
2nd Annual IIA/ISACA Hacking Conference

True Security Countermeasures & Internal Audit’s Virtual Vector

Summit West

500 West Madison Street (Ogilvie Train Station)

Downtown Chicago | Illinois

October 27th & 28th


Welcome!
We welcome you to the 2nd Annual IIA/ISACA Hacking Conference, sponsored by
the Chicago Chapter of the Institute of Internal Auditors and the Chicago Chapter
of ISACA! Today’s session is titled “True Security Countermeasures and Audit’s
Virtual Vector”. Our goal was to present a two-day event that contains the most
real-world, hands-on application of hacking knowledge and skills that can be
applied to the Internal Audit/IT Audit/IT Security world.

By the end of this course, you will have a significantly greater appreciation for the
IT security landscape and how it impacts your organization. The combination of
practising information technology experts and the broad landscape of
IT vulnerabilities presented at this conference will expand the operational,
financial and IT auditor’s skill set, not only integrating information technology
auditing techniques but also developing awareness of one of the most significant
changes in the risk profile of businesses today.

Thank You to Our Sponsors


We would like to warmly thank our sponsors!

Platinum

Gold
Course Outline

DAY 1: Tuesday, October 27, 2015
8:00 – 8:30    Registration and Continental Breakfast
8:30 – 9:20    Cyberthreat Landscape. Eric Brelsford, Special Agent, FBI
9:35 – 10:25   Global Honeypot Trends. Elliott Brink, Sr. Associate, RSM McGladrey
10:50 – 11:40  Tracking and Responding to Global Cybercrime. John Bambenek, Sr. Analyst, Fidelis Cybersecurity
11:50 – 12:30  LUNCH
12:40 – 1:30   Using Passive DNS to Uncover Network and Server Parasites. Alan Clegg, Sales Engineer, Farsight Security, Inc.
1:45 – 2:35    The Secretive Zero-Day Exploit Market. Adriel T. Desautels, Partner & CEO, Netragard, Inc.
2:50 – 3:40    Assessing Risk in a Breached World. Chris Gerritz, CEO & Co-founder, Infocyte, Inc.
3:55 – 4:45    Internal Audit Considerations for Cybersecurity Risks Posed by Vendors. Joseph Kirkpatrick, Managing Director, KirkpatrickPrice

DAY 2: Wednesday, October 28, 2015
7:30 – 8:00    Registration and Continental Breakfast
8:00 – 9:30    CISO Panel: Perspectives on addressing today’s security challenges. Moderator: Tina LaCroix-Hauri, President, Bradford Garrett Group. Panelists: Waqas Akkawi, CISO, SIRVA Worldwide; Kevin Novak, CISO & IT Risk Officer, Northern Trust; Michael Phillips, EVP & CISO, Rosenthal Collins Group; Richard Rushing, CISO, Motorola Mobility
9:35 – 10:45   CryptoLocker Ransomware Variants: Learn How to Protect Against Them. Ryan Nolette, Sr. Threat Researcher, Bit9
11:00 – 12:00  Software Security Metrics. Neil Bahadur, Managing Consultant, Cigital
11:50 – 12:30  LUNCH
1:00 – 2:00    Forensics for Auditors. Inno Eroraha, Chief Strategist, NetSecurity Corp.
2:15 – 3:15    Welcome to the Internet of Insecure Things. Chandler Howell, Director of Engineering, Nexum
3:30 – 4:30    A New Approach to Audit your Company’s Threat & Vulnerability Management Program. Paul Hinds, Managing Director, PwC; Stephen Asamoah, Senior Consultant, PwC
Sessions at a Glance: Day 1
Session 1: Cyber Threat Landscape
8:30 AM – 9:20 AM
In this session, the Federal Bureau of Investigation (FBI) will
provide their unique view of cyber threats, addressing who the
attackers are, their objectives, and how to best prepare for
attacks.

As Sun Tzu famously said: "If you know the enemy and know
yourself you need not fear the results of a hundred battles." The
FBI will provide insight that can help organizations understand
and respond to our common enemies in the cybersecurity space.

Eric Brelsford, Special Agent – Criminal & National Security Cyber Investigations, FBI Chicago Division
SA Brelsford began his career with the FBI in 2003 in Milwaukee
where he started investigating cyber crimes. In 2006, SA
Brelsford transferred to Chicago where he has continued to
focus on cyber-crime investigations. During this time, SA
Brelsford has been the lead investigator on a variety of cyber
investigations including data breaches, cyber extortion, financial
account takeover, malware distribution, botnet operations, and
denial of service attacks.

