The RSA Conference 2014 will be held February 24-28 in San Francisco. Organized around the latest threat trends and developments at the leading edge of the security industry, this year's conference has roughly 20 tracks, including: security analytics, application security, cloud security and virtualization, cryptography, data security and privacy, governance/risk/compliance, hackers and threats, the human element in security, mobile security, policy and government, security strategy, security trends and innovation, and technology infrastructure.
Across these tracks, RSA Conference 2014 will offer more than 300 talks and panel discussions.
Analytics and Forensics
The "Analytics and Forensics" track covers the application of investigative analysis techniques: techniques for collecting and preserving data in order to trace the source of a security attack or other incident, and to identify and communicate ways to defend against it in the future.
At RSA 2014 the "Analytics and Forensics" track has 15 talks: The Art of Attribution: Identifying and Pursuing your Cyber Adversaries; Computer Forensics and Incident Response in the Cloud; The Relevance of Government Cybersecurity Intelligence; Using Big Data to Protect Big Data; '2nd-Wave' Advanced Threats: Preparing for Tomorrow's Sophisticated Attacks; Big Data's Potential in Helping to Secure the Internet of Things; Mobile Analysis Kung Fu, Santoku Style; Targeted Security Analytics: You Know Where They are Going. Be Waiting; Using Automated Cyber Threat Exchange to Turn the Tide against DDOS; Security by and for the People!; Hunting for OS X Rootkits in Memory; A Human Factor Interface for SIEM; Malware Under the Hood – Keeping your Intellectual Property Safe; Collaboration across the Threat Intelligence Landscape; Information Exchange on Targeted Incidents in Practice.
Application Security
Given the growth of web and cloud applications, the "Application Security" track focuses on the secure design, development, deployment and operation of packaged and custom applications. The track covers the current threat landscape and the countermeasures against it.
At RSA 2014 the "Application Security" track has 15 talks: Entropy, Random Numbers and Keys: What's Good Enough?; The NIST Randomness Beacon; Succeeding with Enterprise Software Security Key Performance Indicators; Evaluating the Security of Purchased Software: Can We Find Common Ground?; Scaling a Software Security Initiative: Lessons from the BSIMM; New Foundations for Threat Modeling; DevOps/Security Myths Debunked; DHS Cybersecurity Future Technology: Where We Go From Here; RESTing on Your Laurels Will Get You Pwned; The Game of Hide and Seek, Hidden Risks in Modern Software Development; How We Implemented Security in Agile for 20 SCRUMs - and Lived to Tell; Follow the Money: Security Researchers, Disclosure, Confidence and Profit; Software Liability?: The Worst Possible Idea (Except for all Others); Writing Secure Software Is Hard, but at Least Add Mitigations!; Seven Habits of Highly Effective Security Products.
Cloud Security & Virtualization
The "Cloud Security & Virtualization" track covers security architecture, governance, risk, migration issues, identity management and case studies in the cloud, together with virtualization deployment models, VM integrity and the security of virtual infrastructure.
During RSA 2014 the "Cloud Security & Virtualization" track has 14 talks: Virtualization and Cloud: Orchestration, Automation and Security Gaps; Shifting Roles for Security in the Virtualized Data Center; Cloud Computing in China: Opportunities, Challenges and Risks; Survey of the Operating Landscape Investigating Incidents in the Cloud; Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy; Dueling Banjos - Cloud v Enterprise Security: Using Automation & DevOps NOW; Let Your Users Go Rogue; Is the Cloud Really More Secure Than On-Premise; Hijacking the Cloud: Systematic Risk in Datacenter Management Networks; Oh the PaaSabilities, Security in a Platform as a Service World; Why AWS CloudHSM can Revolutionize AWS; Secure Cloud Development Resources with DevOps; Applying Cryptography as a Service to Mobile Applications; Cloud Application Security Assessment, Guerilla Style.
Cryptography
Cryptography is constantly evolving; this academic track, focused on mathematics and computer science, presents the latest papers in cryptographic science.
During RSA 2014 a series of cryptography research sessions will be held, including: Welcome & Non-Integral Asymmetric Functions; Public-Key Encryption; Hardware Implementations; Side-Channel Attacks; Symmetric Encryption & Cryptanalysis; Digital Signatures; Protocols; The PRNG Debate; Hash Function Cryptanalysis; and Applications of Cryptographic Primitives.
Data Security & Privacy
The "Data Security & Privacy" track covers strategies and technologies for classifying, tracking and protecting data, including database security, data classification, encryption, DLP and emerging threats to sensitive data. The key themes of this track are privacy issues, big data trends, regulation and policy.
