General Info on 2007 VASCAN Conference


VA SCAN's fourth annual conference will be held on Thursday and Friday October 18-19 at Virginia Commonwealth University in Richmond, Virginia. Don't miss this opportunity to hear leaders in the IT security field discuss current issues and share ideas on effective IT security practices.

Who should attend?
IT managers, IT security professionals, technical staff, and auditors from Higher Education, K-12, Government, and Law Enforcement.

Only a few more days to register!
Conference Registration is $100. There will be no on-site registration. Sorry! Registration is NOW CLOSED.


Shon Harris will discuss the barriers and mistakes that almost every organization is making today with their attempts to develop a holistic security program, roll out a security governance framework, and integrate security into business processes. For more information on Shon, please visit her website.

Join David J. Bianco for TCP/IP Weapons School, VASCAN Edition. We will walk up the layers of the OSI model, examining packet traces that detail the various ways attackers abuse core TCP/IP functionality. David is president of Vorant Network Security in Williamsburg, Virginia. For more information on him, visit his website.

Things to Do in Richmond: You can learn more about the Richmond area, including its history, culture and local attractions, by visiting

Conference Sponsors...
We thank our 2007 Conference sponsors.


Conference Logistics
The VA SCAN conference will be held in the Virginia Commonwealth University Student Commons on the Monroe Park Campus.

VCU Student Commons (conference will be on the second floor)

Monroe Park Campus (see Student Commons between Main St. and Floyd St. near Cherry St. and West Main Street Deck on Cherry St.)

Hotel Information
The following hotels are in downtown Richmond. All the rates listed below are per night and do not include tax. Hotels are filling fast, so please book your lodging ASAP! These hotels are NOT blocking rooms for us, but still have rooms available and accept state rates:

The Commonwealth Park Suites Hotel ($115 plus tax, ask for state/govt rate)
901 Bank St. (804) 343-7300. Currently they do have rooms available for 10/17 & 10/18

Comfort Inn Conference Center, Midtown ($77.00 plus tax, ask for state rate)
3200 W. Broad St. (804) 359-4061. Currently they do have rooms available for 10/17 & 10/18

Linden Row Inn ($95 plus tax, depending on room, ask for state rate )
100 E. Franklin St. (804) 783-7000. Currently they do have rooms available for 10/17 & 10/18

Parking is available at the West Main Street Deck. Parking passes will be distributed at the registration table each day. Note that if you are staying at the Doubletree Hotel Richmond Downtown, the VCU Student Commons is within walking distance.

Tentative schedule
October 18 and 19, 2007
Begins at 8:45 am on October 18.
Begins at 7:45 am on October 19.

Virginia Commonwealth University
University Student Commons
907 Floyd Ave, Richmond, VA

To Register
Reserve your spot today! Conference Registration is $100; pre-registration required. Sorry! Registration is NOW CLOSED!

To register as an Attendee, click here. NOTE: On the registration form, please be sure to indicate which sessions you anticipate attending. Also note that there is a laptop requirement for the technical training, TCP/IP Weapons School.

To register as a Sponsor, please click on the Sponsorship Tab above.

Laptop Requirements for TCP/IP Weapons School, VASCAN Edition.
Students must have a laptop with Wireshark/Ethereal installed, and an OpenSSH client. You can download Wireshark/Ethereal here.
Open SSH clients are available here.

To run the VM, the student will need the free VMware Player or Server or the commercial Workstation. You can download the free VMware Player here.

The student laptop should have a wireless connection (802.11b or 802.11g) and preferably an Ethernet port to connect to a wired network. Wireless guest accounts will be provided when you receive your registration material at the VA SCAN Conference registration desk.


Day 1 - Thursday, October 18, 2007

8:45-9:45 AM Breakfast, Check-in -- Richmond Salons Foyer
9:45-10:45 AM Shon Harris -- Keynote address -- Ballroom
Developing a holistic security program, rolling out a security governance framework, integrating security into business processes: these are concepts that are discussed in articles, books, and at conferences. These are important components to any organization's security posture, but a utopia for most because hardly any of these organizations really knows how to accomplish many of these high-level goals. Shon Harris will illustrate why almost no organization is actually accomplishing these goals today.

