11 May 2011

ITWEB Security Summit 2011 - Part II

Day two of the ITWEB Security Summit 2011
The presentations, exhibitions and iPad lucky draws continue...
Again, here are some summaries from the better presentations.


Security strategies for a changing world: the balance between risk and user benefit
  Sinisha Patkovic, Director, BlackBerry Security, Research In Motion

He explained how they have seen and defined three stages of mobility:

Stage 1 Mobilizing the mobile worker (Basic Email)
Stage 2 Mobilizing data centre value (starting to leverage business apps)
Stage 3 Redefine business practice with mobility

With every progression of stage there is increased risk as the sensitive data mobility increases.

A smartphone, tablet or even a user-supplied laptop is defined as a user-liable business-use device. According to IDC, this is predicted to reach 61% of corporate user devices.

Another concept to be aware of is "rare event bias": the exclusion of certain problems because "it's a 1 in a million chance". This extends to "there is no exploit for this device that I am aware of, so I am not going to do anything to prevent it..."

No matter how much you try, the following remains true: "Software cannot protect software". The idea is that no AV or similar product can completely protect a security-weak application.


Vulnerabilities and malware: statistics and research for malware identification
   Wolfgang Kandek, CTO, Qualys

Wolfgang gave an in-depth product overview of the Qualys product set. The best non-product-specific quote is:
"90% of attacks are simple and not complicated or advanced, so by doing the basics right you greatly improve your security profile"

And of course the Qualys product will help you identify not just the basic but also the advanced vulnerabilities.

Web security, the Google way
  Parisa Tabriz, Information Security Engineer, Google Inc.

XSS (cross-site scripting) is the most common exploit. Preventing it is hard because developers make mistakes, and testing for it is hard: scanning tools cannot get full application coverage, and manual auditing also tends to be a once-off check.

The richer the application, the more user content types are typically stored. For Google this is mail, images, HTML, multimedia, docs and others.

Poor application or browser behaviour can be exploited. As an example, if a web page element's content type is not set, browsers will switch to content sniffing to determine the type. In the case of a PNG image file, JavaScript embedded in the file can then be executed by the browser during the content-sniffing stage.
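As an added example (not from the talk, and not Google's code), the following Node.js snippet shows the defender's side of the content-sniffing point above: a check that flags responses which leave the browser free to sniff the body, and a header builder for serving user-uploaded files with an explicit type. The allow-list of upload types, the `file` object shape and the function names are assumptions made for the example.

```javascript
// Added example, not from the talk or from Google: header checks a defender can
// run against HTTP responses that serve user-uploaded content. Browsers fall
// back to content sniffing when Content-Type is missing, and
// X-Content-Type-Options: nosniff is the header that turns that fallback off.

// Types that user-uploaded files may be served as (assumed allow-list).
const ALLOWED_UPLOAD_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "text/plain", "application/pdf",
]);

// Lower-case header names so lookups do not depend on how the server cased them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Report whether a response's headers leave the browser free to sniff the body.
function auditSniffExposure(headers) {
  const h = normalizeHeaders(headers);
  const findings = [];

  if (!h["content-type"]) {
    findings.push("no Content-Type: the browser will sniff the body to pick one");
  }
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("no X-Content-Type-Options: nosniff");
  }

  // Missing type with no nosniff is exactly the situation the talk describes.
  const risk = findings.length === 2 ? "high" : findings.length === 1 ? "medium" : "low";
  return { risk, findings };
}

// Keep only characters that are safe inside a quoted filename parameter.
function sanitizeName(name) {
  return String(name || "download").replace(/[^A-Za-z0-9._-]/g, "_");
}

// Build the headers to serve one uploaded file with. `file` has an assumed
// shape: { declaredType: string, name: string }.
function hardenedHeadersFor(file) {
  const declared = (file.declaredType || "").toLowerCase().split(";")[0].trim();
  const allowed = ALLOWED_UPLOAD_TYPES.has(declared);
  // An allow-listed type is sent explicitly, with nosniff, so a PNG stays a PNG.
  // Anything else is served as an opaque download rather than rendered inline.
  return {
    "Content-Type": allowed ? declared : "application/octet-stream",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": allowed
      ? `inline; filename="${sanitizeName(file.name)}"`
      : `attachment; filename="${sanitizeName(file.name)}"`,
  };
}

// Constructed sample: an upload endpoint that forgot to set a type.
const SAMPLE_BAD_RESPONSE = { "Cache-Control": "no-store" };
console.log(auditSniffExposure(SAMPLE_BAD_RESPONSE));
console.log(hardenedHeadersFor({ declaredType: "image/png", name: "photo.png" }));
```

Setting an explicit Content-Type together with `X-Content-Type-Options: nosniff` removes the sniffing step the talk describes; serving non-allow-listed uploads as an attachment keeps the browser from rendering them inline at all.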

To help secure Google apps they have started using a vulnerability rewards program. Essentially, if you find a weakness you tell Google and they give you some money.

Her best quote: "The Google vulnerability reward program has, since August 2010, paid out over $18 000 000 -- that is Jamaican dollars (about $215 000 USD)"

Her closing points are:

Humans make mistakes. Make security the default.
The web is scary. Defense in depth.
Security is hard by yourself. Work together.


The CIA, the lead box at the bottom of the ocean.... and other stories
  Allen Baranov, Information Security Analyst, SABMiller

He had a very candid look at how we put a lot of time and effort into doing the wrong thing. DLP stats: 20% of victims did not know that they had the data.  86% of breaches are not discovered by the victim.

Best Quote: "Your security vendor is lying to you"

His advice is to sensibly continue improving your approach holistically.


How to prioritise security initiatives based on real world case and statistics
  John Yeo, Trustwave SpiderLabs' European director

Stat fest from SpiderLabs' findings:

  • 85% of targeted data is payment card data, because it is the easiest to monetise.
  • 66% is harvested in the transit phase.
  • 75% of targets are in the food and beverage or retail industries.
  • 75% of targeted systems are POS devices, 11% employee workstations and only 9% e-commerce sites.
  • 44% of data is exported via a legitimate HTTP channel and 55% through malware channels.


A large problem is that a lot of data is still transferred as clear text on the wire.

Some of the guidelines for moving forward:

  • Develop a proper mobile security program
  • Virtually patch web applications until problems are fixed (application firewalls)
  • Eradicate clear text traffic



Fig Leaf Security - the lies we tell ourselves
  Haroon Meer, researcher, thinkst Applied Research

"We build secure networks we can't protect"
"We write secure code that is not secure"

The take is simple. People do not even attempt to do things securely from the ground up. There is then a perception that these things are impossible to achieve without buying a security package. The problem then is that we expect a software package to protect an inherently poor application or network.

"Management should not be involved when deciding to apply a security patch"

"Machines that have been compromised by a virus should not just be cleaned.  It needs to be rebuilt from the ground up to be 100% trusted again"

An underlying theme throughout the talk is that it will be hard to do things properly, but this is what you do to get a really good solution. Do not take the "easy route" and do not drop out; do it properly.

"Fig leaves" we hide behind

Stuff is lame
Academic self-indulgence - only valid for academics
That does not impress me, or "that guy has too much time on his hands"
Distraction
There are no interesting problems

Stop hiding and get out there and do what matters.

The roundup
It again was a very informative summit to attend, with good quality speakers and presentations with relevant, up-to-date information. If you take the time to chat to all the exhibitors and the speakers (when you can find them), you can learn loads, not only about what they are selling but about what the industry hum is at the moment.

A lot of the exhibitors also went to great lengths to ensure even us mere delegates got the concepts.