The "Data Security & Privacy" track has 16 talks: The Top Privacy Issues to Watch; Implementing Privacy Compliant Hybrid Cloud Solutions; Data Encryption for Virtualized Enterprise; Mission Impossible?: Building and Defending Zero-Knowledge Privacy Services; From Data to Wisdom: Big Lessons in Small Data; Let Go of the Status Quo: Build an Effective Information Protection Program; Honeywords: A New Tool for Protection from Password Database Breach; Castles in the Air: Data Protection in the Consumer Age; Third-Party Cyber Security & Data Loss Prevention; Security vs. Privacy: Who is Winning?; The Boundary Between Privacy and Security: The NSA Prism Program; Is Your Browser a User Agent, or a Double Agent?; Walking the Security & Privacy Talk; Moving from Compliance to Stewardship; BYOD: An Interpretive Dance; How to Discover if your Company's Files are on a Hacker's Shopping List.
Governance, Risk & Compliance
The "Governance, Risk & Compliance" track covers enterprise risk management and compliance, including building and deploying risk management frameworks and quantifying and managing risk.
During RSA 2014 this track has 14 talks: Business Control & Velocity: Balance Security, Privacy, Ethics & Optimize Risk; Trust Us: How to Sleep Soundly with Your Data in the Cloud; Achieving and Exceeding Compliance Through Open Source Solutions; Adventures in Insurance Land – Weaknesses in Risk Pricing and Alternatives; To Regulate or Not to Regulate Cyber Security: That Is the Question; Your Product is Made WHERE?; Information Security Policy for Users (Not Auditors); Buyer Beware: How to Be a Better Consumer of Security Maturity Models; Measurement as a Key to Confidence: Providing Assurance; Ending Risk Management Groundhog Day; Reboot Your IT Threat Risk Assessment (TRA) Process in 20 Minutes; Technical Metrics Aren't Enough: 10 Strategic Security Measures; Visualize This! Meaningful Metrics for Managing Risk; The Dichotomy of the System Administrator.
Hackers & Threats
The "Hackers & Threats" track discusses the hacker underground, advanced threats, new classes of vulnerabilities, vulnerability discovery techniques, reverse engineering, and how to respond to these problems. It also includes discussion of the latest threats.
At RSA 2014 the "Hackers & Threats" track has more than 20 talks: The Dark Web and Silk Road; One Year Later: Lessons and Unintended Consequences of the APT1 Report; Effects-based Targeting for Critical Infrastructure; A Deep Dive into the Security Threat Landscape of the Middle East; An Arms Race: Using Banking Trojan and Exploit Kit Tactics for Defense; Cybersecurity the Old Fashioned Way: Pass Known Good Content; Learning Malware Languages: Fun with Dick and Jane's Malware; Cloud Ninja: Catch Me If You Can!; Whose IP Is It Anyway: Tales of IP Reputation Failures; How Microsoft, FS-ISAC & Agari Took Down the Citadel Cybercrime Ring; Disrupting the Progression of a Cyber Attack; Operation Olympic Games Is the Tom Clancy Spy Story that Changed Everything; They Did What?!? – How Your End Users Are Putting You at Risk; A Hacker's Perspective: How I Took Over Your City's Power Grid.
Talks under the "Advanced Threats" sub-track also include: Anti-Stealth Techniques: Heuristically Detecting x64 Bootkits; Hardware Trojans and Malicious Logic; Security Response in the Age of Mass Customized Attacks; From Disclosing Existing Vulnerabilities to Discovering New Vulnerabilities; Buy Candy, Lose Your Credit Card - Investigating PoS RAM Scraping Malware; C U SRF with Cross USer Request Forgery; Pass-the-Hash: How Attackers Spread and How to Stop Them; DLL Side-Loading: A Thorn in the Side of the Anti-Virus (AV) Industry; Too Critical to Fail: Cyber-Attacks on ERP, CRM, SCM and HR Systems; Bitcoin Is Here: How to Become a Successful Bitcoin Thief!!!; Turning Medical Device Hacks into Tools for Defenders; Hacking iOS on the Run: Using Cycript; Hunting Mac Malware with Memory Forensics; Now You See Me – Attacks with Web Server Binaries and Modules; Eyes on IZON: Surveilling IP Camera Security.
Human Element
The "Human Element" is a leading-edge topic in the security community. The track covers insider threats, social networking/social engineering and security awareness, and discusses how people make trust decisions, innovative ways of protecting personal security, and the human factor in conventional attacks.
At RSA 2014 the "Human Element" track has 16 talks: Security Awareness Metrics - Measuring Change in Human Behavior; Gamifying Security Awareness; The Sixth Man: How Cybersecurity Awareness Programs Strengthen Our Defense; Cognitive Injection: Reprogramming the Situation-Oriented Human OS; Securing Boomers, Gen Xers and Gen Yers: Omg We Are So Different!; Keeping Up with the Joneses: How Does Your Insider Threat Program Stack Up?; It's Time to Offer Facebook Logon to Your Customers; Social Media Single Sign-On: Could You Be Sharing More than Your Password; Helping People Walk the Narrow Path; Changing User Behavior: The Science of Awareness; Social Engineering: When the Phone is More Dangerous than Malware; How to Catch an Insider Data Thief; Malicious Acrobatics on Social Media; The Social Networking Battleground: Growth vs. Security; How to Make a Security Awareness Program FAIL!; Top Attacks in Social Media.
