
Friday, April 27, 2007

Infosecurity Europe 2007 Day 3

Day 3 was slightly shorter in length than the previous 2 days. I suppose they wanted to allow for time to pack up. I also didn't find the presentations as interesting, so my notes were very brief. Here they are:


Session: Insider threats: Finding the enemy
Speakers:
Bob Ayers, Associate Fellow, Chatham House Information Security Programme
Stephen Bonner, Head of Information Risk Management, Barclays
Audience: Mix of suits and geeks
Summary:
Both speakers were very brief. They didn't take up the allocated time and pretty much just said that the insider threat was difficult to manage but to watch for signs and motivations that one may not expect. For example, revenge, personal vendettas, annoyed employees. They both used examples to illustrate their points.

My opinions:
Nothing really that insightful. Just a bunch of examples and mostly things that common sense will tell you...especially those who have a few years in this industry under their belt.


Session: Encryption strategies for complying with PCI-DSS and other regulations
Speaker: Andy Solterbeck, VP and GM, Commercial Enterprise Business Unit, SafeNet
Audience: Mostly suits
Summary:
Most regulations require or recommend that sensitive data is encrypted. Examples include personal, sensitive information such as credit card numbers or social security numbers. Critical data at rest will more than likely also be encrypted by 80% of all fortune 1000 companies. Apart from data in production environments, we should also consider data in test and development environments because it is quite common to gather this data from production environments in the first place. Any outsourcers used by companies should also be made to protect relevant data and this needs to be mandated when drawing up agreements with potential outsourcing providers. Andy went on to talk about key management systems (KMS) and the need to standardise on a single KMS. He noted that fundamental keys in the environment should be stored on hardware (e.g. HSM) and listed the points to consider for a good data encryption strategy: drivers, threat models, data, scope (laptop, file server, emails, database etc.), type of encryption, integration, scalability and impact on the environment.

My opinions:
  • Quite a high level presentation that didn't go into much detail. Not bad as an introductory presentation into the topic.
  • I noted that this presentation was the first time I'd seen the Tivoli logo on a non-IBM slide. Unfortunately, it was right next to CA, Oracle and SAP logos.



Session: Understanding the data leakage threat
Speakers:
Mark Murtagh, Technical Director, EMEA, Websense
Assaf Litai, VP Technical Marketing, Websense
Audience: Mostly suits
Summary:
The presentation started off by giving numbers on a survey conducted by Merrill Lynch which found that leakage of confidential or proprietary information was the biggest threat to organisations today. Data leakage technology was also found to be the most promising security technology. The most common ways for data to be leaked (Ian's note: not that we couldn't have figured this out) are: web, email, printer, endpoints (laptops, PDA, desktop), internal mail, corporate webmail and instant messaging. Leaks are classified into the following categories: Unintentional (non-malicious), intentional (non-malicious) and malicious. Traditional solutions dealt with this using entitlement/access controls, have some sort of threat focus instead of data focus, rely on keywords, generate false positives through data manipulation, have limitations on the type of data or communications channels handled and tend to block legitimate communications (Ian's note: this is obviously the marketing blurb to prompt us to conclude that Websense does all this in a much better way). The conclusion was to give the audience the "magic" path to protection: discover data, monitor data, protect data.

My opinions:
This presentation more blatantly marketed the technology than McAfee's did (summary above). But similarly, they both hammered home the point that data leakage protection is important and must be handled. I think we all know this. It's easier said than done.


Session: Two factor authentication without the pain
Speaker: Andy Kemshall, Technical Director, SecurEnvoy
Audience: Mostly geeks
Summary:
This presentation was basically a product pitch. SecurEnvoy's product uses SMS as the second factor device, but the difference is that they pre-load the codes you need before you actually ask for them. This gets around the delays experienced with "real-time" SMS and also the lack of reception in some areas (quite common in data centres because they tend to be "bunkers"). SecurEnvoy supports one-time passcodes, reusable passcodes and passcodes which can be used only on specific days.

My opinions:
  • Looks to be a useful alternative to some of the other multi-factor authentication means. It's essentially just SMS factor authentication with a twist. I doubt it'll be the hottest thing on the market, but just another option to go with.
  • I can't help feeling that there's a way to game the system, but I'm sure the SecurEnvoy product team will assure us that there isn't.
  • Don't lose your phone. If you do, it's essentially the same as writing your password down.
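The pre-loaded passcode scheme summarised above, as an added example written for this page (it is not SecurEnvoy's code and makes no claim about how their product works): a server-side verifier that hashes the outstanding code, pushes the next one only after a successful login so the user already holds it when they next log in, and enforces the one-time, reusable and day-restricted variants the talk listed. The `send_sms` hook and the injectable clock are assumptions standing in for a real SMS gateway; the user names and phone numbers in the usage are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, Optional

CODE_DIGITS = 6
MAX_FAILURES = 5               # lock the factor after this many bad attempts
ISSUE_TTL = timedelta(days=7)  # a pre-issued code must be used within this window
PBKDF2_ROUNDS = 10_000


@dataclass
class Passcode:
    digest: bytes                  # salted PBKDF2 of the code; the clear code only ever lives on the phone
    salt: bytes
    issued_at: datetime
    reusable: bool = False         # reusable passcode: valid until it expires or is revoked
    allowed_days: FrozenSet[int] = field(default_factory=frozenset)  # weekday numbers, 0=Monday; empty = any day
    used: bool = False


@dataclass
class UserRecord:
    phone: str
    current: Optional[Passcode] = None
    failures: int = 0


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class PreloadedOtpServer:
    """Issues the *next* code at enrolment and after each successful login, so the
    user already has it in hand when they come to log in (no real-time SMS round trip)."""

    def __init__(self, send_sms: Callable[[str, str], None], now: Callable[[], datetime] = datetime.now):
        self.send_sms = send_sms   # hypothetical SMS gateway hook: any callable(phone, text)
        self.now = now             # injectable clock so expiry and day rules can be tested
        self.users: Dict[str, UserRecord] = {}

    def enrol(self, username: str, phone: str, reusable: bool = False, allowed_days=()) -> None:
        self.users[username] = UserRecord(phone)
        self._issue_next(username, reusable, frozenset(allowed_days))

    def revoke(self, username: str) -> None:
        """Lost or stolen phone: kill the outstanding code until the user re-enrols."""
        self.users[username].current = None

    def _issue_next(self, username: str, reusable: bool, allowed_days: FrozenSet[int]) -> None:
        user = self.users[username]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        user.current = Passcode(_digest(code, salt), salt, self.now(), reusable, allowed_days)
        self.send_sms(user.phone, f"Your next login code is {code}")

    def verify(self, username: str, password_ok: bool, code: str) -> bool:
        """Second-factor check. The code never authenticates on its own, so a phone
        by itself is worth no more than a written-down password."""
        user = self.users.get(username)
        if user is None or user.current is None or user.failures >= MAX_FAILURES:
            return False
        pc, now = user.current, self.now()
        if now - pc.issued_at > ISSUE_TTL:
            # Stale code: replace it once (the replacement carries a fresh timestamp) and fail this attempt
            self._issue_next(username, pc.reusable, pc.allowed_days)
            return False
        code_ok = hmac.compare_digest(_digest(code, pc.salt), pc.digest)
        day_ok = not pc.allowed_days or now.weekday() in pc.allowed_days
        fresh = pc.reusable or not pc.used
        if not (password_ok and code_ok and day_ok and fresh):
            user.failures += 1
            return False
        user.failures = 0
        pc.used = True
        if not pc.reusable:
            self._issue_next(username, False, pc.allowed_days)   # pre-load the next one-time code
        return True


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the SMS gateway
    server = PreloadedOtpServer(lambda phone, text: outbox.append(text))
    server.enrol("alice", "+44 7700 900000")           # constructed test number
    first = outbox[-1].split()[-1]                      # what the phone received at enrolment
    print("login with pre-loaded code:", server.verify("alice", True, first))
    print("replay of the same code:", server.verify("alice", True, first))
```

The `revoke` call is the answer to the "don't lose your phone" point: because the next code is already sitting on the handset, revocation has to be possible the moment a phone goes missing, and `password_ok` is required on every attempt so the handset alone never logs anyone in. Reusable codes are the weakest variant here, which is why they still expire.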



Session: The cross-border interoperability challenges and their possible solutions
Speaker: Mark Crosbie, Senior Security Technologist, HP
Audience: Mostly geeks
Summary:
The actual title on Mark's slide deck was "Experiences with eID. A holistic approach." Mark talked about the relationship between identities and contexts and how this makes it difficult to have a single ID. There is also a cost associated with deploying a single ID system and whoever pays for it will be unlikely to want to share that infrastructure. That being said, there's actually an EU recommendation for European citizen cards and also a working group testing the interoperability between ID cards from different countries, so at least the issue is being explored. Mark finished off by listing various prerequisites and success factors for cross-boundary identity systems:
  • Political framework must be appropriate.
  • Set-up and provisioning of infrastructure (e.g. cards, readers).
  • Building trust and acceptance by citizens and business users.
  • International experiences, standards and interoperability.
  • Financing and business case (e.g. who pays?).

My opinions:
  • This is certainly an interesting topic and area of study. It further supports the feeling that a lot of the European countries are more forward thinking with regards to identity than the rest of the world.
  • It'll be quite a while before anything useful eventuates. There are too many political factors at play that need to be sorted out first.



Session: Securing administrative passwords
Speaker: Callum MacLeod, VP EMEA, Cyber-Ark
Audience: Mostly suits
Summary:
Yet another product pitch. Cyber-Ark's password vault handles all things to do with system administrative passwords including applications and scripts where they are used. Callum stressed that identity provisioning products cannot handle privileged accounts which is where Cyber-Ark comes into play.

My opinions:
  • I fail to see why anyone would want to buy a product specifically to manage privileged accounts. Maybe I've been caught up in enterprise identity management vendor land for too long, but the provisioning products on the market can actually handle privileged passwords. It's just a matter of mapping them to the right users (not necessarily a person, but some functional entity) and having the relevant policies applied. In this respect, they are treated like any other user with slightly different rules, policies and workflows. Perhaps Cyber-Ark does more. I didn't see a demo so I may be ignorant of the missing bits.
  • There's obviously a niche market for this. Either that or Cyber-Ark has REALLY good sales people. They even have partner relationships with IBM and Oracle, so someone somewhere must be doing something to sell this to customers and to get potential competitors "in-bed" with them.



Session: Achieving behavioural change through cognitive awareness of security
Speaker: Martin Smith, Managing Director, The Security Company
Audience: Mostly suits
Summary:
Very entertaining and engaging speaker. Great presentation, I dare say even better than Bruce Schneier (in style, not necessarily content). Martin basically told stories and sold the audience on the fact that it's all about behaviour, education and attitude. No amount of technology will make a company secure. Only the people will. He outlined the following things:
  • For security to succeed, there MUST be senior management support through the use of an executive sponsor.
  • You gain by not losing. This is how security should be sold to management. Not as a cost centre, but an enabler. What you don't lose, you can use to increase and improve the bottom line.
  • Cars have brakes to go faster. The analogy here is that security is the brakes. Without it, you cannot go fast.
  • 98% of all security breaches target known vulnerabilities. Fix what you know and your risk is that much smaller.
  • The security department should be the whole company.
  • Security Awareness is the oil that makes the security machine operate.
  • Security is not about alligators. It's about the 1000 chickens. Essentially, this means it's the many little things that will make you insecure. Not the one big thing.
  • You only need to be more secure than your competition.
  • Good news travels up, bad news travels down. This is why senior management tend not to have a real and accurate view of security within the organisation.

My opinions:
  • I was pleasantly surprised by this presentation. A great presenter makes all the difference.
  • The issues brought up were not exactly new to me, but the way they were presented helped reinforce my knowledge. Stories and great, simple analogies help.
  • I agree with what Martin said...or at least most of what he said. I'm not so sure being more secure than your competition is good enough. What it does ensure is that there'll be someone else worse off than you, but that's not going to ensure good security practice on your part.



Day 3 was a little less interesting, but thankfully it finished off with the most entertaining presentation I attended over the 3 days.

Thursday, April 26, 2007

Infosecurity Europe 2007 Day 2

I attended most of day 2. I did miss the Federated Security Implementation Forum because I had to run back home to take delivery of my new TV. Oh well, priorities right?

Here are the sessions I attended:


Session: A new solution to the problem of on-line identity theft
Speaker: Larry Hamid, CTO, MXI Security, A division of Memory Experts International
Audience: Mostly suits
Summary:
Larry went through the typical things we all know criminals are after. Login details (including passwords), personal information, credit card numbers and so on. Essentially the things required for financial gain. He outlined the size of the problem (904 unique phishing attacks, 93% of all targeted attacks were to home users) and the techniques used. Phishing emails, cousin domains (e.g. paypal-security.com), homographs (e.g. paypa1.com), keyloggers, session hijacks (e.g. man in the middle/browser attacks), web trojans (e.g. popups), hosts file poisoning, system re-configs (e.g. DNS server re-configs), pharming (e.g. DNS hijacking) and content injection phishing (e.g. web servers being compromised, cross site scripting, SQL injection). Some of the countermeasures the industry uses to try to combat these threats are: risk based authentication (e.g. varying levels of access required for different actions or parts of a site), mutual authentication (e.g. a site telling you something about yourself to give you a level of confidence you're at the right place), hardware tokens, EVSSL, browser enhancements, Microsoft Cardspace and user education. Attacks are usually successful because it's difficult to distinguish real sites from fake ones and because users have to make too many trust decisions based on their own judgement. All this leads to the need for MXI Security's hardware device that does a lot of the work for the user. In essence, the device ensures that users cannot use sites unless the device knows about the site (via a pre-registered certificate I presume). There are also policies that can be set on the device to have it only selectively give up information about yourself on a site-by-site basis. The key here is that the device gives the user a way to mutually authenticate themselves with trusted sites before conducting transactions. Larry left the audience with the following final thoughts:
  • Security technologies must be portable, convenient, low cost, accessible to the consumer and only require simple upgrades to the web sites.
  • Hardware devices are not the end game, but MXI's device has set the bar pretty high.

My opinions:

  • I agree with the need for mutual authentication between users and sites. I've been sounding like a broken record over this issue of late.
  • I'm a little skeptical over how easy it really is to upgrade the web sites for use with MXI's device.
  • There's going to be a fair amount of overhead to maintain such a solution on both the user's part and the web sites'. The biggest issue being the pre-registration process. Who's responsible? What happens if something doesn't work? There's going to be plenty of finger pointing.
  • What about the legal issues? Who's responsible if something goes wrong? The consumer? The vendor? The owner of the web site?
  • Using such a device alone isn't the answer. It needs to be used in combination with other means of authentication. To put all your "keys" into a single device is very dangerous.
  • I like the ability to only give up selective pieces of personal information about yourself. This is actually one of Kim Cameron's laws of identity and makes perfect sense. Web sites need to learn that they don't need to know everything about users. They should only ask for what's required.



Session: Looking ahead: Business and compliance drivers behind role management's emerging importance in Identity Management
Speaker: Dave O'Brien, Courion Corporation
Audience: Mostly suits
Summary:
Dave didn't say anything new for those familiar with the identity management space:
  • Roles are driven by compliance, internal audits and segregation of duties requirements. They are also a way of aligning business and resource management, they allow for simplified access and they also drive access policies. In other words, they are a focal point for entitlement management.
  • Some of the user access problems in identity management include: too much access, orphan accounts, sharing accounts. Roles help the business understand policies a little better and help make the identity management issues a little easier to deal with.
  • Organisation charts are not usually reflective of the way things run day-to-day in terms of operations and that multiple views of things like locations, business units and so forth can complicate roles.
  • Some obstacles:
    • Few applications have fine grained role management or authorisation models.
    • Lack of interest in role and identity management by lines of business.
    • IT complexity means role complexity.
    • A single business role typically maps to many IT roles.
  • Role creation is difficult to do manually. There needs to be a hybrid approach using both a top down and bottom up approach to the analysis around role definition.
  • Roles are becoming increasingly popular for managing user access policy.
  • Roles greatly enhance provisioning and compliance solutions.
  • The role management process should be automated.
My opinions:
  • Nothing ground breaking. It's all stuff we've all heard before and that anyone who has heard an identity management presentation would be able to recite back.
  • The title of the presentation begins with "Looking ahead". I'm not so sure this presentation does that. It just gives an overall picture with regards to some general and current role concepts.
  • The "Business and compliance drivers" part of the title didn't really get much air-time. The extent of the coverage was pretty much "yes, roles are important and it helps the business understand stuff and helps with audit and compliance". This doesn't tell me what the business and compliance drivers are. It just tells me that roles help to support the business functions. To be truthful about roles, most of the time business don't know why they need them...at least from an IT perspective. It's usually some analyst or IT person that tells the business that they do because it will "streamline IT processes" or something to that effect.
  • The difficulty behind managing roles isn't so much what they are used for. It's how we figure out what they actually are when putting in an identity management or role based access control solution. That wasn't really covered. I'm not so sure anyone got much out of the presentation about role management's importance in identity management. All I got out of it was that roles are a difficult issue to deal with rather than why they are actually important. Roles are important mainly because they make identity and access that much easier to implement and maintain. The main issue with roles has always been the difficulty in getting to the stage where the roles actually reflect reality. That's what the presentation should have dealt with. Perhaps Dave was a victim of the title of the presentation.
  • To really be true to the title of the presentation, it really should have been more focused on reporting, auditing, exactly how businesses use these to run their operations and how roles make it easier for IT and the business to meet these needs.
  • The presentation seemed to me like a standard identity management presentation with all the slides that had the word "role" on it and then got given the title so that the audience would think they were getting something other than a stock standard enterprise identity management presentation.



Session: Debate: Is network security dead?
Chair: John Riley, Managing Editor, Computer Weekly
Panellists:
Jason Creasey, Head of Research, ISF
Stuart Okin, Senior Executive, Accenture
John Reece, CEO, John Reece & Associates LLP
Paul Simmonds, Global Information Security Director, ICI
Audience: Mostly geeks
Summary:
The debate went on for almost an hour with both sides putting up valid arguments. Instead of boring everyone with a transcript, what this debate boiled down to was whether you thought availability was part of security. If you did, then network security is not dead. If you didn't, then network security is dead. The main analogy everyone kept harking back to was the transport of bank notes. There is the payload (the money), protocol (transported using armored cars with guards) and the network (the highway or roads that are used). The "network security is dead" supporters talked about the fact that all the security is contained at the payload/data level. It's all about having a security protocol at the endpoints and having this wrapped in a secure transport mechanism in the process. Once done, the "network security is not dead" camp insisted that security needs to be in place on the roads (the network) to ensure its availability. If someone "blows up" the road, there goes the availability. Of course, there are other alternate routes to take if a path is blocked...but there still needs to be a level of network security to manage the risk effectively. Another point of contention was whether the Internet is actually secure. Most would agree that it's not, yet we transact over it every day. Why? Because it's available. On the other hand, we still have firewalls and intrusion detection systems. Is this not network security? Can they be considered real security if they are there just "for show"? We still have network breaches and so forth. I won't go on as you can probably see the 2 sides to the argument and extrapolate the rest yourself. It comes down to QoS and availability. The main point is whether you think availability is inherently part of security.

My opinions:
  • The audience as I said were mostly geeks. In other words, network administrators made up a bulk of the audience. This is unavoidable in an information security conference in today's environment. In a few years, this will be vastly different as security moves up the application stack. More and more security professionals (such as myself) will not be network security pundits.
  • For those interested, the result was very much in favour of "network security is NOT dead". I voted for the losing side. As I said in my first point, I think this was because of the "biased" audience. They needed to believe it was not dead otherwise they would have to admit the fact that quite a few would be out of a job in the not too distant future if they don't start to focus on other security areas apart from the network.
  • Has anyone started to notice that most of the network vendors are starting to move up the stack? I've lost count of how many are adding content related technologies into their devices. Whether it's data, identity or some other variant, it's all about contextual network traffic and access controls based on content. No longer is everything based on packet headers.



Session: Reducing identity management costs during a period of rapid acquisitive growth
Speaker: Aaron Slater, Information Security Team Lead, Irish Life and Permanent
Audience: Mostly suits
Summary:
Aaron was speaking as a guest of Passlogix. It was essentially a Passlogix customer presentation that outlined their experiences deploying the Single Sign On solution from Passlogix. Due to a few acquisitions, Irish Life and Permanent found themselves with a bunch of heterogeneous technologies and applications. They decided that they needed technology that could support multiple password policies, multiple login ID structures and that was also network efficient. The main project requirement was to enhance the user log on experience and as a result reduce complexity around having multiple log ons, passwords and password policies. It had to be invisible to end users, easy to learn and use and also require minimal training. Irish Life and Permanent defined "Single Sign On" as having automated one time log on, password change and error conditions. They also required support for legacy applications like the mainframe. They didn't see the need to synchronise passwords (as the provisioning solutions do) and they couldn't migrate everything to being web applications (apparently some vendors told them this was the only way). The short story is that they had an RFP process, from which they got a short list. They eventually went to the proof of concept stage with Passlogix and certainly didn't make it easy on them. Apparently, they had limited time, needed to integrate with Windows, web applications and the mainframe. The requirements were only given to Passlogix on-site. I won't give too much more away because I know that customers don't tend to like to have the minute details of their environments broadcasted to the crowd. Aaron finished by saying that the technology did what they wanted, although they had a few issues with some legacy applications which were poorly designed and were more difficult to integrate. There was one particular one which they put out of scope because it became too difficult.
Aaron made it a point to note that it was not through a lack of functionality on Passlogix's part. Internally, he noted that there were a few issues with gaining support from the business and they also had to deal with a few last minute use case changes that they had to implement (Ian's note: Haven't we all had some experiences where the internal business became the biggest hurdle? It's actually quite common in my experience). Aaron also stressed the importance of getting the buy in from the development teams as they need to help with designing the solution for future changes and requirements. The most important outcome of the project was that they had happy users at the end of it. They got what they wanted with minimal pain on the users' part.

My opinions:
  • Nice to see a happy customer. A lot of the issues Aaron ran into are actually not unique to their situation. They are quite common in identity management project environments. Single Sign On projects actually tend to be quite successful because they don't have to "touch" as many systems...at least not at the deep technical integration level. Provisioning and access control systems on the other hand, that's a whole other story.
  • I'm not surprised that Irish Life and Permanent were happy. It's not like Passlogix would have invited an unhappy customer to speak on their behalf. That being said, these types of projects aren't always successful. There are the odd failures around and also technological challenges to be faced. On the whole however, Passlogix tend to have more happy customers than unhappy ones.
  • For those who don't know, anyone who buys IBM Tivoli Access Manager for Enterprise Single Sign On or Oracle Single Sign On is actually buying Passlogix's v-Go product.



Session: Guarding against data loss
Speaker: Greg Day, EMEA Security Analyst, McAfee
Audience: Mix of geeks and suits
Summary:
Greg started off by giving a bunch of statistics about how important data loss is and the extent of the problem. Data loss in this case refers to breaches or stolen data usually by some internal means (some accidental, some malicious). He followed this up by outlining just how bad we all are about ensuring our data is safe and that 84% of UK companies place the data protection act as the number 1 compliance concern. Only half of the respondents to the survey expressed confidence in existing security measures to prevent data leakage. Add to this the fact that only a third of companies surveyed had a data usage policy in place and we get an idea of what a potentially huge problem this is going to be in the next few years. There are a few methods for data control:
  • Data policy
  • Encryption
  • Data leakage gateways
  • Endpoint controls
  • Digital rights management (DRM)
Data leakage gateways only monitor data at various points on the network and not where the users can actually get access to data (their desktops or laptops - essentially the endpoints). He also noted that DRM technologies only define who can use the data, not what can be done to it. To help define a data usage policy, we need to think about the following:
  • Where is the sensitive data?
  • Where are the boundaries (e.g. USB, printer)?
  • Are the users aware of the policy?
  • Not everything is "confidential". Beware the "cry wolf" syndrome.
End point data protection is the only real way to adequately monitor what is happening to your data. Data needs to be tagged, have policies applied to them (which are managed centrally) and a set of actions need to be defined with regards to responses to potential breach situations.

My opinions:
  • Data protection software solutions are a very new area of information security. The networking vendors were the first to jump on the opportunity by monitoring data at network nodes and gateways, but the market is only in its infancy. The very large vendors aren't yet in this space (e.g. IBM, Oracle, Microsoft). McAfee look to be getting into it, but I'm not too sure what type of capabilities their product has or how mature it is. I'm not even sure they have any customers. Even Symantec don't look to be in this space yet, although it does look to be something they should logically be looking into. There are a few smaller vendors around that do various things with data and from various angles each with their own focus on this market.
  • We're going to see much more about this in the next few years. We talk about identity and access management being driven by audit and compliance. You could argue that the data loss prevention/protection market has even more business drivers when it comes to audit and compliance. PCI, data protection act, privacy concerns etc. are all at the top of our minds and you can be sure this is also right at the top of the list of security concerns not just for CIOs, CISOs and information security professionals, but for CEOs as well. The string of very high profile cases in the press of late to do with data loss has a lot to do with it (TK Maxx being the highest profile one from 2006). The regulatory compliance measures being mandated to combat data loss and leakage simply serve as the compelling reason to act.



Session: Optimise your infrastructure: new strategies for securing online communications
Speaker: Joe Fisher, VP of Product Management, Tumbleweed
Audience: Mostly geeks
Summary:
I must admit I wasn't paying much attention. The presentation was too technical to keep my interest and many audience members obviously thought so too because quite a few walked out. Joe spent the whole presentation talking about Tumbleweed's technology and infrastructure and how to put them in a component diagram when you have all these messaging solutions. I still don't really know what the technology does. Looks to just apply policies across the environment about who can do things to messages.

My opinions:
  • My eyes were open, but I think my brain was asleep.
  • The speaker was not a very good presenter. He couldn't even make the material seem interesting. All in all, not a very engaging or confident speaker.
  • Have to feel sorry for the guy somewhat though. In addition to his lack of presentation skills and boring slides, he had to also contend with people wanting to get to the next presentation in a different room immediately following his. What presentation you ask? Read on.



Session: The psychology of security
Speaker: Bruce Schneier
Audience: Absolutely everyone
Summary:
Security guru, author and geek celebrity Bruce Schneier spoke about what he knows best. How people think and how it affects security. How someone feels about security is more important than the actual security measures in place, at least from a usability perspective. A person who doesn't think a site is secure will not use it, despite the fact it may be the most secure system in the world. The opposite is true too. A system may have no security measures in place but if a person thinks it is secure, they will use it. This is a huge problem according to Bruce. He also talked about security being a tradeoff and all about acceptable risk. We don't wear bulletproof vests daily right? At least not where we all live. This is because it's not worth the effort. If we lived in Iraq however, we'd probably have to. Aspects of this trade off include:
  • Severity of the risk.
  • Probability of the risk.
  • Cost magnitude.
  • Effectiveness of the countermeasure.
  • The trade off itself.
Bruce then delved into psychology and some studies as examples. On the whole, we are risk averse when it comes to gain and risky when it comes to loss. For example, given a sure gain of $500 and a 50% chance of gaining $1000, we pick the sure gain of $500. But given a sure loss of $500 and a 50% chance of losing $1000, we pick the 50% chance of losing $1000. We're also affected by the size of implications and how they are phrased. Take for example an action that has a 50% probability that it will save 200 out of 600 people against an action that has a 50% probability that 400 out of 600 will die. We pick the one which saves 200 out of 600 people...even though both options mean exactly the same thing.

He then covered a few other heuristics (e.g. probability, availability, cost) that affect the way people make decisions using some very interesting and revealing examples. I won't bore you with more details because you can read up on them yourselves or even better, go to Bruce's site. He pointed the audience at a specific related essay and also encouraged those who hadn't done so to subscribe to his email newsletter or blog.

He concluded by reinforcing that "security theater" is a big problem. You feel secure when you're not and you feel insecure when you are. Irrational thought has a lot to do with it because when we're afraid, we'll do anything to make it go away. He reminded us that we need to think about psychological effects when analysing security decisions.

My opinions:
  • Very entertaining. He lived up to his reputation and I actually learned some things from his presentation. That's all you ever want when you give up some of your time to listen to the speakers.
  • There was a huge queue outside the theatre waiting to get in. It was by far the longest queue for the whole event. The auditorium was full and included people having to stand up. The overflow area outside (where there was a video screen broadcasting the talk) was reportedly also very crowded because that was where people stood if they couldn't get in.
  • Bruce was gracious enough to thank everyone for queueing.
  • I was one of the last ones to get in...that includes all the people who had to stand. Except because I got in there so late, they gave me one of the front row seats reserved for the press. Guess they figured any press who weren't there by then weren't showing up. Lucky me.



Well, that was day 2. Again, it was a little bit longer than I anticipated. I even shortened the summaries on purpose. At least I can't be accused of being too brief...can I?

Wednesday, April 25, 2007

Infosecurity Europe 2007 Day 1

The Infosecurity Europe conference started today here in London and I figured that I may as well take advantage of the free registration (if registered before last Friday 20 April) and attend to catch up with all the things I've missed while I've been making the move from Sydney to London.

I'll try to sum up the day, but keep in mind that it's late so I apologise if some parts don't flow and sound disjointed.

The main things I noticed walking around the exhibition and looking at the types of companies there were:
  1. The big Enterprise Identity Management (IDM) vendors were nowhere to be seen. No IBM (well, ISS were there, but that's hardly IBM Tivoli), no Oracle, no Sun, no CA, no BMC. HP were there, but they only had a mini-demo of their IDM software. Microsoft were there in force, but they were promoting all their desktop security wares (or at least it seemed like they were - I didn't bother visiting them). The only players that were present that can be said to have anywhere near the full IDM capabilities of the big vendors were Courion and RSA.
  2. Quite a few of the smaller niche/fringe IDM point solution vendors were there. Names like Passlogix, Imprivata, ActivIdentity, Centrify, Cyber-Ark, Entrust, Evidian and Gemalto to name a few. The most interesting thing I saw was that even though Cyber-Ark only just announced their partnership with Oracle in joining the "Oracle Extended Identity Ecosystem", their stand was promoting their partnership with IBM Tivoli!
  3. The network is back. Every man and his dog is promoting some sort of product that's hooked into the network somehow. I also saw NAC everywhere! Spam and email filtering were also big as usual. The one thing that everyone tied their solution back to was...
  4. Compliance and audit. All the vendors have caught on to the fact that the biggest business driver for security at the moment is fear. Fear of the auditors and the Governments. Fear of prosecution. Fear of data loss. It all gets tied back into being compliant with whatever standard happens to be floating around today. HSPD-12. Sarbanes-Oxley. HIPAA. COBIT. You name it, someone claimed to solve it. My eyes glazed over because the big IDM vendors have been talking about it for years. Now all of a sudden it's the latest and greatest "hot" thing and the smaller companies trying to make a buck have jumped on the bandwagon. Can't blame them though. It IS a real driver. The problem with this is that it all sort of converges and customers will now find it more difficult to sort the good from the bad and figure out who is telling the truth about their product and who is trying to pull the wool over their eyes in trying to sell them a piece of software/hardware to supposedly solve all their problems. In markets like this, we invariably lose some good solutions because they can't sell their product and the bad ones stay around simply because they can. Then we're all stuck with crappy software/hardware and the computing industry looks evil yet again.
Apart from the exhibitors trying to sell products, there are also the sessions that we attend to hopefully gain some value and insight and to learn something new. Of course, there are always mixed results and some end up being a waste of time while others are really good. Nothing new here. Anyone who's ever been to an industry conference can tell you this. The next question is of course...which sessions did I attend? Before I go on, I should point out that the insulation in the speaker breakout rooms was very poor. We could hear all the noise coming from the main exhibition area even with the doors closed. It must have made it very difficult for the speakers. Anyway, here are the sessions I attended today along with my opinions:




Session: Demonstration of New Techniques Hackers are Using to Beat Your Security
Speaker: Geoff Sweeney, Chief Technology Officer, Tier-3
Audience: Mostly geeks
Summary:
Geoff listed the typical security issues (compliance, unknown and internal threats etc.) and mentioned that today it is still commonplace to only have perimeter security (firewalls, IDS). The problem is that hackers use blended threats like social engineering combined with insiders/internal users and proliferate the distribution of malware and trojan downloads this way. He noted that enterprises need to know what's going on at all times and to monitor real-time data against a measured behavioural baseline and track anomalies. Internal, unknown application threats are the "sweet spot" for attackers. He summarised by saying organisations need a holistic approach, unified security management, real-time response and mitigation to know what's happening, a compliance focus and to remove the unknowns.

My opinions:
  • Where was the live demo?
  • It's still commonplace for perimeter security, but many organisations are at least thinking about or know about the other things out there. It's whether they implement it or not that becomes the real question.
  • Very "few years old" type of feel about the presentation. Many people would have heard this all before (I didn't see anyone taking notes). I certainly didn't learn anything new.
  • There was no mention of Identity and Access Management. How can someone talk about insider threats without even mentioning identity, entitlements and policies?



Session: House of Lords Science and Technology Committee Address: Internet Security
Speaker: Lord Broers, Chairman, House of Lords Science and Technology Committee
Audience: Mostly suits constantly fiddling with their Blackberry phones
Summary:
This was actually quite an interesting presentation. While it didn't give any answers, it gave an insight into what the British Government is actually thinking about and gives us a level of comfort that they are willing to try to solve a few of the issues around Internet Security for the UK in particular. Lord Broers began by giving a bit of background about the House of Lords and what they call Select Committees (of which there are several). He gave examples of some of the other things they have looked into like nuclear waste disposal, allergies and energy efficiency. In this case, it was Internet Security. The reasons given for this selection were the proliferation and expansion of broadband, Internet banking, spam, phishing and paedophilia. Select Committees start with a "call for evidence".

They then get feedback and go through a bunch of "evidence sessions" to flesh out the responses. The next steps are to evaluate and analyse the information and come to a conclusion which results in a report that gets submitted to parliament for debate and hopefully appropriate actions. The parliamentary debates and the report are publicly available. At this stage, they're at the end of the "call for evidence" step. Examples of the questions asked are as follows:
  • What is the nature of threats to private individuals?
  • What is the scale of the problem?
  • What can and should be done about awareness and attitudes?
  • What role should hardware and software play?
  • Who should be responsible?
  • How effective are IT governance initiatives?
  • Is the regulatory infrastructure adequate?
  • Is law enforcement adequately trained to respond to Internet crime?
  • Is cybercrime new or just traditional crime using a new medium?
  • How can financial institutions be given incentives to keep consumer private data secure? US banks are legally liable for consumer losses above a certain threshold while UK banks only do this out of courtesy to their customers.
  • Should there be formal targets for policing online crime?
  • Should the UK have its own version of the US Government's IC3?
  • Can software be better configured? Mandatory secure partitions perhaps?
There was also mention of a visit to various US government departments and US vendors to have a look at what the potential solutions available were and also what worked and what didn't. Overall, Lord Broers was quite impressed by what the US has in place today.

Also noted was the varying levels of advice received from various UK institutions. For example, banks will tend to downplay risks while security vendors will tend to exaggerate the issues. The hardest part about the information analysis process is going to be trying to account for these varying degrees of interests and trying to standardise the opinions somewhat.

The presentation then veered towards some initial preliminary opinions that have been formed and will be explored further. These include:
  • Too much responsibility is placed on the end users. There needs to be more responsibility taken by institutions and the IT industry in general for the risks out there. Lord Broers used an example he was given during the US visit. The example illustrated the fact that the water supply is sanitised before being supplied for consumers' use. Water is not served up poisoned with the responsibility of filtering and sanitising it pushed onto the consumer. In this respect, the Internet should be treated like the water supply.
  • Consumers have been made to accept that everything we do online is our fault and very little is reported. But if we get mugged, the first thing we do is go to the police. This type of behaviour needs to be encouraged when it comes to the Internet.
  • Technology is not yet mature enough, but in the long run the consumer should not be held liable for anything that happens to them online through fraud, phishing, security threats etc.
  • Running a bot net in the UK is not illegal (although using one to perpetrate a crime is). This is because grid computing is essentially a bot net and they are required by legitimate sources for things like research. What types of controls can be put in place to help alleviate the risks associated with a computing grid? Should there be a licence issued to people that run bot nets, for example? Can people be prosecuted for using someone else's resources without consent (e.g. using your electricity if they use your computer as part of their grid without your permission)?
  • There needs to be more research centres focusing on this topic at UK Universities like there are in US Colleges.
  • There needs to be better education. e.g. Internet Security should be taught at schools.
  • Part of the problem is the generational gap. Only 30-40% of parents know what their kids do online.
The main point made at the end was that the Internet is a hugely beneficial resource that MUST be protected.

My opinions:
  • There are too many things mentioned to debate. I agree with some things, others I do not.
  • Some views are outdated. It is obvious the UK government are somewhat behind the 8 ball, but you have to give them credit for trying to do something about it.
  • I couldn't quite make sense of some of the concepts he was talking about. "Computer partitioning on computers to make the Internet a safer place"? Huh? I suppose he was just paraphrasing some concept and that was his way of understanding it.
  • It was interesting to at least see the types of questions the UK government are trying to address in this space. There are solutions to quite a few things on the list...others not so much. At least they went to a logical starting point (the US Government) to get a close look at some of the solutions in place. Now the UK just have to get off their butts and do something about it...but as with all bureaucratic processes, that's easier said than done.



Session: Security and the Olympics
Speaker: Derek Wyatt MP, Labour Member for Sittingbourne and Sheppey & Chair of APIG
Audience: Mix of geeks and suits
Summary:
Not really much content to do with IT security. The focus was very much on physical security. There were no solutions presented, just a bunch of questions and considerations. Here they are:
  • Focus very much on Muslim fundamentalists, specifically Al Qaeda.
  • There's political pressure to hire local resources, but invariably there will be a skills shortage which will force hires from other parts of Europe. Many will be from Eastern Europe. Consideration needs to be given to how our enemies might try to infiltrate the process via Eastern Europe, how to perform credential and background checks for these workers (as there is no common EU shared security system), what identity scheme to use, how to back this all up and how to cope with the fact that there is no common database shared between the border protection, law enforcement and transport authorities.
  • The word "Olympic" cannot be officially used until after the Beijing Olympics. This means it is difficult to get anything started officially until 2009.
  • With an expected 15,000 media, 12,000 coaches and support helpers (physio, doctors etc.), 10,500 athletes and 100,000 spectators in Britain, how does one safely screen all the areas?
  • How do we double security on all the buses and the tube?
  • What security systems should be used?
  • When and where does screening start? 3 miles from venues? 5 miles? More?
  • Can the Oyster Card be used as an ID card? Is there a better system (e.g. like Nokia do in Finland with using mobile phones to identify people)? Of course, these aren't really options because neither is an official Olympic sponsor. Visa are! As a result, Visa are responsible for much of the security around the place too (apparently that's part of the agreement with the IOC).
  • What about the Paralympics? Will there be more of a threat because of a perceived lack of security focus?
  • How are aids (e.g. wheelchairs) screened?
  • Are the streets, walkways and public transport systems designed for that many disabled athletes and security people co-located in a centralised area?
There were more considerations, but you get the idea. Apparently the aim was to point out the issues and provide business opportunities for us security professionals to solve.

My opinions:
  • Not much to say really. Most of the things we could probably have figured out ourselves...especially if you know London and its infrastructure (and limitations of).
  • It was a bit of a lazy effort in terms of giving a presentation. No answers. Just a bunch of very high level things that need consideration. Selling it as an "opportunity for business" was a nice excuse on the surface, but how many of us are "approved solution providers" to the IOC anyway?
  • I suppose to a certain extent, they can't give away too much information for fear of exposing weaknesses...but there's not much to give away when there are no solutions yet.



Session: ID Management and Biometrics Implementation Forum
Chair: Stuart Okin, Head of Infrastructure, Accenture
Panel:
  • Alastair MacWillson, Global Managing Partner Security, Accenture
  • Mark Kacary, Sales Director Enterprise Security, Aladdin
  • Marc Boroditsky, President and CEO, Passlogix
  • Nick Somper, Identity Management Lead UK and Ireland, Sun
Audience: Mostly geeks
Summary:
The session was sponsored by Accenture, so we were put through a marketing video at the beginning with customer testimonials about how good Accenture are at Identity Management services. Stuart began by introducing the panel and then had Alastair give the initial presentation about Identity Management. I won't go into the details because he gave a pretty stock standard Identity Management presentation that I've seen just about everyone give. Heck, I've given variations of it to customers before (only ones who are new to the problem space). If enough people ask, I'll post my notes in a future post. He did make the distinction between user-centric identity and enterprise identity (which he said was where Accenture's expertise lay) so you've got to give him credit for that. He also talked about the drivers and challenges (again, stock standard stuff) and said he thought that biometrics and identity management technologies would converge because as we move forward, the identity infrastructures will be in place and be more mature. The main industries that have an interest in biometrics and identity are (unsurprisingly) government and law enforcement. Accenture are also starting to see interest in biometrics from healthcare and transportation. Alastair sees the biggest challenges to government and industry as being more robust identity systems and having identity governance principles on how to deploy identity systems. Also, there needs to be consensus on social, legal, privacy and policy considerations as well as more collaboration within the biometric and identity communities to work on common challenges.

Then came the teaser/sales pitch to get people to come back for the next session where Accenture was going to show how they implemented the miSense system at Heathrow terminal 3. I didn't find it compelling enough to turn up for that session.

Once Accenture were done with their miSense sales pitch, the panel discussion session began with the differences between "small im" and "big IM". "im" being the point solutions like SSO and "IM" meaning Enterprise Identity Management and managing organisational user account lifecycles and entitlements. Mark from Aladdin suggested starting small to address the immediate needs and then moving on to the whole enterprise solution. Nick from Sun mentioned what he calls the "extraprise" meaning business partners, contractor access and mobile employees and how this proliferates the need for the biometric, multi-factor authentication solutions. Marc from Passlogix went a little off topic and suggested that people really should be approaching things through the analysis of use cases. He used a Passlogix customer as an example. A hospital that uses fingerprint access in the general hallways, iris scanners in the operating theatres and username/password from workstations where biometric technologies aren't installed (each providing a different "level of access").

The panel session then moved on to talk about standards and the fact that there are too many of them. Marc from Passlogix took the discussion further by stating that most biometric technologies are proprietary. Implementations have an application layer built on top of the biometrics to help manage this issue and provide integration points, but that means the customer is stuck with having to maintain this. Biometrics need to go the way of PKI, where certificates from multiple vendors can be centrally managed by PKI management tools. Nick from Sun chimed in by stating that many customers are now updating their outdated federated systems to newer, open standards-based technologies and thought that biometric implementations will follow the same path, where the adoption of standards will drive customers to upgrade their implementations to be more open. The question then came from someone else about what standards Aladdin will adopt given that they are not currently in the biometrics market, but have it on the roadmap. The answer was not a particularly convincing one. It was a long-winded way of saying "it depends on what standards emerge".

The next question came from an "audience plant" or "Dorothy Dixon" as it's known in some circles. It was basically asking how to combat privacy concerns whenever identity systems are implemented. The answers all came back to it being down to having the right governance processes, policies and controls in place.

The final question asked the panellists to comment on where they saw the identity market going in the next 2-3 years. Alastair's answer was essentially that public pressure will force companies to implement identity management systems. Nick from Sun's pearl of wisdom was that companies would still be on the identity implementation journey and getting their "houses in order". He then went on a bizarre tangent and mentioned stem cells and how leaving your razor behind on holidays might pose a risk in future because people may be able to steal your identity through the DNA you leave on your razor. Hmmm...right. Moving on. Marc from Passlogix went around the question and instead gave some recommendations: practice good identity hygiene, have a high degree of flexibility through the use of standards and look at fixing the high-risk use cases first. Mark from Aladdin thinks that everyone will be re-visiting their authentication systems as there will be new requirements.

My opinions:
  • Accenture didn't really show any thought leadership.
  • The Sun guy was a little bizarre and spent the whole session trying to sell Sun's technologies (by pushing all the relevant concepts that Sun's software fit well with). Oh, and well done telling everyone indirectly that Identity Management software from Sun takes 2-3 years to implement.
  • What was the Aladdin guy doing on the panel? They admit they don't even have a product! And his last comment was that he thinks people will buy more authentication technologies (obviously from Aladdin...or so he hopes).
  • Marc Boroditsky from Passlogix knew his stuff. He didn't even try to sell SSO (well, not as blatantly as everyone else was trying to sell their stuff). He was the most competent and convincing of the panel.



Session: Identity Management: Picking the right Tools for the Job
Chair: Merlin, Lord Erroll
Speakers:
  • Toby Stevens, Vice Chairman, BCS Security Forum
  • Maury Shenk, Partner, Steptoe and Johnson LLP & Head of European Legal Programme SANS
  • Andy Kellett, Senior Research Analyst, Butler Group
Audience: Mostly suits
Summary:
The session was split up into 3 separate presentations and a summary from Merlin, Lord Erroll.

Toby Stevens - Identity Mismanagement?

Toby began by talking about pseudonyms and how this concept protects our anonymity. This essentially takes us back to the early days of the Internet where no one really knew who anyone else online was and we all had multiple usernames and "identities" online. He defines identity management as being all about entitlement (what you can do), transactions (e.g. online services) and liability. When we talk about identity, we really mean something else. We don't really want to know who anyone is, just the bits of data that are required to provide assurance. For example, a customs officer wants to know that the photo on our passport matches our appearance. It's not really about our name. It's actually all about identity assurance, not identity management. He likes the concept of federated identity and thinks there should be many disparate sub-systems all holding different bits of data populated by government, consumers and industry and kept accurate by the industry and consumers.

Maury Shenk - Identity Management, a lawyer's perspective

Maury began much the same way as Toby and had similar themes. He touched on legal implications of identity such as data protection law, human rights law, communications interception law, employment law, fraud and contractual obligations. Like Toby, he despises the term "identity theft" because in the context of the online world, it is really just our credentials that are stolen. Not our identities. Legal issues here are less significant and this is essentially traditional fraud using new techniques. He doesn't think there is a single "one size fits all" solution for identity. There should be many disparate identity sources and forms of identification for use with different purposes and in different contexts.

Andy Kellett - Realising real value from Identity and Access Management

There's not much to say about Andy's presentation. He gave yet another stock standard presentation, which was quite disappointing for an analyst. He even seemed to realise his slides were a waste of time because he skipped most of them by saying "yes we've covered that". He basically gave a few summary slides and ended with detailed slides of the summary points. Nothing thought provoking or new. His main point was that Identity projects are too complex as are the service delivery models.

Merlin, Lord Erroll summarised as follows:
  • There needs to be a good, secure way of providing electronic identity.
  • There needs to be a balance between centralised and de-centralised systems for identity.
  • There needs to be a level of anonymity in certain cases. For example, if you're calling up a government department to ask about a certain process, they begin by asking for an identification number. When they have that, they also have an indication that you're probably not doing something correctly (even if it's unintentional). This means they could potentially come after you for the unintentional offence. So what happens? People don't call to ask for help.
  • Do we really need to be identified every time? We really just need to know that someone is authorised to do something.
  • The national ID card is not a bad idea. It is the national identity register that is the problem. It centralises all information relating to a person's interactions with the government. This means it can be tracked and opens people up to things like blackmail and so on.
  • There needs to be proper mutual authentication between consumers and institutions. Too often, institutions don't provide consumers with any authentication and expect us to trust they are who they say they are (Ian's note: I've mentioned this many times before, most recently in this post).
  • Having a centralised identity register still forces the government to provide "back doors". Active field agents (spies) will either need their details obscured or they may need multiple credentials/records. People on the witness protection program need to have their details changed and have to assume a new identity that is untraceable to their original one. Gender re-assignment operations also force a change to the system for that particular person's identity (although it's a little easier because it's just a name and gender attribute modification and should still be traceable to their original record).
  • Main point: One centralised database is not the answer. Smaller, distributed systems are the better way to go and federation plays a key part in all this.
My opinions:
  • All raise interesting and valid points and are good conversation starting points.
  • Did the Butler group guy lose his slides and was forced to pull out his slides from a few years ago?




Phew! That was a lot to write. Possibly my longest blog post ever.

That was my day in summary. Should be plenty here to digest and discuss. Feel free to post as many comments as you like.