ISF congress post 8: Information security – Where next?

Keynote with – Bruce Schneier (BT) and Quentyn Taylor (Canon)

This was a very free flowing discussion, but I have tried to capture the main points that were made;

Thoughts on the state of the security industry today; 

Quentyn – Things never change.  Technologies change, but we still have the same issues as always.  We seem to have a mentality of "if I can just get the next best thing installed we'll be secure".  We are obsessed with the new – the next threat, the next big issue – which means new technologies and new things to base next year's budget on.

  • Focus on the basics.  Verizon threat report – the vast majority of the issues are old and simple – related to patching etc. and not the latest advanced threats.
  • Look out for the new upcoming EU regulations.

Bruce – In some ways things haven't changed, in some ways they have.

  • Security is proving hard to sell.
    • Economic reason – It has got more complicated than the buyer can cope with.  Many specialised, niche products that are hard to understand if you are not an expert in that specific area.
    • Psychological reason – Greed is a much better sell than fear.  Security is fundamentally a fear sell.  Other tricks are magazine awards and reviews.
  • Cloud may not be new, but it is new that everyone is using it.  For cloud services we don't 'do' security – we have to trust the vendors.  What OS does Facebook use?  Do you know?  Do you care?  You don't have to, but you have to trust them.  We have to trust the cloud vendors to be sensible, and this is fundamentally a law and regulatory issue, but there are some technologies coming along to help as well.
  • Without this trust things can go very wrong – since the recent NSA and encryption revelations there have been many discussions around people doing their own thing for cryptographic solutions.  Doing your own encryption is almost always a disaster, but a lack of trust makes people do silly things.

Quentyn – Comment on the fear sell: in the 60s politicians promised to get us to the moon, now politicians promise to avoid disaster.

  • If there is a disaster at your company, do people take it and learn from it, or do people get blamed and fired?

Evolution of the CSO role and the complexity of the technology – is the CSO a translator to the board?

Bruce – Yes, in a way; someone needs to, and the most senior security person is likely best placed.  Communication skills are key.  Risk management is key.  Security is increasingly part of general risk management.

Quentyn – Dislikes the term CSO.  Rarely does the CSO sit properly on the board in the same way as the CFO, CEO, CIO etc.  Is the role really C-level?  Both agree it probably isn't, and the 'C' implies more than a CSO / CISO really (or usually) is.

Securing the supply chain, what are we going to do about it?

Quentyn – A lot of security people don’t read the company reports etc. and don’t really understand in detail the business they work for, so how can they secure the supply chain?

Bruce – This is fundamentally a trust issue – I have to trust the companies that supply me to do their jobs, so the question is how we get this assurance (audit details, contractual details, external assessments etc.).  Do I need to include my supply chain's audit reports in my overall audit report?

Quentyn – Example from a discussion with a Canadian bank – we now have a requirement to audit, not to trust.  The question is how to get this from large vendors.

Bruce – There needs to be enough demand, and legal regulation to enforce this and make large brands such as Microsoft produce public audit and compliance reports for their customers.

Quentyn – The other side of this is what the vendor / service provider has to lose.  If a cloud provider, or mail processor or whoever, is caught with someone in their business reading your data or mail, they stand to lose a huge amount of business if the trust in their service is lost.

Bruce – Largely agrees with this.  Trust can be regulated, especially with government examples such as a driver's licence, or a certificate in a doctor's office.

Some more detail on the EU data protection act;

Quentyn – The fines for this are now capped at either 100 million Euro, or 5% of a corporation's global revenue – whichever is larger.  This could mean huge fines for some breaches of this legislation.

Bruce – Reputation is a powerful reason for companies to act in a trustworthy manner, as well as fines.

Why is this a future issue, rather than the same as now?

Bruce – If things are owned by you and run in house, governments get less involved.  When you are using multiple cloud companies and data plus processing is global, governments will regulate the providers much more.  This means more reliance on international laws, and getting better at combating international cybercrime.  We do seem to be getting better at this.  Yes there are bad actors and bad things happen, but things are nowhere near as bad as we (myself included) predicted.  We all bank online, we all bank on our phones, and we all know better!  However we do it because it's actually relatively safe, and we know this too.

Microsoft vs. Apple – we all thought it was better to have the freedom to run what we want, yet Apple has fewer vulnerabilities than Microsoft (no mention of historical user base etc.).  However the downside of this is that when Apple owns the device and manages the device, how do you know what is in memory?  How do you know if files have really been deleted etc.?

Discussion around mobile devices, use and data

Bruce – The difference with phones is that while they are just small computers, you carry them all the time so they are more easily lost.  He is more scared crossing borders with his smartphone than with any other device, as with Apple he has no visibility of what is really on the device or in the device's memory.

Where are we going with Apple vs. Android – which will win, the controlled walled garden (Apple style) or openness and freedom?

Bruce – Likely more control and less freedom, sadly.  Users want security to be invisible and don't really care; us IT security types are not representative of normal users!

Quentyn – Agrees; saw a headline about iPads not winning because IT managers don't like them, and thought it was a joke headline.

Should security drive business decisions?

Bruce – No, we should influence them, but not drive them.  And we are annoying.

Quentyn – We're the "no, no, no" department.  But seriously, we should influence and be involved, but not drive.

Where are we going, are things getting better?

