The presentations, exhibitions and iPad lucky draws continue...
Again, here are some summaries from the better presentations.
Security strategies for a changing world: the balance between risk and user benefit
Sinisha Patkovic, Director, BlackBerry Security, Research In Motion
He explained how they have seen and defined three stages of mobility:
Stage 1 Mobilizing the mobile worker (Basic Email)
Stage 2 Mobilizing data centre value (starting to leverage business apps)
Stage 3 Redefine business practice with mobility
With each stage the risk increases, as more sensitive data becomes mobile.
Smartphones, tablets and even user-supplied laptops are defined as user-liable business-use devices. According to IDC, these are predicted to reach 61% of corporate user devices.
Another concept to be aware of is "rare event bias": the exclusion of certain problems because "it's a 1 in a million chance". This extends to "there is no exploit for this device that I am aware of, so I am not going to do anything to prevent it..."
No matter how much you try, the following remains true: "Software cannot protect software". The idea is that no AV or similar product can completely protect a security-weak application.
Vulnerabilities and malware: statistics and research for malware identification
Wolfgang Kandek, CTO, Qualys
Wolfgang gave an in-depth product overview of the Qualys product set. The best non-product-specific quote is:
"90% of attacks are simple and not complicated or advanced, so by doing the basics right you greatly improve your security profile"
And of course the Qualys products will help you identify not just the basic but also the advanced vulnerabilities.
Web security, the Google way
Parisa Tabriz, Information Security Engineer, Google Inc.
XSS (cross-site scripting) is the most common exploit. Preventing it is hard because developers make mistakes and testing for it is hard. Scanning tools cannot get full application coverage, and manual auditing also tends to be a once-off check.
The richer the application, the more user content types are typically stored. For Google this is mail, images, HTML, multimedia, docs and others.
To help secure Google apps they have started using a vulnerability rewards program. Essentially, if you find a weakness you tell Google and they give you some money.
Her best quote: "The Google vulnerability reward program has, since August 2010, paid out over $18 000 000 -- that is Jamaican Dollars (about $215 000 USD)"
Her closing points are:
Humans make mistakes. Make security the default.
The web is scary. Defense in depth.
Security is hard by yourself. Work together.
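As an added example (not from the talk and not Google's own code), here is what "make security the default" can look like for XSS in JavaScript: a tagged template that HTML-escapes every interpolated value unless it is explicitly wrapped as trusted markup, beside the plain concatenation style where a forgotten escape is the bug. All function names and the sample input are constructed for this illustration.

```javascript
// Map of the five characters that matter in HTML text and attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Wrapper type: the ONLY way to get raw markup past the escaper.
// Anything that is not a TrustedHtml is treated as untrusted text.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

function trusted(markup) { return new TrustedHtml(markup); }

// Tagged template: safeHtml`<p>${value}</p>` escapes every interpolation
// unless it is already TrustedHtml. Escaping is the default; raw is opt-in.
function safeHtml(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof TrustedHtml) ? v.markup : escapeHtml(v);
    out += strings[i + 1];
  });
  return new TrustedHtml(out); // result can be nested in another safeHtml call
}

// "Before": string concatenation, escaping left to the developer (and forgotten).
function renderUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// "After": the developer cannot forget; escaping happens unless opted out.
function renderSafe(name) {
  return safeHtml`<p>Hello, ${name}</p>`.toString();
}

// Constructed sample input that injects markup into the page.
const sampleInput = '<script>x</script>';
console.log(renderUnsafe(sampleInput)); // injected tag survives
console.log(renderSafe(sampleInput));   // rendered as literal text
```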
The CIA, the lead box at the bottom of the ocean.... and other stories
Allen Baranov, Information Security Analyst, SABMiller
He took a very candid look at how we put a lot of time and effort into doing the wrong thing. DLP stats: 20% of victims did not know that they had the data. 86% of breaches are not discovered by the victim.
Best Quote: "Your security vendor is lying to you"
His advice is to sensibly continue improving your approach holistically.
How to prioritise security initiatives based on real world case and statistics
John Yeo, Trustwave SpiderLabs' European director
A stat fest from SpiderLabs' findings:
- 85% of targeted data is payment card data - because it is the easiest to monetise.
- 66% is harvested in the transit phase
- 75% of targets are in the food and beverage or retail industries
- 75% of targeted systems are POS devices, 11% employee workstations and only 9% are e-commerce sites
- 44% of data is exported via a legitimate HTTP channel and 55% through malware channels
Some of his guidance for moving forward:
- Develop a proper mobile security program
- Virtually patch web applications until problems are fixed (application firewalls)
- Eradicate clear text traffic
Fig Leaf Security - the lies we tell ourselves
Haroon Meer, researcher, thinkst Applied Research
"We build secure networks we can't protect"
"We write secure code that is not secure"
The take is simple. People do not even attempt to do things securely from the ground up. There is then a perception that these things are impossible to achieve without buying a security package. The problem then is that we expect a software package to protect an inherently poor application or network.
"Management should not be involved when deciding to apply a security patch"
"Machines that have been compromised by a virus should not just be cleaned. They need to be rebuilt from the ground up to be 100% trusted again"
An underlying theme through the talk is that it will be hard to do things properly, but this is what you do to get a really good solution. Do not take the "easy route" and do not drop out; do it properly.
"Fig leaves" we hide behind:
- Stuff is lame
- Academic self-indulgence - only valid for academics
- That does not impress me, or "that guy has too much time on his hands"
- There are no interesting problems
Stop hiding and get out there and do what matters.
It again was a very informative summit to attend, with good quality speakers and presentations carrying relevant, up-to-date information. If you take the time to chat to all the exhibitors and the speakers (when you can find them), you can learn loads, not only about what they are selling but about what the industry hum is at the moment.
A lot of the exhibitors also went to great lengths to ensure that even we mere delegates understood the concepts.