April 2009

Cryptographer's Panel

Moderator: Ari Juels, RSA Laboratories

Panelists: Whitfield Diffie, Sun Microsystems; Martin E. Hellman, Standord Univercity; Ronald Rivest, MIT; Bruce Schneier, BT Counterpain; Adi Shamir, Weizmann Institute of Science, Israel.

I'm not sure how well this is going to work for a panel. We'll see. It will be starting in the next few minutes.

Here we go.

Ari mentions the catastrophic failure in risk management in financial securities.

Opening thoughts by panelists.

Diffie: Mentions some prominent cryptographers who have passed in the last year. He is bullish on cloud computing that represents a challenge to information security that we haven't really seen before. You have to put your best information out there or you are going to go out of business. How do you protect it.

Hellman: http://NuclearRisk.org. How risky is it? 1000 times riskier than a nuclear power plant near your home. Paper on site. "Soaring, Cryptography and Nuclear Weapons". Technology can be a great enabler and also a great danger. We have the power of gods and the maturity of 16 year olds. Human beings ignore risk until it is too late. Points out that many warnings were given about the financial issues prior to the recent issues.

Blarg. Computer malfunction. Lost update for last three. Current question: Are we headed for a infosec Pearl Harbor.

Bruce says no. Diffie thinks we are headed for more of a 911 instead of a Pearl Harbo. Adi says very low likelyhood, but could be very significant if it happened.

More computer difficulties. Missed question.

Lots of discussion about black swan events and also we need to be very careful where we spend our money because those monies only get so much increase in security.

Closing Statements:

Diffie: If you are doing security you count it as a cost center, "what can you do with 20% less". If you are doing cyber operations you are seen as a profit center, i.e. spying, "what more can you do with 20% more"

Ronald: Cloud computing going to be the focal area of a lot of our work. Terminology matters.  Optimistic about it. A lot of hard work to do to make it work right and securely.

Adi: Points out that the Conficker meets the criteria of 1 month or older and on over a million systems.

Bruce: Who should be in charge of cyber security? Nobody.  Top-down is not the right model. Distrubuted, i.e. everybody is responsible.

That's a wrap of the panel.

{ 0 comments }

Moving Towards 'End to End Trust': A Collaborative Effort

Scott Charney, Corporate VP - Trustworthy Computing, Microsoft Corporation

Used to prosecute cyber crime.

Applications continue to be vulnerable.

The threat landscape continues to evolve.

A very information dense slide is up right now that depicts end to end trust. Need Security/Privacy fundamentals at the bottom, then trusted stack and identity metasystem. All covered by an integrated management and audit function. All of this needs to work within the arenas of economic forces, social requirements, and political/legislative issues in alignment with them all.

Talking about Microsoft's Security Development Lifecycle. Mentioned the threat modeling tool released last year.

Trusted stack. This talk is very specific to what Microsoft is doing with their products and partners. While interesting, it is not what I intended as a live blogging exercise.  This will be the end of this particular keynote blogging effort.

{ 2 comments }

The New Security Agenda: Changing the Game

It is about information. It is the most valuable thing we protect.

We are in an environment of increasing complexity and risk.

When the internet was young we never thought about virtualization being available over the internet.

Realities:

• External threat environment is growing at an increasing rate and changing.
  • Moving away from mass distribution. Going to micro distribution. Targeted.
• The internet continues to change from and internal perspective. Insider threat.
  • Not all malicious. Many accidental.
  • Some are malicious.
• The current security model isn't working. It is time to operationalize security.
  • It needs to be risk based, information centric, responsive, and workflow driven.

Really pushing for workflow.

Blacklisting is important, whitelisting works too. New direction, reputation based security.

Closing remarks:

Visibility and Control. Skiing metaphor about leaning forward to maintain control. Back to workflow and automation.

That's it for the second keynote. The third keynote starts iat 10:00 am PST/3:00 pm EST.

{ 0 comments }

I am going to try something new here this morning.  I am at the RSA conference in San Francisco and have a table and power at the keynote! I am going to try and live blog the first keynote. If it goes well, I may keep it up for the rest of the mornings keynotes.

Here we go!

Time for the Edgar Alan Poe slide show. Won't be saying much here.

Title: A Common Call: Architecting  a New Information Security Landscape

Talking about cyber criminals. They out number us. They are organized and purposeful.

The vendor community must take the lead to combat them.

*note: I will not be providing any editorial comments, merely notes on what is being said.

Talking about fraud is threatening the existence of the information ecosystem, like pollution.

Now on to economic crisis. Technology can enable recovery.

Rapid transformation of technologies, social networking, virtualizaiont, commercialization of IT and mobile devices are having real impacts in today's IT world.

Current infrastructure evolved with not overarching plan. No process. It's a "leaning tower of technologies."

We must embrace a common development process for informstion security.

Focus on Information Risk Management

• Policy Management
• Policy Decision
• Policy Enforcement
• Policy Audit

Today's security products protect a defined element from a defined attack. Criminals work around it.

Breaking out each area from point products to show how making them broader in scope will help us protect information better.

The whole issue being to move from a point product based implementation to a system. Cannot be done with a suite of products from a single vendor.  Vendors must collaborate.

Have to do three things.

• Collaborate on standards
• Share technology
• Integrate and Embed.

Talking about EMC, Cisco and Microsoft collaborating, sharing and integrating.

Now talking about virtualization.

VMWare making a major announcement this morning. Keep your ears tuned.

Closing thoughts:

Industries usually grow incrementally, sometimes huge changes "tipping points" happen. Art suggests we are at such a "tipping point" right now.

Vendors must take the lead, but practitioners must demand it of them.

Proverb: "If you want to go fast, go alone. If you want to go far, go together."

Last part of the first keynote is a panel with Art Cavielo and senior executives from Microsoft and Cisco. Talking about collaboration. That is collaboration in vendor space, not collaboration "tools."

Oops. Typo in title. Thanks for @drinfosec for pointing it out.

Keynote 1 finished. I hope you found this interesting. I will be continuing this through the rest of the keynotes this morning. Each in its own post. The next keynote starts at 9:00 am PST/12:00 pm EST

BTW  - I would love to hear back from you if this is helpful.

{ 4 comments }