Tuesday, 25 April 2006

My work sent me to an Information Security conference last Thursday and it turned out to be pretty OK. At first I thought it was going to be a total bust, and it was all the way through lunch, but the afternoon speaker made the whole day worthwhile.

The conference consisted mainly of several security vendors, each taking a turn telling you what you should be afraid of and, strangely enough, they just happened to sell a product that would take care of it for you. Spam prevention via email, Trojan horses via instant messaging, firewall and intrusion detection systems.

Don’t get me wrong, all of these are valuable tools in a comprehensive information security arsenal, but none of the presentations were tempered at all. They were geared more toward people wearing the management hat rather than the engineering hat. It was all terribly unfortunate and made for a very dull time.

The first keynote speaker, Dan Thormosgaard, spoke about “Implementing a Secure Wireless Infrastructure.” The subject had the potential to be very interesting, but as a speaker he was sleep inducing. By lunch time I was ready to go into a coma. After lunch it wasn’t looking too good either. Two more vendor presentations that were really no better than the morning sessions.

Finally, after the afternoon break (the breaks were surprisingly long too, 45 minute “coffee-breaks” and almost 90 minutes for lunch), the afternoon keynote speaker took the stage and rocked the house.

Ira Winkler is usually described as a “Modern Day James Bond,” which factors into his presentation a bit. He’s an engaging speaker who knows his topic and keeps things moving. He started out by saying that James Bond and the Jennifer Garner character from Alias are lousy spies, but that’s necessary to making movies and television shows entertaining.

Why are they lousy? The good guys get caught every time. And it’s not like the bad guys are rocket scientists either. How smart is it if, when you capture the person sent to stop you, you tell them your master plan and then leave them with some time-delay method of dying from which the good guy can escape easily? And the good guys are clumsy and dumb enough to get caught by these jokers.

In the real world, the good guys seldom get caught. They have to keep it that way because if they do, they die almost instantly. So that’s why every TV and movie spy is bad at their job.

Then he segued into risk management, which is what information security really is. It comes down to a fairly easily expressed formula:

Winkler told three stories of security evaluations for which he has been contracted to break into a company and try to steal their most valuable assets. Most of the time those assets are in the form of intellectual property: business strategy documents, financials, nuclear plant designs. In each case, most of his work was done via social engineering rather than brute-forcing his way into their network.

The point is that in the formula, threat never really changes. That’s other people, and you can’t control what other people will do. Likewise, you can’t really change the value of the asset. It’s worth what it’s worth, whether that’s $10 or $10 billion, and it typically goes up over time.

What you can manage is your vulnerability by enacting countermeasures. The trick is that there’s a sweet spot: a point where the price of the countermeasures exceeds the value of the asset. One example is a computer mouse. They cost around $20 these days. They’re essentially disposable when you consider the cost of securing and tracking them. If your Help Desk has to spend even 15 minutes dealing with them, you’re on the losing side of the equation.

On the other hand, if your business is financial management, and your company handles millions of dollars over the course of a normal business day, you care a great deal about the security and integrity of those assets. If they’re lost, you’re done. Kaput. But how much will the countermeasures cost compared to the vulnerabilities you face?

That’s the basic idea, anyway. To me, as a computer geek interested in network security both at work and at home, it was fascinating. Five minutes into it, I had to buy a copy of his book, I was that impressed.

Mr. Winkler signed autographs after he was done and stopped to chat with each person for a couple of minutes. He was interested in what they do and what interests them most about information security. In my case, I work for a government subcontractor. He wrote in mine “Do a good job so I don’t have to!” I cracked up on the spot.

If you ever get the chance to see him speak, go. Don’t miss it. Drink the Kool-Aid. At least go out and buy the book.
