I just came back from Secure 360 conference in Minneapolis, MN. First, I’d like to thank the organizers for inviting me to be a "featured" speaker at the event. Just as in 2008, the conference was well organized and well attended as well - pretty much all 9 (!) tracks.
Day 1 started from attending Rich Mogul’s talk called “Putting the Fun in Dysfunctional: How the Security Industry Really Works.” His main theme was in use in economics and psychology (all the way to Maslow diagram :-)) to do analyze what happens in security industry. Some bits that caught my attention follow below:
We as an industry spend MORE on anti-virus+firewall than on ALL other security safeguards combined (!).
Many organizations are “reactive, but not responsive.” Just as others, Rich also likes to remind people that incident response trumps most other things in important; you can choose to not deploy a DLP tool (for example, no offence to any DLP vendors in attendance :-)), but you WILL respond to an incident (even if your IR plan = panic :-))
We deal MUCH better with short term risks than long term risk (also see Schneier saying similar things here); the chain “Fear –> wired response -> buy product” seems all but unbreakable
Compliance realigns economic drivers: risk of audit > attack. It was funny that in his view organizations need to pay attention only to those laws and regulations where penalties are actually imminent.
On top of this, controls to outcomes are not tied!! I also consider this to be one of the horrible holes in security today!
One of the curious point that I’ve seen before from Securosis folks is that “making us better at security” does not sell security tools and practices; even if it is MUCH better than current. What sells is fear of threats – of either hacking or fines.
Finally, feel free to ask Rich what is "Porn and email theory of security" :-)
Next, Marcus Ranum gave a speech on software suckage (“Software as a Strategic Problem”) was thought-provoking (and somewhat argument-provoking too). The main idea was: BOTH COTS AND outsourced software development is wrong for super-sensitive government/national security uses (He gave an example of a rumored outsourced code running in a JDAM…) – agencies need to go back to hiring, retaining and utilizing in-house staff. In this view, that is the only way to avoid future “nation-busting” security issues.
He contrasted two approaches: “write the software to solve the problem - from scratch” vs “use very flexible COTS software + spend forever configuring and reconfiguring it.” He also called for such custom software to aim for “zero maintainability + zero administration” – which to me sounded unrealistic for most evolving uses of software…
Finally, Marcus was also visibly upset that US government didn’t backdoor Windows :-) - it seems like a missed opportunity for easy world domination…
Here is some fun coverage of Marcus’s speech and the usual Slashdot idiocy that followed. The key quote is: “If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate and commercial networks, enterprises and government agencies should stop relying on commercial [A.C. – whether COTS or contracted/outsourced] software and go back to writing more of their own custom code” (read the comments too)
I ended day 1 at Gal Shpantzer presentation on USB isolation. The key idea was: given that most PC’s are owned (sad, huh?), how do we still use them for sensitive application like banking? He reviewed approaches such as dedicated PC vs "bubble" approach vs bootable approach on USB.
Day 2 started from my very own presentation “PCI DSS-based Security: Is This For Real? Using PCI DSS as A Foundation for Your Security Program.” The slides are embedded below:
It went pretty well, despite containing the picture of the devil while in Midwest :-)
Possibly related notes: