report on AIFS

Thanks to a draw run by the Greek Chapter of the ISACA, I got to attend the 3rd Athens International Forum on SecurITy (AIFS). This was the first time in years that I used a benefit offered by the Greek Chapter, which makes me regret that I had not taken more advantage of my membership previously. I guess I’ll have to make some time and fix this though.

AIFS – day 1

Since I did not pay for the event, I tried hard to attend most of the presentations and keep some notes on the talks that I liked. David Greer gave an interesting presentation on Security Strategies, the various definitions of Cyberspace (according to the point of view) and how in the cyberspace battlefield technology is an equalizer (in contrast to the kinetic / traditional warfare) covering everything from the Internet to powergrids to automated and interconnected devices that find their ways into our houses and then present a possible leverage for an attacker to use.

Spiros Liolis gave a fantastic and provocative presentation on how we people in the IT security sector are chasing a “chimera”: (1) no one is really in charge (2) there exists policy confusion (3) information classification is problematic (4) people think that technology will solve everything (5) BOFHs treat users like cattle and how you treat people bites back and (6) management is not really involved in the process. He also posed a very interesting question for those organizations that move on the “cloud”:

– Who audits the cloud?

Dr. Stefan Frei gave a presentation on the dynamics of (in)security. A presentation in which he analyzed over 30000 vulnerabilities reported in the CVE and in a way that makes one think “Why did not I think of that?”. Well as in all things it does not matter who thought of what and when, but who actually did something. And Stefan Frei did (and promised to continue doing) an extraordinary job. For example, ten years ago the top-10 vendors were responsible for half of the vulnerabilities. Today they are responsible for 20%. The insecurity gap can be more frightening. An exploit can be in the wild for 200 days (and more) prior to disclosure. I am looking forward to newer versions of this report to see how this trend evolves.

Lucas Cardholm gave a presentation on the cost benefit analysis of information security. This was accompanied by a whitepaper which I suppose will show up on the Ernst & Young web site sometime. For the impatient, a similar presentation describing the same methodology, and using high school math, is available here [pdf].

AIFS – day 2

George Simos talked about “All you need to know about ISO27001 in 30 minutes” and he managed to do it in less. One can spend hours days talking about ISO27001. However in his 30 minute talk he managed to get the message through: ISO27001 is not a technical document, it is a management document. It is about Information and therefore above and beyond IT. When implementing it, one should be careful enough to implement only the controls that are needed and have repeated assessments which should produce comparable results.

George Raikos (from the ISACA Athens Chapter) gave a quick review of the newest set of standards from ISACA, the RiskIT (which is based on COBIT). A variation the given presentation is available here [ppt].

Joshua Leewarner gave a complete account of social engineering, why it works, the psychological factors used, how it works and examples of audits that he has performed that included social engineering, with and without the use of technology. From him I learned about PhishMe, a really interesting service if you want to “test drive” and educate your users.

Matthew Pemble talked about corporate and personal privacy on Facebook (and other social networking sites). Of particular interest to me was his reply to a question about the cost that is to a company an employee’s time on Facebook:

– I do not know; how much is the cost of a smoker employee versus a non smoker?

[ A friend faced a similar situation recently. His new CEO instructed that Facebook and Youtube be blocked and that he makes sure that the administrators actually do that. I told him that blocking sites does not lead to a productivity boost. People will find other ways to procrastinate, and what is even more funnier you will not know what they are and you will be forced to find out. ]

Matthew also pointed out that from a company perspective an employee’s Facebook activity might be relatively harmless (and therefore preferred) when compared to P2P, surfing porn, etc.

I think Daniel J Blander gave one of the best two speeches that I attended. He is one of the few speakers in IT that I have heard that clearly know the difference between the social network and the social network platform. IT people tend to think they are the same, because they did not think of networking much before the rise of the platforms. Which, at least for Greece, is weird given that “meso” and “vysma” describe getting stuff done, exactly because you know a key person or someone who knows a key person. Some advice that came out of this presentation is that you should join, use and understand social networks and platforms. The “instant” distribution of the medium should always be in your mind, plus the fact that the network never forgets. As an example he mentioned that one of the oldest posts that he had made still lives on and it was about firewalls. Indeed.

Was it worth it?

I have to admit that had I not been lucky in the draw, it would have been difficult for me to attend. I am satisfied that I attended though and now I am looking forward to the next AIFS. I regret that I did not sit around during the breaks and lunches, but work was withing walking distance and there was stuff that needed attendance.

What I did not like: I was really surprised that no one in the Security Metrics session mentioned the securitymetrics mailing list or the LinkedIn group. I was also surprised that one of the speakers recommended COPS and SATAN. Today? Only three people in the audience knew about Koobface. People doing security policies and processes need not be so detached from the “running code” reality. Your work translates to running code too.

