<html><head><title>SC Congress 2013 review</title><meta content="text/html; charset=UTF-8" http-equiv="content-type"><style type="text/css">.lst-kix_oft2zk3h1kxu-4>li:before{content:"\0025cb "}ul.lst-kix_phffwz6tz7gp-0{list-style-type:none}ul.lst-kix_phffwz6tz7gp-1{list-style-type:none}.lst-kix_dcvetu2j4z8t-1>li:before{content:"\0025cb "}.lst-kix_phffwz6tz7gp-6>li:before{content:"\0025cf "}.lst-kix_e2c41h592wl1-6>li:before{content:"\0025cf "}.lst-kix_sa99usvb1xiw-2>li:before{content:"\0025a0 "}.lst-kix_mos0jdbrr7he-6>li:before{content:"\0025cf "}.lst-kix_j0q0rkbag4vp-0>li:before{content:"\0025cf "}.lst-kix_sa99usvb1xiw-5>li:before{content:"\0025a0 "}.lst-kix_eoup16cfirub-4>li:before{content:"\0025cb "}.lst-kix_phffwz6tz7gp-8>li:before{content:"\0025a0 "}.lst-kix_j0q0rkbag4vp-6>li:before{content:"\0025cf "}.lst-kix_oft2zk3h1kxu-8>li:before{content:"\0025a0 "}.lst-kix_8ip75jiqjl8x-3>li:before{content:"\0025cf "}.lst-kix_39vcel35w7te-5>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-5,lower-roman) ". "}.lst-kix_8ip75jiqjl8x-6>li:before{content:"\0025cf "}.lst-kix_39vcel35w7te-7>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-7,lower-latin) ". "}.lst-kix_phffwz6tz7gp-1>li:before{content:"\0025cb "}.lst-kix_l6vy2v934trl-3>li:before{content:"\0025cf "}.lst-kix_3ty6cqjy78w3-5>li:before{content:"\0025a0 "}ul.lst-kix_phffwz6tz7gp-8{list-style-type:none}ul.lst-kix_phffwz6tz7gp-7{list-style-type:none}ul.lst-kix_phffwz6tz7gp-6{list-style-type:none}ul.lst-kix_phffwz6tz7gp-5{list-style-type:none}.lst-kix_mos0jdbrr7he-1>li:before{content:"\0025cb "}ul.lst-kix_phffwz6tz7gp-4{list-style-type:none}.lst-kix_8ip75jiqjl8x-8>li:before{content:"\0025a0 "}ul.lst-kix_phffwz6tz7gp-3{list-style-type:none}ul.lst-kix_phffwz6tz7gp-2{list-style-type:none}.lst-kix_1ff618ucjbcz-4>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-4,lower-latin) ". 
"}.lst-kix_1ff618ucjbcz-4>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-4}.lst-kix_8ip75jiqjl8x-0>li:before{content:"\0025cf "}.lst-kix_1ff618ucjbcz-2>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-2}.lst-kix_3ty6cqjy78w3-6>li:before{content:"\0025cf "}ol.lst-kix_39vcel35w7te-7.start{counter-reset:lst-ctn-kix_39vcel35w7te-7 0}.lst-kix_1ff618ucjbcz-7>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-7,lower-latin) ". "}.lst-kix_mos0jdbrr7he-0>li:before{content:"\0025cf "}.lst-kix_3ty6cqjy78w3-7>li:before{content:"\0025cb "}.lst-kix_mos0jdbrr7he-4>li:before{content:"\0025cb "}.lst-kix_1ff618ucjbcz-5>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-5}.lst-kix_39vcel35w7te-1>li{counter-increment:lst-ctn-kix_39vcel35w7te-1}.lst-kix_3ty6cqjy78w3-4>li:before{content:"\0025cb "}.lst-kix_39vcel35w7te-3>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-3,decimal) ". "}.lst-kix_dcvetu2j4z8t-0>li:before{content:"\0025cf "}.lst-kix_3ty6cqjy78w3-0>li:before{content:"\0025cf "}ol.lst-kix_1ff618ucjbcz-6.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-6 0}.lst-kix_e2c41h592wl1-5>li:before{content:"\0025a0 "}.lst-kix_8ip75jiqjl8x-4>li:before{content:"\0025cb "}.lst-kix_3ty6cqjy78w3-1>li:before{content:"\0025cb "}.lst-kix_dcvetu2j4z8t-2>li:before{content:"\0025a0 "}.lst-kix_dcvetu2j4z8t-4>li:before{content:"\0025cb "}.lst-kix_1ff618ucjbcz-2>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-2,lower-roman) ". "}.lst-kix_sa99usvb1xiw-4>li:before{content:"\0025cb "}.lst-kix_1ff618ucjbcz-8>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-8,lower-roman) ". 