Mobile Security
The "Mobile Security" track focuses on strategy, process and technology for BYOD management, smart device security and the consumerization of IT, including mobile malware, application threats, device management and new threats to mobile platforms.
At RSA 2014 the "Mobile Security" track has 14 talks: Finding Needles in a Needlestack with Graph Analytics and Predictive Models; Mobile Devices Security: Evolving Threat Profile of Mobile Networks; What Is the Future of Data Privacy and Security in Mobile?; Assume a Hostile Environment: Securing Mobile Data in the App; Touchlogger on iOS and Android; Predatory Hacking of Mobile: Real Demos; OTT, Virtual Carriers and the New Wave of Spam Threats in the 4G/LTE World; Android Security - Building a Secure Open Source Platform; Practical Attacks against MDM Solutions (and What Can You Do About It); Why Mobile Should Stop Worrying and Learn to Love the Root; Rogue Mobile Apps: Nuisance or Legit Threat?; Lessons Learned from Physical Tamper-Response Applied to Client Devices; Mobile Application Assessments by the Numbers: A Whole-istic View; Smartphone Privacy.
Policy & Government
Security in cyberspace is a matter of national and economic security. Governments are developing policies that shape the work of public and private sector security professionals. The "Policy & Government" track covers legislation, military/legal issues, APTs, active defense, critical infrastructure and the role of government.
At RSA 2014 the "Policy & Government" track has 15 talks: Can Government Cybersecurity Policies Balance Security, Trade & Innovation?; Facts vs. Fear: Foreign Technology Risks in Critical Industry Sectors; Updating the Law on Government Access to Your Online Data; Securing Our Nation's Data Centers Against Advanced Adversaries; An Overview of the EO Cybersecurity Framework; Meet the PCLOB: An Introduction to the Independent US Privacy and Civil Liberties Oversight Board; Riding the Tiger – Harnessing the Power of Industry in Cyber Security; Watching the Watchers: Privacy Officers Inside the U.S. Government; Cyber Legislation: National Security & Corporate Responsibility Collide; Government x 2: State and Federal Collaboration on Cybersecurity; Cyber Battlefield: The Future of Conflict; View from the Inside: DHS Priorities in Cybersecurity; Leading Cybersecurity: Technically Sexy, Programmatically Dowdy; Risk and Responsibility in a Hyper-Connected World; Effects of Recent Federal Policies on Security and Resiliency Landscapes.
Security Strategy
The "Security Strategy" track covers strategy, planning and new frontiers in enterprise security architecture, and the management issues involved in running a successful security program, including the frameworks and tools needed to build one.
At RSA 2014 the "Security Strategy" track has 16 talks: Response Plan Fitness: Exercise, Exercise, Exercise!; Security PR 101; Anatomy of a Data Breach: What You Say (or Don't Say) Can Hurt You; Inflection: Security's Next 10 Years; Implementing a Quantitative Risk-Based Approach to Cyber Security; Security of Large Complex Technical Systems; 10 Dimensions of Security Performance for Agility & Rapid Learning; The Steps Zurich Took to Build an "Effective" Information Security Program; How Joshua DoSed Jericho: Cybersecrets of the Bible; Criticality Analysis & Supply Chain: Providing "Representational Assurance"; Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome; Mutiny on the Bounty: The Epic Tale of How Data Defeated Dogma; Where Do We Go from Here, Now That Our Internet Is Gone?; Eight Conflicts Which Changed Cyberspace; A CISO's Perspective: Protecting with Enhanced Visibility and Response; The Role of a Cyber Mercenary.
Technology Infrastructure
The "Technology Infrastructure" track covers security technology architecture and strategy, including new technology trends, network/endpoint security, enterprise rights management, vulnerability assessment, IDS/IPS and physical/embedded device security.
The "Technology Infrastructure" track has 16 talks: Ensuring Your 3rd Party Vendors and Partners are Secure; Building a Bunker for Business Assets and Processes; Are Mobile Devices the Answer to the Strong Authentication Problem?; New Ideas on CAA, CT, and Public Key Pinning for a Safer Internet; The Future of Authentication: Different Approaches to the Same Goal; A Penetration Testing Maturity and Scoring Model; Smart Grid Security: A Look to the Future; Beyond Information Warfare: The History of the Future of Security; Tinker Bell SSL: Avoiding the Neverland Security Infrastructure; Is the Security Industry Ready for SSL Decryption?; Make Way for the Internet of Things; SDN & Security: Why Take Over the Hosts When You Can Take Over the Network; Babel Revisited: Lessons from an IPv6 Transition; Utilities and Cybersecurity - Myth and Reality; Building and Extending Solutions with Hardware Trust; Malware Defense Integration and Automation.