Recap: RSA Europe 2008 Day 2

November 2, 2008

Hello again. Day 2 of RSA Europe 2008 was a busy one.  I attended several sessions during the day and then the Security Catalyst, Security Bloggers, Security Twits get together happened that evening. This post will only talk about the day.  The meet-up post will be later. Without further ado, let’s get to it.

‘The New Face of Cybercrime’ Film Screening and Executive Panel Discussion

Fortify commissioned the creation of a short film that explores what cybercrime looks like in today’s world. The film was well done and does a good job of showing that cybercrime is no longer about how many defacements malicious individuals can rack up. It isn’t about bragging rights on which systems were hacked.  Cybercrime is big business these days.

Those perpetrating it are doing it for money.  As such, they don’t want to get kicked out of your systems and don’t want anybody to know they are there.  It is a different world and we need to be vigilant and focused if we are going to be successful in protecting our enterprises.

Blinded by Flash: Widespread Security Risks Flash Developers Don’t See
Prajakta Jagdale, Security Researcher, Hewlett-Packard

Prajakta’s session was an interesting one. She showed us how most current problems we find in web apps also exist in Flash based applications.  This includes things like XSS, cross-domain privilege escalation, data injection and others. She also showed some interesting things that can be done with some ActionScript functions like onMetaData, a video related function, setClipboard, which does exactly what it says, and runtime instantiation.

Of more concern is her finding of client side authentication and other client side issues in a disturbing percentage of applications.
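As an added example, and not code from the talk or from this post: a small pattern scanner over ActionScript source for the issue classes mentioned above, namely flashvars (AS2 `_root`/`_level0`, AS3 `loaderInfo.parameters`) flowing into navigation or script sinks such as `getURL`/`navigateToURL` (the classic `javascript:` URL XSS), `allowDomain("*")` for cross-domain exposure, `System.setClipboard`, and credentials compared against a literal in the client. The rule set, the sample source and all names are my own assumptions about what is worth flagging; a SWF would have to be decompiled to source first, which is not shown.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    rule: str
    snippet: str


# Values a SWF receives from the embedding page: AS2 flashvars land on
# _root/_level0, AS3 reads them from loaderInfo.parameters. Treat as attacker input.
UNTRUSTED = re.compile(r"\b(?:_root|_level0)\.\w+|\bloaderInfo\.parameters\b", re.I)

# Sinks where a string becomes navigation, script or loaded content
# (a javascript: URL in getURL/navigateToURL is the classic Flash XSS).
SINKS = re.compile(
    r"\b(?:getURL|navigateToURL|ExternalInterface\.call|loadMovie|loadVariables|htmlText)\b"
)

# Rules flagged on sight, regardless of data flow (assumed rule set).
RULES = [
    ("cross-domain: allowDomain(\"*\") lets any site script this SWF",
     re.compile(r"allowDomain\s*\(\s*[\"']\*[\"']\s*\)")),
    ("clipboard write: System.setClipboard",
     re.compile(r"\bSystem\.setClipboard\s*\(")),
    ("client-side credential check against a literal",
     re.compile(r"\b(?:password|passwd|pwd|pin|secret)\w*\s*[!=]=\s*[\"'][^\"']+[\"']", re.I)),
]

# Strip a trailing // comment but keep the // inside http:// style URLs.
COMMENT = re.compile(r"(?<!:)//.*$")


def scan(source: str) -> List[Finding]:
    """Scan ActionScript source text line by line and return the findings."""
    findings: List[Finding] = []
    for n, raw in enumerate(source.splitlines(), 1):
        code = COMMENT.sub("", raw).strip()
        if not code:
            continue
        for rule, rx in RULES:
            if rx.search(code):
                findings.append(Finding(n, rule, code))
        # Data-flow rule: only flag a sink when a flashvar is on the same line.
        if SINKS.search(code) and UNTRUSTED.search(code):
            findings.append(Finding(n, "untrusted flashvar reaches a navigation/script sink", code))
    return findings


# Constructed sample, not taken from any real application.
SAMPLE_AS2 = """\
// constructed sample
var ok:Boolean = false;
if (_root.password == "s3cret") { ok = true; }   // authentication decided in the client
System.security.allowDomain("*");
getURL(_root.returnUrl);                          // javascript: URL from the page => XSS
System.setClipboard(_root.msg);
loadMovie("http://cdn.example/intro.swf", 1);     // fixed URL, not flagged
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_AS2):
        print(f"line {f.line}: {f.rule}\n    {f.snippet}")
```

The single-line data-flow rule is deliberately crude: a flashvar copied into a variable on one line and passed to `getURL` on the next is missed, so treat a clean run as a starting point for review rather than a verdict.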

The Future of Privacy
Bruce Schneier, Security Technologist and CTO, BT Counterpane

Bruce always has interesting things to say.  I will share that most of what he talked about is stuff that he has been talking about in his essays and on his blog. That being said, here are a few nuggets that resonated with me.

  1. Data is a byproduct of the information age – systems are not generating scads and scads of data on you because they are malicious. It just happens as more and more facets of our lives are moderated by computers. Think about email, telephone calls, credit card purchases, books bought via Amazon.  All of these generate data.
  2. Ephemeral data is now stored – In the past the conversation you had in the hall with your co-worker disappeared as soon as it was over. Now, with email, instant messaging, Skype and other methods of electronic transport becoming more and more the primary method of communication, those conversations are sticking around.
  3. We aren’t in control of that data – We don’t have the ability to delete all the data that is being built up about us because we don’t control it. Again, this isn’t malicious, it’s just the way things are in the information age.

The rest of the keynote was quite interesting as he delved into many facets of what will be happening moving forward.

Hackernomics
Herbert H. Thompson, Ph.D., Chief Security Strategist, People Security

Dr. Thompson gave a great talk that drove home even more that we are in an era where the motives of today’s attackers are no longer about the ‘cool’ factor.  It is a business and we are faced with well financed and motivated attackers who are interested in what we have as opposed to just wanting to take us down. He posits Five Laws of Hacker Economics which are worth a read.  Good stuff.

Another good day at the conference.




Recap: RSA Europe 2008 Day 1

November 1, 2008

Hi there folks. I am home and somewhat rested from my trip to London for the RSA Europe 2008 conference. It was a great trip and I enjoyed the conference.  Below is a recap of my first day.  This is going to be long, so hang in there 🙂

Information Security: From Ineffective to Innovative
Arthur W. Coviello, Jr. – Executive Vice President EMC

If I had to compress Mr. Coviello’s talk into a few concise points, they would be the following:

  1. Concentrating all our information security efforts at the perimeter is an ineffective model in today’s world.
  2. The data we are tasked with protecting must become central to our thought processes when determining how to protect our enterprises.
  3. Information security must be business aligned.

Point number 1: Our perimeters have become quite porous.  This is by design.  As such, customers, partners and others have much more access to internal systems than ever before.  This means that perimeter defenses are inadequate in dealing with attacks that are targeted at the data contained in the applications which are published to the world.  It’s the old crunchy shell vs. chewy center problem.

Point number 2: As alluded to above, in many cases the data and applications most important to the enterprise are being published to the internet or to trusted third parties in such a manner that perimeter controls are next to useless in protecting them.  We must start thinking of ways to protect the data where it sits and ensuring that the applications we publish are developed as securely as possible.

Point number 3: Finally, Mr. Coviello said that information security must become business aligned.  We used to be fear driven, i.e. we must protect ourselves from the evil out “there”. That has morphed into our current situation where we are often compliance driven, i.e. regulation x must be complied with therefore we must do y. The next step is to be business driven.  We need to understand what the business needs to accomplish, what the keys to the kingdom are, and how to protect them in a manner that is risk appropriate and as unobtrusive to the user as possible.

I agree with all the points he made. It will be a challenge, but we will benefit greatly if we can become an integral part of the business process and start protecting the crown jewels instead of the walls that contain them.

Managing your own Security Career
Chris Batten – Managing Director, Acumin

Mr. Batten offered some insight into how to manage your information security career.  His prescription for managing your career is summed up in three statements:

  1. Know yourself
  2. Know others
  3. Do a gap analysis

Know yourself: If you don’t know yourself, i.e. strengths, weaknesses, goals, how can you plot a course to get you to where you want to go?

Know others: If you don’t know what others expect or how they perceive you, how can you navigate the course you have plotted to get to where you want to go?

Do a gap analysis: Once you know yourself, know others and have determined where you want to go, do a gap analysis of where you are now and what the next step is in your chosen course. Notice the next step part.

He mentioned that planning for ten years down the road is probably not the best use of your time.  Things change.  Another statement he made is that the career path should be your career path, not the company’s career path for you.  Determine what you want to do and make that happen.

A Dialogue with ENISA
European Network and Information Security Agency

In this press only event, ENISA presented two white papers, one which has already been published, “Security and Privacy in Massively Multiplayer Online Games”, and “Web 2.0 Security and Privacy” which will be released in the near future.  The summaries were both interesting.

I never realized that there was so much real money at stake in the virtual worlds that have been developed in the last few years. Time became short, so we did not have a chance to talk much about the Web 2.0 paper, but a couple of points that were raised are that users are going to be faced with more and more behavioural marketing and that the browser is the new OS. Not surprising, but interesting none the less. I will be reading up on it when it is published and will report back then.

While I went to several other talks, these three were the most interesting to me and this is long enough already 🙂 Updates for Days 2 and 3 will be along in the next couple days.


RSA Europe 2008 – Day 3

October 29, 2008

Today is the last day of RSA Europe 2008.  I have really enjoyed being here and have attended some very interesting sessions which I will be posting about in the near future.

Today’s agenda is shortened since the last keynote ends at 13:30.  For those who are interested, here are the sessions I will be attending.

Lessons Learned from Société Générale – Preventing Future Fraud Losses Through Better Risk Management
Joseph Magee, Chief Technology Officer, Vigilant, LLC.
This session explores how information security technology could have detected the fraud in this case and how it can be used to prevent it in the future.

Virtual HIPS are Growing – Whether You Like It or Not
Brian O’Higgins, CTO, Third Brigade
This session analyzes three approaches to virtualized intrusion prevention, including host intrusion prevention systems.  It discusses the advantages and disadvantages in the management and architecture of each approach and includes attack demonstrations on virtual machines.

Crash Course: How to become a Successful Online Fraudster
Uri Rivner, Head of New Technology, RSA, The Security Division of EMC

Learn how to defraud your favorite financial service! Uncover the latest tools, methods and best practices! Scalable phishing techniques; crimeware you can afford; defeating 2-factor authentication. Or – if you happen to be on the other side – use these insights to develop a better strategy for protecting your consumers against fraud.

Don’t Bother about IPV6? Beware: It is Already in Your Networks
Andrew Herlands, Application Security Inc.
IPv6 is the next generation of IP addressing and is already enabled by default in several OSs: Microsoft Vista, Linux, etc.  Transition mechanisms are also in place and allow IPv6 to run in tunnels over your existing IPv4 network. This session explains the transition mechanisms, the threats and proposes mitigation techniques.
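As an added example, and not material from the session or this post: the tunnels the abstract refers to are visible on an IPv4 network as IPv4 protocol 41 (6in4, 6to4 and ISATAP all carry an IPv6 header directly inside IPv4) or as UDP on port 3544 (Teredo, which tunnels IPv6 inside UDP to cross NAT). The classifier below takes a raw IPv4 packet, picks out the transition mechanism from those outer fields, and uses the inner IPv6 addresses (2002::/16 for 6to4, the 0:5efe interface identifier for ISATAP, 2001::/32 for Teredo) to tell them apart. The packets are constructed inline with the helper functions shown; the capture source you would feed it from is an assumption and not shown.

```python
import ipaddress
import socket
import struct
from typing import Dict, Optional

PROTO_TCP, PROTO_UDP, PROTO_IPV6 = 6, 17, 41      # IPv4 protocol numbers
TEREDO_PORT = 3544                                  # Teredo UDP port
SIXTO4 = ipaddress.IPv6Network("2002::/16")         # 6to4: 2002:<IPv4 in hex>::/48
TEREDO = ipaddress.IPv6Network("2001::/32")         # Teredo client prefix
ISATAP_IID = b"\x5e\xfe"                            # ISATAP interface id ::0:5efe:w.x.y.z


def classify(pkt: bytes) -> Optional[str]:
    """Name the IPv6 transition mechanism an IPv4 packet carries, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == PROTO_IPV6:                         # IPv6 directly inside IPv4
        return _inner_v6(payload, "6in4 (protocol 41) tunnel")
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):           # IPv6 inside UDP for NAT traversal
            return _inner_v6(payload[8:], "Teredo")
    return None


def _inner_v6(v6: bytes, default: str) -> str:
    """Refine the label using the encapsulated IPv6 source/destination."""
    if len(v6) < 40 or v6[0] >> 4 != 6:
        return default + " (inner header unreadable)"
    src = ipaddress.IPv6Address(v6[8:24])
    dst = ipaddress.IPv6Address(v6[24:40])
    if src in SIXTO4 or dst in SIXTO4:
        return "6to4"
    # Interface identifier occupies bytes 8..16 of each address; 5efe sits at bytes 10..12.
    if v6[18:20] == ISATAP_IID or v6[34:36] == ISATAP_IID:
        return "ISATAP"
    if src in TEREDO or dst in TEREDO:
        return "Teredo"
    return default


# --- packet builders for the constructed samples (no checksums needed here) ---
def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ipv6(src: str, dst: str, next_header: int = 59) -> bytes:  # 59 = no next header
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample traffic (documentation/private addresses only).
SAMPLE_PACKETS: Dict[str, bytes] = {
    "6to4 host to relay anycast": ipv4(PROTO_IPV6, "198.51.100.7", "192.88.99.1",
                                       ipv6("2002:c633:6407::1", "2001:db8::1")),
    "ISATAP link-local": ipv4(PROTO_IPV6, "10.0.0.5", "10.0.0.1",
                              ipv6("fe80::5efe:a00:5", "fe80::5efe:a00:1")),
    "Teredo client": ipv4(PROTO_UDP, "10.0.0.9", "203.0.113.1",
                          udp(3544, 3544, ipv6("2001:0:cb00:7101::1", "2001:db8::2"))),
    "static 6in4": ipv4(PROTO_IPV6, "10.0.0.5", "203.0.113.9",
                        ipv6("2001:db8::1", "2001:db8::2")),
    "native IPv4 TCP": ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.1", b""),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:28s} -> {classify(pkt)}")
```

Anything else carried in protocol 41, such as a provider 6rd tunnel, lands in the generic 6in4 label, and a firewall that passes protocol 41 or UDP 3544 without inspecting the inner IPv6 header is exactly the gap the session title warns about.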

ICO – Higher Profile? Stronger Powers? More Effective?
Richard Thomas, Information Commissioner, Information Commissioner’s Office, U.K.
The landscape of information security is ever-evolving.  How can organisations learn from the mistakes of the past?  How do we manage the risks?  What does the future hold?  How is the role of the Information Commissioner’s Office (ICO) being strengthened?  What will be the ICO’s approach?  Richard Thomas will be discussing the latest developments and topical issues to answer these questions and more.

Security Cultures and Information Security
Baroness Pauline Neville-Jones, Shadow Security Minister, U.K.
Baroness Neville-Jones will assess the cultural problems in the Government’s handling of data.  She will make clear the pressing need to improve leadership, governance and accountability structures for data handling.  She will also assess the threats to the information networks on which Government Departments and critical sectors depend and will call for the Government to give concerted attention to the security of these networks and systems – as part of which it must develop partnerships with the private sector.

Have a great day!



RSA Europe – Day 2

October 28, 2008

Hello again people.

In a bit of a time pinch, so here is the agenda for the day for those who care 🙂

  • ‘The New Face of CyberCrime’ film screening and panel
  • Blinded by Flash: Widespread Security Risks Flash Developers Don’t See
  • Why Security Programs Fail
  • The Future of Privacy
  • Security in the Era of Identity 2.0
  • Hackernomics
  • DLP: What will be
  • The Many Faces of Social Engineering

Should be an interesting and busy day.


RSA Europe 2008 starts today…

October 27, 2008

Good morning everybody or at least those who are in a time zone similar to GMT 🙂  RSA Europe starts today and I am sitting in the press room scheduling out my day.  For those interested, my itinerary follows:

10:00 – Keynote – Arthur W. Coviello, Jr. – Executive Vice President EMC
Information Security: From Ineffective to Innovative

While security spending continues to rise, companies are not feeling particularly more secure today than they did five years ago.  Art Coviello will explore this paradox and share with us how focusing on the key variables of vulnerability, probability and materiality can enable us to effectively balance the risk/reward equation.

10:40 – Keynote – Panel – Moderator Christopher Kuner – Partner and Head, Hunton & Williams
Online Privacy and the World of Behavioural Targeting: Challenges and Options

A moderated panel discussion about the move towards behavioural targeting in advertising and what impact this may have on online privacy and security.

11:30 – Chris Batten – Managing Director, Acumin
Managing your own Security Career

Careers in information security are difficult to navigate as the industry changes at an ever increasing pace.  This session addresses the important skills, traits and knowledge one needs to find and keep the kind of position that challenges you and helps you grow while being well compensated.

13:15 – Amichai Shulman – Co-Founder & CTO, Imperva
Google-Hacking and Google-Shielding

Data leakage via search engines is an ever increasing problem.

14:30 – Dennis McCallam – Chief Security Architect – Northrop Grumman
Out with Traditional Authentication and Protection – In with New Data-Centric Security and Aggregated Authentication

Dennis will demonstrate a cost-effective data-centric enterprise approach using use cases that show the operational flexibility and significant advantages of this type of approach.

16:00 – Neil Costigan – Technical Advisor, BehavioSec – Peder Nordstrom – CTO, BehavioSec
Why Settle with Conventional Authentication when Behaviormetrics Go Beyond it?

Behaviormetrics monitors a user’s session continuously to determine if that user is in fact the one associated with the credentials used for authentication.

There is a reception this evening and of course the exhibition hall is open all day. Should be a busy day.

Have a great morning, afternoon or evening as the case may be.


Headed to RSA Europe 2008

September 26, 2008

Cool news folks.  I am now an accredited press/analyst for RSA Europe 2008.  Even better, I’m going. Hotel reservations have been made and flights booked.  I am looking forward to attending.  This will be my first RSA and looking at the agenda, it appears that there will be plenty of interesting talks to sit in on.

More importantly though, I am looking forward to meeting and talking with other information security professionals.  I already know that several of the @SecurityTwits are going to be there.  Please drop me a note or leave a comment if you are going to be there.  I’m thinking a meetup might be in order if enough are interested.  If not, lunches and hallways are always available for meeting and greeting.

I look forward to hearing from you all.