"}.lst-kix_phffwz6tz7gp-2>li:before{content:"\0025a0 "}.lst-kix_oft2zk3h1kxu-0>li:before{content:"\0025cf "}.lst-kix_j0q0rkbag4vp-5>li:before{content:"\0025a0 "}ol.lst-kix_39vcel35w7te-2.start{counter-reset:lst-ctn-kix_39vcel35w7te-2 0}ol.lst-kix_39vcel35w7te-4.start{counter-reset:lst-ctn-kix_39vcel35w7te-4 0}.lst-kix_e2c41h592wl1-0>li:before{content:"\0025cf "}.lst-kix_sa99usvb1xiw-6>li:before{content:"\0025cf "}ol.lst-kix_39vcel35w7te-8.start{counter-reset:lst-ctn-kix_39vcel35w7te-8 0}.lst-kix_3ty6cqjy78w3-2>li:before{content:"\0025a0 "}.lst-kix_eoup16cfirub-3>li:before{content:"\0025cf "}.lst-kix_e2c41h592wl1-4>li:before{content:"\0025cb "}.lst-kix_oft2zk3h1kxu-1>li:before{content:"\0025cb "}.lst-kix_oft2zk3h1kxu-3>li:before{content:"\0025cf "}ol.lst-kix_1ff618ucjbcz-2.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-2 0}.lst-kix_39vcel35w7te-0>li{counter-increment:lst-ctn-kix_39vcel35w7te-0}.lst-kix_mos0jdbrr7he-3>li:before{content:"\0025cf "}ol.lst-kix_1ff618ucjbcz-3.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-3 0}.lst-kix_dcvetu2j4z8t-3>li:before{content:"\0025cf "}.lst-kix_phffwz6tz7gp-3>li:before{content:"\0025cf "}.lst-kix_sa99usvb1xiw-3>li:before{content:"\0025cf "}.lst-kix_eoup16cfirub-7>li:before{content:"\0025cb "}.lst-kix_3ty6cqjy78w3-8>li:before{content:"\0025a0 "}.lst-kix_39vcel35w7te-3>li{counter-increment:lst-ctn-kix_39vcel35w7te-3}.lst-kix_j0q0rkbag4vp-1>li:before{content:"\0025cb "}ol.lst-kix_1ff618ucjbcz-4.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-4 0}ol.lst-kix_1ff618ucjbcz-7.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-7 0}ul.lst-kix_3ty6cqjy78w3-8{list-style-type:none}ol.lst-kix_1ff618ucjbcz-5{list-style-type:none}.lst-kix_e2c41h592wl1-1>li:before{content:"\0025cb 
"}ul.lst-kix_3ty6cqjy78w3-7{list-style-type:none}ol.lst-kix_1ff618ucjbcz-4{list-style-type:none}ul.lst-kix_3ty6cqjy78w3-6{list-style-type:none}ol.lst-kix_1ff618ucjbcz-3{list-style-type:none}ul.lst-kix_3ty6cqjy78w3-5{list-style-type:none}ol.lst-kix_1ff618ucjbcz-2{list-style-type:none}ul.lst-kix_3ty6cqjy78w3-4{list-style-type:none}.lst-kix_39vcel35w7te-8>li{counter-increment:lst-ctn-kix_39vcel35w7te-8}ol.lst-kix_1ff618ucjbcz-1{list-style-type:none}.lst-kix_phffwz6tz7gp-7>li:before{content:"\0025cb "}ul.lst-kix_3ty6cqjy78w3-3{list-style-type:none}ol.lst-kix_1ff618ucjbcz-0{list-style-type:none}.lst-kix_l6vy2v934trl-2>li:before{content:"\0025a0 "}ul.lst-kix_3ty6cqjy78w3-2{list-style-type:none}ul.lst-kix_3ty6cqjy78w3-1{list-style-type:none}ul.lst-kix_3ty6cqjy78w3-0{list-style-type:none}ol.lst-kix_1ff618ucjbcz-8{list-style-type:none}ol.lst-kix_1ff618ucjbcz-0.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-0 0}ol.lst-kix_1ff618ucjbcz-7{list-style-type:none}ol.lst-kix_1ff618ucjbcz-6{list-style-type:none}.lst-kix_1ff618ucjbcz-3>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-3,decimal) ". 
"}.lst-kix_1ff618ucjbcz-0>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-0}.lst-kix_1ff618ucjbcz-8>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-8}.lst-kix_eoup16cfirub-1>li:before{content:"\0025cb "}ul.lst-kix_e2c41h592wl1-5{list-style-type:none}ul.lst-kix_e2c41h592wl1-4{list-style-type:none}ul.lst-kix_e2c41h592wl1-3{list-style-type:none}ul.lst-kix_e2c41h592wl1-2{list-style-type:none}ul.lst-kix_e2c41h592wl1-1{list-style-type:none}.lst-kix_l6vy2v934trl-7>li:before{content:"\0025cb "}ul.lst-kix_e2c41h592wl1-0{list-style-type:none}ol.lst-kix_1ff618ucjbcz-1.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-1 0}ul.lst-kix_e2c41h592wl1-8{list-style-type:none}ul.lst-kix_e2c41h592wl1-7{list-style-type:none}ul.lst-kix_e2c41h592wl1-6{list-style-type:none}.lst-kix_eoup16cfirub-6>li:before{content:"\0025cf "}.lst-kix_j0q0rkbag4vp-4>li:before{content:"\0025cb "}ul.lst-kix_sa99usvb1xiw-6{list-style-type:none}.lst-kix_39vcel35w7te-8>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-8,lower-roman) ". "}ul.lst-kix_sa99usvb1xiw-7{list-style-type:none}ul.lst-kix_sa99usvb1xiw-4{list-style-type:none}ul.lst-kix_sa99usvb1xiw-5{list-style-type:none}ul.lst-kix_sa99usvb1xiw-8{list-style-type:none}.lst-kix_39vcel35w7te-2>li{counter-increment:lst-ctn-kix_39vcel35w7te-2}.lst-kix_39vcel35w7te-6>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-6,decimal) ". 
"}ul.lst-kix_sa99usvb1xiw-3{list-style-type:none}.lst-kix_1ff618ucjbcz-1>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-1}ul.lst-kix_sa99usvb1xiw-2{list-style-type:none}.lst-kix_l6vy2v934trl-6>li:before{content:"\0025cf "}ul.lst-kix_sa99usvb1xiw-1{list-style-type:none}.lst-kix_dcvetu2j4z8t-8>li:before{content:"\0025a0 "}ul.lst-kix_sa99usvb1xiw-0{list-style-type:none}.lst-kix_e2c41h592wl1-2>li:before{content:"\0025a0 "}.lst-kix_l6vy2v934trl-0>li:before{content:"\0025cf "}.lst-kix_j0q0rkbag4vp-8>li:before{content:"\0025a0 "}.lst-kix_l6vy2v934trl-5>li:before{content:"\0025a0 "}ol.lst-kix_39vcel35w7te-6.start{counter-reset:lst-ctn-kix_39vcel35w7te-6 0}.lst-kix_j0q0rkbag4vp-3>li:before{content:"\0025cf "}.lst-kix_mos0jdbrr7he-8>li:before{content:"\0025a0 "}.lst-kix_mos0jdbrr7he-2>li:before{content:"\0025a0 "}ul.lst-kix_mos0jdbrr7he-0{list-style-type:none}ol.lst-kix_1ff618ucjbcz-5.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-5 0}.lst-kix_sa99usvb1xiw-0>li:before{content:"\0025cf "}ul.lst-kix_mos0jdbrr7he-1{list-style-type:none}ul.lst-kix_mos0jdbrr7he-2{list-style-type:none}ul.lst-kix_mos0jdbrr7he-3{list-style-type:none}ul.lst-kix_mos0jdbrr7he-4{list-style-type:none}ul.lst-kix_mos0jdbrr7he-5{list-style-type:none}ul.lst-kix_mos0jdbrr7he-7{list-style-type:none}ul.lst-kix_mos0jdbrr7he-6{list-style-type:none}.lst-kix_39vcel35w7te-0>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-0,decimal) ". 
