Thursday, April 26, 2007

Infosecurity Europe 2007 Day 2

I attended most of day 2. I did miss the Federated Security Implementation Forum because I had to run back home to take delivery of my new TV. Oh well, priorities right?

Here are the sessions I attended:

Session: A new solution to the problem of on-line identity theft
Speaker: Larry Hamid, CTO, MXI Security, A division of Memory Experts International
Audience: Mostly suits
Larry went through the typical things we all know criminals are after. Login details (including passwords), personal information, credit card numbers and so on. Essentially the things required for financial gain. He outlined the size of the problem (904 unique phishing attacks, 93% of all targeted attack were to home users) and the techniques used. Phishing emails, cousin domains (e.g., homographs (e.g., key loggers, session hijacks (e.g. man in the middle/browser attacks), web trojans (e.g. popups), hosts file poisoning, system re-configs (e.g. DNS server re-configs), pharming (e.g. DNS hijacking) and content injection phishing (e.g. web servers being compromised, cross site scripting, SQL injection). Some of the counter measures the industry uses to try to combat these threats are: risk based authentication (e.g. varying levels of access required for different actions or parts of a site), mutual authentication (e.g. a site telling you something about yourself to give you a level of confidence you're at the right place), hardware tokens, EVSSL, browser enhancements, Microsoft Cardspace and user education. Attacks are usually successful because it's difficult to distinguish real sites from fake ones and that users have to make too many trust decisions based on their own judgement. All this leads to the need for MXI Security's hardware device that does a lot of the work for the user. In essence, the device ensures that users cannot use sites unless the device knows about the site (via a pre-registered certificate I presume). There are also policies that can be set on the device to have it only selectively give up information about yourself on a site-by-site basis. The key here is that the device gives the user a way to mutually authenticate themselves with trusted sites before conducting transactions. Larry left the audience with the following final thoughts:
  • Security technologies must be portable, convenient, low cost, accessible to the consumer and only require simple upgrades to the web sites.
  • Hardware devices are not the end game, but MXI's device has set the bar pretty high.

My opinions:

  • I agree with the need for mutual authentication between users and sites. I've been sounding like a broken record over this issue of late.
  • I'm a little skeptical over how easy it really is to upgrade the web sites for use with MXI's device.
  • There's going to be a fair amount of overhead to maintain such a solution on both the user's part and the web sites. The biggest issue being the pre-registration process. Who's reponsible? What happens if something doesn't work? There's going to be plenty of finger pointing.
  • What about the legal issues? Who's responsible is something goes wrong? The consumer? The vendor? The owner of the web site?
  • Using such a device alone isn't the answer. It needs to be used in combination with other means of authentication. To put all your "keys" into a single device is very dangerous.
  • I like the ability to only give up selective pieces of personal information about yourself. This is actually one of Kim Cameron's laws of identity and makes perfect sense. Web sites need to learn that they don't need to know everything about users. They should only ask for what's required.

