Will this conference never end??? Actually, although my brain is almost at saturation point, it was quite an enjoyable day.
My first session was titled “Public Cloud Security: Surviving in a Hostile MultiTenant Environment”. Certainly not for the faint of Security heart. The presenter (an architect from Microsoft Azure), defined 3 computing eras: mainframe, client/server, and mobile/cloud. Obviously, we are in the relatively early stages of the 3rd phase. The number one concern of IT leaders related to cloud is, not surprisingly, Security.
The Cloud Security Alliance has defined the “notorious nine” security concerns about the cloud. You can read more at https://cloudsecurityalliance.org/research/top-threats. Here’s the main thing about cloud: in order to be scalable, cloud vendors have to architect their systems in a very homogeneous way – same hardware, same o/s, same hypervisor, etc. This introduces a LOT of concentration risk (if you have one vulnerability, you have LOTS of them). It also means that you cannot assume that you can trust the hardware/software of the providers, and that attackers are anonymous and diverse. So, the session focused on what can be done, both by providers and customers, to mitigate these risks. I won’t focus on these mitigants now, but here’s the thing: IT groups (and security) have made assumptions that off-premises cloud providers are inherently less secure than on-premises in house architecture – but are they really??
The second session blew my mind. It was a presentation titled “practical attacks against MDM solutions”. In this session, the presenter did a live demo of how to hack an iPhone, how to hack a Container solution on that iPhone, and how to hack an Android. In each case, he was able to hack the phones in about 3 minutes, and gather so-called encrypted email, and to take control of the microphone and camera of the iphone. All with publicly available commercial software. Guess what, they’re cloud services, known as TaaS: Trojans as a Service. Now, in all cases the phone had to be infected via a Phish in order to get the software installed, but he wouldn’t eliminate the possibility that the malware could be inserted remotely, either. There are not commercially viable solutions available to prevent these kind of attacks – we’re dependent on PEOPLE to NOT respond to a Phish. You know those QR codes used by companies to so easily direct you to their website?? Be careful with those…
So I stumbled from that session to a session about implementing security in Agile/Scrum software development practices. There were some key takeaways from this session, mostly to do with having a Secure code baseline, doing dynamic testing, and training developers how to hack their own code. To be honest I would have paid more attention if I wasn’t concerned that someone was hijacking my iphone camera…
I then went to a session called “Privacy Reboot”. Here’s the nickel tour: Privacy is not dead (if it is dead, think of it like a cat who has not yet exhausted all nine lives), it is simply being reworked and has not yet stabilized in the latest technology environment (aka Social Media).
Now, I know that at this point you are feeling sorry for me for having to sit through all this stuff… so I will remind you that I spent lunchtime sitting in the SUN (I couldn’t resist rubbing that in).
The keynotes seem to be getting (mostly) better as the week progresses. This afternoon, we started with Peter Sims who has written a book called “Little Bets”. This is a book about innovation (not security) and about how we should take lots of small, low risk actions rather than waiting for a Big Bang success. Beethoven did it, Pixar did it, and even comedians do it. We have to allow for, and be comfortable with, failure – to go “from suck to non-suck”. At Pixar, they avoid the HIPPO effect (the Highest Paid Person’s Opinion counts) by implementing “Plussing”. That is, you don’t immediately dismiss an idea, instead, you say “Yes, and…” and then “what, if..”? I know, that is as clear as mud. Get the book.
Two VPs (one was a woman even!!) from Cisco then did a presentation about the “Internet of Things” (IoT – see my post about your fridge attacking you for more info on this). Here’s the gist of the presentation – all these “things” are now internet-connected, and internet-aware. This connects people, process and data in new and interesting ways (think of how enStar works in your car, for example). The IoT will PERSONALIZE the internet. So, for Security, we need to get visibility to all these devices and networks and data and identities, we need to have realtime threat analysis, and we need the ability to act on that analysis in realtime. Not surprisingly, the industry is a bit short on talent right now… They also suggested that we have to ASSUME COMPROMISE, and have things PROVE THEY ARE TRUSTWORTHY.
Kevin Mandia, of Mandiant-the-chinese-are-attacking-us fame, presented his 2014 report. In summary:
– There are no risks or repercussions to cyber-actors
– Future conflicts will have a cyber component
– Cyber-actors target people as an attack surface – this makes Security a decentralized problem
– The “theatre of war” is asymmetrical – offense develops faster than defense, and defenders have to defend EVERYTHING
– Cyber crime is the only crime where the victim has to apologize for being a victim
– The risk of disclosure of a breach is very high (more than the risk of the breach itself)
– Security awareness erodes in an organization over time after a breach (“vigilance fatigue”) and the bad guys adjust
– The goal of Security, then, is to eliminate the impact of a breach, and shorten the time from alert to when it is fixed.
Phew!
Lastly, Scott Harrison did a fabulous presentation on the creation of Charity: Water. He is not a Security dude, he runs this non-profit with a goal of getting clean water to world-wide communites. More explicitly, to get access to clean water to 100 million people in the next 10 years. Did you know that for every $1 spent on clean water, it returns $4 to $12 in economic benefit? You can check it out at charitywater.org – really really amazing stuff.
Tomorrow is the last day of the conference. I hope there isn’t anything else new to scare me.