Next Event
Our next 3 events will be as follows:

- July 23rd: "Startup Opportunities in Information Security"
- September 3rd: half-day security seminar, details to be announced
- September 17th: special event, details to be announced

For details on our July 23rd event, or to register, please see here.
Future Events
Our programme of events for 2009 includes 4 half-day seminars, a number of regional meetings and several special events. Although planning for many of these events is already underway, we would welcome suggestions for speakers or topics related to information security, and in particular we would like to hear from Irish security professionals interested in speaking at an ISSA event.
Recent Events
Microsoft Special Event

On June 10th we held a special event with Microsoft focusing on the upcoming security enhancements in the Windows platform and Microsoft's security work in Dublin.

Our first speaker was Dave Northey, Principal Systems Engineer with Microsoft Ireland, covering the security improvements Microsoft have made in Windows 7 and Windows Server 2008 R2. Dave's presentation covered new features such as BitLocker To Go, DirectAccess and AppLocker as well as enhancements to Network Access Protection, User Account Control, event logging and Rights Management Services.

Frank O'Keeffe, Regional Information Security Manager with Microsoft IT and long-time ISSA Ireland member, then outlined how Microsoft manages security, including an overview of their various security groups and how internal security relates to product security. Frank also discussed Microsoft's processes for developing security strategy, for deploying new security controls and for risk assessment and management.

Our final Microsoft presentation was from Elda Dimakiling and Francis Allan Tan Seng of Microsoft's Malware Protection Center. Elda and Francis outlined Microsoft's anti-malware efforts and presented details of their work on the Conficker worm. Their presentation included analysis of the spread of Conficker internationally and in Ireland as well as the methods used by the worm to spread and obtain updates.

To close this meeting two ISSA members gave brief presentations on tools they have used to secure Windows systems. Paul Collins, head of IT with Hypo Real Estate Group, discussed MSAT (Microsoft Security Assessment Tool), which helps an organisation to measure and benchmark its security controls, including against peers in similar industries. Robert McArdle of Trend Micro then demonstrated 5 tools which can help to identify and remove malicious software: Process Explorer, Process Monitor and Autoruns from Microsoft, IceSword from "PJF" and GMER from gmer.net. Robert has posted a summary of these tools on his blog.



May 5th Seminar

Our May meeting was a half-day seminar which focused on two topics: Voice over IP and Critical Information Infrastructure Protection.

Voice over IP Security was addressed in two presentations from Aidan Lynch and Sean Heelan. Aidan is a senior consultant with Ernst & Young Risk Advisory Services who has worked on numerous security engagements for organisations, including several VoIP security assessments. Aidan's presentation introduced VoIP technology, the protocols involved and typical corporate deployments, while Sean Heelan of Oxford University went into further detail based on his research on VoIP security vulnerabilities.

Protecting Critical National Infrastructure was the topic of Hart Rossman's presentation, covering the US approach to national-level cybersecurity and some of the recent developments in this area. As CTO for Cyber Programs at SAIC, one of the world's largest scientific, engineering & technology contractors, Hart was able to give a broad overview of this area from its early origins to the latest developments.

A panel discussion on Critical Infrastructure in Ireland and beyond followed Hart's session and included representatives of ESB and AIB as well as a guest speaker from the UK's Centre for the Protection of National Infrastructure. The panel discussed the differing approaches to critical infrastructure protection in Europe and the US as well as the prospects for greater attention at Irish or EU level to the protection of CII.

This meeting closed with a series of Lightning Talks: short, informal presentations from ISSA members on a wide range of security topics.



February 17th Seminar

In February we held a half-day seminar featuring 4 Irish experts and covering the following topics:

Ensuring Security of In-house Applications: Colin Bell is an application security expert within IBM's Rational AppScan team (formerly Watchfire) where he manages the "AppScan onDemand" security testing service. Colin has over 22 years IT experience, primarily in application development roles, and for the past 8 years he has specialised in application security testing. Prior to joining IBM Colin developed and managed a service within Sun Life Financial which was globally responsible for their internal security testing services. At our February meeting Colin's presentation addressed the security of in-house applications with a comprehensive discussion of application security, focusing on how security testing can be built into internal development processes.

