Next Event
We are currently finalising our next event, which will be an evening seminar in Dublin. Details will be announced soon.
National Conference: May 11th and 12th
Since 2003 ISSA Ireland has organised dozens of security seminars for Irish security professionals. In May of this year we will host our largest event yet: a two-day conference being held at the Royal College of Physicians of Ireland (RCPI, Kildare Street) on May 11th and 12th.

We are very excited about this event and will be announcing further details in early February. At this point we are delighted to announce our first three speakers: Ed Gibson, Fred Piper and Dennis Jennings. Schedule details, speaker bios, topics and attendance details will be posted to this website shortly.
Recent Events
March 3rd 2011: Stuxnet Seminar

On March 3rd we held a special event on Stuxnet, the network worm which was apparently designed to sabotage industrial control systems and which is reported to have targeted the Iranian nuclear weapons programme. Our speaker at this event was Patrick Fitzgerald, Senior Security Response Manager with Symantec in Dublin. Patrick discussed the discovery of Stuxnet last year, its capabilities and the research to date on its origins and purpose.
2010 Events
Cloud Security Seminar

On November 25th we held a free half-day seminar on cloud computing security. For this event we put together a panel of experts as follows:

Craig Balding is the founder of cloudsecurity.org where he blogs about Cloud Computing and Security. Craig is a co-host of the Cloud Security podcast and has presented at Black Hat Europe, eCrime London and the World Cloud Computing Summit.

Ruth Lynch is research IT team lead in UCD IT Services. Having worked for a number of years in the networking area she is now responsible for the delivery of research enabling services including HPC Clusters, Virtual Servers, Storage and Collaborative Services. Ruth's team is responsible for the use of cloud services at UCD. In her talk Ruth discussed how UCD is using the cloud, with a particular emphasis on the security and data protection issues surrounding the cloud and their deployment at UCD.

Oisín Tobin is a Ph.D. Candidate in the Law School in Trinity College Dublin, where he explores the legal regulation of cloud computing and the interaction between law and technological and commercial innovation. Oisín's talk focused on some key issues at the interface of law and security in the cloud with a particular emphasis on service availability.

Philip Nolan is a partner in the commercial department of Mason Hayes & Curran, one of Ireland's leading commercial law firms. Philip's knowledge and experience in technology, communications and privacy law have made him one of the top Irish solicitors in these areas.

Adrian Davis has been with the Information Security Forum since 1999 and is responsible for both program and project management across a range of information security issues. He has delivered both managerial and technical projects for the ISF, focusing on topics such as information security management; the role and skills of the CISO and CSO; key performance measures; cloud computing; instant messaging; and patch management.

DNS Security Seminar

On July 22nd we held a special event on DNS Security to coincide with the publication of the signed root zone. This event took place two years after Dan Kaminsky's research highlighted flaws in DNS and one year after the Eircom DNS issues in July 2009. Both of these events highlighted the fragility and insecurity of DNS, demonstrating the need for security enhancements such as the DNSSEC security extensions.

Our main speaker was Dr James Galvin of Afilias, the Irish-headquartered DNS infrastructure company. James leads Afilias' participation in IETF and other standards activities, particularly around DNS security and reliability. As the operator of major top-level domains such as .ORG, .INFO and .IN, Afilias has taken an active role in the development and adoption of DNSSEC, culminating in the signing of the .ORG domain. Prior to joining Afilias James was Executive Director of the ICANN Security and Stability Advisory Committee, served as a volunteer leader with the Internet Society and worked with Trusted Information Systems (developers of FWTK) where his team developed the first public domain DNSSEC implementation. He has participated in IETF standards activities for over 21 years and has worked on DNSSEC since its earliest stages of development.

James introduced the DNSSEC standards which aim to address the types of issue highlighted by Kaminsky and experienced by Eircom. As DNSSEC is adopted it will be possible to prevent man-in-the-middle attacks involving websites, email and other services as well as to provide new services based on end-to-end DNS security. Attendees heard about the background to DNSSEC, the changes which have been made to implement it and the steps an organisation would need to take to protect their domains with DNSSEC. James' presentation particularly focussed on the operational challenges of managing DNSSEC keys and the changes needed for domain maintenance.

Following James' presentation we heard from a number of local experts regarding DNSSEC in Ireland. Rob Gallagher of HEAnet outlined HEAnet's early DNSSEC experience and their plans for further deployment within Ireland's education and research network, again highlighting the operational changes associated with DNSSEC and recommending OpenDNSSEC for automation. Billy Glynn of the IE Domain Registry discussed the status of DNSSEC in the .ie top-level domain and presented highlights of his research into client readiness. Finally Wilmer van der Gaast of Google discussed Google Public DNS, the alternative DNS resolver service which launched at the end of last year and which includes several security features aimed at protecting against cache attacks while DNSSEC is being deployed.

