SecureWorld Expo, Bellevue '06
While there was no stated central theme for the conference, the topics featured most prominently were regulatory compliance, holistic risk management, and the convergence of traditional, electronic, and information technology/information systems security.
Another personal takeaway, and a constant Information Security (IS) industry theme, is the feeling that the IS industry is behind the eight ball in the struggle against mountains of regulations, a growing and powerful cyber crime industry that appears to be winning the current battle, and the constant struggle to educate, get resources, and make the case for IS within organizations.
Opening Keynote: "Cyber Security; A View from Washington, D.C.", Paul Kurtz, Executive Director of Cyber Security Industry Alliance
Paul was a Washington, D.C. insider before moving to his executive director position. He specializes in IS public policy and does a lot of testifying in front of congressional committees as well as working on IS issues with counterparts in the European Union. His presentation on the state of affairs in D.C. and across the country did not provide any great feelings of protection or future assurance but he did offer a call to action for IS professionals and the industry.
In Kurtz's view, because of the rise in cybercrime and identity theft, local, state, national, and international governments are starting to get involved in IS. Thirty US states now have laws for handling security and privacy theft and breaches. The bad news is that our federal government is very much behind and uneducated in IS and does not yet understand it well.
- He presented part of the quote from Senator Ted Stevens, R-Alaska, which he said he heard on the Daily Show. The quote was Senator Stevens' attempt to describe the Internet in a June 28, 2006 speech about network neutrality. (Entire quote here) "Ten movies streaming across that, that internet, and what happens to your own personal internet? I just the other day got...an internet was sent by my staff at 10 o'clock in the morning on Friday, I got it yesterday. Why? [...] They want to deliver vast amounts of information over the Internet. And again, the Internet is not something you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material."
- There are jurisdictional battles, with congressional committees battling for ownership and no one committee addressing the issue (which actually may be a good thing in the long run, according to Mr. Kurtz)
- The federal government is taking an ad hoc response to security and privacy, as opposed to the EU, which is taking more of a holistic approach
- Different philosophical strategies exist. For example, in the US we have typically supported an opt-out approach (i.e., user data is collected by default) for the consumer, whereas in Europe it is more of an opt-in approach
- There are conflicting and redundant regulations which cause confusion and costs for businesses and organizations and distract industry from urgent issues
- There is no single driver for government action. Things like financial scandals, ID theft, counter terrorism, proactive state legislation, and increased awareness are all motivating government to act
- Regulations can level the playing field within sectors
- Create common standards across sectors
- Enable the gathering of statistics on IS issues
- Improve security (e.g., Sarbanes-Oxley)
As for the outlook for the foreseeable future, government involvement will produce:
- No federal data security bill this year. Too much other stuff going on in politics. Maybe next year.
- Continued ad hoc approach to the problem.
- Expect more government regulation
- Increased enforcement of information security via litigation
- Increased government regulations
Mr. Kurtz' call to action for IS professionals was to:
- Take a holistic approach to information assurance: confidentiality, integrity, and availability.
- Advocate for a holistic view in your industry
- Build security into your business and financial planning
- Adopt best practices (many of the standards and regulations have good practices)
- See security as a competitive differentiator
- Be vocal with government authorities. Get involved. Now is the time to effect positive change!
Session: "The New e-Business Venture: Organized Crime", Ernest Hayden, Enterprise Info Security, Port of Seattle
Mr. Hayden explained that he broke his back and was in a body cast at the beginning of the year (amazingly, he seemed to show no visible effect from that). Bed-ridden, he began intense research on a topic that interested him immensely: cyber crime. Evidently his presentation has become quite well regarded, and he has reviewed it with members of the CIA and other law enforcement agencies. Some highlights:
- Traditional crime is now taking advantage of the internet in a major way. In a sense our powerful information and commerce tool has become a weapon being used against us.
- Organized crime has embraced the internet in a major way, in many cases forcibly removing "old school" hackers from their space. They are also distributed and international, fueled in part by low unemployment and low enforcement in places like Eastern Europe and Africa.
- Extortion occurs more frequently than we think: "Pay us or we will hack/attack your site"
- It is estimated that to date there have been 62 billion dollars in cyber crime
- Organized cyber crime resembles traditional organized crime, but it is more anonymous and works virtually, using the net to communicate secretly about drop points, conduct online training and recruiting, etc.
- Phishing is expanding significantly and many people (especially seniors) are getting victimized
- Macs are not safe, despite what many say. They are just as insecure and also hold what cyber criminals want: your personal information
- The large on-line game sites are becoming targets. Criminals hack in and get personal information from the gamers and the game providers
- Botnets (software robots, or bots, which run autonomously and form a connected network of agents) are becoming increasingly harmful
- Cyber criminals are investing in research and development to develop their own spyware, etc. Now they are actively stealing the info, not just buying it from other hackers or criminals
- 69% of vulnerabilities come from web applications. This means they are attacking the desktop.
- A trend is that hackers hack into a network of a large company and then sell or rent access to that company to others to enable them to collect info, send spam, etc. There are even package subscriptions available! "You can have Starbucks, Microsoft, and AT&T this month for $29.95!"