"}ul.lst-kix_mos0jdbrr7he-8{list-style-type:none}.lst-kix_oft2zk3h1kxu-2>li:before{content:"\0025a0 "}ol.lst-kix_39vcel35w7te-3.start{counter-reset:lst-ctn-kix_39vcel35w7te-3 0}.lst-kix_sa99usvb1xiw-8>li:before{content:"\0025a0 "}.lst-kix_l6vy2v934trl-1>li:before{content:"\0025cb "}.lst-kix_mos0jdbrr7he-5>li:before{content:"\0025a0 "}.lst-kix_mos0jdbrr7he-7>li:before{content:"\0025cb "}.lst-kix_eoup16cfirub-0>li:before{content:"\0025cf "}.lst-kix_1ff618ucjbcz-3>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-3}.lst-kix_1ff618ucjbcz-0>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-0,decimal) ". "}.lst-kix_39vcel35w7te-4>li{counter-increment:lst-ctn-kix_39vcel35w7te-4}.lst-kix_39vcel35w7te-1>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-1,lower-latin) ". "}.lst-kix_phffwz6tz7gp-4>li:before{content:"\0025cb "}ul.lst-kix_8ip75jiqjl8x-4{list-style-type:none}ul.lst-kix_eoup16cfirub-4{list-style-type:none}.lst-kix_8ip75jiqjl8x-5>li:before{content:"\0025a0 "}ul.lst-kix_8ip75jiqjl8x-5{list-style-type:none}ul.lst-kix_eoup16cfirub-5{list-style-type:none}ul.lst-kix_8ip75jiqjl8x-2{list-style-type:none}ul.lst-kix_eoup16cfirub-2{list-style-type:none}ul.lst-kix_8ip75jiqjl8x-3{list-style-type:none}ul.lst-kix_eoup16cfirub-3{list-style-type:none}ul.lst-kix_8ip75jiqjl8x-8{list-style-type:none}ul.lst-kix_eoup16cfirub-0{list-style-type:none}.lst-kix_phffwz6tz7gp-0>li:before{content:"\0025cf "}ul.lst-kix_eoup16cfirub-1{list-style-type:none}ul.lst-kix_8ip75jiqjl8x-6{list-style-type:none}ul.lst-kix_8ip75jiqjl8x-7{list-style-type:none}.lst-kix_1ff618ucjbcz-5>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-5,lower-roman) ". 
"}.lst-kix_dcvetu2j4z8t-6>li:before{content:"\0025cf "}ul.lst-kix_8ip75jiqjl8x-0{list-style-type:none}ul.lst-kix_eoup16cfirub-8{list-style-type:none}ul.lst-kix_8ip75jiqjl8x-1{list-style-type:none}ol.lst-kix_39vcel35w7te-5.start{counter-reset:lst-ctn-kix_39vcel35w7te-5 0}ul.lst-kix_eoup16cfirub-6{list-style-type:none}ul.lst-kix_eoup16cfirub-7{list-style-type:none}.lst-kix_eoup16cfirub-5>li:before{content:"\0025a0 "}.lst-kix_1ff618ucjbcz-1>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-1,lower-latin) ". "}ol.lst-kix_1ff618ucjbcz-8.start{counter-reset:lst-ctn-kix_1ff618ucjbcz-8 0}.lst-kix_3ty6cqjy78w3-3>li:before{content:"\0025cf "}.lst-kix_8ip75jiqjl8x-1>li:before{content:"\0025cb "}.lst-kix_oft2zk3h1kxu-6>li:before{content:"\0025cf "}.lst-kix_1ff618ucjbcz-6>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-6}.lst-kix_39vcel35w7te-5>li{counter-increment:lst-ctn-kix_39vcel35w7te-5}.lst-kix_8ip75jiqjl8x-7>li:before{content:"\0025cb "}ol.lst-kix_39vcel35w7te-8{list-style-type:none}ol.lst-kix_39vcel35w7te-6{list-style-type:none}ol.lst-kix_39vcel35w7te-7{list-style-type:none}ol.lst-kix_39vcel35w7te-4{list-style-type:none}ol.lst-kix_39vcel35w7te-5{list-style-type:none}ol.lst-kix_39vcel35w7te-2{list-style-type:none}ol.lst-kix_39vcel35w7te-3{list-style-type:none}ol.lst-kix_39vcel35w7te-0{list-style-type:none}ol.lst-kix_39vcel35w7te-1{list-style-type:none}ol.lst-kix_39vcel35w7te-1.start{counter-reset:lst-ctn-kix_39vcel35w7te-1 0}.lst-kix_sa99usvb1xiw-7>li:before{content:"\0025cb "}.lst-kix_phffwz6tz7gp-5>li:before{content:"\0025a0 "}ul.lst-kix_oft2zk3h1kxu-8{list-style-type:none}ul.lst-kix_oft2zk3h1kxu-7{list-style-type:none}.lst-kix_e2c41h592wl1-8>li:before{content:"\0025a0 "}ul.lst-kix_oft2zk3h1kxu-4{list-style-type:none}ul.lst-kix_oft2zk3h1kxu-3{list-style-type:none}ul.lst-kix_oft2zk3h1kxu-6{list-style-type:none}ul.lst-kix_oft2zk3h1kxu-5{list-style-type:none}.lst-kix_e2c41h592wl1-3>li:before{content:"\0025cf 
"}ul.lst-kix_oft2zk3h1kxu-0{list-style-type:none}ul.lst-kix_oft2zk3h1kxu-2{list-style-type:none}ul.lst-kix_oft2zk3h1kxu-1{list-style-type:none}.lst-kix_39vcel35w7te-4>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-4,lower-latin) ". "}.lst-kix_j0q0rkbag4vp-2>li:before{content:"\0025a0 "}.lst-kix_39vcel35w7te-6>li{counter-increment:lst-ctn-kix_39vcel35w7te-6}.lst-kix_dcvetu2j4z8t-5>li:before{content:"\0025a0 "}.lst-kix_e2c41h592wl1-7>li:before{content:"\0025cb "}.lst-kix_oft2zk3h1kxu-5>li:before{content:"\0025a0 "}.lst-kix_j0q0rkbag4vp-7>li:before{content:"\0025cb "}.lst-kix_l6vy2v934trl-8>li:before{content:"\0025a0 "}ul.lst-kix_dcvetu2j4z8t-8{list-style-type:none}.lst-kix_sa99usvb1xiw-1>li:before{content:"\0025cb "}ul.lst-kix_dcvetu2j4z8t-7{list-style-type:none}ul.lst-kix_j0q0rkbag4vp-5{list-style-type:none}ul.lst-kix_dcvetu2j4z8t-6{list-style-type:none}ul.lst-kix_j0q0rkbag4vp-6{list-style-type:none}ul.lst-kix_dcvetu2j4z8t-5{list-style-type:none}ul.lst-kix_j0q0rkbag4vp-7{list-style-type:none}ul.lst-kix_dcvetu2j4z8t-4{list-style-type:none}.lst-kix_eoup16cfirub-8>li:before{content:"\0025a0 "}ul.lst-kix_j0q0rkbag4vp-8{list-style-type:none}ul.lst-kix_dcvetu2j4z8t-3{list-style-type:none}ul.lst-kix_dcvetu2j4z8t-2{list-style-type:none}ul.lst-kix_dcvetu2j4z8t-1{list-style-type:none}ul.lst-kix_dcvetu2j4z8t-0{list-style-type:none}.lst-kix_8ip75jiqjl8x-2>li:before{content:"\0025a0 "}ul.lst-kix_j0q0rkbag4vp-0{list-style-type:none}ul.lst-kix_j0q0rkbag4vp-1{list-style-type:none}ul.lst-kix_j0q0rkbag4vp-2{list-style-type:none}ul.lst-kix_j0q0rkbag4vp-3{list-style-type:none}ul.lst-kix_j0q0rkbag4vp-4{list-style-type:none}.lst-kix_39vcel35w7te-2>li:before{content:"" counter(lst-ctn-kix_39vcel35w7te-2,lower-roman) ". 
"}.lst-kix_eoup16cfirub-2>li:before{content:"\0025a0 "}.lst-kix_39vcel35w7te-7>li{counter-increment:lst-ctn-kix_39vcel35w7te-7}ol.lst-kix_39vcel35w7te-0.start{counter-reset:lst-ctn-kix_39vcel35w7te-0 0}.lst-kix_1ff618ucjbcz-7>li{counter-increment:lst-ctn-kix_1ff618ucjbcz-7}ul.lst-kix_l6vy2v934trl-4{list-style-type:none}.lst-kix_oft2zk3h1kxu-7>li:before{content:"\0025cb "}ul.lst-kix_l6vy2v934trl-5{list-style-type:none}ul.lst-kix_l6vy2v934trl-6{list-style-type:none}ul.lst-kix_l6vy2v934trl-7{list-style-type:none}ul.lst-kix_l6vy2v934trl-8{list-style-type:none}.lst-kix_l6vy2v934trl-4>li:before{content:"\0025cb "}.lst-kix_1ff618ucjbcz-6>li:before{content:"" counter(lst-ctn-kix_1ff618ucjbcz-6,decimal) ". "}.lst-kix_dcvetu2j4z8t-7>li:before{content:"\0025cb "}ul.lst-kix_l6vy2v934trl-0{list-style-type:none}ul.lst-kix_l6vy2v934trl-1{list-style-type:none}ul.lst-kix_l6vy2v934trl-2{list-style-type:none}ul.lst-kix_l6vy2v934trl-3{list-style-type:none}ol{margin:0;padding:0}.c8{max-width:468pt;background-color:#ffffff;padding:72pt 72pt 72pt 72pt}.c2{color:inherit;text-decoration:inherit}.c6{padding-left:0pt;margin-left:36pt}.c1{color:#1155cc;text-decoration:underline}.c0{margin:0;padding:0}.c5{height:11pt}.c7{font-weight:bold}.c4{direction:ltr}.c3{font-style:italic}.title{padding-top:0pt;line-height:1.15;text-align:left;color:#000000;font-size:21pt;font-family:"Trebuchet MS";padding-bottom:0pt}.subtitle{padding-top:0pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:13pt;font-family:"Trebuchet MS";padding-bottom:10pt}li{color:#000000;font-size:11pt;font-family:"Arial"}p{color:#000000;font-size:11pt;margin:0;font-family:"Arial"}h1{padding-top:10pt;line-height:1.15;text-align:left;color:#000000;font-size:16pt;font-family:"Trebuchet MS";padding-bottom:0pt}h2{padding-top:10pt;line-height:1.15;text-align:left;color:#000000;font-size:13pt;font-family:"Trebuchet 
MS";font-weight:bold;padding-bottom:0pt}h3{padding-top:8pt;line-height:1.15;text-align:left;color:#666666;font-size:12pt;font-family:"Trebuchet MS";font-weight:bold;padding-bottom:0pt}h4{padding-top:8pt;line-height:1.15;text-align:left;color:#666666;font-size:11pt;text-decoration:underline;font-family:"Trebuchet MS";padding-bottom:0pt}h5{padding-top:8pt;line-height:1.15;text-align:left;color:#666666;font-size:11pt;font-family:"Trebuchet MS";padding-bottom:0pt}h6{padding-top:8pt;line-height:1.15;text-align:left;color:#666666;font-style:italic;font-size:11pt;font-family:"Trebuchet MS";padding-bottom:0pt}</style></head><body class="c8"><p class="c4"><span class="c7">Summary:</span></p><p class="c4"><span>Conference Name: SC Congress Toronto (hosted by SC Magazine)</span></p><p class="c4"><span>Dates: Tues June 11 and Wed June 12 2013</span></p><p class="c4"><span>Location: Metro Toronto Convention Centre, Downtown Toronto</span></p><p class="c5 c4"><span class="c7"></span></p><p class="c4"><span class="c7">Overall summary:</span></p><p class="c4"><span>I was impressed with SC Congress 2013. The speakers were good, the content was current and helpful and the facilities were perfect for the size of the conference. My only complaint is with the food - compared to other conferences I have attended (Sector.ca, for example), the lunch food portions were small and the variety of breakfast food available was limited. 