Prior to joining the FBI, Agent Brelsford worked in the private
sector performing computer & information security consulting.
Agent Brelsford is currently assigned to a criminal computer
intrusion squad.
Session 2: Global Honeypot Trends
9:35 AM – 10:25 AM
Many of my computer systems are constantly compromised,
attacked, hacked, 24/7. How do I know this? I've been letting
them. This talk will cover over one year of my research running
several vulnerable systems (or honeypots) in multiple countries
including the USA, mainland China, Russia and others. We'll be
taking a look at: a brief introduction to honeypots, common
attacker trends (both sophisticated and “script kiddie”), brief
malware analysis and the statistical analysis of attackers based
on GeoIP. Are there differences in attacks based on where a
system is located based on GeoIP? Different attackers use
different tactics. As part of this presentation, we will discuss the
tactics that have been seen in use on these systems.

Elliott Brink, Sr. Associate, RSM McGladrey

Elliott Brink (@ebrinkster) is an Information Security Senior
Associate for RSM based out of Chicago, IL with 4 years of
experience in the industry. He specializes in internal/external
pentesting, web application testing, and social engineering
engagements. Elliott has been involved in penetration tests
domestically and internationally, for clients ranging from Fortune 500 companies to
organizations with fewer than 10 employees, and manages the
penetration testing lab for RSM. He has spoken on this topic as
well as others at several information security conferences such
as DefCon, GrrCon, etc.
Session 3: Tracking & Responding to Global
Cybercrime
10:50 AM – 11:40 AM
Every week we hear about another major breach or another
malware campaign that is defrauding businesses and consumers of
millions. Very rarely do we hear of successful investigations and
prosecutions. This talk will focus on investigating cybercriminals
across the globe and some tools and techniques for participants
to implement in their own organizations.

Most malware uses DNS or Domain Generation Algorithms to
allow for communication back to the attacker. By reverse
engineering those means of communication, it becomes possible
to create near-real-time intelligence to track those adversaries as
they move around the Internet. This talk will discuss how to
create such surveillance as well as discuss the possibilities of
deception and counterintelligence inherent in this kind of
tracking.

John Bambenek, Sr. Threat Analyst, Fidelis Cybersecurity

John is a Sr. Threat Analyst at Fidelis Cybersecurity and an
incident handler within the Internet Storm Center. He has been
in security for 15 years researching security threats. He is a
published author of several articles, book chapters and a book.
He has contributed to IT security courses and certification
exams. John has participated in many incident investigations
spanning the globe, most recently as part of Operation Tovar, which
successfully ended Gameover Zeus and CryptoLocker.
Session 4: Using Passive DNS to Uncover
Network and Server Parasites
12:40 PM – 1:30 PM
Malicious actors may create and operate unauthorized web sites
on corporate IT networks and servers. These parasitical sites
use corporate resources to host an insider's own home/startup
business. Unauthorized sites may also host "otherwise-
unhostable" content such as malware, phishing sites, pirated
software repositories, online child abuse materials, or
extremist/terrorist content.

Passive DNS is the perfect technical tool for finding these
unauthorized sites. In this talk we'll explain how passive DNS
lets an audit team find out what company IP addresses have
been used during the period being audited, and for what
domains.

Alan Clegg, Sales Engineer, Farsight Security, Inc.

Alan’s focus over the last 10 years has been technical training. Alan has
trained professionals through the Internet Systems Consortium,
InfoBlox, Info2Intel, and other organizations. His primary focus
areas are DNS, DHCP, and IPv6.
Alan has experience as a UNIX Administrator, technical support
engineer, and other roles throughout his career. Alan has
extensive experience with computer security issues and trends,
having dealt with compromised hosts and denial of service mitigation,
and having documented and assisted in the implementation of network
systems best common practices.
Session 5: The Secretive Zero-Day Exploit
Market
1:35 PM – 2:35 PM
The secretive zero-day exploit market and zero-day exploits
themselves are both misunderstood and misrepresented. Zero-
day exploits are dual purpose tools that take advantage of
existing vulnerabilities in software. Zero-day exploits are
valuable from the intelligence, law-enforcement, and even
corporate defense perspective.

