
Cancellation fee of 150 € upon cancellation after March 1st.

Free to participate for LSEC Expert Members and Members of TeleTrust, SITC, Systematic, Cluster Seguridad and NSM upon confirmation of their membership.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

NSMF - Network and Security Manager Fundamentals

15-Mar-2012

This course discusses the basic operations of Security Manager. Key topics include server and domain administration, device configuration, template creation and management, policy creation and management, logging, and report generation. Through demonstrations and hands-on labs, students gain experience in configuring, testing, and troubleshooting features of Security Manager.
More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET15
Subscription: http://www.jcacademy.be

Wi-Fi Security

14-Mar-2012

Wi-Fi has become ubiquitous in our lives today. However, the flexibility and mobility provided by Wi-Fi comes at a cost – inherent insecurity! In this workshop, we will explore the basics of wireless security; learn how to conduct wireless security audits and also how to create a secure wireless network using various industry best practices.
Instructor Vivek Ramachandran is a world renowned security researcher and evangelist. His expertise includes computer and network security, exploit research, wireless security, computer forensics, embedded systems security, compliance and e-Governance. He is the author of the books “Wireless Penetration Testing using Backtrack” and “The Metasploit Megaprimer”, both up for worldwide release in mid 2011. Vivek is a B.Tech from IIT Guwahati and an advisor to the computer science department’s Security Lab.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT48
Subscription: http://www.jcacademy.be

Mobile Application Security and Penetration Testing

12-Mar-2012

Mobiles have become an integral part of our life. What started off as just a phone has now transitioned to a powerful, full-blown computing platform running applications that help us email, surf the Internet, make financial transactions etc. anywhere, anytime. Unfortunately, mobile application security has not been able to keep pace with this exponential growth. This is primarily because most end users, application developers and penetration testers still do not understand the intrinsic challenges in mobile application secure usage, development and testing. This 2-day class aims to introduce you to the various challenges of mobile application security and shows you how to systematically test and secure your applications.

Participants will learn:

How to find security vulnerabilities in mobile applications
Penetration test mobile application frontend and backends
Security architecture of iPhone and Android systems
Subverting platform security controls including application decryption and disassembly

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=INT54
Subscription: http://www.jcacademy.be

AJVI - Advanced Juniper Networks IPSec VPN Implementations

05-Mar-2012

This intermediate-level course focuses on the wide range of options available when configuring VPNs using Juniper Networks firewall/VPN products. Students attending the course will learn these various deployments through detailed lectures and hands-on lab exercises.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=NET03
Subscription: http://www.jcacademy.be

Hacking Explained & Intrusion Detection (HEXID)

27-Feb-2012

You will be guided into the multi-coloured world of hacking using common standard tools. Starting from scratch, you will soon start to look differently at your networking infrastructure. Step by step, we will take a clear look at the fascinating life on the other side of your firewall. In order to stay secure, you need a fresh and stimulating awareness. Furthermore, the knowledge of hacking taxonomies will help you considerably with the configuration and understanding of intrusion detection systems.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT26
Subscription: http://www.jcacademy.be

Penetration Testing using BackTrack

27-Feb-2012

A professional and seasoned team of Security Professionals will help you take your skills a few steps further. “Common” hacking techniques are revisited from a professional and practical approach for a better and more efficient pentest. Several topics include “hardcore drilldowns”, such as bypassing ASLR during exploit development, injecting malicious code into files under Windows Vista, bypassing Antivirus systems, etc., all based on the award-winning live distribution BackTrack. The course is heavily laced with the “do it yourself” approach, and will expose you to the raw underlying mechanisms of the various attack vectors.

The course price includes the syllabus license cost of 1000$ covering:

PDF of the course watermarked by his/her name
Virtual machines with test servers for the labs
30 days access to the online labs
the opportunity to take the online exam and get certified

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT41
Subscription: http://www.jcacademy.be

CJFV - Configuring Juniper Networks Firewall/IPSec VPN Products

27-Feb-2012

This course is the first in the ScreenOS curriculum. It is an instructor-led course that focuses on configuration of the Juniper Networks firewall/VPN products in a variety of situations, including basic administrative access, routing, firewall policies and policy options, attack prevention features, address translation, and VPN implementations. The course combines both lecture and labs, with significant time allocated for hands-on experience. Students completing this course should be confident in their ability to configure Juniper Networks firewall/VPN products in a wide range of installations.
More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET12
Subscription: http://www.jcacademy.be

AJSA - Advanced Juniper Secure Access

16-Feb-2012

The Juniper Secure Access (SA) device gives granular access to your internal network resources through a secured SSL VPN. This course discusses the advanced features.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=NET13
Subscription: http://www.jcacademy.be

Configuring & Implementing PKI Systems (CIPS)

13-Feb-2012

A general course on PKI where we discuss and practice several PKI solutions, after having explained how PKI works and what it is built on.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT27
Subscription: http://www.jcacademy.be

Security Hardening 2012 - part 1

08-Feb-2012

!!! Update February 1st, new topics added !!!

Sequel to the successful Security Hardening Event of October 2011, LSEC and its partners are organizing the follow-up event on February 8th, 2012.

After the successful LSEC Security Hardening event in October 2011, in the week before the 2012 RSA US Conference, LSEC will organize its bi-annual Security Hardening 2012 again in Leuven at the Verizon Business’ Ubicenter. “Security Hardening” means to explore the possibilities of improving the IT and Information Security architectures and systems.

During the seminar, it became obvious that most of the topics were very complementary and gave an interesting viewpoint on how to improve security measures within companies.

Outline

This seminar is mainly intended for companies and government departments that already have a security environment and are interested in finding out about new solutions, new approaches and ways to improve their security infrastructure. Security Hardening in this case meant increasing the level of security on different aspects and components of your environment. This would have been either from a network security perspective, a database and application perspective, or by increasing the granularity and scope of your data protection technologies. Hardening was also understood to include ways and procedures to improve security management as a whole.

All together, we’ve explored how to grow from the typical 80% of managed IT and information security risks to 90%, and to understand the complexities, costs and resources necessary for this upgrade path.

Preliminary Program Outline

Security Hardening is a rather wide concept, and leaves a lot of opportunities for various topics, but the idea would be to “bring something new and fresh to Security Officers and related people managing IT Security … “. Both network security, data security, privacy and other topics are very welcome.

9.15h : Welcome Coffee & Registration

9.45h : Introduction & Opening Notes by Ulrich Seldeslachts, CEO LSEC

10.00h : Securing endpoints in the cloud, mobile authentication and encryption to harden the mobile workforce, by Jan Vekemans, Option Mobile Security - Option

Introducing the concept of The Cloudkey®, a token that provides a platform for secure mobile access. Cloudkey hardens the authentication and the mobile communication layers, combining proven Vasco Digipass authentication with Option’s 3G communications technology to provide an all in one product that simplifies strong, secure access. It is intended for situations that require secure, highly available internet connectivity combined with authentication: internet and intranet access in government and enterprises, gambling & gaming applications, and applications where Digipass technology has already been deployed and there is a requirement to combine this with 3G communications.

10.40 : Intelligent network behavior analysis: qualifying your security events and information and making an automated evaluation of threats and challenges. Mobile Security Strategies. Hardening your security on the basis of your security information, by Gabriel Dusil, Cognitive Security

Synopsis: The explosion in cellular usage and mobile commerce will require advanced levels of protection for mobile users, as hackers continue to find vulnerabilities to exploit. As mobile data is expected to grow 16 fold over the next four years, mobile providers are facing new challenges in balancing subscriber ease-of-use with cyber-security protection. A dual strategy which includes end-point and infrastructure security should provide robust and cost effective levels of protection. Network Behavior Analysis is a viable building block for infrastructure security, and helps to protect a collective subscriber base against sophisticated mobile cyber-attacks.

11.20 : How to protect your data at rest with tape encryption? by Christian Vanden Balck, Oracle Systems EMEA Long Term Storage

Tape encryption, technology of the past or hardening method for archiving?

There is a variety of storage possibilities of archiving methods and systems. Depending on the business needs, many companies are still relying on tapes. Those tapes can become a potential risk if not securely managed. Hardening security of archiving should be considered. The physical loss of tape cartridges containing sensitive data poses a major risk. High-speed data encryption on the tape drive. Oracle Systems, through their acquisition of SUN Microsystems, also acquired StorageTek. Oracle hardened the business requirements with Oracle Key Manager (OKM), which centrally authorizes, secures, and manages all of the encryption keys.

About : Christian has over 19 years of experience in IT, including 7 years of internal IT at Colruyt and 12 years at StorageTek (acquired by Sun Microsystems which was acquired by Oracle). From a PL/1 programmer on IBM mainframe his focus has rapidly evolved to Storage on both IBM mainframe and Open systems. In his current role, Christian is working in an EMEA role supporting the Oracle Long Term Storage business for the BeNeLux and Eastern Europe/CIS clusters. Main topics of interest are hardware encryption on tape, archiving and compliance needs, disaster recovery and green IT.

12.00 : The recent evolution in encryption methods, might be a help in hardening your systems. AES is the standard, but are there other methodologies that could harden your systems and applications? by Vincent Rijmen, Full Professor, COSIC, KU Leuven

12.40 : lunch break

13.40 : Opening the deep risks of virtual infrastructures and assess them against hardening guidelines, by Aman Bar, the Lancelot Institute

During the presentation, the idea is to get access to a remote datacenter. Virtualization technologies provide a great technology to optimize the infrastructure use and provide flexibility in computing.
They should be well secured and sometimes the infrastructure is not completely secured.

14.20 : Hardening open-source content management systems: Drupal, Fork CMS and Umbraco, ... by Erwin Geirnaert, Zion Security

15.00 : Hardening against Advanced Persistent Threats (APT), how to? Marcel Snippe, RSA the Security Division of EMC

15.40 : Coffee Break

16.10 : Banking Trojans, effective, prolific and unstoppable? A technical dissection and hardening suggestions, by Eddy Willems, G Data Software

In the last decades, we have seen an enormous evolution in cyber threats. One of the scarier developments for many internet users in recent years is banking Trojans. These specifically target users where it hurts the most: in their wallets. And they seem to become more and more effective, if we can believe what we read in the media. But how come these Trojans are so effective and prolific? Aren’t antivirus solutions, which always seem to have malware detection rates of over 98%, detecting and stopping them? In this presentation, Eddy Willems, Security Evangelist at G Data, sheds light on how banking Trojans technically work, on how they keep themselves under the radar of the vast majority of all security solutions out there and on what can be done to stop them.

16.50 :  Remote Access Security, by Rudolf Schucha – Communications Security Consultant – Ultra Electronics - AEP Networks

All organizations are coping with challenges of remote access. Whether they are to enable employees access for teleworking, accessing partners for remote services, providing access to webservices or even access to cloud environments. An analysis of the problem will indicate that quite a series of challenges are being posed from technology to people skills. Risks appear to be numerous and the provider and receiver will have to be able to trust each other. With this presentation Mr Sucha will present a comprehensive approach of dealing with the challenge and improving your existing setup.

As a former HP/Agilent Network Measurement and Management Consultant of 14 years, Rudolf has been working with a large number of the big companies within the ICT sector as a trusted advisor on how to ensure network security. Rudolf joined AEP Networks (now Ultra Electronics AEP Networks) in September 2010 to add large scale project experience and technical expertise to the growing AEP team. In particular, his experience in network management combined with his knowledge of multimedia communication gives him a really good understanding of the modern and ever growing number of applications which look threatening to the historically grown government and enterprise networks.

17.30h When business fully understands the challenges of security, an end to end security strategy can be considered. An example from laptop to datacenter, by Antonio Mata Gomez, Oracle

Case:  Transparency, Accountability and Auditability of high privileged users access is mandatory.

Efficient and consistent User Administration of multiple Databases is becoming more and more important, and is a basic requirement in compliance and auditing discussions.
Not only making sure that the right users have access to the right databases at any point in time, but also the traceability of the past and a full view of the lifecycle management and auditability of the high privileged users (eg DBAs) is a key basic compliance requirement in any organization.
Compliance is not only a matter of processes and applications, but also the place where the information is stored, is seen as a serious attention point for auditing the compliance, security and risk exposure. Ensuring that the right people at all times have only access to the information they are entitled to, has never been so important.
The user management across these multiple DB instances is often done individually, with manual interventions or using scripts, which is costly, not error free and not well accepted by auditors.

In this case we will elaborate how several companies have implemented Oracle CUA4DB to manage and report on high privileged data access profiles in order to cope with their Auditability & Accountability challenges in their database (300+) environment.

18.10h : Concluding notes & network reception

Specifically some topics we are aiming for :
- network monitoring, deep packet inspection
- embedded security
- IPv6 & impact on security
- Database security hardening
- Web application security - firewalling
- New developments in hardware security – TPG/CC-based
- Security as a service (in the cloud)
- Virtualization security
- Identity management – access management - authentication
- Vulnerability testing – intrusion detection
- Data Protection technologies & systems
- Critical Infrastructure Protection
- Cybersecurity & Malware protection
- Security Monitoring & Network Monitoring
- Governance & Compliance
- …

Practical Details

LSEC Security Hardening 2012 - part 1
February 8th, Ubicenter, Leuven

Register already now, to ensure your seat at http://securityhardening2012.eventbrite.com

Free to participate to LSEC Members, LSEC partners and partner Members, Agoria Members, ECSA Members.
Free to participate to any others when subscribed before December 30th. After that date, subscription fee of 150 €.
Non-Cancellation fee of 150 €, upon no cancellation at least 1 day before the event and non-appearance.

This event was supported by CA Technologies, an LSEC platinum sponsor for our events. We are always open to other, additional interested parties.

The ticket you will receive from Eventbrite will show February 8th only, but will cover both days. Please inform us if you can only participate on one of the two days.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

CJSA - Configuring Juniper Networks Secure Access

02-Feb-2012

This course discusses the configuration of Secure Access (SA) products in a typical network environment.
Key topics include SSL access technologies, basic implementation, and configuration and management options. Through demonstrations and hands-on labs, students will gain experience in configuring, testing, and troubleshooting basic facets of the SA products.

More info: http://www.jcacademy.be/jca/be-en/course-details.page?r=course&Short=NET10
Subscription: http://www.jcacademy.be

CPDP 2012 - Computer Privacy and Data Protection

27-Jan-2012

On Friday January 27th, LSEC organizes a day on data privacy and data protection. Part of the CPDP 2012 Conference, this day will focus on the implications and practical experiences of data protection in Belgium and Europe.

Data Protection in evolution : Coming of Age

During that day, the discussions will be slightly more focused on some of the practical implementations of the various applicable legislations and challenges by companies, organizations and government in applying them. Besides, the perspective will open up to the point when beyond the compliance to data protection regulations, there is also the aspect of protecting data (including private information) from intended or unintended misuse. During these sessions, we will also focus on some of the potential ways to deal with regulations from an operational perspective by presenting some methodologies, solutions and technologies and also their current challenges.
Finally the day will close with some views and discussions on how to practically deal with upcoming legislations, data leakage challenges and policy requirements by means of some innovative approaches, processes and technologies.

About the CPDP 2012 Conference

The CPDP (Computers, Privacy and Data Protection) conference is neither a purely academic conference nor a business or activist conference. It is a privacy stakeholder conference set up by five academic institutes with the aim to bring together academics, practitioners, policy-makers and civil society so they can meet, exchange ideas and discuss emerging issues of information technology, privacy, data protection and law.

CPDP is organised by the following institutions: Vrije Universiteit Brussel, the Université de Namur, the Universiteit van Tilburg, the Institut National de Recherche en Informatique et en Automatique and the Fraunhofer Institut für System und Innovationsforschung.

CPDP has progressively been growing since its inception both in terms of speakers, participants and panels and the ambition for its upcoming fifth consecutive edition is higher than ever. Last year’s conference welcomed more than 400 participants, including 180 speakers from all over the world. Its artistic and public side events such as the privacy party, two public debates, film screening and Pecha Kucha evening attracted an additional 800 people. Determined to exceed the positive feedbacks received from speakers and participants from the last years, which range from “excellent” to “brilliant agenda keeping”, this year’s conference offers twelve panels, a pre-conference, several academic and cultural side events and a PhD-evening.

The regular panels include both the presentation of stakeholders’ agenda and intense debates around key issues in the field of privacy, data protection, technology and society. In addition, specific sessions will be dedicated to the issues of ICT and aging, surveillance and law-enforcement and eDiscovery.

Practical Details

Business Track Data Protection and Privacy, Friday January 27th, 2012.
Part of the CPDP Conference 2012
Computers, Privacy & Data Protection 2012 conference - European Data Protection : Coming of Age
25, 26 and 27 January 2012 in Les Halles de Schaerbeek in Brussels, Belgium

For more information and registration please surf to: http://www.cpdpconferences.org/ or contact cpdpconference at lsec.be or download the program guide for the full conference.

Preliminary Program January 27th Business Track

Business Track : LSEC in cooperation with CPDP 2012

8.30 : crash course on privacy & data protection in 2012 : business challenges, regulatory environment in Europe and Belgium, supporting advice – Deloitte, Erik Luysterborg

During this first hour, business, IT and legal counsel within corporations and public administrations will be informed about the current and the changing Data Protection landscape and how it affects their business and day to day activities. This introduction into data protection challenges and opportunities will provide a good refresher or basic understanding.

Data Protection, Computer Security and Privacy in Business

9.30 : discussing one of the problems : update on data loss challenges, data breaches and protecting assets by Stefano Ciminelli, Verizon Business (35”)

10.15 : coffee break

10.30 : continuation of the data loss challenges discussion and discussing some other problems : removing digital footprint, technologies causing issues such as the need for privacy by design, personal data versus corporate communications – online social media, acceptable use and trade unions on privacy and network monitoring, on video surveillance and biometrics

Value of Corporate Secrets and key considerations for DLP, by Rashmi Tarbatt, EMC : why organizations are under investing in protecting secrets and spending more on compliance, update on Data Loss Protection (40”)

Panel Discussion :
Stefano Cimmineli, Verizon Business; Rashmi Tarbatt, Chief Security Architect EMC; John Szabo, CA Technologies; Bruno Schröder, Microsoft, Erik Luysterborg, Deloitte

Data protection technologies are varying from end point encryption on hard disks and portable media, over identification and authentication, information asset management and digital rights to evolutions of data and applications in the cloud. Technologies are evolving, business needs are more demanding, but how to define a suitable strategy and how to find a suitable solution?

An in depth discussion moderated by LSEC and Deloitte (50”)

13.00 : lunch

14.00 : Communicating and managing privacy within organizations

With contributions from TU Berlin and Deloitte.
Awareness and creating awareness are important components of a successful privacy preserving and data protecting policy. In the past, this has proven to be a critical component in most environments. Some experiences on communications and privacy within the organization will be shared.
Description: A prevalent issue for discussion is that of data protection legislation failing to keep pace with technological developments, particularly in the field of surveillance technologies. Privacy principles in organisations are often lacking, if they exist at all. This is an issue of particular interest currently due to a renewed debate of the principle of accountability. In this panel different approaches of how privacy communication within organisations can be enacted will be presented.
Chair: Daniel Guagnin, Technical University Berlin, Germany
Leon HEMPEL / Carla ILTEN (PATS), Technical University Berlin, Germany
Michelle CHIBBA, IPC Ontario, Canada
Wulf BOLTE / Peter LEPPELT, praemandatum, Germany
David Wright, (PIAF)
Erik Luysterborg, Deloitte

15.15 : coffee break

15.30 : discussing privacy & data protection technologies : challenges and opportunities

With contributions, presentations and panel discussion with RSA, CA Technologies, Microsoft, Deloitte
Discussion on Privacy Issues, A Reference Model for Managing Privacy in Cloud Computing and Other Complex Networked Environments, by John T Sabo, CA Technologies (40”)
This presentation will provide an overview of an important specification supporting online privacy management now being drafted by the Privacy Management Reference Model (PMRM) technical committee in the OASIS standards organization.

Companies and governments are implementing and developing various security systems and measures, in order to better protect and preserve their assets: people, information and electronic data. But systems such as surveillance and monitoring solutions are also impacting people’s privacy, and their rights as citizens. What are the practical implications? Are there balances to be found? Are there any standard company or trade practices? How should this evolve?

17.00 : concluding remarks

Special Invitations on request

If you would like to participate in the CPDP 2012 program, which is co-organized by LSEC, and if you would like to participate in the Business day on Friday January 27th only, please register at http://www.lsecatcpdp2012.eventbrite.com and ask for a special entry until December 31st.

A special invitation to participate in the CPDP 2012 Business day only, free of charge, can be awarded upon confirmation by the LSEC team after registration only. Only a limited number of seats can be awarded, on a first come, first served basis.
Priority to LSEC Members, and members of our partners TeleTrusT, SITC, Systematic, Cluster Seguridad and NSM.

CPDP 2012 - Computer Privacy and Data Protection 1

27-Jan-2012

Preliminary Program January 27th Business Track

Business Track : LSEC in cooperation with CPDP 2012

8.00 : breakfast crash course on privacy & data protection in 2012 : business challenges, regulatory environment in Europe and Belgium, supporting advice - Deloitte

During this first hour, business, IT and legal counsel within corporations and public administrations will be informed about the current and the changing Data Protection landscape and how it affects their business and day to day activities. This introduction into data protection challenges and opportunities will provide a good refresher or basic understanding.

Data Protection, Computer Security and Privacy in Business

During the following sessions, speakers have been asked to prepare a 15-minute presentation, which will be followed by an in-depth panel discussion of 20 to 30 minutes.

9.00 : discussing one of the problems : update on data loss challenges, and data breaches, protecting assets

With contributions and presentations by Verizon Business, FFW, RSA, Belgian Privacy Commission. Whether they are accidental loss of memory s
Companies and public authorities have been, and continue to be, challenged by loss of data in various forms and formats. Whether this is in the form of a memory stick lost in a taxi, theft of a laptop on a train, hackers breaking in the company’s websites, or compromised databases because of disgruntled employees, the value of the data and the cost of the loss itself (in case of personal data loss) are an important business risk.

10.30 : coffee break

10.45 : discussing some other problems : technologies causing issues such as the need for privacy by design, personal data versus corporate communications – online social media, acceptable use and trade unions on privacy and network monitoring, on video surveillance and biometrics

With contributions and presentations by Morpho Saffran, DLA Piper, EC JRC and Dimension Data.
Companies and governments are implementing and developing various security systems and measures, in order to better protect and preserve their assets: people, information and electronic data. But systems such as surveillance and monitoring solutions are also impacting people’s privacy, and their rights as citizens. What are the practical implications? Are there balances to be found? Are there any standard company or trade practices? How should this evolve?

An in depth discussion moderated by LSEC and Deloitte

12.00 : Privacy officers panel discussion. How to tackle the main privacy issues in practice: behavioral advertising, handling social media use on the work floor, data breach and incident management in changed (eg Cloud) environment, PCI-DSS, … discussing the real current issues and challenges

With Privacy Officers and related functions from various European companies in finance, healthcare, public administration, technology and retail.
This discussion will provide insight into the current day to day dealings of corporate or administrative functions and their responsibilities. How do they relate internally within the organization. Are there any best practices or common challenges, similar or different from other security, legal or risk officers?

13.00 : lunch

During the following sessions, speakers have been asked to prepare a 30-minute presentation.

14.00 : Communicating and managing privacy within organizations

With contributions from TU Berlin and Deloitte.
Awareness and creating awareness are important components of a successful privacy preserving and data protecting policy. In the past, this has proven to be a critical component in most environments. Some experiences on communications and privacy within the organization will be shared.

Description: A prevalent issue for discussion is that of data protection legislation failing to keep pace with technological developments, particularly in the field of surveillance technologies. Privacy principles in organisations are often lacking, if they exist at all. This is an issue of particular interest currently due to a renewed debate of the principle of accountability. In this panel different approaches of how privacy communication within organisations can be enacted will be presented.

Chair: Daniel Guagnin, Technical University Berlin, Germany

Leon HEMPEL / Carla ILTEN (PATS), Technical University Berlin, Germany
Michelle CHIBBA, IPC Ontario, Canada
Wulf BOLTE / Peter LEPPELT, praemandatum, Germany
(PIAF)(t.b.c.)

15.00 : coffee break

30 minute presentations & discussions

15.15 : discussing privacy & data protection technologies : challenges and opportunities

With contributions and presentations from RSA, Traxion, CA Technologies, Microsoft

Data protection technologies are varying from end point encryption on hard disks and portable media, over identification and authentication, information asset management and digital rights to evolutions of data and applications in the cloud. Technologies are evolving, business needs are more demanding, but how to define a suitable strategy and how to find a suitable solution?

17.00 : concluding remarks & next steps – cocktail reception

Exploit Research Workshop

16-Jan-2012

Exploit Research is the field of finding security vulnerabilities in software, and writing programs to exploit them. This is a very interesting field but also requires a lot of technical background and knowledge to dive into. In this workshop, we will start from the very basics and first learn assembly language programming to prepare you for the task ahead. After this we will learn how to exploit different vulnerabilities and bypass various security mechanisms such as DEP and ASLR. We will conclude by looking at how to integrate our exploit code with frameworks such as Metasploit.
Instructor Vivek Ramachandran is a world renowned security researcher and evangelist. His expertise includes computer and network security, exploit research, wireless security, computer forensics, embedded systems security, compliance and e-Governance. He is the author of the books “Wireless Penetration Testing using Backtrack” and “The Metasploit Megaprimer”, both up for worldwide release in mid 2011. Vivek is a B.Tech from IIT Guwahati and an advisor to the computer science department’s Security Lab.
More info:
http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT46
Subscription:
http://www.jcacademy.be

Discover advanced authentication and identification technologies : biometrics in 2011 for you?

01-Dec-2011

On Thursday December 1st, LSEC in cooperation with the European Security Innovation Network partners SITC, TeleTrusT and Systematic organized a one day seminar on the development and opportunity of using Biometrics in enterprise or government applications.

Biometrics 2011 : a market perspective, use cases and best practices

In 2008 LSEC organized a one day seminar on status of Biometrics, its evolutions and applicability.
Three years later, the world has evolved again significantly, and more and more organizations are using fingerprint readers, iris-scanners and other biometric authentication technologies on a day to day basis.
Biometrics are being included in electronic ID cards, evolutions in high performance scanners, evolutions in further reducing false positives in finger scans up to video analytics, standards are being discussed, privacy concerns are increasing while biometric data are being sent over the internet, ….
The time is right to re-visit biometrics and get a perspective of the current state-of-the-art and applicable solutions. How will biometrics be applied in the ever evolving mobile and virtualized world, will we be having a one single sign authentication, and how can privacy enhancing technologies be applied to biometric information?

The focus of the seminar was to find out what the benefits, challenges and business models for applying biometrics could be, what specific applicable solutions might be presented in environments that could be challenging for other types of authentication technologies.
Could biometrics in 2011 be a solution for your situation?

Program Outline

Biometrics 2011 : a market perspective, use cases and best practices

9.30 : Welcome & Registration

9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.

Biometrics in the overall security strategy – where does it belong and when technology makes the difference to add value, and not just be around security.
Ulrich Seldeslachts, LSEC

Biometrics are real, are here to stay
Biometrics solve real business issues and improve security
Technologies have become widespread and continue to improve and evolve
New paradigms are becoming clear
Privacy protection no longer an issue, but still challenging
Standardization drivers

10.05 : Biometrics in electronic documents, identity systems, by Thales

An overview of the application of biometrics in electronic identity systems for documents processing.

10.45 : Addressing border management & security dilemma through consolidation of biometrics and biographic passenger identities or how biometrics can be used in large scale challenging environments such as airports.
by André Oeyen, Director Biometric Business Development, SITA, Belgium

11.45 : Biometrics in office automation, more specifically: Trusted Office Printing : by Bart Smets CHB and Ilse Borremans, Macro4 : Case CHB – Macro4

12.30 : lunch & networking

13.30 : Using Iris recognition in industrial applications, by George Martin, CEO Smart Sensors

In a world of people movement, interconnection and networking, never has it been more important to know who has access to your assets, whether they are physical assets such as buildings and operational equipment such as plant, process facilities and machinery, or logical assets such as computer and communication systems where vital data, including financial transactions, may be processed and stored.

Biometrics offers a unique opportunity for organisations – both industrial and government – to build infrastructure that can permit or deny access on an automatic basis, according to a set of access permissions, authorisations and hierarchy.

This presentation will explore some of the use cases in this area, and why iris recognition offers a particularly attractive biometric modality.

About : Martin George is CEO of Smart Sensors Limited, based at the University of Bath’s Innovation Centre. The company has developed a class-leading, independent set of algorithms for iris biometrics, with particular application to the field of mobile and small-footprint biometrics. Smart Sensors works closely with iris capture equipment makers and ID Systems Integrators, licensing its algorithms and providing a variety of tools and analytics through which its customers can deploy a strong iris biometric capability.

14.30 : Biometrics, a security enabler – Ronald Huijgens, vice-chairman Dutch Biometric Forum

Director Biometric Technologies, Unisys

The Dutch biometric forum is a foundation that promotes meaningful, safe and reliable use of biometrics. Ronald has many years of experience in providing biometric solutions for companies and governments and has seen the development of the technology, its pros and cons over the last years.
Ronald will be presenting his view on how biometric solutions can be implemented as a security enabler in various contexts and positions. He will be able to present the value of biometrics over and next to other types of security technologies in the space of authentication and identification, in access control and other situations.

15.15 : Coffee Break

15.45 : Security and Privacy challenges with biometric solutions, by Koen Simoens, researcher KU Leuven, COSIC

The future of biometrics, evolutionary landscape, technology perspective, developments in research, industrial and end user challenges

Beyond Performance: Researches Addressing Practical Challenges of Biometrics-Enabled Applications, Bian Yang, Gjovik University College

As a secure and convenient means of identity authentication, biometrics’ technical performance (accuracy, efficiency, stability, etc.) will obviously have the greatest influence on the suitability of a biometrics-enabled system for a specific application scenario. However, beyond technical performance, we are facing various practical challenges (security and privacy, spoofing, scenarios needing new sensing technologies, applications for consumer electronics, …) that could hinder a biometric system from deployment. This talk will give an overview of such non-technical-performance practical challenges together with some state-of-the-art solutions resulting from innovative research in the relevant fields. Gjøvik University College has been tackling several of these challenges, and some recent research results in privacy protection and mobile biometrics applications will be shared with the audience. Future research trends will be discussed.

Biography: Dr. Bian Yang is a senior researcher with NISlab, Gjøvik University College, Norway. He received his PhD degree in 2006 from Harbin Institute of Technology (HIT), China, and worked with HIT as a researcher from 2005-2007 on media content security. He visited Fraunhofer IGD, Darmstadt 2003-2005 and was involved in the European projects ECRYPT and AXMEDIS. He worked with Thomson Corporate Research (Beijing) on content-based coding 2007-2008. He has been with NISlab in Gjøvik since 2008 and focuses his research on the biometric data security / privacy and interoperability fields and was involved in the European project TURBINE for fingerprint template protection. He is also with Norway Standards in the mirror committee to ISO/IEC SC27.