May 27th Event

Our May event was held in Dublin on May 27th and included two presentations.

Chris Boyd, Senior Threat Researcher at Sunbelt Software, spoke on "Surviving Web 2.0 in the workplace". More than ever, businesses are under pressure to jump onto the social networking bandwagon with sites such as Twitter and Facebook proving invaluable for both marketing and communications. This talk provided advice on taking ownership of corporate brands in light of the dangers arising from business Web 2.0 sites.

Mathieu Gorge, CEO and founder of VigiTrust, discussed the impact data privacy laws and regulations are having on information security. Mathieu's talk provided an update on international privacy legislation and other security mandates affecting information security, including new and forthcoming regulations in Europe and the United States.

March 4th Event

On March 4th 2010 we held a public event with two excellent speakers covering very timely subjects.

Peter Lennon of the Department of Health and Children spoke about the proposed Health Information Bill and in particular the information security, data protection and other information governance issues surrounding electronic health records in Ireland. As assistant principal officer in the Legislation Unit of the department Peter has been closely involved in drafting the Health Information Bill, in gathering external views through a detailed consultation process and in examining international experiences around e-Health records. Peter has also written extensively on this topic, including authoring the book "Protecting Personal Health Information in Ireland: Law and Practice", and was therefore the perfect speaker to discuss one of the most important and far-reaching information protection projects in Ireland.

Damian Gordon, lecturer in the School of Computing at Dublin Institute of Technology, was our second speaker at this event. Damian has attracted significant press coverage for his research into "Hackers in the Movies", looking at the portrayal of computer hacking and hackers in film. As a lecturer at DIT for over 9 years Damian has used examples from film to illustrate computer science lectures and while discussing security topics became interested in the depiction of hacking specifically. At our event Damian reviewed his analysis of over 50 individual films featuring hacking of some description, stretching from the 1950s to the present day, as well as covering many television programmes featuring hacking and security issues.
2009 Events
Academic Showcase Special Event

On November 10th we held a special Academic Showcase event in Dublin, focusing on academic teaching and research in Ireland. This event highlighted the range of security programmes which exist in Irish universities and Institutes of Technology, with presentations from educators and researchers working on information security around Ireland. This event was the first in a series of ISSA academic initiatives planned for 2010.



Joint Event with Enterprise Ireland

On November 4th ISSA co-hosted with Enterprise Ireland an event entitled "Infosecurity for the 21st Century". This free event looked at trends and recent developments in information security as well as opportunities for Ireland. This event featured keynote speeches from Melissa Hathaway and Steve Riley and also served as the launch event for Enterprise Ireland's "InfoSecurity Ireland" initiative.



September 3rd Seminar

Our half-day quarterly event on September 3rd covered a range of topics:

Las Kelly drew on his extensive industry experience in delivering our first presentation on embedding security into an SDLC and Project Management Life Cycle. Las is Head of IT Security with Bank of Ireland Group and has a wealth of experience in information security, including several years as Information Security Manager for the Emirates airline.

Raj Samani then spoke on "The Price of Privacy: the Threat of Social Engineering". Raj has been involved in information security for over ten years, working with some of the largest private and public sector organisations in the world. Raj is currently working as a Security Consultant in the UK and was previously EMEA Technical Manager for Qualys. In addition, Raj is currently the Vice President for Communications in the ISSA UK Chapter, after previously working as the Mentoring Chairman for the UK Chapter for two years.

Our next presentation, on "a layered approach to protecting sensitive data", was from Captain Keith Sweeney of the Communication and Information Services unit within the Irish Defence Forces. Keith is responsible for information security and discussed his layered approach to protecting sensitive data in an environment and network that differs from the typical corporate environment.

Our final session consisted of short demonstrations of various hacking attack methods and advice on how to defend against these types of attack. Demonstrations were given by James Dunne of Deloitte, Dermot Gannon of RITS, Fiona Walsh of Ernst & Young and Damien Moran of Deloitte.



Startup Opportunities in Information Security

In July we held a special event to highlight opportunities for new Irish security companies, aimed at Irish security professionals who are finding themselves out of work or are in danger of losing their jobs this year.

