Friday, May 20, 2011

ITWeb Security Summit - Wrap Up [Part One]

[Some good stuff from the conference]

I really wanted to write something longer but this will do for now. I just want to get something out there that is not a tag-cloud.

Stuxnet and Spy Wars
Patrick Gray from Risky Business Podcast and Tony Olivier both spoke about a world that we are only starting to understand now, where Governments are playing with Information and changing the world with their own Malware and hidden online activities. Stuxnet, Anonymous, and HBGary are all the catchwords that made each of these presentations fascinating. Richard Thieme continued and asked the big question - what side are you on? Tony urged the attendees to spread the word about what is happening, as it is the Information Security community that is best equipped to understand what the implications are. Very interesting stuff.

Online Auctions
Glenn Wilkinson did some interesting research into how online auctions can be gamed. It was very interesting and well done to him. However, I think he missed out on an important point which I would like to take further. On my way home on the first day, my head was buzzing thinking about this talk and it hit me while I was battling some traffic along Sandton Drive - our corporate information is on the Internet and is up for Auction. "Cyber-criminals" have an amount that they are willing to spend to get our information. Information Security is really just one big auction of information. APT was a term that was thrown around loosely at the conference but I think that Glenn's talk is the only talk where it wasn't mentioned (even in jest) and yet his talk would have had the best definition of APT - it is where Information Security and Cyber-Crime are locked in a "war of attrition".

Fig Leaves and Haroon's Hammer
Haroon Meer is a great talker and I enjoyed his Lessig-style presentation at the end of the conference. It was great that both of the closing talks had calls to action, which makes sense. I agree wholeheartedly with the problem that Haroon builds in his talk. One question he asked was along the lines of: Hands up all those here who are willing to put $1000 down on the table that they can protect their CEO's Information. No hands were raised. He then went through some excuses that InfoSec professionals use and ripped them apart. His one quote "Your management is one 0-day from the worst day of their lives" was re-tweeted across the world and was the most popular quote from the conference. The next bit was more important though - "... and they don't know it and you (Information Security Professionals) have a duty to inform them". The bit of the presentation that I didn't agree with was the answer that Haroon provided. Haroon is a researcher, so by the law of the instrument (or Maslow's Hammer) his answer is more research. I disagree. I believe that two things are necessary to get us out of where Haroon correctly paints us - 1. A fundamental change of the Internet and 2. a realisation that Information Security is rapidly becoming less and less about technology and more about Business. More technical research is also needed, but I think that it is not everything we need.

Strange Trends and New Networks
My talk was very heavily based on Information I pulled off the Internet from Blogs. If you are passionate about anything at all then you should be looking for Blogs about that subject, and Information Security is no exception - there are some amazing sources out there. The talk itself went off well and I had some very positive feedback from delegates as well as some comments, which are always appreciated and allow the conversation to be taken further. I started off my talk by saying that if I had all the answers I wouldn't be doing Information Security because I'd be bored. Due to time constraints, I did skip some parts of my talk that I would like to pick up in my Blog, so watch out for that soon.

And so...
Another amazing conference - one that was very worthwhile and I look forward to ITWeb Security Summit 2012.

Disclaimer - you may think that because I spoke at this conference, I am biased toward liking it. The opposite is true - because I am biased to liking it, I spoke at it.