Past Conferences
3rd ISACA Athens Chapter Conference 2 & 4 November 2013

KEYNOTE PRESENTATIONS

Emerging IT Trends and their Implications to the Audit Profession
with Gregory Grocholski, CISA, Global Business Finance Director for The Dow Chemical – ISACA International President 2012-2013

Abstract: No one doubts or questions the impact of technology in social and business environments. The challenge for organizations will be to understand the risks, balance cost versus controls, and ensure critical assets are secured in a manner that still allows for the optimal use of those assets. The audit profession needs skilled IT auditors to adequately address emerging IT trends, their risks, and the pace at which all of this is occurring.

Bio: Gregory T. Grocholski, CISA, is a global business finance director for The Dow Chemical Company, at the global headquarters in Midland, Michigan, USA. Grocholski has 30 years of experience with Dow serving in various capacities and managerial positions, including accounting, information systems, auditing, and controllers. Recently, he served as the company's chief audit executive leading the Corporate Investigations Services group and was accountable for Dow's worldwide audit activities in the Finance, IT, and operations areas.

ENISA and ISACA Workshop Addresses Cybersecurity Challenges for Telecom Operators and Regulators
with Dr. Christos Dimitriadis, CISA, CISM, CRISC, Group Head of Information Security, Compliance and Innovation for Intralot Group – Director at ISACA International BoD
and
with Dr. Evangelos Ouzounis, Head of Unit-Secure Infrastructure and Services, ENISA

Abstract: "On the 11th of June 2013, during ISACA Insights 2013, ENISA and ISACA jointly organized a workshop on today's cyber security challenges for telecom operators and ISPs, with cyber security experts, auditors, and national regulators analyzing the subject. Dr. Ouzounis and Dr. Dimitriadis will provide a summary of the results of the workshop and an update in relation to Article 13a of the European Union Framework Directive of Telecom Reform. Cybersecurity needs and strategies, as well as their relation to auditing, will also be discussed, describing a cross-industry approach."

Bio: Christos K. Dimitriadis, CISA, CISM, CRISC, is an International Vice President of ISACA. He is also the Group Head of Information Security, Compliance and Innovation for Intralot Group, a multinational supplier of integrated gaming and transaction processing systems based in Greece, managing information security in more than 50 countries on all continents. Mr. Dimitriadis has served ISACA as chairman of the External Relations Committee and as a member of the Relations Board, Academic Relations Committee, ISACA Journal Editorial Committee and Business Model for Information Security Workgroup. Mr. Dimitriadis has been working in the area of information security for 11 years and has authored 70 publications in the field. He has provided information security services to the ITU, European Commission Directorates General, European Ministries and international organizations, as well as business consulting services to entrepreneurial companies. Mr. Dimitriadis received a diploma in electrical and computer engineering from the University of Patras, Greece, and a Ph.D. in information security from the University of Piraeus, Greece. In 2013, Christos received the "John W. Lainhart IV Common Body of Knowledge Award" from ISACA International.

Bio: Dr. Evangelos Ouzounis is the head of ENISA's Resilience and Critical Information Infrastructure Protection (CIIP) Unit. His unit implements the EU Commission's CIIP action plan, organises the CIIP exercises (e.g. Cyber Europe 2012/10, Cyber Atlantic 2011), facilitates Member States' efforts towards a harmonised implementation of the incident reporting scheme (Article 13a of the new Telecom Package), and develops good practices for national cyber security strategies and national contingency plans. ENISA's Resilience and CIIP Unit also runs numerous other studies on cyber security aspects of critical sectors and services, such as Industrial Control Systems (SCADA), Smart Grids, Cloud Computing, Botnets and Interconnected Networks. The Unit also issues strategic recommendations and develops good practices for relevant stakeholders. Prior to his position at ENISA, Dr. Ouzounis worked for several years at the European Commission, DG Information Society and Media (DG INFSO). He contributed significantly to the EU Commission's R&D strategy and policies on securing Europe's infrastructures and services. Dr. Ouzounis was co-founder of the Electronic Commerce Centre of Competence (ECCO) at the Fraunhofer Institute for Open Communication Systems (FhG-FOKUS, Berlin, Germany). He led and managed more than 20 pan-European and international R&D projects. Dr. Ouzounis holds a Ph.D. from the Technical University of Berlin and a master's degree in computer engineering and informatics from the Technical University of Patras, Greece. He was a lecturer at the Technical University of Berlin, wrote 2 books and more than 20 peer-reviewed academic papers, and chaired several international conferences.