Our first speaker, Joe Drumgoole, has over 23 years' experience in the Irish IT industry in a career that has included in-house roles with Oracle and Bank of Ireland, several years in Irish startups such as CR2 and Cape Clear and most recently his launch of online storage firm Putplace. On July 23rd Joe shared his thoughts on the outlook for Ireland's technology sector, the need to foster a domestic startup culture and the feasibility of launching technology startups in Ireland.

Since Ireland is fortunate to have several successful security startups we also heard directly from the CEOs of several domestic startups about their early experiences. Speakers in this panel included Mathieu Gorge of Vigitrust, developers of PCI compliance management software; Cian Kinsella of Digiprove, an Irish company focused on the protection of digital content; and Patrick Smith of FraudHalt, developers of innovative anti-fraud technology. These case studies covered the early development of each business and lessons learned.

Following our CEO panel the seminar looked at the support available for new startups. Pat Byrne of Enterprise Ireland outlined EI's experience in supporting technology startups and the core competencies needed to develop successful businesses. He also discussed specific schemes relevant to security startups including Commercialisation of Research & Development (CORD) grants, Innovation Vouchers and the work of the High Potential Startup Unit.

Our final expert was Dr Ciara Leonard of NovaUCD, the innovation and technology transfer centre at UCD. Dr Leonard explained the direct startup support available from local enterprise boards and campus incubator programmes such as those at NovaUCD, DIT's Hothouse and the M50 programme at IT Tallaght. Her presentation also covered the potential for partnership with third-level institutions and the investment options for startups including government agencies such as EI, angel investors and venture capital firms.



Microsoft Special Event

On June 10th we held a special event with Microsoft focusing on the upcoming security enhancements in the Windows platform and Microsoft's security work in Dublin.

Our first speaker was Dave Northey, Principal Systems Engineer with Microsoft Ireland, covering the security improvements Microsoft have made in Windows 7 and Windows Server 2008 R2. Dave's presentation covered new features such as Bitlocker to Go, DirectAccess and AppLocker as well as enhancements to Network Access Protection, User Account Control, event logging and Rights Management Services.

Frank O'Keeffe, Regional Information Security Manager with Microsoft IT and long-time ISSA Ireland member, then outlined how Microsoft manages security, including an overview of their various security groups and how internal security relates to product security. Frank also discussed Microsoft's processes for developing security strategy, for deploying new security controls and for risk assessment and management.

Our final Microsoft presentation was from Elda Dimakiling and Francis Allan Tan Seng of Microsoft's Malware Protection Center. Elda and Francis outlined Microsoft's anti-malware efforts and presented details of their work on the Conficker worm. Their presentation included analysis of the spread of Conficker internationally and in Ireland as well as the methods used by the worm to spread and obtain updates.

To close this meeting two ISSA members gave brief presentations on tools they have used to secure Windows systems. Paul Collins, head of IT with Hypo Real Estate Group, discussed MSAT (Microsoft Security Assessment Tool) which helps to measure and benchmark their security controls, including against peers in similar industries. Robert McArdle of Trend Micro then demonstrated 5 tools which can help to identify and remove malicious software: Process Explorer, Process Monitor and Autoruns from Microsoft, Ice Sword from "PJF" and GMER from gmer.net. Robert has posted a summary of these tools on his blog.



May 5th Seminar

Our May meeting was a half-day seminar which focused on two topics: Voice over IP and Critical Information Infrastructure Protection.

Voice over IP Security was addressed in two presentations from Aidan Lynch and Sean Heelan. Aidan is a senior consultant with Ernst & Young Risk Advisory Services who has worked on numerous security engagements for organisations including several VoIP security assessments. Aidan's presentation introduced VoIP technology, the protocols involved and typical corporate deployments, while Sean Heelan of Oxford University went into further detail based on his research on VoIP security vulnerabilities.

Protecting Critical National Infrastructure was the topic of Hart Rossman's presentation, covering the US approach to national-level cybersecurity and some of the recent developments in this area. As CTO for Cyber Programs at SAIC, one of the world's largest scientific, engineering & technology contractors, Hart was able to give a broad overview of this area from its early origins to the latest developments.

A panel discussion on Critical Infrastructure in Ireland and beyond followed Hart's session and included representatives of ESB and AIB as well as a guest speaker from the UK's Centre for the Protection of National Infrastructure. The panel discussed the differing approaches to critical infrastructure protection in Europe and the US as well as the prospects for greater attention at Irish or EU level to the protection of CII.

This meeting closed with a series of Lightning Talks: short, informal presentations from ISSA members on a wide range of security topics.



