innovation in the borderless world - …files.ctctcdn.com/7e2e4825201/0c20e2a9-5b92-4063... ·...

INNOVATION IN THE BORDERLESS WORLD

For more information, please visit www.isacauae.orgContact Ms Harneet at 0508679196 or [email protected] or [email protected]

The 9th annual integrated conference covering various aspects for managing the most important asset of an organisation - Information

2015

RISK | SECURITY | AUDIT | GOVERNANCE

Dates: 27, 28 & 29th Oct 2015 Workshop & Conference Venue:The Ritz-Carlton, Dubai.

LUNCH SPONSORGOLD SPONSOR OFFICIAL MEDIA PARTNERS

EARN UP TO23 CPE HOURS

WORKSHOP SPONSOR

For more information, please visit www.isacauae.org Contact Ms Harneet at 0508679196 or [email protected] or [email protected]

WORKSHOP PARTNER

App Security

MobilePayment

Dates: 27th Oct 2015Venue: The Ritz Carlton, Dubai, UAE

2015

Live Hands On Workshop

on a Dummy Mobile Banking

CPE’

s7Earn uptoSaket ModiCEO, Lucideus

Saket is the CEO of Lucideus Tech, a company involved in securing Enterprise Cyber Architecture from Cyber Attacks.

He has been awarded the title of “Indian Ambassador of Cyber” Security in Education at National Education Awards 2013.

As a Computer Science Engineer, Saket is an advisor to large fnancial institutions mostly across South Asia and Europe.

Speaker 2

Aditya ModhaVP, Technology, Lucideus

Aditya Modha, VP, Technology at Lucideus oversees critical technology projects and implementations at the company.

He comes with over 7 years of on ground experience & knowledge acquired by over 200 projects he has worked on for web & mobile application security assessment.

Featured Speaker Featured Speaker

Course OverviewThis is a one day course on learning how to perform mobile application security assess-ment based on the “OWASP Top 10 Mobile Risks”. This hands-on training is designed around the dummy internet banking application which contains vulnerabilities that were observed by Lucideus during daily application security assessments. The application will provide attendees a real-world scenario of common vulnerabilities in application involving financial transactions.

Platform: Android & iOS

The following will be the topics:

● Crash course on Android & iOS application permission model, APK file architecture and setting up the emulator.

● Reversing APK file package

● Investigating app permissions through manifest file

● Understanding, patching and runtime debugging smali code

● Importing SSL certificates and bypassing SSL pinning

● Intercepting traffic and network activity monitoring

● Exploring local data store

● Analyzing system logs

● Understanding components such as content provider, broadcast receiver and activity

● Classification of vulnerabilities based on “OWASP Top10 Mobile Risks”

Trainers

● Saket Modi, CEO, Lucideus

● Aditya Modha, VP, Technology, Lucideus

DURATION

Day1

2015

4ISAFE 2015 ︱ INNOVATION IN THE BORDERLESS WORLD

Eng. Ahmad has 11 years of in-depth experience in Information Security and Risk Management. He is currently the Director of Risk Management and Compliance at du Telecom. His prior work experience includes leading the Threat Intelligence Operations Center, the Research & Analysis section at aeCERT/TRA and leading the Enterprise Network Security function in Etisalat. Moreover, he is a board member of the UAE Science club. He is also the founder of the UAE Honeynet Chapter and an active member and volunteer in multiple security boards and working groups. Ahmad has a Bachelor’s Degree in Computer Engineering and has two Master’s degrees, Masters in International Business and Master of Science in Information Security.Ahmad Hassan MohdNoor

Director Risk Management & Compliance - DU

Topic: Automation of Risk Management Frameworks

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors. His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience. Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience. Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).

Jeffrey has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Panama, Saudi Arabia, and United Kingdom. He is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters.

Jeffrey currently teaches the MISTI class “Auditing Oracle’s E-Business Suite.” He has been teaching on this subject since 2004.