Bruce – Yes, we are getting better, and we are improving at teaching security.  However the problem is that IT is expanding, so medical IT, cars, smart grid etc. are all learning the same painful lessons – "of course it's secure, what do you mean you can hack a car?", then they get hacked, then we have to secure them.

Quentyn – Thinks we need to wait 3-5 years to see if we are really improving.  Dick Cheney has raised a concern that his pacemaker could be hacked as it has Bluetooth!

Bruce – Likely if you ask the vendor why the pacemaker has Bluetooth, the answer will be 'because it was on the chip we used'.

Bruce – Issues are often caused when computers are added to the physical world – e.g. we are adding IP stacks to medical devices, introducing a host of vulnerabilities and attack vectors that were not there before.  Imagine if your smart fridge got a virus – it wouldn't be fun!

Five points / key trends to bring the discussion together;

  • Translator role between IT and business (CISO discussion)
  • Reputation and risk
  • Fines might work
  • Driving towards control – people will often give up control for convenience.
  • Building security in, especially as we add IT to more devices and features.

K

RSA Conference Europe 2012 Keynotes; day two part two

Keynote 3 – ‘Are we getting better?’ Why we don’t know.  What can we do about it?

Joshua Corman, Director Akamai Technologies

Change is constant;

– Evolving compliance
– Evolving threats
– Evolving technology
– Evolving business
– Evolving economics

Historically most of our security time and budget went on understanding who is attacking us and how, and on understanding our IT landscape.  Now, since the onset of so much legislation, 50% of security time and budget is spent meeting regulations.  In some companies this is closer to 100%.  Why?  Because the organisation might get hacked, but it will be fined if it fails an audit.

So in a world of ever increasing and evolving threats and increasingly complex systems, our focus is diverted from true risk management and security.

Another reason to believe we are not getting better is that we are increasing our dependence on technology and software systems much more quickly than our ability to secure them, e.g. insulin pumps have been hacked to deliver lethal doses, Microsoft Windows is now in some cars, we rely on web sites that are still regularly hacked, etc.

Are our challenges not technical but cultural?  For example the OWASP Top 10 list has basically never changed!  Why have we not yet solved any of these issues?

Why is this?

– We have faith-based security
– We need evidence-based security
– However we have very little data, and what we do have may not be for the genuinely most serious issues – we focus on what is visible, not on what is important.

– Drunks and lampposts! – we (and vendors) use data to prop up our views and desired message, not to show the true picture, in the same way a drunk uses a lamppost for support, not illumination.

Collection of thoughts presented;

– Vendors don't need to be ahead of the bad guys, they just need to be ahead of the customer!

– We have, and accept, buggy software
– There is a lot of FUD (Fear, Uncertainty and Doubt) and, conversely, blind faith
– We had the chance to do cloud computing better, but are already having the same types of conversation as before.
– The security industry scores very high on the Maslow stress index.
– Most companies and CISOs cannot stop standard Metasploit attacks; if we can't stop 'script kiddies', how can we expect to stop 'grown up' attackers? – HD Moore's law.

What can we do about it? (in order of importance);

– Pick one;
  • Make excuses
  • Make progress
– Build defensible infrastructures, including rugged software
– Operational excellence – run IT well, understand what you have
– Situational awareness
– Countermeasures

Joshua has a very interesting blog covering these points and many others.  It can be found here;

http://blog.cognitivedissidents.com/

To summarise: seek knowledge, make progress, collaborate with people, be unreasonable!

Overall a great, although sprawling and fast-paced, talk.

——–

Keynote 4 – Trust, Security and Society

Bruce Schneier

We as a species are very trusting; just having breakfast you effectively trust thousands of people to have safely grown, prepared and served your food.  Society wouldn't function without trust.  This is why we do security: security enables trust, and trust enables society.

There are two forms of trust –

– Personal, when you know someone, and understand some of their likely motivations and expected actions.
– Impersonal, when you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)

In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions.  This trust is extended to individuals, to things / organisations that are physically there, and to much more abstract organisations / functions.

Conversely, in any system like this people can 'game' the system and act in untrustworthy ways.  Consider game theory and the prisoner's dilemma.  People can be 'defectors'.  However defecting only works if the defectors are not too successful; if defecting becomes too successful the system, in this case society, can collapse.

Security is how we keep the number of defectors to an acceptable level.  This does not mean zero, as getting towards zero becomes prohibitively expensive.

So how do we do this?  Societal pressures;

– Morals – mostly come from within our own head
– Reputation – mostly comes from other people's opinions of us
– Laws – 'formalised reputation', where laws are not just government-type laws; this also includes expected behaviour within your company, expected behaviours within a group or team etc.
– Security systems

These pressures allow society to scale.

Society will use these pressures to find a balance / equilibrium between the pressures and the defectors.  Usually not explicitly, but as an example, if there is a lot of crime people will expect more time and effort to go into policing; when crime is very low they will ask why we spend so much on policing when we have all these other issues.

Technology makes society more complex and is leading us through a time of great societal change.

To summarise;

– No matter how much societal pressure there is, there will always be some defectors
– Increasing societal pressure is not always worth it
– We all defect at some times.  No one is perfect.
– There are good and bad defectors, and it can be hard to differentiate.
– Society needs defectors – we all benefit because some people don't follow the norms.

K