Social Engineering and Client Side Exploits

Chris Nickerson, CEO, Lares
Topic: Layer 8 Attacks (Social Engineering)

Chris Nickerson is a Certified Information Systems Security Professional (CISSP) whose main area of expertise is focused on Red Team Testing and Social Engineering. In order to help companies better defend and protect their critical data and key information systems, he has created a blended methodology to assess, implement, and manage information security realistically and effectively. At Lares, Chris leads a team of security consultants who conduct Security Risk Assessments, which can cover everything from penetration testing, Application Testing and Vulnerability assessments, to policy design, Social Engineering, Penetration Testing, Red Team Testing and Regulatory compliance testing. Prior to starting Lares, Chris was Director of Security Services at Alternative Technology, a Sr. IT compliance at KPMG, Chief Security Architect at Sprint Corporate Security, and developed an enterprise security design as network engineer for an international law firm. Chris is a member of OWASP, ISACA Denver and is also a featured member of TruTV's Tiger Team, a reality television program showing the activities of actual penetration tests and active assessments.

The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that opportunity is quickly drying up as well. As attackers creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way to the unspoken 8th layer, the end user. After years of hardening physical systems, networks, operating systems, and applications, people are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads, quite literally. Join Chris for a technical discussion of ‘wetware hacking’ techniques, and strategies to defend against it.

Joan Goodchild
Senior Editor, CSO Magazine and CSO Online.com

Joan has written extensively on the topic of social engineering and awareness training, and she has more than a decade of experience as a journalist.  Before joining CSO she was an editor with the Boston Business Journal, and prior to that she was a television reporter and anchor with stations in Maine, Massachusetts and Vermont. She is the recipient of an Edward R. Murrow award and a Scripps Howard National Journalism award, both for investigative reporting.

Dan Marcil, CISSP, CISA, OSCP
Information Security Administrator, Fuel Cell Energy, Inc.
Topic: Take a walk on the client side with Metasploit

Dan Marcil has over 10 years of experience designing, administering, and securing network systems. He is certified in multiple aspects of security and holds CISSP, CISA, MCSE as well as Offensive Security Certified Professional (OSCP) from the creators of Backtrack and OSSTMM Professional Security Tester/Analyst (OPST/OPSA) from the Institute for Security and Open Methodologies (ISECOM). He is a member of CT Infragard, ISACA Hartford, and has held multiple positions on the board of ISSA CT.

The open source Metasploit Framework has enabled both security researchers and script kiddies alike to “0wn" machines remotely for a few years now, however developments to this framework have enabled several new client side exploit techniques which bypass multiple layers of security. Watch step-by-step as Dan shows you exactly how attackers can quickly perform end-runs around common internal security defenses to compromise machines, and how you can defend against these types of attacks.

Charles Kaplan
Chief Security Strategist. Riverbed Technology (Formerly Mazu Networks)
Topic: Looking inside the perimeter:  Cutting box count and improving security at the same time with Network Behavior Analysis (NBA).

A security veteran for over 15 years, Mr. Kaplan has spent his career protecting electronic assets.  With years under his belt as both a CISO (Verisign and Breakaway Solutions), as well as an executive for security product and services vendors (Guardent, Mazu, norSEC), Mr. Kaplan is fluent in both the regulatory expectations placed upon practitioners today, as well as how to implement and run an effective security program.