16.45 : Panel Discussion
- biometrics ready for today or still for the future
- the business case for biometrics vs other authentication technologies;
- biometrics TCO and other value creation
- crossing the chasm between end users expectations, industrial solutions, R&D and CSI;

17.15 : Closing Reception & Networking

18.30 : Close of Conference

Practical Details

This event took place December 1st, 2011 at the Ubicenter in Leuven, thanks to Verizon Business.

Participation is free when registered before November 30th, 2011.
Participation fee costs 150 €, unless your organization is Web member of LSEC, Core or Expert Member of LSEC, Member of SITC, TeleTrusT, Systematic, Agoria, ISSA, or ISACA. Cost for non-cancellation : 150 €.

Registration is now open for our next Biometrics event, in 2012. This event has not been finally scheduled, but you can already sign up your interest.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

Security Management - Managing Mobiles - Bring Your Own Device

29-Nov-2011

Managing Mobile Devices - Bring your own device

Mobile devices are changing the way many enterprises work, receive information, and remain competitive. The challenge is that the range of devices is growing as well as the number of individuals using personal devices for professional use. This poses a security and deployment issue for many organizations as they try to manage these mobile devices.

Managing mobile devices is increasingly complex and challenging. Organizations have traditionally supported BlackBerry devices with limited range outside of that. However, use of other devices, including the explosion of enterprise use of iPhone and iPad, means that organizations must identify ways to manage the whole environment. The other issue is that employees are using personal mobile devices, which causes information security concerns and vulnerabilities for many businesses.

During this seminar, we have presented an overview of mobile device management and security best practices. An integrated approach to mobile security including company security policies, training, and a mobile device management solution is critical for all enterprises. This will better enable IT staff to manage their deployed mobile devices, in-house apps, collect data points, as well as ensure overall fleet/device security.

In April 2011, Gartner published its Magic Quadrant for Mobile Device Management Software platforms. Some of the represented vendors have been asked to present their perspectives. But as usual, we won’t be limiting ourselves to the analysis of Gartner alone and will let you decide for yourself which qualifiers need to be addressed in this extremely dynamic and fast evolving domain.
We’ve also included some system integrators, to present their experiences and perspectives of some of the various market players.

Finally, attendees were able to make an informed decision about managing mobile assets and information assets transported wirelessly.

Final Program Overview

A seminar with various perspectives and market updates.

09.00h : Registration & Welcome Coffee, Networking, opening demo platform

09.30h : Welcoming notes & introduction by Ulrich Seldeslachts, CEO LSEC

09.45h : The perspective from a security platform, managing information security throughout the enterprise up to the mobile devices, by David Van Damme, McAfee

Changing users, hypergrowth in devices and various other trends impact the mobile threat outlook. With mobile malware on the rise, and appstores and apps that should not be trusted, handhelds will require mobile security handling for information on the move and at rest. Adding to this the complexities of security management, key management and end point protection proves that an integrated platform will be useful.

10.15h : The changing mobile landscape and the impact on business, it and security management. Perspectives on dealing with mobiles, by Ulrik Van Schepdael Mobco

Dealing with mobiles in an enterprise environment, from policy development, IT architecture, system integration and mobile devices management, up to implementation and dynamically defining policy rules.
With experiences shared from implementations of MobileIron and Box.net.

11.00h : Mobile Device Management and BYOD, an insight in a mobile device management platform and market experiences from Airwatch, by Manu Luyten, On2It.

11.45h : From Mobile Device Management to Fourfold Secure Mobile Device Management (Enterprise Mobile Data Lost Prevention).
Managing mobile devices beyond the platform and looking into security, market experiences with Zenprise by John Ferguson, Zenprise & Gert Vanhaeght, Mobila

Today, everyone has a smartphone. For enterprise this brings a duty of care to secure and protect sensitive corporate and customer information. But the complexity of managing and securing multiple device types, often without direct contact, is a challenge many IT personnel do not want to face. This presentation will demonstrate the changing environment, and – as recently identified by the industry analysts - the most capable solution to manage and protect the enterprise you carry in your pocket.

John Ferguson is Director of Product Management responsible for the Zenprise’s Mobile Device Management (MDM) service offerings.  John has 20 years of experience in product management and operations leadership positions with leading security technology companies.  Prior to Zenprise, John worked for Symantec developing cloud based security solutions and data loss prevention products while at Vontu (acquired by Symantec in 2008).  Before joining Vontu, John was an early employee of VeriSign where he had both product management and operations roles, including overall responsibility for VeriSign’s IT infrastructure and operations groups.  John started his professional career at AT&T where he spent 6 years in operations, marketing, and finance positions.  John has a B.S. Degree in Electrical Engineering as well as a Masters of Business Administration Degree in Finance.

Short interactive demo by Liz Knight

Liz Knight is Senior Pre-sales Engineer and originally comes from New Zealand. Liz has recently made the decision to move to the Netherlands to become an important part of the team to build Zenprise and its entity in the Benelux Region. Prior to Zenprise, Liz worked for large Telco Carriers as Technical Manager and dedicated her professional capabilities to the advancement of wireless mobile data technologies. Customers she worked with include the largest financial and government organizations in New Zealand as well as small to medium emerging businesses. Regardless of size or requirements, she strives to ensure each and every customer gets the best out of their mobility investment.

12.30h : networking lunch

13.30h : Managing security at all levels for all smart phones, by Fabrice Hatteville, Thales

The fast growth of the smart phone and tablet markets, both in terms of sold units and in terms of technical possibilities, has brought a number of new challenges to companies. On one side, professional users tend to use their smart devices for both their professional and private needs, resulting in a mix of sensitive and non-sensitive data on a single device. On the other side, the flexibility of these devices and the rich possibilities they offer in terms of applications, connectivity, ... make them a target of choice for potential attacks by viruses or others. At the same time, the large variety of brands and models makes it difficult for ICT managers and security managers to follow technological trends and to anticipate threats.
There is thus a need for companies to put in place a flexible system allowing at the same time to give access to the company’s standard tools for operational needs, to ensure secure communication between the employees’ smart phones / tablets and the sensitive data in the company’s system and to protect the company’s assets from potential threats coming from private activity on the employee’s device.  This all while maintaining a user friendly and simple-to-use interface. An insight on how these issues can be solved and which solutions exist will be given.

14.15h : Strategies and tips to manage and secure SmartPhones in a context of accelerated consumerization, by Michel Lanaspeze, Sophos.

Mobility and consumerization are defining some of the most significant changes in computing since the shift from mainframe computers, bringing promises of increased enablement and efficiency, but also new risks and threats. We will review these trends, giving insights from SophosLabs on risks, and present strategies and practical advice for organizations to manage SmartPhones and Tablets effectively in order to make BYOD a productive and secure reality.

About : Michel Lanaspèze is Marketing & Communication Manager for Sophos Western Europe, with 24 years of experience in the IT industry, and the past 15 years dedicated to the IT Security sector. Michel Lanaspèze holds an Engineering degree from Telecom ParisTech and an MBA degree from INSEAD.

15.00h : Coffee Break & Networking

15.30h : Integrating tablets Successfully in your Business Environment, The perspective from an operator using various mobiles, by Jean-Luc Delvaux, Belgacom.

In this presentation we will first review the various mobility trends and challenges and introduce the potential solutions. Then we will discuss the real-life case of Belgacom. Indeed, Belgacom has equipped all its sales force with tablets in 2011. We will discuss the choices that had to be made to make this initiative successful.

About : Jean-Luc has been working for Telindus International since 2001 (acquired by Belgacom in 2006) where he has been responsible for the ICT Security Strategy and for the development of the Security business internationally. In this capacity, he is in charge of developing Telindus’ security solutions and services portfolio as well as new market segments and geographies. Jean-Luc has more than 20 years of experience in the international ICT Services industry and close to 15 years more specifically in the Risk and Security domains. Prior to joining Telindus International, Jean-Luc has been active in various responsibility roles within Dimension Data, such as developing internationally the professional training business unit (NetBrain).

16.15h : Making all come together from a Security Management perspective. Closing Notes & Key Learnings of the day, by Steven Ackx, Ascure a full subsidiary of PWC Advisory Services

It’s not all about the technology and the threats. Those are some of the reasons and the how to deal with those threats and operating management of mobiles internally. Managing mobiles and mobile security is also about management and the way to get this included and embraced by the organization, the executives and employees. Risks have to be re-aligned, Security policies need to be adapted, procedures should be revisited and controls should be set in place or changed. Steven will try to make the connection of the technology perspective into the operations, and making sense for management.

About : Steven Ackx is a certified senior level consultant with extensive experience in Operational Risk Management, ICT- and Information Security related disciplines at the strategic, tactical, operational and technical level. Throughout his career he has focused on Information Security Governance, Information Security Management, Mobile Security, Mobile Payments, Information Risk Management, Education and Awareness Program.
At Ascure he is also managing the Ascure Academy, Marketing, Communication and Supporting Services activities. He is also the CEO of the BCM Academy Belgium.
Ascure is a full subsidiary of PwC Advisory Services cvba/scrl.

Also: a Mobile Management marketplace. Meet the various vendors and decide for yourself.

Practical Details

This event took place November 29th, 2011 at Bremberg, Haasrode

Registration is now closed for Mobile Device Management 2011. You can already show your interest in Mobile Security Management 2012.

Participation in this event was free for LSEC Members, LSEC partners and partner Members, Agoria Members and ECSA Members.
Participation was free for all others who subscribed before October 30th. After that date, a subscription fee of 100 € applied.
A non-cancellation fee of 150 € applied in case of non-appearance without cancellation at least 1 day before the event.

This event was supported by CA Technologies.
It includes LSEC Expert Members Mobila, Mobco, Belgacom, McAfee, Sophos and Ascure - PWC.
This event has been supported by INTERREG IVb, in partnership with TeleTrusT, SITC, Systematic Paris Region and nGage Solutions.

ISSE 2011

22-Nov-2011

Information Security Solutions Europe (ISSE)

22 - 23 November 2011 –
Prague, Czech Republic

Over the past decade, ISSE has built an unrivalled reputation for its interdisciplinary approach and independent perspective on the e-security market.
ISSE will provide over four hundred ICT security professionals and industry experts with a unique all-encompassing opportunity to learn, share and discuss the latest developments in e-security and identity management.

Supported by a number of key partners, ISSE will provide a unique insight into ongoing projects from the European Commission member states and the EU business community that will meet the industry's network and information security requirements.

Visit www.isse.eu.com for more information, registration and full program.

Introduction

With special emphasis placed on case studies and innovative and robust security solutions implemented by European organisations, the event will focus on key security topics such as:

Cloud Computing Security
Security of Data in the Cloud, Virtualisation, Data Leakage Protection, Enterprise Rights Management, Forensics, Security related Services

Public Cloud Challenges
Interoperability & Standards, Compliance, Service Level Agreements, Business Models

Trustworthy Infrastructures
Rules & Regulations, Resilience & Availability, Privacy & Data Protection, Backup, Recovery & Key Management Services

Embedded Security
Emerging Applications, Smart Grid & Automotive Solutions, Ubiquitous Computing, M2M Security

Mobile Security Solutions
Platform Security, Transaction Security, Information Security, Threats & Risks, Privacy Aspects, Management of Mobile Devices

Identity and Access Management
Borderless e-Identification, Biometrics, Smart Tokens, e-ID-Cards, e-Passports, RFID & NFC Solutions, Infrastructure Solutions

e-ID and e-Sig Applications
Trust Levels, Risk Mitigation, Liability, European Interoperability Programs, Business Models, Attribute Verification, Social Sign On

Security Management and Economics of Security
Risk Mitigation, Compliance and Governance, IT Security Ecosystem

Privacy and Data Protection in Cyberspace
Privacy and Data Protection Issues in Web 2.0 and Cloud Environments/Social Networks/Search Engines, Use of Privacy enhancing Technologies, Concepts for Security Breach Notification

Awareness and Education
Transparency/Customer Awareness and legal Obligations, Awareness for Social Networks, Mobile Computing/Communication, Cloud Application

Network Wireless and Endpoint Security
Network-level Security Devices, Interconnectivity Devices, Protocols and Trends, Intrusion Prevention, Network Infrastructures

Hackers and Threats
Awareness Raising, Social Engineering, Protection against Mail and Web Attacks, Vulnerability Assessment, Penetration Testing

e-Government – Policy and Governance
Emerging European & Global Regulations, Legislations, National Security, Law Enforcement, Governmental Applications

Enterprise Security Services
Authentication, Authorisation and Accounting, Governance, Risk and Compliance

Critical Infrastructure Protection and physical Security
CERT/CSIRT – European and Global Developments, Resilience of Networks and Services, Surveillance Techniques and Analytics

CyberWar, Cybercrime and Forensics, Fraud Detection & Prevention
DDoS, Attacks and Countermeasures against industrial Infrastructures (SCADA)

Preliminary Program

This year, LSEC and the European Security Innovation Network are supporting the ISSE 2011 with 4 different panels and various international experts.

November 22nd, 2011

Cloud Computing & Enterprise Security Services afternoon session, chaired by Ulrich Seldeslachts, LSEC

Panel discussions :
* can we trust the cloud? About Security and the cloud
* Security and mobile identity, various perspectives in an evolutionary landscape
* Online Social Networks : Security and Privacy considerations
* European Security CXO Panel - this business of security

with other expert partners from the European Security Innovation Network such as Dr. Marijke De Soete, Prof. Jos Dumortier,

Download the full program.

CMS 2011 - Communications and Multimedia Security

19-Oct-2011

CMS2011 is the 12th Conference in the “Communications and Multimedia Security” series. The series is a joint effort of IFIP Technical Committees TC6 (Communication Systems) and TC11 (Security and Privacy Protection in Information Processing Systems). The conference will be hosted by Research group MSEC from the Department Industrial Engineering of the Katholieke Hogeschool Sint-Lieven, Gent, Belgium. The size of the programme committee, consisting of international experts in this field, proves the interest of the research community. Conference proceedings will be published by Springer. There will be a best paper award.

The conference provides a forum for engineers and scientists in information security. Both state-of-the-art issues and practical experiences as well as new trends in these areas will be once more the focus of interest just like at preceding conferences. This year, the conference will address in particular security and privacy issues in mobile contexts, web services (including social networking) and ubiquitous environments.

We solicit papers describing original ideas and research results on topics that include, but are not limited to:

•applied cryptography
•biometrics
•secure documents and archives
•multimedia systems security
•digital watermarking
•distributed DRM policies
•attack resistant rendering engines
•adaptive anomaly detection
•censorship resistance
•risk management
•mobility and security/privacy
•mobile identities
•privacy enhanced identity management
•security/privacy policies and preferences
•social networks security/privacy
•security/privacy in geo-localised applications
•security/privacy in VoIP
•web services security
•SOA security
•ubiquitous and ambient computing security
•cloud computing security
•wireless and ad hoc network security
•RFID tags and sensor nodes security

Instruction for authors

The conference will include two refereed paper tracks: the Research track and the Industry/Government/Work-in-progress track. In addition, the conference will also feature a poster session.

Paper submissions for the Research track must be written in English, formatted in the conference style and limited to 12 pages. The paper must be anonymous, with no author names, affiliations, acknowledgements, or obvious references. Authors are requested to submit original papers only. Papers that have previously been published and papers that are currently being considered for publication by another journal or conference are not eligible. Each paper must include a short abstract and a list of keywords indicating subject classification. Its introduction should summarize the contributions of the paper at a level appropriate for a non-specialist reader.

Paper submissions for the Industry/Government/Work-in-progress track are limited to 6 pages. These papers highlight applications or present work-in-progress. They should also address challenges, lessons learnt or research issues arising out of the deployment, both successful and unsuccessful, of such applications. Note, however, that sufficient technical content is required.

For poster submissions, a title and an abstract (max. 2 pages) is required. Accepted posters will be published in the proceedings as extended abstract.

All submitted papers will be refereed by members of the Programme Committee for correctness, originality, relevance to the conference and quality of presentation. Acceptance of a paper or poster means an obligation for at least one of the authors to attend the conference and present the paper or poster. The most outstanding research paper, presented at the conference, will receive a “Best paper award”. The proceedings will be published by Springer.

Authors will have to sign the IFIP copyright assignment form (and not the standard LNCS Copyright Form). Example templates can be downloaded directly from the Springer LNCS Homepage. Please use the templates for “Proceedings and other multiauthor volumes”. Paper submissions must be written in English, formatted in the conference style.

For more information, please visit : http://www.cms2011.net

LSEC Security Forum 2011 - Security Hardening

07-Oct-2011

Security Forum 2011 : Security Hardening

Visit the October 6th page for all conference information.

LSEC Security Forum 2011 - Security Hardening

06-Oct-2011

Security Forum 2011 : Security Hardening

After the successful LSEC events of early September 2011, in the week before the 2011 RSA Europe Conference, LSEC organized the yearly LSEC Security Forum 2011 in Leuven at the Verizon Business’ Ubicenter. The year’s theme “Security Hardening” was meant to explore the possibilities of improving the IT and Information Security architectures and systems.

During the seminar, it became obvious that most of the topics were very complementary and gave an interesting viewpoint on how to improve security measures within companies.

This seminar was mainly intended for companies and government departments that already have a security environment and are interested in finding out about new solutions, new approaches and ways to improve their security infrastructure. Security Hardening in this case meant increasing the level of security on different aspects and components of your environment. This could be either from a network security perspective, a database and application perspective, or by increasing the granularity and scope of your data protection technologies. Hardening was also understood to include ways and procedures to improve security management as a whole.

All together, we’ve explored how to grow from the typical 80% of managed IT and information security risks to upgrade to 90% or and to understand the complexities, costs and resources necessary to this upgrade path.

As not all topics have been explored, it was decided that a follow-up security hardening event would be organized early February 2012.

Security Hardening

LSEC Security Conference 2011 : Security Hardening

Security Hardening is a rather wide concept, and leaves a lot of opportunities for various topics, but the idea would be to “bring something new and fresh to Security Officers and related people managing IT Security … “. Both network security, data security, privacy and other topics are very welcome.

Specifically some topics we are aiming for :
- IPv6 & impact on security
- Database security hardening
- Bring your own device / mobile
- Web application security
- Next generation firewalling
- New developments in hardware security – TPG/CC-based
- Security as a service (in the cloud)
- Virtualization security
- Identity management – access management - authentication
- Vulnerability testing – intrusion detection
- Data Protection technologies & systems
- Critical Infrastructure Protection
- Cybersecurity & Malware protection
- Security Monitoring & Network Monitoring
- Governance & Compliance
- …

Final Program

The following speakers already confirmed their participation and have been selected to present.

Program of October 6th

9.30 : Welcome & Registration

10.00 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

Coffee continuously available during the morning.

10.15 : Continuously dealing with vulnerabilities and challenges on networks and systems, and fulfilling compliance requirements. Immediate hardening by more efficient use of resources. by Bart Bosma, Qualys

Abstract : In order to understand how to harden, it makes sense to understand where to start. Policies and controls, but equally vulnerability tests and scans, will help you to understand immediate and imminent risks and challenges. Linking them to regulatory compliance will help you to translate those risks into business challenges. Continuously dealing with vulnerabilities on networks and systems, and fulfilling compliance requirements, means an immediate hardening by more efficient use of resources. You can improve the deployment of people and tools to where the biggest concerns are, and focus or harden on those that might need even more attention due to risk or business challenges.

About : Before joining Qualys in 2008 as Technical Account Manager for Benelux and Nordics, Bart Bosma has been active as a Security Consultant for more than 10 years at Dimension Data Netherlands and Ubizen, Cybertrust, Verizon Business.

11.00 : Security Hardening through systems, Oracle Systems Security solutions, by Luc Wijns, Oracle Systems

About : Luc has over 22 years of experience in IT, including 14 years at Sun Microsystems & Oracle Corporation.  Currently Luc holds the position of Master Principal Sales Consultant in the Server Division of Oracle in Belgium & Luxembourg and Chief Technologist for the Benelux.  Luc is also active in the Oracle Security Community and in the Oracle EMEA Cloud Architects Professional Community. Luc’s technical strengths are on Datacenter requirements, Architectures, Security (defense in depth, Identity & Access management), Networking, Virtualization and Datacenter Automation. These are the building blocks for a Cloud computing platform. Luc has a lot of software experience from the former Sun Software Practice, putting him in a unique position to understand integration of the software and hardware stack. This end-to-end view is a key differentiator in large data center projects. Luc holds an M.S. Degree in Electrical Engineering and an M.S. Degree in Computer Science from the “Université Catholique de Louvain” in Belgium. Luc is married, father of three children and lives in Belgium.

11.30 : Better protecting some of the crown jewels, database hardening, by Antonino Mata Gomez

About : Antonio started his career as an Oracle database consultant. Back then IT was more interested in High Availability and Scalability, but enterprises started showing a growing interest in protecting their key Business Assets persisted in database management systems. Antonio’s expertise was formed through many projects where protecting the database was key in order to guarantee the required security level. In his role of Database Security expert, Antonio closely followed up on the Identity & Access Management market trends, which has enabled him to approach security projects from multiple angles.

12.00 : Deep Safe, security solutions by Intel – McAfee, by Peter Van Eeckhout, McAfee

(this presentation will be added at a later moment, due to publishing restrictions by McAfee - Intel for the nature of the contents)

Abstract : McAfee® DeepSAFE™ technology is the McAfee-Intel jointly-developed technology which allows McAfee to develop hardware-assisted security products that take advantage of a “deeper” security footprint. McAfee DeepSAFE technology sits beyond the operating system (and close to the silicon) allowing McAfee products to have an additional vantage point in the computing stack to better protect systems. McAfee anticipates the McAfee DeepSAFE technology will be a foundation for a number of hardware-assisted security products that take advantage of a “deeper” security footprint which will work in conjunction with McAfee® Endpoint Security Platform that so many organizations trust to protect their endpoints and information.

About : Peter is a Senior Security Engineer defense for NATO and EU at McAfee (a wholly owned subsidiary of Intel). Before joining McAfee as Senior SE Systems/network, Peter was Security Solution architect at BT and Senior Technical Security consultant at Telindus Belgacom ICT. He started his current career as Security and Networking architect at ExxonMobil, as a contractor for Telindus (currently Belgacom ICT).

12.45 : buffet lunch

13.45 : Hardening web applications against malware attacks, by Erwin Geirnaert, Zion Security

Abstract : During this presentation we give an overview of how we can harden web applications against different types of attacks used by malware to bypass the existing security controls in the web application. We discuss the OWASP Top 10 and how malware can abuse these attacks and how the developer must implement a different strategy. We explain why (mobile) browser security is an important aspect of web application hardening and most importantly that the battle against malware is an ongoing battle. For every countermeasure the security industry develops to protect web applications and is used by a lot of companies today we will show how malware is being developed to bypass these solutions. To finalize we give some advice on how to protect against these malware attacks, using pro-active and detective controls.

About : Erwin founded ZION SECURITY in 2005 to help companies to protect against the latest threats, attacks against web applications. ZION SECURITY is nowadays a Belgian market leader in the field of security testing, vulnerability management, penetration testing and banking security. Erwin has more than 10 years of experience in web security, graduating with a Master of Science in Software Development from the University of Ghent. Erwin executes different types of projects for a lot of international software companies, financial institutions, telecom and web agencies. Specialist in executing code reviews in different development languages for critical applications, executing continuous penetration tests of their infrastructure and Internet applications. A specialist in J2EE security, .NET security and web services security. Erwin architects secure e-business projects for web agencies and software companies. He is a recognized application security expert and speaker at international events like Javapolis, OWASP, Eurostar,

14.30 : Most Exploitation is Internal, Learn new proactive defenses against this global networking epidemic, by Bernard Girbal, VP International Operations, Netclarity Inc.

Abstract : Learn about Internal Exploitation, Common Vulnerabilities and Exposures (CVEs) and how hackers, viruses, worms, spyware, botnets, rootkits, Trojans, cybercriminals and cyberterrorists use CVEs to exploit networks. Over 95% of successful attacks are exploits of these CVEs, while most also happen behind the firewall.

About : Mr. Girbal joined NetClarity after repeat successes spanning more than 20 years of scaling European, Middle East and African (EMEA) channels as the Vice President of Trend Micro, Packeteer (acquired by Blue Coat Systems), Art Technology Group (acquired by Oracle), Candle Corp (acquired by IBM) and Chipcom (acquired by 3Com). Mr. Girbal graduated from the Paris University of Technology and holds a Business Administration Degree from IAE/APPRA Paris Institut d’Administration des Entreprises (Sorbonne University). He is certified in Transition and Change Management MRI-Palo-Alto methodology and Executive Assessment. He is a Pilot and an avid musician who has studied at the Paris Classical Music Conservatory. He enjoys golf and hiking.

15.15 : Changing business challenges, challenging Security change. From hardening key management to cloud integrations. By Dominique Dessy, RSA, security division of EMC

Abstract : As virtualization changes the security dynamics, how should we rethink the Security Stack to regain control, visibility and build trust in the cloud?

About : Dominique has been in IT for quite a while (still remembers Z80 assembly code and knapsack crypto). Joined EMC after the Big Bug of 2000. Passed his CISSP in 2007 and moved to RSA in 2008. Once a year he gives a lecture for the Executive Master in IT Management of Prof. Ataya.

16.00 : coffee break, networking

16.30 : Hardening patches or enterprise wide ; challenges in data protection technologies and systems by Stefano Ciminelli, Verizon Business

Abstract : Data Security is often seen as the best security solution, or the worst nightmare for companies. Both approaches are wrong - how can Data Security and DLP projects help an organization to protect financial data and intellectual property? When it comes to financial data, how can an organization be sure that very sensitive information (credit card numbers, SSN, …) is not being leaked out to the internet? How can an industry identify how its intellectual property is being protected? Where is this information on the systems? If you were an attacker, what would you do to steal this kind of information?

About : Stefano Ciminelli is Head of Business Resilience and Data Protection (Critical Data Flow) EMEA, with focus on business continuity strategy definition and sensitive data protection. With extensive experience in IT Security (both technical and managerial), he works together with customers to identify the best security solution to fit their security requirements. He is a speaker at international conferences. His vertical experience is mainly in Financial (Banking and insurance services), Defense (classified environments) and Manufacturing, R&D (i.e. Intellectual Property protection).

17.15 : New Kids on the Job, firewalling for Digital Natives and Bring Your Own Device. By Tim De Boeck, Palo Alto Networks

Abstract : The next generation of new employees shares a different mindset when it comes to online privacy and security, albeit not quite on purpose. Being the result of a psychological evolution, they will eventually drive change to the security policies in place today. This session will highlight the inherent differences between digital natives and digital immigrants and project the challenges posed on corporate IT security. Some of the key topics that will be discussed are: Natives vs Immigrants, Web 2.0 & 3.0, Bring Your Own Device, Adapting & Improving Your IT Security Posture.

About : Tim De Boeck is a Systems Engineer for Palo Alto Networks – The Network Security Company. 12 Years of experience in the IT security field have enabled him to develop a holistic view of the challenges that companies face today when it comes to IT security. Before joining Palo Alto Networks, Tim held various positions in companies such as IBM, Internet Security Systems and Westcon Security.

18.00 : Closing Reception & Networking

19.00 : Close of Conference

Program of October 7th

9.30 : Welcome & Registration

10.00 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

Coffee continuously available during the morning.

10.15 : IPv6, sneaking into your networks and opening unexpected doors to the outside world. Did you know? by Eric Vyncke, Cisco Systems - IPv6 Council Belgium.

Abstract : IPv6 has been around for almost 15 years, but has only slowly been taken up by the market. There are many advantages to IPv6, but still for most organizations, it has been easier to replace IPv4 equipment with IPv4 equipment. You would think. In fact, over the last 5 years, IPv6 equipment has been slowly but surely replacing older equipment, but it hasn’t always been advertised that much. Examples are the many Windows OS-es, since Vista, but also networking equipment. These bring along some additional challenges in terms of security, that are easily overlooked. Eric will bring us a fresh perspective.

About : Eric graduated from the University of Liège, Belgium, in 1983 with a Master degree in Computer Science. He worked for a couple of companies like Siemens where he was the architect of the firewall product and of the military message handling system. Since 1997, he works for Cisco as a Distinguished Engineer by helping customers with security design and by assisting product design (notably security). His area of expertise includes the security aspects of LAN switching, IP telephony and IPv6. He is a guest professor at a couple of Belgian Universities, participates regularly at the IETF (author of RFC 3585), ... He holds a CISSP certification. He is the main author of ‘LAN Switch Security’ and is currently writing another book on IPv6 security. Eric is also CTO of the IPv6 Council.

11.15 : Hardening your identity layer. A view on large scale identity architectures and why you should start using them today , by Ronny Bjones, Security Strategist, Microsoft

About : Ronny Bjones currently is working for Microsoft Corporate as senior architect in the identity & security division. Ronny joined Microsoft in 2002 to contribute in trustworthy computing. Later he became the EMEA security lead for Microsoft’s enterprise business. He has 26 years of experience in ICT, 20 of those in security. Ronny published QuEST together with several industry specialists in the subject of electronic signatures. The book is a comprehensive guide on how to implement Electronic Signatures solutions and can be downloaded from microsoft.com. Ronny also co-authored “Best Practice for Applications using the electronic Identity Card”. Ronny oversees the whole area of security but has a special interest in smart cards, PKI, Identity Metasystem, cryptography and digital signatures. Ronny is a board member of EEMA, an organisation providing guidance on e-Business. Ronny is also member of the ISSE program committee. He is also member of the OASIS Security Conference program committee and the World-eID program committee. Since ‘89 he is active in the field of Information Security doing large projects for the European Central banks, Police forces, big financial institutes, European Commission, etc. Ronny Bjones was one of the four founders of Utimaco Belgium, where he worked ten years as R&D director. Before Utimaco Ronny worked for a Belgian EFT specialist called Prodata and one of the first firms to specialize in cryptography in Europe called Cryptech. Ronny Bjones is an active speaker at conferences. Ronny holds a bachelor in electronics, Master in IT management and MSc in Information technology.

12.15 : Improving systems security, virtualization and applications by Dave Vijzelman, CA Technologies

About : Dave Vijzelman has worked in several large heterogeneous environments and has extensive experience in designing and implementing architectural RBAC solutions. His focus is primarily on RBAC strategies and role mining. Besides this, he also has a wide knowledge of the technical approach regarding identity and access management (IAM) strategies. Previously he was a Senior Information Security Consultant at Ascure where he was responsible for the architectural approach of analyzing and designing RBAC strategies for clients. Before this, he was an RBAC Consultant at BHOLD Company. Today, Dave is Principal Security Consultant with CA Technologies, supporting large associations in their Identity Management challenges.

13.00 : buffet lunch & networking

14.00 : close of conference

You can also download the binder of the documentation as an alternative to the separate presentations and information.

Practical Details

LSEC Security Conference 2011
Security Hardening
October 6 and 7th, Ubicenter, Leuven

This event was
Free to participate to LSEC Members, LSEC partners and partner Members, Agoria Members, ECSA Members.
Free to participate to any others when subscribed before September 23rd. After that date, subscription fee of 50 €.
Non-Cancellation fee of 150 €, upon no cancellation at least 1 day before the event and non-appearance.