Jeffrey is currently working on two book projects. He is writing a book that will expand on his first book and will be called Oracle E-Business Suite Controls: Foundational Principles. His other new book will be called Auditing Oracle E-Business Suite: Common Issues. Both are expected to be released by the end of 2015.

Jeffrey’s first solo book project “Oracle E-Business Suite Controls: Application Security Best Practices” was released in 2009. He has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG. Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.

Jeffery HareCEO, ERP Risk Advisors

Topic: Innovative ways for auditing application security for Oracle E-Business Suite

Featured Speakers


Leonard has over 15 years of experience in Information, and Corporate Security gained in telecommunication, enterprise and banking industries. He has been in several different roles within security profession such as information/cyber security, corporate security, project management, consulting and business development.

He led Enterprise Governance and Security practice for a global consulting firm. Prior to that, he was with Barclays Capital as the Head of Information Security Risk & Operation, Asia Pacific. Leonard spent over ten years in Nokia and Nokia Siemens Networks. He was responsible for securing Nokia businesses across the region. During his tenure with Nokia Siemens Networks, he provided professional security services for regional telecommunication carriers to secure their networks. Public recommendations were received for the projects.

Leonard has been volunteering in several security associations since 2003. His longest service is with ISACA Singapore Chapter where he has been elected as Chapter President twice. Leonard has also served ASIS International Chapter as Honorary Chairman for three years. He served in various Councils and committees at a global level.

Leading information security associations, such as (ISC)2 and ASIS International, have recognized his efforts. He was awarded Information Security Leadership Achievement (ISLA) in Senior Information Security Professional category in 2011 and Professional Certification Board Regional Award in 2014. Previously, National Infocomm Competency Centre (NICC) has awarded Leonard with ‘IT Specialist of the Year’ in 2005. He was instrumental in achieving K. Wayne Snipes 2013 award for ISACA Singapore Chapter being the best very large chapter in Asia

Leonard holds Master of Computing from National University of Singapore (NUS) and Bachelor of Engineering, Industrial Engineering from Universitas Trisakti. Leonard regularly delivers presentations in the region and beyond.

The talk will start with how hacks are evolving from hacking as a prank to state sponsored APT attacks. Some case studies of real world APTs will be discussed and their working will be explained followed by a couple of live demonstrations of live hacks on systems. The talk will end on a defensive note with pointers on some recent innovative solutions that large companies are adopting to in order to secure themselves from the new age cyber threats.

Saket is the chief executive of Lucideus - an enterprise cyber security service company headquartered in India and serving clients globally. He was awarded the title of “Indian Ambassador of Cyber Security in Education” at the National Education Awards 2013. Over last 5 years he and his team have been conducting training and consultancy sessions across the globe. Saket was a part of the Government of India’s committee constituted in 2014 for preparation of the national vocational course on Cyber Security. He is a visiting faculty on subjects of information systems and security at multiple universities in South Asia and North America, including IIT-Bombay & IIT-Kanpur. He serves as advisor to reputed banks, oil & gas companies and e-commerce portals in designing and deploying safe cyber architectures for their business. He writes a column on technology & security for The Economic Times.