IT Governance and Emerging Trends
with Georges Ataya, CISA, CGEIT, CRISC, CISM, CISSP, Managing Partner at ICT Control - Professor at Solvay Business School – Past ISACA International VP

Abstract: Georges Ataya will present the major challenges facing today's CIOs in terms of building the infrastructure for tomorrow, information availability, and how to run IT as a business. He will present various frameworks and management methods, including the eSCM sourcing framework, the IVI-CMF value creation framework, the agile concept, and the need for adequate Enterprise and IT Architecture.

Bio: Professor Georges Ataya is the Academic Director of IT Management Education at Solvay Brussels School of Economics and Management (Executive Education). He is also a Professor in the Master in Management, delivering the Enterprise Consulting workshop since 2006 and in charge of IT Governance since 2011 (Master Graduate study) (solvay.edu/it). As a Managing Partner with ICT Control (a Brussels-based firm) he is involved in consulting and management advisory in the domains of IT Governance, Information Security Management, Enterprise Architecture and sourcing management (Ictc.eu).

Geo-Location: Risks, Strategies and Audit Aspects
with Urs Fischer, CISA, CRISC, CIA, CPA, Owner & CEO Fischer IT GRC Consulting & Training, Member of ISACA/ITGI's Nomination Committee

Abstract: Geo-location data, revealing an individual's physical location, are obtained using tracking technologies such as global positioning system (GPS) devices, Internet Protocol (IP) geo-location using databases that map IP addresses to geographic locations, and financial transaction information. Uses of the information are myriad, including direct marketing and context-sensitive content delivery, monitoring of criminals, enforcing location-based access restrictions on services, cloud balancing, and fraud detection and prevention. Geo-location technologies and their application, while offering social and economic benefit to a mobile society, raise significant privacy and risk concerns for individuals, businesses and governments. In this presentation you will learn about the risks involved, the strategies to respond to these risks, and the audit aspects to cover.

Bio: Since October 2010, Urs Fischer has been working as an independent IT GRC consultant and trainer. He was vice-president and head of IT governance, risk management and IT security within the Swiss Life Group from December 2003 through September 2010. Prior to that he worked for 4 years as head of IT audit for the Swiss Life Audit Department based in Zurich, Switzerland. Since 1989, Fischer has worked in the IT governance, audit and security areas and has gained extensive IT governance, risk management and information systems security work experience, especially in the finance and insurance sector. In 2010, Fischer received the "John Lainhart IV - Common Body of Knowledge Award" in recognition of his major contributions to the development and enhancement of the common body of knowledge used by ISACA's constituencies in the fields of IS audit, security and/or control, risk management, and IS risk management certification.

VoIP Forensics
with Dr. Vasilis Katos, CHFI, Associate Professor and Director of the Information Security and Incident Response Research Unit, Department of Electrical and Computer Engineering, Democritus University of Thrace - ISACA Academic Advocate

Abstract: VoIP services are becoming very popular and are adopted by many organizations and individuals. In this presentation, we will examine common security threats against VoIP infrastructures and the relevant forensic artifacts that can be obtained during an investigation in order to identify the threat sources. We will show how analysis can be performed over a popular Voice over IP (VoIP) protocol and propose a framework for capturing and analyzing volatile VoIP data in order to determine the forensic readiness requirements for effectively identifying an attacker. We will establish that if forensic readiness processes and controls are in place, a wealth of evidence can be obtained, such as the private IP addresses of the attacker even in the presence of NAT, as well as the type of end user equipment of the legitimate users and the attack tools employed by the malicious parties.

Bio: Dr. Vasilis Katos, CHFI, is Associate Professor and Director of the Information Security and Incident Response Research Unit at the Department of Electrical and Computer Engineering at the Democritus University of Thrace. Prior to this post, he was Principal Lecturer at the University of Portsmouth and tutor for the MSc in Forensic IT programme. Dr. Katos has worked as an expert witness in the UK and as a security architect for Cambridge Technology Partners (Novell, Inc.) for a period of two years. His research interests are in the area of digital forensics and incident response.