This event was supported by CA Technologies, an LSEC platinum sponsor for our events. We are always open to other, additional interested parties.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

RFID Europe 2011 by IDTechEx

27-Sep-2011

Impartial insight into the growth sectors - the only RFID event hosted by RFID analysts

Introduction

Some sectors of RFID have grown despite the recession. Other sectors have followed the classic hype cycle curve, but are now in the path of growth and profitability for the suppliers concerned. For the first time in many years, companies in Europe and the US are adding new manufacture volume. In Asia the huge Government support is driving manufacture and demand. The industry is taking off in many ways and in many forms. For example, Wireless Sensor Networks, a form of Active RFID, are being deployed in public buildings to save energy and monitor infrastructure. In 2011, RFID enabled cellphones are appearing from Nokia, Google and many others and the first printed RFID tags are being shipped.

RFID Europe is Europe’s largest conference on the topic. IDTechEx carefully design the program content to provide you with unrivalled insight into the state of the industry. Those wishing to exploit routes to profitability, find where the true demand is and meet customers and investors - must attend. Backed up by free IDTechEx research the complete event package is your yearly RFID benchmark.

LSEC will be hosting a panel discussion on the security challenges and opportunities with some distinguished experts and companies.

Program Outline

Presentation topics will include:
RFID in Apparel and Retail
RFID in Transportation
Security and Tracking Using RFID
RFID in Healthcare
RFID in Oil and Gas
Printed RFID
Real Time Locating Systems (RTLS)
Wireless Sensor Networks
Investment
Challenges
New Developments

2010 end-user speakers included:
BMW
Goodyear
Gerry Weber
Copenhagen Airports
Sony
Cubic
Max Pharma
sQuid Card
Centre Pompidou
Cambridge Central Library
Guide Dogs for the Blind

Practical Details

Organized by IDTechEx, supported by LSEC
Conference, September 27th - 28th
Exhibition, September 27th - 28th
Masterclasses, company tours, September 26th - 29th

More information and registration : IDTechEx RFID conference website

LSEC partners and members will receive a discount for participating and registering.

A discussion on Identity Management - Panel Discussion on IAM, electronic identities and eID

22-Sep-2011

A day on Identity Management with a series of panel discussions on Identity Management and electronic identities

Program

Taking Control of Privileged Identities by Dominique Van Huffel, Principal Consultant and CC Leader IAM

Despite the serious security risks and the potential for compliance audit failure, many organizations are unaware of their own vulnerabilities when it comes to privileged accounts or, if aware, don’t know how to address it. Privileged accounts include shared administrator-, firecall- and application accounts.
In this roundtable we’ll dive into the following questions:
• What are best practices for managing shared privileged accounts?
• How can we control their lifecycle? 
• How effective are existing Privileged Identity Management technologies?

Dominique is a Principal Consultant with broad knowledge and extensive experience of Security architectures, Identity & Access Management, Microsoft Infrastructure & Security solutions, network security architectures, anti-malware systems and end-to-end security solutions. Additionally, Dominique is also assigned as the manager of the competence centre “Identity & Access Management”.

With a special contribution by electronic identity management analyst Mike Small, from Kuppinger Cole and Gerry Gebel from Axiomatics.

A set of panel discussions

For this, instead of the usual lectures or seminars, we would like to have a couple of panel discussions, possibly preceded by a couple of slides on your suggested position.

Some of the following discussions :

Panel 1 “Market Trends in 2010 - 2011” : current status of the market after the economic downturn and challenges to get identity management introduced into organizations and enterprise environments.
Are projects still on hold, being continued, expanded and deployed? Specific challenges for specific verticals (healthcare, finance, government …). The use of the eID system.

Panel 2 “Operations” : existing identity management becoming more challenging? Integrating various authentication systems, increasing the granularity of electronic identities, adding contextual access control, setting up federation and maintaining IDM systems, …

Panel 3 “Challenges and Opportunities” : the opportunity of cloud environments, privacy the new security, open and closed standards, user-centric models vs government operated, …

Panel 4 “The Future” : Identity Management Systems vs Identity Markets, IDM Service Providers, Mobile Identity Management, the use of biometrics …

Every panel will take approx 1 hour, with 5 – 10 minutes of introductions and statements, followed by an interactive discussion.

Including panel members :
- SecurIT, Marc Vanmaele
- Vinti-Q, Ward Duchamps
- Verizon Business : Marcus Lasance
- and many others ...

We invite both end-users, service providers, vendors, system integrators and consultants.

Registration : go to Eventbrite website : http://lsecidm2011.eventbrite.com

Practical details

- Leuven, Ubicenter, May 6th
- From 12.30 – 19h
- Panel discussions and networking opportunities
- Free to attend

BruCon 2011

20-Sep-2011

Jan 24, 2011
Brucon Call For Papers 2011
Call for Papers BruCON.v3 2011
==============================

Brussels, Belgium—This is the call for papers (CFP) and participation for the 3rd edition of BruCON, a 2-day Security and Hacking Conference full of interesting presentations, workshops and security challenges. BruCON is an open-minded gathering of people discussing computer security, privacy, and information technology. The conference tries to create bridges between the various actors active in the computer security world including (but not limited to) hackers, security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc. The conference will be held in Brussels on the 19th and 20th of September 2011 on the VUB Campus.

Scope
=====
Topics of interest include, but are not limited to :
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Web Application and Web Services Security
* Lockpicking & physical security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Electronic Voting
* Free Software and Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Security aspects in SCADA, industrial environments and “obscure” networks
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities
* Information warfare and industrial espionage
* Social Engineering
* Virtualisation Security
* ...

Deadlines
=========

The following dates are important if you want to participate in the CfP

• Abstract submission: no later than 15th of May 2011
• Notification date: around end May 2011
• Full paper/presentation submission: no later than 31st of July 2011

Submissions can be entered at https://cfp.BruCON.org/submission

For further information and questions, please feel free to contact cfp 0x40 BruCON.org

Submission Guideline (for standard paper track)
==============================================
Authors are encouraged to submit a paper in English or presentation slides, using a non-proprietary and open electronic format. Abstract is up to 500 words. Submissions must be sent via https://cfp.BruCON.org/submission. You can contact us if any errors or issues occur. The program committee will review all papers and the author of each paper will be notified of the result, by electronic means. Provide as many details about your talk as possible. It will enable reviewers who are not subject matter experts in the area that you focus on to still appreciate your abstract and make an informed decision when scoring it.

Submissions should also include the following:
1. Presenter, and geographical location (country of origin/passport) and contact info.
2. Brief biography, list of publications or papers.
3. Any significant presentation and/or educational experience/background.
4. Reason why this material is innovative or significant to the BruCON audience.
5. Optionally, any samples of prepared material or outlines ready.
6. Information about whether or not the submission has already been presented and where.

The information will be used only for the sole purpose of the BruCON conference including the information on the public website.

We do not accept product or vendor related pitches. If your presentation involves an advertisement for a new product or service your company is offering, please do not submit. Also, we do not accept presentations submitted by a third party including (but not limited to) company representatives, management bureaus, etc. BruCON presentations should be focused on topics that are of interest to security and technology professionals who are paying attention to current trends and issues. We want BruCON to be educational and entertaining to the attendees and the community.

Additional Speakers Info
========================
BruCON is a non-profit event organized by and for the security and hacking community. Speakers are not paid. Financial help on travel expenses and accommodation is possible, but will be handled on a case-by-case basis. Provide as much information about your requirements (including a cost estimation) and we will contact you personally after your talk has been accepted. Lectures should not exceed 45 minutes plus up to 10 minutes for questions and answers. The spoken language of a lecture will be English.

Europki 2011

15-Sep-2011

8th European Workshop on Public Key Infrastructures, Services and Applications

EuroPKI’11 will be the eighth event in the EuroPKI workshop series and will focus on all research aspects of Public Key Services, Applications and Infrastructures. Previous EuroPKI workshops were held in Samos (EuroPKI’04), Kent (EuroPKI’05), Torino (EuroPKI’06), Mallorca (EuroPKI’07), Trondheim (EuroPKI’08), Pisa (EuroPKI’09), and Athens (EuroPKI’10).

EuroPKI’11 will be co-located with ESORICS 2011 in Leuven, Belgium.

Preliminary Program Outline

For more information, please visit the Europki pages.

A number of academic papers have been submitted and accepted as well as a couple of keynotes and keynote speakers.
For this year’s activity, LSEC is supporting Europki to the business and research communities by adding a couple of business oriented talks.

Keynotes

We are pleased to announce that the keynote speakers at the event will be:

Chris J. Mitchell

Title: New architectures for identity management - unifying security infrastructures

Abstract: In recent years a large number of identity management systems have been proposed. Unfortunately, although these systems offer the possibility of significantly improving user security, they have not been widely adopted, typically because the cost of adoption is too high for the involved parties. One major problem is that each such system requires the establishment of its own supporting infrastructure (e.g. a PKI), and all participants must adopt the associated protocols to make use of this infrastructure. This creates major barriers to interoperation and adoption. In this talk we consider the problem of designing identity management systems which enable security infrastructures to be unified in a simple and low cost way, and which require minimal changes to the involved parties. This involves designing combinations of security protocols and client machine software architectures that support secure identity management protocols in ways that offer simple and low cost migration paths.

Peter Gutmann

Title: PKI as Part of an Integrated Risk Management Strategy for Web Security

Abstract: In the real world, risk is never binary but always comes in shades of grey. When security systems treat risk as a purely boolean process, they’re prone to failure because the quantisation that’s required in order to produce a boolean result has to over- or under-estimate the actual risk. What’s worse, if an all-or-nothing system like this fails, it fails completely, with no fallback position available to catch errors. Drawing on four decades of experience with security design for the built environment (buildings and houses) known as crime prevention through environmental design (CPTED), this talk looks at how CPTED is applied in practice and, using browser PKI as the best-known example of large-scale certificate use, examines certificates as part of a CPTED-style risk-mitigation system that isn’t prone to all-or-nothing failures and that neatly integrates concepts like EV vs. DV vs. OV and OCSP vs. non-checked certificates into the risk-assessment process, as well as dealing with the too-big-to-fail problem of trusted browser CAs.

Olivier Pereira

Title: Running Mixnet-Based Elections with Helios

Abstract: TBA

Practical details

Leuven, September 15th & 16th.
Business program on Thursday afternoon, following the keynote by Chris Mitchell and lunch.

To confirm your registration as LSEC Member or affiliate, please send your contact details to europki @ lsec.be.

De Nieuwe Valk
For more information and the downloadable program, please visit the Europki 2011 website

a day on RFID - NFC applications and security - September 14th 2011

14-Sep-2011

THIS EVENT HAS BEEN CANCELLED FOR SEPTEMBER 14th and will be postponed to a later date.

Please contact us for more information at rfid2011@lsec.be

Updated Program

On September 14th, LSEC are organizing a day on applications for short range wireless technologies such as RFID and NFC.
Taken in the first place from a technology perspective, the idea is to present a multitude of applications and their respective challenges and opportunities that these technologies today bring into the market.
With a specific perspective on security in these evolving small wireless technologies. This is a unique event in Belgium, bringing together local specialists and experts from France, UK and other countries.

Introduction

RFID, Radio-Frequency Identification, is a series of technologies describing a form of identification using a wireless radio signal. Typically used for tracking, tracing and identifying goods, it is increasingly also being used for people, and both passive and active tags are constantly evolving. Various companies are using RFID technologies for many different applications, from Wal Mart, public libraries, Airbus, public transportation and international passports; from goods identification for simple pricing, to access control, to controlling identities.

According to market research organization IDTechEx, in 2010 the value of the entire RFID market was estimated to be $5.63 billion, up from $5.03 billion in 2009. This included tags, readers and software/services for RFID cards, labels, fobs and all other form factors. $3.27 billion of the total $5.63 billion is spent on non car like structures - from RFID labels to active tags.

Register now at Eventbrite : http://rfid2011.eventbrite.com/ and reserve your free seat prior to March 31st 2011.

More RFID tags than people on the planet

The biggest opportunity : item tagging, moving from price tags to bar codes to radio frequencies in identifiers
The biggest opportunity for RFID is the item level tagging of all things. This ultimately calls for a very low cost tag, something that some printed and chipless RFID technologies have already demonstrated or have the potential to achieve. Interestingly, few of the biggest chip RFID suppliers are working on these technologies. Instead, printers, packagers and electronics and materials companies are leading development, some seeing the ultra low cost RFID tag as just the beginning - with integrated ultra low cost components such as displays, sensors and power to come.

The RFID tagging of apparel is now the largest and fastest growing application of RFID in retailing, the retail supply chain and associated industries. About 100 organizations are tagging apparel in trials and rollouts. Just two - taken together - will buy 500 million tags yearly soon. Analysis indicates that systems and tag business concerned with apparel RFID will grow at double the rate of the overall RFID market through the next ten years.

RFID in the form of tickets used for transit will demand 380 million tags in 2010. The tagging of animals (such as pigs, sheep and pets) is now substantial as it becomes a legal requirement in many more territories, with 178 million tags being used for this sector in 2010. This is happening in regions such as China and Australasia. In total, 2.31 billion tags will be sold in 2010 versus 1.98 billion in 2009. Most of that growth is from passive UHF RFID labels.

The evolutionary landscape of active RFID

The term Active RFID incorporates many technologies including Real Time Locating Systems, Ubiquitous Sensor Networks and Active RFID with ZigBee, RuBee, Ultra Wide Band and WiFi. Active RFID, where a battery drives the tag, is responsible for an increasing percentage of the money spent in the burgeoning RFID market. It will rise from 13% of the total RFID market in 2010 to 25% in 2020, meaning a huge $6.02 billion market. If we include the market for cell phone RFID modules (another form of active RFID), the market is an additional $0.18 billion in 2010 and $1.6 billion in 2020.

Near Field Communication (NFC), and particularly RFID enabled mobile phones, with contactless smart cards and tickets are now reaching the mass market. Are these forms of RFID with advantages and disadvantages and different development paths, or is NFC a different market with more advanced types of applications and services? Expectations are that there will continue to be rapid growth of at least three alternatives for at least ten years. This follows 800 million Chinese acquiring contactless national ID cards in four years and over 70 million Japanese adopting RFID enabled, NFC compatible phones in three years. These were two of the fastest rollouts of electronic products in human history.

Near Field Communication (NFC), by which electronic devices communicate if held within a few centimeters of each other, is underpinned by global ISO specifications. It has attracted the attention of the largest telcos, transport companies, banks and others and new trials are frequently announced all over the world. Many trials confirm that we are all like the Japanese in seeking the convenience that such phones can offer. 
With SIM cards fading, telecommunication industries are suddenly being empowered once more, through NFC phones, for banking, wallet, ticketing and loyalty applications. Banks are cautious about letting their cards be mimicked by the phones and transport operators are cautious about the ticketing option being loaded.

Program Overview

During this seminar, we aim to bring some of the most interesting experts and applications around the table, focusing among other things on business opportunities and challenges. These could include systems integration, but also security. Because security is one of the applications specifically sought from short-range wireless technologies, we will, among other things, challenge the various systems and technologies and show that in this domain too, security is better considered at the design stage.

Some of the following companies and applications have been identified :

• Real-Time Anonymised ID at the point of requirement - a challenge-response approach for an Authority to attest the authenticity of documents and certificates, by Techmatics, Janusz Adamson
• Industrial Identification, RFID Inc, Graham V. Smith – Vice President Europe
An overview of applications for RFID in vehicle identification, warehouses, conveyor belts, meat production facilities, AGV, factory floors and other industrial environments.
• Parallel Solutions, Applications for tracking and tracing of firefighters, children, patients , assets and records
Maintag, Readers, Tags, Low level management software, and other tools for an RFID environment
• NFC Projects in Caen, an overview of private and public proof of concept projects (Caen NFC City, Pay Mobile, Contactless Parking, Normandy Living Lab, ….), key learning and developments, by Pôle TES
• RFID Security : Issues and Measures, by KU Leuven, COSIC, Dave Singhelee
• NFC technologies and applications, by NXP Technologies, Phil Teuwen
• Some experiences from practical security challenges, KAHO St Lieven
• NFC and next generation RFID, an evolutionary landscape
• From chip and card to application and everything in between, resolving challenges for Systems Integration, Management and Maintenance Challenges
• Testing and controlling RFID and NFC developments and applications
• GloPass, the integrated solution for ID management, event management
• Integrating personal ID and Mobile ID Management, the challenge ahead
• …

Privacy in RFID and NFC, research activities from MSEC at KaHo St-Lieven, by Vincent Naessens, KAHO Sint-Lieven

This talk will give an overview of research activities in the domain of mobile security at MSEC, KAHO Sint-Lieven. The research at MSEC is often conducted in collaboration with SMEs, large companies and governmental institutions in Flanders. Hence, many cases originate from real challenges in industry and government. The MSEC group works around emergent technologies and application domains for smartphones. For instance, tamperproof modules (like secure elements and smart micro SD cards) are used to increase the security level of mobile applications, terminals are extended with trusted platform modules to increase trust in the ecosystem, privacy-enhancing technologies (like anonymous credentials, local privacy policy enforcement modules...) lead to a better privacy level in existing applications… These technologies are relevant in many application domains: personalized health care, advanced physical access control systems, protection of money transfer cycle, supply chain and logistics ... This talk will mainly focus on the new opportunities of secure solutions that exploit short range communication capabilities of smartphones (like optical communication and near-field communication). More information and an overview of research projects and activities at MSEC can be found at the following URL:
http://www.msec.be/

About: Vincent Naessens is head of the research group “Security and Mobility (MSEC)” at KAHO Sint-Lieven since October 2006. The research group focuses on modelling secure, mobile environments. More specifically, his research focuses on e-ID technologies, privacy-enhancing technologies and the integration of these technologies in concrete applications.
Mobile environments often deal with resource-limited devices. The latter often has an impact on the building blocks and technologies that are selected to fulfill security, privacy and trust requirements. Special attention goes to architectural design of such environments. The research group often collaborates with other industrial and academic partners such as DistriNet, Dept. Computer Science at KULeuven and Dramco, Dept. Industrial Engineering at KAHO Sint-Lieven.
He received a master’s degree in Computer Science at the K.U.Leuven University in 1999. Immediately after his studies, he started working as a researcher in the DistriNet research group.  The topics of research he has been working on include: analysis, modelling and design of anonymous applications (anonymous communication, anonymous mail, anonymous publication systems, ...) and the study of techniques for controlled anonymity in various applications. He received his PhD degree in Computer Science at the faculty of Applied Engineering, K.U.Leuven in June 2006.

Types of applications discussed :

Passive RFID
• Drugs
• Other Healthcare
• Retail apparel
• Consumer goods
• Tires
• Postal
• Books
• Manufacturing parts, tools
• Archiving (documents/samples)
• Military
• Retail CPG Pallet/case
• Smart cards/payment key fobs
• Smart tickets
• Air baggage
• Conveyances/Rollcages/ULD/Totes
• Animals/Livestock
• Vehicles
• People (excluding other sectors)
• Passport page/secure documents
• Other tag applications

Active RFID / battery-assisted
• Pharma/Healthcare
• Cold retail supply chain
• Consumer goods
• Postal
• Manufacturing parts, tools
• Archiving (samples)
• Military
• Retail CPG Pallet/case
• Shelf Edge Labels
• Conveyances/Rollcages/ULD/Totes
• Vehicles
• People (excluding other sectors)
• Car clickers
• Other tag applications

Practical Details :

Wednesday, September 14th , 2011
Brussels, IBM Seminar Centre
Seminar and exposition
Free to attend, upon registration prior to May 30th; from June 1st and onwards, registration fee of 150 €
Free for LSEC Members and partners (European Security Innovation Network, Pôle TES, OASIS, Agoria, ISSA, ISACA, …) upon membership identification.

For more information, sponsoring and practical details please contact rfid2011@lsec.be.

Register now at Eventbrite : http://rfid2011.eventbrite.com/


ESORICS 2011


08-Mar-2011

Computer security is concerned with the protection of information in environments where there is a possibility of intrusion or malicious action. The aim of ESORICS is to further the progress of research in computer security by establishing a European forum for bringing together researchers in this area, by promoting the exchange of ideas with system developers and by encouraging links with researchers in related areas.

Progressively organized in a series of European countries, the symposium is confirmed as the European research event in computer security.

ESORICS 2011
September 12-14, 2011
Leuven (Belgium)

ESORICS is the annual European research event in Computer Security. The Symposium started in 1990 and has been held in several European countries, attracting a wide international audience from both the academic and industrial communities.

Papers offering novel research contributions in computer security are solicited for submission to the Symposium. The primary focus is on original, high quality, unpublished research and implementation experiences. Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. We encourage submissions of papers discussing industrial research and development.

Suggested topics include but are not restricted to:

• Access Control
• Accountability
• Ad hoc Networks
• Anonymity
• Applied Cryptography
• Attacks and Viral Software
• Authentication and Delegation
• Biometrics
• Database Security
• Digital Content Protection
• Distributed Systems Security
• Electronic Payments
• Embedded Systems Security
• Inference Control
• Information Hiding
• Identity Management
• Information Flow Control
• Integrity
• Intrusion Detection
• Formal Security Methods
• Language-Based Security
• Network Security
• Phishing and Spam Prevention
• Privacy
• Risk Analysis and Management
• Secure Electronic Voting
• Security Architectures
• Security Economics
• Security and Privacy Policies
• Security for Mobile Code
• Security in Location Services
• Security in Social Networks
• Security Models
• Security Verification
• Software Security
• Steganography
• Systems Security
• Trust Models and Management
• Trustworthy User Devices
• Web Security
• Wireless Security

Important dates

• Submission of papers: March 21, 2011 23:59 PST (FIRM deadline - NO extensions)
• Notification to authors: May 20, 2011
• Camera-ready copies: June 17, 2011

Instructions for paper submission
The proceedings will be published by Springer in the LNCS Series. All submissions should follow the LNCS template from the time they are submitted (follow the “Information for Authors” link at http://www.springer.de/comp/lncs/authors.html). Submitted papers should be at most 16 pages (using 11-point font), excluding the bibliography and well-marked appendices. Committee members are not required to read the appendices, so the paper should be intelligible without them. All submissions must be written in English.

Submitted papers must not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings.

All accepted papers should be presented at the Symposium. Therefore, at least one author of each accepted paper must register to the symposium, by the early date indicated by the organizers, and present the paper. Upon acceptance, authors must sign a copyright transfer statement.

Paper submissions must be received by March 21, 2011, 23:59 PST through the ESORICS 2011 submission server at: http://www.easychair.org/conferences/?conf=esorics11. Notification of acceptance or rejection will be sent to authors by May 20, 2011 and authors of accepted papers will have the opportunity to revise their papers for the proceedings version due on June 17th, 2011.

For more information, please visit : http://www.cosic.esat.kuleuven.be/esorics2011/?p=cfp.


LSEC Cloud Security Conference - Trust in the cloud and cloudtrust - about cloud security

08-Sep-2011

Seminar : Trust in the cloud and cloud trust, or Security in the cloud : bust the hype

Since 2009 the IT industry has been overwhelmed with the concept of the Cloud. Starting as an evolution from the constant shifts between centralization and decentralization, shared hosting and colocation offerings, managed services models and the growing technological advantages of broadband speeds and virtualization, Cloud Computing today is a conglomerate of all sorts of services, ranging from infrastructure, to back-end applications, to full outsourcing of front- and back-end applications, with unlimited availability at a Total Cost of Ownership that becomes almost variable, based upon the business requirements.
In addition to some of these and environmental advantages, there are also advantages of availability (suddenly you can get a full-blown server OS and database, completely configured with all user IDs and the latest security packs, ready to go in no time) and advantages of resilience (automatic failover and redundancy).
Still, many European information security managers and their CIOs are questioning the level of security of these clouds and cloud service providers. Can clouds be trusted with sensitive corporate data, critical information systems and high availability services, or should companies only consider unimportant information? Will Cloud Service Providers need to come up with a series of certifications such as CSA or ISO for your organization to be able to trust them? Let’s take some of the basic and more advanced security challenges, apply them to the cloud service provider that you would be investigating, and test them against all levels of security that you would demand for your own organization. Will they stand the test? Would this be sufficient, or are there other levels of challenges in play, such as data protection regulation and 24/7 availability, with high-throughput pipes and means? Are the cloud customers protected against failure and loss of data, and what happens if there is an incident? What is the procedure that is being laid out to detect, report and, if possible, remediate? What jurisdiction applies for potential litigation? Will there be audit possibilities? On site?


This event was supported by LSEC expert Members CA Technologies, MMS-Secure and Vasco Data Security.
Thanks to Verizon Business for providing the Ubicenter facilities.

Final Program

8.30 : Welcome & Registration

8.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.

09.15 : Cloud Computing a systemic overview of opportunities and challenges, by Henk van der Heijden, Vice President Security Europe CA Technologies

About : Prior to joining CA Technologies, Henk developed extensive experience with customer cases and security needs as Managing Director at Comsec Consulting BV and as Director Security Services at EDS. Before that he was General Manager at Sequent Migrations. He has broad and long (25 years) experience in IT and IT Services, and for the last 12 years he has specialised in Risk Management and Information Security. Henk is specialized in Risk Management and Security Consulting and has broad and long IT Services knowledge. Within CA Technologies, Henk is responsible for the Security Business Unit in EMEA, leading the Business Unit for CA Technologies’ excellent portfolio of Security Solutions.

10.00 : Security in the Cloud, myth versus reality. About auditing in the cloud. by Mike Chung, Manager IT Advisory KPMG Netherlands

About : Mike has been active in IT for over 12 years. He joined KPMG in 2006, where he is involved in security and system architectures. Within KPMG Netherlands, Mike is a recognized specialist on cloud computing and sourcing. In his spare time, he likes to listen to heavy metal.

10.45 : Cloud Computing and Virtualization, Security issues, by Jan-Willem Lammers,

About : His 20 years of broad IT experience enables him to keep the overview over complex environments. On the other hand he has the capability to absorb new technologies quickly and mix them with earlier experience. These capabilities have made him a valuable advisor for the most strategic customers in his region. He joined VMware in 2006 when virtualization was still just “cool technology”. His career started with 8 years at Syntegra (BT), followed by 8 years at Digital Equipment, Compaq and HP. In HP Consulting he built a VMware practice with knowledge management and service offerings, and trained a large number of colleagues. That was the time to move to VMware, the source of Cloud Computing, where his ability to absorb new technology has been put to the test ever since. Now that virtualization has enabled Cloud computing, the work around compliance, organizational challenges and provider/consumer relations has to be balanced with technological developments.

11.30 : Challenges with Cloud services posed by legal constraints such as Privacy and Data Protection Guidelines; by Bruno Schröder, Microsoft

About : A civil engineer by education, Bruno has been in the IT industry for more than 25 years : R&D, process control, systems integration, consulting and sales. Bruno has been active in the public sector and became in charge of the EU consulting practice with Unisys, one of the large public sector suppliers. After having led the Public Sector for Microsoft Belux, he is still part of the international team following, on a global level, the evolutions and needs of the non-commercial sectors, and also informing governments about long term solutions of information technologies and the potential impact on citizens and organizations. Bruno is involved with the Microsoft Innovation Center and is Member of the Board with the CIO-Club.

12.15 : lunch & networking

13.15 : Cloud Services by Verizon Business and Security measures taken, by Rob Kroneman, Verizon Business

About : Rob Kroneman is a security professional with extensive experience in the Information Security related disciplines at the organizational, technical and strategic levels, where he has focused on Information Security Management, Information Risk Management, security reviews, and corporate security policy. He worked for the Dutch National Bank (De Nederlandsche Bank) in the roles of Network Specialist, Security Manager and Auditor. Rob has a strong security expert background in information security and security reviews (audit), and was engaged in information security and information security related projects throughout his career. Rob has a strong security mindset and an experienced out-of-the-box thinking approach. As cofounder and CEO of a privately run company, Rob was responsible for the creation and enforcement of a profitable organizational structure. Besides fulfilling the role of CEO, he was active in the field as an IT Security Expert. Rob is active as an Information Security consultant handling information security implementations, security reviews, advisory projects and information security framework implementations in the role of temporary CISO. Besides being active as an interim CISO, Rob is Manager Professional Services ITS within Verizon, working with his team on Cloud Strategy and Transformation/Transition projects for customers.

14.00 : Cloud Services by Microsoft and Security Measures taken by Henk Den Baes, Microsoft

About : Henk Den Baes started his career as a consultant with AMS (now CGI). With AMS I was based at a huge mobile telecom corporation fixing and developing (C, C++, COBOL, JAVA) backend applications. After some years I moved to Utimaco AG, a pure security products company, where I was responsible for developing the Utimaco SSL stack. At that time there was still the strong crypto export restriction from the USA and the European browser versions only had weak SSL protection. While working for Utimaco I also gained a deep knowledge of PKI. Being knowledgeable of PKI, I moved to Belgacom where I was, together with a small team, responsible for building the Belgacom E-Trust PKI. Out of that department the Belgian eID card project was born and I moved to the newly formed company Certipost. Once the eID project was more or less finished I moved to Belgacom ICT (former Telindus) to work as a Senior Technical security consultant. Today I’m working as a technology advisor at Microsoft for Security and Datacenter (Windows server and virtualization).

Abstract : Very often, the terms ‘outsourcing’ and ‘Cloud’ are mixed. We can see here that while Outsourcing is mainly about the ownership for certain tasks and controls (e.g. regulatory, security), Cloud is also an architecture question that goes beyond the who does what. However, this also means that the questions regarding regulatory and security requirements become more complex. While Outsourcing questions were often completely left to IT, the Cloud discussions need involvement from a broader compliance community. The CIO/CSO also needs to be able to translate technological and architectural aspects into business risks so that internal legal and compliance communities can be involved as early as possible. If this doesn’t happen, legal considerations can soon become a show-stopper in the whole Cloud story.
During the LSEC “Security in the cloud” seminar I will discuss the 5 security areas (COMPLIANCE AND RISK MANAGEMENT, IDENTITY AND ACCESS MANAGEMENT, SERVICE INTEGRITY, ENDPOINT INTEGRITY, INFORMATION PROTECTION) that have become the main focus of discussions with companies going into the Cloud.

14.45 : Cloud Services by Belgacom and Security measures taken, by Bart Callens, Belgacom

About : Bart Callens is a security professional with 15 years of experience. Bart has extensive knowledge of and experience with different security frameworks and technologies, including network, data and application security. Bart was also co-founder of the Belgacom E-Trust Certification Authority, which led to projects such as the Belgian eID Card. At this moment, as ICT Security Solution Ambassador within Belgacom, Bart is responsible for managing the lifecycle of the ICT Security portfolio and launching new ICT Security solutions on the market.

