J Wolfgang Goerlich's thoughts on Information Security


I am available to speak on the topics of risk management, security information management, business continuity, cloud computing (IaaS), and DevOps. My current favorite talks to give are Bring Your Own Cloud and Whispering on the Wires. The Bring Your Own Cloud talk provides a case study on implementing private cloud computing and DevOps. Whispering on the Wires covers steganography, covert channels, and the #incog .NET library. Drop me an email if you would like me to speak at your event.

Presentations and Speaking Engagements:

Ohio Information Security Conference: Threat Models that Exercise your SIEM and Incident Response. This talk presents a case study on taking actual security incidents, creating threat models, and using the models to create red team exercises. The resulting red team exercises are then used to evaluate our technical controls (SIEM, vulnerability management) and incident response. Quarter by quarter, driving up the security posture. (March 12, 2014. Dayton, OH. Co-presented with Nick Jacob)

ConFoo: SDLC in Hostile Environments. What happens when end-users have the motive, opportunity, and skillset to attack our software? When two hacker conferences hosted a six week capture-the-flag contest, organizers learned first-hand how this impacts the software development life cycle (SDLC). We will discuss wins and losses, successes and failures, and hard lessons learned. (February 24 - February 28, 2014. Montreal, Canada)

BSides Columbus: Rapid Fire Threat Modeling. Everyone is talking about threat modeling. But when you get down to it, few are doing threat modeling. The reasons are simple: modeling can be complicated, there is conflicting information, and it is not clear what to do with the finished model. This session presents a pragmatic threat modeling exercise that can be accomplished in an afternoon. We will review how to find sources for threat models, communicate the findings, audit and assess the available controls, and drive change within the organization. In sum, this talk presents a practical approach to rapidly getting the most from threat modeling. (January 20, 2014. Columbus, OH. Co-presented with Mark Kikta)

North Oakland ISSA: Practical Threat Modeling. (December 11, 2013. Auburn Hills, MI)

Eastern Michigan University: Information Assurance: Practical Risk Management. (December 3, 2013. Ypsilanti, MI)

Oakland University's Cyber Security Club: Surviving the Robot Apocalypse. (November 21, 2013. Auburn Hills, MI)

Siouxland IT Symposium: Bring Your Own Cloud. (November 7, 2013. Sioux Falls, South Dakota)

SecureWorld Detroit: Game Time: Disaster Recovery and Incident Response. (October 17, 2013. Dearborn, MI)

ISACA: Attack Paths and Mitigations. Threats are the missing ingredient in many security programs. Defense-in-depth is dead. When defense is performed without an eye on the offense, the result is over-spending and under-performing. Risk management, too, is struggling. Executed without an eye on threats, a risk-based approach still results in a security breach. To successfully secure and defend networks, we must understand threats at the same level we understand our assets and vulnerabilities. This session presents a method for modelling threats and the path attackers take through our networks. Using these models, defensive strategies can then be defined and exercised. Organizations can then employ targeted defenses to mitigate the impact of security breaches. At the end of this talk, participants will leave with insights into developing a threat-driven security program. (October 16, 2013. Dearborn, MI)

Greater Detroit ISC2: Game Time: Disaster Recovery and Incident Response. Beat the clock. Table-top. Tag. Scavenger hunts. All are forms of games. All four can be applied to strengthening a team’s readiness. Take two of the ISC2 domains: Business Continuity and Operations Security. Both domains include disciplines for reacting to emergencies. Disaster Recovery, for example, is a planned reaction to an outage. Incident Response is a planned reaction to a security breach. With policies and plans in place, organizations must routinely practice in order to be ready for unplanned events. This session will present and discuss several games that organizations can play to improve DR and IR readiness. (September 24, 2013. Southfield, MI)

GrrCon. Beautiful models. We need beautiful models. Models attract and hold your attention. They excite you. They prompt action. And action, excitement, and focus is exactly what is needed to defend IT. By models, of course, we mean threat models. Intricate and beautiful, a good threat model tells a story. It indicates what we are protecting and where the attacks may come from. Done right, modelling highlights both the strengths and weaknesses of our IT. It becomes a means for strengthening and focusing our efforts. We need beautiful models to see what is and what could be. This session will explore threat modeling as part of the secure development lifecycle. A case study will be presented. The stories are real and only the names have been changed to protect the innocent. Beautiful Models answers the question: what is it that makes a threat model beautiful and actionable? (September 12-13, 2013. Grand Rapids, MI)

Grand Rapids IT Symposium: Bring Your Own Cloud. This session presents a pragmatic overview of cloud computing and bring your own device. Depending on who you speak with, cloud is either poised to lower IT costs world-wide or a security disaster and a compliance nightmare. People advocating to keep IT services in-house get labeled server huggers. People suggesting leveraging public cloud computing get tarred as outsourcers looking to cut jobs. And while the hype is that cloud is cheaper and that cloud is killing the data center, the reality is more nuanced. We need a middle ground. How can companies realize the dream of public utility cloud computing, while retaining the service and security they have come to expect from in-house IT? The answer is hybrid cloud computing. That is, combining the benefits of public utilities with the reliability of in-house IT departments. We will present how a Midwest investment firm evolved its in-house computing through two generations of private cloud, and is now building a third generation for launch later this year. The session is a case study in adopting consumer IT and adapting to IT trends. Lessons learned will be shared, along with a vision for how agile IT departments can succeed now and into the future. (June 19, 2013. Grand Rapids, MI)

