The Other Side of Security
The Denver edition of Security BSides took place a few weeks ago in a garage turned art gallery on the far end of Denver’s emerging Santa Fe Arts District, right on the border between historic working-class neighborhoods and a rambling wasteland of building supply warehouses.
The nearly all-male crowd, dressed in jeans and black t-shirts or IT casual, started the morning with bagels and copious amounts of strong, dark Daz Bog coffee while discussing other computer security and hacking conferences they’d been to, or were planning to attend. Two full kegs from local favorite Breckenridge Brewery arrived shortly after noon.
BSides started last year as an alternative alongside DEFCON, RSA, and other big security events, and follows the loose “un-conference” model popularized by BarCamps a few years ago. As one of the BSides regulars explained, “this isn’t some square-ass, like, sit around, don’t talk to people thing.”
The presentation I enjoyed most was “Top 10 Ways IT is Enabling Cybercrime,” presented by Daniel J. Molina from Kaspersky Labs. He described how quickly threats are evolving, how many new threats are appearing every day, and explained that the targets aren’t always who you’d expect. “I don’t have cool stuff,” many companies think, “I don’t need to protect it.” To the bad guys, money is cool stuff. Private information is cool stuff. Contact lists are cool stuff. We all have that stuff.
Most security programs are still based on the idea that data stays in the physical data center. Your iPhone or your boss’s Blackberry proves that’s not true. The data on your device is, in most cases, worth far more than the device itself. Insurance doesn’t cover that. Corporate firewalls don’t surround it. To users, as soon as they leave the building (maybe sooner), that laptop or other device is treated as a personal computer, and they engage in risky behavior.
As we move to devices we don’t control, software-as-a-service we don’t control, social networks we don’t control, on and on and on, we allow insecurities we can’t control (and most likely can’t even detect) into our mission-critical business processes.
Another mistake he talked about is that the security industry overall focuses too much on protection, and not enough on detection or response. So we may not notice when the protection fails; if we do, we may not know what to do about it. We also leave information security as an IT responsibility, forgetting that the data as a whole belongs to the business as a whole — and for many companies, without the data, there is no business.
And finally: settling for compliance. Much like CAN-SPAM, the regulations on data protection are the minimum standard. It’s what you have to do to avoid going to jail, to keep the auditor off your back, to cover your (ahem) continued employment. Compliance isn’t enough to actually keep you secure, because even at their best the lawmakers can only write regulations for attacks they’ve already been told about. Compliance with regulations is the starting point, not the end goal. As an audience member asked earlier in the day: how do you address the disconnect between the actual law or policy, the decision-makers, and reality?
As you can tell, much of this was intended for an enterprise IT crowd. My background is with ISPs and consumer internet services, so it was interesting to hear the differences and similarities in attitudes and approach. That question about laws, decision-makers, and policy certainly resonates when pondering email, spam, privacy, or email marketing.
There are so many security conferences these days that it’s hard to figure out which are worth attending, which are even worth paying attention to. Security BSides is new, it’s an upstart, the organizers are clearly learning how to run an event — but it’s real, almost gritty. The speakers and attendees are people who do things, who know things. They live in the same world as Charles Stross’s fictional Bob Howard, though he also has worse things to deal with.
When they tell us to be afraid it’s because they’ve seen what’s actually happening out there, not just because they have something to sell. So this, in my mind, is one event series to keep an eye on.
If you’ll be attending DEFCON later this month, BSides has two days planned in Las Vegas immediately beforehand. They also have meetings planned this year in Kansas City, Atlanta, Dallas, and Ottawa.