15.30 : Panel Discussion

16.00 : Coffee Break

16.30 : Securing your Data in the Cloud, by Luc Wijns, Chief Technologist Oracle Systems

About : Luc has over 22 years of experience in IT, including 14 years at Sun Microsystems & Oracle Corporation. Currently Luc holds the position of Master Principal Sales Consultant in the Server Division of Oracle in Belgium & Luxembourg and Chief Technologist for the Benelux. Luc is also active in the Oracle Security Community and in the Oracle EMEA Cloud Architects Professional Community. Luc’s technical strengths are on Datacenter requirements, Architectures, Security (defense in depth, Identity & Access management), Networking, Virtualization and Datacenter Automation. These are the building blocks for a Cloud computing platform. Luc has a lot of software experience from the former Sun Software Practice, putting him in a unique position to understand integration of the software and hardware stack. This end-to-end view is a key differentiator in large data center projects. Luc holds an M.S. Degree in Electrical Engineering and an M.S. Degree in Computer Science from the “Université Catholique de Louvain” in Belgium. Luc is married, father of three children and lives in Belgium.

17.15 : Security Services in the cloud, managed cloud security services, by Christophe Bianco, Qualys

About : With 15 years of experience in providing security services, including security policy and governance, audits, and intrusion detection, Christophe is responsible for strategic, operational, field sales and marketing activities in EMEA. Most recently leading Western Europe sales and managing the Luxembourg subsidiary for Verizon Business Security Solutions, Christophe led a team advising the extended enterprise on how to secure information, secure the infrastructure, and implement governance, risk and security policies. Christophe has also served as the general manager for Ubizen in Luxembourg, where he managed operations and executed the company’s partner and vendor strategy, set up a customer loyalty program, and extended the products and services offered. He has also been manager of information security for SkillTeam, an IBM subsidiary, and network and telecoms engineer for Banque Paribas, both based in Luxembourg. Christophe has a master’s degree in telecoms from the National Superior School of Telecommunications of Brittany, a degree in engineering from the National School of Brest, and an Executive MBA from HEC Paris.

18.00 : Securing the cloud and cloud security, by Rashmi Knowles, Chief Security Architect EMEA RSA – the Security Division of EMC

About : Rashmi is Chief Security Architect at RSA, The Security Division of EMC. In her role Rashmi is responsible for Technology and Compliance Solutions for the EMEA region. Her current responsibilities include working with customers in a trusted advisor role, evangelism for emerging technologies, and acting as key spokesperson in the region for RSA’s Cloud Strategy and Compliance Solutions and as a subject matter expert on Data Loss Prevention and Encryption Solutions. Rashmi has over twenty years of experience in data communications and mobile communications and has focussed on Information Security for the last ten years. Prior to joining RSA, Rashmi worked for Hewlett-Packard as a Network Consultant. She has also held Product Marketing and Business Development roles in Ericsson and Damovo, responsible for developing key vertical solutions based on information security. Rashmi holds a degree in Computer Science from the De Montfort University and a Post Graduate in Computer Studies from the University of the South Bank, London.

18.45 : Bringing TRUST to the cloud: strong authentication as an enabler for SaaS adoption, by Kurt Berghs, Product Manager VASCO Data Security

About : Kurt Berghs is the worldwide product manager for VASCO’s DIGIPASS as a Service and aXsGUARD Gatekeeper product lines. Kurt started working for Vasco Data Security 6 years ago, with the acquisition of ABLE. He started as channel manager responsible for Belgium. Before Vasco, Kurt started his IT career as a programmer. Later he switched from programming to network infrastructure consulting and then to selling software solutions for Softconstruct.

Abstract : DIGIPASS as a Service is VASCO’s cloud based authentication service. The offer has been designed for companies who want to enhance the security of their web based applications. For web applications, traditional authentication does not always offer an adequate solution. Traditional authentication is often considered too costly due to low usage of the application or low transaction value. DIGIPASS as a Service is the answer to these concerns. With DIGIPASS as a Service, VASCO manages the entire authentication process for its customers. The end-user will use a hardware or software DIGIPASS to generate a one-time password to log on to the web based application or an e-signature to sign an online transaction. The company can focus on its core activities while VASCO manages the authentication process.

19.15 : Cloud Security Solutions wrap-up, and future challenges by Ulrich Seldeslachts, LSEC

19.30 : Closing Reception & Networking

20.30 : Close of Conference

During this seminar, we wanted to try to get most of the uncertainties out, and remove the clouds from the cloud in terms of security challenges. Can we put trust in the cloud? To what extent and at which levels? What is the level of granularity, and maybe the layers of confidence, that we have to build upon? What is needed for the clouds to be trusted and to become secure? How does this work in an ever changing and challenged environment which is facing new security threats every day?

We’ve invited both Cloud Service Providers and Security Experts to challenge and be challenged. We don’t expect to receive all answers, but at least some issues will be raised, and a discussion at large can be held properly.
This seminar is intended for all business people considering cloud services who want to be informed about their options and potential risks, for all security managers and executives who might feel threatened by the opportunity of the cloud services, for all IT auditors who want to be informed about challenges and opportunities, and for executive management that needs to be informed about risks and potential costs versus the cost reduction potential that they get presented.

You can also download the whole slideware package.

Practical Details :

Seminar with presentations and panel discussions

Leuven, Ubicenter, September 8th

Free of Charge for LSEC Members and Affiliate Members, and by special invitation. Cancellation Fee of 150 € : please cancel latest the day prior to the event to avoid a cancellation fee.
Thanks to the sponsors of the Global Security Week, we can offer participation to this event. Free of charge upon registration prior to September 5th, 50€ entrance fee after that date.

Sponsoring opportunities :
CA is an LSEC platinum sponsor for this event, but we are open to other, additional interested parties.
MMS Secure is a gold sponsor.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. LSEC has been organizing over the last couple of years over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies to participate in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.

Online Social Networking Threats and Opportunities, Security and Privacy Challenges

06-Sep-2011

Facebook, Netlog, Twitter, LinkedIn, Xing, … collectively represent more than a billion users and many thousands of organizations large and small accessing and using those networks on a daily basis. They are a great opportunity for trendy marketeers and smart business people, whilst building new standard communication channels for friends that we have lost track with and many business partners which are sometimes difficult to connect.

Twitter and Facebook also have a major impact on mass media and in critical situations. In important societal events such as the Arab Spring, or major disasters such as the terrorist attack in Norway or, even more recently, the Pukkelpop festival in Belgium, social media support communications and provide relief for victims, family and relatives.
They have become and will continue to be important communication channels for leisure and pleasure, but increasingly for critical situations.

Introduction

Companies and other institutions are faced with the challenge of embracing these new channels and opportunities. In many cases this evolution has many similarities to the evolution of the internet in the enterprise, and the current challenges of the smartphones and mobile devices. For some they are considered a major threat, others recognize them as a new way of doing business, maintaining relationships, marketing new products, exchanging information, …
Statistics indicate that quite a lot of internet traffic is related to online social networks, typically within busy hours. Sometimes this relates only to a small minority of personnel actively using the systems for business purposes, but in many cases they are being used for personal means.
Online Social Networks are also becoming an increasingly important channel for the distribution of modern malware. Current AV tools are not always sufficient and need another approach.
Increasingly, online social networks are being misused, providing misleading information and falsified identities to release valuable information from the potential partners; sometimes they serve as a channel for data breaches.


This event is supported by LSEC Expert Members Barracuda Networks and MMS-Secure

Download more information

Barracuda Networks and Websense have been publishing various reports on some of the reported issues.
Visit their website to find out more, or download immediately :

Challenges, Threats and Opportunities

Finally, there are increasing concerns about privacy, both for individuals and corporations. Online Social Networks are constantly adapting their guidelines and internal rules, to the benefit of some and the detriment of others, in ways that are not always clear. The changing data protection regulations suggest that citizens would also need to get the right to remove their historical data. Even as an organization using online social networks, marketing departments are struggling to keep the right messages coming across.

In this seminar, LSEC brought together some expertise to explain some of these challenges, and indicate some potential evolving solutions. Discussions related to some upcoming threats and challenges, without forgetting the opportunity of online social networks and online social media.

This seminar was intended to marketing departments, information security and security professionals, social and communication experts and information technology departments.

Program Overview


9.30 : Welcome & Registration

Coffee continuously available during the morning.

9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

10.00 : Online Social Networking for Business explained, by Mark Vanlook, CEO of anaXis
Whether it is to find new clients to do business somewhere online, to reach your market… more and more companies are taking advantage of Social Media today. Learn why and how companies are seizing the opportunity of Online Social networks and how also your company could be supported in using online social networks not only for the leisure of employees. Mark Vanlook explains what role social media can play in your company and which strategy is to follow in order to optimize your social media campaigns.

10.45 : Social media and expectations of your customers, an insight on social media for IT companies, by Frank De Graeve, Quadrant Communications.

Online Social media are more than a toy for youngsters. In every enterprise, at least someone is working with LinkedIn, wikis, Twitter, and other online social networking tools. As professional communication services, more companies are asking us what the potential advantages could be, and how to deal with them.

11.30 :  Social Media Malware Problems, by Eddy Willems, G-Data

A historical perspective on Malware and what happens in the online social media environments. Some facts and figures on malware distribution through Online Social Media.

12.15 : The example of using Twitter as a channel for malware distribution, identity fraud and phishing attacks, by Joeri Vanhoof, Barracuda Networks

13.00 : lunch & networking

14.00 : The use of online social networking as part of network traffic, and how to relate to it from a network management and network security management perspective, by Stijn Rommens, Palo Alto Networks

In its bi-annual white paper, Palo Alto Networks reports on the use of online social media and other traffic within the companies of their install base. They indicate how traffic inside the company is being shaped and how it could impact business communications. Learn how to use application firewalls to also prevent malicious attempts of malware coming in through the backdoor of online social media.

14.45 : Keynote address : Privacy disasters in social media – how vulnerable is your organization?, by Abhilash V. Sonwane – Vice President for Cyberoam, a division of Elitecore Technologies

Abstract: The aim of this presentation is to highlight emerging threats due to privacy disclosures faced by organizations and their employees, partners etc. who are active in social networks. While applications such as Facebook, Twitter and LinkedIn have opened new windows of opportunity for their businesses, most organizations are unaware that each time they use social media tools, it reveals a potential minefield of sensitive information which may be used against them by competitors.

Seemingly harmless forum posts, remarks, tweets, or status updates by employees, when fitted together as a jigsaw puzzle, disclose startling facts about the organization which only an insider might be aware of.  This level of privacy breach is equivalent to hacking into a company’s network to learn its plans, products, clients or trade secrets, or finding a person to be bribed, coerced or blackmailed to get such information. 
Cyberoam recently conducted research on the social media presence of 20 organizations from around the world, and their employees, to mine for information which could be potentially embarrassing. The findings were interesting and scary at the same time – employees are tweeting away anything from sensitive financial information to product launch details. What’s more, studying the patterns of corporate disclosures can even unravel the very DNA of the organization.
About : Abhilash V. Sonwane is Sr. Vice President - Product Management for Cyberoam, a division of Elitecore Technologies, where he is responsible for product and technology direction of the Cyberoam product line of Unified Threat Management appliances and other network security products. He is a key innovator of the patent pending Layer 8 technology that implements the Human Layer over the theoretical 7 layers of the network stack. His current research involves studying people’s behavior in social engineering, and the evolution of next-generation threats emanating from social media.
Abhilash has around 11 years of experience in developing product solutions. His excellent grasp of the security industry and in-depth technical knowledge has been instrumental in the evolution of the Cyberoam brand worldwide. A prolific public speaker, he has addressed prestigious network security forums including RSA Conference (San Francisco), Virus Bulletin (Vienna), Interop and more.

15.45 : Coffee Break

16.15 : Securing the social enterprise - make your business safe to be social, by Philippe Michiels, Territory Account Manager, Belgium, Websense

Abstract : Do you want to reap the social web business benefits of posts, tweets, and tubes? Do you want to capitalize on the social web without employees wandering off to unproductive sites or engaging in illegal activities and confidential data loss? Follow this session and learn the secrets to:
• Enable the use of the social web and protect productivity and limit legal liability
• Eliminate the risks of the social web and help prevent modern malware

About : Philippe Michiels joined Websense in April 2011 as Territory Account Manager for Websense in Belgium. In this role, he is responsible for the effectiveness of the Belgium channel and is there to advise customers about Websense security solutions.

Philippe has been in the security industry for over 15 years. He has a passion for IT and a self-confessed fascination for the never-ending evolution of the Internet following trends like Web 2.0 and the rise of Social Media. He studied electronics and began his career with an IT distributor before moving on to become a Systems Engineer, working hands-on designing and implementing the first Windows NT server deployments for enterprise customers. It was at this time his enthusiasm for IT Security blossomed due to the new and rising phenomenon of the Internet.

Philippe joins Websense from Trend Micro where he held positions as direct touch account manager and pre-sales engineer. Prior to that he held sales, sales engineer and security engineer positions at Dolmen CA, IN2 Computer and Tritech. Philippe plays a key role in educating our customers in Belgium and is an active company spokesperson discussing security-related matters at events and conferences.

17.00 : Privacy and Security in online social networks? A critical perspective from a research point of view, by Seda Guerses, COSIC, KU Leuven.

17.45 : Panel Discussion

18.15 : Closing Reception & Networking

19.15 : Close of Conference

MMS-Secure


You can also download a package with all the presentations of the day.

Topics under consideration

1. effectively using social networks in an enterprise context : block or embrace?
2. The example of using Twitter as a channel for malware distribution, identity fraud and phishing attacks
3. enterprise social networking usage scenarios, and how to deal with them
a. the real life experience : what do users do in their office time and some suggestions for dealing with it intelligently
b. social networks and data loss : should your security strategy be antisocial?
4. social networks as means for targeted attacks and malware distribution
5. mapping an organization’s DNA using social media
6. privacy and online social networks : besides the personal data, is your enterprise or product social network protected?
7. ...

Practical Details :

Seminar with presentations, interactive discussions and panel discussions
Leuven, Ubicenter, September 6th from 9 AM until 7.30 PM

Free of Charge for LSEC Members, SIGNATURE partner Members and other Affiliate Members, and by special invitation
Free to attend upon registration before July 1st 2011, 150 € after July 1st.

Register at http://socialnetworking2011.eventbrite.com.

About the organizers :
This event is organized by LSEC, a not-for-profit association focused on Information Security in Belgium. Over the last couple of years, LSEC has organized over 100 highly professional information security oriented activities. LSEC is a founding member of the European Security Innovation Network, a project supported by the European Commission through the INTERREG IVb program that supports innovative developments in the North Western European region in Security. With its partners Systematic Paris region in France, SITC in the UK and TeleTrusT in Germany, LSEC welcomes the active participation of companies in the discussion of potential threats, challenges and opportunities for companies in the domain of Security, or to the enterprise market and government institutions.


Looking forward to welcoming you on September 6th.

An afternoon on security innovations and visit to the MAS by LSEC and Palo Alto Networks


30-Jun-2011

On June 30th in the afternoon Palo Alto Networks and LSEC are welcoming you to an afternoon of discussions on innovation and information security in Antwerp. We would like to stimulate your mind before going into holidays by stimulating you to be innovative, also with information security.
Part of the afternoon will be a guided tour to the Museum aan de Stroom, next to drinks and lunch kindly offered to you by our partners.


Program Outline

13.00h Welcome & lunch

14.00 LSEC & Palo Alto Networks introductions to innovations and security, by Ulrich Seldeslachts, CEO LSEC

14.30 Industrial innovation strategies, Information Security and Innovation. A reflection on where innovation strategies could support your business in reacting to Security challenges, and to support your innovative businesses; by Ulrich Seldeslachts, CEO LSEC.

With contributions and papers such as :
“Strategies for Innovation in Security” ;
“Innovative approaches to Security”....

15.00 Nir Zuk : Innovate or Die

Nir Zuk, founder and CTO of internet security start-up Palo Alto Networks, brings a wealth of network security expertise and industry experience to Palo Alto Networks. Prior to co-founding Palo Alto Networks, Nir was CTO at NetScreen Technologies, which was acquired by Juniper Networks in 2004. Prior to NetScreen, Nir was co-founder and CTO at OneSecure, a pioneer in intrusion prevention and detection appliances. Nir was also a principal engineer at Check Point Software Technologies and was one of the developers of stateful inspection technology.

Nir and Palo Alto Networks are being seen as some of the more innovative information security developers. Nir is capable of seeing new challenges and brings new ideas around the table that challenge the existing landscape in trying to improve the current environment.

Passionate about technology, Nir started already at the age of 16 writing computer viruses ...
That led him to be recruited by a special unit for the military in Israel, his country of origin, specifically looking for whiz kids like him. After serving five years, he studied Mathematics at university and was recruited by Check Point in ‘94, developing the first stateful inspection firewall.
In ‘97 Nir moved to the US, continuing his career with Check Point Software and later starting Palo Alto Networks.

Nir visited us late 2010, where we had a couple of controversial discussions. Today the challenge is for Nir to help convince companies that they have to innovate also in Security, and in information security in order to face the current security challenges.

16.15 : Coffee Break

17.00 MAS Tour / MAS networking drink

As part of our innovation discovery, we welcome you to join us during a guided tour of the Antwerp MAS (Museum aan de Stroom).

Innovative for its setting, architecture, used materials, environment, set-up and many many other things, the MAS is a good example of an innovative development, where tradition, history, and creativity come together.

The MAS is an impressive building that houses a museum, among other things: it is also the visible storage, the museum square with Luc Tuymans’ mosaic, the boulevard, the rooftop panorama, etc. The MAS is a total experience.

The MAS brings together the collections from the former Etnografisch Museum, the Nationaal Scheepvaartmuseum and the Volkskundemuseum. They are given a new home in the MAS along with part of the Vleeshuis Museum collection and the Paul and Dora Janssen-Arts collection.

The collection amounts to a total of 470,000 objects and is still growing. The MAS regroups the collections in an innovative story, through four universal themes with which everyone can identify. They are spread over five floors.

+4: Display of Power. On prestige and symbols
+5: Metropolis. On here and elsewhere
+6: World port. On trade and shipping
+7: Life and death. On men and gods
+8: Life and death. On the Upper- and Underworld

19.00 End

Practical Details

Antwerp, Barcelona-Meeting, June 30th from 1 to 5 pm, followed by a guided visit to the MAS.


Security of critical infrastructures - Transnational Workshop


15-Jun-2011

Date: 15 June 2011
Agenda:
15:00 : Welcome of delegation at Systematic’s annual convention (at Supelec, Plateau du Moulon 3, rue Joliot-Curie, Gif-sur-Yvette)
15:15 - 17:00 : Guided tour of exhibition area including specific security projects.
17:00 : Cocktail and networking on exhibition area.
Venue: Systematic Annual Convention at SUPELEC (Systematic R&D project exhibition, project demonstration)

Day 2:
Date: 16 June 2011
Time: 9 am to 2 pm
Venue: See map location below
Purpose:
Brokerage event for preparing FP7 Security call on the theme of: Critical Infrastructures through “Security of Information Systems” angle
Agenda:
9:15 – 9:30: Welcome by Institut Telecom and Systematic
Part I
9:30 – 11:00: Introduction (focusing on FP7 SEC related themes):
“Smart Grids”: Presentation by Hervé Debar, Telecom & Management Sud Paris and Markus Bartsch, TUV IT
“Resilience”: Presentation by Louis Granboulan, EADS and Otto Hellwig, CIIP expert, Institute for Applied Information Processing and Communications of the Technical University Graz, B-CCENTRE
“Privacy by design”: Presentations by Jean-Marc Suchier, Morpho and Joss Wright, Oxford Internet Institute
11:00: Tea & Coffee Break

Part II
11:15-11:40: Presentation and outputs of SIGNATURE desk research exercise by Dr. Richard Chisnall INNOVASEC
11:40-13:00: Mini Brokerage session on FP7 Security call (will be continued after lunch break if necessary)
Presentation by Frédéric Laurent, French Ministry of Higher Education and Research, of FP7 Security topics and feedback from SMIGS Meeting in Brussels 8-9 June
Presentation of collaborative projects’ ideas (5 minutes per presentation). Cf. template attached.
Presentation of competences’ offer (by SMEs or academics). Cf. template attached.

Download the program for more information and details.

Contact your local European Security Innovation Network partner at belgium @ securityinnovationnetwork.com for more information

Looking forward to seeing you there.


Metasploit Megaprimer Workshop

09-Jun-2011

Metasploit is one of the most popular vulnerability assessment and exploit research frameworks available today. It is a community driven open source project and hundreds of security researchers contribute their know-how to it regularly. In this workshop, we will take you through an in-depth tutorial on using Metasploit for vulnerability assessment and exploit research.
Instructor Vivek Ramachandran is a world renowned security researcher and evangelist. His expertise includes computer and network security, exploit research, wireless security, computer forensics, embedded systems security, compliance and e-Governance. He is the author of the books “Wireless Penetration Testing using Backtrack” and “The Metasploit Megaprimer”, both up for worldwide release in mid 2011. Vivek is a B.Tech from IIT Guwahati and an advisor to the computer science department’s Security Lab.
More info:
http://www.jcacademy.be/jca/be-en/course-details.page?Short=INT47
Subscription:
http://www.jcacademy.be

AppSecEU2011 - OWASP Application Security 2011 conference


06-Jun-2011

The AppSec Europe conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 400-500 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec Europe 2011 will be held at Trinity College Dublin on June 6th through 10th 2011. There will be training courses on June 6th, 7th and 8th followed by plenary sessions on the 9th and 10th with each day having at least three tracks. AppSec Europe may also have BOF (informal ad hoc meetings), break out, or speed talks in addition to the standard schedule depending on the submissions received.
If you have any questions, please email the conference chair: appseceu at owasp.org

For more information and registration, please visit http://www.owasp.org/index.php/AppSecEU2011


GRC Unravelled - Governance, Risk & Compliance : Truth or Dare?


06-Jun-2011

Truth or Dare – Course and Seminar on GRC, Governance Risk & Compliance

Just before the economic crisis, the next big acronym was blasted into the market promising an overall strategy for a very old challenge : GRC. GRC could stand for Getting Reasonably Cold, Growing Rapidly Clean, Green Recyclable Costs, General Restructuring Climate, Given Reaction Challenge – or in our case Governance, Risk & Compliance.

The last two to three years, an ever growing set of regulations, requirements to become compliant, additional components, various measurements, whaling, correlated events, … have resulted not only in increased security measures, but also the necessity to provide comprehensive reporting, instant-available real-time situation overviews, anticipating audits and providing sufficient means and information to report on them.

Introduction

Any company has to deal with a variety of disruptive changes evolving : threats, technology, business, economics, compliance. Corporate boundaries are disappearing with opportunities such as ever growing mobile, internet web 2.x and cloud offerings. Reduction of cost, centralization, mergers and consolidation provide challenges of maintaining environments less familiar than the homegrown systems.

Governance, Risk and Compliance, collectively GRC is an acronym that creates headaches and a challenge for many IT and security managers, but also legal officers and business executives. Having tools and technologies to support management, maintenance and enforcing is already one major element, but allowing for comprehensive reporting on an executive level and bringing results of reporting back into the development area could be more challenging.

During the following seminar, we are trying to get an understanding of the evolution of the market, by presenting some live experiences, some key lessons learned during and beyond implementation, challenges for integration and maintenance, potential for in-house or outsourced GRC, and ways of seizing the internal and external audits. We’ll have a look at potential tools, their benefits and advantages and their deficits. We will try to present an evolutionary landscape and roadmap, following some other available examples with a view of the impact of virtualization and cloud environment.

Program Outline

9.30 : Welcome & Registration
9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC
Coffee continuously available during the morning.
10.00 : Introduction to GRC, understanding the basic and overview, by Wouter Janssen, Axl-Trax
Abstract : 
Managing risk through GRC (Governance, Risk & Compliance)
- Short overview of (SAP)GRC components(?)
- SAP and risk management (IT , security & process risks)
- Categorization of SAP risks and types of controls for mitigation
- Access risks (GRC AC), segregation of duties and the art of automation
- Process risks and business process control
- An approach for selecting risks and establishing appropriate control measures
Risk assessment & selection/identification
Establishing control objectives and key controls
Documentation, automation and process-orientation
Roles & responsibilities
Closing the circle: continuous monitoring of controls effectiveness
About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges. He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

10.45 : Governance, Risk & Compliance further investigated, by Els Houbrechts, Information Security Officer SPE Luminus & Carlo Schüpp Partner Vinti-Q &
Abstract :
Access Control does not enjoy a lot of sympathy with every business manager. It is often seen as a barrier that focuses too much on confidentiality and too little on reliability of data and process-driven controls. The business manager, however, expects the Security Officer to recognize the role of reconciliation processes and the review of operational reports in maintaining trust in data. This session provides a case study of how SAP GRC was used to set up a constructive dialogue between business and IT during reorganizations.
About : Els Houbrechts is currently Information Security Officer at SPE Luminus. Prior to that she worked as a security consultant with Telindus after having been security engineer at Utimaco and Security consultant at Utimaco Safeware AG before it was acquired by Sophos.
About : Carlo co-founded Vinti-Q, a high-end management advisory and engineering firm focused on information security and information-driven innovation. Prior to that, Carlo led Deloitte’s European practice of Security & Privacy. His clients typically seek security assessments, business continuity planning, application audits, IT governance questions, computer forensics and incident response, and compliance reviews. Carlo has had a career managing business lines and new initiatives. He served twelve years at Swift as a leader in product and market management. He participated in The Way Forward programme to transform Swift from a passive institution to a commercial enterprise. He built Swift’s first data warehouse to analyse all daily financial transactions and helped transform Swift from a proprietary network to a service provider facing the security challenges of the internet. He conducted process audits and provided top-management consultancy to banks in the global top-100, etc. He also served five years at Ubizen (today Verizon Security Business Solutions) as CIO leading the managed security services. Carlo took part in founding LSEC together with K.U.Leuven-COSIC and K.U.Leuven LRD, from a clear need within Ubizen to position Leuven as a center of expertise on Information Security that is recognised worldwide. Since his departure from Ubizen, Carlo has been a Board Member of LSEC.

11.30 : An economic approach to GRC, by Rudy Meert, Senior Security Consultant (Risk MGT & IT Governance), CISSP-CISA-CISM-CGEIT-CRISC, Belgacom ICT
Abstract : Challenges for GRC supporting methods & tools, like maturity, complexity, effectiveness, efficiency, improvement simulation, transparent reporting to business & decision support, and the way Belgacom deals with these by adopting an economic approach
Objective of presentation: share our experience in the GRC & information risk management area.
Important challenges for GRC & risk management supporting methods & tools + lessons learned:
• Basic requirements
• Reinventing the wheel problem & complexity
• Configuration Management syndrome & efficiency
• Low maturity & less scientific approaches
• The effectiveness, efficiency & flexibility requirements
• The simulation capability requirement
• The added value of quantitative approaches
About : Computer scientist, more than 25 years of experience in information security and risk management. Financial, pharmaceutical & consultancy industry. Specialised in cryptography, risk management and optimisation methods & techniques. Professional certifications: CISM, CISA, CISSP, CGEIT, CRISC. Developed several algorithms & methods in the area of cryptography and risk management. Optimisation techniques. New approaches on risk and value management.

12.10 : Human Behaviour and IT Security No Longer Need to Be In Conflict, by Dave Vijzelman, Security Consultant, CA Technologies
Abstract : how challenges in the environment are being managed with a series of tools that consider the changing landscape.
About : Dave Vijzelman has worked in several large heterogeneous environments and has extensive experience in designing and implementing architectural RBAC solutions. His focus is primarily on RBAC strategies and role mining. Besides this, he also has a wide knowledge of the technical approach regarding identity and access management (IAM) strategies. Previously he was a Senior Information Security Consultant at Ascure where he was responsible for the architectural approach of analyzing and designing RBAC strategies for clients. Before this, he was an RBAC Consultant at BHOLD Company. Today, Dave is Principal Security Consultant with CA Technologies, supporting large associations in their Identity Management challenges.

12.50 : Walking Lunch & Networking

14.00 : See more, Act faster and Spend less in your compliance domain, by René Pieëte, Solutions Specialist Europe, RSA, the Security Division of EMC
Abstract : In our increasingly globalized business environment, economies and enterprises are steadily becoming interrelated. Yet many key functions and departments that deal with related information and business processes remain siloed. As competition escalates, as organizations become more dispersed, and as regulations increase in number and complexity, risk inevitably grows. So, too, does the demand—from markets, regulators and customers—for increased accountability. The answer is to bring governance, risk management and compliance together in an integrated program where policies, data and controls are strategically managed and visible throughout the enterprise. An enterprise governance, risk and compliance (eGRC) strategy, supported by a common technology platform, creates consistency and transparency, enables collaboration, fosters operational efficiencies, and ensures the continuity and success of the business. See more, Act faster and Spend less in your compliance domain is key in a complex environment.
About : Since 2009 René Pieëte has been working as a Consultant at RSA, the Security Division of EMC. After graduating from Groningen University with a PhD in economics, he worked for several years as an economist. René has 25 years of experience in several positions in enterprise software development, sales, consultancy and implementation. Currently he leads different areas of expertise such as Authentication, Data Loss Prevention, Anti Fraud, SIEM and Governance Risk and Compliance. René has a wide expertise as security leader with an inspiring view on end-to-end security.

15.00 : How security tools can accelerate GRC projects, by Johan Hermans, Partner CSI-Tools
Abstract :
Full integrated GRC system perfect, helpful etc BUT
- How to implement it what are the requirements
- There is according to me only one approach Top Down & Bottom Up
- The bottom up approach requires specific (small) security tools
- In which phase are they used and for what
- We end the presentation with lessons learned (of our 200 customers the last 10 years)
The idea of the presentation is Bruce Schneier’s statement: “If you think technology can solve your security problems, then you do not understand the problems and you don’t understand the technology”
About : Johan is CEO of Axl-Trax (formerly CSI-Belgium) and CSI-tools. Previously, Johan was IT Auditor at Coopers & Lybrand and Financial Auditor at C&L. Being pioneers in the GRC business, CSI knows from experience which solution best matches specific needs, and we gradually extended the scope of our services to meet the more complex demands, expectations and legal requisites of the current business world.

15.45 : Information Security Doesn’t matter, by Geert Vandenbranden, CISSP, CISM, CISA, CIRM, MBCI, P2FC, Information Risk Management Consultant, Competence Center Leader Information Security Governance, Ascure
Abstract : In a lot of companies information security is still not handled with care. IT and information is becoming more and more important, nevertheless information security governance does not show the same growth in value to those companies.
About : Geert Vandenbranden has extensive experience in ICT and Information Security related disciplines at the strategic, tactical and technical levels. In his current position as Senior Information Security Consultant, he focuses on Information Security Governance / Program Management, Information Security Policy design/implementation, Information Risk management, Information Security Awareness Programs, Business Continuity Planning, Business Continuity Testing, Intrusion Detection/Prevention techniques and Security Architectures and Infrastructures.