Legal Issues in Information Security: Philip Nolan is a partner in the commercial department of Mason Hayes & Curran, one of Ireland's leading commercial law firms. Philip's knowledge and experience in technology, communications and privacy law have made him one of the top Irish solicitors in these areas and the perfect speaker to address legal issues in information security. On February 17th Philip discussed the legal issues that affect information security professionals in Ireland, from privacy issues such as employee monitoring to contract questions and updates on relevant HR and data protection legislation.

Implementing ISO27001 in a Windows Environment: Brian Honan is an Irish security professional who runs BH Consulting, a specialist IT and information security consultancy, and is a regular speaker on information security issues. Brian's particular area of expertise is the ISO 27001 standard for information security management systems, and at our February meeting Brian outlined how 27001 can be implemented using Windows technology. Drawing on his recent book, "Implementing ISO 27001 in a Windows Environment", Brian's presentation explained the standard's technical control requirements and showed what they mean for the secure configuration and management of a typical Windows system.

Effective Security Awareness Programmes: Mike Harris is one of Ireland's most senior security professionals and a popular speaker who has contributed to several past ISSA events. As Director of Risk Advisory Services with Ernst & Young Mike has worked with many organisations to improve their security and on several occasions has filled security management roles on an interim basis. Mike's presentation on February 17th addressed one of the most difficult management challenges in information security: building effective security awareness programmes. Drawing on his experience of both consulting assignments and in-house roles Mike explained how to structure an effective programme, how to select appropriate messages, how to develop or source content and how to measure effectiveness over time.



November 28th Seminar

On November 28th we held a half-day seminar covering a wide range of topics and featuring a record number of speakers for an ISSA event.

Our first speaker was Eamonn Sheeran, Information Security Manager with Intel Corporation and long-standing member of ISSA. As a senior member of Intel's Information Risk Security group Eamonn is responsible for a wide range of security projects both in Ireland and across other Intel locations. On November 28th Eamonn outlined Intel's approach to information security and in particular their concept of "secure outsourcing".

Sara McAneney and Mark McDonagh then spoke on Network Behaviour Analysis, a technology which has been described by Gartner as being "about higher level of visibility in the behaviour of your network to cover gaps left by signature based mechanisms". Mark is a senior consultant with Netfort Technologies, an Irish security vendor whose products include NBA features, and at this meeting he introduced NBA and discussed the differences between it and other forms of network monitoring. As Information Security Officer at Trinity College Dublin Sara uses NBA data to assist with both network security and operational management, both of which she demonstrated in her presentation.

Mark and Sara were followed by a series of short "war stories" from the world of digital forensics. Attendees heard from Andy Harbison of Deloitte, Chris Taylor of Espion, Donal Keating of Microsoft, Rene Hamel of KPMG and Simon Collins of Ernst & Young. Following these five presentations the speakers took questions from the audience on a wide range of topics relating to digital investigations and computer forensics.

Our 4th session at this meeting covered disk encryption and media control products, focusing on the deployment of these products in Irish organisations. Cathal O'Donnell of Trinity College spoke about his experience with disk encryption in his most recent role at another Irish organisation and gave extremely helpful examples of the issues he encountered, decisions made, etc. Dave Whelan of Mazars then presented his experience with deploying both disk encryption and media control solutions in Irish companies, focusing in particular on the management and cultural issues that can arise.

In our final session of the day Owen O'Connor presented the results of the 2nd ISSA / UCD Irish Cybercrime Survey. This brief presentation covered the background to the survey and the major findings from this year, including a discussion of several notable data points in the results. The difficulties of collecting this type of data were also discussed as well as the limited resources available to ISSA in conducting this survey and the need for a different approach if this research is to be repeated in future.



PCI-DSS: Protecting Credit Card Data

On October 16th we held a seminar on PCI DSS (the Payment Card Industry Data Security Standard), one of the most important pieces of security guidance for companies handling credit card information. More so than any other initiative in recent years, PCI DSS has provided concrete requirements for securing sensitive information, helping to improve security and protect consumers. This success, combined with a high profile around the world, has meant PCI is now seen as a potential model for future standards, making it relevant even for organisations not currently in scope.

