RSA Conference Europe 2012 Keynotes; day two part two

Keynote 3 – ‘Are we getting better?’ Why we don’t know.  What can we do about it?

Joshua Corman, Director Akamai Technologies

Change is constant;

–          Evolving compliance

–          Evolving Threats

–          Evolving Technology

–          Evolving Business

–          Evolving Economics

Historically most of our security time and budget went on understanding who is attacking us and how, and on understanding our own IT landscape.  Since the onset of so much legislation, around 50% of security time and budget is now spent meeting regulations; in some companies this is closer to 100%.  Why?  Because the organisation might get hacked, but it will certainly be fined if it fails an audit.

So in a world of ever increasing and evolving threats and increasingly complex systems our focus is diverted from true risk management and security.

Another reason to believe we are not getting better is that we are increasing our dependence on technology and software systems much more quickly than our ability to secure them, e.g. insulin pumps have been hacked to deliver lethal doses, Microsoft Windows now runs in some cars, and we rely on web sites that are still regularly hacked.

Are our challenges not technical but cultural?  For example, the OWASP Top 10 list has basically never changed!  Why have we not yet solved any of these issues?

Why is this?

–          We have faith based security

–          We need evidence based security

–          However we have very little data and that we do have may not be for the genuinely most serious issues – we focus on what is visible, not importance.

–          Drunks and lampposts! – we (and vendors) use data to prop up our own views and desired message, not to show the true picture, in the same way a drunk uses a lamppost for support, not illumination.


Collection of thoughts presented;


–          Vendors don’t need to be ahead of the bad guys, they just need to be ahead of the customer!

–          We have and accept buggy software

–          There is a lot of FUD (Fear Uncertainty and Doubt) and conversely Blind faith

–          We had the chance to do cloud computing better, but are already having the same types of conversation as before.

–          The security industry scores very high on the Maslow stress index.

–          Most companies and CISOs cannot stop standard Metasploit attacks; if we can't stop ‘script kiddies’, how can we expect to stop ‘grown up’ attackers? (HD Moore’s law)

What can we do about it? (in order of importance);

–          Pick one;

  • Make excuses
  • Make progress

–          Build defensible infrastructures including rugged software

–          Operational excellence – run IT well, understand what you have

–          Situational awareness

–          Countermeasures

Joshua has a very interesting blog covering these points and many others.  This can be found here;

http://blog.cognitivedissidents.com/

To summarise: seek knowledge, make progress, collaborate with people, be unreasonable!

Overall a great although sprawling and fast paced talk.

——–

Keynote 4 – Trust, Security and Society

Bruce Schneier

We as a species are very trusting; just having breakfast you effectively trust thousands of people to have safely grown, prepared and served your food.  Society wouldn’t function without trust.  This is why we do security: security enables trust, and trust enables society.

There are two forms of trust –

–          Personal when you know someone, and understand some of their likely motivations and expected actions.

–          Impersonal, you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)

In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions.  This trust is for individuals, things / organisations that are physically there, and much more abstract organisations / functions.

Conversely, in any system like this people can ‘game’ the system and act in untrustworthy ways.  Consider game theory and the prisoner’s dilemma: people can be ‘defectors’.  However, defecting only works if the defectors are not too successful; if defecting becomes too successful the system, in this case society, can collapse.

Security is how we keep the number of defectors to an acceptable level.  This does not mean zero, as getting towards zero becomes prohibitively expensive.

So how do we do this?  Societal pressures;

–          Morals – mostly comes from within our own head

–          Reputation – mostly comes from other people’s opinions of us

–          Laws – ‘formalised reputation’ where laws are not just government type laws, this also includes expected behaviour within your company, expected behaviours within a group or team etc.

–          Security systems

These pressures allow society to scale.

Society uses these pressures to find a balance, an equilibrium between pressure and defectors.  This is usually not explicit, but as an example, if there is a lot of crime people will expect more time and effort to go into policing; when crime is very low they will ask why we spend so much on policing when we have all these other issues.

Technology makes society more complex and is leading us through a time of great societal change.

To summarise;

–          No matter how much societal pressure there is there will always be some defectors

–          Increasing societal pressure is not always worth it

–          We all defect at some times. No one is perfect.

–          There are good and bad defectors and it can be hard to differentiate.

–          Society needs defectors – we all benefit because some people don’t follow the norms.

K

RSA Conference Europe 2012 Keynotes; day two part one

Keynote 1 – Big Data; Threat or Opportunity?

Philippe Courtot, Chairman Qualys Inc.

Big data is everywhere, not just Facebook, Google and CERN.  Organisations from the police with cameras constantly taking photos of license plates to log data from corporate systems and web sites.  Many companies are now having to deal with or plan to deal with big data in order to understand their systems, their customers, and their users.

What is driving this for ‘ordinary’ organisations?

–          Increasingly complex and virtualised IT infrastructures

–          Workload mobility

–          Bring your own device / computer

–          Cloud computing

All require increasing amounts of data to be collected and aggregated in order for an organisation to understand and ensure compliance of their environments.

Cloud computing is both aiding this by making the storage and compute power available to any business that has to deal with big data, and driving this through its scale, virtual and always on nature.

How do we ensure the security and understanding of these complex environments?  We must build security into the overall cloud and application architecture.  Realise that the cloud has multiple ‘flavours’, from IaaS to SaaS, and these are not all the same from a design and architecture perspective.  Stop talking and thinking about the cloud as just ‘the cloud’.

From an infrastructure perspective, cloud data centres are fractal, you need to understand what your assets are, but also realise many are the same for example storage and compute.  You can monitor all your compute nodes with the same method.  Monitoring needs to be in real time and to have analysis and intelligence built in.

If you are running web applications you need to understand how many you have, where they are and how they are being used.  You need to look at hardening and understanding this perimeter and correlate logs across these environments.  How do we manage code issues, potential exploits and varying methods of authentication?  Your developers are working on new code and functionality, and your support staff may not have enough code experience.  Do we need a new breed of operations support with reasonably in-depth coding abilities?

Was Philippe referring to DevOps here?  This is newish, but not a new idea, many organisations are already using or setting up DevOps teams with the skill sets that were talked about.

Mobile devices are also driving both big data and management challenges for organisations.  We need to ensure they are all monitored and managed: single sign-on, privacy, corporate policies.  How do we do this for hundreds, thousands or millions of thin devices that cannot have very thick applications installed on them?  Cloud-based services for both device management and aggregation of the collected data can provide these solutions and scale as required.

How do we ensure security remains ‘front and centre’  as we move to the cloud and scale up?  Many existing enterprise point solutions do not scale enough or integrate well enough with the cloud.  This is being solved by providing managed security services from the cloud; Security as a Service (SecaaS).  Obviously blowing my own trumpet here, but this neatly links to my research with the Cloud Security Alliance on SecaaS!

For me the key message of this talk is that real-time ‘Big Data’ is a key element of tomorrow’s security.  We need to understand the implications of this and plan our security strategy to take advantage of this and the insight it will bring.

——-

Keynote 2 – The struggle for control of the internet

Misha Glenny – Author and Journalist

Control of the internet centres on the debate between security and privacy on one side and the demand for freedom on the other.  The US identifies four areas that need to be managed and prevented: crime, hacktivism, warfare and terrorism.

How do we balance the need for people to have freedom with the needs for safety and protection online?  Is the internet morally neutral?

Crime (cybercrime) quickly took advantage of the internet, from card detail sales sites such as Carderplanet and DarkMarket.  Carderplanet was set up >11 years ago.  Both these sites have since been taken down, but they paved the way for much more sophisticated criminal organisations.

Criminals now spend a lot of time watching organisations like SOCA and the FBI in order to understand them and anticipate their next moves.  So while those trying to catch the criminals are watching them, they in turn are being watched!  Hackers have accessed private police files to monitor current investigations and delete intelligence records etc.

There have actually been worldwide ‘carder’ and other criminal activity conferences.  For example, Carderplanet organised the first worldwide carder conference in 2002.  The invite to this conference also alluded to a deal between Carderplanet and the FSB (Russian secret service): the FSB would not interfere with their ‘work’ as long as they did not attack financial institutions and performed attacks on behalf of the Russian government / secret service as required.

The lines between government spies and criminals are becoming increasingly blurred.

Currently the UK secret service (Mi6 / Mi5) is dealing with ~500 targeted attacks every day.  This is up from ~4 per year 10 years ago!  The international spend in the west on cyber security is currently around $100 Billion per year.  This is set to double over the next few years.

The west wants to work with China and Russia to improve the situation; however, China and Russia want to be allowed to manage the web within their borders in any way they like if they are to cooperate.  This obviously raises issues around freedom of speech.

Will the Web break down into massive intranets?  Iran has already stated its intent to disconnect itself from the Web and set up just such an internal intranet.  China and Russia want to control and largely segregate their internal users from the rest of the Web.

We need original thinking to resolve these issues!

K

RSA Conference Europe 2012 – Developing Secure Software in the age of Advanced Persistent Threats

Talk presented by Dave Martin and Eric Blaze, both security officers from EMC.

March 2011 – RSA suffered a breach from an Advanced Persistent Threat (APT) type attack.  This was big news and many customers were affected, having to replace their RSA tokens etc.

Security groups in a high-tech organisation, with EMC as the example, split into a product security group and an IT security organisation, where:

–          Product security is focused on the security of the products produced by the business, deploying patches to customers etc.  This can be looked at as the product’s impact on the customer’s risk.  At EMC they work on the premise that the customer’s network where the product will be deployed has already been compromised, so security is paramount.  Secure development / code and application focused.

–          IT security organisation is responsible for the security of the IT enterprise itself.  This can be looked at as the security impact on enterprise risk.  Generally tend to be much more infrastructure and system focussed.

The environment is changing – environments much more likely to be compromised in a subtle, planned, long term manner (APT) rather than the traditionally more blunt and opportunistic attacks / compromises.

What are the characteristics of these changes?

–          Single minded, determined and innovative

–          Targeting individuals over systems

–          Through reconnaissance they will understand your processes, people and systems better than you do

–          Will exploit ANY weakness

–          They respond to countermeasures by increasing their sophistication

–          Custom malware, NOT detectable by signatures

–          They are not in a hurry; they will take as long as it takes

–          Goal is long term & persistent access

–          The perimeter has shifted, all systems now exist in a hostile environment

What are the implications of this?

Real attacks that have been publicly reported have included;

–          Loss of intellectual property

–          Loss of cryptographic secrets

–          Loss of source code

–          Attacks against cloud services

Mandiant M-Trends 2012 reports that 94% of companies find out they have been compromised from law enforcement, and the median length of time from when a company is compromised to when the breach is discovered is 416 days!  Do you know your network is secure, can you report with confidence to your board and shareholders that you have adequate, intelligent monitoring and solid layered defence in depth in place?  Is your organisation aware of the risks at all levels?

We must assume that we are compromised! – the Security for Business Innovation Council in August 2011 stated;

“Consider that no organization is impenetrable. Assume that your organization might already be compromised and go from there.”

Technology providers must support this by adapting their product security strategy in the following ways;

–          Create an integrated governance model

–          Build intelligent monitoring into products

–          Design layered defence into products

How do they do this?  Product security and Organisational security must work more closely together to expand the SDL (Secure Development lifecycle) and collaborate on standards such as;

–          Source code management

–          Anti-counterfeiting

–          Cloud / Hosting

–          Supplier risk management

–          Software integrity controls

–          Make product strategy part of the enterprise risk strategy

–          ..

Make logging of events more intelligent; Build attack-aware software.

–          Leverage threat modelling within the software to log abuse such as Buffer Overflows and SQL Injections

–          Evolve from logging to debug code issues towards logging that is much more useful for detection for example by including anomaly and behaviour logging in program logic

–          Design software to integrate with and leverage the existing enterprise risk ecosystem – white lists, reputation awareness etc.
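As an added illustration of ‘attack-aware’ logging (example code written for these notes, not code from the talk or from EMC): a request handler that treats SQL-injection-looking input and oversized fields as security events rather than generic bad requests, emits them as structured log records a SIEM can consume, and locks the account after a threshold. The detection regex, the 256-byte field limit, the three-event lockout and the sample requests are all assumptions constructed for the example.

```python
import json
import re
from collections import defaultdict

# Added example of attack-aware application logging (OWASP AppSensor style).
# Not EMC code; the rules, thresholds and log format are assumptions chosen
# for the demo.

SQLI_PATTERN = re.compile(
    r"(?i)('\s*(or|and)\s+[\w']+\s*=\s*[\w']+)|(--|;)\s*$|union\s+select"
)
MAX_FIELD_LEN = 256          # anything larger than a realistic field is suspect
LOCKOUT_THRESHOLD = 3        # security events per user before we act


class AttackAwareApp:
    def __init__(self):
        self.events = []                      # what would be shipped to the SIEM
        self.counts = defaultdict(int)        # security events seen per user
        self.locked = set()

    def _security_event(self, user, kind, field, detail):
        # Structured record, not a debug string: user, classification,
        # which field, and a bounded excerpt of the offending value.
        evt = {"event": "SECURITY", "user": user, "kind": kind,
               "field": field, "detail": detail}
        self.events.append(json.dumps(evt))
        self.counts[user] += 1
        if self.counts[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            self.events.append(json.dumps({"event": "SECURITY", "user": user,
                                           "kind": "LOCKOUT"}))

    def handle_search(self, user: str, params: dict) -> str:
        """A request handler that classifies malformed input as an attack
        signal instead of silently returning a 400 and moving on."""
        if user in self.locked:
            return "locked"
        for field, value in params.items():
            if len(value) > MAX_FIELD_LEN:
                self._security_event(user, "OVERSIZED_INPUT", field, f"len={len(value)}")
                return "rejected"
            if SQLI_PATTERN.search(value):
                self._security_event(user, "SQLI_PATTERN", field, value[:64])
                return "rejected"
        return "ok"


def run_demo():
    """Drive the handler with a constructed request stream: one normal user
    and one account probing for injection. Returns (results, log records)."""
    app = AttackAwareApp()
    requests = [
        ("bob", {"q": "quarterly report"}),
        ("mallory", {"q": "' OR 1=1 --"}),
        ("mallory", {"q": "x' UNION SELECT password FROM users--"}),
        ("mallory", {"q": "A" * 5000}),
        ("mallory", {"q": "harmless now"}),      # too late: account is locked
        ("bob", {"q": "annual report"}),
    ]
    results = [app.handle_search(u, p) for u, p in requests]
    return results, app.events


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The point is the third argument of each record: the application knows whether a value is a malformed search term or an injection attempt in a way no network sensor can, and emitting that judgement as a distinct event kind is what lets the SOC correlate it with the rest of the user's activity.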

Incorporating layered defence into applications / services to resist APT type attacks can be done in various ways including;

–          Utilising split-value cryptographic authentication.  The password (or a hash of it) is split and stored across two servers: one holds a random value, the other holds the password XOR’d with that random value.  Neither piece on its own reveals anything, so an attacker has to compromise both servers, and has to do so within a small time window because both pieces are regularly re-randomised.

–          Assume source code is compromised – anything can be eventually reverse engineered;

  • Never hard code secrets,
  • Adopt a Secure Development Lifecycle,
  • Threat model for source code exposure,
  • Build integrity control into source code reviews
  • Pay attention to comments – we should comment for best practice and code support, but make sure things like ‘To do, must add security here’ are not left in the code!

–          If you use agile methodologies, ensure you have a security-focused story.  Review the recommendations from SAFECode.
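The split-value scheme in the first bullet of the list above, as an added worked example (a simplified model of the idea written for these notes, not RSA’s own protocol or any EMC code): each server stores one random-looking share, verification blinds the candidate rather than reassembling the secret, and a periodic refresh re-randomises both shares so that shares captured from the two servers at different times do not combine. The share size, the PBKDF2 parameters and the ‘alice’ record are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Added illustration of split-value credential storage. A simplified model of
# the idea, not RSA's Distributed Credential Protection or any product code.
# SHARE_LEN and the PBKDF2 settings are assumptions for the demo.

SHARE_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow hash of the password; this is the value we split and protect."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, SHARE_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ShareServer:
    """One of the two servers. Holds one share per user; a share on its own is
    uniformly random and says nothing about the password."""

    def __init__(self):
        self.shares = {}

    def store(self, user: str, share: bytes) -> None:
        self.shares[user] = share

    def refresh(self, user: str, delta: bytes) -> None:
        # Both servers XOR the same delta into their share: the XOR of the two
        # shares is unchanged, but each individual share is now different.
        self.shares[user] = _xor(self.shares[user], delta)


def enrol(server_a, server_b, user: str, password: str, salt: bytes) -> None:
    secret = _derive(password, salt)
    share_a = os.urandom(SHARE_LEN)
    share_b = _xor(secret, share_a)          # secret == share_a XOR share_b
    server_a.store(user, share_a)
    server_b.store(user, share_b)


def verify(server_a, server_b, user: str, candidate: str, salt: bytes) -> bool:
    """Check a candidate without reassembling the stored secret: A blinds the
    candidate with its share, B compares the result against its own share.
    (In this simplified form A sees the candidate hash during a login; the
    real protocols blind that step too.)"""
    cand = _derive(candidate, salt)
    blinded = _xor(cand, server_a.shares[user])                 # done by A
    return hmac.compare_digest(blinded, server_b.shares[user])  # checked by B


def refresh_both(server_a, server_b, user: str) -> None:
    delta = os.urandom(SHARE_LEN)
    server_a.refresh(user, delta)
    server_b.refresh(user, delta)


def attacker_reconstruct(share_a: bytes, share_b: bytes, candidate: str, salt: bytes) -> bool:
    """What an attacker holding one share from each server can do: test a guess
    offline. Only works if both shares come from the same refresh epoch."""
    return _xor(share_a, share_b) == _derive(candidate, salt)


def demo() -> dict:
    salt = b"constructed-salt"                # per-user salt, constructed for the demo
    a, b = ShareServer(), ShareServer()
    enrol(a, b, "alice", "correct horse", salt)
    out = {"good": verify(a, b, "alice", "correct horse", salt),
           "bad": verify(a, b, "alice", "wrong", salt)}
    stolen_from_a = a.shares["alice"]         # attacker compromises A now...
    refresh_both(a, b, "alice")               # ...a scheduled refresh happens...
    stolen_from_b = b.shares["alice"]         # ...and B is only compromised later
    out["stale_pair_useful"] = attacker_reconstruct(stolen_from_a, stolen_from_b, "correct horse", salt)
    out["fresh_pair_useful"] = attacker_reconstruct(a.shares["alice"], b.shares["alice"], "correct horse", salt)
    out["still_verifies"] = verify(a, b, "alice", "correct horse", salt)
    return out


if __name__ == "__main__":
    print(demo())
```

The refresh is what turns "compromise two servers" into "compromise two servers at the same time": the stale pair in `demo()` XORs to the secret masked by an unknown delta, which is useless for an offline guess, while the legitimate login path keeps working because both shares moved together.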

In summary we need to develop using secure methodologies and use the assumption that all systems are or will be compromised.

K

RSA Conference Europe 2012 – SSL is Cracked panel discussion

The panellists for this were;

Ivan Ristic; Director of Engineering, Qualys, Inc.

Marsh Ray; Senior Software Development Engineer, PhoneFactor

Gerv Markham; Governator, Mozilla

Phillip Hallam-Baker; VP and Principal Scientist, Comodo

Overall some great experience here, including the guy who wrote ModSecurity and the guy who discovered the TLS renegotiation vulnerability.

The discussion covered the following topics;

Vulnerabilities / Attacks;

–          Protocol-based – TLS renegotiation, weaknesses in CBC handling, CRIME (a TLS compression side channel that can recover secrets such as session cookies), and the BEAST (Browser Exploit Against SSL/TLS) tool.

–          Implementation-based (e.g. mixed content)

–          Practice based (certification authority bad practices)

Solutions and Remedies;

–          Those currently available (e.g. preferring RC4 with TLS 1.0 as a stop-gap against the CBC attacks; RC4 has since been shown weak enough that RFC 7465 prohibits its use in TLS, so this is no longer a remedy to reach for)

  • DV, OV and EV = Domain-Validated, Organization Validated, and Extended Validation SSL Certificates

–          Those in Development / Deployment

  • Online Certificate Status Protocol (OCSP) Stapling
  • HTTP Strict Transport Security (HSTS) – HTTP header that says from now on only connect to this site with HTTPS, never HTTP.
  • Content Security Policy (CSP) – way to manage the content you will accept from web sites based on declarative content statements in the headers.
  • Improved security and audit requirements for CAs (certificate authorities)

–          Those being Discussed (DANE, CAA, CT etc.)

  • DANE – DNS based Authentication of Named Entities
  • CAA – Certificate Authority Authorization (DNS Resource Record)
  • CT – Certificate Transparency (Issuance Logging)
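As an added example of checking two of the remedies listed above, HSTS and CSP (example code written for these notes, not from the panel): a small audit routine that parses both headers and reports the weaknesses a practitioner would look for. It runs against two constructed sets of response headers, one weak and one hardened; the six-month minimum max-age and the wording of the findings are this example’s own choices.

```python
# Added example: audit HSTS and CSP headers from an HTTP response.
# Not from the panel; thresholds and sample headers are constructed.

MIN_HSTS_AGE = 180 * 24 * 3600      # assumption: six months is the floor we accept


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.
    Valueless directives map to True."""
    out = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if val else True
    return out


def parse_csp(value: str) -> dict:
    """Parse "default-src 'self'; script-src 'self' cdn.example" into
    {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers: dict) -> list:
    """Return a list of findings for one response's headers (keys case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header: the first request can still go over plain HTTP")
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age")
        if age is None or not str(age).isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(age) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age}s is short; browsers forget the policy quickly")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains: an HTTP subdomain can still leak cookies")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no CSP: injected script runs unrestricted")
    else:
        p = parse_csp(csp)
        # script-src falls back to default-src when absent
        scripts = p.get("script-src", p.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows 'unsafe-inline' scripts, which defeats its XSS protection")
        if "*" in scripts:
            findings.append("CSP script-src allows any origin")
    return findings


# Constructed sample responses, not captured from real sites.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(hdrs) or ["no findings"])
```

Run it over the headers your own sites actually return rather than over the samples; the three findings on the weak set (short max-age, no includeSubDomains, inline script allowed) are the ones that most often survive into production.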

Summary / Take away points;

–          Check systems (your own and those of others) – you can go to https://www.SSLlabs.com and enter a URL to test its TLS/SSL configuration

–          Analyse Code and Configurations for Vulnerabilities

–          “Tweak” System Configurations and Code

–          Support Implementation of Newer Versions of TLS and other emerging Protocols

–          Patch and/or Replace Systems

–          Web Security based on SSL/TLS Continues to Evolve and Improve


Overall this was an interesting and thought provoking discussion.  However, as is often the case, putting a bunch of passionate, opinionated and knowledgeable geeks on a discussion panel together resulted in a somewhat rambling debate.  This was very hard to capture / document in any detail, but hopefully the comments highlighting some current vulnerabilities and remedies being looked at will provide a starting point for you to do some further research if you are interested.

K

RSA Conference Europe 2012 – Moving your SOC beyond the bloatware

Talk from Amit Yoran of EMC/RSA.

Where SOC in the title refers to Security Operations Centre.

Everything is evolving;

–          Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations

–          Data is evolving rapidly – explosive data growth, big data

–          Threats are evolving rapidly, with actors from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – hacktivists) to nation states.

Existing security systems are ineffective;

–          Signature based – from AV to anti-spam to firewalls to IPS tends to look for known things and behaviours (signatures)

–          Perimeter orientated – firewalls, IDS / IPS, router security etc. still make up much of the focus.  We are becoming more and more porous or boundary-less.

–          Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long.  How do we reduce this attacker free time or dwell time?

Focus needs to shift from I will stop breaches to I will be breached and how do we manage this and prevent / minimise damage.

Identified four impediments to change from the current;

–          Information deluge – too much information

–          Budget dilemma – so much hype and marketing, what do I spend limited budget on?

–          Cyber security talent – what talent do I have in my organisation, how do I leverage it, and scale the limited number of very talented peoples reach to work for the whole organisation?

–          Macro situational awareness – how aware am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but limited ability to deal with the complex, multi-faceted attacks of today.  Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like?  It is much more complex than just whether a login is valid; ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.

Traditional SIEM is not enough –

–          Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools

–          Cannot fully investigate exfiltration or sabotage of critical data

–          Issues with scaling to collect, sort, and analyse large enough data volumes

Need better security analytics!
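As an added example of the kind of analytic that goes beyond a per-event SIEM rule (example code written for these notes, not from the talk): a stateful detector that keeps a sliding window of logon events per account and alerts when one account fans out to too many distinct hosts in a short time, which is the footprint lateral movement leaves in authentication logs. The log line format, the ten-minute window, the four-host threshold and the sample log are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the talk: a stateful analytic for the lateral-
# movement gap. It keeps per-account state across events, which a single-
# event signature cannot. Log format, thresholds and data are constructed.

LINE = re.compile(r"^(\S+) logon user=(\S+) src=(\S+) dst=(\S+)$")
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_HOSTS = 4     # distinct destination hosts per account within WINDOW


def parse(line: str):
    """Return (timestamp, user, src, dst) or None for lines we don't understand."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, src, dst = m.groups()
    return datetime.fromisoformat(ts), user, src, dst


def detect_lateral_movement(lines):
    """Return [(timestamp, user, sorted hosts)] for each account that reaches
    MAX_DISTINCT_HOSTS distinct hosts inside WINDOW. Per-user deque of
    (ts, dst), pruned from the left as time advances; one alert per account."""
    recent = defaultdict(deque)
    alerts = []
    alerted = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, src, dst = parsed
        q = recent[user]
        q.append((ts, dst))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= MAX_DISTINCT_HOSTS and user not in alerted:
            alerted.add(user)
            alerts.append((ts.isoformat(), user, sorted(hosts)))
    return alerts


# Constructed sample log: a normal user over a working day, and a service
# account being used to sweep servers a minute apart. Not real data.
SAMPLE_LOG = """\
2012-10-10T09:00:10 logon user=alice src=10.0.1.20 dst=MAIL01
2012-10-10T09:01:00 logon user=svc_backup src=10.0.1.55 dst=FILE01
2012-10-10T09:02:00 logon user=svc_backup src=10.0.1.55 dst=FILE02
2012-10-10T09:03:00 logon user=svc_backup src=10.0.1.55 dst=FILE03
2012-10-10T09:03:30 logon user=alice src=10.0.1.20 dst=FILE01
2012-10-10T09:04:00 logon user=svc_backup src=10.0.1.55 dst=DC01
2012-10-10T09:05:00 logon user=svc_backup src=10.0.1.55 dst=FILE04
2012-10-10T17:00:00 logon user=alice src=10.0.1.20 dst=MAIL01
2012-10-10T17:30:00 logon user=alice src=10.0.1.20 dst=FILE02
2012-10-10T18:00:00 logon user=alice src=10.0.1.20 dst=FILE03
""".splitlines()

if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_LOG):
        print("ALERT", *alert)
```

Every individual line in the sample is a perfectly valid logon, which is why a signature or a threshold on a single event never fires; alice touches four hosts over the day too, but spread out, so the window never holds more than two of them. The same deque pattern generalises to other "too many X per Y in time T" questions (hosts per source IP, accounts per workstation) by changing the key and the value.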

Incident response lessons learned;

–          Stop doing things that provide little value

–          Focus on securing the most important material assets to the enterprise and understand their risk exposure from people to processes to systems to data

–          Obtain a deeper visibility into what is happening on the network and what is known about the organisation and its users

–          Collaborate in real time with others more effectively and gain actionable intelligence

–          Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make them valid and don’t tune behaviour just to do well on the ‘test’!

Security operations require;

–          Comprehensive visibility

–          Agile analytics

–          Actionable intelligence

–          Optimised incident management

How do we improve understanding and analytics?

–          Security Analytics Warehouse

Scalable, centralised data warehouse for long-term data retention and deep intense analysis.

Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

Allows us to move to ‘active defence’ that gives the user ability to take action or automatically remediate common functions.  This turns a passive system into an active one, largely using existing infrastructure.  In turn this fuels actionable and effective workflows for the SOC.

Interestingly this talk links back to those on SOA and big data from the Service Technology Symposium; both identify the need to manage and analyse big data in real time, or as near to real time as possible.  These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions.  Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved.  Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC, there were hints of their products, but none mentioned and no sales pitch.

K

RSA Conference Europe 2012 – The Science Lab: Live RAT Dissection

Great talk and demo from Uri Fleyder and Uri Rivner on a VNC-based Man In The Browser (MITB) attack.  The talk started with some general observations on the current state of the malware market, then went into the demo.

Why RATs are spreading in the underground – we are moving to a much more advanced underground supply chain.  This follows neatly from the keynote talks around the ever increasing availability of advanced tools.

A great example is the Citadel Trojan kit.  Developed from Zeus, which was sold and then had its source code leaked, Citadel is a live, ongoing project with many add-ons, including GUI-based Trojan development and deployment.  Citadel costs only $2399 plus modules; yearly membership of the Citadel online ‘app store’ costs as little as $125 per year.  Modules can be bought for small amounts of money, such as:

Log parser for $295

Automatic iFramer of FTP accounts from logs for $1000

Recent releases of Citadel include multiple enhancements such as injects directly from the control panel.

This highlights just how easy it is to get access to advanced malware creation kits, and how low the cost of entry currently is.

The demonstration of a Man In The Browser (MITB) attack showed a user accessing a compromised site.  The browser appeared to crash, then the user re-opened it and carried on working.  The user then accessed their bank and received a security warning saying that some checks were being performed to update their machine’s security, that these might take a few minutes, and please do not close or refresh the browser window.

At the same time the criminal received a text telling him a new machine had been compromised.  He then logged into his Zeus control account to see what the machine was and which bot had infected it.

The next step is that the bank site asks the customer to input their credentials, including PIN + key code, to access their account.  This is achieved by inserting JavaScript into the banking page in the user’s browser.

From their own machine the criminal uses VNC to log into the user’s machine, and from there into the user’s bank account.  The user inputting their PIN and code details enables the criminal to perform a transaction on their account, such as a funds transfer.  The criminal does this in the background while the user is waiting for the initial ‘security checks’; once the criminal gets to the point where they are stuck and need the user’s 2-factor credentials, they update the message to request these details, as mentioned in the last paragraph.

The criminal is sent the username and password from the initial login;

https://twitter.com/ufleyder/status/255643717027913729/photo/1

Then the 2-factor code from the second message;

https://twitter.com/ufleyder/status/255646235078307840/photo/1

The criminal then sends a sorry site down for maintenance screen to the user again by injecting it via JavaScript to the bank page the user thinks they are accessing.  This is to try and allay any fears or concerns so the user (victim) does not immediately suspect something malicious has occurred.

This works because the user has gone to the banking page they trust, and as they typed the url or went to their saved favourite rather than clicked a link somewhere they assume all is well.

Another advantage for the attacker of this type of attack is that their session appears to come from the user’s machine, because it goes through a VNC (remote administration) connection to that machine.  This circumvents any checks the bank (or whatever site) has in place to scrutinise connections or transactions initiated from unknown devices.

According to European banks, something like 30% of all fraud now comes from same-device attacks like this.

Summary;

–          VNC embedded in Zeus clones is a dramatic escalation of the threat level.  Make sure your defences are ready!

–          Continuous monitoring is more resilient – e.g. user behaviour analysis, how fast is the user clicking and entering data, what is their pattern of clicks etc.

–          Don’t rely on identifying the device

–          Consider randomising, encrypting DOM space

–          Zeus and other clones are polymorphic, normal scans are not effective

–          Make sure your machines are getting all relevant patches

–          We used to rely on something you know, this is broken, now we rely on something you have, this is crumbling.. What next, something you are linked with behavioural analysis?
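As an added illustration of the behavioural monitoring suggested in the second bullet above (example code written for these notes, not from the talk): compare a session’s typing cadence, time from login to a transfer, and page navigation path against the account’s own recent sessions, and report what looks out of character. The sessions, the features and the three-standard-deviation limit are constructed for the demo; the constructed ‘attack’ session models an operator who jumps straight to the transfer page, as in the VNC scenario described above.

```python
from statistics import mean, pstdev

# Added illustration, not from the talk: score a banking session against the
# account's own history. Features, thresholds and data are constructed.

Z_LIMIT = 3.0   # assumption: more than 3 sd from the account's norm is notable


def features(session: dict) -> dict:
    """Reduce a session's event list [(seconds_since_login, name)] to a few numbers."""
    events = session["events"]
    keystrokes = [t for t, n in events if n == "keystroke"]
    gaps = [b - a for a, b in zip(keystrokes, keystrokes[1:])]
    transfer = [t for t, n in events if n == "submit_transfer"]
    return {
        "mean_key_gap": mean(gaps) if gaps else 0.0,
        "secs_to_transfer": transfer[0] if transfer else None,
        "path": tuple(n for _, n in events if n.startswith("page:")),
    }


def score(baseline: list, session: dict) -> list:
    """Return the reasons a session looks unlike the account's history
    (empty list means nothing stood out)."""
    hist = [features(s) for s in baseline]
    cur = features(session)
    reasons = []
    for key in ("mean_key_gap", "secs_to_transfer"):
        vals = [h[key] for h in hist if h[key] is not None]
        if cur[key] is None or len(vals) < 3:
            continue                      # not enough history to judge
        mu, sd = mean(vals), pstdev(vals) or 1e-9
        z = (cur[key] - mu) / sd
        if abs(z) > Z_LIMIT:
            reasons.append(f"{key}={cur[key]:.2f} is {z:+.1f} sd from baseline {mu:.2f}")
    seen_paths = {h["path"] for h in hist}
    if cur["path"] not in seen_paths:
        reasons.append(f"navigation path {cur['path']} never seen for this account")
    return reasons


def make_session(key_gap: float, secs_to_transfer: float, path: tuple) -> dict:
    """Build a synthetic session: 12 keystrokes at a fixed cadence, the given
    page path, and one transfer submitted at secs_to_transfer."""
    events = [(0.0, path[0])]
    t = 1.0
    for _ in range(12):
        events.append((t, "keystroke"))
        t += key_gap
    for i, page in enumerate(path[1:], start=1):
        events.append((t + i, page))
    events.append((secs_to_transfer, "submit_transfer"))
    return {"events": events}


# Constructed history for one account: a human typing at ~0.2 s per key, who
# looks at the accounts page before transferring, roughly two minutes in.
NORMAL_PATH = ("page:login", "page:accounts", "page:transfer")
BASELINE = [
    make_session(0.22, 95, NORMAL_PATH),
    make_session(0.19, 110, NORMAL_PATH),
    make_session(0.25, 130, NORMAL_PATH),
    make_session(0.21, 100, NORMAL_PATH),
]
# Constructed suspect session: very fast entry, straight to transfer in 9 s.
ATTACK = make_session(0.04, 9, ("page:login", "page:transfer"))

if __name__ == "__main__":
    print(score(BASELINE, make_session(0.23, 105, NORMAL_PATH)))
    print(score(BASELINE, ATTACK))
```

None of these signals identifies the device, which is the point of the third bullet: they travel with the account's own habits, so a session driven through the victim's browser still has to look like the victim.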

A lot to think about here.

K

RSA Conference Europe 2012 Keynotes; day one part two

Keynote 3 – Francis deSouza – Group president, Symantec – The art of cyber war, know thy enemy, know thyself

For many years IT was standardising on systems from the client to the server room.  Now we have BYOD, cloud etc.  IT is becoming more diverse with many more devices and data stored across multiple locations and hosting environments.

What does this mean for IT security?  What model do we need?

Historically IT security has been defence only and point / issue based. – you get viruses so install AV etc.

We need to look more holistically and look at how we defend against multi flanked attacks and advanced persistent threats.  Also consider how we can use the attack against the attacker or to catch the attacker (think Aikido).

What do we mean by multi flanked?  Attacks are now increasingly using multiple, seemingly independent attacks, many of which are just diversions so we miss the real attack.  When we are busy or focusing on a specific task we often miss obvious things.  Look up ‘how many times did the white team pass the ball’ for an example of this!

Phishing attacks are also getting much more advanced and sophisticated, these are now one of the primary ways attackers use to gain a foothold.

An example of this was a recent attack on a bank that used a phishing email to gain access to a bank.  The gang then launched a DDoS attack on the bank, while the bank was rushing around trying to keep their site up and prevent the attack being successful.  The gang then used the malware installed via the phishing email to steal bank and ATM details.  They then passed these to their monetising team who created ATM cards, distributed these to hired people who all went to ATMs, and withdrew cash.  This attack walked away with $9M in a couple of hours.

The attackers also do things like ensure they use cards in ways that look legitimate and at times customers (the legitimate card holders) are less likely to spot the use quickly.

How do these gangs create these massive data centres of compute power yet remain invisible to law enforcement organisations such as Interpol, the FBI etc.?  Sophisticated organisations sell ‘bulletproof’ solutions hosted in one country, managed in another, sold in yet another etc.  This is a real market where actual marketing is used, and there is great competition and price pressure – it is a lot cheaper than you think!

There is also the ‘democratisation’ of cyber warfare tools – this follows neatly from the previous talk – increasingly complex and advanced tools are available more and more readily.

On the other side of this is the huge increase in what we are trying to protect – we have more and more complex systems and ever growing data volumes.  The volume of data stored is likely to increase by 40 times from today’s levels by 2020!

What does this mean for the security industry?

We need to improve our intelligence;

–          What do they want?

–          What are our key information assets?

–          Out of all of our data which is critical, and which is ‘garbage’?

–          What is happening in your organisation?

–          How are the criminals working and what attacks are they using?

–          Look holistically – what is the campaign they are using, and what are the weaknesses of their campaign?

–          Who are the actors in the campaign?

Our intelligence and security need to be more agile – we need to improve our understanding of what is happening, and of the unknowns and unexpected things we discover.  Is our security agile enough to change to deal with these new and unexpected things?

Brief comment on having powerful defences and AV (well, this is Symantec..).  Good point on reputation based computing – if we have never seen this file before, should we trust it?
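The reputation question above turns on two properties of a file’s hash rather than on its contents: how long ago it was first seen, and how many machines have seen it.  The following is an added sketch of that decision logic, written for this post and not taken from Symantec or any other product: a constructed catalogue maps SHA-256 digests to a first-seen date and a prevalence count, and a never-seen file is not trusted by default.  The catalogue, thresholds and verdict names are assumptions made for the example.

```python
"""Reputation based decision for a file: trust depends on age and prevalence of
its hash, not on scanning its contents.  The catalogue and the file contents
below are constructed for this example; the thresholds are assumptions."""
import hashlib
from datetime import datetime, timedelta

NOW = datetime(2012, 10, 10)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register(catalogue, data: bytes, first_seen: datetime, prevalence: int):
    """Record a sighting for the hash of `data` in the reputation catalogue."""
    catalogue[sha256_hex(data)] = {"first_seen": first_seen, "prevalence": prevalence}


def verdict(catalogue, data: bytes, now=NOW, min_age_days=7, min_prevalence=100):
    """Classify a file purely on its hash's history.

    unknown        : never seen anywhere; do not run by default, send to sandbox
    low_reputation : seen, but too new or on too few machines to trust yet
    trusted        : old enough and widespread enough to be treated as benign
    """
    rec = catalogue.get(sha256_hex(data))
    if rec is None:
        return "unknown"
    if now - rec["first_seen"] < timedelta(days=min_age_days):
        return "low_reputation"
    if rec["prevalence"] < min_prevalence:
        return "low_reputation"
    return "trusted"


def build_sample_catalogue():
    """Constructed sightings: a widely deployed tool, a brand-new build, and a
    file seen on only a couple of machines."""
    cat = {}
    register(cat, b"widely used helper v2.1", NOW - timedelta(days=400), prevalence=250_000)
    register(cat, b"fresh build, released yesterday", NOW - timedelta(days=1), prevalence=5_000)
    register(cat, b"rare internal script", NOW - timedelta(days=90), prevalence=2)
    return cat


if __name__ == "__main__":
    cat = build_sample_catalogue()
    for blob in (b"widely used helper v2.1", b"fresh build, released yesterday",
                 b"rare internal script", b"never seen before"):
        print(blob.decode(), "->", verdict(cat, blob))
```

Because the decision keys on the hash, a single-byte change to a file (as a malware build that is unique per victim would produce) yields a fresh digest and therefore the "unknown" verdict, which is precisely the case signature-based scanning struggles with and reputation is meant to catch.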

————-

Keynote 4 – Adrienne Hall – General Manager, trustworthy computing, Microsoft – Risks and Rewards in cloud adoption

Microsoft Security Intelligence Report release 13 is available for download as of today, and is available here;

http://download.microsoft.com/DOWNLOAD/c/1/f/c1f6a2b2-f45f-45f7-b788-32d2cca48d29/Microsoft_Security_Intelligence_Report_Volume_13_English.pdf

A great overview of the report can be found here;

http://blogs.technet.com/b/security/archive/2012/10/09/microsoft-security-intelligence-report-volume-13-now-available.aspx

Microsoft has also released some very helpful, open source, security tools;

–          Attack Surface Analyzer

–          Anti-Cross Site Scripting (Anti-XSS) Library

http://aka.ms/securitytools

Microsoft recently commissioned a cloud computing survey on current barriers to, and benefits of, cloud adoption.  This was carried out by an independent survey company, so it is vendor neutral.  The full results can be found here;

http://aka.ms/cloudsurvey

Unsurprisingly, perceived security risks are still the top barrier; however, of those who have adopted the cloud, 54% stated they have improved security, and 47% made cost savings on their overall security spend.  Perception and reality currently do not appear to align.  How do we address these barriers?

Improve transparency;

–          Collaborate to share information and guidance e.g. Cloud Security Alliance (CSA)

–          Drive and support industry standards

–          Commit to transparency in cloud offerings

Microsoft has just released a cloud security readiness tool that can be found here;

www.microsoft.com/trustedcloud

This is a survey tool that will allow you to assess both the security of your current environment and your readiness for cloud adoption / migration.  It is free and will help you plan a cloud migration regardless of the technologies or cloud providers you intend to use.  To ensure vendor neutrality it links in with, and is based on, the CSA Cloud Controls Matrix.

The output of this survey is a report for your organisation which identifies the controls relevant to your industry and region.

Talk summary – Stay informed; Embrace standards, best practices and transparency; Weigh the risks and rewards.

Overall this talk was lighter than the others and fairly Microsoft focused, but had some good points and highlighted some useful tools.

Note, at the time of writing the ‘aka.’ links are giving 404 errors; I have emailed Microsoft and asked for this to be resolved.

———-

Keynote 5 – Herbert Thompson – Program committee chairman, RSA conference – Securing the human: our industry’s greatest challenge

In security we set up situations where people are set up to fail, especially if they are not security savvy or paranoid.

–          Links in emails – how do we know which are real and which are malicious?

–          What do we do about site certificate errors?

–          What do we do when a site wants us to download a file?

Security currently treats everyone the same regardless of knowledge or talent.  One size does not fit all.  Think of car insurance; you have to answer many questions, and the outcome is an insurance quote tailored to your risk profile.

We need to be the people that help the business understand the risk; enable them to make decisions and embrace change with a full understanding of the risks of doing so.

Very light talk, but great point around understanding and managing risk appropriately.