16.30 : Panel Discussion & Coffee Break

17.15 : Case Study : Security Management at the Olympic Games, by Chris Van den Abbeele, Solution Manager, Atos Origin
Abstract : For the Vancouver 2010 Olympic Winter Games, the Atos Origin security team collected almost 9 million security related events each day to detect any potential IT security risk for the Olympic Games IT systems. Thanks to extensive correlation and filtering, only a hundred were identified as issues and were investigated. All were resolved, so there was no impact at all on the Olympic Games. This session gives a view behind the scenes of how Atos protects the most visible IT environment in the world.
About : Chris Van Den Abbeele is Solution Manager for Identity and Security solutions at Atos Origin. He is responsible for managing the Identity Security offering at Atos Origin Belgium. Chris has over ten years of experience in designing Identity solutions. He has a clear view on the technology, the market and the players. Prior to joining Atos Origin, Chris worked as a Technology Specialist at Novell for about ten years.

18.15 : Closing Notes & Networking Reception

19.30 : Close of Seminar

Other subjects to be discussed :
1. Where to start with GRC? Data to be easily obtained? Get results and refine, or dig deep and deliver later? What to present and what not (yet)?
2. How to identify the core security data that reflects performance? Some practical examples that apply everywhere?
3. GRC and ISO 27k – is there a match in heaven to be made, or even more of a nightmare?
4. The collection of stupid data is still stupid, or isn’t it?
5. Defining performance indicators in information security that matter.
6. Systems integration, the long and winding road …
7. So you have a GRC environment, now what? What does it do?
8. GRC, taking security management beyond the basics
9. From security tools and systems to comprehensive risk management
10. Applying the CSA Cloud Security Matrix in GRC
11. Experiences with Cloud Service Providers
12. Is there room for benchmarking?
13. Did we forget anything : risk monitoring and control
14. …

Unfortunately the following two presentations were cancelled.

AI & Digital Forensics and ISO Compliance, by Godfried Williams, Intellas UK (cancelled)
Abstract : AI techniques are effective for problems that require pattern recognition, as well as analyzing complex data and problems. This presentation explores a standard framework for guiding the use of artificial intelligence tools for digital forensics activities. AI forensics technology has the potential to effectively solve web counter-terrorism surveillance, fighting Internet fraud, masking identities online and data mining for managing online digital footprints. Intelligence gathered from analyzing multiple sources of information could be useful for providing leads to digital investigations. This presentation focuses on ongoing work by standards bodies and assesses requirements that are likely to facilitate the adoption of such frameworks by the forensic community.
About : Godfried Williams is the CEO of Intellas UK, the Artificial Intelligence and Information Security and Forensics Company based at London Canary Wharf. He is a Course Leader at the Department of Computing, University of Gloucestershire UK, and visiting Professor in information security at many universities.
He has approximately 20 years’ professional experience in the IT industry. He is a graduate of Cornell University’s Johnson’s School of Management, where he studied Leadership and Strategic Management. His undergraduate computer training is from the prestigious WANG Computer Laboratories in Boston USA. He previously worked as Senior Systems Analyst and Project Leader for the International Development Association (IDA) of the World Bank, resident at the Accounting and Management Information Systems Unit (AMISU), between 1995 and 1997. He assisted in the Planning and Management Information Systems Unit in handling the World Bank Highway Sector Investment Credit (IDA Credit 2858-GH) on behalf of the Ministry of Roads and Transport Ghana.
He is a Fellow of the British Computer Society (BCS) and a Fellow of the Royal Society for the Encouragement of Arts and Manufacturing.

and

iGRC, Cyber Protection by Mike Popham, Infogov

Large-scale ICT networks are now the fundamental basis for UK critical infrastructure and economic activity. However, there is an urgent need to develop the underlying science and engineering principles required to support such complex systems. In particular, the application of autonomous AI techniques and self-organising networks has the potential to create CNI systems that are an order-of-magnitude more resilient and dependable than current methods.
In order to manage this growing system complexity the SATURN programme will demonstrate how self-managing intelligent services can enable the rapid discovery and fusion of critical network data feeds in real-time. SATURN will also develop and validate novel tools and techniques for visualising and understanding the complex interdependencies between the service layer, and the underlying physical networks. In addition the project will enhance the underlying theory of complex networks in the CNI domain, and create new modelling and simulation capabilities.
The key output will be an advanced demonstrator that displays ultra-resilient ICT service capabilities. The system will also enable automated knowledge management and integrated data fusion. (A key requirement for improved CNI decision support.) Northrop Grumman, as part of our contribution to TSB Project SATURN, will develop a cyber range capability that can be leveraged for use in evaluating cyber effects on large scale, complex, heterogeneous and cooperative network structures.  This range will provide the United Kingdom with a new ability to conduct meaningful cyber experiments and assessments of infrastructure survivability and assurance.

CyberProtection iGRC by Mike Popham

Workshop Day 2

During the second day, a lecture by Peter Houtmeyers - Titans Consulting on the use of ISO 27k and GRC was followed by a workshop with the attendees.

The results of the workshop will be shared in an overview paper.

Participants in the workshop were given the details of the results.

Logistech - Security & Track&Trace

01-Mar-2011

Smart Logistics Community has a successful series of sessions on Sustainable Logistics.

Security and Traceability are just a few of the ways of impacting logistics today and even more in the future. Regulations and compliance will be leading the domain, and more requirements will develop.
Innovative products, services and concepts can be useful.

What are the practical implementations and applications that can be used?

Cold Chain Logistics, Smart Transport Systems, Security and Track&Trace and Crisis & Eventlogistics.

Program Overview

Increase the resilience of your logistics chain

Tuesday 24 May 2011, 13.30h - 18.00h

The logistics chain is vulnerable. Maximum safety and security in every link is a must.

And that is not only about doing business with reliable partners who actively take part in (certified) security programmes. A sound security approach is just as indispensable in the production process, during loading, in transit and during the transshipment of goods.

Program

13.30h : Reception

14.00h : Welcome
POM Vlaams-Brabant

14.05h : Setting the scene
Kris Neyens - Vlaams Instituut voor de Logistiek

14.20h : Case 1: Camera-based access control in ports
Jan Bossens - Camco

14.35h : Case 2: Product authentication in the pharmaceutical sector
Pascal Durdu - Zetes

14.50h : Case 3: T&T security through sensors
Stephen Dunphy - Essensium

15.15h : Coffee break

15.45h : Case 4: T&T for the supply chain
Peter Dewolf - DHL

16.00h : Case 5: Airport security through new concepts and technologies
Jean-Paul Van Avermaet - G4S

16.15h : Case 6: Privacy legislation relating to access controls
Ronny Saelens – Vrije Universiteit Brussel

16.30h : Networking

Practical Details

Date: Tuesday 24 May, 13.30 – 18.00
Location: Belgocontrol, Controletoren Tervuursesteenweg 303, 1820 Steenokkerzeel

Photos and presentations are available via the link below:
http://www.flanderssmarthub.be/logistech/doelstellingen/community-smart-logistics/

Safe Cities

17-May-2011

LSEC is supporting SITC as co-organizer and partner of the Safe Cities initiative as part of the European Security Innovation Network.

Frost & Sullivan has identified the Rise of Safe Cities as one of the key mega trends in the future. Megacities across the globe are already following the trend and discussing options to implement Safe Cities projects. As a key enabler to this concept, Security Solutions are increasingly becoming a critical element in the planning and development of Smart Cities across the Globe.
The Safe Cities market is characterised by a very fragmented customer base, strong competition and different business models towards integration and industrial partnership. As an evolving concept, industry players are still trying to understand how to best approach market opportunities in existing and future Safe Cities projects.
Frost & Sullivan is planning to host this specific track at its GIL Europe 2011 with the aim to enable organisations to:
• Gain a better understanding what is a Safe City, from a vendor, a city planner and end user perspective
• What vendors/integrators, from different industries (i.e. IT, Building Technologies, Defence, Security)
• What are the business challenges and opportunities
• What vendors/ integrators can/need to do in order to position themselves strategically in this emerging market

Proposed Agenda

The annual Growth Innovation and Leadership Congress will take place at the Emirates Stadium on 17th May 2011.
The proposed schedule is as follows:
1.45pm CEO’s 360 Degree Perspective – Safe Cities
2.15pm Growth Success Story
2.45pm Interactive Workshop: Developing a Visionary Perspective for the Future
3.45pm Interactive Panel on Innovation/Industry Convergence

Practical Details

For more information and registrations links, please visit : http://www.securityintech.com/articles/86

Part of the GIL Conference (Global Community of Growth, Innovation and Leadership), Tuesday 17 and Wednesday 18th.

A special SITC, LSEC, Security Innovation Network discount is available, at a special rate of 250 GBP instead of 1800 GBP.
Contact us at safecities @ lsec.be for more information.

CA Technologies Open Day - Agility in the Cloud

17-May-2011

Our Partner Member CA Technologies organizes the CA Technologies Open Day on May 17th.

Visit us there and participate in the Security and other activities.

Does Cloud make us more Agile or should we just be Agile to be able to connect Cloud seamlessly to the existing business and IT infrastructure? During CA Technologies Open Day on May 17 CA will show you what this might mean for your organisation. Experts will share their experiences with you.

At this top location in Evere, renowned speakers from the business community and software industry will share their vision and experiences with you. They will talk about market trends, their own practical experiences and technical (im)possibilities. The day is split into two parts. In the morning, extraordinary and interesting keynotes are on the program. The afternoon sessions consist of several parallel tracks with specific themes about Cloud, Mainframe and Portfolio Management.

Apart from the sessions, there is a Partner Expo, which is open the whole day.

Register Now at the CA Technologies website.

Plenary tracks in the morning

09.30-10.00 Registration
10.00-10.15 Welcome & Introduction
Dirk Janssen, Senior Director Country Sales, CA Technologies
10.15-10.45 Industry Keynote
Vincent Van Quickenborne, Minister of Entrepreneurship & Administrative Simplification

10.45-11.15 Customer Keynote
Kris Verheye, VP Corporate Market, Enterprise Business, Belgacom
11.15-11.45 Network Break Partner Expo
11.45-12.15 CA Technologies Keynote
Dr. Donald Ferguson, Executive Vice President & CTO CA Technologies International
12.15-12.45 Recap with Dirk Denoyelle
12.45-14.00 Networking Lunch Partner Expo
14.00-14.35 Parallel Sessions – part 1
(Mainframe, Portfolio Management, Cloud Build, Cloud Manage, Cloud Secure, MSP Track, CA ARCserve Track)
14.40-15.15 Parallel Sessions – part 2
15.20-15.50 Networking Break Partner Expo
15.50-16.15 Parallel Sessions part 3
16.15-16.45 Guest Performance Dirk Denoyelle
16.45-17.00 Raffle CA World 2011 Las Vegas packages
17.00-18.00 Networking Drink Partner Expo

Security Program Detail

Cloud Secure Parallel Tracks

14.00-14.35 Secure Identities in the Cloud: Mission Impossible?
In an increasingly open environment of partners, suppliers, home-workers and cloud applications, keeping track of who has access to what, and why, is becoming an almost impossible task. Add more demanding auditors and regulators to this equation and it is no wonder that companies feel they are heading towards disaster. Join us in this track to view the future of Identity Management.
Speaker: Dave Vijzelman, Senior Solution Strategist, CA Technologies (17th May BE)
Speaker: Paul Ferron, Senior Solution Strategist, CA Technologies (19th May NL)

14.40-15.25 Identity compliance: Can you afford not to act?
In order to show compliance with various regulations, like ISO 2700x, Identity Compliance has become a real issue. In this track PWC and CA Technologies will explain how to execute controls and policy definitions in the technical domain to ensure continuous identity compliance.
Speaker: Dave Vijzelman, Senior Solution Strategist, CA Technologies (17th May BE)
Speaker: Paul Ferron, Senior Solution Strategist, CA Technologies (19th May NL)

15.50-16.15 Bring your own Device! A pain or a pleasure for Information Security?
In today’s consumer driven economy more and more end users are demanding flexibility in their work devices. How can you enable this trend of blending Business and Fun in an acceptable manner?
Speaker: Dave Vijzelman, Senior Solution Strategist, CA Technologies (17th May BE)
Speaker: Paul Ferron, Senior Solution Strategist, CA Technologies (19th May NL)

Practical Details

May 17th - The Event Lounge in Evere BE

Registration and participation are free of charge.
Registration : at the CA Technologies website.

The Event Lounge
16 F Bld Général Wahis - Generaal Wahislaan
1030 Brussels
http://www.eventlounge.be

Data Breaches in 2010 - a presentation of the data breach report by Verizon Business

10-May-2011

Data breaches continue to plague organizations worldwide and Verizon - this year again in collaboration with the U.S. Secret Service and, new this year, the National High Tech Crime Unit of the Netherlands Police Agency (KLPD) - continues to analyze them.

Once again, Verizon is very glad to share their newest research into the world of data breaches: “the Verizon 2011 Data Breach Investigations Report” (DBIR) with you. We will do so in print as well as face-to-face, if you are available.

On 10th May, Wade Baker, director of risk intelligence for Verizon and creator, author and primary analyst for Verizon’s DBIR series, is presenting the analysis, findings and recommendations of the 2011 DBIR at an ISSA-BE event… and you’re invited.

Venue: Verizon, Ubicenter, Philipssite 5, 3001 Leuven
Time: 10th May, 6 p.m. – 8.45 p.m. (networking until 10 p.m.)
Registration: free but mandatory

Should you not be available or wish to prepare for Wade Baker’s visit on 10th May, feel free to download a soft copy of the 2011 DBIR via the LSEC website.

Some of the 2011 DBIR key findings:
- 92% stemmed from external agents;
- 97% of breaches were avoidable through simple and intermediate controls;
- 89% of victims subject to PCI-DSS had not achieved compliance;
- 50% utilised some form of hacking;
- 49% incorporated malware.

We hope to see you on 10th May!

LSEC, ISSA Belgium European Spring Special Event : Information Security Challenges in 2011

28-Apr-2011

LSEC Special Spring Event : Information Security Challenges in 2011

On April 28th, in the evening, LSEC, ISSA Belgium European in co-operation with Isaca Belgium are organizing a special networking event, bringing together various people and insights from the Information Security Industry.
Besides the social activities, some drinks and the special location of the Coudenberghmuseum, we will be updating our partners and members with some insights in Information Security Challenges in 2011.

Managing mobiles and smartphones is one of the key topics identified by both the information security industry and the enterprise security management, as one of the key potential risks and threats in information management. Over the last five years, it has been identified as a major threat and due to the evolution of those smartphones, the potential risks became even greater. Some phones hold memory capacity of up to 64 GB, allowing for quite some data to leak from the enterprise. Most phones retain confidential information, both emails with confidential documents and discussions, as well as contacts and personal data of the relations of the person who’s using the smartphone on a daily basis. On top of that, most of the applications being developed have not at all been strengthened to today’s level of potential software threats. It’s all about convenience, user friendliness and downloading pieces of software that are fun to share, please the kids or can be talked about over drinks.

At the end of 2010, ENISA published the ENISA Smartphone Security report, indicating some trends and challenges for companies to manage smartphones.

During our evening, ISSA invited ENISA to explain some of their findings in more detail and to discuss the issues with some other industry specialists.


This event is supported by our Partner Member BarracudaNetworks.

Next to that, we have invited Raj Samani, McAfee’s EMEA CTO to give a view on some of the other Information Security Challenges we are facing in 2011.
Prior to McAfee, Raj was involved in the Public Administration Healthcare in the UK; having been part of the transformation from paper to digital and facing major security challenges in that process.
Today he’s supporting enterprise, government and McAfee in making the right choices when it comes to future challenges.
Raj is the European representative of the Cloud Security Alliance and is working on a Security management guideline, the global collaborative project used to evaluate objective measurement of IA maturity known as the Common Assurance Maturity Model (CAMM).

Finally, to close the program, we’ve invited some of the latest LSEC members to shortly present themselves and their companies in a 5 minute elevator pitch, which will bring us to the reception and a visit of the museum.

Learn more about Egemin, one of the latest LSEC members.


About the Location : Coudenberghmuseum and BELvue

The Coudenberghmuseum, an underground tour discovering the remains of the palace of Charles V
From the middle ages, a castle overlooked Brussels from Coudenberg hill. From the 12th century, the successive monarchs and their representatives transformed a small fortified castle into a sumptuous residential palace, one of the most beautiful palaces of Europe and one of Charles V’s main residences.

This prestigious building is severely damaged by fire in 1731. Some forty years later, the ruins of the palace are pulled down and the ground flattened out for the construction of the new royal district. The remains of this palace make up the Coudenberg archaeological site.

During your visit, you will discover the Rue Isabelle and the old structures of the main buildings of the former palace of Brussels, which are now the foundations for today’s royal district and the Hoogstraeten House where the most interesting discoveries made during the various archaeological excavations conducted on the Coudenberg are displayed.

The BELvue museum provides a great overview of Belgian history. History has been written in the museum. In 9 halls and temporary exhibitions, this country surprises its inhabitants and visitors. Historic events uniquely documented, poignant film snippets and photos that you’ll never forget, moments in the past brought back to life to be relived as a memory for the elder and a discovery for the young…

You could also ‘just’ visit for the magnificent setting, the former 18th century Bellevue hotel – next to the royal palace, with a view of the gardens, beautifully renovated and one of a kind. A building that is more than just bricks and mortar, more than history, a building in which you can partake in our collective memory and that welcomes you with open arms – as a Belgian or a foreign visitor. BELvue has a story that it wants to share with you.

Program Outline

Part 1
16.45h : Welcome and Registration for the Coudenbergh visit

17.00h : Guided visit to the Coudenbergh museum (independently from the BELvue). Limited spaces only, first come first served.

Part 2
18.00h : registration & welcome drink

visit to the BELvue museum for those who are interested, until 20h.

18.15h : Opening address by Ulrich Seldeslachts, CEO LSEC; welcoming notes by ISSA Belux President and by ISACA Belgium President

18.20h : Security… is there an app for that? An overview of ENISA’s smartphone security report, by Marnix Dekker, ENISA

Abstract: Last year, together with a number of smartphone experts and security officers, we wrote a paper about smartphone security. The paper gives an overview of the top ten information security risks when using smartphones and also highlights important information security opportunities. To address the risks we make recommendations by giving pragmatic (risk-based) advice to end-users and IT (security) officers in businesses and governmental organisations for reducing the risks. In this presentation I will give an overview of the report, discuss the top ten risks, the opportunities, and look ahead to our future work in this area.

About : Marnix works in ENISA’s Secure applications program. He focuses on smartphone security, secure software engineering and cloud security. Previously he worked as an IT architect at KPMG, designing and auditing large identity management systems (for example the Dutch DigiD and the eRecognition framework). He has a PhD degree in Computer science and a Master degree in Theoretical physics.

19.00h : Auditing Mobile Apps and Mobile Forensics, by Aman Bahr, Training & Solutions Director, The Lancelot Institute

Abstract: Exponential growth in both apps for, and malware infections on, mobile devices, whole-sale theft of a developed nation’s Prime Minister’s email from her mobile device, and the continuing extension of corporate and government networks to include “smart” mobile end-points, are just some of the reasons for this seminar. “We will discuss and demonstrate policies needed to govern the use of apps on mobile devices, how to implement these policies as a secure, yet practical, baseline for current “smart” mobile devices, how to audit said apps and devices against the nominated baseline, and how to detect and dissect malware and other intrusion-based incidents via mobile forensics. We will do this by way of case studies and practical demonstrations.”

Bio: Aman works as training & solutions director in the Lancelot Institute. In addition to his management and consulting activities he regularly travels the globe on speaking and teaching engagements for enterprises to assist them in securing their information assets. Aman is academically qualified in Information Systems, and specializes in Information Systems Assurance, Auditing, Continuity, Recovery and Incidence Response. He is author and co-author of the Virtualization Audit Professional™, Cloud Audit Professional™ and Penetration Testing Professional™ training programs.

19.40h : mobile security panel discussion

Moderator : Ulrich Seldeslachts, CEO LSEC
Panellists :
- Marnix Dekker, ENISA
- Aman Bahr, The Lancelot Institute
- Jean-Luc Delvaux, Belgacom ICT
- Gert Vanhaeght, Mobila
- Raj Samani, McAfee

Snacks and drinks will be served during the presentations. There will be opportunity to network and have social discussions next to the speaker’s contributions.

20.00h : Information Security Challenges in 2011, by Raj Samani, McAfee CTO EMEA




About Raj Samani :
Raj is an active member of the Information Security industry, through involvement with numerous initiatives to improve the awareness and application of security. He is currently working as the VP, Chief Technical Officer for McAfee EMEA, having previously worked as the Chief Information Security Officer for a large public sector organisation in the UK.

In addition, Raj is currently the Vice President for Communications in the ISSA UK Chapter, having previously established the UK mentoring programme. He is also on the advisory council for the Infosecurity Europe show and Infosecurity Magazine, and an expert on both searchsecurity.co.uk and infosec portal. He has had numerous security papers published, and has appeared on television (ITV and More4), as well as providing assistance in the 2006 RSA Wireless Security Survey and being part of the consultation committee for the RIPA Bill (Part 3). He is also leading the global collaborative project used to evaluate objective measurement of IA maturity known as the Common Assurance Maturity Model (CAMM).

Next to his work Raj has also obtained:

CESG Listed Advisor Scheme, (CLAS), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Microsoft Certified Systems Engineer (MCSE – in NT4, Win2k, Win2003), Check Point Certified Security Administrator (CCSA in NG and 4.1), Check Point Certified Security Expert (CCSE - NG), Citrix Certified Administrator (CCA), QualysGuard Certified, RSA Certified Systems Engineer (SecurID), Cisco Certified Network Administrator (CCNA), as well as a BA (Hons), and MSc.

21.45h : close of evening

22.00h : close of Hoogstraeten Hotel Museum

Practical Details

April 28th, Coudenberghmuseum, entrance until 20h via the BELvue museum, at the Warandepark entry (official address: Koningsplein, 1000 Brussel).
From 20h onwards entrance via Hoogstraeten Hotel.

Free to attend, upon prior registration and confirmation.
You are welcome to join just for drinks, to freely visit the museum, participate in the talks or do all of the above combined.

Registration is easy, but mandatory, please visit Special LSEC, ISSA Spring event at the Eventbrite website.

Please register for
Part 1 : 16.30h and onwards visit to the Coudenberghmuseum
Part 2 : 18.00h and onwards evening activities and visit to the BELvue museum (until 20h)

Limited places available, seats granted on a first-come, first-served basis.
Please cancel your reservation at least 48 hours in advance, in order for us to proceed to a waiting list.
A no-show without cancellation at least 48 hours in advance will result in a cost of 150 € for our organizations, which we will invoice to you.

For more information, suggestions and other, please contact lsecspring @ lsec.be.

Looking forward to sharing Spring Blossoms and Flower ideas.

Lecture on Crypto and e-Voting: Homomorphisms, Zero-Knowledge Proofs, and Other Tricks of the Trade

02-Mar-2011

Lecture on “Crypto and e-Voting: Homomorphisms, Zero-Knowledge Proofs, and Other Tricks of the Trade”, by Prof. Dan Wallach, Rice University

About

LICT, LSEC and secappdev.org kindly invite you to this talk that will take place on March 2nd, 2011 at 18:00.
The session is open for all interested parties.
Participation is free of charge, but advance registration is asked for by February 27th.

Date: March 2, 2011
Time: 18:00 - 20:00 (Sandwiches are foreseen at 18:00. The actual lecture starts at 18:30)
Location:  K.U.Leuven, Dept. Electrical Engineering - ESAT, Aud A
Kasteelpark Arenberg 10, Leuven, Belgium

Program Outline

This lecture, which assumes a modest amount of cryptographic knowledge in advance, explains many of the cryptographic techniques necessary to build “end-to-end” secure cryptographic voting systems, including homomorphic Elgamal encryption, reencryption mixnets, and zero-knowledge proofs.

Bio of speaker:
Dan Wallach is an associate professor in the Department of Computer Science at Rice University in Houston, Texas and is the associate director of NSF’s ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). His research involves computer security and has touched on issues including web browsers and servers, peer to peer systems, smartphones, and voting machines. He has testified about voting security issues before government bodies in the U.S., Mexico, and the European Union, and has served as an expert witness in a number of voting technology lawsuits.

Target Audience:
The lecture is aimed at students, researchers and other interested people with some knowledge of basic cryptography.
Organisation:
This lecture is jointly organised by LICT and secappdev.org.

Practical Details

Participation is free of charge but advance registration is asked for by February 27th. (LICT event registration page)
Sandwiches will be provided at 18:00.

The European eIdentity Management Conference 2011 by EEMA - 24th annual conference

08-Jun-2011

EEMA, and the Estonia Ministry of Economic Affairs and Communications have joined forces to produce a unique experience - the European e-Identity Management Conference, which examines the key challenges and strategies in effectively managing organisation, administration, employee and citizen identities.

The conference

The conference provides an ideal and rare opportunity for identity experts to share their experience and knowledge with others, through case studies, presentations, networking, Q&A sessions and debate; and for all participants to learn more about the most critical technical, business and legal issues in identity today. For example:

· What are the advantages and shortcomings of the different models of e-identity management?
· What are the main components of a secure ID management system?
· How do you solve the challenges of provisioning and de-provisioning?
· What are the challenges of federated ID management?
· What is the current position of “new technologies” ID? i.e. Mobile or Cloud
· How do you ensure interoperability of ID cards?
· How can you measure the effectiveness of your identity and access management (IAM) implementation?
· What legal parameters must you consider in implementing e-ID systems?
· How do you balance the need for ID management with Governance & Compliance Audit issues?

Practical Details

EEMA’s 24th Annual Conference
08/06/2011 to 09/06/2011 - Tallinn, Estonia

International Course on Computer Security and Cryptography 2011

14-Jun-2011

13th edition of the international COSIC course! This course on computer security and cryptography is organized by COSIC, a research group from the Katholieke Universiteit Leuven and research team of the Interdisciplinary Institute for Broadband Technology (IBBT), in cooperation with LSEC - Leaders in Security and will be held in Leuven from Tuesday, June 14, 2011 till Friday, June 17, 2011.

Program Outline

Part I
Day 1: Tuesday, June 14, 2011
09:00 Welcome
09:10 Introduction Vincent Rijmen
09:40 Basic concepts Vincent Rijmen
10:40 Coffee break
11:00 Block ciphers and stream ciphers Vincent Rijmen
12:00 Public-key cryptography Frederik Vercauteren
13:00 Lunch
14:30 Privacy technologies Claudia Diaz
15:20 Coffee break
15:40 Hash functions and MACs Bart Preneel
16:30 SHA-3 Sebastiaan Indesteege
17:00 End of day 1

Day 2: Wednesday, June 15, 2011
Track 1
09:00 Secure hardware & side-channel attacks, Ingrid Verbauwhede
09:50 Privacy and Security: a Trade-Off?, Jos Dumortier
10:40 Coffee break
11:00 Entity authentication & key establishment, Bart Preneel
12:40 Lunch
14:10 Enforcing security policies on untrusted software, Frank Piessens
15:00 Computer security, Stefaan Seys
15:50 Coffee break
16:10 Public-key infrastructures, Bart Preneel
17:50 End of the first track of day 2

Track 2
11:00 Public-key cryptography: advanced topics, Frederik Vercauteren
11:50 Biometrics, Koen Simoens
12:40 Lunch
14:10 RFID hands-on, Philippe Teuwen
15:50 Coffee break
16:10 RFID hands-on, Philippe Teuwen
17:30 End of the second track of day 2

--------------------------------------------------------------------------------
Part II
Day 3: Thursday, June 16, 2011
09:00 Graphical passwords and knowledge-based authentication, Paul Van Oorschot
09:50 U-prove, Ronny Bjones
10:40 Coffee break
11:00 E-ID security, Walter Fumy
11:50 Security for an international card payment system, Michael Ward
12:40 Lunch
14:10 Mobile payments, Marijke De Soete
15:00 Coffee break
15:20 Extension of card payments, Cristian Radu
16:10 Secure software installation and update, Paul Van Oorschot
17:00 eID in Belgium, Danny De Cock
17:50 End of day 3
19:30 Conference Dinner @ The Faculty Club

Day 4: Friday, June 17, 2011
09:00 GSM/3G algorithms, Helena Handschuh
09:50 Verification for cryptographic protocol implementations, Cédric Fournet
10:40 Coffee break
11:00 Standardization, Walter Fumy
11:50 Mifare plus and privacy preserving technologies, Marc Vauclair
12:40 Lunch
14:10 Telematics road pricing: building a secure and privacy-respecting solution, Michaël Peeters
15:00 Coffee break
15:20 PUFs, Helena Handschuh
16:10 E-voting, Danny De Cock
17:00 End of day 4

Practical Details

June 14 - 17th 2011, Heverlee, Belgium - KU Leuven
Auditorium “De Tweede Hoofdwet”, Thermotechnisch Instituut, Kasteelpark 41 - 3001 Heverlee
Registration and more information : visit https://www.cosic.esat.kuleuven.be/course

Full registration fee, part 1 + part 2 :  2000 €
Academic fee, part 1 + part 2 :  1000 €
Full-time student fee, part 1 + part 2 :  700 €
Full registration fee, part 2 :  1200 €
Academic fee, part 2 :  700 €
Full-time student fee, part 2 :  400 €

This fee included the books “Security Engineering” (2nd edition), by Ross Anderson, and “Modern Cryptography: Theory and Practice”, by Wenbo Mao.

Registration before May 14th, early bird reduction of 10%

LSEC Members and partners receive an additional discount of 15% (on top of early bird reduction if registered before May 14th). Mention LSEC during registration.

Security Innovation Network EIC Pre Conference Activity

10-May-2011

Identity Management STIG at the Pre-Conference EIC Munich, Germany – May 10th

The EIC is one of the leading conferences in the field of Identity Management, reaching out yearly to all expert leaders in the domain throughout Europe. Typically attended by industry players, but also by end consumers and government officials, it gathered over 550 delegates from all over the world in 2010. In-depth discussions, new announcements and the IDM award are standard components. It is organized as a yearly event by leading European market analyst firm Kuppinger Cole, focused on EIC and Cloud Computing.

Download the STIG brief document with all relevant information and contacts.

Participate in the development of European Electronic Identity & Identity Management Expertise

The Security Innovation Network has been set up to facilitate the collaboration and working relationships between companies and experts in different areas of security in the UK, France, Belgium and Germany but is open to participation from other countries. In a series of interactive workshops, security experts will be challenged with current and future potential threats. Finally, there will be a focus on a converging landscape (physical vs electronic) and cross state borders.
You will be heard as experts about the future developments of electronic Identities, Identity & Access Management and related topics, in the domain of information security and physical security. Your guidance can help the physical security industry to better understand evolutions and requirements from the logical space.

Security Innovation Network Security Thematic Interest Group

This year, the European Security Innovation network has been invited to organize a session in the Pre-Conference activities, for a European Security Innovation Network STIG, on Tuesday May 10th from 9 until 1 PM.
It’s a unique environment to bring in both expert industry leaders and our SME communities who are involved in Electronic Identities, Access Management, Authentication, Identity Management, or Cloud Computing Products and Services.