Leonard OngInternational Vice President ISACA USA

Topic: Approach to an effective security metric program

Saket ModiCEO, Lucideus

Topic: The New Age Kill Chain of Hackers

Featured Speakers


Arun GeorgeSales Manager at HP Enterprise Security

Topic: Approach to an effective security metric program

Mr. Arun George is the Regional Sales Manager at HP Enterprise Security Products (ESP) division and is responsible for UAE, Oman and Bahrain. He started his career with Wipro Ltd and later moved to Dubai. During the 14+ years of Information Security experience, he built expertise on Multiple Security Technologies and conducted Vulnerability Assessments, Penetration testing, Compliance Audits, Enterprise Risk Management and designed Policies & Procedures. Mr. George’s professional certifications include CRISC, CISM, CISSP, GCIH, BS7799LA and ITIL-F. Mr. George has been a consultant to 5 Telcos in the Middle East on the design & implementation of their security solutions. He was involved in architecting security solutions and delivering professional services for Ministries, Banks, Airlines and Oil companies within GCC. He was the Project Manager for the BS7799-2:2002 certification of a Research organization in UAE, a major B2B portal in UAE and the IT department of a Group of Companies in UAE dealing with Automotive, Contracting, Manufacturing, Trading and Real Estate industries. He is also an international speaker and has spoken on various topics like ‘Web Application Security’ at the Muscat International Security Conference, ‘Information Security Policy Lifecycle’ at the Oil Companies conference, ‘BS7799 - A Case study’ at the BSi seminar etc.

Featured Speakers

Sanjay Khanna joined RAKBANK in September 2011 as Chief Information Officer where he is responsible for developing a vision for the Information Technology (IT) department, ensuring high quality of overall services to the Bank from the technology department, and establishing and maintaining an appropriate technological infrastructure with the Bank’s business partners. Prior to joining RAKBANK, Sanjay served as Deputy General Manager at ICICI Bank Ltd for six and a half years where during his tenure he headed various technology groups including International Banking Technology Group and the Shared Services Technology Group. He also spent seven years at the National Bank of Oman and six years with Deutsche Software (India) and his last designations, respectively, were Senior Managers of Systems and Senior Consultant.

Sanjay KhannaChief Information OfficerRAK Bank

Topic: Risk management in banking industry


Stuart Davis is Director of Mandiant in the Middle East, Turkey and Africa (“META”). In his role, Stuart Davis has responsibility for building and maintaining the META practice which consists of incident response, threat intelligence and strategic consulting. In this capacity Stuart also works very closely with governments entities in a trusted advisor role. Key focus in this region is to build up response readiness capabilities for organisations and improve their cyber defence capabilities. Failing that, a local Mandiant team and local presence gives direct access to Incident Response. Prior to Mandiant, Stuart was an engagement manager at Intel security a division comprised of McAfee and Foundstone services. He was responsible for helping customers build strategies, plan, design, implement and optimize their information security organisation to improving security programs and cyber defence capabilities Stuart received his bachelor’s degree in engineering from the University of Ireland, Galway. Stuart Davis,

Mandiant Director

Topic: Reimagining Security – How to Keep Pace with Attackers

Featured Speakers

Akash is “That Web Application Security Guy” with 10+ years of experience in Application & Network Security. Before starting his own company he was a technical lead for one of the leading American company in specializing in security software. He started in security working on web infrastructure for the government of India.

Akash is the founder and community Manager at null – The Open Security Group and Chapter Lead at OWASP Bangalore while founding The AppSec Lab a company focused on Application Security.

Some of the trainings/workshops by Akash include• Secure Web Programming 3 day training at Freecharge Bangalore 2015• Xtreme Web Hacking : 1 day workshop at nullcon Goa February

2012,2013,2014• Defending against OWASP Top 10 (PHP/.net/JavaScript) at Kieon

Bangalore August 2013

Akash MahajanFounder & Community Manager @ null

Topic: Building and running Secure Applications (Web/Mobile)

Some of the talks given by Akash include• Building and Operating Secure Applications In The Cloud (Web and Mobile) at Microsoft Accelerator Bangalore 2015• Security In The Cloud at HSTC2014, Hyderabad 2014• Web Security –The Good Parts at Microsoft Accelerator Bangalore 2014• Hacking Android Applictions at DroidConBangalore 2012• Securing a linux web server in 10 steps or less at RootConfBangalore 2012• JavaScript Gone Wild at jsFoo Bangalore 2011• PHP insecurity at Scaling in the Cloud Bangalore 2011• Recent Cyber Attacks at CTS ISRO Conference Bangalore 2011• Secure HTTP Headers at cOcOn Cochin 2011