Session: Looking ahead: Business and compliance drivers behind role management's emerging importance in Identity Management
Speaker: Dave O'Brien, Courion Corporation
Audience: Mostly suits
Dave didn't say anything new for those familiar with the identity management space:
  • Roles are driven by compliance, internal audits and segregation of duties requirements. They are also a way of aligning business and resource management, allow for simplified access and that they also drive access policies. In other words, they are a focal point for entitlement management.
  • Some of the user access problems in identity management include: too much access, orphan accounts, sharing accounts. Roles help the business understand policies a little better and help make the identity management issues a little easier to deal with.
  • Organisation charts are not usually reflective of the way things run day-to-day in terms of operations and that multiple views of things like locations, business units and so forth can complicate roles.
  • Some obstacles:
    • Few applications have fine grained role management or authorisation models.
    • Lack of interest in role and identity management by lines of business.
    • IT complexity means role complexity.
    • A single business role typically maps to many IT roles.
  • Role creation is difficult to do manually. There needs to be a hybrid approach using both a top down and bottom up approach to the analysis around role definition.
  • Roles are becoming increasingly popular for managing user access policy.
  • Roles greatly enhance provisioning and compliance solutions.
  • The role management process should be automated.
My opinions:
  • Nothing ground breaking. It's all stuff we've all heard before and that anyone who has heard an identity management presentation would be able to recite back.
  • The title of the presentation begins with "Looking ahead". I'm not so sure this presentation does that. It just gives an overall picture with regards to some general and current role concepts.
  • The "Business and compliance drivers" part of the title didn't really get much air-time. The extent of the coverage was pretty much "yes, roles are important and it helps the business understand stuff and helps with audit and compliance". This doesn't tell me what the business and compliance drivers are. It just tells me that roles help to support the business functions. To be truthful about roles, most of the time business don't know why they need least from an IT perspective. It's usually some analyst or IT person that tells the business that they do because it will "streamline IT processes" or something to that effect.
  • The difficulty behind managing roles isn't so much what they are used for. It's how we figure out what they actually are when putting in an identity management or role based access control solution. That wasn't really covered. I'm not so sure anyone got much out of the presentation about role management's importance in identity management. All I got out of it was that roles are a difficult issue to deal with rather than why they are actually important. Role are important mainly because they make identity and access that much easier to implement and maintain. The main issue with roles has always been the difficulty in getting to the stage where the roles actually reflect reality. That's what the presentation should have dealt with. Perhaps Dave was a victim of the title of the presentation.
  • To really be true to the title of the presentation, it really should have been more focused on reporting, auditing, exactly how business use these to run their operations and how roles make it easier for IT and the business to meet these needs.
  • The presentation seemed to me like a standard identity management presentation with all the slides that had the word "role" on it and then got given the title so that the audience would think they were getting something other than a stock standard enterprise identity management presentation.

Session: Debate: Is network security dead?
Chair: John Riley, Managing Editor, Computer Weekly
Jason Creasey, Head of Research, ISF
Stuart Okin, Senior Executive, Accenture
John Reece, CEO, John Reece & Associates LLP
Paul Simmonds, Global Information Security Director, ICI
Audience: Mostly geeks
The debate went on for almost an hour with both sides putting up valid arguments. Instead of boring everyone with a transcript, what this debate boiled down to was whether you thought availability was part of security. If you did, then network security is not dead. If you didn't, then network security is dead. The main analogy everyone kept harping back to was the transport of bank notes. There is the payload (the money), protocol (transported using armored cars with guards) and the network (the highway or roads that are used). The "network security is dead" supporters talked about the fact that all the security is contained at the payload/data level. It's all about having a security protocol at the endpoints and having this wrapped in a secure transport mechanism in the process. Once done, the "network security is not dead" camp insisted that security needs to be in place on the roads (the network) to ensure its availability. If someone "blows up" the road, there goes the availability. Of course, there's other alternate routes to take if a path is blocked...but there still needs to be a level of network security to manage the risk effectively. Another point of contention was whether the Internet is actually secure. Most would agree that it's not, yet we transact over it everyday. Why? Because it's available. On the other hand, we still have firewalls and intrusion detection systems. Is this not network security? Can they be considered real security if they are there just "for show"? We still have network breaches and so forth. I won't go on as you can probably see the 2 sides to the argument and extrapolate the rest yourself. It comes down to QOS and availability. The main point is whether you think availability is inherently part of security.

My opinions:
  • The audience as I said were mostly geeks. In other words, network administrators made up a bulk of the audience. This is unavoidable in an information security conference in today's environment. In a few years, this will be vastly different as security moves up the application stack. More and more security professionals (such as myself) will not be network security pundits.
  • For those interested, the result was very much in favour of "network security is NOT dead". I voted for the losing side. As I said in my first point, I think this was because of the "biased" audience. They needed to believe it was not dead otherwise they would have to admit the fact that quite a few would be out of a job in the not too distant future if they don't start to focus on other security areas apart from the network.
  • Has anyone started to notice that most of the network vendors are starting to move up the stack? I've lost count of how many are adding content related technologies into their devices. Whether it's data, identity or some other variant, it's all about contextual network traffic and access controls based on content. No longer is everything based on packet headers.

