Infosecurity Europe 2007 Day 3

Day 3 was slightly shorter in length than the previous 2 days. I suppose they wanted to allow for time to pack up. I also didn't find the presentations as interesting, so my notes were very brief. Here they are:

---

Session: Insider threats: Finding the enemy
Speakers:
Bob Ayers, Associate Fellow, Chatham House Information Security Programme
Stephen Bonner, Head of Information Risk Management, Barclays
Audience: Mix of suits and geeks
Summary:
Both speakers were very brief. They didn't take up the allocated time and pretty much just said that the insider threat was difficult to manage but to watch for signs and motivations that one may not expect. For example, revenge, personal vendettas, annoyed employees. They both used examples to illustrate their points.

My opinions:
Nothing really that insightful. Just a bunch of examples and mostly things that common sense will tell you...especially those who have a few years in this industry under their belt.

---

Session: Encryption strategies for complying with PCI-DSS and other regulations
Speaker: Andy Solterbeck, VP and GM, Commercial Enterprise Business Unit, SafeNet
Audience: Mostly suits
Summary:
Most regulations require or recommend that sensitive data is encrypted. Examples include personal, sensitive information such as credit card numbers or social security numbers. Critical data at rest will more than likely also be encrypted by 80% of all fortune 1000 companies. Apart from data in production environments, we should also consider data in test and development environments because it is quite common to gather this data from production environments in the first place. Any outsourcers used by companies should also be made to protect relevant data and this needs to be mandated when drawing up agreements with potential outsourcing providers. Andy went on to talk about key management systems (KMS) and the need to standardise on a single KMS. He noted that fundamental keys in the environment should be stored on hardware (e.g. HSM) and listed the points to consider for a good data encryption strategy: drivers, threat models, data, scope (laptop, file server, emails, database etc.), type of encryption, integration, scalability and impact on the environment.

My opinions:

• Quite a high level presentation that didn't go into much detail. Not bad as an introductory presentation into the topic.
• I noted that this presentation was the first time I'd seen the Tivoli logo on a non-IBM slide. Unfortunately, it was right next to CA, Oracle and SAP logos.
  

---

Session: Understanding the data leakage threat
Speakers:
Mark Murtagh, Technical Director, EMEA, Websense
Assaf Litai, VP Technical Marketing, Websense
Audience: Mostly suits
Summary:
The presentation started off by giving numbers on a survey conducted by Merrill Lynch which found that leakage of confidential or proprietary information was the biggest threat to organisations today. Data leakage technology was also found to be the most promising security technology. The most common ways for data to be leaked (Ian's note: not that we couldn't have figured this out) are: web, email, printer, endpoints (laptops, PDA, desktop), internal mail, corporate webmail and instant messaging. Leaks are classified into the following categories: Unintentional (non-malicious), intentional (non-malicious) and malicious. Traditional solutions dealt with this using entitlement/access controls, have some sort of threat focus instead of data focus, rely on keywords, generate false positives through data manipulation, have limitations on the type of data or communications channels handled and tend to block legitimate communications (Ian's note: this is obviously the marketing blurb to prompt us to conclude that Websense does all this in a much better way). The conclusion was to give the audience the "magic" path to protection: discover data, monitor data, protect data.

My opinions:
This presentation more blatantly marketed the technology than McAfee's did (summary above). But similarly, they both hammered home the point that data leakage protection is important and must be handled. I think we all know this. It's easier said than done.

---

Session: Two factor authentication without the pain
Speaker: Andy Kemshall, Technical Director, SecurEnvoy
Audience: Mostly geeks
Summary:
This presentation was basically a product pitch. SecurEnvoy's product uses SMS as their 2nd factor device but the difference is that they pre-load the codes you need before you actually ask for them. This gets around the delays experienced with "real-time" SMS and also the lack of reception in some areas (quite common in data centres because they tend to be "bunkers"). SecurEnvoy supports 1 time passcodes, reusable passcodes and passcodes which can be used only on specific days.

My opinions:

• Looks to be a useful alternative to some of the other multi-factor authentication means. It's essentially just SMS factor authentication with a twist. I doubt it'll be the hottest thing on the market, but just another option to go with.
• I can't help feeling that there's a way to game the system, but I'm sure the SecurEnvoy product team will ensure us that there isn't.
• Don't lose your phone. If you do, it's essentially the same as writing your password down.
  