February 17th Seminar

In February we held a half-day seminar featuring 4 Irish experts and covering the following topics:

Ensuring Security of In-house Applications: Colin Bell is an application security expert within IBM's Rational Appscan team (formerly Watchfire) where he manages the "AppScan onDemand" security testing service. Colin has over 22 years' IT experience, primarily in application development roles, and for the past 8 years he has specialised in application security testing. Prior to joining IBM Colin developed and managed a service within Sun Life Financial which was globally responsible for their internal security testing services. At our February meeting Colin's presentation addressed the security of in-house applications with a comprehensive discussion of application security focusing on how security testing can be built into internal development processes.

Legal Issues in Information Security: Philip Nolan is a partner in the commercial department of Mason Hayes & Curran, one of Ireland's leading commercial law firms. Philip's knowledge and experience in technology, communications and privacy law have made him one of the top Irish solicitors in these areas and the perfect speaker to address legal issues in information security. On February 17th Philip discussed the legal issues that affect information security professionals in Ireland, from privacy issues such as employee monitoring to contract questions and updates on relevant HR and data protection legislation.

Implementing ISO27001 in a Windows Environment: Brian Honan is an Irish security professional who runs BH Consulting, a specialist IT and information security consultancy, and is a regular speaker on information security issues. Brian's particular area of expertise is the ISO 27001 standard for information security management systems and at our February meeting Brian outlined how 27001 can be implemented using Windows technology. Drawing on his recent book, "Implementing ISO 27001 in a Windows Environment", Brian's presentation explained the standard's technical control requirements and showed what they mean for the secure configuration and management of typical Windows systems.

Effective Security Awareness Programmes: Mike Harris is one of Ireland's most senior security professionals and a popular speaker who has contributed to several past ISSA events. As Director of Risk Advisory Services with Ernst & Young Mike has worked with many organisations to improve their security and on several occasions has filled security management roles on an interim basis. Mike's presentation on February 17th addressed one of the most difficult management challenges in information security: building effective security awareness programmes. Drawing on his experience of both consulting assignments and in-house roles Mike explained how to structure an effective programme, how to select appropriate messages, how to develop or source content and how to measure effectiveness over time.



November 28th Seminar

On November 28th we held a half-day seminar covering a wide range of topics and featuring a record number of speakers for an ISSA event.

Our first speaker was Eamonn Sheeran, Information Security Manager with Intel Corporation and long-standing member of ISSA. As a senior member of Intel's Information Risk Security group Eamonn is responsible for a wide range of security projects both in Ireland and across other Intel locations. On November 28th Eamonn outlined Intel's approach to information security and in particular their concept of "secure outsourcing".

Sara McAneney and Mark McDonagh then spoke on Network Behaviour Analysis, a technology which has been described by Gartner as being "about higher level of visibility in the behaviour of your network to cover gaps left by signature based mechanisms". Mark is a senior consultant with Netfort Technologies, an Irish security vendor whose products include NBA features, and at this meeting he introduced NBA and discussed the differences between it and other forms of network monitoring. As Information Security Officer at Trinity College Dublin Sara uses NBA data to assist with both network security and operational management, both of which she demonstrated in her presentation.

Mark and Sara were followed by a series of short "war stories" from the world of digital forensics. Attendees heard from Andy Harbison of Deloitte, Chris Taylor of Espion, Donal Keating of Microsoft, Rene Hamel of KPMG and Simon Collins of Ernst & Young. Following these five presentations the speakers took questions from the audience on a wide range of topics relating to digital investigations and computer forensics.

Our 4th session at this meeting covered disk encryption and media control products, focusing on the deployment of these products in Irish organisations. Cathal O'Donnell of Trinity College spoke about his experience with disk encryption in his most recent role at another Irish organisation and gave extremely helpful examples of the issues he encountered, decisions made, etc. Dave Whelan of Mazars then presented his experience with deploying both disk encryption and media control solutions in Irish companies, focusing in particular on the management and cultural issues that can arise.

In our final session of the day Owen O'Connor presented the results of the 2nd ISSA / UCD Irish Cybercrime Survey. This brief presentation covered the background to the survey and the major findings from this year, including a discussion of several notable data points in the results. The difficulties of collecting this type of data were also discussed as well as the limited resources available to ISSA in conducting this survey and the need for a different approach if this research is to be repeated in future.



PCI-DSS: Protecting Credit Card Data

On October 16th we held a seminar on PCI DSS (the Payment Card Industry Data Security Standard), one of the most important pieces of security guidance for companies handling credit card information. More so than any other initiative in recent years, PCI DSS has provided concrete requirements for securing sensitive information, helping to improve security and protect consumers. This success, combined with a high profile around the world, has meant PCI is now seen as a potential model for future standards, making it relevant even for organisations not currently in scope.

