RSA Europe 2008 – Day 3

October 29, 2008

Today is the last day of RSA Europe 2008.  I have really enjoyed being here and have attended some very interesting sessions which I will be posting about in the near future.

Today’s agenda is shortened since the last keynote ends at 13:30.  For those who are interested, here are the sessions I will be attending.

Lessons Learned from Société Générale – Preventing Future Fraud Losses Through Better Risk Management
Joseph Magee, Chief Technology Officer, Vigilant, LLC.
This session explores how information security technology could have detected the fraud in this case and how it can be used to prevent it in the future.

Virtual HIPS are Growing – Whether You Like It or Not
Brian O’Higgins, CTO, Third Brigade
This session analyzes three approaches to virtualized intrusion prevention, including host intrusion prevention systems.  It discusses the advantages and disadvantages in the management and architecture of each approach and includes attack demonstrations on virtual machines.

Crash Course: How to become a Successful Online Fraudster
Uri Rivner, Head of New Technology, RSA, The Security Division of EMC

Learn how to defraud your favorite financial service! Uncover the latest tools, methods and best practices! Scalable phishing techniques; crimeware you can afford; defeating 2-factor authentication. Or – if you happen to be on the other side – use these insights to develop a better strategy for protecting your consumers against fraud.

Don’t Bother about IPv6? Beware: It is Already in Your Networks
Andrew Herlands, Application Security Inc.
IPv6 is the next generation of IP addressing and is already enabled by default in several OSs: Microsoft Vista, Linux, etc.  Transition mechanisms are also in place and allow IPv6 to run in tunnels over your existing IPv4 network. This session explains the transition mechanisms and the threats, and proposes mitigation techniques.

ICO – Higher Profile? Stronger Powers? More Effective?
Richard Thomas, Information Commissioner, Information Commissioner’s Office, U.K.
The landscape of information security is ever-evolving.  How can organisations learn from the mistakes of the past?  How do we manage the risks?  What does the future hold?  How is the role of the Information Commissioner’s Office (ICO) being strengthened?  What will be the ICO’s approach?  Richard Thomas will be discussing the latest developments and topical issues to answer these questions and more.

Security Cultures and Information Security
Baroness Pauline Neville-Jones, Shadow Security Minister, U.K.
Baroness Neville-Jones will assess the cultural problems in the Government’s handling of data.  She will make clear the pressing need to improve leadership, governance and accountability structures for data handling.  She will also assess the threats to the information networks on which Government Departments and critical sectors depend and will call for the Government to give concerted attention to the security of these networks and systems – as part of which it must develop partnerships with the private sector.

Have a great day!

Kevin

Umm... it’s not a technology problem.

August 1, 2008

Richard Stiennon says:

So, yes, there is good security awareness training. But I do not include teaching Bobby in reception how to avoid being taken in by Kevin Mitnick. It is futile and silly to expect your average employee to become paranoid enough to ward off social engineering attacks. Rather than invest in posters in the elevators exhorting people to stop strangers in the hallway, you should be investing in better security technology.

I do not agree.  Read the whole article and then come back here. I’ll wait.

I’ve been reading Michael J. Santarcangelo, II’s book Into the Breach. I was lucky enough to get a preview copy. I will be posting in more depth what I think of this wonderful book, but I do want to offer the following from the introduction:

We face a human problem where people are the problem. The problem is that people have been unintentionally, but systematically, disconnected from the consequences of their decisions. As a direct result, they do not take responsibility and are not held accountable.

I agree that technical controls are important and should be implemented where appropriate. However, I disagree that providing awareness training to our people is a waste of time and resources. It can probably be done better, but it still needs to be done. How can we, as information security professionals, expect our users to treat information with due care if they are not aware of the importance of that information and the appropriate way in which to handle it? I submit that we cannot. We must, therefore, help them understand both the nature of the information they deal with on a daily basis and the way to handle that information that ensures that it is kept secure.

That’s where I stand. I am really interested in your thoughts. What do you think about technical controls vs. awareness?

Kevin