INTERNATIONAL SPEAKERS SLOTS

Cyber Crimes and the Cyber Criminals who Commit them - Example Investigations

with Mrs. Charlie McMurdie, Senior Cyber Crime Advisor, PwC, Former Head of Law Enforcement National Cyber capability, Police Central e-Crime Unit, Metropolitan Police-UK (1981-2013)

Abstract: Charlie will present on a number of recent investigations conducted to identify and prosecute the offenders behind cyberattacks, covering the motives for attack, the methods used and the harm caused. Case examples will cover successful prosecutions in the UK totalling over £1.2 billion in the last two years, including hacktivist attacks on the financial sector, Security Services and industry, Organised Crime Groups stealing millions from UK banks, and DarkMarkets which enable cybercrime as well as traditional crime such as the supply of drugs and firearms.

Bio: Charlie McMurdie is the Senior Cyber Crime Advisor at PwC. She is an acknowledged cyber crime and security expert. She has over 30 years' service in the Metropolitan Police where she built the Police Central e-crime Unit, now a world class cyber crime capability and the national cyber crime investigative and enforcement body in the United Kingdom. She is an internationally acclaimed authority and advisor on issues within government and industry in relation to the Internet, communication technology, computing and security sectors. Charlie's personal network spans academia, industry, government, law enforcement, and intelligence and security agencies internationally. Charlie advises cyber security teams across Forensics, Risk Assurance and Legal services and also lectures on cyber security matters at a variety of UK universities.

Advanced Persistent Threat vs Defenders: Why we keep losing this game
with Nikolaos Virvilis, CISA, CISSP, GPEN, Information Assurance Scientist, NATO Communications & Information Agency

Abstract: As both the number and the complexity of cyber-attacks continuously increase, it is becoming evident that current security mechanisms have limited success in detecting sophisticated threats. Stuxnet, Duqu, Flame, Red October and, more recently, Miniduke have troubled the security community due to their severe complexity and their ability to evade detection, in some cases for several years, while exfiltrating gigabytes of data or sabotaging critical infrastructures. The significant technical and financial resources needed for orchestrating such complex attacks are a clear indication that the perpetrators are well organized and, likely, working under a state umbrella. In order to address such complex threats, we have to redesign our defenses from the ground up, focusing on defense in depth and big data analytics.

Bio: Nikos Virvilis, MSc, CISSP, CISA, GPEN, holds the position of "Information Assurance Scientist" at the Cyber Defense and Assured Information Sharing Division of the NATO Communications and Information Agency in the Netherlands. In the past, he has worked as an Information Assurance Consultant/Security Expert for Encode S.A. and the Hellenic Army. He received his Bachelor's degree from the Athens University of Economics and Business and his Master's from Royal Holloway, University of London. He is a PhD researcher at the Athens University of Economics and Business focusing on Advanced Persistent Threat Detection and Mitigation, under the supervision of Prof. Dimitris Gritzalis.

SPEAKING SLOTS

Using Data Analytics and Continuous Auditing for Effective Risk Management

with Iraklis Kanavaris, CISA, ISO 27001 LA, Supervising Senior Advisor, IT Risk and Management Consulting, KPMG Advisors A.E.

Abstract: Organizations are increasingly exposed to a variety of new risks, such as growing compliance regulations, fraud schemes, operational inefficiencies and errors that can lead to financial loss or other operational risk, as well as reputational damage. As a result, organizational efforts to adopt innovative ways to assess and manage risk and enhance performance are critical. Data analytics and continuous auditing/monitoring have long been viewed as initiatives that can streamline business processes and mitigate business risks by providing operational efficiencies, reducing costs and detecting potential fraud, errors and abuse earlier, all while providing a higher quality audit. They are also increasingly becoming a way for organizations to create value.

