Friday, May 20, 2011

ITWeb Security Summit - Wrap Up [Part One]

[Some good stuff from the conference]

I really wanted to write something longer but this will do for now. I just want to get something out there that is not a tag-cloud.

Stuxnet and Spy Wars
Patrick Gray from the Risky Business Podcast and Tony Olivier both spoke about a world that we are only now starting to understand, where Governments are playing with Information and changing the world with their own Malware and hidden online activities. Stuxnet, Anonymous and HBGary were the catchwords that made each of these presentations fascinating. Richard Thieme continued and asked the big question - what side are you on? Tony urged the attendees to spread the word about what is happening, as it is the Information Security community that is best equipped to understand what the implications are. Very interesting stuff.

Online Auctions
Glenn Wilkinson did some interesting research into how online auctions can be gamed. It was very interesting and well done to him. However, I think he missed out on an important point which I would like to take further. On my way home on the first day, my head was buzzing thinking about this talk and it hit me while I was battling some traffic along Sandton Drive - our corporate information is on the Internet and is up for Auction. "Cyber-criminals" have an amount that they are willing to spend to get our information. Information Security is really just one big auction of information. APT was a term that was thrown around loosely at the conference but I think that Glenn's talk is the only talk where it wasn't mentioned (even in jest) and yet his talk would have had the best definition of APT - it is where Information Security and Cyber-Crime are locked in a "war of attrition".

Fig Leaves and Haroon's Hammer
Haroon Meer is a great talker and I enjoyed his Lessig style presentation at the end of the conference. It was great that both of the closing talks had calls to action, which makes sense. I agree wholeheartedly with the problem that Haroon builds in his talk. The one question he asked was along the lines of: hands up all those here who are willing to put $1000 down on the table that they can protect their CEO's Information. No hands were raised. He then went through some excuses that InfoSec professionals use and ripped them apart. His one quote "Your management is one 0-day from the worst day of their lives" was re-tweeted across the world and was the most popular quote from the conference. The next bit was more important though - "... and they don't know it and you (Information Security Professionals) have a duty to inform them". The bit of the presentation that I didn't agree with was the answer that Haroon provided. Haroon is a researcher, so by the law of the instrument (or Maslow's Hammer) his answer is more research. I disagree. I believe that two things are necessary to get us out of where Haroon correctly paints us - 1. a fundamental change of the Internet and 2. a realisation that Information Security is rapidly becoming less and less about technology and more about Business. More technical research is also needed, but I think that it is not everything we need.

Strange Trends and New Networks
My talk was very heavily based on Information I pulled off the Internet from Blogs. If you are passionate about anything at all then you should be looking for Blogs about that subject and Information Security is no exception - there are some amazing sources out there. The talk itself went off well and I had some very positive feedback from delegates as well as some comments which is always appreciated and allows the conversation to be taken further. I started off my talk by saying that if I had all the answers I wouldn't be doing Information Security because I'd be bored. Due to time constraints, I did skip some parts of my talk that I would like to pick up in my Blog so watch out for that soon.

And so...
Another amazing conference - one that was very worthwhile and I look forward to ITWeb Security Summit 2012.

Disclaimer - you may think that because I spoke at this conference, I am biased toward liking it. The opposite is true - because I am biased toward liking it, I spoke at it.

Monday, May 16, 2011

ITWebSec Tag Cloud part 2

This is an update to the previous post. I have cleaned up the data a bit. Again I left out the words "HTTP", "ITWebSec" and "RT", as these added nothing to the cloud, as well as common English words such as "The" and "And". Including these words, there are 2307 different words. The top names (chosen by "@" in front) are: @itwebsec, @haroonmeer, @MushiD, @mattdoterasmus, @abaranov and @DeepPurple77.

The biggest ReTweeted phrase (by far) was: '@itwebsec: "Management don't know what security knows; that we're one 0day away from the worst day of their lives." #itwebsec' which is a quote from Haroon Meer's presentation.

As always - E&OE.

The previous tag cloud was made with TagCrowd and this one with Wordle.

Wednesday, May 11, 2011

ITWebSec tag cloud

There was too much information at ITWeb Security Summit for me to make a sensible post of all of it just yet.

So, I thought I would hack something together. I ran a search against the latest 100 Twitter comments: , got the feed as XML, grepped for "title", popped that into , fiddled with the results a bit and:
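The pipeline sketched above (fetch the search feed as XML, pull out the title elements, drop noise tokens and common words, count what is left) written out as an added Python example; this is not the author's script or the tools he used. The Atom feed, the handles and the tweet texts are constructed for the example, and the stop-word list is an assumption.

```python
from collections import Counter
from xml.etree import ElementTree as ET

# Constructed sample feed in the Atom shape the 2011 Twitter search API returned.
# The handles and tweet texts are invented for this example.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>RT @itwebsec: "Management don't know what security knows" #itwebsec</title></entry>
  <entry><title>RT @itwebsec: "Management don't know what security knows" #itwebsec</title></entry>
  <entry><title>Great talk on Stuxnet by @example_speaker at #itwebsec http://example.invalid/x</title></entry>
  <entry><title>RT @example_speaker: auctions and the security of information #itwebsec</title></entry>
  <entry><title>@example_speaker the Stuxnet talk was the best of the day</title></entry>
</feed>
"""

ATOM_NS = "{http://www.w3.org/2005/Atom}"
# Tokens dropped from the cloud as in the post ("HTTP", "ITWebSec", "RT"),
# plus an assumed small list of common English words.
EXCLUDED = {"http", "itwebsec", "rt"}
STOP_WORDS = {"the", "and", "of", "on", "at", "by", "was", "a", "to", "don't", "what"}
PUNCT = '"\'.,:;!?()'

def extract_titles(feed_xml):
    """The 'grep for title' step: the text of every <title> inside an <entry>."""
    root = ET.fromstring(feed_xml)
    return [entry.findtext(ATOM_NS + "title", "") for entry in root.iter(ATOM_NS + "entry")]

def tokenize(title):
    """Lower-cased word tokens; @handles and #hashtags are kept, URLs dropped."""
    words = []
    for raw in title.split():
        if raw.lower().startswith("http"):
            continue  # a URL token would otherwise dominate the cloud
        token = raw.strip(PUNCT).lower()
        if token:
            words.append(token)
    return words

def word_frequencies(titles):
    """Count tokens across all titles, minus the excluded and stop words."""
    counts = Counter()
    for title in titles:
        for token in tokenize(title):
            if token.lstrip("#") in EXCLUDED or token in STOP_WORDS:
                continue
            counts[token] += 1
    return counts

def top_handles(counts, n):
    """Top n names, chosen by the '@' in front, most frequent first."""
    handles = [(tok, c) for tok, c in counts.items() if tok.startswith("@")]
    handles.sort(key=lambda item: (-item[1], item[0]))
    return [tok for tok, _ in handles[:n]]

def most_retweeted(titles):
    """The most repeated 'RT @...' title and how often it appeared, or None."""
    retweets = Counter(t for t in titles if t.startswith("RT @"))
    if not retweets:
        return None
    return retweets.most_common(1)[0]

def cloud_sizes(counts, levels=5):
    """Map each word to a font level 1..levels, scaled between the min and max count."""
    if not counts:
        return {}
    lo, hi = min(counts.values()), max(counts.values())
    sizes = {}
    for word, c in counts.items():
        sizes[word] = 1 if hi == lo else 1 + round((c - lo) / (hi - lo) * (levels - 1))
    return sizes

if __name__ == "__main__":
    titles = extract_titles(SAMPLE_FEED)
    counts = word_frequencies(titles)
    print(len(counts), "different words")
    print("top names:", top_handles(counts, 3))
    print("most retweeted:", most_retweeted(titles))
    for word, size in sorted(cloud_sizes(counts).items(), key=lambda kv: -kv[1]):
        print(f"{size} {word}")
```

The size levels are what a cloud tool such as Wordle or TagCrowd derives from the counts; feeding the real feed in place of the constructed one only requires swapping the string passed to `extract_titles`.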

Thursday, May 5, 2011

Miscellaneous Ramblings - Irony, Security Summit etc

I've been doing a lot of thinking recently about the last year. I basically run my professional year from ITWeb Summit to ITWeb Summit and around this time I think back over the last year about what has changed and what is new.

I find that InfoSec is cyclical and this year is the unexciting one. Last year we were dealing with iPads and their ilk and Cloud and SaaS and all that good stuff was starting to hit us. This year - we are dealing with iPads and their ilk and Cloud and SaaS and all that good stuff is starting to hit us - again.

I'm still very much looking forward to the Summit, and I always leave with at least one very worthwhile thought that will determine my next year. The international speakers are the most worthwhile to see, as they bring a perspective that we, at the bottom of Africa, don't usually get. The Internet makes the World smaller, but seeing someone talk is so much more useful (powerful) than reading.

While looking through my blog list for some juicy nuggets for my talk I noticed two bits of irony that came through -

1. The DBIR was published with its first line mentioning how the hacker community seems to have gone more underground, with fewer big hacks in which large amounts of data are stolen. Boom, a couple of weeks later Sony is hit by just one such hack.
2. Brian Krebs publishes how it may be overkill, but it is a good idea to use a non-Windows system to do online banking, especially for small businesses, because there are no trojans aimed at these systems. His next post is all about how someone is developing a trojan crafting tool aimed at these systems.

My speech this year is finally completed (albeit in draft for now) and is a mostly updated speech that I presented 2 years ago at a smaller conference. It is still very relevant and I will enjoy presenting my insights to a larger audience.

Please look for my talk in the program and support me if you are attending.

I have committed to the organisers to post at least 1 blog post per day of the event and 1 to sum up what good stuff I got out of the conference so look out for these.

Btw, Brian Krebs is at Krebs On Security, the DBIR is at the Verizon Business Security Blog and, of course, ITWeb Security Summit 2011. Reporting on Sony's PlayStation Network hack is all over the Internet.