You can check the official site here http://www.itweb.co.za/index.php?option=com_content&view=article&id=38100&Itemid=2330
Here are my quick outtakes from selected sessions.
Securing the cloud
Caroline Wong, strategic security manager, Zynga Game Network. Caroline will be discussing Zynga’s business drivers for using cloud services as well as security implications and mitigation techniques.
Zynga is the company responsible for FarmVille and other Facebook social games. They had to grow infrastructure capacity very rapidly. She refers to cloud services as "Fat Pants": it has space for when you need it.
The main business drivers for moving to the cloud are speed, space, elasticity, scale and cost. The combination of those left them with really no other option than using Amazon cloud services.
Her main cloud challenges are:
- Provider Transparency
- Leakage or data loss
- Account service hijacking
- Data confidentiality
- Vulnerability assessment
Her recommendations for negating cloud risk:
- Use the cloud vendor provided security services
- Find 3rd-party extensions or plugins for your cloud, or build your own
- Know your data and where you want to store it
- Keep up as cloud technologies mature
Her best quote: "Perfect security is not possible"
Building a security ecosystem
Robert Fly, head of Product Security team, SalesForce
Robert's presentation was interesting as it was from a cloud provider's perspective. The main focus was around enabling your cloud consumers to build scalable and secure services. Basically they created a number of tools for their developers to use to clean up and secure their code. They had massive improvements, and this is also his best quote:
"We did nothing. We gave them the tools and they used it"
Security is not a single item; it is a whole ecosystem that involves education, design, development and testing.
Stuxnet, Wikileaks and the militarization of computer security
Patrick Gray, Host, RiskyBusiness Security News Podcast
Interesting look at how governments and military are using malware and security vulnerabilities. Has an interesting comparison between the potential development cost of Stuxnet as a weapon compared with conventional ones. It is more cost effective to have a digital war with offensive digital weapons.
Pretty grim - but then again he is from Australia.
His best quote: "Wikileaks is the Mother of all red herrings"
Life after Stuxnet: what business should know and do
Rik Ferguson, director security research & communication EMEA, Trend Micro
This presentation had very little to do with Stuxnet!
There were some really interesting outtakes from this. Zero-day vulnerabilities have reduced considerably over time, especially with respect to operating systems and browsers. The big problem areas are still the 3rd-party apps that have a big monoculture base, like Adobe Reader, Flash and Java.
The interesting summary he brings across is that although zero-day exploits are important, they are less important than remediating old exploits.
The key problem areas are, in order of importance:
- Social engineering
- Insecure application environments
- Cybercrime as a service
- Commercially available attack toolkits
- Rapid incorporation of new vulnerabilities
A large percentage of successful exploits rely on exploiting old unfixed vulnerabilities.
A really insightful statistic is something like this....
"94% of infection root sources is HTTP. It is a massively overlooked attack vector by corporate companies"
Drive-by exploits are when a machine is compromised through no additional actions other than visiting a site.
He has two great quotes
"It's all about the monoculture. The cloud is the new monoculture"
Based on the last quote, he suggests that big resource investment needs to be spent on designing and implementing security for cloud infrastructure, cloud data encryption, cloud applications and the endpoint revolution (no longer just Windows PCs).
How To Beat the Recession: Become a Cyber Criminal
Bradley Anstis, VP Technical Strategy, M86 Security
This was a very candid look at what drives cyber crime, and how so many people are doing it. Essentially it comes down to a 5-step process:
- Select and buy your exploit kit
- Load up your exploit kit with malware you have bought
- Infect a target web site for drive by exploitation
- Track successful infection
- Manage your ongoing attack
- Monitor and maintain malware infection detection levels.
Since there are various parties involved here, it is hard to prosecute a single party for a crime. For instance, the exploit kit authors just write and sell software... The legitimate site that infected the user is an unknowing party to the crime....
Essentially it is a paint-by-numbers criminal activity.
Best quote: "84% of exploit web sites are legitimate sites that have been compromised."
There were of course many different presentations but since I cannot attend 3 at the same time, I have only commented on the ones I attended AND liked.
More tomorrow as the summit continues...