Sanjay Barthakur is an IT and information security expert with more than 25 years of real-world experience in developing information security solutions for the US Military, NASA and commercial organizations. A well-known authority on IT Security standards with the unique distinctions of being hands-on security design and implementation expert along with technical certifications like CISSP, CEH, Exemplar Global Certified ISO/IEC 27001 Lead Auditor, ISO 27001 Skill Examiner & Trainer. Sanjay has conducted information security trainings all across USA. He is a regular speaker for ISO/IEC 27001, NIST 800-53, PCI-DSS, HIPAA, and other technology and business issues, and he has addressed a diverse audience of technologists, policy-makers, front-line workers, and corporate executives. Additionally, his expertise includes router security, IPv6, VM-based secure systems, cloud computing, and mobile code security. He holds Cisco Certified Security Professional certificates. He received his B.E. (Hons.) degree in Electrical and Electronics Engineering from Birla Institute of Technology and Science (BITS), Pilani, India.

Sanjay BarthakurCountry Manager, ISC Global, USA & Principal, nextGRC, LLC, USA

Topic: Comparison of IT Security Standards

Featured Speakers

About 15 + years of work-ex in India and abroad, in the Information Security and Assurance domains. Industry experience spawns Projects, Manufacturing, Consulting, Airlines, IT industry. Areas of work include Security Strategy, Technology assessments, Information Security Management System (ISMS), Information Systems Audit, Application Security, Data Analytics and automation, Security Training, Security Operations. Presently @ Syntel, responsibilities include managing and oversight for security activities including Security Strategy, Security Services to customers, Web Application Security, Forensic Analysis, Security reviews and testing, Pen test, technical Programs on info Security and Security Governance

Contributed to the security and Information assurance profession globally. Have been a speaker at events in India and abroad (US, Europe and middle east). Have contributed to ISACA as a subject matter expert and leadership roles at the local, national and international levels.

Published articles in technical publications and main stream media.

Past -President of ISACA Pune Chapter, Member of ISACA India Task Force,

Sandeep Godbole General Manager Information Security, Syntel

Topic: IT Governance in the Digital Era


Dr Rama Subramaniam is CEO of Valiant Technologies Group with offices in the UAE, India, Sri Lanka and Mauritius. He consulting expertise and research interests are in the areas of information security, digital forensics, privacy, Infosec strategy and GRC. He is the current Global Chair (2014-2016) of the International Institute of Certified Forensic Investigation Professionals and Vice Chair of Information Security & Digital Forensics Research Foundation where he helped conceptualize and establish the Digital Forensic Investigation Professional (DFIP) certification. He served three terms as India’s country representative at the International Federation of Information Processing (IFIP), serving on their technical committee TC-11, dealing with security and privacy. He serves as Adjunct Faculty at the Universities of Dubai and Madras. He also serves as Chair of the Board of Trustees of the Center of Excellence in Digital Forensics, a twinning institution of the University of Madras. Dr K Rama Subramaniam

CEO, Valiant Technologies Group

Topic: Digital Forensics in the IoT era

Featured Speakers


CONFERENCE AGENDA

DAY 1: 28th Oct 2015

INNOVATION IN THE BORDERLESS WORLD

8:30am to 9:15am Delegate Registration & Networking

9:15am to 9:20am Opening of the Conference – National Anthem

9:20am to 9:30am Welcome address by T.S. Ravichandran, President ISACA UAE Chapter

9:30am to 10:00am Key note Address

10:00am to 10:30am The New Age Kill Chain of Hackers – by Saket Modi, CEO Lucideus

The talk will start with how hacks are evolving from hacking as a prank to state sponsored APT attacks. Some case studies of real world APTs will be discussed and their working will be explained followed by a couple of live demonstrations of live hacks on systems. The talk will end on a defensive note with pointers on some recent innovative solutions that large companies are adopting to in order to secure themselves from the new age cyber threats.

