Friday, May 29, 2009

ITWeb Security Summit - Day 1 Keynote Reflections

Bruce Whitfield did an excellent job of chairing the morning sessions. He managed to gather enough knowledge to challenge the speakers and get the audience involved in the round table. His question about the $1 trillion to Greg Day will go down in history. Craig Rosewarne asked Bruce the question that was on the tip of my tongue too. Bruce, as a Business Radio Presenter, has access to all of the top C level executives in South Africa and we wanted to know just how much they were concerned about Information Security. His feelings were "not so much" but he would follow this up on air.

Phil Zimmermann did punt his new product, but leading on from that was an interesting talk about privacy. According to one of the delegates, South Africa is about to be flooded with video cameras, all with the latest and greatest facial recognition systems. The government will use the "combating crime" and "stopping terrorism" excuses to do the roll-out. While these are important in times of massive risk (such as the World Cup 2010), the equipment will stay. Phil is not from South Africa so he wasn't aware of the whole Mbeki, Zuma wiretapping tapdance, but his talk was largely about how VoIP is less secure than normal phones but, with encryption, can be more secure.

Jeremiah Grossman. Well.. a speech about how to hack free pizza.. what more can one say - amazing. I think the key takeaway from this speech is that technology is not everything. Hackers can use the technology in the correct way but exploit bad business plans. Jeremiah is very much at ease in front of a large audience and his speech was very polished, with a nice use of humor.

Greg Day made the fatal mistake of quoting the $1 trillion figure for how big cybercrime is. This is maybe what his keynote will be remembered for. But I think the key take-away from his speech is that trojans are so easy to compile and send out that signature anti-virus products are lagging. McAfee are trying to fix this by speeding up their signature system. They have also invested in an application white-listing product. Greg referred to this in passing but without going into details. I referred to the proliferation of trojans in my own speech, stating that the insider threat / outsider threat is no longer up for debate. The point is that hackers are in your internal network. It's a given. Now, what are you going to do?

ITWeb Security Summit - Reflections (Part 1)

The ITWeb Security Summit has come to a close and it was amazing.

Unfortunately, being stuck in South Africa, I really don't have anything to compare it to, but I thoroughly enjoyed the conference and am already looking forward to next year's event.

I highly recommend it to all business people, security professionals and technical security people.

(I was involved in the conference as a speaker but, really, honestly, truly, I would say this even if I wasn't involved.)

The only major criticism I have (as a speaker and delegate) is that the Management breakaway sessions were held in the main conference room which meant that you had a smaller number of people spread out in a large area which was rather dark. This meant that the speakers of the management stream were quite separated from their audience.

And, to nitpick - the breakfasts were not great. However, the lunches were amazing and the coffee was great.

Generally, everything moved well. The audio-visual systems worked fine. The microphones worked very well and the clicky things (to move slides) worked.

Registration was a breeze and the venue was perfect. (Aside from the Midrand early morning traffic, yuck!)

The speakers were very interesting, especially the ones from overseas and it was a treat to be able to understand what is happening elsewhere in the world.

Well done ITWeb!

Friday, May 22, 2009

Happy Birthday Important Blog Post

I just realised that it's been a year since I posted a blog post - Information-centric Security is Dead.

Ironically enough, next week I am presenting at a Security Summit on, well, Information-centric Security.

The article, I believe, is one of my most important ones. Information-centric security is not really dead. But it is a stepping stone. Read my last blog post and the one linked above together and you will see what I believe is the most exciting and important development in our industry, probably since firewalls.

If you aren't busy next week Tuesday then maybe come see me talk. It'll be fun, I'll make jokes. Promise.

NAC and DLP - let's break them and put them together again

[NAC and DLP can be so effective together, they just need to be trimmed down]

So, Art Coviello's company (RSA) arranges the biggest and certainly the most important Information Security conference. And so he gets to give the Keynote. But, to his credit he is either brilliant or has brilliant people around him because his keynote is always interesting, ground breaking even. I believe that RSA certainly has the best vision in terms of Security.

But enough of that... let's get back to the topic of this blog. (Btw, if anyone from RSA is reading this - contact me for my details to send whatever SWAG you have to give me for the above... cash is best ;)...

Coviello's main points (in my opinion) are that Security tools are point solutions and don't play nicely together. This needs to change and they need to be more open. Following that, they can then start to specialize.

I guess this is sort of what Check Point were trying to achieve with OPSEC. You have "smart machines" that understand policy.

Think - Firewall Policy server, Anti virus server, IPS. Traffic is sent to these machines and they work out what needs to happen to the traffic - allow, block, log, etc. This is communicated to a dumb device like a firewall node which just follows orders.

Coviello names the functions as follows:

  • Policy Management
  • Policy Decision points
  • Policy Enforcement
  • Policy Audit

So, assuming I am reading a file on how my company makes its secret widgets. I download the file from the server and the following information is available to the different systems around me:

  • My username
  • The time
  • My location by network
  • My location by GPS (not usually, but why not?)
  • My PC's latest patches and antivirus level (from NAC)
  • My PC's installed software
  • My PC's hardware (including USB devices)
  • Any IPS triggers

This information is in many separate databases that don't really interact but imagine if they did.

It would allow the system to make a decision to allow/block based on any of the above conditions or all of the above together. So, if I try to access a file from my desk but it is 1AM then maybe I am denied the file. If my antivirus is old then tough, no files are available.

Every piece of network equipment (including workstations and servers) can be a Policy Enforcement machine. Which means that if I try to access a file that I'm not supposed to then the server will block the connection, the switch will block it too and my laptop will block it too. This may be over-protection, but it may not be.

So, you may have a DLP server and a NAC server and a centrally controlled personal firewall policy but really the enforcement for all of these is "Allow" or "Block" and network switches can do that already. So, all your systems need to talk and when they all agree on "Allow" then the traffic flows.
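As an added illustration (not from the original post, and not any vendor's API), here is a toy policy decision point in Python that combines the attributes listed above into a single Allow/Block verdict, logs every decision for audit, and lets each enforcement point simply obey it; the field names, rule thresholds and device names are assumptions.

```python
from dataclasses import dataclass

# Constructed request context: the attributes the post says are available
# to the systems around the user (hypothetical field names).
@dataclass
class Context:
    username: str
    hour: int           # local hour, 0-23
    network: str        # e.g. "corp-lan" or "guest-wifi"
    av_age_days: int    # age of antivirus signatures, reported by NAC
    usb_storage: bool   # USB mass-storage device currently attached
    ips_triggers: int   # IPS alerts for this host in the last hour

# Policy Management: one place where the rules live. Each rule returns a
# reason string when it denies the request, or None when it is satisfied.
# Thresholds are illustrative, not from the post.
RULES = [
    lambda c: None if 7 <= c.hour < 19 else "outside business hours",
    lambda c: None if c.network == "corp-lan" else f"untrusted network {c.network}",
    lambda c: None if c.av_age_days <= 3 else "antivirus signatures stale",
    lambda c: None if not c.usb_storage else "USB storage attached",
    lambda c: None if c.ips_triggers == 0 else "recent IPS triggers",
]

# Policy Audit: every decision is recorded with its reasons.
AUDIT_LOG = []

# Policy Decision point: evaluates every rule against the context.
def decide(resource: str, ctx: Context):
    reasons = [r for r in (rule(ctx) for rule in RULES) if r]
    verdict = "Allow" if not reasons else "Block"
    AUDIT_LOG.append(f"{verdict} {ctx.username} -> {resource}: "
                     + (", ".join(reasons) or "all checks passed"))
    return verdict, reasons

# Policy Enforcement: each "dumb" device only asks the decision point and
# follows orders. Traffic flows only when every device agrees on "Allow".
ENFORCEMENT_POINTS = ("file-server", "access-switch", "laptop-firewall")

def enforce(resource: str, ctx: Context) -> bool:
    verdicts = {ep: decide(resource, ctx)[0] for ep in ENFORCEMENT_POINTS}
    return all(v == "Allow" for v in verdicts.values())

if __name__ == "__main__":
    ok = Context("alice", 10, "corp-lan", 1, False, 0)
    late = Context("alice", 1, "corp-lan", 1, False, 0)
    print(enforce("widgets.doc", ok), enforce("widgets.doc", late))
    print("\n".join(AUDIT_LOG))
```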

Exciting times ahead.

Monday, May 18, 2009

ITWeb Security Conference

[Our heroic writer gets interviewed by the Press and gets ready to knock some socks off at ITWeb Security Summit]

In the run-up to the ITWeb Security Summit, I have been interviewed about my Information-centric Security speech.

I'm looking forward to the conference. It will be the first time that I am presenting and I think that this year is going to be great. There are a lot of new technologies and concepts that are going to make this year exciting.

At work I have been working hard at planning my next year and I am very excited about that too.

There is some Information-centric Security in there but lots of other stuff. It is going to be a busy year.