Presenters who exceeded their time slot. If you wonder why the best presenters are always in time, it is easy: They are the best because they do not lose track of time. Rehearse your presentation. Think when you are in the audience: How long can you stay focused on a presentation? That long is how your presentation must last, for there is nothing that guarantees you that you are a better and captivating speaker. If you plan on saying that 70%-80% of the breaches come from insiders, please cite raw data and not another analyst’s report. If you plan to join the crowd that devotes a slide or two on the Russia vs. Georgia cyberwar, please find something new or a novel way to say what we already know. If your presentation is a survey (you know when it is) try to have at least one slide with something new. Do not spend half of your time-slot telling the audience of your past achievements. If you are that good either we know you already or we will look you up thanks to the amazing presentation that you will give (you did not).

Did I learn anything with regards to security? Depending on who asks the question I am tempted to answer no. However this was neither a trade show, nor an academic conference (which I like most because of either running code and/or theory). Did I learn useful things about my job? Of course I did! When trying to persuade management about an investment, do not talk about the cost of failure (for they will risk running with the legacy or unpatched system). Tell them instead about the cost of success. Executives love four color slides and “traffic light” coloring (green, amber, red) when identifying risk. You have to learn to place correctly the question. You are allowed to do guestimates on numbers, because that is what the other departments do too. Always try to show the positives when seeking for budget. Identify all the stakeholders and get them on your side. Learn to use Annex A of ISO27001. And a whole lot of details that connected “dots” in my mind (“ah, so that’s how it is done” flashes).

It becomes clear to me that security people need to read about Cybernetics. And emergence. Yes, that includes you the system administrator too. You too have to understand the dynamics of the organization you work for, not just the network. Awareness training was preached around, but I’ve established before why I believe it does not work. If you do not like to pay for the ISO27001, use the ISF standards.

I am changing my mindset on how I am thinking about these things and AIFS helped a lot (that or I am getting older). Do not forget: Conferences are about networking and exchange of ideas and I missed the “hallway track”.

That being said, I look forward to AIFS 2011.

PS: Angelos thanks for the coffee.

9 thoughts on “report on AIFS

  1. People in such conferences (which IMNSHO are tradeshows) always preach about ISO27001 and how everyone should have it or at least implement it even without getting certified. However it is not a panacea and especially nowadays that it has nearly become a commodity, pretty much like ISO9001 (and I’m mostly talking about Greece).

    1. ISO27001 a commodity? According to a presentation only 20 organizations were certified in Greece in 2008. IMHO AIFS was not a trade show in the sense that no one tried to “sell” his company’s products or services via the presentations.

      BTW, I think everything has its place, but the practitioners of every something try overemphasize its importance.

  2. I’m pushing over the auditor’s tag and will talk as an external observer (I’m an external auditor and am not biased in any way).

    Commodity is something that is “nice to have”, ISO 9001 is mandatory for Greek businesses if they want to participate in public tenders of the Greek State and this is a reason that made it so popular, but there is a great amount of certified businesses that understood it’s real power as an Improvement Tool and continuous Evolution.

    This is why it became a widely adopted standard (i can’t say commodity because it’s not the proper word), however for 27001 this is not the case, it is a management system that can be adapted to any organization but needs commitment and resources, it is not easily certified but if it is adopted (even in specific business sectors of an organization) then this is a great step forward and when the organization is ready then the certification should be easy, you have to understand the purpose of it first and then decide if and how you’ll implement it.

    I was speaking with Daniel Blander for about half of an hour, great person and great opinions! George Raikos also is a great person, both of them are truly professionals.

    I like Kevin Henry’s keynote speech, he was the kind of speakers that magnetize their audience.

    1. Thank you for your comment! IIRC, it was 3 organizations in 2006, 5 in 2007 and 20 in 2008. Do you have any data for 2009?

      Unfortunately, I did not get to attend Kevin Henry’s speech.

      1. Actually 4 organizations in 2004.

        George Simos, this was the case a couple of years ago. Nowadays some public tenders will give you points for having 27001. As a result, consulting companies that massively implement 9001 projects also undertake 27001 projects in a similar way, thinking that if you have 9001 it does not require much effort to get 27001 and of course passing the same idea to their clients. Also I think that ELOT can provide ISO 27001 certifications so things will become easier eventually (if not already, I think you know what I mean).

        In total I can’t agree more with what you say, but I’m afraid things will change sooner or later, esp. in Greece.

        1. I’m keen to see the amount of Certifications for the next years also the recertifications and annual subsequent audits.
          Just for the record, ISO Standards are sharing a common base, that means that if you have ISO 9001 in place in your organization then some clauses of another standard will be covered from it, this is not bad at all it is preferrable and the ISO organization made the standards this way in order to offload and streamline the adoption of subsequent standards.

  3. Thanks for digging up another one of my old mail-list messages! :-)

    It was a pleasure to speak there, and the greatest reward is knowing that people enjoyed it, and it was useful for them.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s