10:30am to 11:00am Automation of Risk Management Frameworks - by Ahmad Hassan Mohd Noor, Director - Risk Management & Compliance, DU

As organizations grow - the complexity of risk management frameworks increase as well. Complexity of business models also contributes to the complexity of risk management frameworks. One way to manage the complexity is to considerably increase the manpower of the risk management function. Another way is to leverage on automation to reduce the need for additional headcounts. This presentation will shed some light on the topic.

11:00am to 11:30am Networking Break with Tea/Coffee

11:30am to 12:00pm Approach to an effective security metric program - by Arun George, HP Enterprise Security

12:00pm to 12:30pm Comparison of IT Security Standards - ISO/IEC 27001:2013 & NIST 800-53 rev 4 – by Sanjay Barthakur, Country Manager, ISC Global, USA & Principal, nextGRC, LLC, USA

Many organizations realize that it is in their best interest to implement an existing information security standard rather than developing a customized information security framework. The most dominant information security standards today are ISO/IEC 27001 and NIST 800-53 standards. This talks will focus on the strengths and weakness of both standards and ways to pick the right standards for your organization.

• Brief history and background of ISO/IEC 27001:2013 standard

• Brief history and background of NIST 800-53 rev 4 standard

• Target Audience for ISO/IEC 27001:2013 standard

• Target Audience for NIST 800-53 rev 4 standard

• Similarities between ISO/IEC 27001:2013 and NIST 800-53 standards

• Difference between ISO/IEC 27001:2013 and NIST 800-53 standards

• What is the best security standard for your organization?

• Final Conclusions

2015


12:30pm to 13:00pm Risk management in banking industry – by Sanjay Khanna, CIO Rak bank

13:00pm to 14:00pm Lunch Break

14:00 to 14:45 Innovative ways for auditing application security for Oracle E-Business Suite – by Jeffrey Hare, CEO ERP Risk Advisors

In this session, Jeff will review the Oracle E-Business Suite security model, present common control challenges, and provide you an audit program for auditing common control deficiencies. This session will feature material from Jeffrey’s upcoming book Auditing Oracle E-Business Suite: Common Issues.

14:45pm to 15:15pm IT Governance in the Digital Era – by Sandeep Godbole, General Manager Information security, Syntel

Digital technologies are increasingly being embraced by the enterprise. These are game changers and some are now hygiene factors for the enterprises. Understanding this change and ensuring that the governance framework adapts to the changes is important for both the organization and the field of IT governance. Seeking the balance between change and a the robust principles is the key to sustained value from technology. The session would attempt to discuss the disruptive changes while evolving a supportive governance structure.

15:15pm Day 1 Close

CONFERENCE AGENDA

DAY 1: 28th Oct 2015

2015


9:00am to 9:30am Networking & Refreshments

9:30am to 10:00am Key note address - by Leonard Ong, International Vice President, ISACA, USA

10:00am to 10:30am Understanding and auditing the top fraud risks for Oracle E-Business Suite - by Jeffrey Hare, CEO ERP Risk Advisors

Fraud is on the top of everyone’s mind in the 21st century. In this session we will review the top schemes of committing fraud in Oracle’s E-Business Suite, how controls should be designed related to these risks, and how to audit the controls.

10:30am to 11:00am Digital Forensics in the IoT era – by Dr K Rama Subramaniam, CEO, Valiant Technologies Group

The advent of Internet of Things (IoT) heralds connectivity and reach beyond the now prevalent Internet architecture. With an estimated 20 billion “things” constituting IoT landscape by 2020, we are looking at a size, spread and variety that digital forensic (DF) investigators are not conversant with. DF investigators will be dealing with a population of 20 billion connected OoFI (Objects of Forensic Interest) which will land them in situations that will be much worse than the proverbial needle-in-a-haystack. One of the indicators that points to the limitation of contemporary DF investigation is the emergence of NBT – Next Best Thing Triage, an approach that is sure to challenge some of the long held beliefs in DF investigation. This session will present these emerging challenges and possible approaches to solutions. The session will also address the question as to why an IS auditor should be concerned with all these!

