
Session Abstracts And Bios


Can Johnny Finally Encrypt?: Introducing PassLok for Email

Francisco Ruiz
Illinois Institute of Technology


Everybody wants to use encryption to secure their email, but hardly anybody does, because current encryption programs, such as PGP, are so hard to use. A number of commercial offerings have appeared recently that get around the issue by means of special servers that handle both email and keys, but this forces the user to trust a third party, and in almost all cases the user cannot even be sure that encryption has taken place. PassLok for Email, which has just entered beta, was developed to make key management so simple that users are not even aware it is happening, without compromising security or forcing users to trust a third-party server.

Can we do better than F5 image steganography?

F5 image steganography is over 15 years old, and yet it is still the best we have. Current efforts to detect its use in a JPEG file take advantage of F5's tendency to alter the histogram of JPEG coefficients, which contains a larger number of zeros after embedding. In this talk, we will go over methods to defeat this approach, culminating in a variation of F5, available as part of the PassLok Privacy app, in which the JPEG histogram after stego injection remains nearly unchanged from that of the original image.
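The histogram effect the abstract refers to is easy to see on synthetic data. The following is an added example by the editor, not code from the talk or from PassLok: it applies the core F5 step (move a mismatching non-zero coefficient one step towards zero, retry the bit when the coefficient "shrinks" to zero) to a constructed stand-in for quantised AC coefficients and compares the value histograms before and after. The coefficient distribution, the payload and the simplification that the carried bit is the parity of |c| for both signs (F5 itself inverts it for negative coefficients) are the editor's assumptions; F5's matrix encoding is omitted because it lowers the change rate without changing the kind of change.

```python
import random
from collections import Counter


def make_cover(n, seed=1):
    """Constructed stand-in for the quantised AC DCT coefficients of a JPEG:
    a sharply peaked, zero-centred integer distribution (most AC coefficients
    are 0 or +/-1, and the counts fall off roughly geometrically)."""
    rng = random.Random(seed)
    coeffs = []
    for _ in range(n):
        mag = 0
        while mag < 30 and rng.random() < 0.45:
            mag += 1
        coeffs.append(mag if rng.random() < 0.5 else -mag)
    return coeffs


def message_bits(data):
    """Most-significant-bit-first bit list of a byte string."""
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]


def f5_embed(cover, bits):
    """Core F5 embedding step, one message bit per usable coefficient.
    A coefficient whose carried bit mismatches is moved one step towards zero;
    if it becomes zero (shrinkage) the bit is lost and retried on the next
    coefficient.  Returns (stego, bits_embedded, shrinkage_events)."""
    stego = list(cover)
    i = 0            # index of the next message bit
    shrinkage = 0
    for k, c in enumerate(stego):
        if i == len(bits):
            break
        if c == 0:   # zeros carry nothing and are skipped
            continue
        # Simplification (editor's assumption): carried bit = parity of |c|
        # for either sign; F5 inverts it for negative c, which does not
        # change the histogram effect shown here.
        if (abs(c) & 1) != bits[i]:
            c -= 1 if c > 0 else -1       # decrement the absolute value
            stego[k] = c
            if c == 0:                    # shrinkage: retry this bit
                shrinkage += 1
                continue
        i += 1
    return stego, i, shrinkage


def histogram(coeffs, lo=-3, hi=3):
    """Counts of coefficient values in [lo, hi]; the detector looks here."""
    counts = Counter(coeffs)
    return {v: counts.get(v, 0) for v in range(lo, hi + 1)}


def shrinkage_signature(cover_hist, stego_hist):
    """Per-bin change the F5 attack looks for: zeros up, +/-1 down.  A real
    detector has no cover and estimates cover_hist from a cropped and
    recompressed copy of the suspect image; the comparison is the same."""
    return {v: stego_hist[v] - cover_hist[v] for v in cover_hist}


if __name__ == "__main__":
    cover = make_cover(20000)
    bits = message_bits(b"constructed payload " * 20)    # 3200 bits
    stego, embedded, shrink = f5_embed(cover, bits)
    h0, h1 = histogram(cover), histogram(stego)
    print(f"embedded {embedded} of {len(bits)} bits, {shrink} shrinkage events")
    for v, delta in shrinkage_signature(h0, h1).items():
        print(f"{v:+d}: cover {h0[v]:5d}  stego {h1[v]:5d}  delta {delta:+d}")
```

Running it shows the signature the abstract describes: the zero bin grows by exactly the number of shrinkage events, the +1 and -1 bins shrink, and every change is a single step towards zero. A variant that leaves the histogram "nearly unchanged" has to compensate for precisely these per-bin deltas.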

Presenter's Bio:

Francisco Ruiz is Associate Professor of Mechanical and Aerospace Engineering at Illinois Institute of Technology. Besides energy, his research field, he has had a passion for cryptography for a few years, which has culminated in several security apps available on the market. He is a two-time recipient of IIT's Excellence in Teaching Award as well as several research-related awards. Having founded the IIT Invention Center a few years back, he is still in some demand to speak at international conferences on methods for coming up with truly creative, potentially patentable ideas.


Cloud Security Risks Compared with a Private Data Center: What's the Right Decision?

Adel Alqudhaibi
Ministry of Defense, Saudi Arabia


This presentation provides security guidance on the situations in which a particular flavor of cloud computing is, or is not, the best option for a government, an organization or an individual user. It discusses cloud computing from different perspectives and service models, compares the cloud with a private data center, and indicates which is the better choice, together with security recommendations that help protect private data whether it lives in the cloud or in a private data center.

Presenter's Bio:

Networking manager at the Ministry of Defense in Saudi Arabia and currently a graduate student at Lewis University.


Determining Security Best Practices for Critical Infrastructure Protection: A Communication Sector Overview

Matt Plass
Lewis University


The basis of this study was to determine how security frameworks designed using the public-private partnership model aid in the identification of suggested security best practices for a communications provider’s critical infrastructure within the United States. The themes that emerged from the study reinforced ways in which critical infrastructure partner organizations can identify suggested security best practices. These themes also opened additional avenues for future research on other methods of identifying suggested security best practices, such as security awareness and education.

Presenter's Bio:

Dr. Mathias (Matt) Plass is currently an Assistant Professor of Management Information Systems (MIS) at Lewis University in Romeoville, Illinois. Prior to his role at Lewis he was the Lead Security Engineer for Joliet Junior College (JJC). As a leader on the IT Security and Risk Management team, he was responsible for managing disaster recovery, governance and compliance, and maintaining the risk management posture of the organization. Prior to joining JJC, he served as the Principal Security Engineer for WOW – Cable Internet and Phone, Technology & Security Manager for Home Run Inn Inc., and as a programmer with Safeco Insurance, Castle Metals and Chicago Title and Trust. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (C|EH), Certified Penetration Tester (CPT), and holds the Network+ certification. He received his Doctor of Science degree in Cybersecurity from Capitol Technology University in Laurel, Maryland in 2015; a Master of Science degree in Information Assurance in 2012 from the University of Maryland University College in Adelphi, Maryland; and his Bachelor of Science degree from the University of Illinois at Chicago in 1996.


Help 'Them' Understand What You Do

Edward Marchewka
Gift of Hope


Getting funding, resources, and respect is often a challenge. A main reason is that information security is, largely, not understood. This session will present some ideas for telling your story so that "they" understand what information security professionals do. Beyond that, we'll look at how security fits in with the business so that we can ask for resources, be it time, people, or money. Throughout the session we'll also draw in risk and discuss how it fits into our story.

Presenter's Bio:

Edward Marchewka is the Director of Information Technology for Gift of Hope Organ & Tissue Donor Network. Before joining Gift of Hope Edward was the Enterprise Information Security and Server Operations Manager (CISO) for Chicago Public Schools. He is also the creator of CHICAGO Metrics™, a platform to help manage your company's key IT and Information Security risks. Edward has completed, from Northern Illinois University, an MBA and an MS in Mathematics and, from Thomas Edison State College, a BS in Nuclear Engineering Technologies and a BA in Liberal Studies. He also holds a Certificate in Nonprofit Management from the Kellogg School of Management at Northwestern University. He is a member of (ISC)2, AITP, ISACA, and a Board Member with the Chicago InfraGard.


Mobile Security: Trends and Emerging Threats

Sandra Rolnicki
Federal Reserve Bank of Chicago


Mobile devices are ubiquitous, but how secure are they? Do we truly understand the risks we are taking with the vast amounts of data we capture, store and transmit when we use our devices? This presentation will highlight some of the trends in security across the mobile ecosystem, from the physical device to the mobile network operators to the app stores to the apps we use every day. We will discuss how emerging threats, such as mobile malware, are causing practitioners to change their approach to security. Whether you are a business developing or selling mobile services or a consumer of mobile services, you will benefit from hearing real-life cases that will help you reframe how you think about mobile security practices.

Presenter's Bio:

Sandra J.H. Rolnicki is part of the Supervision and Regulation (S&R) Department of the Federal Reserve Bank of Chicago (FRBC). She leads a team of risk management professionals who are responsible for assessing inherent and residual Information Technology (IT) and Operational risk at institutions within the FRBC’s portfolio and across the Federal Reserve System (FRS). She also participates in FRS initiatives on Vendor Risk Management and Cybersecurity. In addition, Ms. Rolnicki is a member of the instructor team of the FRBC’s Technology Lab, a hands-on training facility for U.S. and international regulators. She focuses on classes that feature topics such as Mobile Banking, Information Security Vulnerability Management and Virtual Currency. Prior to joining the FRBC, Ms. Rolnicki’s professional experience included leadership roles in Internal Audit and Quality Assurance in the real estate, investment, telecommunications and consumer electronics industries. Ms. Rolnicki holds a Bachelor of Science degree in Industrial Engineering and a Master of Science degree in Information Technology, both from Northwestern University’s McCormick School of Engineering. She is currently pursuing a PhD degree in Management Science at Illinois Institute of Technology’s Stuart School of Business.


Non-Aligned Cyberspace: Track II Diplomacy & Multilateralism in a Balkanised Battlefield

Pukhraj Singh
Bhujang


Asia and Africa can spearhead a new era in cyber-diplomacy, installing an alternate power structure, by putting forth the neo-Nehruvian idea of a ‘Non-Aligned Cyberspace’ on an international stage. However, the geopolitical potential of intergovernmental cybersecurity arrangements remains underutilized as the modalities of the pacts never get defined. By ingeniously leveraging certain new technical developments in sharing cybersecurity metadata, these existing channels could become the facilitator for pan-Asian and pan-African cyber-regimes.

Presenter's Bio:

Pukhraj Singh represents an apex national security caucus that aims to institutionalize cyber threat intelligence sharing across sectors and verticals in India. It is backed by decorated defence functionaries, strategic affairs experts, scientists and academicians. Pukhraj played an instrumental role in setting up the cyber-warfare operations centre of the National Technical Research Organisation (NTRO), India’s technical intelligence agency.


Public Information & Fake News

Robert Tornabene
GATE America, Inc.


In today's changing times, with the speed of the news cycle, the increase in what is labeled "fake news" (inaccurate or just plain false reporting) has become a hot-button topic both in the political world and with the general public. This presentation will explore fake news, how it can occur, and the factors that contribute to it going viral at times.

Presenter's Bio:

Robert Tornabene is a law enforcement officer with the Niles, Illinois Police Department. In his 24 years in law enforcement, Robert has worked in patrol, investigations and administration, and he presently serves as Commander of the Administrative Division and as Media Relations and Training Coordinator. Robert also serves as Public Information Officer for the Niles Police Department. He is a graduate of Northwestern University's "Police School of Staff and Command", a Certified Public Information Officer, Social Media Manager Certified, an FBI-trained Public Information Officer, a State Certified Gang Specialist, a State Certified Juvenile Specialist and a State Certified Evidence Technician. He has been trained by the Federal Bureau of Investigation in domestic and international terrorism, and in basic and advanced Reid interview and interrogation techniques, communications tactics, Community Emergency Response Team training, terrorism awareness, first response to critical incidents, Haz-Mat awareness, Cops in Schools, School Violence Issues: Protecting Our Schools in Illinois, terrorism intelligence, Explosive Recognition: Bomb and Security Planning, and many more. He is a nationally certified I-SAFE Professional Development Trainer and is Dignitary Protection Certified.


Securing Secure Shell Interactive and Automated Access Management against Insider Threats

Paul Collier
Defense Contractor in the Cyber Community (representing self)


Secure Shell (SSH) is a highly popular tool among system administrators, as it provides a full suite of remote management tools and robust security. However, it also provides insiders with anonymity to do harm to their employer. This discussion will focus primarily on SSH clients and will provide techniques to reduce anonymity while preserving the robust security that Secure Shell provides. It will incorporate peer-reviewed real-world scenarios and will be based on National Institute of Standards and Technology Internal Report (NISTIR) 7966, “Security of Interactive and Automated Access Management Using Secure Shell (SSH)”.
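The talk concentrates on the client side; the server-side counterpart of "reducing anonymity" is shown in the following added example, which is the editor's illustration and not material from the talk or from NISTIR 7966. The anonymity problem is concrete when several people hold keys for one shared account: sshd records a login as that account, not as a person. OpenSSH (6.8 and later) writes the SHA256 fingerprint of the accepted key on its "Accepted publickey" log line, so a login can be attributed to a person if the organisation keeps an inventory of approved keys and their owners. The code computes OpenSSH's fingerprint (base64 of the SHA-256 of the key blob, padding stripped), reads a constructed inventory in authorized_keys format, and joins it against constructed log lines; the account name, hosts, addresses, key blobs (random bytes standing in for real keys) and owner names are all invented for the example.

```python
import base64
import hashlib
import re


def fake_key_blob(label):
    """Constructed stand-in for a base64 public-key blob (a real one is the
    SSH wire-format key); only its bytes matter for the fingerprint."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def ssh_sha256_fingerprint(b64_blob):
    """OpenSSH's SHA256 fingerprint: base64(sha256(key blob)) with '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


ALICE, BOB, CI = (fake_key_blob(n) for n in ("alice", "bob", "ci-runner"))
INTRUDER = fake_key_blob("key-installed-outside-the-process")   # constructed, not approved

# Constructed approved-key inventory for the shared 'deploy' account, kept in
# authorized_keys format.  The comment field is where the human owner lives.
APPROVED_KEYS = f"""# deploy account: approved keys and their owners
ssh-ed25519 {ALICE} alice@laptop
from="10.0.0.0/24" ssh-ed25519 {BOB} bob@workstation
command="/usr/local/bin/deploy.sh",no-pty ssh-rsa {CI} ci-runner
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text):
    """Map fingerprint -> (key type, comment).  Leading options are skipped by
    locating the key-type token; options with spaces inside quotes would
    need a real tokenizer."""
    owners = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                comment = " ".join(parts[i + 2:]) or "(no comment)"
                owners[ssh_sha256_fingerprint(parts[i + 1])] = (tok, comment)
                break
    return owners


# Shape of the OpenSSH log line that carries the accepted key's fingerprint.
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<account>\S+) from (?P<src>\S+) port \d+ "
    r"ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)")


def attribute_logins(log_lines, owners):
    """Turn 'somebody logged in as deploy' into 'alice logged in as deploy'.
    A login whose fingerprint is not in the approved inventory means a key
    was installed on the host outside the process: that is the alert."""
    records = []
    for line in log_lines:
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        owner = owners.get(m["fp"])
        records.append({"account": m["account"], "src": m["src"],
                        "fingerprint": m["fp"],
                        "owner": owner[1] if owner else None})
    return records


def unattributed(records):
    """Logins that no approved key explains."""
    return [r for r in records if r["owner"] is None]


def constructed_log(account, src, ktype, blob):
    """Builds a constructed sshd line in the format the regex above expects."""
    return (f"Jun  3 10:15:02 web01 sshd[2311]: Accepted publickey for {account} "
            f"from {src} port 51234 ssh2: {ktype} {ssh_sha256_fingerprint(blob)}")


AUTH_LOG = [   # constructed sample log
    constructed_log("deploy", "10.0.0.5", "ED25519", ALICE),
    constructed_log("deploy", "10.0.0.7", "ED25519", BOB),
    constructed_log("deploy", "203.0.113.9", "RSA", INTRUDER),
    "Jun  3 10:16:40 web01 sshd[2350]: Accepted password for root from 203.0.113.9 port 40022 ssh2",
]

if __name__ == "__main__":
    owners = parse_authorized_keys(APPROVED_KEYS)
    for r in attribute_logins(AUTH_LOG, owners):
        print(f"{r['account']} from {r['src']}: key owner {r['owner'] or 'UNKNOWN'}")
```

The same join works against a central key inventory rather than a per-host file, which is the form that scales; the password login on the last line is deliberately left unmatched, since a password gives no per-person evidence at all and is the case to eliminate for shared accounts.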

Presenter's Bio:

Paul Collier is a defense contractor in San Antonio, Texas, and has been working in cyber security since 2007. His primary focus is on designing and configuring the cryptographic components of hardware and software systems so that they can leverage a Public Key Infrastructure (PKI), which is also known as PK-enabling. He has also planned new PKIs for large commercial entities. He holds a CISSP certification (#350519) and an MBA in Project Management from Amberton University, and has 14+ years in Information Assurance and 6 years in USAF Operational Test and Evaluation of Space and C4ISR systems.


Sexting Investigations and Appropriate Consequences

Richard Wistocki
Be Sure Law Enforcement Technology Training


The attendee will learn how and why our kids become involved in sexting and ultimately in sextortion. We will examine the investigative process, a new cutting-edge diversion program (JuvenileJusticeOnline.org), and how law enforcement curtails the spread of sexted images by submitting them to the National Center for Missing and Exploited Children.

Presenter's Bio:

Detective Wistocki is the author of the "Illinois Sexting Law and Swatting Legislation" and is an expert in the field of sexting investigations and consequences. He is also a Law Enforcement Technology Instructor for the National Association of School Resource Officers (NASRO), Northeast Multi-Regional Training (NEMRT) and the Department of Justice (DOJ). In addition, he created a webinar studio to train law enforcement remotely and live throughout the United States in sexting and social network investigations, and he consults with schools across the country through his website www.besureconsulting.com and JuvenileJusticeOnline.org.


The Ethics and Economics of Risk: A Case of Privacy

Susan Lincke
University of Wisconsin - Parkside


It is standard for organizations to spend no more on protection than they could lose to a risk. What happens if this protects the organization but leaves customers unprotected? If an organization also calculates risk from the customer's perspective, this may lead to innovative products, a change in advertising, and more customers or higher-income products. Since this requires customer buy-in, it implies that customers also need to act responsibly. In many cases, an ethical organization may need to educate customers about their own self-interest. This research briefly considers the ethical case of privacy involving mobile apps.

Presenter's Bio:

Susan Lincke, PhD, CISA, is the author of the text Information Security: An Applied Approach. She is an Associate Professor at the University of Wisconsin-Parkside and was a recipient of a National Science Foundation grant dealing with information security and audit.


The Future of Credit Card Payment Application Security: PA-DSS vs P2PE

Joel Dubin
Coalfire Systems Inc.


The security of applications used for accepting credit card payments is at a crossroads. Traditionally, payment applications encrypt cardholder data inside the application itself, which still leaves the data exposed to exploits at the merchant, even when the application is compliant with the Payment Card Industry Data Security Standard (PCI DSS). Newer technologies such as Point-to-Point Encryption (P2PE), where the card number is encrypted at the point of swipe and never exposed to the merchant, are gaining ground. The PCI Security Standards Council (PCI SSC) now has two standards covering traditional and P2PE credit card payments respectively. Which will win, PA-DSS or P2PE, or will the two co-exist? Which is really more secure?

Presenter's Bio:

Joel Dubin has been a PCI QSA and a PA-QSA for eight years and has conducted both PCI and PA-DSS assessments for companies and payment application vendors ranging from large companies to small mom-and-pop shops. He has conducted assessments in the US, Latin America, Europe and the Middle East and is well versed in the security trends in the credit card industry.


The Organized Mess and Business Ethics of Cyber Threat Intel

Ron Schlecht
BTB Security


As a community, information security practitioners know less, but profess to know MORE than anybody, about the ACTUAL attack methods, payloads, and vulnerabilities in the wild. At the same time, the “industry” has some of the brightest people on this planet, with access to unmatched resources and unbridled enthusiasm. So, as the world's connectivity infrastructure continues to improve and attack surfaces grow, what can we do to work together to provide a cohesive, non-limiting view of threat intelligence? We’ll discuss the current state of affairs, the blind spots and the ugly warts, and develop a plan to arm us all as security freedom fighters.

Top 10 things to do right now to stay out of the news

Companies are being breached at an alarming rate. While some attacks have become more advanced, most take advantage of obscure default settings and simple misconfigurations to gain access to your network and escalate privileges. This talk will focus on the top security controls that can be implemented at low cost and with low impact on your network, ensuring maximum ROI on your Domain Admins’ valuable time. Missing this talk could mean risking your company’s reputation.

Presenter's Bio:

Ron is a Certified Information Systems Security Professional (CISSP) and Certified Computer Examiner (CCE) with 17 years of experience in offensive and proactive security measures, threat mitigation, breach response and digital forensics, and over 18 years of total experience in Information Technology. Ron is a Partner in the independent firm BTB Security, which he founded after successfully developing and leading professional consulting teams and global security organizations. Ron has an extensively varied background, having performed jobs in law enforcement, intelligence, and information security and forensics. He has experience on various systems, devices and applications, and his areas of focused expertise include security assessments, security monitoring, incident response, forensic investigations and examinations, and security organization implementation and review. Ron also has over twelve years’ experience programming in various languages.