I frequently speak via webcasts, at corporate events, and at conferences on topics related to information security, IT risk management, malware and online fraud. Here are some of my archived presentations.
How Attackers Use Social Engineering to Bypass Your Defenses
Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses.
The Use of the Modern Social Web by Malicious Software
See presentation slides with detailed notes.
Malicious software thrives in the richness of the social web ecosystem, which incorporates mobile devices, reliable networks, powerful browsers and sociable users. Read this briefing to understand how it makes use of the social web and how it offers lucrative benefits to malware authors and operators.
Learning to Live with Social Networks: Risks and Rewards
See presentation slides with detailed notes.
Social networking platforms, such as Facebook, Twitter and LinkedIn, are becoming an integral part of people's personal and business worlds. This presentation explores the key risks associated with on-line social networking. It discusses how policies and technologies can aid at mitigating these risks, and how they can also fail at protecting your employees, data, and company.
How to Respond to an Unexpected Security Incident
See presentation slides with detailed notes.
What if a security incident catches you unprepared? In such situations, stress leads to mistakes and poor decisions made in the spur of the moment. In this presentation, I discuss the key questions an incident responder should ask to gain control of the situation quickly and assertively.
Introduction to Malware Analysis
See presentation slides with detailed notes.
In this free 1-hour webcast, I outline the process for reverse-engineering malicious software. I cover both behavioral and code analysis phases, to make this topic accessible even to individuals with a limited exposure to programming concepts. You'll learn the fundamentals and associated tools to get started with malware analysis.
Malware Threats and Defenses That Work, 2009
View the slides and speaker notes (PDF)
Malicious software is an integral and dangerous component of many breaches. In this free webcast, I survey key characteristics of recently-seen malware, exemplified by recent bots, trojans, and browser scripts. I also discuss methods for fighting malware threats that stand a chance of being effective, offering my perspective on practical defensive controls.
Penetration Testing Beyond Front-Line Exploits
Locating and exploiting software bugs and configuration weaknesses are important aspects of a penetration test. Far too often security pros fail to go beyond the process of merely trying a series of exploits, and give up if none of those tests expose problems. A penetration tester should consider a wider range of vulnerabilities—those that reside in plain sight, within targeted applications, and behind the target's front-line defenses. In this presentation I highlight tools and techniques for going beyond the basic exploits-focused penetration testing methodology.
A Perspective on Malware in 2008
Not too long ago, the quarrels of mankind were confined to the physical world. When words weren't enough to settle disputes, contraptions such as the chariot, the bow, the gun, and the missile were employed. Now that our lives spill into the virtual world of the Internet, malware has become both the venue for illegitimate activities and the weapon for supporting illicit business models. Modern malware is written to bypass perimeter defenses, evade detection, and resist our efforts to disable it. In this webcast I survey the characteristics of today's malware, exemplified by recently-seen bots, downloaders, keyloggers, and malicious scripts.
Penetration Testing with Confidence, 2007
Penetration testing is fast becoming essential for IS professionals seeking to comply with security mandates, assess defensive IT infrastructure, and assure customers of privacy protections. At the same time, a poorly planned or executed penetration test can turn into a costly liability. Whether you're an experienced pen tester or a first-timer, this webcast will give you the insight you need to approach all pen tests with confidence. In this webcast I present 10 key issues you need to address for a successful penetration test.
Top Five Ways to Keep Users Safe from Today's Web-Based Threats, 2008
Stream or download MP3 recording
See the outline of the talk
In this webcast I outline the top five ways to defend against today's Web-based threats. I also discuss how to recognize botnet attacks and how to prevent your network from becoming a launching pad for spam.
Data Breaches and the Insider Threat, 2008: What to Do?
Organizations today have multi-layered defenses to defend against threats originating from outside the corporate network. Unfortunately, the majority of security breaches making headlines today involve information assets compromised as a result of an insider's actions—either accidental or malicious. In this webcast I survey publicly-announced data breaches tied to actions of a person within the company. I identify the key weaknesses in the security controls that have allowed the incident to occur, and present a high-level framework for mitigating the risk of such breaches.
Malware Analysis Shortcuts
View the slides and speaker notes (PDF)
As the complexity of malicious software continues to evolve, knowing how to analyze malware is becoming increasingly important. However, sometimes we may not have the time or the necessity to perform an in- depth examination of malicious code. In this webcast I discuss several techniques and free tools that offer shortcuts for malware analysis to identify key characteristics of executable files and explore malicious websites.
Browser Threat Landscape, 2006
This presentation examines the nature of threats that target the Web browser, reviewing three major categories of browser-oriented attacks. This talk presents an overview of the Web browser threat landscape to help organizations determine what browser-related risks to address.
Beyond Vulnerability Assessment: 10 Questions
View the slides and speaker notes (PDF)
This presentation explores common information security risks that organization face, and suggests 10 questions worth asking when establishing a robust IT security program. Attempting to go beyond traditional vulnerability assessment methodology, I reviewed security breaches that were publicly announced in early 2006, and addresses three types of attacks: inadvertent disclosure, attacks of opportunity, and targeted attacks.
Impersonation Attacks
In this presentation on impersonation attacks, I examined trends in technology and motivation behind phishing and spyware schemes. I presented several examples of impersonation attacks, demonstrating the increasing degree of complexity of software, motivation, and coordination associated with these scams. I also briefly reviewed the impact on the enterprise of such attacks, and discussed recent law enforcement actions that attempt to curb phishing-related crimes.
Phishing and Spyware Threats
A fellow Internet Storm Center handler Toby Kohlenberg and I were asked to present at the California Senate Committee on Banking, Commerce, and International Trade informational hearing titled Malicious Pop Up Ads and Phishing Scams: Is Your Financial Information Secure on the Internet? Our testimony focused on explaining the dangers associated with current phishing and spyware threats, and at discussing how they are affecting consumers.