As a former zero-day exploit broker, Desautels will discuss the
realities behind the zero-day exploit market, what zero-days are
and aren’t, and how they can be used. He will also discuss why
he supports regulation but is against the Wassenaar
Arrangement as it stands today. The zero-day market is a
necessity and zero-days are here to stay.

Adriel Timothy Desautels, Partner & CEO, Netragard, Inc.

Netragard specializes in the delivery of realistic-threat,
protective penetration testing services. Adriel is the
architect behind most of Netragard’s services. Adriel is well
known for his efforts towards building an ethical, legitimate and
legal 0‐day exploit market. Adriel ran Netragard’s 0‐day Exploit
Acquisition Program (EAP) from 1999 through the summer of 2015.
Session 6: Assessing Risk in a Breached
World
2:50 PM – 3:40 PM
Network intrusions have spiked in recent years resulting in
millions in financial losses, theft of intellectual property, and
exposure of customer information. The groups responsible for
these high profile attacks are organized and are able to persist in
your network without detection for months, even years. Yet even
with the threat of undetected compromise and zero-day attacks,
today’s risk and vulnerability assessments are still focused on
answering questions we already know the answer to (i.e., “Can
you be hacked?”).

In this session, Chris will discuss the shortfalls of today’s
network assessments for use in enterprise risk measurement,
and the need for new assessment approaches that answer
more critical questions (i.e., “Are you hacked right now?”).

Chris Gerritz, CEO & Co-founder, Infocyte
Chris is a developer of proactive cyber security solutions focusing
primarily on breach discovery. Chris is a pioneer in defensive
cyberspace operations having served as initial cadre of the U.S.
Air Force’s elite Defensive Counter Cyber (DCC) practice. From
a decade of military service, Chris draws on both leadership and
deep technical experience serving in various roles such as
cryptographic systems maintainer, cyber warfare officer and Air
Force pilot. Prior to co-founding Infocyte, Chris served as the Air
Force Computer Emergency Response Team (AFCERT)'s first
Chief of DCC Operations.
Session 7: Internal Audit Considerations for
Cybersecurity Risks Posed by Vendors
2:50 PM – 3:40 PM
• Understanding the threat posed by vendors to your organization
• Identifying and quantifying vendor risks
• Recommended security measures for vendor risk management
• Onboarding and offboarding control objectives
• Example audit programs for three common vendor types
• How to move beyond the test of non-disclosure agreements to stronger tests that confirm control effectiveness
• Recommendations for identifying and mitigating cybersecurity risks
• Strategies to evaluate business impact from common vendor types

Joseph Kirkpatrick, Managing Director, KirkpatrickPrice

Joseph holds CISA, CGEIT, CRISC and QSA certifications as a
certified specialist in data security, IT governance, and regulatory
compliance. He has delivered auditing and security assessment
services for more than 14 years. Joseph, Managing Partner of
KirkpatrickPrice, serves clients and stakeholders who are seeking
to understand compliance and regulatory requirements by helping
them navigate the complex world of data security.
Sessions at a Glance: Day 2
Session 1: CISO Panel – Perspectives on
addressing today’s security challenges
8:00 AM – 9:30 AM
In this session, top Chicagoland Chief Information Security
Officers will answer questions on a range of topics including:
• Security Trends
• Threat Landscape
• Data Security
• What success looks like for security leadership

Panelists will address the above topics and then receive
questions from the audience.

