This week I attended ETCSS 2010 on October 19 - 20 here in Knoxville. This was my first visit to this conference and differs significantly from the "training" conferences I usually attend. I heard a lot of different people talk about Info/Cyber Security with some conflicting points of view. Overall I would say the conference is well worth attending but don't expect a lot of technical information or demonstrations. Two of the elements that were quite exceptional were the mock court exercise where a real world case was on display with the defense attorney luring the prosecution into stating how much they relied on MD5 hashing and then demonstrating an MD5 collision. That was quite a cool moment and Craig Ball, the mock defense attorney, really did a great job.
I also really enjoyed hearing Dr. Ron Ross from NIST discuss Enterprise Architecture and "Defense in Breadth." Dr. Ross spoke well of the problems that some companies view as small "chinks in the armor" which are really more like "hey you forgot to put your pants on." As an example of this I will interject a personal recollection. I observed the following security posture sometime in the past. The organization fanatically wanted to protect their intellectual property and spared no, almost anyway, expense to do it. Some of their protective measures included Whitelisiting the Internet, reviewing EVERY email that left their domain, knowing EVERY document that was printed, and doing a great job of preventing unauthorized USB drives from being present on their systems. In contrast the same place used WEP for their wireless infrastructure, not the guest network either, one of the whitelisted sites was Facebook, and had the wireless had virtually no separation from their wired network. There was also zero separation of the network internally, once you had an IP address on the inside you could roam anywhere and no one would really know. They viewed the WEP problem as too expensive to overcome in the near future and an acceptable risk. As an attacker I would view this organization as having zero obstacles for me to overcome in order to get inside their network. Defense in Breadth would seek to teach organizations like this that cyber security is almost becoming an all or nothing. You either do it all and do it well or just don't try. I know this sounds like gloom and doom but with the proliferation of attack vectors and the automation of many exploits it's becoming really easy to circumvent protections that may have slowed down an attacker in the past. Kudos to Dr. Ross and NIST for pointing this out.
At the end of each day there was an expert panel that would field questions from the audience. The knowledge and skills of the panel members led to great advice on procedure and policy for your enterprise but they were unable to field a couple of technical questions from the audience. I thought that was funny since it appears that more and more the people in charge of cyber security were not ever in the trenches. A friend of mine in the industry, who was not at the conference, told me a couple of weeks ago that infosec has been overrun with parrots and talking heads that "retweet" what they hear or read sometimes without understanding what things mean. I certainly don't mean to imply that there is zero value for administrative/policy oriented folks, just there there needs to be a better balance in some cases. For example I once obseerved an organization where there were approximately 15 infosec people and 70% of them had zero technical background or ability. The technical people often had 2-3 different project managers trying to get info from them so the non-technical group could turn out status reports and updates that were relevant. It may have been more efficient to allow the technical folks to manage their own projects and time in addition to increasing the number of technical people. Perhaps there was some cost benefit in the model that was present however the security posture of the organization had suffered in the past because of it.
There were two talks on insider threats that were good. This is a serious problem that is not getting enough attention. I am definitely becoming a fan of the zero trust model where every node is a suspect. Unfortunately, some folks are viewing this as offensive and think the users of your network will have their feelings hurt but we need to get over that. First, it's not that you think they are all evil just that mistakes happen. Second, they are all evil or at least susceptible to coercion for a large some of money or perhaps extortion to protect their own interests. Either way you are just taking that responsibility away from the endpoint or user and providing the right environment which will reduce the insider threat.
Lastly, I saw a presentation that was a teaser for taking the SANS SEC 542 web application testing class that was more along the lines of demonstration and "how-to." That looks like a good course and, if I can, is definitely the next certification I would like to get. this talk talked about what web app vulnerabilities are common, what tools can identify them, and what can be done to mitigate or remediate these issues. For a one hour talk it gave quite a bit of insight and demonstration. Good job Jim Purcell!
Like I said earlier, overall the conference is good, well attended, and well organized. None of the talks were "bad", just stuff that wasn't new or that we have all heard a few times in the past. As always, a conference is a great place to meet people that are in your industry and build your social network to learn what may be working and not working in certain areas. I think I would like to a see a conference were people talk about what didn't work for them. Probably no one would be willing to talk about their organization like that but it would be cool to hear the honest side. It would be extra cool if people would say "we tried (insert product name) or (some architecture) scheme and it totally sucked, hackers ate our lunch for two weeks while we tried to fix it." Then they could detail how it was fixed.
I bring this up because I recently heard some decision makers saying "Well there are a lot more vulnerable targets than us, maybe the hackers will just leave us alone." This is typically in response to an audit finding or a vulnerability that was successfully exploited during a penetration test that isn't cheaply and easily fixed. I have also heard from cyber security "professionals" in the past but that is typically a response from a non-technical person.
Don't let your business be part of the bait ball.