ISF congress post 8: Information security – Where next?

Keynote with – Bruce Schneier (BT) and Quentyn Taylor (Canon)

This was a very free flowing discussion, but I have tried to capture the main points that were made;

Thoughts on the state of the security industry today; 

Quentyn – Things never change.  Technologies change, but we still have the same issues as always.  We seem to have a mentality of if I can just get the next best thing installed we’ll be secure.  We are obsessed with the new – the next threat, the next big issue – these meant new technologies and new things to base next years budget on.

  • Focus on the basics.  Verizon threat report – the vast majority of the issues are old and simple – related to patching etc. and not the latest advanced threats.
  • Look out for the new upcoming EU regulations.


Bruce – Some way things haven’t changed, some thing have.

  • Security is proving hard to sell.
    • Economic reason – It has got more complicated than the buyer can cope with.  Many specialised, niche products that are hard to understand if you are not an expert in that specific area.
    • Psychological reason – Greed is a much better sell than fear.  Security is fundamentally a fear sell.  Other tricks are magazine awards and reviews.
  • Cloud may not be new, but it is new that everyone is using it.  For cloud services we don’t ‘do’ security – we have to trust the vendors.  What O/S does Facebook use? Do you know? Do you care? – you don’t have to, but you have to trust them.  We have to trust the cloud vendors to be sensible, and this is fundamentally a law and regulatory issue, but there are some technologies coming along to help as well.
  • Without this trust things can go very wrong – since the recent NSA and encryption revelations, here have been many discussions around people doing their own thing for cryptographic solutions.  Doing your own encryption is almost always a disaster, but a lock of trust makes people do silly things.


Quentyn – Comment on the fear sell, in the 60s politicians promised to get us to the moon, now politicians promise to avoid disaster.

  • If there is a disaster at your company, do people take it and learn from it, or do people get blamed and fired?


Evolution of the CSO role and the complexity of the technology – is the CSO a translator to the board?

Bruce – yes in a way, someone needs to, and the most senior security person is likely best placed.  Communication skills are key.  Risk management is key.  Security is increasingly part of general risk management.

Quentyn – Dislikes the term CSO.  Rarely does the CSO sit properly on the board in the same way as CFO, CEO, CIO etc.  Is the role really C-level?  Both agree it probably isn’t, and the C implies more than CSO / CISO really / usually is.

Securing the supply chain, what are we going to do about it?

Quentyn – A lot of security people don’t read the company reports etc. and don’t really understand in detail the business they work for, so how can they secure the supply chain?

Bruce – This is fundamentally a trust issue – I have to trust the companies that supply me to do their jobs, so the question is how do we get this assurance (audit details, contractual details, external assessments etc?)  Do I need to include my supply chains audit reports in my overall audit report?

Quentyn – Example of Canadian bank discussion – we now have a requirement to audit, not to trust.  Question is how to get this from large vendors.

Bruce – There needs to be enough demand, and legal regulations to enforce this and make large brands such as Microsoft produce public audit and compliance reports for their customers.

Quentyn – Other side of this is what the vendor / service provider has to loose.  If a cloud provider, or mail processor or whoever is caught with someone in their business reading you data or mail, they stand to loose a huge amount of business if the trust in their service is lost.

Bruce – Largely agrees with this.  Trust can be regulated especially with government examples such as a drivers license, a certificate in a Drs office.


Some more detail on the EU data protection act;

Quentyn – the fines for this are now capped at either 100Million Euro, or 5% or corporations global revenue – which ever is larger.  This could mean huge fines for some breaches of this legislation.

Bruce – Reputation is a powerful reason for companies to act in a trust worthy manner, as well as fines.

Why is this a future issue, rather than the same as now

Bruce – if things are owned by you and run in house governments get less involved.  When you are using multiple cloud companies and data plus processing is global, government will regulate the providers much more.  This means more reliance on international laws, and getting better at combating international cybercrime.  We do seem to be getting better at this.  Yes there are bad actors and bad things happen, but things are no where near as bad as we (myself included) predicated.  We all bank online, we all bank on our phones, and we all know better!  However we do it because it’s actually relatively safe and we know this too.