Overall, I would like to attend this conference again next year.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Here are my summaries of some of the more notable sessions that I attended:</span></p><ul class="c0 lst-kix_eoup16cfirub-0 start"><li class="c6 c4"><span>Day 1 - 9am - “Addressing today’s security challenges in the data centre”</span></li><li class="c6 c4"><span>Day 1 - 9:50am - “The Honey Stick Project: Opportunistic threats and human vulnerabilities”</span></li><li class="c6 c5 c4"><span></span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 1 - Tues June 11 2013:</span></p><p class="c4"><span class="c3">9am - “Addressing today’s security challenges in the data centre”, hosted by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D87%2FloadSearch%3D75965_13&sa=D&sntz=1&usg=AFQjCNHCEB22nr4xBc9XiqbWdcU15kkZuQ">Peter Cresswell</a></span><span class="c3">, senior solutions architect, Trend Micro.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Peter provided a good overview of the security challenges that face the industry today. Of particular interest to me was the Cloud Security Alliance GRC Stack Toolkit. GRC = Governance, Risk Management & Compliance. 
The kit includes the following tools:</span></p><ul class="c0 lst-kix_3ty6cqjy78w3-0 start"><li class="c6 c4"><span>Cloud Audit</span></li><li class="c6 c4"><span>Cloud Controls Matrix</span></li><li class="c6 c4"><span>Consensus Assessments Initiative</span></li></ul><p class="c4"><span>The GRC toolkit can be found at </span><span class="c1"><a class="c2" href="https://www.google.com/url?q=https%3A%2F%2Fcloudsecurityalliance.org%2Fresearch%2Fgrc-stack%2F&sa=D&sntz=1&usg=AFQjCNGSV91AvAotY8MZP14f-6DTl-nyDA">https://cloudsecurityalliance.org/research/grc-stack/</a></span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Peter talked about the types of attacks that are out there and he spent time reviewing Advanced Persistent Threats (APTs). A couple of resources that he referenced include:</span></p><ul class="c0 lst-kix_oft2zk3h1kxu-0 start"><li class="c6 c4"><span>Rik Ferguson’s </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcountermeasures.trendmicro.eu%2Ffrustrate-disrupt-evade%2F&sa=D&sntz=1&usg=AFQjCNEL30bL_3e-sotyS-x5FEI3zfbeDg">Frustrate, Disrupt, Evade</a></span><span> post</span></li><li class="c6 c4"><span>ISACA.org’s </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.isaca.org%2FKnowledge-Center%2FResearch%2FResearchDeliverables%2FPages%2FAdvanced-Persistent-Threats-Awareness-Study-Results.aspx&sa=D&sntz=1&usg=AFQjCNFeE9dsnldKx_tCprGG7-38eV4j2Q">Advanced Persistent Threat Awareness Study Results</a></span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span><INSERT APT-Infographic-large.gif></span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 1 - Tues June 11 2013:</span></p><p class="c4"><span class="c3">9:50am - “The Honey Stick Project: Opportunistic threats and human vulnerabilities”, </span><span class="c1 c3"><a class="c2" 
href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D69%2FloadSearch%3D75965_37&sa=D&sntz=1&usg=AFQjCNGdA_gF45s4cpkUmhePk0sPaLZE2w">Scott Wright</a></span><span class="c3">, @streetsec, security coach and consultant, Security Perspectives</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Scott’s presentation was one of my favourites at SC Congress 2013. Here’s a summary of Scott’s presentation:</span></p><p class="c4"><span><quote>In 2011, an experiment was conducted where “lost” smartphones were allowed to be picked up by the public in order to gather data about human threats to data accessible on those devices. What were the results?</quote></span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Some additional links:</span></p><ul class="c0 lst-kix_8ip75jiqjl8x-0 start"><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.symantec.com%2Fconnect%2Fblogs%2Fintroducing-symantec-smartphone-honey-stick-project&sa=D&sntz=1&usg=AFQjCNGXJrTKvkiFzPbhoyt1OYtBJg74pw">Symantec’s Honey Stick project introduction</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.streetwise-security-zone.com%2Fmembers%2Fstreetwise%2Fadminpages%2Fhoneystickproject&sa=D&sntz=1&usg=AFQjCNEwG91yqRzWuPpTMMJhBwtzat8K0w">Scott Wright’s Honey Stick project overview</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.symantec.com%2Fcontent%2Fen%2Fus%2Fabout%2Fpresskits%2Fb-symantec-smartphone-honey-stick-project.en-us.pdf&sa=D&sntz=1&usg=AFQjCNHuZZmwemIY0jjins6j5SQCxRDr8w">Symantec’s Honey Stick project final report (pdf)</a></span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span>What a fantastic experiment! 
Scott shared some statistics from his experiment:</span></p><p class="c4"><span>Of all of the people that “found” the phones:</span></p><ul class="c0 lst-kix_sa99usvb1xiw-0 start"><li class="c6 c4"><span>50% of people offered to return the phone;</span></li><li class="c6 c4"><span>89% of people accessed personal data;</span></li><li class="c6 c4"><span>83% of people accessed business data;</span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span>I was interested to hear how Scott’s work was funded by Symantec. This is a great example of industry funding some great independent research.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Scott also talked about the need to limit the collection of personal data during his research. In a project like this, the potential to capture photos, location info and behavioural information from those that took the phones could lead to embarrassing or otherwise awkward disclosures of data. Scott did a good job of avoiding the collection of personal info by stating which info he would and would not collect during his research.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Scott left me with a parting thought that still resonates: “We still need more innovation in human studies. People pay attention to stories about other people.”</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>And, Scott also left me wondering, “what will Scott work on next?”! 