For the Tuesday morning STIG activity, we propose the following :
1. introduction by LSEC, Ulrich Seldeslachts as partner responsible for the WP Security of Information Systems, setting the scene, expectations
2. challenges in IDM in 2011, previewing the EIC
3. Elevator pitches part 1 : 10 minute company presentations, challenges, partner interests
4. Keynote by Kim Cameron, Microsoft (tbc)
5. Top Research Activities in IDM and related: a collection and call for participation
6. Elevator pitches part 2 : 10 minute company presentations, challenges, partner interests
7. Workshop : Defining future challenges
a. User-centric, federated, Identity Service Providers: will the winner take all?
b. Identity theft, is it a challenge?
c. Beyond the consulting? What’s in it for the vendors?
d. Mobile IDM
e. Open topic
8. Identify opportunities for Research Activities, International and Local Calls for Tenders and Research Projects, Identify some key Innovative developments in IDM

Practical Details

This event is intended for European SMEs in the domain of Electronic Identities and Identity and Access Management, being product development companies (authentication, services, systems integration, consulting, ...), system integrators or consultants. It is also accessible to larger organizations and associations from Europe and beyond in these domains.

Additional benefits for SIGNATURE partners or companies related to the SIGNATURE partners apply to participate at the full conference.

Please apply for registration and await confirmation.
Visit the Security Innovation Network pre-EIC activity (http://eicstig.eventbrite.com) page at Eventbrite.
The pre-conference activity by LSEC and the Security Innovation Network is free of charge.
Registration and confirmation are required and will be checked upon entrance.

For more information, please download the STIG brief, or contact us directly.

Infosecurity Belgium 2011

23-Mar-2011

Tradeshow, Seminars, Networking, ....

Infosecurity 2011 will offer a great way to explore the latest trends in information security, discuss with various experts, and learn from peers and experts during the seminar sessions.

LSEC Theatre - Best of LSEC 2010

On Thursday January 24th, LSEC will be hosting a number of interesting talks that were highly appreciated by the attendees of these seminars during 2010.
As a best of show, you’ll be getting a good flavour of the current challenges and opportunities from some of the best speakers and presentations by experts.

You are welcome to join any of these sessions during the show. It is probably best to sign up via the Infosecurity.be registration system, or simply to show up during the show.

10.15 – 10.45 : Securing SAP & ERP Environment : Wouter Janssen, Axl & Trax
11.00 – 11.40 : Security in Industrial Automation : Wim Tindemans, Egemin
12.00 – 12.40 : Federated Identity Management : Marc Vanmaele, SecurIT
13.00 – 13.40 : SIEM: A Critical Component of Information Risk Management: Dimension Data, Stefaan Hinderyckx
14.00 – 14.40 : Straight from the Anti-Malware Labs: Attack’s technical evolution and sophistication, Toralv Dirro, McAfee
15.00 – 15.40 : Internet Security Threats in 2011 : Vincent Vanbiervliet, Sophos
16.00 – 16.40 : Six Lessons Learned for Effective Information Security Management, Ward Duchamp, Vinti-Q

Other interesting presentations facilitated by LSEC :

Infosecurity Trends in 2010, by Bart Preneel, Chairman LSEC and Head of COSIC, KU Leuven



Wireless Security Challenges by Dave Singelée, Researcher KU Leuven



The evolution of Identity Management by Tim Dunn, CA Technologies


Practical Details

Infosecurity 2011 took place March 23 - 24 2011, Expo Brussel
More information, please visit: http://www.infosecurity.be

EEMA eID Interoperability Conference

16-Mar-2011

The European eID Interoperability Conference
“Bridging the Identity Divide”
March 16-17 2011, Leuven, Belgium
Hosted by Verizon

Introduction

The last year has seen some dramatic industry developments and innovations; however, there are many issues that have still not been resolved. Now in its 6th year, this annual conference will address these and many other issues. Organised by EEMA, this conference acts as a neutral forum where industry, business and administrations can address specific areas of importance in the digital identity arena. It also facilitates the exchange of ideas amongst delegates who want to learn and build upon their knowledge in a relaxed, constructive environment. As one of the pioneers of Identity cards in Europe, Belgium is again the ideal venue for the European eID Interoperability Conference.
The conference will explore how the interoperability of European Identity is evolving in practice and the implications for governments, businesses and the citizen today.

The Conference

Building on the success of our five previous European e-ID Interoperability Conferences, this two day meeting will include:
• Presentations by visionaries and experts who will discuss the vision of eID for both government and industry; including Dr Aniyan Varghese from DG INFSO, eGovernment, European Commission, talking about EU initiatives to facilitate cross-border services.
• Technical debates on the latest solutions available and how to implement them
• A choice of discussions on topics such as eID Legal and Privacy Issues, federated identity; eID in the Cloud; and standards and enforcement
• And don’t forget the networking!

In addition, delegates will hear case studies from experts who have first hand experience of implementing eID solutions, and understand the challenges and pitfalls.
This is a hands-on conference and all delegates will be encouraged to participate fully, so come and join the debate! If your remit has anything to do with eID, this is a perfect opportunity to expand your knowledge, network with peers and experts, and to take back to your organisation new knowledge and ideas that will be of real practical benefit.

Program Outline

For more information and registration, please visit : www.eema.org website.

10:00 Opening Plenary
Welcome and Introduction : Roger Dean, EEMA
Welcome and Perspective of Business eID Application Challenges : Peter Tippett, Verizon
Latest European Union initiatives to facilitate the provision of cross border public services – a European Large Scale bridging action on eIDM : Aniyan Varghese, European Commission
The SSEDIC Thematic Network : Daniela Merella, Nestor
User Managed Access (UMA) - a Kantara Initiative : Cordny Nederkoom, Immune-IT Testprofessionals
Managing Multiple Identities : Slawomir Gorniak, ENISA
TBC : Ashley Evans, Verizon Business

14:00 The Business Benefits of National eID Cards and Cross-Border Applications : Chairman Frank Leyman, FedICT
Bridging STORK and ECAS European eID Interoperability for 350+ EC Information Systems : Frédéric Poels, European Commission
So What’s Different About the UK : Mark King, EADS/Cassidian
Practical Examples of Integrating eID into Web Applications : Frank Cornelis, FeDICT
The new German eID card and the European Dimension : Volker Reible, T-Systems International

16:30 The Business Benefits of eID Schemes Provided by Private Industry in a Global Economy : Chairman Paul Donfried, Verizon
Using a Global Validation Service for Interoperable Efficiency : Jon Shamah, NETS eSecurity
TBC . . .

Day 2 - Thursday 17 March 2011

09:00 Federated Identity : Chairman Stein Welberg, Everett
Catalyzing an Identity Verification Marketplace : Matthew Gardiner, CA Inc
Stitching Federations Together Across Sectors, Borders and Technologies Drives Business Forward : David Simonsen, WAYF.DK
Identity Federation Technologies: what standards are dominating : Heiko Roßnagel, Fraunhofer Institute for Industrial Engineering

09:00 eID Legal and Privacy Issues : Chairman Jos Dumortier, time.lex
Data Protection Challenges in Cross Border Exchange of Private Data : Charles Bastos Rodriguez, Atos Origin
Purpose-oriented and Policy-driven Federation of Credential : Margarete Donovang-Kuhlisch, IBM Deutschland GmbH
Information Sharing with User Managed Access/user Centric Web-resource Management System : Mohammad Alam, Fraunhofer SIT

11:00 eID in the Cloud : Chairman . . .
Establishing Federation Relationships Using International Trust Frameworks : Don Thibeau, Verizon
DigIdentity Innovation in Dutch eID Landscape : Elisabeth de Leeuw, Siemens IT Solutions and Services
User Authentication On-site and in the Cloud : Anit Wohl, SafeNet Inc

11:00 Current and Emerging eID Standards : Chairman . . .
On Secure Cross-border SOA Based e/mgovernment Systems : Dr Milan Marković, Mathematical Institute SANU, Belgrade
Using eID Documents with Standard Smartcard Middleware : Marco Smeja, Cryptovision
Certificate-based Mobile Authentication and Security : Bruno Quint, CORISECIO GmbH

13:30 User Experiences and Future Perspective : Chairman . . .
Large Scale Electronic Identity Deployment and Use: issues and limits : Liboor Neumann, ANECT a.s.
Lessons Learned from a High-trust Consumer Identity Initiative in the Dutch Insurance Industry : Bob Hulsebosch, Novay
A Vision of Next Generation Directory Ideas : Speaker tbc

SSEDIC Side Activity

In addition to the Interoperability conference there are SSEDIC meetings taking place on 15 March - see http://www.eid-ssedic.eu for more information - and on Thursday 17 March in the afternoon after the conference closes, there is a STORK industry meeting.
To register for the SSEDIC meetings please visit http://www.eema.org.
Both SSEDIC and STORK meetings are at the same venue as the conference, open to all and are free of charge.

Practical Details

The conference fee is just €250 for EEMA members and €450 for non-members, and there is a substantial discount of 25% if you register and pay by February 25th; so if you have not already registered, visit the website today (http://www.eema.org) for further details, the full agenda and to register.
Leuven, Ubicenter - Verizon

European e-Identity Management Conference

08-Jun-2011

8-9 June 2011 – Tallinn, Estonia
The European City of Culture 2011

The European e-Identity Management Conference is Europe’s leading forum for this critical security application, tackling the key issues surrounding identity as a core enabler of today’s personal, business and government processes.

Organised by EEMA and this year hosted by the Estonian Ministry of Economic Affairs and Communications, this truly international forum provides a unique and rare opportunity for identity experts and security professionals to network with their peers and share knowledge through keynotes, panel discussions, case studies, roundtables & workshops.
Registration is Now Open!
Obtain your special early booking rate by securing your place today.

Visit http://www.eema.org/eidentityeurope for more information, registration and more detailed program.

4th International Conference Computers, Privacy & Data Protection

27-Jan-2011

European Data Protection : in good health?

For the full program and registration, please visit : http://www.cpdpconferences.org/

On Thursday January 27th, LSEC organizes a day on data privacy and data protection. Part of the CPDP 2011 Conference, this day will focus on the implications and practical experiences of data protection in Belgium and Europe.

During that day, the discussions will be slightly more focused on some of the practical implementations of the various applicable legislations and the challenges companies, organizations and government face in applying them. In addition, the perspective will widen: beyond compliance with data protection regulations, there is also the aspect of protecting data (including private information) from intended or unintended misuse. During these sessions, we will also focus on some of the potential ways to deal with regulations from an operational perspective by presenting some methodologies, solutions and technologies and also their current challenges.
Finally the day will close with some views and discussions on how to practically deal with upcoming legislations, data leakage challenges and policy requirements by means of some innovative approaches, processes and technologies.

About the CPDP Conference

CPDP 2011 - Computers, Privacy and Data Protection is a three-day conference organised by academics from all over Europe, which has the ambition of becoming Europe’s most important forum for academics, practitioners, policymakers and activists.
CPDP 2011 is a place where these people can meet, exchange ideas and discuss emerging issues of information technology, privacy, data protection and law.
CPDP has grown steadily over the last 4 years. It has the most ambitious agenda so far with 12 panels, a pre-conference, a philosophical reading panel and a PhD-evening. In addition the 2011 edition includes 2 one-day events on ‘eHealth’ and surveillance and law enforcement, and a round table on body scanners. In total more than 150 speakers will contribute.
The conference takes place the same week as the 4th annual European Privacy Day (Friday 28th January 2011), which will see the organisation of a series of events around Brussels with the participation of the Vrije Universiteit Brussel. Furthermore CPDP is organising a range of side-events, which involve members of the CPDP Scientific Committee. Pecha Kucha Evening, Film screening of ‘Erasing David’, Privacy Party, Political debates will be the social events around CPDP 2011.
CPDP is organised by the Vrije Universiteit Brussel, the Université de Namur, the Universiteit van Tilburg, the Institut National de Recherche en Informatique et en Automatique and the Fraunhofer Institut für System und Innovationsforschung.

Practical Details

Business Track Data Protection and Privacy, Thursday January 27th, 2011.
Part of the CPDP Conference 2011
Computers, Privacy & Data Protection 2011 conference - European Data Protection : In Good Health ?
25, 26 and 27 January 2010 in Les Halles de Schaerbeek in Brussels, Belgium

For more information and registration please surf to: http://www.cpdpconferences.org/ or contact cpdpconference at lsec.be or download the program guide for the full conference.

Preliminary Program January 27th Business Track

8.45 AM – 9.00 AM Introduction by Paul de Hert Vrije Universiteit Brussel and Tilburg University (BE & NL) & Ulrich Seldeslachts, CEO LSEC (BE)

9.00 AM – 10.00 AM Overview of the European and local legislative maze impacting organizations, businesses and government on data protection & privacy
15 minute presentations & panel discussion Speakers :
- Paul de Hert (BE)
- Hans Graux from Time.lex (BE)

10.00 What do data protection officers and privacy officers have to deal with in 2011?
15 minute presentations & panel discussion
- Philippe Renaudière, Data Protection Officer from the European Commission (BE)
- Erik Luysterborg, EMEA Lead Partner Data Protection & Privacy Services (BE)

11.00 AM – 11.15 AM Coffee Break

11.15 AM – 12.15 AM Joint Session : Panel 9 Revision of the EU Data Protection Directive : The State of The Art

12.25 AM – 1.00 PM
Building a Data Protection and Privacy Model for Private and Public Cloud-Based Infrastructures John Sabo, CISSP, Director from CA Technologies, Global Government Relations (US)

Cloud computing and the many infrastructures which will use cloud computing services, such as networked electronic health systems, smart grid, social networks, federated identity management systems, transformational government and the Internet of Things, are accompanied by novel data protection and privacy risks, presenting both policy and technical challenges. This presentation will discuss activity underway to assess data protection and privacy issues that can become barriers to cloud computing deployments, with focus on an important cloud computing research effort undertaken by the World Economic Forum. It will also describe the work of the new Privacy Management Reference Model (PMRM) Technical Committee in the OASIS standards organization and provide an overview of how this proposed new standard can help both policymakers and technical specialists develop lifecycle privacy requirements and architect extended lifecycle, privacy-compliant systems.

1.00 PM – 2.00 PM Lunch

2.00 PM – 3.00 PM What are we trying to protect? Part 1 40 minute presentations and panel discussion
- Matthijs Van Der Wel from Verizon Business (NL) : an inside view on the 2010 Data Breach Investigations Report
- Joash Herbrink, Websense (NL)
- John Sabo from CA Technologies (US)

3.00 PM – 3.30 PM Coffee Break

3.30 PM - 5.00 PM
What are data protection technologies and how can they help in protecting against data loss, and with privacy, data retention and suspected incidents?
Taking the example of data monitoring platforms, DLP solutions, identity management solutions and proxies: how can they be of assistance when used properly? What is the future of data protection technologies and how do they relate to privacy? Is there use for privacy enhancing technologies?
15 minute presentations and panel discussion
- Gauthier Van Daele, Sophos (BE)
- Brendan Rizzo, from McAfee – Intel (UK)
- Claudia Diaz from KU Leuven University (ES)

5.15 PM – 5.30 PM

Concluding notes

Ulrich Seldeslachts, CEO of LSEC (BE)

This program has been organized by the CPDP and the European Security Innovation Network (SIGNATURE), a European project aimed at increasing competitiveness in the North West European market, supported by the EU INTERREG IVb program. This project is supporting innovative developments, facilitating R&D and facilitating trust amongst private companies in the regions. It consists of the following organizations, bringing together over 1350 companies in the region: LSEC (BE), SITC (UK), Systematic Paris Region (FR) and TeleTrust (DE). http://www.securityinnovationnetwork.com





Security Management 2010

25-Oct-2010

In 2008, LSEC organized a seminar on Information Security Management Standards and the impact and interest for organizations interested in applying those. Two years later, we would like to understand what the current level of expertise, typical organizational structure, challenges, facilities and interests are of organizations, both enterprise and government in managing information security.

Security Management Seminar 2010

The aim for this seminar was not only to understand the current market situation, by means of best practices and real cases; but also in an attempt to find sufficient expertise to demonstrate the level of professionalism in this domain, and to present to companies and people challenged with the day to day operations a further guidance to professionalize their activities.

By means of presentations on IT and Information Security Management, a panel with respective CSO-CISO-CIO explaining their professional experiences, presentations on best practice guides and standards, cases and discussions, we wanted to gather an indication of the situation in Belgium.
Simultaneously, we are planning an industry-wide survey on the current market situation in Belgium on the responsibilities of Security within organizations.

This seminar “Security Management in 2010 – A Day On Security Management” offered the opportunity to listen to expert presentations, participate in panel discussions, sharing your expertise with peers , or any other type of witness, … during ,

Some of the following topics have been highlighted:
- Information Security Management, a good practice
- Information and IT Security, part of Risk Management, Information Management, Security Management, or an expert practice
- Panel discussion with CIOs, CISOs and CSOs : the search for the white rabbit
- The CISO/IT Security Manager in Belgium and abroad
- The typical Information Security Organization
- A budgetary approach to Security Management
- Good Cop – Bad Cop : Security Manager – Audit & Controller : who’s who
- In- or Out? Should IT & Information Security Management
- Theory & Practice : Risk-IT, ISO27000, …
- …


Final Program


9.00 : Welcome & Registration

9.45 : Opening Notes & Introduction by Ulrich Seldeslachts, CEO LSEC

10.00 :  Six lessons learned for effective security management, by Ward Duchamps - Vinti-Q
A collection of best practices from more than 10 years experience in the field on security management, collected in 45 minutes.

Or visit : http://sixlessons.vinti-q.com/

Abstract : Despite all standardization efforts, Information Security Management remains - just like any other management discipline - a subjective matter. In this presentation Ward will reflect on some lessons learned that he collected during 10 years of field experience. Starting from “the art of getting things done through people”, this session puts business, people, standards and daily operations in a cohesive perspective that may inspire security practitioners to think about their management approach.

About : Ward is cofounder of VintiQ, a new company of senior security consultants that specialize in convincing the C-suite and business leaders to think positively about the risks related to information processing. With his in-depth specialist knowledge combined with management capabilities and business insight he enabled several blue chip companies to manage information security in an effective and efficient manner. Ward is certified as CISM, CISSP, CISA, CGEIT and ISO27001 Lead Auditor. He holds a Master in Engineering and is in the process of obtaining the degree of MSc Information Security at the Royal Holloway University of London.

11.00 : Risk-IT and COBIT in practice, by Dirk Steuperaert - IT In Balance

Abstract: Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues. Risk IT is a framework based on a set of guiding principles for effective management of IT risk. The framework complements COBIT, a comprehensive framework for the governance and control of business-driven, IT-based solutions and services.

While COBIT provides a set of controls to mitigate IT risk, Risk IT provides a framework for enterprises to identify, govern and manage IT risk. Simply put, COBIT provides the means of risk management; Risk IT provides the ends. Enterprises who have adopted (or are planning to adopt) COBIT as their IT governance framework can use Risk IT to enhance risk management.

Being one of the authors of both COBIT and Risk-IT, Dirk was also part of the Development Team of the “Risk IT Practitioner Guide”, a 135-page guide published in 2009 on Risk Universe, Appetite and Tolerance; Risk Awareness, Communication and Reporting; Expressing and Describing Risk, Risk Scenarios; Risk Responses and Prioritisation; Using COBIT® and Val IT™.

With all of this background and his personal experience both as an auditor and in guiding companies in their efforts to implement COBIT and Risk IT, Dirk is a unique expert in Belgium.

About : Dirk is Managing Director of IT In Balance BVBA, delivering consulting services on IT Governance issues, focussing on COBIT and related frameworks, and including COBIT related training.
Dirk used to be a steering committee member for COBIT within ISACA, the association for the development, adoption and use of globally accepted industry-leading knowledge and practices for information systems. He provided consulting support to ISACA as project manager of the development team for the new Risk IT framework and is currently performing a similar role for the new COBIT® 5.0 research initiative. Since 1997, Dirk has been active within PricewaterhouseCoopers (PwC), as a Director responsible for IT governance services. Earlier, Dirk worked with ING and SWIFT, as engineer and IT auditor. Dirk studied Electronics Engineering at the University of Ghent and did a master's in Computer Auditing at the Management School of the Antwerp University.

12.00 : Sandwich Lunch, snacks soft drinks & Coffee

13.00 : Security Management, a challenging metier?, by Olaf Jonkers, Belgacom ICT - Telindus

Abstract : Security Management is without a doubt a challenging “métier”, where different areas of conflict come together. In different market segments, the challenges seem to be different from a business point of view, whereas the IT-service implications often boil down to quite similar issues and solutions. From their longstanding IT-Service outsourcing contracts Belgacom provides insights on these issues, and how contractual obligations are enforced throughout an IT-Service catalogue and towards subcontractors. For this presentation, Security Managers from these contracts provided their insights, issues and solutions in order to manage security across an ICT Services Catalogue and a complex delivery organisation.

About : Olaf has been active in the field of Information and ICT Security for over 12 years. His roots lie within the field of PKI and cryptography, but his knowledge also covers network-specific as well as system-based security technology and tools. The processes governing the management of information security, including risk assessment methods, have been the focus of his more recent years at Belgacom ICT, where he worked as a business consultant, focussing on ICT / information Security.

14.00 : Information Security Governance in Practice, by Peter Houtmeyers - Consultant, TITANS Consulting

Abstract: Peter will be focusing on using the ISO 27000 family of standards to guide us through ways of governing Information Security in practice, from the various drivers to the choice of a good standard, understanding the changing shift in Information Security, and showing some concrete case examples on how to get to real implementations. He will walk us through the different steps of assessment, choice, implementation and certification up until audit: a practical guide for future Information Security Management practitioners.

About : Peter is a highly qualified senior level Information Security and Security Governance expert holding various certifications, including CISSP, CISA, CISM, CGEIT and ISO 27001 Lead Auditor. After his career as an information security specialist at a leading inter-banking and financial telecommunications company, Peter joined a distinguished security consultancy company as a senior security advisor, where he gained a considerable amount of experience in Incident Response Management, Compliance Auditing, Information Security Policy Implementation and the development and implementation of Corporate Security Governance frameworks. As an Information Security Advisor Peter was active as an advisor and consultant in the Information Security Governance practice, mainly delivering professional services for governmental, military, financial companies and automotive institutions on Information Security Management related projects. With a bachelor’s degree in informatics, Peter applies a structured and methodological approach in combination with clear and direct communication to deliver pragmatic high-quality results in line with client expectations. Peter lectures at various business schools and institutions in Belgium such as UAMS, Solvay Brussels School of Economics and Management and ISACA. In his spare time, Peter is a basketball enthusiast, and loves books related to IT and security. Prior to joining Branswijck, Peter had worked with ACROSS Technology as Principal Consultant, at Belgacom ICT - Telindus as Senior Consultant Information Security and as Senior Security Advisor with Uniskill. Prior to that, Peter was Security Administrator at SWIFT.

15.00 : Coffee Break

15.30 : Practical Experiences with implementing Security Management, Pierre Dewez, Devoteam

About : Married and happy father of four children, active in the field of information technologies for 13 years and member of the executive board of directors within Devoteam Belgium for global security and education related matters, Pierre has been Lead Auditor for management systems (quality, information security, IT service management and business continuity) and advisor in IT risk management for many financial, insurance or service delivery companies in Belgium and abroad (Germany, France, Luxembourg, Netherlands, Canada). Member of the Belgian federation of the technological enterprises (Agoria) and the JTC1/SC27 sub-committee, Pierre takes part as an international ITSMS, ISMS and risk management expert while contributing to the elaboration of recommendations intended to improve the contents and the relevance of these international standards (ISO 20000, ISO 27001, BS 25999, ...) towards the market. Trainer and author of various articles and operational support tools relating to information security audit and IT service management, Pierre collaborates with other international trainers on the continuous improvement of the course contents, audit activities and seminars associated with these practices around Europe and Canada.

16.15 : Panel discussion : the role of the Security Manager, CSIO and CSO in 2010

17.00 : Closing Notes

17.30 : Reception & Networking

18.30 : Special Evening activity : The future of internet networks and security by Nir Zuk, CTO PaloAltoNetworks

20.30 : Close of Seminar

Practical Details

Monday, October 25th 2010.

Day Seminar, from 9 am onwards, with closing special event from 17.30h onwards.
SAP Lounge, Vilvoorde
Participation : free to attend, if registered prior to October 20th. Afterwards : 150 € (excl vat) participation fee or cancellation fee. Free to attend for LSEC, VICTOR, EEMA, AGORIA, ISACA, ISSA, TeleTrusT, Systematic & SITC Members.

An evening with Nir Zuk

25-Oct-2010

On Monday October 25th, LSEC in collaboration with Telenet C-Cure and Palo Alto Networks offer a special encounter with Nir Zuk, CTO of Palo Alto Networks.

Nir Zuk, founder and CTO of internet security start-up Palo Alto Networks, brings a wealth of network security expertise and industry experience to Palo Alto Networks. Prior to co-founding Palo Alto Networks, Nir was CTO at NetScreen Technologies, which was acquired by Juniper Networks in 2004. Prior to NetScreen, Nir was co-founder and CTO at OneSecure, a pioneer in intrusion prevention and detection appliances. Nir was also a principal engineer at Check Point Software Technologies and was one of the developers of stateful inspection technology.

Somewhat controversial

Not afraid of being somewhat controversial, an evening with Nir Zuk promises to be quite an experience. Nir is capable of seeing new challenges and brings new ideas around the table that

Passionate about technology, Nir started already at the age of 16 writing computer viruses ...
That led him to be recruited by a special unit for the military in Israel, his country of origin, specifically looking for whiz kids like him. After serving five years, he studied Mathematics at university and was recruited by Check Point in ‘94, developing the first stateful inspection firewall.

In ‘97 Nir moved to the US, continuing his career with Check Point Software and later starting Palo Alto Networks.

We have asked Nir to enlighten us about his views on the future of the internet, more specifically the challenges it brings in terms of security for companies, countries and people all together. Do current “solutions” to internet security really bring anything to the table, or are they just a patch on an ever-growing cancer of threats in the cyber world? Is there a way beyond firewalls and antivirus, and what can be done against zero-day, or customized and targeted attacks?

Practical details

An evening with Nir Zuk, founder and CTO of Palo Alto Networks
Monday, October 25th in the SAP Lounge, Vilvoorde.

Registration from 17.30h onwards.
You can also participate during the LSEC Security Management Seminar that day. Please visit and register at http://www.lsec.be/index.php/whats_happening/event/security_management_2010/

An LSEC - Telenet C-Cure event in collaboration with Palo Alto Networks.

To register, go to http://nirzuk.eventbrite.com

Total Security Day by LAN News & LSEC

21-Oct-2010

Together with our partner LAN News, we’re happy to invite you to the LSEC - LAN News Total Security Day, next Thursday, 21st of October 2010. ‘Golflife Center’ Sterrebeek, near Brussels Airport.

A view on a variety of network security vendors and an insight in the management of them by means of SIEM tools.
With the diversity of appliance vendors lined up, we are looking forward to an interesting perspective on the development of requirements for secure networks.

Program Outline

Explore the latest threats and vulnerabilities and discover potential solutions with the different appliance manufacturers. Get an in depth view of the practical implementation of SIEM tools from the leading experts Dimension Data.

09.00 Hr Registration and welcome
09.30 Hr Barracuda Networks: Barracuda WAF and NG Firewall - efficient Protection and Compliance. Joeri Van Hoof
10.00 Hr SonicWall: How Application Intelligence and Control enables network security in the wake of Web 2.0, Cloud Computing and Mobility. Luc Eeckelaert, Country Manager Benelux
11.00 Hr Trend-Micro: Virtualisation security & VDI Unleash your endpoints - Virtualisation Security without losing your freedom. Philippe Michiels.
11.30 Hr Array Networks: Secure, On-demand and High Performance Access. Featuring Secure Remote Access; Site-to-Site Access; Wireless LAN Security and Universal & Secure Access Policies. Simon McNally - Senior Sales Engineer, Array Networks EMEA. Presented by MMS-Secure.

12.00 Hr Thai Lunch

13.00 13.30 Hr Fortinet: Security as Simple as 1,2,3; Get Control, Get Optimized & Keep it Simple. Reduce the risk of human mistakes by virtualizing, consolidating and simplifying the ever more complex security infrastructures and management
14.20 Hr Dimension Data: SIEM: A Critical Component of Information Risk Management. Stefaan Hinderyckx, Security Director, Europe
14.50 Hr Cisco systems: Email and Web Security with Cisco IronPort. Jeroen Arends, System Engineer, IronPort Benelux
15.20 Hr A10 Networks: Changing the economics of application delivery. Hugo Prooij, Benelux Product Manager. Proposed by Exclusive Networks
15.50 Hr AEP Networks : The Battle for the Cloud. Rudolf Schucha, Communication Security Consultant
16.20 Hr End of Program and casual drink.

Practical Details & Registration

Total Security Day by LAN News, supported by LSEC
Thursday, 21st of October 2010 from 9.30h onwards, ‘Golflife Center’ Sterrebeek, near Brussels Airport
For more information and registration, please visit http://www.lannews.be/totalsecurity2010

SRC 2010 - Security Research Conference ‘10

22-Sep-2010

The annual Security Research Conference (SRC) is a meeting place for security research, technology development and innovation stakeholders in Europe. It is also an important discussion forum for shaping the European security research agenda.
SRC’10 is part of the actions undertaken in the FP7 European Security Research Programme, aiming at the development of knowledge and new technologies to improve the security of European citizens while enforcing the competitiveness of Europe’s economy. Therefore, SRC’10 aims at facilitating the dialogue between research and innovation actors, policy makers and end-users.

SRC’10 is attended by approximately 1000 security professionals, government institutions and researchers from all over the world.
Supported by the European Security Innovation Network, LSEC, Systematic Paris Region, SITC and TeleTrusT will actively participate in this year’s SRC and further facilitate the development of commercial and research projects amongst their Members, with enterprises and governments.

SRC’10 will showcase the importance of security research for citizens in view of the research agenda beyond FP7 and the 2020 perspective. Leading experts will give their view on the consequences and opportunities for security research following the Lisbon Treaty and facing new global security challenges. Special attention will be given to presentations of successful FP7 projects in the diverse security fields, involving in particular users and SMEs. A brokerage event and an exhibition will facilitate networking between companies, scientific experts, operators and policy makers from Member States, Associated States and Third Countries.

To give the 5th edition of SRC a dynamic flavour, it is intended to organize live demonstrations in the fields of cargo security and crisis management, illustrating the multidisciplinary approach that is needed to resolve security issues.

SRC’10 is an event of the Belgian EU Presidency, organised with the support of the European Commission’s DG Enterprise, the Belgian Science Policy Office, the Federal Ministry of Mobility and Transport, the department of Economy, Science and Innovation of the Flemish Government and the public service of Wallonia.

Visitors to the SRC 2010 of the associations LSEC, Systematic, SITC, TeleTrusT or affiliated partners such as ECSA, ISACA, INTERREG and the EC are invited to the special networking event on September 23rd from 5.30pm and onwards. Request your entrance voucher at the European Security Innovation booth during the conference.

