Hacking by Numbers

The presentation
There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. For example, a vulnerability represents a possible way for an attacker to exploit an asset, but remember not all vulnerabilities are created equal. Obviously we must also keep in mind that just because a vulnerability exists does not necessarily mean it will be exploited, or indicate by whom or to what extent. Clearly, many vulnerabilities are very serious leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers. Autonomous worms & viruses may attack one type of issue, while a sentient targeted attacker may prefer another path. Better understanding of these factors enables us to make informed business decisions about website risk management and what is probable.

The speaker
Tom is a member of the WhiteHat Security team and a volunteer to the OWASP Foundation. Known as Semper Fidelis and as a voracious technovore who excels in solving technical and business issues, strengthening partnerships and cultivating new business relationships. Strong interpersonal skills with the ability to work in a team environment or independently to complete the mission a style acquired while serving with the United States Marines Corps.

Frequent conference speaker and regularly quoted in the media such as the Wall Street Journal, NBC & ABC News in NYC, USA Today, CRN and Dark Reading on technology topics.

Tom has led teams and delivered hands-on technical services for over a decade circumventing, defeating and otherwise thwart clients internal and external security controls for a multitude of public and private critical infrastructure clients. He has also contributed to successful dot-com start-up's, commercial and open-source projects. In addition to raw skill, he holds agnostic industry certifications including: Certified Information Systems Security Professional (CISSP), ISACA Certified Information Security Manager (CISM), National Security Agency, INFOSEC Assessment Methodology (IAM), and Certified Ethical Hacker (C|EH).