11:00am to 11:30am Networking Break with Tea/Coffee

11:30am to 12:00pm Reimagining Security – How to Keep Pace with Attackers – by Stuart Davis, Mandianat Director (a FireEye company)

Threat actors’ tactics and motivations are evolving. Successful security teams continuously adapt to anticipate new tactics. That means adopting new approaches. FireEye’s Stuart Davis, will discuss how security teams can reduce the time to detect and resolve security incidents.

12:00pm to 1:00pm Building and running Secure Applications (Web/Mobile) – Part 1 by Akash Mahajan, Founder & Community Manager @ null

• OWASP (Open Web Application Project) Top 10 Risks for Web Applications.

• Use a framework to deal with real world security in spite of all the attacks out there.

• Look at becoming resilient, so in case something bad happens - recover quickly.

• Real world attacks and examples that can help you understand the threats better

• How do attackers find your domains and sub-domains?

• How do attackers find what you could be running, including directories?

• How do they get inside if your application is secure and well written?

13:00 to 14:00 Lunch Break

CONFERENCE AGENDA

DAY 2: 29 Oct 2015

2015


14:03 to 14:35 Building and running Secure Applications (Web/Mobile) – Part 2 by Akash Mahajan, Founder & Community Manager @ null

• Continue from last session

• See demos for every slide which covers theory

14:40pm Vote of thanks: by Hari Prasad Chede, Vice President, ISACA UAE Chapter

Schedule is subject to change without any notice

CONFERENCE AGENDA

DAY 2: 29 Oct 2015

2015

REGISTRATIONISAFE 2015 Conference

(27th, 28th & 29th Oct 2015)

Name: _________________________________________________________________________________________________

Organization: ______________________________________________________Title: __________________________________

Mailing Address: _________________________________________________________________________________________

City: __________________________________________________ Mobile: ___________________________________________

Day Telephone: ______________________________ Email: _______________________________________________________

Name to appear on the badge______________________________________________________________________________

Registering as Member or as Non-Member (Please tick one)

ISACA Membership ID (if ticked as Member): _________________________________________________________________

EASY STEPS TO RESERVE YOUR SEAT STEP 1: Take a print out and fill in the above registration form

STEP 2: Prepare the cheque in favour of Pivotal Consultancy and request for courier pickup.

STEP 3: Please scan the registration form along with the proof of payment (eg: cheque) and email it to Ms Harneet on [email protected] or [email protected]. Please indicate the correct address, mobile number and a block of time (four hours) to enable the courier company to pick up the cheque from you. For any other payment methods (online transfer or ATM deposit contact Ms Harneet)

For any other queries regarding the ISAFE 2015 and any other payment mode please contactMs Harneet: 050-8679196 between (10am - 6:00pm). SEATS WOULD BE RESERVED ON FIRST COME FIRST SERVE BASIS AND ONLY AFTER YOUR PAYMENT IS RECEIVED. FEE ONCE PAID WILL NOT BE REFUNDED IN ANY CIRCUMSTANCES. I have understood and agree with the conference details, terms and conditions. I would like to register for the same.

DELEGATEE SIGNATURE: _____________________________ DATED: ______________________

PRE LAUNCH REGISTRATION (on or before 30th June 2015)Member

(AED)

Non- Member

(AED)

Tick One

Pre-Conference workshop only 1 Day (27 Oct 15) 1250/- 1450/- O

Conference only 2 Days (28 & 29 Oct 15) 1350/- 1500/- O

Conference & workshop 3 Days (27, 28 & 29 Oct 15) 2400/- 2800/- O

EARLY BIRD REGISTRATION (on or before 30th Sep 2015)




REGISTRATION after 30th Sep 2015)




2015

innovation in the borderless world - …files.ctctcdn.com/7e2e4825201/0c20e2a9-5b92-4063... ·...

Documents