CISO Panel
Moderator: Tina LaCroix-Hauri, President & Co-Founder,
Bradford Garrett Group, Inc.
Tina leads the CISO Advisory Services Practice. As the first
executive level Information Security leader hired by both
Discover Financial Services (DFS) and Aon Corporation, Tina
understands the diverse skill set needed to lead as a global
CISO. Tina sits on the Industry Advisory Board of the Masters of
Science in Information Technology in the McCormick School of
Engineering of Northwestern University where she is also an
Adjunct Professor – Risk Management.
Panelists:
Waqas Akkawi, CISO, SIRVA Worldwide
Waqas is responsible for SIRVA’s information security program,
operations, and delivering information security and privacy
protection value to clients globally.
Kevin Novak, CISO & IT Risk Officer, Northern Trust
Kevin is CISO and a member of the Northern Trust Corporate
Risk Group. He is responsible for the security of Company and
Client information and for the management of information
technology risks across Northern Trust's global business. Kevin
joined Northern Trust in August 2011.
Michael Phillips, EVP & CISO, Rosenthal Collins Group LLC
Michael is the Executive Vice President and Chief Information
Security Officer at Rosenthal Collins Group, LLC. In this capacity,
he serves as Co-Executive of the Information Technology Group
and senior adviser to the Chairman / CEO, providing insights on
various aspects of Operational Risk Management including
Information Assurance & Privacy Protection.
Richard Rushing, CISO, Motorola Mobility
Richard is CISO for Motorola Mobility and participates in several
corporate, community, private, and government security
councils and working groups. Activities include setting
standards, policies, and solutions to current and emerging
security issues.
Session 2: CryptoLocker Ransomware
Variants Are Lurking “In the Shadows”,
Learn How to Protect Against Them
9:35 AM – 10:45 AM
Recently, attackers employing a CryptoLocker variant have been
removing volume shadow copies on systems, preventing
users from restoring those files, and then encrypting the files for
ransom. If a user cannot recover from backups, he/she is at the
attacker’s mercy.
In this technical session, we’ll discuss the ins and outs of
shadow copies, reveal how attackers are using them to encrypt
files for ransom and then discuss ways you can quickly, and
easily, detect and respond to these kinds of attacks.
Ryan Nolette, Sr. Threat Researcher, Bit9 + Carbon Black
Ryan draws from intense and active experience in Incident
Response (IR), Threat Research, and IT experience to add a
unique perspective of technical expertise and strategic vision.
Prior to joining Bit9, Ryan was a Technology Risk Analyst for
Fidelity Investments, where he was the malware expert for their
Cyber Security Group and focused on signature verification and
placement for all IPS devices, and provided non‐signature based
malware detection and prevention through manual auditing and
automated tools. Ryan earned a bachelor’s degree in
Information Security and Forensics from the Rochester Institute
of Technology.
Session 3: Software Security Metrics
11:00 AM – 12:00 PM
Often, auditors must interpret how a set of
"must-do" items is actually being carried out to make sure that they meet
the spirit of the person or entity requiring them. These items may
come from regulatory, statutory, contractual, business practice,
insurance, and other sources, and can be jeopardized by bad software.

This session is a journey into how to understand the
measurements being used for software security and how they
track progress against the must-dos or want-to-dos for your
organization. This presentation includes a look at the numerical
data that comes from a Software Security Initiative and how to
put that information in the context of determining whether your
organization is meeting the spirit of the must-do obligations for
your organization.

Neil Bahadur, Managing Consultant, Cigital

Neil has been with Cigital since 2011. Coming from a process
automation and penetration testing background, Neil looks at
every business process skeptically, paying special attention to
exploitable loopholes. Currently performing BSIMM
assessments, Neil leads enterprise-scale software security
initiatives, injecting security into SDLCs across several verticals
including financial, insurance, healthcare and retail. He believes
that while organic growth and volunteerism can be useful to get
started with process improvement, organizations must perform
application security on purpose to be truly successful.
Session 4: Computer Forensic Jujitsu for
Auditors: Conducting Legally Defensible
Forensics Investigations
1:00 PM – 2:00 PM
Whether you are conducting or supporting the investigation of
illicit pornography, a disgruntled employee, a malicious software
outbreak, fraud, an advanced cyber attack, or another sophisticated
zero-day targeted attack launched by China, the investigation
primitives are the same. The investigators or supporting cast
have to quickly identify and collect the most crucial evidence
wherever it may be – laptop, mobile device, server, desktop,
network, social media, or in the wild.

This session will provide guidance for conducting or overseeing
such investigations in a forensically-sound and legally-
defensible manner, and without preconceived ideas about the
guilt or innocence of the subjects.