Microsoft vs. Apple – we all thought it was better to have freedom to run what we want, yet Apple has less vulnerabilities than Microsoft.  (no mentioned of historical user base etc.).  However the downside of this is when Apple owns the device and manages the device, how do you know what is in memory?  How do you know if files have really been deleted etc?


Discussion around mobile devices, use and Data

Bruce – The difference with phones is that while they are just small computers, you carry them all the time so they are more easily lost.  He is more scared crossing boarders with his smartphone than any other device as with Apple, he has no visibility of what is really on the device or in the devices memory.


Where are we going with Apple vs. Android – which will win – controlled walled garden (Apple style) vs. openness and freedom.

Bruce – likely more control and less freedom, sadly.  Users want security to be invisible, and don’t really care, us IT security types are not representative of normal users!

Quentyn – Agree’s, saw a headline about iPads not winning because IT managers don’t like them, he thought it was a joke headline..

Should security drive business decisions?

Bruce – No, we should influence them, but not drive them.  And we are annoying.

Quentyn – we’re the no no no department..  But seriously, should influence and be involved, but not drive.

Were are we going, are things getting better?

Bruce – yes we are getting better, and we are improving at teaching security.  However the problem is IT is expanding, so medical IT, cars, smart grid etc. are all learning the same painful issues – of course it’s secure, what do you mean you can hack a car? then they get hacked, then we have to secure them.

Quentyn – Think we need to wait 3-5 years to see if we are really improving.  Dick Cheney has raised a concern that his pacemaker could be hacked as it has bluetooth!

Bruce – Likely if you ask the vendor why the pacemaker has bluetooth, the answer will be ‘because it was on the chip we used’..

Bruce – issues often caused wham computers added to physical world – e.g. we are adding IP stacks to medical devices introducing a host of vulnerabilities and attack vectors that were not there before.  Imagine if your smart ridge got a virus – it wouldn’t be fun!

Five points / key trends to bring the discussion together;

  • Translator role between IT and business (CISO discussion)
  • Reputation and risk
  • Fines might work
  • Driving towards control – people will often give up control for convenience.
  • Building security in, especially as we add IT to more devices and features.


Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012.  Encompasses; Security – Privacy – Reliability – Business Practices.

Managing risk at all layers..

Thoughts –

–          If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient

–          If I move to a CSP and they have better security than me I am mitigating risk

Help adopters understand why!

–          Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

–          Consult guidance from organisations such as the CSA

–          Require that provider has obtained their party certifications and audits such as ISO/IEC 27001:2005

–          Ensure clear understanding of security and compliance roles and responsibilities for delivered services

–          Know the value of your data and the security and compliance obligations you need to meet

–          Ensure as much transparency as possible e.g. through STAR ( – suppliers such as Amazon and Microsoft already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.


Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?


–          52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

–          A new piece of malware is created every second

–          Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance


3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance

Advanced Malware examples include;

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations networks to control other systems.

– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)

We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.

Tactical trends in Hacking;

–          Professionalism and Commoditisation of Exploit Kits

–          Man in the Browser attacks becoming more common

–          Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware)

–          Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)

–          Mobile malware proliferation

–          Application attacks

–          Botnets migrating from IRC to HTTP

–          Attacks against Macs

Cloud security issues / considerations;

–          Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)

–          Network and Intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

–          Has the cyber security posture of all third parties been audited?

–          Is access to all sensitive systems governed by 2-factor authentication?

–          Does a log inspection program exist?  How frequently are they reviewed?

–          Does file integrity monitoring exist?

–          Can vulnerabilities be virtually patched?

–          In MDM and mobile management software utilised?

–          Do you utilize DLP?

–          Can you migrate layered security into the cloud environment?

–          Do you maintain multi level, rule based event correlation?

–          Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly more sophisticated and we need to work hard to not just keep up but to try and get ahead of them.  The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.


Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance


  1. Define business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – must be business driven, not IT
  3. Inventory data – technical and consultative.  Mentioned that DLP one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (can do other things as well like geography)
  6. Associate data access with business processes, users, roles
  7. Determine standard control requirements for each data set
  8. Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
  9. For each data set, identify acceptable platform based on the required controls and security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and Implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!




RSA Conference Europe 2012 Keynotes; day two part two

Keynote 3 – ‘Are we getting better?’ Why we don’t know.  What can we do about it?