Shon Harris will discuss the barriers and mistakes that almost every organization is making today in its attempts to accomplish the goals mentioned above. Each organization is painfully trying to develop "its own wheel" and is continually making the same expensive and time-consuming mistakes.

Our industry is currently at an evolutionary point in corporate security: it needs to take the step out of chaos and confusion and into standardization and structure. Shon will go through how corporations currently set up security programs and why they fail. She will also explain what needs to happen within every organization to stop this madness, enable every organization to be much more self-sufficient and secure, and make better-informed decisions pertaining to all aspects of security.

10:45-11:00 Break in Richmond Salon
11:00 AM-12:00 PM Evaluating an Emergency Notification System: Features & Issues to consider -- Richmond Salons
Virginia Tech performed a brief, but thorough review of vendors and products in the area of Emergency Alert/Notification Systems in the Spring of 2007. Although initially part of a strategic investigation into advanced messaging technology, events in the fall of 2006 and April 2007 created a more focused approach. Product features and requirements for such systems, as well as local enhancements and integration with existing systems made at Virginia Tech will be presented and discussed at this session by William C. Dougherty.

BioPassword -- Richmond Salons
Strong Authentication: Why do you need it? What are your options?
Justin Kapahi will be presenting on the current state and challenges surrounding the use of passwords for desktops, servers, and remote clients. Justin will compare and contrast the use of token-based systems versus biometric systems. Finally, a new cutting-edge biometric strategy will be introduced.

12:00-1:30 PM Lunch in Ballroom
1:30-2:45 PM BREAKOUT -- Richmond Salons
Audit Track: ARMICS
Joseph Kapelewski, Asst. Director, Virginia Department of Accounts
An overview of the Commonwealth of Virginia's Agency Risk Management and Internal Control Standard (ARMICS). These standards provide guidance for establishing and assessing agency internal controls in order to more effectively manage risk and maintain accountability.
BREAKOUT -- Richmond Salons
Network Access Control
Panel Member Questions
Jesse Crim (VCU)
Michael A. Nicolaides (Virginia Beach City Public Schools)
Network Access Control (NAC) technology allows only compliant and trusted endpoint devices onto the network and restricts the access of noncompliant devices, which helps to prevent security threats and risks from infecting the network. This panel will discuss different approaches to NAC in terms of how it is implemented and supported on the panelists' campuses. There will be time for questions and discussion with the audience.
BREAKOUT -- Richmond Salons
Sensitive Data
Darlene Quackenbush (JMU), Shirley Payne (UVA)
With continued reports of high-profile data breaches in universities, many are led to reassess current policies, practices and communication strategies around protecting confidential or sensitive data. The presenters will share projects and lessons learned from their universities, highlight resources available nationally and discuss the compliance concerns and other challenges that demand on-going engagement of persons throughout the university in data protection and security efforts.
2:45-3:15 PM Refreshments -- Richmond Salons Foyer
Last call for Open Discussion Questionnaires
3:15-4:30 PM BREAKOUT
Audit Track
Audit and Security Professional Certifications
Brian Daniels (UVA) and Kevin Savoy (UVA)
There are numerous professional certifications available to IT auditors and security practitioners in the industry today. Which certifications are most relevant? How are they obtained? How challenging are they? This presentation will discuss many of the most popular certifications, as well as some of the lesser known. Certifications to be covered include CPA, CISA, CISSP, CISM, GCFA, and vendor certifications such as Cisco's, among others.
Virtualizing the Campus Network for Security
Bob Neale (VCU)
This presentation will discuss Virginia Commonwealth University's implementation of virtual networks using Multiprotocol Label Switching (MPLS) to enable us to quickly segment the network so that appropriate security policies can be applied to groups of users anywhere on our network. Our flexible, divide-and-conquer network security plan will be described.