Inno Eroraha, Founder & Chief Strategist, NetSecurity

Inno’s main responsibility is to position NetSecurity as “the brand
of choice for forensics, security, and training”, by delivering high-
quality, timely, and customer-focused solutions. Inno oversees
NetSecurity’s day-to-day operations, including the proprietary
HANDS-ON HOW-TO® training program and the state-of-the-art
NETSECURITY FORENSIC LABS. He leads the execution of
NetSecurity’s solutions and helps clients protect, defend, and
recover valuable assets from cyber attacks and computer fraud.
Session 5: Welcome to the Internet of
Insecure Things
2:15 PM – 3:15 PM
The Internet of Things (IoT) is a term that is showing up more
and more and includes a wealth of devices which have
frequently been with us for some time, such as medical devices,
refrigerators, and even cars, but to which we are now adding
network connectivity and integration with remote systems.
Chandler will provide a brief overview and definition of IoT, then
examine why security is frequently an afterthought in these
devices and the implications of weak IoT security, provide a
framework for understanding the implications of these security
issues, then provide some guidance on effective controls and
architectural approaches to manage the risks that these devices
are creating.
Chandler Howell, Director of Engineering, Nexum
Starting as a humble *NIX sysadmin, Chandler worked up as a
C, Perl, Java and eventually Rails coder. Sometime in the mid-
90s, Chandler landed in the world of Risk Management & IT
Security. Finally having found his place, Chandler has led, built
and been a member of security teams for everything from an
online dating site to Fortune 500 companies.
Chandler now manages a nationwide team of approximately 20
engineers providing pre- and post-sales consulting and training.
Session 6: A New Approach to Audit your
Company’s Threat & Vulnerability Management
(TVM) Program
3:30 PM – 4:30 PM
The complexity of tools to protect a company’s IT assets
continues to grow. What is concerning is that most companies
cannot clearly explain the company's IT architecture, what tools
are in place to protect these assets, and what capabilities these
tools possess to mitigate the risks identified. Even more
importantly, few organizations can assess whether these tools are
properly configured and what gaps exist, based on the tools and
how they are configured.
Internal Audit needs to be able to articulate the threat vectors
that exist in their company and the TVM Program and tools in
place, and be able to audit these components to help ensure the
risks thought to be addressed are actually reduced.
Paul Hinds & Stephen Asamoah, PwC
Paul is Managing Director and leads a cybersecurity, privacy,
and IT risk management team. Paul also leads ERP security
and control design and implementation teams for SAP, Oracle,
and many other similar enterprise solutions. Paul has served as
the CAE, IT Audit Director and IT security director for several
Fortune 1000 companies.
Stephen is a Senior Consultant for PwC’s cybersecurity
practice. Stephen held prior positions at BMO Harris Bank as a
Security Advisor II, Security Administrator for Affinia and Security
Analyst for Community Health Systems.
Thank You
This is the 2nd Annual Chicago Hacking Conference and has been
developed, organized and presented in large part due to the efforts of
Jason Torres and Corbin Del Carlo. I would like to thank both Jason and
Corbin for their extensive efforts in creating this conference to educate
the profession on emerging trends in the IT Security arena. This
conference attracted well over 100 participants in 2014. In 2015, due to
the leadership of Jason, Corbin, and a team of volunteers from both the
IIA and ISACA Chicago chapters, registration has grown to nearly 200
participants. Please join me in providing a thank you for the efforts of
Jason, Corbin and the team for making this a successful new event for the
Internal Audit professional annual events calendar.

Sincerely,

Michael L. Davidson
Vice President of Education
The Institute of Internal Auditors, Chicago Chapter

We recognize the following individuals for their noteworthy efforts:

Jason Torres
Corbin Del Carlo
Nathan Anderson
Patrick Coffey
Richard Kokoszka
Juilee Shinde
Scott Shinners
Our Sponsors
Platinum

McGladrey is committed to helping companies like yours
improve at every turn. Whatever the challenge, we strive to
understand your business and deliver objective advice and
high quality, customized services that help you make more
confident business decisions.

www.mcgladrey.com

Gold

Nexum, Inc. is a cybersecurity and networking company that
builds and secures global networks for organizations across
multiple verticals around the world. In addition to its Chicago
headquarters, Nexum has sales, training and support
presence in Kentucky, Michigan, New Hampshire, Ohio and
Wisconsin as well as the Security and Network Operations
Command Centers (SNOCC) in New Mexico and Illinois.

www.nexuminc.com

ThreatConnect, Inc. provides industry-leading advanced
threat intelligence software and services including
ThreatConnect®, the most comprehensive Threat
Intelligence Platform (TIP) on the market. ThreatConnect
delivers a single platform in the cloud and on-premises to
effectively aggregate, analyze, and act to counter
sophisticated cyber-attacks. Leveraging advanced analytics
capabilities, ThreatConnect offers a superior understanding
of relevant cyber threats to business operations. To register
for a free ThreatConnect account, or to learn more about
our products and services, visit:

www.threatconnect.com