Our speaker for this event was Owen Connolly, Principal Security Specialist with O2 Ireland. Owen has tremendous experience with PCI, having spent several years helping with O2's PCI project and more recently acting as a trainer for SANS on their PCI DSS courses. At this meeting Owen reviewed the background to the PCI standard and explained its requirements. More importantly Owen shared his experience of implementing PCI in an in-house security role and the lessons learned over the past few years. Since October marked a major revision to PCI DSS Owen's presentation also discussed the changes in version 1.2 including the aggressive schedule for their introduction at the end of 2008.



Protecting Against Data Theft, May 26th 2008

Our second event in May was also our first regional event and was held at Limerick Institute of Technology on May 26th. This special event was titled "Protecting Against Data Theft" and focused on the type of asset theft breaches which are affecting an increasing number of Irish organisations.

Our first presentation was from Owen O'Connor, founder of ISSA Ireland and author of the ISSA / UCD Irish Cybercrime Survey. Owen's presentation covered ways for organisations to avoid falling victim to asset theft security breaches, the assessment of potential breaches (since not every asset theft represents an information security breach) and finally a process for responding when a breach does occur.

Our second speaker was Jeff McCann, an Information Security Consultant with Dell who has an extensive background in systems management, project management and information security. On May 26th Jeff discussed information security skills and the options for training, certification & education in Ireland, including his own experience moving from mainstream IT roles into information security.



Meeting Compliance and Audit Requirements while Minimising Effort, May 23rd 2008

In May our chapter meeting looked at the intersection of information security and systems audit and the burden of demonstrating compliance with regulations and standards. Our 3 speakers at this event reviewed the rapidly growing list of regulations and other audit requirements facing information security professionals, ranging from laws such as Sarbanes Oxley to partner requirements such as PCI-DSS, not to mention voluntary certifications like ISO 27001.

Eoin Fleming leads the financial services security practice for HP Services and was formerly Chief Security Architect for HP Ireland. Eoin recently worked with a number of customers to automate compliance checks and at this meeting he outlined the possibilities and limits of automated compliance.

Mike Harris is Director of Risk Advisory Services for Ernst & Young and has worked in information security for over 10 years. At this event Mike spoke on the topic "Achieving Compliance by Improving Security", looking at how to develop an overall security framework based on a standard such as ISO 27001 and how this can both improve security and demonstrate compliance.

Sean Carey is Head of Internal Audit at Postbank, Ireland's newest bank recently launched by An Post and Fortis Bank. Sean has a keen interest in information security and on May 23rd gave an auditor's perspective on information security, explaining how best to demonstrate compliance internally.



Security Breach Reporting and Impact, February 22nd 2008

The topic of our February meeting was security breach reporting and featured 2 visiting speakers discussing the impact of security breaches in the context of mandatory public reporting. This meeting was well attended and featured a lengthy Q&A and discussion period, including discussion of the Irish Blood Transfusion Service announcement earlier in the same week and details of new attacks on disk encryption disclosed on the previous evening.

Our guest speakers were Phil Dunkelberger, CEO of PGP Corporation and long-time supporter of ISSA, and Achim Klabunde, policy officer with the European Commission. Phil is a well-known Silicon Valley entrepreneur and headed the original "PGP Inc" start-up formed in 1996 to commercialise PGP encryption. Following the purchase and subsequent abandonment of the PGP technology by Network Associates, Phil led a buy-out in 2002 and formed PGP Corporation which has since launched a highly-successful suite of encryption products and grown to over 300 employees. Achim heads the team responsible for privacy and trust within the EC Directorate General for Information Society and Media, where his recent work includes the privacy and security aspects of the EU regulatory framework for electronic communications.



Security Metrics and Measurement, January 31st 2008

Our January chapter meeting focused on information security metrics, a timely topic as many organisations seek to justify security investment or improve information security management systems.

Our guest speaker was Vicente Aceituno, vice-president of ISSA Spain and one of Europe's leading experts on security metrics. Vicente is the author of the Information Security Management Maturity Model (ISM3), a framework for information security management systems which focuses on defining practical and measurable security goals. Vicente has published several articles on security metrics, for example in the ISSA Journal and "ENISA Quarterly". Outside of metrics Vicente has recently published his first book, "Seguridad de la Informacion", and is the organiser of the "FIST" information security conference in Spain.



Note: Attendees and ISSA members can request slides from past meetings by emailing info@issaireland.org.