Some interesting anecdotes that Mr. Hayden shared with us:
- Some hackers are selling patches for vulnerabilities they have found before the vulnerabilities are announced to the world and before companies like Microsoft have their patches ready
- "Skimmers" are devices that are readily available and fit on card swipe machines like ATMs and cash stations. These devices are not easily detectable and are able to store up to 750 card swipes in memory. Criminals then set up a camera and record users as they type in the numbers associated with their debit cards.
- "Computer Alchemy": Organized crime is getting increasingly sophisticated in how it uses stolen information. Based on real data in their databases they create new identities, acquire credit cards, etc., buy stuff, sell it, and then sell the identity and the cards.
Mr. Hayden says that organized crime is growing in its size and sophistication. He offers the following action items:
- Keep working on the classic security things: patches, layered security, etc
- Understand your threats well and communicate with your management
- Integrate security into your day to day activities. When attacked understand what happened and fix the process. Don't just remove the virus, etc.
- Engage peers and law enforcement
- Look at new products from a hacker's perspective
- Support legislation that goes after and prosecutes cyber crime
Data Leakage Sessions
There were several sessions that I attended on data leakage from organizations. These sessions covered everything from laptop theft to internal employees stealing corporate information. It was impressed upon the audience that the problem is getting worse because of the complexity of organizations today: outsourcing to vendors, vendors in other countries with different laws and norms, the proliferation of tiny devices and mobile computing, too much access/trust given to internal employees, telecommuting, etc. In addition, a lot of data leakage is innocent and unintentional.
Quote from one of the panelists that seemed to be verified by the other three: "The average large corporation has 10,000 data leaks per week".
One story: an employee at a financial company was taking credit card applications and at the last minute modifying the home address in the database to have the applications sent to the employee's home. They would then change the address back in the database so once they fraudulently filled out the application and got the credit card all the bills would go to the intended recipient.
Here were some of the general recommendations that I extracted from these sessions:
- Start from the top. It must be an edict and part of company culture to categorize, track, and control your data. If you don't start high and in big chunks, the task of understanding what and where your data is may never get completed. Generally data is: financial, intellectual property, company data, customer/consumer data
- Define the data that you really care about and assign value to it: 1) Ask "What is the data collected at each part of our business/organization?", 2) Ask "What is the value and legal liability of this data? What are the risks and exposures?", 3) Understand compliance obligations
- Define where your data is and where it is going. What is in structured storage, what is in transit, what is on devices?
- Get metrics to qualify and quantify your data and track how good a job you are doing
- There is no one solution to this issue, but within your organization you need to have a uniform common language for how you talk and communicate about your data/information
- Using technology: Enforce mandatory access control, scan your network for data that shouldn't be there, encrypt everything, track and audit access and usage
- However: use technology tools only to assist you in your holistic approach. Technology alone will not solve the problem, and no one tool will do the trick for your organization in most cases
Compliance Sessions
Compliance is a huge issue for all sorts of organizations right now. One presenter described it as the "Alphabet Soup" of compliance regulations and standards. Regulations differ in how prescriptive and how flexible they are, and they overlap with each other in multiple ways. Few of them are created with each other in mind, but they address similar topics of information security and privacy, plus they change from year to year!
The overwhelming trend is that 10 years ago security was optional and bottom up (i.e., firewalls, etc.). Today security and privacy are the law and top down (management is responsible). In addition, security and legal departments are now closely aligned. They have to be because of the legal ramifications of non-compliance.
Standards and compliance regulations that were discussed throughout the sessions included: HIPAA, the Gramm-Leach-Bliley Act, ISO 17799, ISO 27000, SOX, ITIL, and PCI.
In short, all the sessions recommended against starting with a standard or regulation and then trying to match or adapt your organization to it. All trumpeted a top down approach in which organizations should first start with their own best practices and requirements and make sure those are in good alignment with their mission, goals, and requirements. Then, build a table or matrix, based on your established requirements, and begin to work in other standards and regulations. The outcome should be a table that has been specifically adapted to your organization and that works in the requirements for any standards and regulations that you must or have chosen to comply with. This matrix becomes your one set of controls covering all your requirements. This is critical.
All stressed that this is not easy. It gets down to a lot of detailed, diligent hard work. Several attendees said they had been working on their table for three years and it was in constant change. There are templates and standards that some have tried to start with (e.g., ITIL was mentioned by many), but many speakers and attendees advised against this. One size does not fit all. One SOX implementation will look entirely different from one org to the next. In short, compliance is just plain hard work and it's not going to get any easier (there was a mention that the IT Compliance Institute was working on some tool to help, though).
From a technology standpoint, there are some tools out there to help, but technology should be used cautiously. Only automate things that you do well manually (e.g., inventory of hardware and software, tracking of data, gathering and reporting metrics). Use tools to help with change management, which is a huge part of compliance.
Finally, a good general takeaway: While there are key people who ultimately own and control the company data, everyone within an organization is responsible for protecting information. You cannot succeed without this being part of your organization's culture. And you get to this point by educating people, getting organizational buy-in, knowing your business processes and requirements, getting the policy in place, good communication, and measurement.
In Short, Great Conference
This is a great two day conference. I paid about $115, after my discount for being an ISSA member, for the full two day conference and all the sessions. Plus lunch included! The keynotes and sessions were very good on average, and there were lots of great IS professionals and vendors. I definitely recommend this conference to anyone interested in information security!