InfoSecurity Conference 2005

Notes from the show.

I was lucky enough to be able to attend the InfoSecurity Conference yesterday at New York's Jacob Javits Center. Like most conferences/trade shows, the physical presence of vendors is really, well, lighter than you'd like. I remember attending PC Expo at Javits in years past. At the time, PC Expo would take over all of the Convention Center - just a massive amount of space. It would be worth spending one entire day, or more, at the show. However, now, you get confusing situations like the one I walked in on:

[Image: New York Shoe Expo sign]

The first thing I saw upon entering the Conference Hall were large signs welcoming people to the New York Shoe Expo. "OK", I thought, "where did they stash InfoSecurity?" In the other large portion of the hall, I found "TREX", a retail trade show (The "R" is for "Retail"!). So, to make ends meet, Javits has to fill all of their space when possible. Yesterday, that meant 4 separate shows at the same time! I finally found InfoSecurity, got my badge, and made my way in.

Once again, like many trade shows, there's not a lot being displayed that you haven't already heard about. I got to meet some people from SonicWall, whose firewalls I rely on. I also got some demos of their new SSL-based VPNs. I will admit that SSL VPNs are much higher on my radar now. Really impressive stuff. From there I wandered the relatively small floor looking for that dusty jewel that had the answers to all of my security issues. OK, I know nothing like that exists, but one can hope for a little something, right? Whenever I found something interesting, though, I was universally told that it would only run in a "Microsoft environment" - meaning Active Directory and Windows clients. No Mac support, and no Linux, either. If this was a banking expo, I could understand. However, this is a security event. Perhaps Microsoft needs the most help in that arena, sure, I'll give them that. But security is so multi-faceted, so complex and has the need to cover everything - otherwise you may as well cover nothing - that I can't trust a vendor that doesn't have a multi-platform strategy in place on some level.

One thing that makes security so difficult, and amazing, is that everyone has their own definitions. There were at least 4 different vendors extolling their "e-mail security products." To one vendor, that meant anti-virus. To another, that meant encryption. To another, that meant content filtering, and another might combine one or more of those with anti-spam.

Of course, the real draw for me was Bruce Schneier. Bruce, the security go-to guy, gave the lunchtime keynote. For the uninitiated, Bruce Schneier is a security expert who started out as an encryption expert, has authored several books, and now has a security consulting company, Counterpane Security. I also highly recommend that everyone sign up for his monthly e-mail newsletter, "Crypto-Gram", as it's always a great read. I took some notes during his talk and thought I'd share the high points. I also got to ask him about the Sony rootkit after his talk, which I'll get to later. Here are the main points from his talk:

What is creating the current security environment:

- The economic value of information - who is IT useful to?
  - Law enforcement.
  - Customer databases at companies.
- Networks as critical infrastructure - we haven't really thought of things this way before.
  - Information drives the infrastructure.
  - Important things now happen on the net (business transactions, etc.).
- Third parties controlling information
  - Most information about you is not controlled by you.
  - Amazon knows what you buy.
  - Phone records.
  - ChoicePoint.
  - Don't need a warrant for seizure of information (where you would if the individual was in control).
- Criminals thriving on the Internet
  - Once, it was hackers and hobbyists - now the problem is data theft and identity theft.
  - Not only individuals, but large, organized criminal rings.
  - Hackers can sell your data on the black market.
  - The motivation has changed - it's not for 15 minutes of fame for defacing a home page, but for money.
- Ever-increasing complexity
  - Complexity is the enemy of security.
  - Things are getting complex faster than security is keeping up.
- Slower patching and faster exploits
  - Problems used to pass via floppy disk; now issues pass quicker over the Internet.
  - Patching has been slowing down for reliability, but that brings a window of vulnerability.
  - Vulnerabilities exist in embedded systems that never get patched.
  - We tend never to see more than 2/3 of all systems on the Internet patched.
- Sophistication of automatic worms
  - This is thanks to criminals leading the charge.
  - Polymorphic worms/multimorphic worms - more stealthy, more avenues of attack.
  - Worms that target specific systems, use Google for reconnaissance.
  - "Your security depends on the security of my mother." (Our security depends on the security of naive users, which is not in our control.)
- Untrustworthiness of the endpoints
  - The assumption is that you can trust the endpoint, but that is less and less the case.
  - If you can't trust the endpoint, you can't trust authentication from that endpoint.
- The end user as the attacker
  - More and more security systems are being designed not to help the user, but against the user. Like the Sony rootkit.
  - Other systems can piggyback on hidden systems.
  - DMCA prevents anti-virus companies from protecting your computer.
- Regulatory pressure.
  - HIPAA, SarbOx, etc.
  - Depending on your industry, you are forced to do certain things, and not do others.
  - Typically brings up a company's security budget, but not necessarily for things that truly help - they exist to make auditors happy.

The overall picture is this:

- Things are getting more complex.
- Things are getting worse.
- The drivers for security are political, not technical.
- Security is about economics, not computer science.

Economics:

- Means trade-offs - all security is a trade-off.
- Security means costs, inconvenience.
- Security is a risk business. Technology security is a low risk/high cost event, making it difficult to put a dollar figure on, unlike traditional risk analysis (as used by an insurance company).
- Externalities
  - A decision made by someone other than the decision maker.
  - On the net, losses due to externalities don't affect the business, but their customers.
  - This affects how security gets implemented and used - it's a cost/benefit trade-off.

The solution is to convert the cost into an internal cost for the origin of the problem - like passing a law or allowing the victims to sue. Make the externalities costly, and make them internal.



How do we solve all of this?

- We need a "holistic approach to security"
  - Understand the security problem and the stakeholders.
  - Understand the trade-offs, both security and non-security trade-offs.
    - Typically, the non-security trade-offs are more important.
  - Align the economic incentives.
  - Implement countermeasures to reduce risk.
  - Iterate this process... "It'll be different in 6 months."
- Security is a process, not a product.
  - Not a technological process.

Of course, just reading the high points isn't the same as hearing Bruce speak about it, but it's worth a read. After my entry about the Sony rootkit, I exchanged e-mail with several people, one of whom said that having to educate end users was a losing battle. When I asked Bruce about his feelings on the issue, he had the same point of view, saying that "as long as the computer is more than an appliance we've failed." And I agree; however, that's not the reality we live in, so I piped up again asking how we deal with the current reality from a security standpoint. The answer? "We can't." I asked him how he dealt with his mother's computer. "I visit her once a month and clean all of the crap off of her machine." A losing battle indeed. I still feel that we must educate where we can.

It was a great Bruce Schneier talk. And overall, it was a good show. Certainly not one to go far out of your way for, but good to attend if you're already in the area. There were no real breakout solutions that I saw offered. There were the typical anti-virus and anti-spam products, of course. And there were a bevy of products that let you lock down Windows workstations. While they offered a little more granularity than what you get with Active Directory and group policy, I didn't feel that most admins would be willing to add that into the mix to add functionality to the capabilities they already had. Those products certainly aren't on my list of things to recommend. As you may know, I don't recommend that, in a business setting, end users run with any elevated privileges. One thing that will become much more important is security for mobile devices. And that's a super tough nut to crack, with the many different mobile platforms out there, plus the fact that end users will typically have their own devices.

If there's anything that I can hope for, it's that events like this just get people to think about security a bit more. And if those people are techs that then go educate others, then so be it. That's the reality of today, and we need to work within the framework of what is real, and take steps toward where we'd like to be. Looking forward to next year's event!