Our speaker for this event was Owen Connolly, Principal Security Specialist with O2 Ireland. Owen has tremendous experience with PCI, having spent several years helping with O2's PCI project and more recently acting as a trainer for SANS on their PCI DSS courses. At this meeting Owen reviewed the background to the PCI standard and explained its requirements. More importantly Owen shared his experience of implementing PCI in an in-house security role and the lessons learned over the past few years. Since October marked a major revision to PCI DSS Owen's presentation also discussed the changes in version 1.2 including the aggressive schedule for their introduction at the end of 2008.



Protecting Against Data Theft, May 26th 2008

Our second event in May was also our first regional event and was held at Limerick Institute of Technology on May 26th. This special event was titled "Protecting Against Data Theft" and focused on the type of asset theft breaches which are affecting an increasing number of Irish organisations.

Our first presentation was from Owen O'Connor, founder of ISSA Ireland and author of the ISSA / UCD Irish Cybercrime Survey. Owen's presentation covered ways for organisations to avoid falling victim to asset theft security breaches, the assessment of potential breaches (since not every asset theft represents an information security breach) and finally a process for responding when a breach does occur.

Our second speaker was Jeff McCann, an Information Security Consultant with Dell who has an extensive background in systems management, project management and information security. On May 26th Jeff discussed information security skills and the options for training, certification & education in Ireland, including his own experience moving from mainstream IT roles into information security.



Meeting Compliance and Audit Requirements while Minimising Effort, May 23rd 2008

In May our chapter meeting looked at the intersection of information security and systems audit and the burden of demonstrating compliance with regulations and standards. Our 3 speakers at this event reviewed the rapidly growing list of regulations and other audit requirements facing information security professionals, ranging from laws such as Sarbanes-Oxley to partner requirements such as PCI-DSS, not to mention voluntary certifications like ISO 27001.

Eoin Fleming leads the financial services security practice for HP Services and was formerly Chief Security Architect for HP Ireland. Eoin recently worked with a number of customers to automate compliance checks and at this meeting he outlined the possibilities and limits of automated compliance.

Mike Harris is Director of Risk Advisory Services for Ernst & Young and has worked in information security for over 10 years. At this event Mike spoke on the topic "Achieving Compliance by Improving Security", looking at how to develop an overall security framework based on a standard such as ISO 27001 and how this can both improve security and demonstrate compliance.

Sean Carey is Head of Internal Audit at Postbank, Ireland's newest bank, recently launched by An Post and Fortis Bank. Sean has a keen interest in information security and on May 23rd gave an auditor's perspective on information security, explaining how best to demonstrate compliance internally.



Security Breach Reporting and Impact, February 22nd 2008

The topic of our February meeting was security breach reporting and featured 2 visiting speakers discussing the impact of security breaches in the context of mandatory public reporting. This meeting was well attended and featured a lengthy Q&A and discussion period, including discussion of the Irish Blood Transfusion Service announcement earlier in the same week and details of new attacks on disk encryption disclosed on the previous evening.

Our guest speakers were Phil Dunkelberger, CEO of PGP Corporation and long-time supporter of ISSA, and Achim Klabunde, policy officer with the European Commission. Phil is a well-known Silicon Valley entrepreneur and headed the original "PGP Inc" start-up formed in 1996 to commercialise PGP encryption. Following the purchase and subsequent abandonment of the PGP technology by Network Associates, Phil led a buy-out in 2002 and formed PGP Corporation, which has since launched a highly successful suite of encryption products and grown to over 300 employees. Achim heads the team responsible for privacy and trust within the EC Directorate General for Information Society and Media, where his recent work includes the privacy and security aspects of the EU regulatory framework for electronic communications.



Security Metrics and Measurement, January 31st 2008

Our January chapter meeting focused on information security metrics, a timely topic as many organisations seek to justify security investment or improve information security management systems.

Our guest speaker was Vicente Aceituno, vice-president of ISSA Spain and one of Europe's leading experts on security metrics. Vicente is the author of the Information Security Management Maturity Model (ISM3), a framework for information security management systems which focuses on defining practical and measurable security goals. Vicente has published several articles on security metrics, for example in the ISSA Journal and "ENISA Quarterly". Outside of metrics Vicente has recently published his first book, "Seguridad de la Informacion", and is the organiser of the "FIST" information security conference in Spain.



Note: Attendees and ISSA members can request slides from past meetings by emailing info@issaireland.org.