10 May 2011

ITWEB Security Summit 2011 - Part I

This year I am attending my second ITWEB annual security summit.  The event is the premier security summit in Africa.  There are numerous exhibitors and sponsors all waiting to tell us about emerging security concerns and also to hopefully sell us something to plug the hole.

You can check the official site here: http://www.itweb.co.za/index.php?option=com_content&view=article&id=38100&Itemid=2330

Here are my quick takeaways from selected sessions.

Securing the cloud
  Caroline Wong, strategic security manager, Zynga Game Network.  Caroline will be discussing Zynga's business drivers for using cloud services as well as security implications and mitigation techniques.

Zynga is the company responsible for FarmVille and other Facebook social games.  They had to grow infrastructure capacity very rapidly.  She refers to cloud services as "Fat Pants": they have the space for when you need it.

The main business drivers for moving to the cloud are speed, space, elasticity, scale and cost.  The combination of those left them really no other option than using Amazon cloud services.

Her main cloud challenges are:

  • Provider Transparency
  • Leakage or data loss
  • Account service hijacking
  • Data confidentiality
  • Availability
  • Vulnerability assessment

Her recommendations for mitigating cloud risk:

  • Use the cloud vendor provided security services
  • Find 3rd party, or build your own, extensions or plugins for your cloud
  • Know your data and where you want to store it
  • Keep up as cloud technologies mature

Her best quote: "Perfect security is not possible"

Building a security ecosystem
  Robert Fly, head of Product Security team, SalesForce

Robert's presentation was interesting as it was from a cloud provider's perspective.  The main focus was on enabling your cloud consumers to build scalable and secure services.  Basically they created a number of tools for their developers to use to clean up and secure their code.  They saw massive improvements, which leads to his best quote.

"We did nothing.  We gave them the tools and they used it"

Security is not a single item; it is a whole ecosystem that involves education, design, development and testing.

Stuxnet, Wikileaks and the militarization of computer security
  Patrick Gray, Host, RiskyBusiness Security News Podcast

An interesting look at how governments and militaries are using malware and security vulnerabilities.  He made an interesting comparison between the potential development cost of Stuxnet as a weapon and that of conventional ones: it is more cost effective to wage a digital war with offensive digital weapons.
Pretty grim - but then again he is from Australia.

His best quote: "Wikileaks is the Mother of all red herrings"

Life after Stuxnet: what business should know and do
  Rik Ferguson, director security research & communication EMEA, Trend Micro

This presentation had very little to do with Stuxnet!
There were some really interesting takeaways from it.  Zero-day vulnerabilities have reduced considerably over time, especially with respect to operating systems and browsers.  The big problem areas are still the 3rd party apps that have a big monoculture base, like Adobe Reader, Flash and Java.

The interesting summary he brings across is that, although zero-day exploits are important, they are less important than remediating old, already-known vulnerabilities.

The key problem areas, in order of importance, are:

  • Social engineering
  • Insecure application environments
  • Cybercrime as a service
  • Commercially available attack toolkits
  • Rapid incorporation of new vulnerabilities

A large percentage of successful exploits rely on exploiting old, unfixed vulnerabilities.

A really insightful statistic is something like this:

"94% of infection root sources is HTTP.  It is a massively overlooked attack vector by corporate companies"

Drive-by exploits are when a machine is compromised through no action other than visiting a site.

He has two great quotes:

"Javascript is evil"
"It's all about the monoculture.  The cloud is the new monoculture"

Based on the last quote, he suggests big resource investment needs to be spent on designing and implementing security for cloud infrastructure, cloud data encryption, cloud applications and the endpoint revolution (no longer just Windows PCs).

How To Beat the Recession: Become a Cyber Criminal
  Bradley Anstis, VP Technical Strategy, M86 Security

This was a very candid look at what drives cybercrime and how so many people are doing it.  Essentially it comes down to a 5 step process:

  1. Select and buy your exploit kit
  2. Load up your exploit kit with malware you have bought
  3. Infect a target web site for drive by exploitation
  4. Track successful infection
  5. Manage your ongoing attack
  6. Monitor and maintain malware infection detection levels.

Since there are various parties involved here, it is hard to prosecute any single party for a crime.  For instance, the exploit kit authors just write and sell software... The legitimate site that infected the user is an unknowing party to the crime...

Essentially it is a paint-by-numbers criminal activity.

Best quote: "84% of exploit web sites are legitimate sites that have been compromised."

There were of course many different presentations but since I cannot attend 3 at the same time, I have only commented on the ones I attended AND liked.

More tomorrow as the summit continues...
