Thanks to a draw run by the Greek Chapter of the ISACA, I got to attend the 3rd Athens International Forum on SecurITy (AIFS). This was the first time in years that I used a benefit offered by the Greek Chapter, which makes me regret that I had not taken more advantage of my membership previously. I guess I’ll have to make some time and fix this though.
AIFS – day 1
Since I did not pay for the event, I tried hard to attend most of the presentations and keep some notes on the talks that I liked. David Greer gave an interesting presentation on Security Strategies, the various definitions of Cyberspace (according to the point of view) and how in the cyberspace battlefield technology is an equalizer (in contrast to the kinetic / traditional warfare) covering everything from the Internet to powergrids to automated and interconnected devices that find their ways into our houses and then present a possible leverage for an attacker to use.
Spiros Liolis gave a fantastic and provocative presentation on how we people in the IT security sector are chasing a “chimera”: (1) no one is really in charge (2) there exists policy confusion (3) information classification is problematic (4) people think that technology will solve everything (5) BOFHs treat users like cattle and how you treat people bites back and (6) management is not really involved in the process. He also posed a very interesting question for those organizations that move on the “cloud”:
– Who audits the cloud?
Dr. Stefan Frei gave a presentation on the dynamics of (in)security. A presentation in which he analyzed over 30000 vulnerabilities reported in the CVE and in a way that makes one think “Why did not I think of that?”. Well as in all things it does not matter who thought of what and when, but who actually did something. And Stefan Frei did (and promised to continue doing) an extraordinary job. For example, ten years ago the top-10 vendors were responsible for half of the vulnerabilities. Today they are responsible for 20%. The insecurity gap can be more frightening. An exploit can be in the wild for 200 days (and more) prior to disclosure. I am looking forward to newer versions of this report to see how this trend evolves.
Lucas Cardholm gave a presentation on the cost benefit analysis of information security. This was accompanied by a whitepaper which I suppose will show up on the Ernst & Young web site sometime. For the impatient, a similar presentation describing the same methodology, and using high school math, is available here [pdf].
AIFS – day 2
George Simos talked about “All you need to know about ISO27001 in 30 minutes” and he managed to do it in less. One can spend
hours days talking about ISO27001. However in his 30 minute talk he managed to get the message through: ISO27001 is not a technical document, it is a management document. It is about Information and therefore above and beyond IT. When implementing it, one should be careful enough to implement only the controls that are needed and have repeated assessments which should produce comparable results.
George Raikos (from the ISACA Athens Chapter) gave a quick review of the newest set of standards from ISACA, the RiskIT (which is based on COBIT). A variation the given presentation is available here [ppt].
Joshua Leewarner gave a complete account of social engineering, why it works, the psychological factors used, how it works and examples of audits that he has performed that included social engineering, with and without the use of technology. From him I learned about PhishMe, a really interesting service if you want to “test drive” and educate your users.
Matthew Pemble talked about corporate and personal privacy on Facebook (and other social networking sites). Of particular interest to me was his reply to a question about the cost that is to a company an employee’s time on Facebook:
– I do not know; how much is the cost of a smoker employee versus a non smoker?
[ A friend faced a similar situation recently. His new CEO instructed that Facebook and Youtube be blocked and that he makes sure that the administrators actually do that. I told him that blocking sites does not lead to a productivity boost. People will find other ways to procrastinate, and what is even more funnier you will not know what they are and you will be forced to find out. ]
Matthew also pointed out that from a company perspective an employee’s Facebook activity might be relatively harmless (and therefore preferred) when compared to P2P, surfing porn, etc.
I think Daniel J Blander gave one of the best two speeches that I attended. He is one of the few speakers in IT that I have heard that clearly know the difference between the social network and the social network platform. IT people tend to think they are the same, because they did not think of networking much before the rise of the platforms. Which, at least for Greece, is weird given that “meso” and “vysma” describe getting stuff done, exactly because you know a key person or someone who knows a key person. Some advice that came out of this presentation is that you should join, use and understand social networks and platforms. The “instant” distribution of the medium should always be in your mind, plus the fact that the network never forgets. As an example he mentioned that one of the oldest posts that he had made still lives on and it was about firewalls. Indeed.
Was it worth it?
I have to admit that had I not been lucky in the draw, it would have been difficult for me to attend. I am satisfied that I attended though and now I am looking forward to the next AIFS. I regret that I did not sit around during the breaks and lunches, but work was withing walking distance and there was stuff that needed attendance.
What I did not like: I was really surprised that no one in the Security Metrics session mentioned the securitymetrics mailing list or the LinkedIn group. I was also surprised that one of the speakers recommended COPS and SATAN. Today? Only three people in the audience knew about Koobface. People doing security policies and processes need not be so detached from the “running code” reality. Your work translates to running code too.
Presenters who exceeded their time slot. If you wonder why the best presenters are always in time, it is easy: They are the best because they do not lose track of time. Rehearse your presentation. Think when you are in the audience: How long can you stay focused on a presentation? That long is how your presentation must last, for there is nothing that guarantees you that you are a better and captivating speaker. If you plan on saying that 70%-80% of the breaches come from insiders, please cite raw data and not another analyst’s report. If you plan to join the crowd that devotes a slide or two on the Russia vs. Georgia cyberwar, please find something new or a novel way to say what we already know. If your presentation is a survey (you know when it is) try to have at least one slide with something new. Do not spend half of your time-slot telling the audience of your past achievements. If you are that good either we know you already or we will look you up thanks to the amazing presentation that you will give (you did not).
Did I learn anything with regards to security? Depending on who asks the question I am tempted to answer no. However this was neither a trade show, nor an academic conference (which I like most because of either running code and/or theory). Did I learn useful things about my job? Of course I did! When trying to persuade management about an investment, do not talk about the cost of failure (for they will risk running with the legacy or unpatched system). Tell them instead about the cost of success. Executives love four color slides and “traffic light” coloring (green, amber, red) when identifying risk. You have to learn to place correctly the question. You are allowed to do guestimates on numbers, because that is what the other departments do too. Always try to show the positives when seeking for budget. Identify all the stakeholders and get them on your side. Learn to use Annex A of ISO27001. And a whole lot of details that connected “dots” in my mind (“ah, so that’s how it is done” flashes).
It becomes clear to me that security people need to read about Cybernetics. And emergence. Yes, that includes you the system administrator too. You too have to understand the dynamics of the organization you work for, not just the network. Awareness training was preached around, but I’ve established before why I believe it does not work. If you do not like to pay for the ISO27001, use the ISF standards.
I am changing my mindset on how I am thinking about these things and AIFS helped a lot (that or I am getting older). Do not forget: Conferences are about networking and exchange of ideas and I missed the “hallway track”.
That being said, I look forward to AIFS 2011.
PS: Angelos thanks for the coffee.