William Shatner beamed down to the Keynote session and sang (sort of) a really bad version of “Lucy In The Sky With Diamonds”. Then, mercifully, he left.
Art Coviello, the Executive Chairman of RSA, gave the keynote speech, spending a lot of time discussing hacking, trust and morality. With a lot of quoting of President Kennedy, he called on governments everywhere to renounce Cyber Weapons, Cooperate on International investigations and prosecutions of cyber criminals, ensure Internet Economics are “unfettered” and IP Rights are protected, and ensure privacy of Citizens. A call to action, so to speak.
Scott Charney of Microsoft then reinforced this by suggesting that one of the reasons Security is such a tough field to work in is that there are no “norms” around acceptable internet/security use. He called for the equivalent of the Geneva Convention, or the Hippocratic Oath, for the Government and other practitioners – to establish a “sense of proportionality”.
Nawaf Bitar from Juniper Networks then followed, urging all to “Be Truly Outraged” (“Liking a Cause on Facebook is not outrage”). He insisted that we are complicit in the apathy around how governments, industry and users are allowing the Internet to be handled. He urged us to take an Active defence to disrupt the economics of hacking.
Lastly, there was a cryptographer’s panel. Four really really smart guys discussing the past, present and future of Cryptography. Nothing new here, I didn’t think. Of course, my ability to actually understand what was discussed was proportional to how far I could collectively throw the panel.
Overall, an interesting morning. The afternoon got better.
In a session titled “Securing the Big Data Ecosystem”, we were urged to take an IKEA model of security – Identify “sick” assets, Keep adequate records of asset problems, Evaluate assets daily, and Adapt until we see noted improvements. Essentially, in big data, we will have too many things to take care of at once, so a high-touch approach is not scalable or practical. Instead, we should look for areas of leaks, tampering or loss events in “data lakes”, and focus on that until things improve, or we “kill it”. We will need a lot of Intelligence Analysis to do this (good thing OSU does this well!). The analogy was to treat the assets like “Cows, not Pets”. hmmm…
In a session titled “Measuring Change in Human Behavior”, Lance Spitzner from SANS reminded us that we should focus on a few key behaviors we want to change, instead of boiling the metrics ocean, and our training/awareness efforts should be measurable, repeatable and actionable. securingthehuman.org/resources/metrics is a place to start. Yup.
Then there was a panel discussing “How to Sleep Soundly with your data in the Cloud”. In short, they suggested we “bring our own security to the cloud”. Okay…. not helping me sleep soundly, guys. The elephant in the room was named as “okay, so you get comfortable with your cloud vendor – but what about the vendors THEY use?” Frankly, I’ve already lost enough sleep to worry about that right now!
To take away something more personal, I attended the session titled “Monitoring and Filtering your Child’s Web Use”. Comforting to know (not) that kids today have so many connections to the Internet that there is no real effective way to monitor kids’ use unless you’re a highly techy security geek who applies work controls to your own house (who would do that!!). The ethics of monitoring kids’ use to this degree were not discussed. Oh, and there isn’t much out there to review Chat and Peer-to-peer sessions (one lady suggested using a keystroke logger). The session should have been titled “There are no Parental Controls”.
Running from session to session is starting to make my head hurt. But, there are useful snippets in each session to make it worth it. Hard to believe it’s only Tuesday….