I look forward to hearing about future projects.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 1 - Tues June 11 2013:</span></p><p class="c4"><span class="c3">10:55am - “Information security adaptation: Survival in an evolving threat landscape”, </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D63%2FloadSearch%3D75965_16&sa=D&sntz=1&usg=AFQjCNFre-eBE6GTdj98rRl2-I1j1bmFpw">Carl Herberger</a></span><span class="c3">, VP of security solutions, Radware</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>This presentation (I couldn’t find his exact slides, but I found </span><span class="c7">this alternate copy</span><span> from </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.cio.gov.bc.ca%2Flocal%2Fcio%2Finformationsecurity%2FPS2013_pdfs%2FCarlHerberger_vendor.pdf&sa=D&sntz=1&usg=AFQjCNF64nfULIZAddupiRrNP8_5-Pk0Ew">this location</a></span><span>) provided a great overview of the current threat landscape. The presentation offered great statistics pertaining to brands that have been affected by outages over the last 18 months. Vendors include such names as Best Buy, Apple, Walmart, AT&T, KPMG and numerous other large global brands. 
Carl’s key message: nobody is immune.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Carl also shared some stories pertaining to threats, including a story about </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fnews.softpedia.com%2Fnews%2FAnonymous-Hackers-Threaten-Philadelphia-Officials-in-Property-Clean-Up-Scandal-294310.shtml&sa=D&sntz=1&usg=AFQjCNHCKKPp0e3YsDSDDcdwxnP0RETktg">Anonymous intervening in a property dispute in Philadelphia</a></span><span>.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Common cloud targets right now include:</span></p><ul class="c0 lst-kix_phffwz6tz7gp-0 start"><li class="c6 c4"><span>DNS</span></li><li class="c6 c4"><span>ISPs</span></li><li class="c6 c4"><span>CDNs</span></li><li class="c6 c4"><span>CA/CRL</span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span>If you look at the “security trinity”:</span></p><ol class="c0 lst-kix_39vcel35w7te-0 start" start="1"><li class="c6 c4"><span>Confidentiality</span></li><li class="c6 c4"><span>Integrity</span></li><li class="c6 c4"><span>Availability</span></li></ol><p class="c4"><span>Out of the three, availability is the toughest to deal with right now as it is the avenue being exploited by many attackers today.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fddoswarriors.com%2F&sa=D&sntz=1&usg=AFQjCNFtQBLvJWBm9b82Cr6e6xWcaiqk2g">ddoswarriors.com</a></span><span> (aka </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fsecurity.radware.com%2F&sa=D&sntz=1&usg=AFQjCNEYdE-i_xdl0VAa_UROAP-YQC9pag">security.radware.com</a></span><span>) offer some great insight and tutorials into this area.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Carl highlighted some of the various weaknesses that DOS attacks target right now. 
He referred to these by calling them “Gartner Sep 2012: Anti-DoS “BlindSpot””. I couldn’t find the Gartner reference online anywhere, but the slides were compelling in that they showed tools (firewalls, CDNs, etc.) and the attack types that were vectored against the various tools (vulnerability exploits, network flood, etc.). Very informative summary!</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Carl ended with a very compelling (and creative) way of viewing today’s threat landscape. He explained the concept of </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fall-that-is-interesting.com%2Fpost%2F4956385434%2Fthe-first-zombie-proof-house&sa=D&sntz=1&usg=AFQjCNGfwn1VPUuzeWtJ3ubX--zjAdTsWg">the Zombie House</a></span><span>. The house has thick concrete walls that completely envelop the house in the event of a Zombie attack. Carl suggested that we wouldn’t be happy if the concrete only closed 80% of the way, as this would still leave the occupants vulnerable. Similarly, we can’t be satisfied with 80% protection from current threats, otherwise, we remain vulnerable to attack.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Overall, this was a fantastic presentation with plenty of great material.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 1 - Tues June 11 2013:</span></p><p class="c4"><span class="c3">11:45am - “Big Data”</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>This presentation was a panel discussion on big data.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>I didn’t take many notes at this session. 
There was plenty of good discussion, but nothing noteworthy.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>One funny quote from the session: “NSA’s Prism = the best data backup program ever.”</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 1 - Tues June 11 2013:</span></p><p class="c4"><span class="c3">12:55pm - “Keynote: Changing landscape of risk”</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>This presentation offered a high level survey of the changing risk landscape. I didn’t take many notes at this session. There was plenty of good discussion, but nothing noteworthy.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 1 - Tues June 11 2013:</span></p><p class="c4"><span class="c3">3:30pm - “Keynote: How hackers operate: Live demonstrations of current methods of breaching networks and stealing information”, by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D65&sa=D&sntz=1&usg=AFQjCNF_S6kGZrvl2Y8wsu0XE12XuKnd1Q">Derrick Webber</a></span><span class="c3">, penetration testing and digital forensics team lead, CGI</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Derrick demonstrated some practical applications of the </span><span class="c1"><a class="c2" href="https://www.google.com/url?q=https%3A%2F%2Fwww.trustedsec.com%2Fdownloads%2Fsocial-engineer-toolkit%2F&sa=D&sntz=1&usg=AFQjCNEpZMRcBcRJwghbvVqctSHZ7JK2ag">Social Engineering Toolkit (SET)</a></span><span>. He demonstrated how to conduct a phishing attack to obtain user login credentials for banking, Google and other sites. 
In a nutshell, here were the steps:</span></p><ol class="c0 lst-kix_1ff618ucjbcz-0 start" start="1"><li class="c6 c4"><span>Use SET to build a clone of a production website (the site looks the same, only it uses a different URL - wwwgoogle.com.cn for example)</span></li><li class="c6 c4"><span>Use SET to send a phishing email to your target, hoping that they will click the link to your clone website;</span></li><li class="c6 c4"><span>The target goes to the clone website and attempts to log in. At that point, the credentials are captured and the user is redirected to the legitimate website;</span></li><li class="c6 c4"><span>The user then logs in to the legitimate website, usually none the wiser that they just gave up their credentials to the bad guys;</span></li></ol><p class="c5 c4"><span></span></p><p class="c4"><span>Derrick mentioned using the </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.exploit-db.com%2Fgoogle-dorks%2F&sa=D&sntz=1&usg=AFQjCNEMqa2ForMNQmYRSA_j3ft4eRxXuQ">Google Hacking Database</a></span><span> to identify data that Google has crawled and would be useful in an exploit. It really is unbelievable how much publicly available content is available - and Google has done a great job of indexing it and sharing it if you know how to search for it. 