Register here for the European Security Innovation Network Brokerage Event on Thursday September 23rd from 17.30h onwards in Oostende at the Royal Promenade (restaurant Savarin), close to the conference venue. You can also pick up your Personal Invitation at the LSEC - Security Innovation Network Booth during the conference.

Program Overview

September 22nd Afternoon :
* Belgian Minister for Science Policy
* VP EC Commissioner Industry & Entrepreneurship
* Where do we stand with Security Research
* Maritime, Standardisation, CBRN

September 23rd :
* The continuum of internal and external security after Lisbon
* Security as a prerequisite for Prosperity
* Cybersecurity, Transport Security
* Critical Infrastructure, Social Dimension & Ethics
* The view of Stakeholders
* Horizon 2020

Friday September 24th :
* European Security Research Programme
* Brokerage Events
* Increasing Security of Citizen, Infrastructures and Utilities, Intelligent Surveillance, Crisis
* Interconnectivity, Society, Research Coordination

Registration and More Information on SRC 2010

For practical details, the full program overview and registration for SRC 2010, please visit the SRC 2010 website.

The Future Internet & Network (Security) Architecture

10-Sep-2010

On September 10, LSEC organized a one day seminar on “The Future Internet & Network (Security) Architecture”.
Network Security is still one of the major components of any IT Security environment, and in most cases the most hardware intensive.

Over the last 20 years, the ways that people have been doing business and communicating all together have changed dramatically. Managing information flows has become a challenge in itself, and ensuring that you remain in control of your information is an even greater challenge. At the same time those evolutions have brought a great deal of opportunities, not least in the world of information security. During this seminar, we want to take a look into the future: what are the upcoming infrastructural changes ahead and how can we cope with them from a strategic perspective, to manage them properly and be ahead of the curve when it comes to securing them.

Topics we want to address during this seminar include:

- What are the new network evolutions ahead of us both mobile & fixed : IPv6, Ethernet, NGMN, service and content aware architectures, …
- What are the challenges of these new architectures in terms of security and risk management
- Are there differences in management (in house / outsourced), …
- What about virtualization (virtual appliances, cloud services and architectures, …)
- What about Trusted Computing in the Future Internet Architectures
- …

This day is scheduled to take place in Leuven, Kasteelpark Arenberg from 12 until 7 pm, with drinks, lunch and networking facilities included.

Final Program

12.00h : Welcome & Registration - Sandwich Lunch & Networking

13.00h : Introduction by Ulrich Seldeslachts, CEO of LSEC

13.10h : The Future of Borderless Network Security by Michel Kelkeneers, Cisco Technical Solutions Architect

Abstract : “Borderless Networks”, does this term signify a new network architecture built for new cloud computing requirements or is it just a new label for today’s LANs, WANs, and public network infrastructure? While market cynicism is certainly understandable, borderless networks isn’t a Madison Avenue creation; rather, this trend is extremely important and already well underway. It involves the current evolving use of the Internet such as the heavy use of rich internet content and video, mobile users and devices and consumerization of IT. According to analyst ESG, current security defenses are a mismatch for borderless network security requirements; borderless network security demands an architectural approach; borderless network security architecture demands strong leadership and industry cooperation effort; and the borderless network architecture will evolve in phases.

14.00h : The Next Step : Application Aware Firewalling, by Stijn Rommens; Palo Alto Networks

Abstract: For most enterprises Network Security has become a sprawl of solutions and appliances. Stitching all of these technologies together whilst maintaining a uniform security policy across all of them has become impossible. Many trade-offs need to be made, be it less security, less throughput or higher latency. A consistent view on what applications and possible threat vectors exist on your network is based on estimations or based on very expensive and complex correlation solutions. Complexity is not the only issue; cost might even be a bigger concern. Different vendors, different contracts, different licenses and all on a different cycle… Today you have a choice to have one simple policy and control tool that effectively can implement an abstract policy like ‘Marketing people should have access to Facebook all day long with a guaranteed bandwidth and via a preferred Internet connection whilst other people can have read-only access to Facebook at lunch time, only via the Cable or DSL connection.’

About : Stijn Rommens has over 10 years of experience in designing, teaching and maintaining Network Security solutions. Stijn has taken the path of the field, through support and education to pre-sales. Over the last 6 years, Stijn held the position of Systems Engineer at ISS, now part of IBM, Juniper Networks and today Palo Alto Networks. The common thread through his career is the evolution of network security. The result of that journey till today is his dedication to the Next Generation Network Security solutions.

14.45h :  Secure network provisioning on demand, providing secured Community of Interest based virtual networks based on the user (or his role) that logs on… , by Luc Leysen - Unisys

Abstract: Most network managers dream of reducing the complexity of their network infrastructure and the associated management effort, while having to cope with fading network frontiers. Be it the consolidation of secret, confidential and restricted networks on a single carrier or a flexible response to ever changing demands to adapt the networks ad hoc to the business requirements while increasing the security level, a community of interest based approach can today bring that dream to reality. Community of interest virtual networks can be provisioned based on the identity and the role of a user and remove most of the need to reconfigure the physical network.

About : Luc Leysen has over 18 years of experience in designing and managing Information Technology and Security solutions. He is an expert in the area of building Information Security Architectures.
Prior to joining Unisys, Luc held architect and management positions in both the Belgian Armed Forces and the private sector. Within the Armed Forces he designed and managed networks and systems in a high security environment and represented his nation in international working groups related to intelligence coalition networks. In the private sector he assumed the roles of information risk manager and later security architect. In the past 8 years he has been working as Security Expert within Unisys driving Security Business Development and delivery in Europe with a focus on Identity & Access management.

15.30h : Coffee Break & Networking

16.00h : How will our future networks and infrastructures be affected by malware? 80% spam and a zillion botnets?, by Patrik Runald, Senior Manager, Security Research, Websense Security Labs

What is the expected evolution of malware and “internet threats” in the future? Even more common attacks and increase in complexity of customized zero-day attacks? Or will we be able to defeat the bad guys in time?

Real time (content) security, not just a luxury, but a necessity.
- Why real time security beats traditional solutions.
- What is real time security according to Websense.
- Websense Triton, simplifying management, closing the point solution gap.
- True hybrid security solutions, cloud based scaling and knowledge, with on-premises power.

About : Patrik Runald is a Senior Manager, Security Research at Websense Security Labs and has worked in the IT security field since 1995. Before joining Websense in 2009, Patrik did extensive research in the antivirus field and he was part of the team that made the world wake up to the Conficker threat in 2008. He heads up the US Websense Security Labs, the team within Websense that ensures that our 45 million customers are protected against all types of web- and email-based threats.

16.45h :  Is there a place for a UTM in this new world? by Malay Upadhyay, Cyberoam Senior Security Consultant

Abstract : Globalization, convergence, virtualization, mobile/wireless-based web devices, social networking and Web 2.0/Web 3.0 are some of the future trends that will take the online world by storm.

As a result, an organization’s network security architecture (NSA) will have to be reengineered to address newer forms of Internet threats.

The following topics will be covered during this session:

- Current Security Scenario
  - Security Timeline from past till now
  - Limitations of Existing Security
- Future Security Trends
  - Scalable and Extensible Security Architecture
  - Role of Application Layer Control
  - Cloud Computing Challenges
  - Mobile Malware
  - Social Networking
  - And many more
- Desired Elements in Security Architecture

About : Working as a Sr. Presales Security Consultant in the Cyberoam International Presales team, Malay Upadhyay provides on-site and online technical support related to network deployments/installations, defining security loop holes and overriding them. He also conducts USP/webinars on various Cyberoam products (Cyberoam UTM, Cyberoam EPDP, Cyberoam I-View, Cyberoam SSL VPN, Cyberoam central console) and gives technological presentations for distributors/partners/resellers.
Since his Bachelor in Computer Science in India followed by a Master in Internetworking in Sydney, Malay has 3 years of experience in Network Security, Routing & Switching that includes hands-on experience with UTM (Firewall, VPN, Anti virus, Anti Spam, Multi link manager, Load balance & failover), various routers, switches & Security tools. He has been working as part of the International team handling Europe, Middle East & Africa. Malay also has experience in ethical hacking, Security Analysis and Internetworking.

17.30h : Secure DNS and the future secure network infrastructures by Jan Janssens, Managing Partner Sensirius

18.00h : Closing Panel & Notes, Networking Reception

19.00h : Close of Event

Thanks for attending.

ECrypt II - European Cryptography Day

08-Sep-2010

The goal of the European Cryptography Day is to present the main research achievements of ECRYPT II over the last year. The program is complemented with some invited talks on topics related to the ECRYPT II research. It is an event aiming at ECRYPT II partners, associate members as well as anyone interested in information security and cryptology.

Program Outline

9.30-9.35 Welcome
> Bart Preneel (KULeuven)
9.35-10.00 Introductory Talk by Head of Sector, Trust and Security European Commission, DG Information Society and Media
> Dirk Van Rooy (European Commission)
10.00 Overview sessions different research domains
10.00-10.20 SYMLAB* overview talk; The Symmetric Techniques Virtual Lab
> Vincent Rijmen(KULeuven)
10.20-10.40 MAYA* overview talk; The Multi-party and Asymmetric Algorithms Virtual Lab
> Phong Nguyen (ENS)
10.40-11.00 VAMPIRE* overview talk; The Secure and Efficient Implementations Virtual Lab
> Tanja Lange (TU/eindhoven) and Christof Paar (RUBochum)
11.00-11.30—Coffee
11.30-12.05 SYMLAB Focus Talk; Algorithmic tools in cryptanalysis
> Antoine Joux (Université de Versailles)
12.05-12.40 MAYA Focus Talk; Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes
> Nigel Smart (University Bristol) and Frederik Vercauteren (KULeuven)
12.40-14.00—Lunch
14.00-14.35 VAMPIRE Focus Talk; Attacking Elliptic Curve Challenges with Diverse Emerging High-Performance Computing Platforms
> Tanja Lange (TU/eindhoven)
14.35 Invited Talks
14.35-15.10 Invited Talk 1; Bringing open audit elections into practice
> Olivier Pereira (Université catholique de Louvain)
15.10-15.30—Coffee Break
15.30-16.05 Invited Talk 2; The SHA-3 competition; status report
> John Kelsey (NIST)
16.05-16.40 Invited Talk 3; Physical Attacks
> Mathias Wagner (NXP)
16.40-17.15 Invited Talk 4; Hardware Intrinsic Security
> Pim Tuyls (Intrinsic-ID)
17.15-18.00 ECRYPT II General Assembly Meeting
19.00 Dinner

* Virtual Labs
SYMLAB= The Symmetric Techniques Virtual Lab
MAYA= The Multi-party and Asymmetric Algorithms Virtual Lab
VAMPIRE= The Secure and Efficient Implementations Virtual Lab

Practical Details

European Cryptography Day
8 September 2010, Auditorium Zeger Van Hee (De Valk) in Leuven city centre

For more information and registration, please visit: https://www.cosic.esat.kuleuven.be/ecrypt/courses/openevent10/program.shtml

ERP & SAP Security in 2010

07-Sep-2010

As one of the leading business applications in the world, an SAP system is typically a complex environment that serves many business processes and supports a variety of business decisions. It is typically integrated with many other applications and tightly integrated with application servers and networks. Like any similar type of environment, these applications are challenging from an Information Security perspective.
During this seminar, we want to focus on the general Information Security challenges with SAP, but also with some of the particular issues typically found with companies that work with SAP environments.
Some of our experts will be able to show and share some of their experiences, from and with customer environments.

Besides, we will also zoom into some of the typical business challenges such as GRC, Identity Management, R/3 Security, Single Sign On, Compliancy issues and Web Application Security, next to typical policy challenges such as Segregation of Duties, Access Management and ICT and Business Audit and Controls.

Some of the topics that will be addressed during this seminar :
- R/3 Security, BW Security, Enterprise Portal, CUA,
- Single Sign On,
- SOX/ SoD,
- OSS,
- HR Security
- Other SAP Apps
- GRC setup
- Identity Management
- Integration with other systems such as MS or Oracle databases and other applications
- Challenges for integration due to mergers or de-mergers
- …

Read the Datanews article on the seminar (in Dutch).

Download the CA SAP Security White Paper CA Technologies Improving SAP Security CA Identity 2010.pdf

Preliminary Program

9.00 : Registration & Welcome Coffee

9.45 : Introduction & Opening Notes

10.00 : Experiences Securing business information in SAP and managing user access risk effectively: Facing today’s challenges and adopting security standards with good practices , by Wouter Janssen, Axl-Trax

Abstract : Organizations deploying SAP solutions to facilitate their business rely heavily upon the correct processing, manipulation and reporting on business-critical information. Due to the integrated nature of mySAP ERP as well as the interconnectivity and interaction between different components in the information architecture, risk is the keyword that must be properly addressed.
The challenge of securing SAP implementations is not new and dates back to the early 90s when the ERP component R/3 became available. Many organizations have grown a good practice in securing what is important to them, others have learned the hard way. Business drivers, threats and risk appetite have shifted in recent years and during this presentation, the trends and good practices in managing user access risks effectively will be discussed.

About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges.
He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

10.50 : Vulnerabilities of SAP systems : history and trends, by Fred van den Langenburg (ERP Security) and Joris van de Vis

Abstract : A modern SAP system based on the Netweaver architecture may employ several different software components located on different servers and is connected to the Internet. This means that a SAP Netweaver system has many more possible entry points or attack vectors than the older R/3 systems which were not connected to the Internet. Modern SAP systems based on Netweaver are more vulnerable and prone to attacks than their R/3 predecessors.
During this presentation we will learn about the evolution of the potential threat vectors in SAP-systems, in order to get a better understanding on how we might learn from history to avoid similar mistakes in the future.

About : Fred van de Langenberg has been working as a freelance SAP technical consultant for the past 13 years for various multi-nationals including Heineken, Shell, Ericsson and Philips. His experience also includes working for IT companies such as Atos Origin, IBM and currently T-Systems. Over the years he has acquired in-depth knowledge of SAP systems through hands-on experience. In addition to being an all-round SAP Basis consultant, he is also a certified ABAP programmer. The introduction of the SAP Netweaver platform brought new challenges in the field of security which triggered his interest in SAP platform security.

About : Joris van de Vis has been working in many technical roles. Next to developing and working as a Netweaver Technical consultant his special interest goes out to the SAP Security domain. He helps customers securing their business by hardening their SAP platform. He is also a SAP vulnerability researcher. Over the past 10 years he has been working for large fortune-500 companies like Philips and Heineken and he helped several governmental departments with implementing SAP Security related solutions.

11.40 : Coffee Break & Networking

12.10 : Building an enterprise-wide GRC solution with the SAP environment at the core, by Chris Van den Abbeele, Atos Origin

Abstract :
Organizations today are looking for ways to leverage their investments in SAP by extending their SAP policies to other non-SAP systems.
This session presents how to extend the reach of SAP Access Control, SAP Process Control and SAP Risk Management to build an enterprise-wide GRC solution that includes non-SAP applications.

In particular, this session covers a solution which spans SAP- and non-SAP applications, that enforces Roles Based Access Control, alerts in near-real-time if access to enterprise systems violates business policies, shows how roles granted in SAP can be easily mapped to non-SAP systems, and how roles granted in non-SAP systems can be mapped back into SAP, while respecting the defined restraints like Separations of Duty and business approvals.

All too often, we see enterprises take a siloed approach to solve tactical issues. When new compliance regulations, e.g. PCI, arise, a new project is put into place to solve that specific need.

At TechEd on October 13, 2009, SAP and Novell announced the expansion of their global partnership to include the delivery of integrated governance, risk, and compliance solutions. As a dedicated integration partner of both SAP and Novell, Atos Origin is in a privileged position to turn this vision into a working ensemble.

The modular approach presented in this session shows how to drive towards a consistent, sustainable enterprise-wide GRC strategy that reduces risk, lowers costs and provides improved business performance.

About : Chris Van Den Abbeele is Solution Manager for Identity and Security solutions at Atos Origin. He is responsible for defining and managing the Identity and Access Management offering at Atos Origin Belgium. Chris has over ten years' experience in designing Identity and Access Management solutions. He has a clear view on the technology, the market and the players. Prior to joining Atos Origin, Chris worked as a Technology Specialist at Novell for about ten years.

13.00 : Walking lunch & Networking

13.45 : Keynote Address : Achieving comprehensive Security for SAP in a Heterogeneous Environment with CA and SAP, Phil Allen, Director Security Practice EMEA, CA Technologies

Abstract : CA and SAP have been long term partners. This talk will explore how you can achieve comprehensive and effective security for SAP environments that are implemented in a heterogeneous environment.

14.35 : SAP GRC-AC implementation: challenges encountered at customer implementation, by Melissa Dielman, Deloitte Enterprise Risk Services

Abstract : Segregation of Duties conflicts are an ongoing issue in audit reports, particularly in the context of SoX (Section 404) or similar legislation worldwide. SAP’s response consists of the GRC application suite “Access Control (5.3)”. A proper implementation should ensure that typical application-level fraud scenarios are identified and controlled.

Access control over key information assets and SoD compliance are among the most effective safeguards against fraud and mistakes, and a prerequisite for compliance with various regulations. SAP GRC Access Control consists of 4 modules, each with specific functionality to maximize this level of control. In our presentation, we will highlight the functionalities of the components and, more importantly, the way they can efficiently interact together.

Where technically, AC projects contain few challenges, we know the great pitfalls lie elsewhere. The most difficult part of each implementation is the proper alignment of functionality with the enterprise’s (GRC) maturity level. Implementing a GRC application suite is not just implementing another tool, it is implementing a new culture; requiring a lot of input, effort and cooperation from the entire business.
Our best practice implementation consists of a phased approach. The goal is gradually evolving from a focus on getting clean, to remaining in control of the situation and staying clean. We will list the different phases to go through in order to simultaneously prepare business, IT and audit stakeholders for the ownership of a Risk controlled environment. We will also clarify the need for a diverse implementation team to ensure a successful implementation.
Summarizing, in this session, we (Deloitte ERS) will elaborate on our strategy of implementing a suitable customized instance of SAP GRC Access Control. We will include various lessons learned from past implementations, focusing on the different challenges encountered and analysing the root causes of both successful and failing implementation projects.

About : Melissa is Senior Manager at Deloitte-ERS in the Security & Data Privacy department. She is responsible for the SAP Security service offerings and is team lead. Over the years Melissa has built solid expertise in SAP authorization management & GRC, having participated in and led projects of different sizes in Belgium and Europe. Her education, interests and working experience give her a combined view of all components of SAP Security management, from business processes and risk & control to the technical implementation perspective.

15.15 : Coffee Break

15.45 : SoX/ SoD or GRC setup, by Paul Albertini, Manager, KPMG

Abstract : Understand and resolve the insecurities with your ERP system. Understand the basic security threats and see a live demo of how insecure some systems can be. Learn how to protect your vulnerabilities and find some solutions that can also help protect you further in the future.

About : Paul is a manager in the Antwerp practice of KPMG Advisory. He is specialized in advisory services in the fields of ERP Advisory. Over the last years Paul was involved in several SOD projects. For these engagements he assisted clients in their strategy, building the business case and performing project management activities as well as developing security policies and procedures. Paul is also a member of the Information System and Control Association (ISACA) and a certified information system auditor (CISA). Other main certifications that he obtained in his career can be summarized as follows: SAP Solution Architect and Prince2.

16.35 : Aligning access rights in SAP R3 & BW through a uniform authorization concept, by Pieter Lenaerts, Deloitte Enterprise Risk Services

Abstract : Companies have been investing in increased security restriction, monitoring & ownership in their daily transaction systems due to the increased attention to Good Governance in the Data & Fraud protection area, and the growing legislative requirements (SOX, Basel II,..). To enable this drive, a SAP R3 environment offers one of the most flexible and therefore complex authorization mechanisms on the market. SAP BW adds to this complexity with an additional security layer controlling access to data.

SAP BW, being mainly a reporting tool, is easily overlooked as a key information provider on business-sensitive data, financial results & HR information. As a consequence, SAP BW security is often perceived to be less sensitive, while it is imperative that the access rights between SAP R3 and SAP BW are aligned across the different authorization environments.

This presentation intends to give a broad audience, from BW project management via BW developers to R3 authorization specialists, a conceptual overview of the main role design strategies made possible by the new BW authorization mechanisms to secure access to data, and compare these strategies in the long – operational – run. It will show some of the do’s and don’ts based on hands on experience aligning authorizations for R3, BW and SAP Portal. To ensure your BW concept works for your business we will highlight the different stakeholders and their role in this process.

About : Pieter is Senior Consultant at Deloitte-ERS in the Security & Data Privacy department. Starting as IT auditor, Pieter has expanded and increased his knowledge on SAP security & GRC to become a true expert in this area. He has conducted projects on SAP security within R3, BI & CRM and specializes in automation of SAP authorizations maintenance.

17.00 : ABAP backdoors and compliance killers, by Andreas Wiegenstein, Managing Director & CTO Virtualforge

Abstract : Based upon the experience of having reviewed many SAP / ABAP applications, Andreas will present an overview of some of the most common and some of the more interesting security issues, be they real threats, leaks, backdoor channels, ... arising simply from missing or incorrect authority checks, bypass mechanisms and others.

Andreas Wiegenstein has been working as a professional SAP security consultant for 8 years. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. Andreas has spoken at SAP TechEd on security on several occasions and is co-author of the first book on ABAP security (SAP Press 2009).

17.50 : Panel Discussion

18.30 : Closing Notes, Reception & Networking

19.00 : Close of Event

Practical Details

Auditorium Kasteel, Kasteelpark Arenberg, 3001 Heverlee
Tuesday, September 7th, 2010
Day Seminar : from 10 AM until 6 PM
Free to register for enterprises and industry. Non-SAP customers, systems integrators and consultants (without operational SAP-systems) will be invoiced 150 € (ex VAT) participation fee.

Thanks to Eventbrite for supporting our Registrations

Global Security Week 2010

07-Sep-2010

The yearly Global Security Week, held in the second week of September, is already taking place for the third time in Belgium. A busy week full of activities, great speakers, a lot of interested attendees and excellent discussions on topics such as Security Management, Security for systems such as SAP and the future Network Architectures, or an update on Cybercrime and how to avoid becoming a victim of it.

Register now to one or more of these activities, and revitalise your summer holiday spirit into the challenges of managing security.

• 07.09.2010 : SAP & Security, Governance Risk & Compliance with SAP
• 08.09.2010 : ECrypt II - European Cryptography Day
• 10.09.2010 : The Future Network (Security) Infrastructures
• 14.09.2010 : Security Management 2010

Looking forward to meeting you there.

ISSE 2010

05-Oct-2010

Berlin, 20 May 2010 - In 2010, the ISSE (Information Security Solutions Europe) is again organized by TeleTrusT in co-operation with eema (Independent European e-Identity & Security Association), and ENISA (European Network and Information Security Agency). The ISSE 2010 is held as a combined event with the GI-"Security 2010".

Since its founding, it has been the approach of the ISSE to promote development and dissemination of trusted computing concepts and of information and communication security in Europe. International experts from industry, research and politics exchange ideas in an interdisciplinary dialogue on technical, organizational and legal aspects of information security. The ISSE has a firm place in calendars of important IT security conferences since 1999.

TeleTrusT Germany is responsible for the ISSE program committee and, along with its partners, for the ambitious conference program.

Over 100 submissions have been received for the ISSE 2010 so far. The program offers 54 lecture slots and another six slots in German Workshops organized by TeleTrusT. A total of 70 speakers is expected, including five keynote addresses. These keynote speakers are invited:

- Thomas de Maizière, Federal Minister of the Interior, Germany
- Neelie Kroes, Vice President of the European Commission and European Digital Agenda Commissioner
- Scott Charney, Corporate Vice President of Trustworthy Computing, Microsoft, USA
- Michael Hange, President, Federal Office for Information Security, Germany
- Udo Helmbrecht, Executive Director, European Network and Information Security Agency (ENISA).

The GI-"Security" comes up with 36 presentations.

Preliminary Program

With special emphasis placed on case studies and innovative and robust security solutions implemented by European organisations, the event will focus on key security topics such as:
• Identity and Access Management: e-Identification, Biometrics, Smart Tokens, e-ID-Cards, e-Passports, RFID-Solutions, Infrastructure Solutions
• Security Management and Economics of Security: Risk Mitigation, Compliance and Governance
• Data Security: Security of Data in the Cloud, Data Leakage Protection, Enterprise Rights Management, Forensics, Security related Services
• Privacy and Data Protection in Cyberspace: Privacy and Data Protection Issues in Web 2.0 and Cloud Environments/Social Networks/Search Engines, Application of Privacy enhancing Technologies, Support of Transparency/Customer Awareness and legal Obligations, Concepts for Security Breach Notification
• Network and Mobile Security: Network-level Security Devices, Interconnectivity Devices, Protocols and Trends, Intrusion Prevention, Network Infrastructures, Management of Mobile Devices
• Hackers and Threats: Awareness Raising, Social Engineering, Protection against Mail and Web Attacks, Vulnerability Assessment, Penetration Testing
• Technical Solutions: Mobile & Wireless Security, Embedded Systems, Operating Systems, Virtualization, Endpoint Security Capabilities, Web Services Security
• e-Government – Governance and Policy: Emerging Regulations, Legislations, national Security, Law Enforcement, Government Procurement
• Enterprise Security Services: Authentication, Authorisation and Accounting, Governance, Risk and Compliance
• Emerging Applications: Object Rights – Management, Service oriented Security, Security enabled Technologies, e-Voting, IPv6
• Future of Security Aspects and Technologies: European IT-Security Projects, Open Source Software & Security, Ubiquitous Computing, Emerging Crypto Developments, Trusted Computing
• Critical Infrastructure Protection and physical Security: CERT/CSIRT – European and Global Developments, Resilience of Networks and Services, surveillance techniques and analytics
• Cybercrime and Forensics, Fraud Detection & Prevention

TeleTrusT awards the “TeleTrusT Innovation Award” on the occasion of the ISSE. This annual award is given to applicants that have developed an innovative and trustworthy information technology, software or online service for use in industry, government or research. An international Jury will propose the winner using the following criteria:
- Is the security level of the application appropriate?
- Are the security functions an integrated part of the application?
- Are the built-in security functions transparent to the user and fit for use?
- Is the application interoperable, ideally with European reach?
- Does the application contribute to economic stability (e.g. of the company)?

Practical Details and Registration

All details and registration are available at http://www.isse.eu.com/

This year, the ISSE/GI-SICHERHEIT conference and exhibition will be held at the Maritim Hotel in Berlin, Germany.
Venue Address:

Maritim Hotel Berlin
Stauffenbergstraße 26
10785 Berlin
Tel: +49 (0) 30 2065-0
website: http://www.maritim.de/de/hotels/deutschland/hotel-berlin/lage-anfahrt

It runs from October 5th until October 7th.

Knowledge Day on Information Security for Municipal Authorities and OCMWs

25-Jun-2010

On 25 June, V-ICT-OR, in cooperation with KHMechelen, is organising a Knowledge Day on information security for municipal authorities and OCMWs. The day takes place at 't Arsenaal in Mechelen from 9:00 to 13:00.

Registration is possible via : http://www.v-ict-or.be/content/shoptit_forms/record.php?ID=147&EVENT=331

The keynote speaker on the programme is Luc Beirens, Head of the Federal Computer Crime Unit (FCCU), who will talk about the methods of today's computer criminals, who pose a threat to the security of government computer networks and to e-government. Drawing on police practice, Mr Beirens will answer, among others, the following questions: Where are the risks in cyberspace located? Are we currently sufficiently protected against cyber attacks? How can we arm ourselves against the looming dangers?

After that, 2 parallel tracks are organised, one focusing on the technical side of information security at local authorities and the other on the well-considered shaping of IT policy. The following questions, among others, will be addressed:

• Technology
• How easily can your authority's network be hacked?
• What are the security risks of SSL-VPN connections for working from home?
• Policy
• How can OCMWs and municipalities work out a joint security policy?

The other topics to be covered on 25 June will follow soon.

Price:

V-ICT-OR members & sponsors can participate for 35 euro.

Non-members of V-ICT-OR who work in a government organisation can participate for 50 euro.

Non-members of V-ICT-OR who work in private companies can participate for 100 euro.

Managing Identities in 2010

17-Jun-2010

Dealing with Identity Fraud and Identities in today’s society is an increasingly difficult challenge. We have a personal identity, but typically many electronic identities.
User names, passwords, a variety of tokens and appliances are a challenge to us on personal basis. But for a company, an organization or a government department that has to manage many user accounts and citizen identities, it could even be worse. Passwords get forgotten, an administrator has too many privileges, electronic identities get abused and data integrity is lost.
Managing identities in 2010 has become a real challenge. The reality of Identity Management in 2010 is that most companies today are still trying to understand why Identity Management would need to be important to them, the types of challenges that effective Identity and Access management can help resolve and how it fits within their organization. Companies that did embrace the concept of Identity Management, for reasons of Single Sign On, reduction of the cost of IT support, more efficient use of resources, segregation of duties, or working transparently but securely with a variety of partners and organizations, should today be looking into the potential of the reality of Federated Identity Management, the challenges of Privacy, and the opportunity to expand the functionalities and integrations of Identities consisting of many attributes and functions, or to expand into cloud systems. Technologies have matured and are specializing in specific services; Service Providers and System Integrators have further professionalized and deepened their expertise. Enterprises and government institutions are constantly increasing the ease of access and availability of systems to a wider area of users, thus reducing their own operational costs and empowering their business lines while still being in control of the activities and facilitating audits.

Read the following review in Uri’s blog : Private IDs – or – Time, space, and Leuven.

Final Program

Subjects for discussion :
- Back to the basics : why identity management is relevant to today’s business and government environments, cases, examples, best practices
- The business reasoning for Identity Management : cost reduction, managing controls, facilitating activities, ease of access and use
- The cost of a single project vs company wide deployment
- IDM, the new e-business?
- Governance of identity management projects : learning from experience
- Best practices
- Examples of federated identities
- Challenges towards the future : privacy, dealing with multiple functions, going towards attribute management
- The Sun behind the Cloud
- …

9.15 : Registration & Welcome Coffee
9.45 : Introduction & Opening Notes, by Ulrich Seldeslachts, CEO LSEC

10.00 : Experiences in managing Identities, in Belgium and abroad. The current status of Identity Management, by Wouter Janssen, Axl-Trax

About : Wouter Janssen CISSP CISA CISM CGEIT CFE is a security specialist working as a director for Axl & Trax in Belgium. Working in the security consulting and audit field for many years, he has combined his technical skills and security knowledge with business insight and experience to assist customers in finding tailored solutions for security challenges.
He has over 10 years of professional experience in the areas of IT security, identity & access management, SAP security, governance, compliance and control. He has been involved in and managed large-scale IT security projects and advised various multinationals across Europe.