Great Lakes InfraGard Conference: Securing Financial Services Data Across The Cloud. We came from stock tickers, paper orders, armored vehicles, and guarded vaults. We moved to data bursts, virtual private networks, and protocols like Financial Information eXchange (FIX). While our objective remains the same, protect the organization and protect the financial transactions, our methods and technologies have radically shifted. Looking back is not going to protect us. This session presents a case study on a financial services firm that modernized its secure data exchange. The story begins with the environment that was developed in the previous decade. We will then look at high-level threat modelling and architectural decisions. A security-focused architecture works at several layers and this talk will explore them in depth; including Internet connections, firewalls, perimeters, hardened operating systems, encryption, data integration, and data warehousing. The case study concludes with how the firm transformed the infrastructure, layer by layer, protocol by protocol, until we were left with a modern, efficient, and security-focused architecture. After all, nostalgia has no place in financial services data security. (May 16, 2013. Ypsilanti, MI)

BSides Chicago: Surviving the Robot Apocalypse. (Note: the video recording is only of the last half of the talk.) The robots are coming to kill us all. That, or the zombies. One way or the other, humanity stands on the brink. While many talks have focused on surviving the zombie apocalypse, few have given us insights into how to handle the killer robots. This talk seeks to fill that void. By exploring software security flaws and vulnerabilities, we will learn ways to bypass access controls, extract valuable information, and cheat death. Should the unthinkable happen and the apocalypse not come, the information learned in this session can also be applied to protecting less-than-lethal software. At the end of the day, survival is all about the software. (April 27, 2013. Chicago, IL)

Henry Ford: Surviving the Robot Apocalypse. (April 25, 2013. Dearborn, MI)

Source Boston: Punch and Counter-punch: Covert Channels in PowerShell. Alice wants to send a message to Bob. Not on our network, she won't! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk through communications channels that defenders use and attackers abuse. The session will highlight three common covert channels, explore what makes covert channels hard to detect, and explain potential controls. Demonstrations will feature a PowerShell toolset. The software will be made available for creating your own Alice and Bob stories, and assessing your organization's security posture when it comes to covert channels. (April 17, 2013. Boston, MA)

Eastern Michigan University: Information Assurance: Whispering on the Wires workshop. (April 5, 2013. Ypsilanti, MI)

Motor City ISSA: Panel Discussion: Current Trends in the Cybersecurity Threat Landscape. In light of last week’s Islamic Cyber Fighter’s DDoS attacks on America’s financial institutions and the implication of nation-state sponsored cyberattacks, this is a very timely topic to discuss. (March 21, 2013. Livonia, MI)

Motor City ISSA: Incident Management with PowerShell. Have you seen the latest scare? The Java 0-day exploit that allows attackers to execute code on your computer? Now scares come and scares go. But let’s suppose for a moment your servers were infected using this exploit. How could your administrators detect the attack? How would you recover? Even better, what could have been done beforehand and how could you prevent this from happening again? Incident Management, of course, is the security practice that seeks to answer these questions. In Windows server environments, PowerShell is the way Incident Management gets put into practice. This session will introduce InfoSec professionals and systems administrators to PowerShell’s security features. We will provide an overview of Incident Management and PowerShell. Then, using the Java 0-day exploit as a driver, we will walk through the lifecycle of an incident. The audience will leave with information on the policy and practice of managing security incidents in Windows with PowerShell. (February 21, 2013. Livonia, MI)

GrrCon: Punch and Counter-punch with .Net Apps. Alice wants to send a message to Bob. Not on our network, she won’t! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk through sample .Net apps and Windows configurations that defenders use and attackers abuse. Short on slides and long on demo, this presentation will step through the latest in .Net application security. .Net tools that demonstrate the attacks and defenses will be released following the talk. (September 27, 2012. Grand Rapids, MI)

Motor City ISSA: Whispering on the Wires. The Internet opened communications and enabled this flat world where everything is but one click away. These complex networks make possible rich exchanges of thoughts and ideas, goods and services. But there is, of course, a dark side. Not all communications are productive. Not all communications are visible. Some are destructive, hidden, invisible. Some messages are whispered in secret. In this session, we will delve into ways attackers can hide their traffic using steganography and covert channels. Examples will be demonstrated and potential controls will be discussed. (September 20, 2012. Livonia, MI)

OWASP Detroit: Covert Channels and Controls in the .Net Framework. As the OWASP Detroit founder put it, "come watch Wolf talk about .NET and hiding stuff..." (September 12, 2012. Royal Oak, MI)