For example:</span></p><ul class="c0 lst-kix_e2c41h592wl1-0 start"><li class="c6 c4"><span>inurl:"/root/etc/passwd" intext:"home/*:" - this will identify publicly accessible password files;</span></li><li class="c6 c4"><span>filetype:ini "This is the default settings file for new PHP installations" - these files contain info that could help you compromise a web server;</span></li><li class="c6 c4"><span>site*.*.*/webalizer intitle:"Usage Statistics" - log files, anyone?</span></li></ul><p class="c4 c5"><span></span></p><p class="c4"><span>Finally, Derrick demonstrated using </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.metasploit.com%2F&sa=D&sntz=1&usg=AFQjCNFR4tplM90bVnccpwCNs5WGJl51Nw">Metasploit</a></span><span> to build a trojan, obfuscate it, attach it to the back of a legitimate exe file (think winword.exe, notepad.exe, etc.) and then deliver the file to an unsuspecting target.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Derrick shared a great slide on preventing hackers from exfiltrating data. It suggested using proxies, blocking ports, etc.
I haven’t seen the slides online yet, but if I find them, I will link to them from here.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Overall, this was an awesome presentation!</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 2 - Wed June 12 2013:</span></p><p class="c4"><span class="c3">9am - “Extending to mobility platforms”, hosted by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D78&sa=D&sntz=1&usg=AFQjCNGcv-fjgWUxX5Jd24oeleP40tuu0w">Daniel Legault</a></span><span class="c3">, senior IAM/security advisor and architect, IBM Canada & </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D94&sa=D&sntz=1&usg=AFQjCNHOl_2B84vgKFLtUrCHb2YS-04zMA">Mike Balneaves</a></span><span class="c3">, director, infrastructure engineering, OMERS.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>This session offered a high level policy overview of mobility deployment concerns. I found this session to be a great survey of the landscape. I was hoping for a more technical presentation, but, unfortunately, there was little in terms of in-depth technical information in this session.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 2 - Wed June 12 2013:</span></p><p class="c4"><span class="c3">9:50am - “Keynote: Supply Chain + cyber intelligence + (insert bad country) = Risk”, hosted by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D64&sa=D&sntz=1&usg=AFQjCNGHOnT6NuRen9moXJLXMi1iPaXTRw">Curtis Levinson</a></span><span class="c3">, U.S. cyber defense advisor to NATO</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Curtis was a great storyteller. 
He shared plenty of stories about the origins and history of Stuxnet, and about a Maryland sorority girl who found herself ostracized after posting offensive material on Facebook.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Curtis summarized his presentation by warning us to be careful where we get our computer equipment from. Beware of the potential for manufacturers (whether foreign or domestic) to insert malware and other spying mechanisms into the supply chain, and ultimately, into your environment.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 2 - Wed June 12 2013:</span></p><p class="c4"><span class="c3">11:30am - “Forensics”, hosted by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D25&sa=D&sntz=1&usg=AFQjCNFnVFf62GApiQs9L69hFTsbS4apfg">Ron Plesco</a></span><span class="c3">, managing director, cyber investigations/risk consulting, KPMG</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Ron provided a great presentation. He walked the audience through a few examples of malware, how they work and how to detect and clean systems that have been infected (rebuild!). I really want to get the slides for this presentation. I will link to them here if/when I obtain them.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Ron started by giving an overview of Leprechaun Lite, which is a 2-year-old malware package that is used to intercept banking info.
He explained how it worked and walked through an example of the malware capturing user data.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Ron shared a fantastic </span><span class="c1"><a class="c2" href="http://youtu.be/t65WaPxPa1s">Jimmy Kimmel Anonymous video from YouTube</a></span><span>. Too funny! This video was referring to </span><span class="c1"><a class="c2" href="https://www.google.com/url?q=https%3A%2F%2Ftwitter.com%2FOp_USA_2013&sa=D&sntz=1&usg=AFQjCNH6KMp0tPgQy2Yh-4mXmjkw3QsreA">OpUSA</a></span><span>, which was supposed to occur on May 7 2013.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Ron summarized the best approach to stopping hackers: “Think like a hacker!” We (as in government, business infosec personnel, law enforcement, etc.) need to be skilled resources who think like hackers, not like pen testers. That’s the only way we’re going to identify and fix threats before the damage is done.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Ron walked us through the investigation steps for an information security incident.
The full steps are exhaustively highlighted in the </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcsrc.nist.gov%2Fpublications%2FPubsSPs.html&sa=D&sntz=1&usg=AFQjCNH27daQJ8FWPkJ0k8vV6LSUPmeAuA">National Institute of Standards and Technology’s</a></span><span> (NIST) </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcsrc.nist.gov%2Fpublications%2Fnistpubs%2F800-61rev2%2FSP800-61rev2.pdf&sa=D&sntz=1&usg=AFQjCNFca7qeh7lOuxCynIc_gWaRK-jcOg">Computer Security Incident Handling Guide</a></span><span>.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Overall, this was a fantastic presentation: plenty of great material, articulate and engaging speaker and interesting topic.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 2 - Wed June 12 2013:</span></p><p class="c4"><span class="c3">12:30pm - “Keynote: Embracing BYOD”, by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D93&sa=D&sntz=1&usg=AFQjCNETf1LN5wPWsFgUlhFQMgmDQqTE4A">Tyler Lessard</a></span><span class="c3">, CMO, </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Ffixmo.com%2F&sa=D&sntz=1&usg=AFQjCNHnbi6MMAfWauFoQuMEByhdKGuQIw">Fixmo</a></span><span class="c3">.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>This presentation offered a high level survey of the risks and best practises pertaining to Bring Your Own Device (BYOD). I didn’t take many notes at this session. 
There was plenty of good discussion, but nothing noteworthy.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 2 - Wed June 12 2013:</span></p><p class="c4"><span class="c3">1:20pm - “Detecting modern malware in your environment”, by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D21&sa=D&sntz=1&usg=AFQjCNHos-nMQL9IkL9KJuwrgzn9AefVMg">Iain Patterson</a></span><span class="c3">, information security officer, Trillium Health Partners</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>This presentation offered a high level survey of how to mitigate, detect, handle and remove malware from computer systems. The bulk of the presentation was fairly high level, discussing process, concepts and best practices.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>The last couple of slides were quite valuable, as they identified the tools that are helpful in detecting and mitigating malware. 