Joshua Corman, Director Akamai Technologies

Change is constant;

–          Evolving compliance

–          Evolving Threats

–          Evolving Technology

–          Evolving Business

–          Evolving Economics

Historically most of our security time and budget went on understanding who is attacking us and how, and understanding our IT landscape.  Now since the onset of so much legislation 50% of security time and budget is spent meeting regulations.  In some companies this is closer to 100%.  Why?  Because the organisation might get hacked, but it will be fined if it fails an audit.

So in a world of ever increasing and evolving threats and increasingly complex systems our focus is diverted from true risk management and security.

Another reason to believe we are not getting better is that we are rapidly increasing our dependence on technology and software systems much more quickly than our ability to secure them e.g  Insulin pumps have been hacked to deliver lethal doses, Microsoft Windows is now in some cars, we rely on web sites that are still regularly hacked, etc.

Are our challenges are not technical but cultural?  For example the OWASP top 10 issues has basically never changed!  Why have we not yet solved any of these issues?

Why is this?

–          We have faith based security

–          We need evidence based security

–          However we have very little data and that we do have may not be for the genuinely most serious issues – we focus on what is visible, not importance.

–          Drunks and Lampposts! – we (and vendors) use data to prop up their views and desired message, not to show the true picture in the same way a drunk uses a lamppost for cupport, not illumination.


Collection of thoughts presented;


–          Vendors don’t need to be ahead of the bad guys, they just need to be ahead of the customer!

–          We have and accept buggy software

–          There is a lot of FUD (Fear Uncertainty and Doubt) and conversely Blind faith

–          We had the chance to do cloud computing better, but are already having the same types of conversation as before..

–          The security industry scores very high on the Maslow stress index..

–          Most companies and CISOs cannot stop standard Metasploit attacks, if we cant stop ‘script kiddies’ how can we expect to stop ‘grown up’ attackers? – HD Moore’s law..

What can we do about it? (in order of importance);

–          Pick one;

  • Make excuses
  • Make progress

–          Build defensible infrastructures including rugged software

–          Operational excellence – run IT well, understand what you have

–          Situational awareness

–          Countermeasures

Joshua has a very interesting blog covering these points and many others.  This can be found here;

To summarise, Seek Knowledge, Make Progress, Collaborate with people, be unreasonable! J

Overall a great although sprawling and fast paced talk.


Keynote 4 – Trust, Security and Society

Bruce Schneier

We as a species are very trusting, just having breakfast you effectively trust 1000s of people to have safely grown, prepared and server your food.  Society wouldn’t function without trust.  This is why we do security, security enables trust, and trust enables society.

There are two forms of trust –

–          Personal when you know someone, and understand some of their likely motivations and expected actions.

–          Impersonal, you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)

In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions.  This trust is for individuals, things / organisations that are physically there, and much more abstract organisations / functions.

Conversely in any system like this people can ‘game’ the system and act in untrustworthy ways.  Consider game theory and the prisoners dilemma.  People can be ‘defectors’.  However defecting only works if the defectors are not too successful, if defecting becomes too successful things, in this case society can collapse.

Security is how we keep the number of defectors to an acceptable level.  This does not mean zero, as getting towards zero becomes prohibitively expensive.

So how do we do this?  Societal pressures;

–          Morals – mostly comes from within our own head

–          Reputation – mostly comes from other people’s opinions of us

–          Laws – ‘formalised reputation’ where laws are not just government type laws, this also includes expected behaviour within your company, expected behaviours within a group or team etc.

–          Security systems

These pressures allow society to scale.

Society will use these pressures to find a balance / equilibrium between these pressures and defectors.  Usually not explicitly, but as an example if there is a lot of crime people will expect more time and effort to go into policing, when crime is very low they will ask why spend so much on policing when we have all these other issues..

Technology makes society more complex and is leading us through a tie of great societal change.

To summarise;

–          No matter how much societal pressure there is there will always be some defectors

–          Increasing societal pressure is not always worth it

–          We all defect at some times. No one is perfect.

–          There are good and bad defectors and it can be hard to differentiate.

–          Society needs defectors – we all benefit because some people don’t follow the norms..