Bio: Iraklis Kanavaris has more than ten years of professional experience in Information & Communications Technology (ICT) and IT Risk Management. His primary professional focus is on the areas of IT GRC, IT Audit and Information Security. During his professional career, he has assisted many organizations, from various industry sectors, in the alignment of IT strategic objectives with key business objectives, the implementation of cutting-edge IT solutions, as well as with the effective management of IT-related business process and security risks in compliance with regulatory frameworks (e.g. SOX-404). He also has extensive experience in the areas of IT risk assessment, IT attestation (SOC1/SOC2 and ISAE 3402), IT due diligence and the development of business continuity & disaster recovery plans. Mr Kanavaris holds a BSc in Computing and Management (University of Essex, UK) and an MSc in Information Technology for E-Commerce (University of Sussex, UK).

Sharing the Governance Burden
with Giorgos Gerogiannis, Datacenter & Cloud Solutions Manager, Unisystems A.E.

Abstract: "A problem shared is a problem halved, unless that problem is Governance. Outsourcing elements of your IT infrastructure to an external hosting provider necessarily demands a different approach to governance than with traditional dedicated environments. When the business no longer has direct access to its systems, compliance teams and governance boards must maintain certain standards of performance, security, confidentiality, integrity and availability from a distance." (Colin Bycroft, regulatory expert)
This requires an amount of cooperation that obviously depends on the demands of specific pieces of compliance. This cooperation requires input from the customer's business and technical experts, our architects, security experts and trusted third parties. We all have a role to play in protecting an application's infrastructure and data. At Unisystems, we believe that Governance is a shared responsibility between us and our customer. When we communicate and agree on these roles and responsibilities, we can work together on the basis of a trust relationship.

Bio: Giorgos Gerogiannis is an electronic systems engineer and holds several certifications, including ITIL. He has worked at Uni Systems since 2002 and is currently responsible for Uni Systems Cloud and Datacenter Solutions and the relevant offering across all industries.

Protecting from NextGen Hacking Targets: From Information-Driven Security to the Assurance of Everyday Life
with Dr. Emmanouil Serrelis, CISM, PhD (InfoSec), Information Security Expert

Abstract: Are your TV, washing machine and car protected from hacking attempts? Are you? Security threats are no longer just for financial institutions and information-driven environments. Hackers aim for everyday people, targeting commercial and consumer appliances. This session presents some of the most noteworthy next generation hacking targets, discussing what other industries should learn from information security-aware organizations, as well as how they can build a realistic risk reduction action plan.

Bio: Emmanouil Serrelis (BEng, MSc, MBA, PhD, CISM) is an Information Security expert and lecturer with over 17 years' experience in the areas of Information Technology, Telecommunications, Business Administration and Security Management. He has been an Information Systems Security Officer in a large financial institution and coordinator of numerous InfoSec projects (Private, Public, European, Applied and Research), a member of Technical Committees and a speaker at multiple scientific and technical conferences. He is the author of various publications and his main research interests are Information Security Metrics, Management of Critical Information Systems and Secure P2P Electronic Financial Services.

Look into the Past, Unlock Your Creativity and Predict the Future
with Mr. Yiannis Lefkakis, ISACA Athens Chapter President

Abstract: "Today and tomorrow are yet to be said. The greatest adventure is what lies ahead. The chances, the changes are all yours to make" (J. R. R. Tolkien, The Hobbit). As the current year is almost gone, let us all share last year's activities and projects that distinguished the Chapter and gave it international recognition and pride. The past gave us an identity, but the future is not an inheritance. It is an opportunity: get engaged with the great team of ISACA Athens Chapter Leaders, inspire, create, fulfill.

Bio: Mr. Yiannis Lefkakis has 13 years of experience in the banking sector, in both auditing and operational areas, where he held senior managerial positions in Millennium Bank and National Bank of Greece. He is currently working at the Bank of Greece in the Department of Supervision of Credit and Related Institutions. He holds a BSc in Business Administration from the University of Piraeus and an MSc in Internal Auditing and Management from London's Cass Business School (formerly City University). He is certified as CISA, CRISC and CFE. He joined ISACA back in 2001 and has been a member of the Athens Chapter BoD since 2008. He set up the award-winning Newsletter, has served on the Education Committee and as Vice-President, and has been the President and Marketing Coordinator since 2012.