Session: Reducing identity management costs during a period of rapid acquisitive growth
Speaker: Aaron Slater, Information Security Team Lead, Irish Life and Permanent
Audience: Mostly suits
Aaron was speaking as a guest of Passlogix. It was essentially a Passlogix customer presentation that outlined their experiences deploying the Single Sign On solution from Passlogix. Due to a few acquisitions, Irish Life and Permanent found themselves with a bunch of heterogeneous technologies and applications. They decided that they needed technology that could support multiple password policies, multiple login ID structures and that was also network efficient. The main project requirement was to enhance the user log on experience and as a result reduce complexity around having multiple log ons, passwords and password policies. It had to be invisible to end users, easy to learn and use and also require minimal training. Irish Permanent and Life defined "Single Sign On" as having automated one time log on, password change and error conditions. They also required support for legacy applications like the mainframe. They didn't see the need to synchronise passwords (as the provisioning solutions do) and they couldn't migrate everything to being web applications (apparently some vendors told them this was the only way). The short story is that they had an RFP process, which they got a short list from. They eventually went to the proof of concept stage with Passlogix and certainly didn't make it easy on them. Apparently, they had limited time, needed to integrate with Windows, web applications and the mainframe. The requirements were only given to Passlogix on-site. I won't give too much more away because I know that customers don't tend to like to have the minute details of their environments broadcasted to the crowd. Aaron finished by saying that the technology did what they wanted, although they had a few issues with some legacy applications which were poorly designed and were more difficult to integrate. There was one particular one which they put out of scope because it because too difficult. Aaron made it a point to note that it was not through a lack of functionality on Passlogix's part. Internally, he noted that there were a few issues with gaining support from the business and they also had to deal with a few last minute use case changes that they had to implement (Ian's note: Haven't we all had some experiences where the internal business became the biggest hurdle? It's actually quite common in my experience). Aaron also stressed the importance of getting the buy in from the development teams as they need to help with designing the solution for future changes and requirements. The most important outcome of the project was that they had happy users at the end of it. They got what they wanted with minimal pain on the users' part.

My opinions:
  • Nice to see a happy customer. A lot of the issues Aaron ran into are actually not unique to their situation. They are quite common in identity management project environments. Single Sign On projects actually tend to be quite successful because they don't have to "touch" as many least not at the deep technical integration level. Provisioning and access control systems on the other hand, that's another whole other story.
  • I'm not surprised that Irish Life and Permanent were happy. It's not like Passlogix would have invited an unhappy customer to speak on their behalf. That being said, these types of projects aren't always successful. There are the odd failures around and also technological challenges to be faced. On the whole however, Passlogix tend to have more happy customers than unhappy ones.
  • For those that don't know, anyone that buys IBM Tivoli Access Manager for Enterprise Single Sign On or Oracle Single Sign On, you're actually buying Passlogix's v-Go product.

Session: Guarding against data loss
Speaker: Greg Day, EMEA Security Analyst, McAfee
Audience: Mix of geeks and suits
Greg started off by giving a bunch of statistics about how important data loss is and the extent of the problem. Data loss in this case refers to breaches or stolen data usually by some internal means (some accidental, some malicious). He followed this up by outlining just how bad we all are about ensuring our data is safe and that 84% of UK companies place the data protection act as the number 1 compliance concern. Only half of the respondents to the survey expressed confidence in existing security measures to prevent data leakage. Add to this the fact that only a third of companies surveyed had a data usage policy in place and we get an idea of what a potentially huge problem this is going to be in the next few years. There are a few methods for data control:
  • Data policy
  • Encryption
  • Data leakage gateways
  • Endpoint controls
  • Digital rights management (DRM)
Data leakage gateways only monitor data at various point on the network and not where the users can actually get access to data (their desktops or laptops - essentially the endpoints). He also noted that DRM technologies only define who can use the data, not what can be done to it. To help define a data usage policy, we need to think about the following:
  • Where is the sensitive data?
  • Where are the boundaries (e.g. USB, printer)?
  • Are the users aware of the policy?
  • Not everything is "confidential". Beware the "cry wolf" syndrome.
End point data protection is the only real way to adequately monitor what is happening to your data. Data needs to be tagged, have policies applied to them (which are managed centrally) and a set of actions need to be defined with regards to responses to potential breach situations.