---

Session: The cross-border interoperability challenges and their possible solutions
Speaker: Mark Crosbie, Senior Security Technologist, HP
Audience: Mostly geeks
Summary:
The actual title on Mark's slide deck was "Experiences with eID. A holistic approach." Mark talked about the relationship between identities and contexts and how this makes it difficult to have a single ID. There is also a cost associated with deploying a single ID system and whoever pays for it will be unlikely to want to share that infrastructure. That being said, there's actually an EU recommendation for European citizen cards and also a working group working on testing the interoperability between ID cards from different countries so at least the issue is being explored. Mark finished off by listing various pre-requisites and success factors for cross boundary identity systems:

• Political framework must be appropriate.
• Set-up and provisioning of infrastructure (e.g cards, readers).
• Building trust and acceptance by citizens and business users.
• International experiences, standards and interoperability.
• Financing and business case (e.g. who pays?).
  

My opinions:

• This is certainly an interesting topic and area of study. It further supports the feeling that a lot of the European countries are more forward thinking with regards to identity than the rest of the world.
• It'll be quite awhile before anything useful eventuates. There are too many political factors at play that need to be sorted out first.
  

---

Session: Securing administrative passwords
Speaker: Callum MacLeod, VP EMEA, Cyber-Ark
Audience: Mostly suits
Summary:
Yet another product pitch. Cyber-Ark's password vault handles all things to do with system administrative passwords including applications and scripts where they are used. Callum stressed that identity provisioning products cannot handle privileged accounts which is where Cyber-Ark comes into play.

My opinions:

• I fail to see why anyone would want to buy a product specifically to manage privileged accounts. Maybe I've been caught up in enterprise identity management vendor land for too long, but the provisioning products on the market can actually handle privileged passwords. It's just a matter of mapping them to the right users (not necessarily a person, but some functional entity) and having the relevant policies applied. In this respect, they are treated like any other user with slightly different rules, policies and workflows. Perhaps Cyber-Ark does more. I didn't see a demo so I may be ignorant of the missing bits.
• There's obviously a niche market for this. Either that or Cyber-Ark has REALLY good sales people. They even have partner relationships with IBM and Oracle, so someone somewhere must be doing something to sell this to customers and to get potential competitors "in-bed" with them.
  

---

Session: Achieving behavioural change through cognitive awareness of security
Speaker: Martin Smith, Managing Director, The Security Company
Audience: Mostly suits
Summary:
Very entertaining and engaging speaker. Great presentation, I dare say even better than Bruce Schneier (in style, not necessarily content). Martin basically told stories and sold the audience on the fact that it's all about behaviour, education and attitude. No amount of technology will a company secure. Only the people will. He outlined the following things:

• For security to succeed, there MUST be senior management support through the use of an executive sponsor.
• You gain by not losing. This is how security should be sold to management. Not as a cost centre, but an enabler. What you don't lose, you can use to increase and improve the bottom line.
• Cars have brakes to go faster. The analogy here is that security is the brakes. Without it, you cannot go fast.
• 98% of all security breaches target known vulnerabilities. Fix what you know and your risk to that much smaller.
• The security department should be the whole company.
• Security Awareness is the oil that makes the security machine operate.
• Security is not about alligators. It's about the 1000 chickens. Essentially, this means it's the many little things that will make you insecure. Not the one big thing.
• You only need to be more secure than your competition.
• Good news travels up, bad news travels down. This is why senior management tend not to have a real and accurate view of security within the organisation.
  

My opinions:

• I was pleasantly surprised by this presentation. A great presenter makes all the difference.
• The issues brought up were not exactly new to me, but the way they were presented helped reinforce my knowledge. Stories and great, simple analogies help.
• I agree with what Martin said...or at least most of what he said. I'm not so sure being more secure than your competition is good enough. What it does ensure is that there'll be someone else worse off than you, but that's not going to ensure good security practice on your part.

---

Day 3 was a little less interesting, but thankfully it finished off with the most entertaining presentation I attended over the 3 days.