Staffing and Managing for Information Technology Security
Wayne Donald (VT) and Clay Calvert (UMW)
Colleges and universities constantly face the day-to-day threats that accompany a diverse user population. No matter the size of the institution, many of the same threats will find their way to the user community. Having resources available, whether internal or external, to deal with these situations is essential to helping ensure a safe and secure campus technology environment. This presentation will provide two perspectives on how to staff and manage technology security on your campus, from getting support on your campus to utilizing tools available for use in helping your user community.
4:30-4:45 PM Break -- Richmond Salons Foyer
4:45-6:00 PM OPEN DISCUSSION on Security Issues, Moderated by Randy Marchany
Topics may include: Attacking through IM, email, VOIP; data classification, content filtering, security mysteries, border firewalls, and others chosen through the "Open Discussion Questionnaires."
6:00-7:30 PM Reception in the Ballroom

Day 2 - Friday, October 19, 2007

7:45-8:30 AM Breakfast -- Richmond Salons Foyer
8:30-10:00 AM TECH TRAINING -- Richmond Salons
TCP/IP Weapon School
David J. Bianco
Do you want to do something with Ethereal/Wireshark besides inspecting normal traffic? Do you want to learn how networks can be abused and subverted, while analyzing the attacks, methods, and traffic that make it happen? Are you ready for technical, packet-centric training that really matters? If your answer to any of these questions is yes, join David J. Bianco for TCP/IP Weapons School, VASCAN Edition. We will walk up the layers of the OSI model, examining packet traces that detail the various ways attackers abuse core TCP/IP functionality.

What to bring:
Basic knowledge of TCP/IP. No time will be spent explaining IP addressing, ports, etc.

Students must have a laptop with Wireshark/Ethereal installed, and an OpenSSH client.
You can download Wireshark/Ethereal here:
Open SSH clients are available here:

To run the VM, the student will need the free VMware Player or Server or the commercial Workstation.
You can download the free VMware Player here:

The student laptop should have a wireless connection (802.11b or 802.11g) and preferably an Ethernet port to connect to a wired network. Wireless guest accounts will be provided when you receive your registration material at the VASCAN conference registration desk.

Layer 2
- Ethernet
- Ethernet Emulation
- IP over Firewire
- 802.11
- ARP & ARP Trickery
- CAM Table Flooding
- Port Stealing
- Layer 2 MITM
- DTP & DTP Attacks

Layer 3
- IP
- Raw IP
- IP Fragmentation
- IP Options
- IP IDs
- Isnprober and Idle Scans
- Time-to-live
- Traceroute and Firewalk
- ICMP Messages
- ICMP Shells and Tunnels
- Gont Attacks

Identity Management in Higher Education
Jim Jokl (UVA)

This session will focus on a mix of the procedural, technical, and policy aspects of campus identity management. Included in the session will be a discussion of identity proofing processes, levels of assurance, authentication and directory systems used to support services, federation and federated identity, and interactions with entities outside of the campus boundary.
10:00-10:20 AM Break -- Richmond Salons Foyer
TCP/IP Weapon School

Where IT Security and Legal Compliance Intersect
Shon Harris and Scott David

If IPSec, TLS, MPLS, DRM, and AES are not confusing enough, what happens when we throw in encumbrance, pecuniary, and malum prohibitum?

Many security experts know that organizations do not fully understand how to roll out a security program and infrastructure in a cost effective and beneficial manner. Most security initiatives are carried out in an ad-hoc, confusing, time consuming, and expensive manner. But even at successful milestones throughout the security program roll out, most organizations do not realize that certain legal and liability risks have not even been identified -- much less mitigated.

It is too easy to get caught up in the organizational and technology components of information security and miss large legal liabilities that can damage or ruin an organization. The security sector and the legal sector overlap in ways that most companies, senior management, security consultants and even organizations' legal counsel do not fully realize.

You need to understand the intersections and overlaps of information security and legal protection to ensure that the chosen mitigation controls do not cover only a portion of the risk. The legal issues of information security are the new and daunting step in our society's digital evolution. Do you have full confidence that the security controls that are in place provide the necessary security and legal protection? If your answer is 'yes', then your organization is probably in much more danger than you fully realize.

Shon Harris, information security consultant, and Scott David, information security lawyer, will be illustrating how security and legal issues are really two sides of the same coin. They will also show you how ignoring one of these sides of the coin can be disastrous. They will go through the necessary steps that every organization should follow to maximize protection and minimize risk without negatively affecting the security budget.