My opinions:
  • Data protection software solutions are a very new area of information security. The networking vendors were the first to jump on the opportunity by monitoring data at network nodes and gateways, but the market is only in its infancy. The very large vendors aren't yet in this space (e.g. IBM, Oracle, Microsoft). McAfee look to be getting into it, but I'm not too sure what type of capabilities their product has or how mature it is. I'm not even sure they have any customers. Even Symantec don't look to be in this space yet, although it does look to be something they should logically be looking into. There are a few smaller vendors around that do various things with data and from various angles each with their own focus on this market.
  • We're going to see much more about this in the next few years. We talk about identity and access management being driven by audit and compliance. You could argue that the data loss prevention/protection market has even more business drivers when it comes to audit and compliance. PCI, data protection act, privacy concerns etc. are all at the top of our minds and you can be sure this is also right at the top of the list of security concerns not just for CIOs, CISOs and information security professionals, but for CEOs as well. The string of very high profile cases in the press of late to do with data loss has a lot to do with it (TK Maxx being the highest profile one from 2006). The regulatory compliance measures being mandated to combat data loss and leakage simply serves as the compelling reason to act.

Session: Optimise your infrastructure: new strategies for securing online communications
Speaker: Joe Fisher, VP of Product Management, Tumbleweed
Audience: Mostly geeks
I must admit I wasn't paying much attention. The presentation was too technical to keep my interest and many audience members obviously thought so too because quite a few walked out. Joe spent the whole presentation talking about Tumbleweed's technology and infrastructure and how to put them in a component diagram when you have all these messaging solutions. I still don't really know what the technology does. Looks to just apply policies across the environment about who can do things to messages.

My opinions:
  • My eyes were open, but I think my brain was asleep.
  • The speaker was not a very good presenter. He couldn't even make the material seem interesting. All in all, not a very engaging or confident speaker.
  • Have to feel sorry for the guy somewhat though. In addition to his lack of presentation skills and boring slides, he had to also contend with people wanting to get to the next presentation in a different room immediately following his. What presentation you ask? Read on.

Session: The psychology of security
Speaker: Bruce Schneier
Audience: Absolutely everyone
Security guru, author and geek celebrity Bruce Schneier spoke about what he knows best. How people think and how it affects security. How someone feels about security is more important that the actual security measures in place, at least from a usability perspective. A person who doesn't think a site is secure will not use it, despite the fact it may be the most secure system in the world. The opposite is true too. A system may have no security measures in place but if a person thinks it is secure, they will use it. This is a huge problem according to Bruce. He also talked about security being a tradeoff and all about acceptable risk. We don't wear bulletproof vests daily right? At least not where we all live. This is because it's not worth the effort. If we lived in Iraq however, we'd probably have to. Aspects of this trade off include:
  • Severity of the risk.
  • Probability of the risk.
  • Cost magnitude.
  • Effectiveness of the countermeasure.
  • The trade off itself.
Bruce then delved into psychology and some studies as examples. On the whole, we are risk averse when it comes to gain and risky when it comes to loss. For example, given a sure gain of $500 and a 50% gain of $1000, we pick the sure gain of $500. But given the sure loss of $500 and the 50% loss of $1000, we pick the 50% loss of $1000. We're also affected by the size of implications and how they are phrased. Take for example an action that has a 50% probability that will save 200 out of 600 people against an action that has a 50% probability that 400 out of 600 will die. We pick the one which saves 200 out of 600 people...even thought both options mean exactly the same thing.

He then covered a few other heuristics (e.g. probability, availability, cost) that affect the way people make decisions using some very interesting and revealing examples. I won't bore you with more details because you can read up on them yourselves or even better, go to Bruce's site. He pointed the audience at a specific related essay and also encouraged those who hadn't done so to subscribe to his email newsletter or blog.

He concluded by reinforcing that "security theater" is a big problem. You feel secure when you're not and you feel insecure when you are. Irrational thought has a lot to do with it because when were afraid, we'll do anything to make it go away. He reminds us that we need to think about psychological effects when analysing security decisions.

My opinions:
  • Very entertaining. He lived up to his reputation and I actually learned some things from his presentation. That's all you ever want when you give up some of your time to listen to the speakers.
  • There was a huge queue outside the theatre waiting to get in. It was by far the longest queue for the whole event. The auditorium was full and included people having to stand up. The overflow area outside (where there was a video screen broadcasting the talk) was reportedly also very crowded because that was where people stood if they couldn't get in.
  • Bruce was gracious enough to thank everyone for queueing.
  • I was one of the last ones to get in...that includes all the people who had to stand. Except because I got in there so late, they gave me one of the front row seats reserved for the press. Guess that they figured any press weren't there by then, they weren't showing up. Lucky me.

Well, that was day 2. Again, it was a little bit longer than I anticipated. I even shortened the summaries on purpose. At least I can't be accused of being too brief...can I?

No comments: