With the August 5th & 6th show fast approaching, we are continuing our series highlighting some of the coolest presentations that are scheduled to take place at Security BSides Las Vegas.
For those who don’t already know, Security BSides events are organized by-and-for the security community, attracts some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.
We previously featured sessions on vulnerabilities in URL schemes, a talk on conference swag hacking strategies, a session on how to be successful in social engineering attacks, another on attacking Drupal, one titled IDS and NSM: Cut the Sh**!, and the last one on Pwning the Hapless or How to Make Your Security Program Not Suck.
Next up is a session presented by Anthony Czarnik titled No Info Sec Staff? No Problem, where he will share his proven methodology, including key, actionable recommendations to help you meet the challenge and manage IT risk to a level that is acceptable to your small business.
Czarnik’s security experience covers the roles of security engineer, project manager, partner/channels manager, practice manager, marketing and business development, giving him a perfect 360 degree background with which to lead an information security firm.
His initial role was pre-sales engineer for SenSage, a SIEM vendor, where he designed and developed the Cerner HIPAA prototype implemented at Kansas University Medical. He then joined Klocwork, an application security and quality development platform vendor.
Czarnik integrated Klocwork into clients’ S-SDLC, designed and led an e-learning courseware development project, and then after managing an information security practice for five years, he founded Czartek, an information security firm.
Previously Czarnik has presented at the Chicago chapters of Cloud Security Alliance, Security Meetup, Software Quality Improvement Process (SPIN), Mobile Security Meetup and numerous corporate webinars, and he also published an article on software security and the S-SDLC in the international publication hackin9.
Czarnik says that cyber attacks on small and medium size businesses (SMB’s) rarely make headlines, making it is easy for these IT organizations to develop a false sense of security, and that information security is becoming increasingly challenging as both IT complexity and the threat landscape are evolving at an accelerated pace.
“In reality, 40% of security incidents involved SMB’s; 1 in 5 reported being victimized during previous 24 months; 69% lost productivity, 65% lost information and 47% lost revenue. The risk is real,” Czarnik said.
Yet for many SMB’s, information security commonly becomes a secondary responsibility of IT leadership, whose primary responsibility is to provide IT systems and services. Software as a Service (in the cloud) and virtualization provide cost savings.
“Users demand systems that are easy to use and provide them with lightning-fast performance, while also accessing the network with their mobile device of choice (BYOD),” Czarnik continued. “Partners need access to your network or cloud application. These recent technological advancements have resulted in increasingly complex IT environments. As IT complexity increases, so does the challenge of information security.”
To compound your challenge, Czarnik says, the threat landscape is evolving and now includes web applications, advanced social engineering and internal threats.
“A data breach will have an impact on the entire organization. The responsibility is yours. That includes CEO’s and COO’s of small businesses who do not have internal IT staff either,” Czarnik said. “You can outsource security, but you can’t outsource risk, so it’s a daunting challenge.”
Czarnik’s session will address that challenge, and key take-aways will include:
- A proven approach to effectively managing the business risk inherent to information technology and systems
- Key factors in determining when to use internal resources and when to invest in 3rd party services
- Valuable yet inexpensive tools and trusted information sources
- How to uncover vulnerabilities before attackers do [many vulnerabilities that lead to exploitation are relatively easy to find and inexpensive to fix]
- How information security can also solve compliance mandates
- Effectively communicating security and risk with non-IT executives
“You will also get a glimpse into the future; a future where vendors are required to document industry standard security ratings, the first mature wave of data scientists raise network analytics to level well beyond today’s correlation effectiveness,” Czarnik said, “and as an industry, mad as hell, we will rage offensive security.”