Iain offered two sets of tools:</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>The “Security on a budget” list:</span></p><ul class="c0 lst-kix_mos0jdbrr7he-0 start"><li class="c6 c4"><span class="c1"><a class="c2" href="https://code.google.com/p/security-onion/">Security Onion</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FIptables&sa=D&sntz=1&usg=AFQjCNFjQP3N5Ha3YMOWbSH678zS2_S1zw">IPTables</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.splunk.com%2F&sa=D&sntz=1&usg=AFQjCNE_WRZG14NeYJiX-3q_ba-lwNHb9w">Splunk</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fsyslog-server%2F&sa=D&sntz=1&usg=AFQjCNHHt8ASI15vpa_YjsTnYaZMowsDrQ">Syslog Server</a></span></li><li class="c4 c6"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.clamav.net%2Flang%2Fen%2F&sa=D&sntz=1&usg=AFQjCNENEYKS-Rv0f0Eh_soEW63Vubs0xQ">Clam AV</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fsupport.microsoft.com%2Fkb%2F2458544&sa=D&sntz=1&usg=AFQjCNHIthwfq4G-hLXkfvT7OmX47Wj-kg">EMET</a></span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span>Iain also offered a great list of bigger budget tools. Unfortunately, I couldn’t get the list. 
I’ll be watching for the slides, at which point I’ll update my list.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Iain’s final slide highlighted some great tools for malware analysis:</span></p><ul class="c0 lst-kix_j0q0rkbag4vp-0 start"><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fanubis.iseclab.org%2F&sa=D&sntz=1&usg=AFQjCNHeeJI5bWz5Ngu-YxhwIKfIBtlsLA">Anubis</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.comodo.com%2F&sa=D&sntz=1&usg=AFQjCNEWM9QjoPcODywrM984PuBNtuyibg">Comodo</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Feureka.cyber-ta.org%2F&sa=D&sntz=1&usg=AFQjCNEQOvfPTX7TnaOLEvdosFrNzv-HXg">Eureka</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fvirusscan.jotti.org%2Fen&sa=D&sntz=1&usg=AFQjCNF9kjGeHXzvbNn_RMMmbF4oxzdBtg">Jotti</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fjsunpack.jeek.org%2F&sa=D&sntz=1&usg=AFQjCNFlFygZwY6zNQxSA8uQTzWszRq02Q">Jsunpack</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.threatexpert.com%2F&sa=D&sntz=1&usg=AFQjCNF6UYUB7MPkY3sqGafqAYPsOqi6ZA">ThreatExpert</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="https://www.virustotal.com/en/">VirusTotal</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwepawet.iseclab.org%2F&sa=D&sntz=1&usg=AFQjCNGf1ahD1svdfxVSy7qdWawNyIg2yg">Wepawet</a></span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span>Very valuable resources!</span></p><p class="c5 c4"><span></span></p><p class="c4"><span class="c7">Day 2 - Wed June 12 2013:</span></p><p class="c4"><span class="c3">3:55pm - “Software security: Automation to scale
your secure SDLC”, by </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fcongress.scmagazine.com%2Fpage.cfm%2FAction%3DVisitor%2FVisitorID%3D84&sa=D&sntz=1&usg=AFQjCNGMhgIF3uy4d9pRjejsuMe46F27iA">Nish Bhalla</a></span><span class="c3">, founder, </span><span class="c1 c3"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fsecuritycompass.com%2F&sa=D&sntz=1&usg=AFQjCNE1fYz-SGuY_Wo-5mvvSP3zhoXCig">Security Compass</a></span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Nish provided an overview of project lifecycles and how each requires unique approaches to quality management, specifically relating to security.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>Nish provided a quick overview of the following project lifecycle approaches:</span></p><ul class="c0 lst-kix_dcvetu2j4z8t-0 start"><li class="c6 c4"><span>Waterfall (long planning)</span></li><li class="c6 c4"><span>Agile (Iterative)</span></li><li class="c6 c4"><span>Continuous Integration (no process / ticket at a time)</span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span>For all models, security requirements are inserted at the beginning of the project and/or product feature backlog. Security requirement verification occurs during regression testing.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>I really liked his presentation as it related security to the project management lifecycle, something that is often neglected when thinking about security (as security is often seen as a bolt-on for infrastructure or after the fact work).</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>One interesting thing to note: Nish was extremely casual with his presentation, venturing into the audience to present. 
I was sitting in the front row and for much of the presentation, he was located in the middle of the room speaking to the back half of the room, which required me to turn in my seat to pay attention.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>I was really impressed with the large library of security requirements that Nish displayed during the presentation. He directed us to </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.safecode.org%2Findex.php&sa=D&sntz=1&usg=AFQjCNEBdqbhrWc9QEtlZ99Rf2cNIMOxpA">Safecode.org</a></span><span> where we can find an </span><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.safecode.org%2Fpublications%2FSAFECode_Agile_Dev_Security0712.pdf&sa=D&sntz=1&usg=AFQjCNFy1RsKJ9GICgw_e9_t0FA3o-AFwA">exhaustive security guidance guide</a></span><span>, amongst other resources available on that site.</span></p><p class="c5 c4"><span></span></p><p class="c4"><span>As well, Nish directed us to additional resources at:</span></p><ul class="c0 lst-kix_l6vy2v934trl-0 start"><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Ffreecbt.securitycompass.com&sa=D&sntz=1&usg=AFQjCNGUJ1fStJIJd4rsOts-b9pi-2xdaw">freecbt.securitycompass.com</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Flabs.securitycompass.com%2F&sa=D&sntz=1&usg=AFQjCNGBF-mLORadh7foOFNOJhA1EAX0tg">labs.securitycompass.com</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="http://www.google.com/url?q=http%3A%2F%2Fwww.sdelements.com&sa=D&sntz=1&usg=AFQjCNFKhCBbMet-a_i0bX1w2IgV_whf0w">www.sdelements.com</a></span></li><li class="c6 c4"><span class="c1"><a class="c2" href="mailto:[email protected]">[email protected]</a></span></li></ul><p class="c5 c4"><span></span></p><p class="c4"><span>Overall, this was a great presentation and the resources that Nish suggested are quite 
valuable.</span></p><p class="c5 c4"><span></span></p></body></html>