Everything We Do About Security is Wrong
with Dr. Konstantinos Ap. Eleftherianos, Business Development Manager, Marketing, Enterprise & Business Customers, ΟΤΕ
and
with Dr. Konstantinos Papapanagiotou, Information Security Services Team Leader, ΟΤΕ

Abstract: Although security awareness has increased in recent years, more and more engineers specialize in security, and the related investments have grown significantly, security incidents are at the same time increasing globally, in both frequency and impact. In any other science or activity, increased investment and manpower would result in increased quality. This appears not to be the case for security, where the opposite occurs. Therefore we are doing something wrong, and the practices we follow should be reappraised.

Bio: Dr. Konstantinos Ap. Eleftherianos received the BSc degree in Physics and the MSc degree in Telecommunications from the University of Athens, and the PhD degree in Computer Science from the University of Athens (Dept. of Informatics). He started his career in 1992 as an academic researcher in the field of Optical Communication, engaged in several national and European research programmes in the field of high-speed optical networks. Since 1999 he has worked in large mobile and fixed telecom operators in South Eastern Europe (Vodafone, OTE, OTE International), holding managerial positions in Engineering, Technology, Regulatory and Business Development departments. He is currently Business Development Manager in the Enterprise & Business Customers Marketing Division of OTE. His main activity is the investigation of new ICT business development areas. He has been responsible for the elaboration and implementation of OTE's Business Plan for the provision of Information Security services to its corporate and business customers.

Bio: Dr Konstantinos Papapanagiotou is an information security consultant with more than 12 years of experience both as a corporate consultant and as an academic researcher. He leads the team of information security consultants at OTE, offering services to the entire customer portfolio of Greece's biggest telecommunications provider. Prior to that, he served as Information Security Services Manager at Syntax IT Inc. He also leads the OWASP Greek Chapter and the OWASP Hackademic Challenges Project, and last year he organized the OWASP AppSec Research 2012 conference, one of the 4 annual global conferences of OWASP. He received the WASPY Award for 2012. He holds a BSc and PhD from the Department of Informatics and Telecommunications, University of Athens, and an MSc with distinction in Information Security from Royal Holloway, University of London. Dr. Papapanagiotou is a frequent expert speaker at international conferences, e.g. ISACA Athens Chapter, OWASP, etc.

The OWASP Hackademic Challenges Project
with Dr. Vasileios Vlachos, Lecturer at Technological Education Institute of Thessaly – ISACA Academic Advocate

Abstract: The OWASP Hackademic Challenges Project is an open source project that helps students test their knowledge on web application security. The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

Bio: Dr. Vasileios Vlachos is a lecturer at the Department of Computer Science and Engineering of the Technological Educational Institute (TEI) of Thessaly. He is a senior R&D engineer at the Research Academic Computer Technology Institute (R.A.C.T.I.) of Patras, Greece. He was a member of the Digital Awareness and Response to Threats (DART) team of the Special Secretariat for Digital Planning of the Hellenic Ministry of Economy and Finance. Dr. Vlachos holds a Diploma of Engineering in Electronic & Computer Engineering from the Technical University of Crete, an MSc in Integrated Hardware and Software Systems from the Department of Computer Engineering and Informatics of the University of Patras, and a PhD in Information Systems Security from the Department of Management Science and Technology of the Athens University of Economics and Business. Dr. Vlachos has taught at the University of Thessaly, the University of Central Greece and the University of Piraeus. He is co-founder and coordinator of the DART-NGO (Non-Governmental Organization).

Conference Chairman

Dr. Dimitrios Gritzalis, Professor of ICT Security, Director of the M.Sc. Programme, Director of the Information Security and Critical Infrastructure Protection Laboratory, Dept. of Informatics, Athens University of Economics and Business

Bio: Dr. Dimitris Gritzalis is a Professor of ICT Security, the Director of the M.Sc. Programme, and the Director of the Information Security and Critical Infrastructure Protection Laboratory, with the Dept. of Informatics of the Athens University of Economics and Business. He holds a B.Sc. (Mathematics, Univ. of Patras), an M.Sc. (Computer Science, City University of New York), and a Ph.D. (Critical Information Systems Security, Univ. of the Aegean). Prof. Gritzalis has served as Associate Commissioner of the Greek Data Protection Commission and as the President of the Greek Computer Society. For more than 25 years he has participated in more than 100 research and consulting projects. His technical publications include 10 books and more than 150 papers. His current research interests focus on privacy in social media, digital forensics, and critical information infrastructure protection.