Noon-1:00 PM Boxed Lunches -- Richmond Salon Foyer
TCP/IP Weapon School
VASCAN Framework / Mapping Security Standards: Mapping the ISO 27001/17799 Code of Practice for Information Security Management, the COVA Sec.501-01 IT Security Standard, and the NIST standard to the new VA SCAN Framework
Darlene Quackenbush (JMU), Kevin Savoy (UVA), Kay Sommers (VCU)


Vendor Sponsorship for the conference is CLOSED.
Our sponsors in the past have expressed that they enjoyed the opportunity to network and socialize in a small setting. The conference is one and a half days in length. The first evening is a vendor-sponsored reception directly following the last track.

Gold Sponsorship - $5,000
Sponsor the reception ($5,000) (hors d'oeuvre, wine, beer and servers)

  • Name mentioned on the first day of the program (e.g., we want to thank "Sponsor ABC for their generosity in supporting tonight's reception"). Logo on the VA SCAN website and on any printed programs. Table tents with vendor logo on lunch tables and break tables. Table space for product literature and demos.
  • Representatives are invited to network with the attendees during the reception.

Silver Sponsorship - $1,500
Sponsor breaks and/or lunch.

  • Name and logo on the VA SCAN website and on any printed programs. Table tents on lunch tables and/or break tables.
  • Table space for product literature and demos.

To reserve a sponsorship, please contact:
        Hope Adams
        VCU Technology Services
        Marketing & Communications Coordinator
        P.O. Box 843059
        701 West Broad Street
        Richmond, VA 23284-3059
        Phone: (804) 828-3653; Fax: (804) 828-2088; Email:

Thank you to this year's sponsors!


Reserve your spot today! The 360 Security Conference registration is $100; pre-registration is required. To register, click here. During the registration process you will be asked to select breakout sessions to give us a headcount for room assignments. Sorry! Registration is NOW CLOSED.

OPEN DISCUSSION on Security Issues Questionnaire. To facilitate the open discussion, please add your suggestions on this form and email to PDF download

Cancellation and Refund Policy
Email requests for refunds received by midnight October 1, 2007 will be granted. The email request should be sent to All funds, minus a $25 processing fee, will be returned to the registrant. You may alternatively designate a substitute to take your place by emailing After October 1, 2007, no refunds will be granted for any reason. No shows will not be refunded.

VASCAN will refund, in full, all payments to the registrant should the conference be cancelled.

Bios on Conference Presenters

David J. Bianco has been in the IT field for 16 years, and for the past 9 years he has concentrated on Computer and Network Security. He teaches and lectures internationally and his consulting clients include Fortune 1000 companies, Wall Street firms, public utilities and the US Military. His writing credits include being a contributing editor for Information Security Magazine. He is president of Vorant Network Security in Williamsburg, Virginia.

Clay Calvert is the Director of Information Technology Security at the University of Mary Washington. He started the position in February, 2007 as the first person in that role. His primary goals are to safeguard the centrally operated information systems; to actively protect the security, integrity, and privacy of data associated with them; and to ensure that all members of the University community are regularly and effectively informed about responsible management of data and information accessible via computers and related devices. Prior to UMW, Clay worked at the U.S. State Department as an engineer responsible for the network environment for the Secretary of State.

Jesse Crim is currently an Information Security Analyst for VCU in Richmond, VA. He has a Master's Degree in Information Assurance from Norwich University and an undergraduate degree in Information Technology with a specialization in Network Technology. With over 10 years of experience in the technology field and over twelve certifications in networking and security, Jesse has worked in health care, law enforcement, and state and local government. He has been a member of the FBI's InfraGard program since 2004.

Scott David is a partner working with the electronic commerce, privacy and information security, intellectual property and tax practices at K&L Gates. He provides advice to firm clients on issues of compliance with federal and state privacy and data security laws; structuring of online contracts, terms of use, privacy policies and electronic payment and tax administration systems; intellectual property licensing and structuring; corporate, partnership and limited liability company organization and affiliation structuring; technology development and transfer; participation in standards setting organizations; international, federal, state and local taxation; and non-profit and tax-exempt status and related issues. He regularly counsels the firm's intellectual property, high technology, telecommunications, on-line commerce, power generation, construction, retail, manufacturing, service sector, health care, governmental, financial sector and other clients.

Prior to joining K&L Gates, Scott practiced with Simpson Thacher & Bartlett in New York City. Before attending law school, he worked as the production manager for a computer manufacturer in Rhode Island.

Brian Daniels, CISA, GCFA has been working in governmental IT audit for four years, working from both the external and the internal side. Previously he was an Information Systems Security Auditor for the Auditor of Public Accounts for the Commonwealth of Virginia. He is currently a Senior IT Auditor at the University of Virginia. Recent audits performed have focused on Wireless Security, UNIX and Windows Security, Router and Firewall Security, Disaster Recovery, as well as various computer forensic investigations.

He is currently in the finishing stages of a Masters of Business Administration with a concentration in Information Security through James Madison University.

A. Wayne Donald is the Information Technology Security Officer at Virginia Tech. It is a position he has held since 1998 to promote security issues throughout the Virginia Tech user community. He is responsible for areas of security awareness, user education, technology tools for security-related issues, a university-wide risk analysis program, and business recovery plans for Information Technology. In addition, the Technology Security Lab and the Information Resource Management department report to the Security Office. Wayne has been active in several professional organizations including VA SCAN, EDUCAUSE, SACUBO, and ACCS. He has presented papers, seminars, classes, and has been featured in national publications for his security-related role at Virginia Tech.

William C. Dougherty, a Virginia Tech (VT) alumnus, is the Assistant Director for Systems Support in the Network Infrastructure and Services area of the Information Technology (IT) unit at VT. Systems Support is responsible for hardware and system administration for many of the centrally provided IT systems including e-mail systems, backup and storage systems, and Banner related systems. Production control for research systems became part of Systems Support's responsibilities in December of 2005.

William served as chair for Evaluation Committee for Emergency Notification Systems and will discuss the process for selecting and implementing the system at Virginia Tech.

Shon Harris is the president of Logical Security, a security consultant, a former engineer in the Air Force's Information Warfare unit, an instructor and an author. She has authored two best selling CISSP books, was a contributing author to the book, Hacker's Challenge, and a contributing author to the book Gray Hat Hacking.

Shon consults for a variety of companies in the financial, entertainment, manufacturing, and retail sectors. She specializes in regulatory compliance, security governance, risk management, and enterprise security.

Shon has taught computer and information security to a wide range of clients, some of which have included RSA, Department of Defense, Department of Energy, West Point, National Security Agency (NSA), Bank of America, Defense Information Systems Agency (DISA), BMC, and many more.

Shon was recognized as one of the top 25 women in the Information Security field by Information Security Magazine, she writes security articles for Information Security Magazine, Windows 2000 Magazine and other leading industry journals.

Shon is currently writing a book on CISA and co-authoring a book on Regulatory IT Compliancy.

Jim Jokl is Director of Communications and Systems for Information Technology and Communications at the University of Virginia. He is a member of the Internet 2 Middleware Architecture Council for Education (MACE) and participates in the Common Solutions Group (CSG) and other similar organizations. He co-chairs the Net@Edu Integrated Communication Strategies (ICS) working group and coordinates the Higher Education PKI Technical Activities Group (HEPKI-TAG) sponsored by Internet2, EDUCAUSE, and Net@Edu.

Joseph A. Kapelewski, CGFM, CPA, CIA
Joseph has 17 years' experience in many forms of auditing at various federal, state and local government levels and as a government contractor. He is a member of the AICPA and AGA, served three years on the AGA's National Executive Committee, and was Chairman of the National Ethics Board. As part of the AGA Ethics Committee, he helped write the current Code of Ethics. He has also made significant contributions to a nuclear waste audit that resulted in an award for the Department of Energy, and he was an initial member of the State Internal Auditor Team implementing the "Fraud, Waste, and Abuse Hotline." Joseph implemented the distribution programs for indemnification programs for tobacco growers and poultry producers victimized by avian influenza.

Randy Marchany has been involved in the computer industry since 1972. He is currently the director of the VA Tech Security Testing Lab, a component of the university's Computer & Network Defense Initiative. He is also a member of the VA Tech Computing Center's Unix system management group. He is the coordinator of VA-CIRT, an incident response team composed of IRTs from various VA state universities. He is the author of VA Tech's Acceptable Use Statement, which has become a model for the VA state university system. He has been a frequent speaker at national and international conferences such as SANS, IIA, ISACA, ACUA, Network Security, IEEE Symposium on Systems Management, NIST, US Forest & Wildlife Service, Computer Security Conference, and DECUS-Canada. He has been the subject of articles in the Chronicle of Higher Education on security issues at university campuses. The SANS Institute has described him as the "best storyteller in the computer security field." He has taught professional development seminars on Unix System Management, Forming Incident Response Teams, Auditing Unix Systems, and Auditing Internet Security for various professional groups such as ISACA, IIA, Ernst & Young and the SANS Institute.