North Oakland ISSA: Turtles all the way Down -- .Net Software Security. Peel back the layers of abstraction, what do you find? Software. Feel through the fog of cloud computing and what is there? Software. What powers our devices? Handles our protocols? Drives our cars? What ties us all together? Software. Every layer of our technology stack is software. It is turtles all the way down. Few things are as germane to security as software security. We will delve into software security in this session. Using C# as an example, we will see how software in general breaks and how to protect Microsoft .Net in particular. So how do we protect software? Come find out. (September 12, 2012. Auburn Hills, MI)

Lunch and Learn. Bring Your Own Cloud. How can companies realize the dream of public utility cloud computing, while retaining the service and security they have come to expect from in-house IT? The answer is private cloud computing. That is, combining the benefits of public utilities with the reliability of in-house IT departments. In this session, we will present how a Midwest investment firm implemented DevOps on a cloud computing model. (August 22, 2012. Livonia, MI)

BSidesCleveland: Naked Boulder Rolling. Applying risk management and the security development life cycle to make security manageable. (July 13, 2012. Cleveland, OH)

BSidesDetroit: Naked Boulder Rolling. Every day we roll the boulder up hill. Every morning we find the boulder back down in the valley. Like Sisyphus, defenders face the daily challenge of getting all the systems secure and the morning realization that new vulnerabilities have crept in. It is so bad we say it is not if we will get breached but when we will get breached. Worse, defenders say most breaches are career-ending events. Ouch. There has to be a better way. In this talk, we will cover using business impact and risk management as a driving force for prioritizing security efforts. This reduces the likelihood of a breach and prevents any breach from being a career-ending event. We’ll round out the hour with a case study showing these principles applied to securing a million dollar website. Guaranteed, you will leave this talk a smarter boulder roller. (June 2, 2012. Detroit, MI)

Stir Trek: Running DevOps on a Microsoft Cloud. You have heard the rumors. DevOps is this touchy-feely culture thing where the developers run cowboy over the infrastructure using open source tools. But what if you are running a Microsoft infrastructure? What if you are in a highly regulated industry, say like finance? And what if you need to show hard dollar savings to support culture changes? Forget the rumors. We have the facts. In this session, we will present how a Midwest investment firm implemented DevOps on a cloud computing model. The tool stack is SharePoint, SQL Server Business Intelligence, and System Center. Let's get past the rumors and see how existing organizations are getting the most from DevOps and the cloud. (May 4, 2012. Columbus, OH)

GrrCon: How asteroids falling from the sky improve security. An asteroid fell from the sky and the data center is now a smoking crater. At least, that's the scenario that launches your business continuity planning. BCP asks the questions: what do we have, what does it do, what is the risk and what is the value? The answers to these questions are also essential building blocks of a risk management program. This presents an opportunity for the savvy information security professional. In this session, we will look at ways to co-opt business continuity to advance an organization's information security. (September 16, 2011. Grand Rapids, MI)

MiSec: How asteroids falling from the sky improve security. (August 18, 2011. Royal Oak, MI)

Storage Network World: Disaster Recovery Metrics: Beyond RTO and RPO. Many people consider only the recovery time and recovery point, RTO and RPO, when developing their strategies. This is a problem. Left unattended, certain characteristics of a recovery strategy will cause us to miss our recovery time. So it is important to look beyond the surface. To meet RTO, we must have sufficient time metrics. To meet RPO, we must have sufficient data metrics. And to balance the ongoing operational costs with the per incident costs, we must have supporting scalability metrics. This talk reviews the necessary metrics and considerations. (April 6, 2011. San Jose, CA)

Motor City ISSA: Practical Risk Management. The Motor City Chapter of the Information Systems Security Association (ISSA) will be hosting their September meeting with a presentation on Practical Risk Management. Their speaker, J. Wolfgang Goerlich, CISSP, CISA, is an information security professional with over a decade of experience in IT. Currently Mr. Goerlich is the Network Operations and Security Manager for a large financial institution in Michigan. In this presentation, Mr. Goerlich will describe some of the challenges he faced while developing an enterprise risk management program and explain how he ultimately solved them with a leading governance risk and compliance (GRC) technology. This presentation will discuss the practical implementation of GRC technology, discuss its uses, and review lessons learned. (September 18, 2008. Southfield, MI)

Lunch and Learn. Simplifying BCP Using OS and Storage Virtualization. (August 21, 2008. Livonia, MI)

Storage Network World: Simplifying BCP Using OS and Storage Virtualization. This session presents the evolution of disaster recovery. An institution responsible for billions in assets, Munder Capital Management’s information systems must be always available. Munder has been through several BCP cycles as they went from tape to standby systems, from cold to hot sites. This session delves into the lessons learned from these DR strategies as well as presents their latest: use OS and storage virtualization to completely automate recovery. (April 7, 2008. Orlando, FL)

Out and About

I will be presenting at the CSA Nordic Summit and Security Culture Conference events in June, 2015.

Playing With

SimWitty #incog. #incog, or Incognito, is a C# library for demonstrating steganographic techniques and covert channels. I am also playing with the PoshSec framework and scripts, specifically for implementing the SANS 20 Critical Security Controls.