Abstract :  Identity Management?; The identity management business case; The current status of identity management; Managing expectations; Challenges ahead; Lessons learned; Reflections

10.45 :  Shifts in identity management introduced by the cloud and virtualization, by Dave Vijzelman - Principal Security Consultant, CA Technologies

About : Dave Vijzelman has worked in several large heterogeneous environments and has extensive experience in designing and implementing architectural RBAC solutions. His focus is primarily on RBAC strategies and role mining. Besides this, he also has wide knowledge of the technical approach to identity and access management (IAM) strategies. Previously he was a Senior Information Security Consultant at Ascure, where he was responsible for the architectural approach of analyzing and designing RBAC strategies for clients. Before this, he was an RBAC Consultant at BHOLD Company. Today, Dave is Principal Security Consultant with CA Technologies, supporting large associations in their Identity Management challenges.

His variety of experience has been proven in a number of business and industry sectors. In Switzerland, he designed and implemented an RBAC strategic tool for audit and control for a large insurance company in Basel. For a banking company in The Netherlands, he also successfully implemented an RBAC tool used primarily to audit an Active Directory environment.

Abstract : The Cloud has multiple perspectives, each of which influences how security is managed. Your organization might consume Cloud-based applications and services, might provide Cloud-based applications and services, or even provide aspects of security from the Cloud to others. Organizations should not dismiss any of these roles out-of-hand, even if at first glance they seem different from past practices. The emergence of the Cloud might re-jigger existing markets as well as open-up new market opportunities. This session will focus on CA’s security management product strategies and how we enable all three of these modes of Cloud security, both now and with an eye towards the future.

11.20 : Coffee Break & Networking

11.40 : Identity Management in Practice – The case of a large Hospital in Flanders by Jeff Verhulst, Traxion

Customer Case: Identity Management @ AZ Sint-Lucas Gent, by Jeff Verhulst - Project Manager, Traxion

Abstract : Identity Management in practice, Identity Management in Health Care, Customer Case: AZ Sint-Lucas Gent

Presentation outline:

Customer Case: Identity Management @ AZ Sint-Lucas Gent

- Identity Management in practice
- Traxion in practice
- Identity Management in Health Care
- Customer Case: AZ Sint-Lucas Gent
- Conclusions
- Questions

About : Jeff is currently project manager and IAM Consultant at Traxion. Previously he was IAM Solution Engineer at ACA IT-Solutions and ICT Engineer at Contineo. He did his master's thesis at Janssen Pharmaceutica and was educated at the Katholieke Hogeschool Kempen and the Katholieke Universiteit Leuven. At Traxion, Jeff has moved towards business consultancy and is currently responsible for project management, functional and technical analysis.

12.15 : Federated Identities in Practice – The case of a large corporate company, by Marc Vanmaele, SecurIT

Abstract : Federated Identity Management has come of age: if not between dispersed organisations, then for sure within large enterprises as a means to overcome difficult Identity Management challenges. The presentation will illustrate multiple use cases, including the Belgacom case and POCs realised to demonstrate the integration of Microsoft SharePoint servers at ING and the Flemish government.

About : Marc Vanmaele is the Founder and Managing Director of SecurIT, located in the Benelux and specialised in Identity and Access Management since 1999. In addition to its System Integrators role, the company sells its own software products, such as its innovative TrustBuilder® Identity data Services solution, on a worldwide basis in close cooperation with a network of partners in many countries. More info on http://www.securit.biz. Marc has over 30 years of experience in ICT with large organisations. He is a recognized authority in this field and renowned speaker at conferences over the past years.

12.50 : Walking lunch & Networking

13.45 : Keynote : The basics of an Identity and the Challenge of managing identities in the future, by Kim Cameron, Microsoft

About : Kim Cameron is the Chief Architect of Identity in the Identity and Security Division at Microsoft, where he champions the emergence of a privacy enhancing Identity Metasystem reaching across technologies, industries, vendors, continents and cultures.

Kim plays a leading role in the evolution of Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft’s other Identity Metasystem products.

He joined Microsoft in 1999 when it bought the ZOOMIT Corporation.  As VP of Technology at ZOOMIT, he had invented metadirectory technology and built the first shipping product. Before that he led ZOOMIT’s development team in producing a range of SMTP, X.400, X.500, and PKI products.

Kim is a Microsoft Distinguished Engineer.  He grew up in Canada, attending King’s College at Dalhousie University and l’Université de Montréal.  He serves on RISEPTIS, a high-level European Union advisory body providing vision and guidance on policy and research challenges in the field of security and trust in the Information Society.  He has won a number of industry awards, including Digital Identity World’s Innovation Award (2005), Network Computing’s Top 25 Technology Drivers Award (1996) and MVP (Most Valuable Player) Award (2005), Network World’s 50 Most Powerful People in Networking (2005), Microsoft’s Trustworthy Computing Privacy Award (2007) and Silicon.com’s Agenda Setters 2007.

Kim blogs at identityblog.com, where he published the Laws of Identity.

14.40 : Why does a standard matter for Identity Management and how to apply them in an integrated world, by Marcel Rizcallah, Western Europe Security Strategy & Business Development, Oracle Consulting

About : Marcel Rizcallah is currently responsible for the Western Europe IDM & Security Service Line at Oracle Consulting. He is also heading the Security Practices in France and Switzerland.
He is in charge of defining the Security Sales Strategy and Business development for the Western Europe region, including packing the consulting offerings and methodologies, training the sales representatives, launching the go-to-market initiatives, liaising with Product management and working closely with License Sales representatives to sell the Security products (Identity management products and security database options).
He is also a thought leader in IDM & Security and has participated in different events in Europe (Assises de la Securité in France, IDC and Gartner events, etc.).
Prior to Oracle, Marcel was the head of Technology at Valoris, a leading European Consulting and System Integrator in BIW, CRM and Internet technologies, for 12 years (including 2 years in London). He was responsible for business development and consulting on e-Commerce, Portal and Content Management, SOA/BPM, and Identity & Access Management. Before Valoris, Marcel was the CTO of Telino, an X400 messaging and EDI software company, and was responsible for Product Management and R&D for 7 years.
Marcel is the author of a book on LDAP directories in French (Annuaires LDAP - Eyrolles 2004), also translated into English (LDAP directories - John Wiley & Sons Ltd 2003).

15.20 : Panel Discussion

15.40 : Coffee Break

16.15 : Federation is surrounded by a cloud of uncertainty… (Point of View on real-life Federation Services) by Jan Vanhaecht, Deloitte Enterprise Risk Services

About : Jan joined Deloitte and is more specifically active in the Enterprise Risk Services/Security and Privacy-group since June 2008. There, he is acting as a leading Identity and Access Management Architect. He is involved in major national and international projects. Next to the projects he’s involved in, he actively researches the possibilities of commercial IAM platforms and the integration of these platforms with major software components (ERP systems, Document Management Systems, …).
Amongst other projects, Jan is the lead architect of the awarded project “Identity Management at the Flemish Government” (Gebruikersbeheer bij de Vlaamse Overheid). This project allows for the Flemish Government to make applications available to partners (local government, education institutes, economic actors, …) in both a secure and fast way. Next to his experience in Public Sector, Jan is also active in private sector (especially financial services) as a trusted IAM expert.
Meanwhile, Jan is regarded as a very senior expert in the fields of Identity Provisioning, Access Control Management, Role Management, Federated Identity/Access Management, IAM-GRC integration, ...

Abstract : Federation is surrounded by a cloud of uncertainty…although federation standards have been around for many years. Technically, federation projects face little or no challenges. But still effective, large scale federation projects are hard to find.
During this keynote, Jan Vanhaecht will discuss conflicting interests and problems he faced during actual projects. Based on his field-experience, Jan will analyze root cause of both successful and failing federation projects. From his Enterprise Risk Services background, he will focus on different levels of problems: technical implementation, information exchange and business level “trust” issues and how these issues were handled in a number of real-life projects.

17.00 : Identity Management integration in practice - Prevent fraudulent access to IT assets, by Dominique LAIGLE - Senior Security Consultant, Bull

About : Dominique LAIGLE is Senior Security Consultant at Bull, in charge of recommendations and design of complex secure IT architecture.

Abstract: In most companies and/or organizations, ICT system and application administrators do have access to technical accounts. They therefore administer systems and applications through those accounts and not through their personal IT account. This is of course not compliant with recommendations, and also not in line with most companies' and organisations' security policies. Following an internal audit, a large financial organisation has asked Bull to put in place an infrastructure that will prevent access to technical accounts while allowing auditors to track un-authenticated accesses to systems and application resources. Moreover, the infrastructure had to support a completely heterogeneous environment consisting of different UNIX platforms and several applications (like DB2, BEA, Oracle, MQ-Series, Swift, ...). The technical infrastructure in scope of this project is based on MIT Kerberos and OpenLDAP, while logging and auditing rely on OSSEC. This infrastructure furthermore offers the Single Sign On feature. The project is split into 3 phases:
• The proof of concept, which aims at building, testing and evaluating the technical infrastructure
• The pilot, whose objective is to deploy the technical infrastructure on several hardware platforms, assess impacts on applications and evaluate the deployment process
• The final deployment, to be carried out on more than a thousand servers.

17.35 : Closing Notes & Reception & Networking

19.00 : Close of Seminar

Practical Details

Managing Identities in 2010 & Federated Identities Seminar
Thursday June 17th, Leuven
Auditorium “De Tweede Hoofdwet”, Kasteelpark Arenberg, KU Leuven, Heverlee

Free to participate upon prior registration

A non-cancellation fee of 150 € will be charged upon non-attendance and non-cancellation at least 24 hours prior to the event, by sending an email to identities2010 at lsec.be and getting confirmation of your cancellation.

Thanks for participating.

The war against cybercrime

28-May-2010

BT Benelux and Skybox Security are pleased to invite you to an exclusive session featuring Bruce Schneier, one of the world’s leading experts on information security and Chief Security Technology Officer of BT.
In addition to his keynote presentation, Bruce Schneier will participate in a panel session about Cyberwarfare with security experts Jo Basselier (Euroclear), Noël Van den Driessche (KBC), Didier Verstichel (SWIFT) and Glyn Finan (Lloyds Bank). The discussion will be moderated by Richard Cross, Corporate Risk Manager at TOYOTA Motor Europe.
Glyn Finan (Security Solution Architect, Lloyds Bank) will share with us the eSecurity challenges that his company faced during the Lloyds-HBOS merger.
Justin Coker (VP - EMEA, Skybox Security) will share his view on “How to predict and prevent cyber attacks”.
This seminar will take place in the BT office in Diegem, from 09 - 13hrs, and includes a networking lunch offered by our cosponsor Skybox Security.
We hope you will be able to join us at this exceptional occasion.

Agenda :
08.45 – 09.15 : Registration
09.15 – 09.25 : Introduction
Edwin Hageman, board member BT Benelux
09.25 – 10.00 : (Cyber)security
Bruce Schneier, Chief Security Technology Officer of BT
10.00 – 10.30 : eSecurity challenges during the Lloyds-HBOS merger
Glyn Finan, Security Solution Architect, Lloyds Banking Group
10.30 – 10.45 : Risk modelling and simulation, a behind the scenes look at how to prevent cyber attacks
Justin Coker, VP EMEA, Skybox Security
10.45 – 11.00 : Coffee break
11.00 – 12.00 : Expert Panel discussion: Cyber-war: The missing ‘Peace’ or the next Great Distraction?
Bruce Schneier, Chief Security Technology Officer of BT
Glyn Finan, Security Solution Architect, Lloyds Banking Group
Jo Basselier, Head of IT Security Management, Euroclear
Noël Van den Driessche, Head of Information Risk Management, KBC
Didier Verstichel, Director, Enterprise Security & Architecture, SWIFT
Moderator: Richard Cross, Corporate Risk Manager, TOYOTA Motor Europe
12.00 – 13.00 : Walking lunch

Practical details :
- registration was on a first-come, first-served basis,
- only accessible upon confirmation by BT Belgium of your attendance,
- the event is now complete, no more registrations can be accepted,
- should you be hindered in attending, please inform us at waragainstcybercrime at lsec.be as soon as possible.

Thanks for your understanding

NATO Information Assurance Symposium 2010

28-Sep-2010

The 2010 Information Assurance Symposium (NIAS) will be held September 28th–30th, 2010 at SHAPE Headquarters, Mons, Belgium. The 2009 event was a resounding success with over 800 delegates and 50 exhibitors participating in the recently held event. The 2010 NIAS is poised to be even bigger and better with increased attendance and enhanced and exciting exhibitor opportunities.

NATO INFORMATION ASSURANCE SYMPOSIUM 2010

The NATO IA Symposium is an annual event between senior NATO IA Staff, NATO nations IA leaders and leading Industry IA providers to develop industry best practice solutions for NATO use. The NATO IA Symposium will bring together more than 800 NATO and Industry delegates to discuss innovative ways of meeting NATO’s IA requirements.

NIAS is the biggest IA event in the NATO calendar and this year the event promises to be bigger than ever.

This year the theme of the symposium will be:

Solving the challenges of delivering Information Assurance in a federated world

NATO is a coalition. It relies on federated IA services to provide a secure environment for today’s operations. The resolution to the challenges of the delivery of capability and effect through federated systems presents itself as a powerful theme for this year’s symposium.

Symposium highlights

Senior NATO and industry keynote briefings
Commercial vendor stands showcasing innovative IA Products
IA conference dinner sponsored by industry representation
Static displays from the 1st NATO Signal Battalion (1NSB)
Workshops covering the following areas:
• Cryptography
• Identity management
• Cyber Defense
• Cross domain working
• IA product acquisition
IA Golf Tournament (invite only)

Identity Fraud

27-May-2010

As part of Belgium’s presidency of the EU, this coming 27th and 28th May, the Directorate-General Institutions & Population of the Belgian FPS Interior is holding an international symposium over two half-days in Brussels and devoted to identity management and identity fraud. In parallel, there will also be the presentation of the results of a site survey into the creation, registration and use of identity, conducted as part of a pilot project in eight European countries.

This is undoubtedly a large-scale event that will consist of a programme of internationally renowned presentations, combined with extensive periods for discussion and exchanging information.
A large audience of some 1500 attendees is expected over the 2 days of the symposium, made up as follows:

Target audience :
Belgian and foreign municipalities
Police services
The world of business
Social security
Febelfin
Representatives from the prison services
Organisations representing the homeless
Law and order
Members of the European Commission
Federations and representatives of notaries, bailiffs, lawyers, etc.

Topics and objectives

The topics for this symposium include identity as a whole, the identity card, its uses, misuses and optimisation in terms of security.

The main aim of the symposium, based on the site survey conducted in 8 countries, is to launch a European project in which identity fraud can be tackled as a Europe-wide focus of interest.

This pilot project needs to be extended to all 27 EU countries. The resolution is to create a platform to bring about this enlargement.

Biometric passports and driving licences will also be topics broached during the 2 half-days.

Program Outline Day 1 - May 27th

13.00 Registration of visitors, coffee and visit to the exhibitors

14.00 Identity fraud next door by the Minister of Binnenlandse Zaken (t.b.v.)

14.10 Identity fraud in the financial world in our country Michel Vermaerke (Febelfin)

14.25 Identity fraud in the financial world in Europe Pascale-Marie Brien (French Banking Federation)

14.40 Identity fraud in cyberspace Luc Beirens (FCCU – Federale Politie)

15.00 How to prevent fraudulous access to IT assets Bernard Francis (Bull)

15.10 Coffee and visit to the exhibitors

15.30 “True story”; document forgery Alain Boucar (Federale Politie)

15.50 ‘Identification in the criminal justice chain…, not to be underestimated’ W.L. Borst (Ministerie van Justitie Nederland)

16.10 Use of Belgian eID to sign PDF documents Peter Schellemans (Adobe)

Thursday 27th May 2010 from 6.30 to 10.30 pm
Cost: 99.00 EUR (+ VAT 21%)
Location: Brussels

Participation at the gala dinner is subject to a charge. Attendance must be confirmed using the official online form under “registration” at the same time as confirming your attendance at the symposium.

Registration

Visit http://www.identityfraud.be/page/35/Registration_form_for_symposium_and_gala_dinner/ for practical details and registration.

Total Security Day Luxemburg

20-May-2010

LAN News & LSEC Total Security Day Luxemburg, May 20th

The Total Security Day in the Sofitel Hotel, Kirchberg (Luxembourg) is this year being organized by LAN News in cooperation with LSEC, Leaders in Security, with the objective of providing an interesting perspective on future security challenges from a number of domain experts and technology providers. Insights on Virtualization Security, the future Security Infrastructures, Data Protection perspectives, Identity Challenges and Managed Security Solutions will provide an up-to-date view on current evolutions and potential threats for any company operating Information Technologies.

Intended to inform Information Managers (CIO’s, CISO’s, ...) and business line managers dealing with Information Technologies, and the IT-aware CSO’s, these talks will highlight some of the current challenges that any company is facing in today’s connected world and increasingly data-producing environment. During this day, you will have the opportunity to meet companies like Cisco Systems, IBM, Sonicwall, Trend-Micro, Palo Alto Networks and Computer Associates in the mini expo and you can participate in the different technical seminars. Only for IT professionals, with lunch offered by our sponsors. With the strengths of LAN News and LSEC combined, we will be able to bring you a well-balanced, neutral transfer of expertise and information, and a fine networking activity where you can meet your peers and discuss challenges and opportunities.

Preliminary Program

• 09h00 – 09h30 Welcome, coffee and registration
• 09h30 – 10h20 SonicWall: Social Media & Next Generation Firewalling. How to deal with Twitter, Facebook, YouTube, Hyves etc… Luc Eeckelaert, Regional Sales Manager Benelux
• 10h20-10h50 Coffee Break
• 10h50-11h30 Palo Alto Networks: New Security Risks with Enterprise 2.0. The Spotlight is on the Specific Applications, Risks, Threats, and potential Rewards for IT. Franklyn Jones, Director of EMEA Marketing
• 11h30-12h20 Trend-Micro : Titanium Security ; the Notebook Security in Cloud mode.
• 12h20-13h30 Lunch
• 13h30-14h20 Cisco Systems: Methods for Improving Information and Computing Assets Security.
• 14h20-15h10 IBM: Issues related to virtualization and Cloud Computing. Johan Celis, Security Solutions Architect
• 15h10-16h00 Computer Associates: The Root of the Problem: Malice, Misuse or Mistake. Dave Vijzelman, Principal Consultant
• 16h00-16h50 McAfee: Protect confidential data from unauthorized transfer out of the company - demonstration. Peter van Eeckhout, Senior Security system & networking Engineer
• 17h00 End of Program

Practical Details

- May 20th, from 9.30 - 18.00h
- Hotel Sofitel Kirchberg Luxemburg
- Free to attend upon registration here or at totalsecurity2010 @ lsec.be
- Cancellation fee of 150 € applies if not cancelled latest 24h prior to the event

Identity & Access Management Conversation with Microsoft TechNet

03-May-2010

LSEC and Microsoft want to invite you to this half day Microsoft TechNet seminar where you can learn more about the Microsoft Identity and Access Management portfolio. Together with our partners such as Traxion, IS4U and others, LSEC encourages people to attend this afternoon seminar to experience some of the technologies offered by Microsoft to manage identities within your organizations.

Kicked off by Kim Cameron, Distinguished Engineer and Chief Architect of Identity, in a wider identity conversation, the seminar will dive into the needs and IT challenges that Identity and Access management brings and how Forefront Identity Manager tackles these. In a final technical overview, the Forefront Identity Manager will be presented with live demos.


Agenda

13:00 - 13:30 : Welcome and registration

13:30 - 14:30 : Wider identity conversation, by Kim Cameron

Kim Cameron is Chief Architect of Identity in the Identity and Security division, where he works on establishing a user-centric identity architecture for the Internet, and ensuring Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft’s other identity products become its leading implementations.

14:30 - 15:30 : Microsoft Identity & Access Management: Business Needs and IT Challenges, by Henk Den Baes

Today’s economy has increased the strain to run a lower-cost, more secure IT infrastructure that also enables workers to complete their work quickly and with flexibility. This situation can create a seemingly impossible challenge between workers who want the flexibility of a dynamic work environment and an IT department that needs greater control and manageability. When it comes to managing identity and access across an organization (or within the new organization formed by mergers), even the simplest things can introduce security (and policy) failures, multiply hidden costs, and leave both end users and IT personnel frustrated. As a result, there is proliferation of IDs and passwords. Users need to have different IDs and passwords associated with different resources creating challenges of password management and of course, loss of passwords or inability to access a resource triggers a help desk call. Every help desk call that is generated is a loss to the business in terms of time and agility.


15:30 - 16:00 : Coffee Break

16:00 - 17:15 : Forefront Identity Manager 2010: from identity synchronization to identity management, by Federico Guerrini

The session will provide a technical overview of Forefront Identity Manager (FIM) 2010. The product’s architecture will be covered, with emphasis on the new components that have been layered on top of the synchronization engine of its predecessor, ILM 2007. Live demos will be given in order to show how easily and effectively FIM 2010 can automate identity management processes within complex organizations, which require much more than pure data synchronization.

17:15 - 18:00 : Networking and Cocktail

For more information, please visit the Microsoft TechNet website.
Supported by the following LSEC Members : Traxion, IS4U, Microsoft



Practical Details

Date : Monday May 3rd, 2010

Location : Living Tomorrow, Indringingsweg 1 - Vilvoorde

During registration, you can type “LSEC” when asked for a registration code.

Don’t miss this unique opportunity and register now for this free event!



Register Now via the Microsoft website

BruCON 2010

24-Sep-2010

BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker(*) community.

The conference tries to create bridges between the various actors active in the computer security world, including but not limited to hackers(*), security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc.

LSEC at BruCON 2010

Participate in the European Security Innovation Workshop on Friday September 24th, a workshop on potential threats and possible solutions of Cybersecurity and Information Security in general.

The workshop is part of the program of the SIGNATURE project, a cooperation between the leading Security clusters in North-West Europe.
The aim of the workshop is to discuss amongst experts potential research & development projects and to support innovation and the competitiveness of the region all together.

As leader of the work program on Information Security, LSEC will guide this workshop and ensure follow-through of potential outcomes for enterprises and researchers.

Preliminary Schedule and Program

Keynote: Memoirs of a Data Security Street Fighter by Mikko Hypponen

Presentations:
Automated 0wnage with Return Oriented Programming by Erik Buchanan
Creating a CERT at WARP Speed: How To Fast Track the Implementation of Your CERT by Brian Honan
CsFire: browser-enforced mitigation against CSRF by Lieven Desmet
Cyber [Crime|War] - connecting the dots by Ian Amit
Embedded System Hacking and My Plot To Take Over The World by Paul Asadoorian
Finding Backdoors in Code : Repelling the Wily Insider by Matias Madou
Fireshark - A tool to Link the Malicious Web by Stephan Chenette
GSM security: fact and fiction by Fabian van den Broek
Head Hacking – The Magic of Suggestion and Perception by Dale Pearson
NFC (Near Field Communication) Malicious Content Sharing by Roel Verdult
Project Skylab 1.0: Helping You Get Your Cloud On by Craig Balding
The Monkey Steals the Berries: The State of Mobile Security by Tyler Shields
The WOMBAT Project: Recent Developments in Internet Threats Analysis by Olivier Thonnard and Andy Moser
Top 5 ways to steal a company: Forget root, I want it all. by Chris Nickerson
Tor: Censorship Circumvention in the Real World by Jacob Appelbaum
You Spent All That Money And You Still Got Owned by Joseph McCray
Your Project: From Idea To Reality: Make A Living Doing What You Love by Mitch Altman

Workshops:
Cryptanalysis workshop: Breaking office encryption by Eric Filiol
Damn Vulnerable Web App by Ryan Dewhurst
Hardware Hacking Area: Learn To Make Cool Things With Microcontrollers! by Mitch Altman
Living with SELinux How to configure SELinux for your daily applications in CentOS/RHEL by Toshaan Bharvani
Lockpicking 101 by Walter Belgers (TOOOL.nl)
Malicious PDF analysis by Didier Stevens
RFID workshop by Philippe Teuwen
Seccubus workshop: Analyzing vulnerability assessment data the easy way by Frank Breedijk
The Security Innovation Network - Cluster of Clusters by Ulrich Seldeslachts

Events during conference:
The Hex Factor
Live Security Podcaster Meetup
Lightning Talks
Hardware Hacking Area with Mitch Altman and Hardhack.org

For abstracts and details of the presentation, please check: the BruCON website.

About BruCON

How did BruCON start?
BruCON is organized as a non-profit event by volunteers. A group of security enthusiasts decided that it was time for Belgium to have its own security and hacker conference. A lot of countries around the world have this kind of conference to discuss and present research on computer security and related subject matters. We want to unite people who share the same passion and support the Belgian (research) communities, with BruCON as a yearly highlight. We are not professional organizers and started this as a non-profit organization. We all have full time jobs and dedicate a lot of our free time to this project. Everyone is welcome to join us and help!!

When and where is BruCON 2010?
To help us fund the conference, we are providing some excellent Training courses on 22 & 23 September and the Conference itself is on 24 & 25 September in The Surfhouse.

What are the rules of BruCON ?
There are no rules. But we ask you to refrain from doing anything that might jeopardize the conference or other attendees. BruCON crew members are there to answer your questions and help you wherever they can. It is unwise to do any illegal activities as law enforcement officers probably will attend the event as well.

What is there to do at BruCON?
BruCON offers a presentation track and some workshops by some very interesting and bright people bringing some of the most recent material in security research. The attendees of the conference can help us shape the event. We welcome anyone with some innovative research, a tool or just an interesting website to present to give a lightning talk or a workshop. If you want to give an additional workshop or need some space for your project, please contact us.

Will there be hackers at BruCON?
We hope so!!! Many people have different definitions of what is a ‘hacker’. The only one we don’t agree with is the mass media definition of ‘Hackers’ meaning criminals that deface websites and break into networks also correctly known as ‘crackers’. “Hackers build things, crackers break them”. For us, examples of great hackers are Linus Torvalds or Steve Wozniak. Although security vulnerabilities in software are also discussed during BruCON, today this is called security research or white-hat hacking to improve our software and infrastructure.

(*)Hackers are “persons who delight in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.” People who engage in illegal activities like unauthorized entry into computer systems are called crackers and don’t have anything to do with hacking. BruCON doesn’t promote any illegal activities and behavior. Many hackers today are employed by the security industry and test security software and systems to improve the security of our networks and applications. In addition, for the younger generations, we want to create some awareness and interest in IT students to learn more about IT Security.

Practical Details and Registration

BruCON Security Training : September 22nd - September 23rd

BruCON Security Conference : September 24th - September 25th

BruCON is held at the Surf House in Evere. It’s ideally located between Brussels National Airport (Zaventem) and Brussels North Railway Station.

The Surf House features a big auditorium, a lounge and several modular workshop rooms. In the auditorium, there are five huge screens to provide a panoramic view of the message you wish to convey. This area is perfect for holding presentations as the high-tech apparatus is a boon for efficient and professional communicating. In the lounge you can relax yourself in between the presentations and workshops and join us at the party on Saturday evening.

The location is easy to reach by train, bus, car or taxi. See below for more information:

The Surf House
Rue Stroobants 51
B - 1140 Evere
Tel : +32 (0)2 243 03 85
http://www.surfhouse.be/

Network and Systems Protection Seminar

20-Apr-2010

For Barracuda Networks premise-based gateways and software, cloud services, and sophisticated remote support to deliver comprehensive security, networking and storage solutions. The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection.

Join Michael Hughes, VP Sales EMEA of Barracuda Networks, for his presentation on the benefits of Barracuda Networks Products and how they significantly reduce administrative overhead and costs.

This complimentary event (including lunch, snacks) will highlight the following points:

• The importance of a Next Generation Firewall in modern IT-environments
• Effectively index and preserve all emails, enhance operational efficiencies and enforce policies for regulatory compliance
• Full local data backup combined with a storage subscription to replicate data to two offsite locations
• Application blocking and malware protection solution
• Protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Web site.
• Maintaining uptime, scaling data center capabilities to handle increased load, and protecting infrastructure from network vulnerabilities
• Secure, clientless remote access to internal network resources from any Web browser
• Cloud-based secure Web gateway, protects users from malware, phishing, identity theft, and other harmful activity online
• Eliminating spam and viruses from your organization
• Benefits of a central management
• Update on the existing Award Winning Barracuda Networks Portfolio
• Enduser Experiences

Timescale
11.30 Registration and LUNCH BUFFET
12.30 - 14.30 Presentations
14.30 - 15.00 Coffee break and snacks
15.00 - 17.00 Presentations
17.00 - 18.00 Networking Cocktail



WHEN :  April 20, 2010
TIME :  11:30 AM - 05:00 PM
WHERE :  Van der Valk Hotel Brussels Airport - Brussels

Infosecurity.be 24 & 25 March 2010, Brussels Expo

24-Mar-2010

Trade show and seminars on IT and Information security

Infosecurity.be offers ICT professionals an overview of the latest security technologies, products and services. More than 80 exhibitors guarantee a wide exhibition programme. Keynote speakers at the seminar programme are Eugene Schulz (Chief Technology Officer at Emagined Security), Noël van den Driessche (Head of Information Risk Management KBC Group) and Christofer Hoff (Director Cloud & Virtualization Solutions, Cisco Systems). One of the keynote activities is the Professional Development Cafe by (ISC)2. Infosecurity.be and (ISC)2 invite visitors to round table discussions and small groups discussions on professional development.

Infosecurity.be takes place on 24 and 25 March 2010 at Brussels Expo, at the same time as the trade show Storage Expo BE (data storage and management). A unique one-stop shopping opportunity: with just one visit, you can kill two birds with one stone! A visit to Infosecurity.be is, after registration, free of charge. To register and go to the http://www.infosecurity.be website, click on the banner:

LSEC Security Innovations Booth

For the first time at Infosecurity.be, a special Innovations booth has been established. Innovative Flemish Information Security companies will demonstrate their most recent development at the LSEC Security Innovations Booth.

Flanders is renowned on a global basis for its centers of expertise. With companies such as Verizon Business Solutions – Cybertrust (the former Ubizen), Vasco Data Security and Zetes, the Flanders security business is leading on many fronts. But also with innovative engineering such as AES encryption based on the Rijndael algorithm or the Belgian eID-card, Belgium has been a leader in Information Security.
At Infosecurity.be some of the newer developments will be demonstrated by companies such as Zion Security, a company amongst other things specialized in Application Security. Zion will demonstrate the use of its Web Application Firewall as a Service, an innovative service to protect websites in the cloud as a managed service. With GLOPASS (the Global Logical and Physical Access and Signing System) arrowUp is standing out from the crowds with a unique framework to connect logical access control and identification systems with a variety of physical access systems. Entering the building with your personal ID-card and seamlessly collecting information from the printer with the same card, or logging in to your pc to facilitate the ease of access and to reduce the cost of maintaining multiple systems. arrowUp will also demonstrate the Secure signature of important documents on the road with SafeSign for Blackberry devices. Traxion have been developing smart installations of Single Sign On systems for hospitals and enterprises. Easily integrating with Microsoft back ends, they facilitate the development of a wider identity and access management environment. eID Company have been building innovative applications based around the use of the Belgian eID card such as e-Voting (for polls or votes within companies or to facilitate elections of any kind) or setting up of electronic archives, or even easy to use electronic document signing tools. Not only secure signing of document, but als