He is a co-author of the FBI/SANS Institute's "Top 10/20 Internet Security Vulnerabilities" document that has become a standard for most computer security and auditing software. He is the co-author of the "Responding to Distributed Denial of Service Attacks" document that was prepared at the request of the White House in response to the DDOS attacks of 2000. He is a co-author of the SANS Institute's "Computer Security- Incident Handling - Step by Step" which has been recognized as one of the foremost publications on Incident Response. He is currently working on a new SANS publication which describes how to design Internet Security audit programs.

He is a co-author of the Center for Internet Security's series of Security Benchmark documents for Solaris, AIX and Windows 2000. These benchmarks are available for free and represent the first successful attempt to create a set of consensus documents with detailed steps for implementing system security.

He was a member of the White House Partnership for Critical Infrastructure Security working group that developed a Consensus Roadmap for responding to the recent series of DDOS Internet Attacks. He was a recipient of the SANS Institute's Security Technology Leadership Award for 2000.

Bob Neale has over 35 years of Information Technology experience starting with the Medical College of Virginia in 1970, followed by 26 years in various IT management positions at Reynolds Metals Company, then returning to VCU where he started his IT career in higher education. Since joining VCU in 2001, some of his key technology initiatives include: a cost effective disaster recovery plan, a service oriented Data Center, Technology Change Management, Enterprise Directory, and an IT Professionals intranet. Security specific projects include: mail virus and spam control, desktop management, network firewalls and intrusion prevention for critical servers, and an overall IT Security Program for VCU.

Michael Nicolaides is the Director of Information Technology at Virginia Beach City Public Schools (VBCPS). He has been in the IT industry for 19 years and joined VBCPS in 2004 after spending the early years of his career in the private sector. His last post was as Vice President of Information Systems of Orbit Satellite Television and Radio Network, an international company with a presence in Europe and the Middle East.

Michael has had hands-on experience in most areas of IT, including network engineering & infrastructure, software system development, telecommunications and project management. He has been in IT senior management positions for 10 years.

Michael holds a Master’s Degree in Computer Engineering and two Bachelors of Science Degrees in Computer Science and Electrical Engineering, all from Old Dominion University.

Darlene Quackenbush is responsible for information technology planning and policy development and is the Information Security Officer at James Madison University. In these roles she performs strategic planning, facilitates development of the university's information security program and administers technology policy formulation.

Shirley Payne is Director for IT Security and Policy at the University of Virginia. In this capacity she focuses on the continuous enhancement of information technology policies and security of the university's diverse and decentralized computing environment. She works in partnership with units and individuals across the university to formulate policies, assess security risk, establish strategic direction, provide security education and training, implement security safeguards, track security incidents, develop mission continuity plans, and related activities. She has many years of experience in information technology, most of which has been in higher education. She holds a bachelor's degree in Computer Science from Winthrop University and a master's degree in Management Information Systems from the University of Virginia.

Kevin Savoy, MBA, CPA, CISA, CISSP has over 20 years experience in IT operations and audit in government and private industry and is currently Director of Information Technology Audits for the University of Virginia. Previously, he was IT Security Audit Director for the Auditor of Public Accounts for the Commonwealth of Virginia. He also spent ten years automating retail and hospital pharmacies for two major pharmaceutical wholesalers. He has spoken on a variety of IT security and audit topics to several professional organizations.

Kay Sommers is currently Information Security Manager for Virginia Commonwealth University. Her responsibilities in this position include the development and implementation of a comprehensive security program that contains all the elements to safeguard information technology at the university.

To return to the VASCAN website, click here.

(c) 2007 Virginia Alliance for Secure Computing and Networking (VA SCAN)
Web Publisher: VA SCAN Web Team Site Hosted by Institute for Infrastructure & Information Assurance at James Madison University