Rafal Lukawiecki is one of the best Information Security speakers I've seen as he's highly technical, a great communicator and is entertaining too. He consistently receives excellent feedback at events all over Europe including TechEd and ITForum. He's presenting a technical security seminar for TechNet in the UK on Tuesday 21st June and repeated on Wednesday 22nd June. The locations are being finalised. Full details together with registration details will be posted to http://www.microsoft.com/uk/technet in the next few days.
The seminar is described as follows:
A secure and trustworthy electronic environment for conducting business is the number one requirement on almost every IT or operations manager’s lips. Unfortunately, the number of threats and attacks targeting e-business organisations is on the increase.
This full day seminar aims to equip IT Professionals who are in charge of designing, deploying and administering such systems with more structured proactive defences. We will present a number of practical suggestions, checklists and processes that you can use immediately to increase the security of your systems.
The day will begin with a process-oriented, “holistic”, view of security. We will then continue looking at both active (attack detection, hardening, filtering etc.) and passive (cryptography, PKI) modern forms of building security. We will finish the day with an overview of the concepts of digital trust (e-notary, time-stamps, trusted signatures, DRM etc.) that often form part of the future security-related plans of larger organisations.
The running order of the day is expected to be as follows:
Duration: 85 minutes
Audience: IT Pro
Abstract: "The tough realities of today make security of enterprise systems one of the highest priorities on most IT Professionals’ agendas. This conceptual, rather than technical, session will overview security from a holistic, process-oriented perspective. While still uncommon, this approach seems to best model the threats that affect our installations. This way of looking at security is based on risk assessment and worries about all aspects of the system equally: we do not want to be building bullet-proof steel doors in a house made of paper walls. After discussing the main challenges that make achieving optimal security difficult, we will concentrate on three process-based holistic approaches: OCTAVE, Simplified Security Risk Analysis, and Threat Modelling. Also in this session we will attempt to categorise all security technologies into active and passive approaches, thus providing a structure to the remainder of the seminar."
Title: "Active Security Common Practices"
Duration: 90 minutes
Abstract: "Starting with the concept of Defence-in-Depth we will look at all of the main aspects of the operational environment that require being secured using active technologies. We will look at the techniques and guidance available for securing applications, hosts and the network itself. Specifically, we will debate some of the challenges posed by in-house enterprise applications, as well as those provided by vendors such as Microsoft. While discussing the available security technologies, we will attempt to provide a fairly complete list of those that you should consider employing, including: Windows XP SP2, Patch Management and WU/SUS/SMS, ISA, Server Hardening Guides, IPSec, MOM, 802.1x/WPA, and Identity Integration. We will close this session with a brief discussion of the checklists of the ‘Top 10’ suggestions for securing the primary Microsoft server systems."
Title: "Cryptography and PKI for Passive Security"
Abstract: "Holistic security uses both active and passive technologies. Cryptography is the mainstay of passive approaches, primarily used to protect the data layer in the defence-in-depth view. This session aims to provide a good technical overview of all of the foundational concepts of cryptography in order to enable an IT security professional to make better decisions regarding the technologies used for protection. We will, at first, explain the concepts of hybrid, symmetric and asymmetric cryptography before moving on to the subject of hash and digest functions in order to explain the problems found with today’s digital signatures. With that introduced, we will look at the X.509 certificate standard, SSL and smartcards, move on to a rapid discussion of all of the current encryption algorithms such as AES, TripleDES, IDEA, RC2, RC4, RSA, ElGamal and ECC, and briefly touch on quantum cryptography. We are not going to discuss each of them in detail; instead we hope to provide enough information to allow you to make better choices when deciding on the technologies to use."
Title: "Digital Trust: Goals and Obstacles"
Duration: 50 minutes
Abstract: "Trustworthiness is as important as the security of the system, according to its users, such as clients, employees and partners. Traditional paper-based trust increasingly has to be replaced with digital signatures and other legally-binding electronic forms of interaction between parties. PKI, Identity Management and Digital Signatures form the basis of Digital Trust. In addition, Time Stamp Authorities, Trusted Document Repositories and e-Notary Services are also vitally needed to build a usable infrastructure of digital trust. We will look at the standards and technologies that enable this concept, and, keeping with reality, we will point out a number of outstanding legal and social issues that may prevent your organisation from successfully adopting some principles of digital trust. We will also briefly touch on Digital Rights Management as an aspect of digital trust and its relationship to privacy protection. This session is likely to be of more interest to those working in the public sector, governments, and bigger enterprises interacting with a large consumer base, and consultants working with them."