RSA Europe 2009 – Day 2 Recap

by kriggins on October 22, 2009

in Conferences

Day 2's recap is going to be rather short and for that I apologize. I spent a good portion of the day tweaking and twiddling with my presentation. My presentation went well. No technical failures and I got all my points across. I would have been happier with it being a little smoother, but overall, I am happy.

I did manage to take in one of the keynotes, "The Underground Economy." Andy Auld from SOCA and Keith Mularski from the FBI gave an interesting talk about how the computer crime economy works. They spoke about the different forms of malware and spam, digital currencies, exchangers and then talked about the organized criminal networks that they have come across. A very interesting talk even if a number of the slides were rather difficult to see.

The next session I attended was "Is IT Risk Management Just a Fad?". I expected a talk that would compare and contrast what I call "checklist security" and information security risk management. Unfortunately, that was not the case and I did not really take anything away from this talk.

The final talk I attended was the "Collateral Hacking" panel. It consisted of moderator Hugh Thompson and panelists Andrew Nash from PayPal, David Ostertag of Verizon Business Services and Ira Winkler of ISAG. From the description, the panel was going to talk about what happens when your co-tenant in a cloud is attacked, hence the title of Collateral Hacking. Unfortunately, it quickly lost its way and ended up being far off topic.



RSA Europe 2009 – Day 1 Recap

by kriggins on October 21, 2009

in Conferences

Yesterday was the first day of RSA Europe 2009 and I enjoyed it a great deal.

I ran into Brian Honan first thing in the morning and Craig Balding shortly thereafter.

I attended both opening keynotes and they were well done.

I particularly enjoyed Hugh Thompson's presentation. He spoke about gateway data. This is data that, by itself, seems innocuous. However, it can be used or combined with other data to get more data or more access. He was speaking from the perspective of the data that we often put in public spaces such as Facebook, Twitter, blogs, etc. He also mentioned how on-line behaviors can be used to infer additional information. He classified this data into three different types:

  1. Direct Use - Public data that can be transformed
  2. Amplification - Conversion of public data to private data by bouncing it off a person
  3. Collective Intelligence - Collecting and correlating information from different on-line activities to deduce private information.

The last was the most interesting. He is doing a study which shows how the activities of individuals on LinkedIn can often be correlated to significant future events in the companies the individuals work for.

The next session I attended was 'How Information Security Careers are Changing.' This was an interesting session that looked at where our profession started and where it is going. The biggest takeaway for me was that where our profession used to be primarily technical, we have started to see a shift to a more differentiated situation where we have technical specialists, generalists, consultants and leaders. This means we both have more choices and have to be cognizant of the choices we make as we navigate our careers.

Brian Honan's talk on stealing an identity using purely public information was very enjoyable. About a year ago, a journalist challenged Brian to "steal her identity" using only publicly available information, no automated tools and only completely legal means. Of course, he didn't actually steal her identity, but through the information he found online, he was able to get a copy of her birth certificate, a completely legal activity in Ireland. Pretty much game over at that point. The message here is to be very careful what you put out there because it a) never disappears and b) can be used easily by the 'evil hackers.' He then showed us a number of automated tools like and Maltego that can make this process even easier.

My final session for the day was Craig Balding's Cloud Security talk. Again, very well done. His talk was a great overview of the issues that exist. Craig is an engaging speaker and stressed that the first step to being able to effectively use cloud services in as secure a manner as possible is to classify our data. Yup, an old song, but a tune that is even more catchy when considering cloud computing. Unfortunately, I had to cut out a little early, but will definitely be catching the rest when the recordings become available.

The last event of my day was the RSA Europe 2009 Security Bloggers Meetup. I have already written my quick recap post of that one and so will not repeat it here other than to say that I really enjoyed seeing old friends, meeting on-line friends for the first time and making some new ones.

If you happen to be here and would like to say hi, send me a note at or @ me on Twitter. I am @kriggins there.





Last night was the RSA Europe 2009 Security Bloggers Meetup. It was held at the Fountains Abbey Pub in London, UK and was a complete success.

Dale and I showed up at the pub at 6:00 to start setting up. With the help of Melanie from eclat marketing, we were able to get everything ready on time.

People started trickling in around 7:30 and we eventually had 30+ people all having a great time enjoying the chance to relax and talk with their peers.

Things clicked right along and the last of us left around 11:00.

I enjoyed making new acquaintances and talking with a number of people in person that I have interacted with on-line.

I would like to thank Dale Pearson for his invaluable help in arranging things for the meetup. Without his efforts, the event would not have been anywhere near as successful as it was.

We would also like to express our sincere gratitude to our sponsors who allowed us to provide nibblies and drinks.

We are already looking forward to next year and hoping to make it an even bigger success!

Kevin, Dale and Benny


Hard to believe that RSA Europe 2009 and the Security Bloggers Meetup is just around the corner. We have officially passed the less-than-one-month mark.

On the news front, we have secured a venue. We have the second floor of a pub reserved for us so we can talk about securing that and breaking this as loud as we want.

Invitations have been sent out to the Security Bloggers Network. If you did not get one and want to attend, send an email to and we will get the details to you.

-Kevin, Dale and Benny


Barcamp – Des Moines, IA – 2009

by kriggins on September 17, 2009

in Conferences, Educational


I have never attended a Barcamp conference, but have heard good things about them. There was one last year in Des Moines and it is happening again this year.

Date: Saturday, September 26, 2009
Time: 8 am - 10 pm
Cost: FREE (food too!)
Location: Impromptu Studio, 300 SW 5th Street, Des Moines, IA 50309


Go to the website for more information. You can register from the site or go here.



I participated in the Nebraska CERT Conference this week and gave a talk on Building the Perfect BackTrack 4 USB Thumb Drive. Below is the slide deck from my talk.

Let me know if you have any comments or questions.



This is the presentation I gave at Secure360 2009 titled "Measuring and Communicating Risk using Factor Analysis of Information Risk (FAIR)."

As always, I am interested in your feedback.



Secure360 SecurityTwits Tweet-up

by kriggins on May 11, 2009

in Conferences

Secure360 starts tomorrow May 12th.

A group of @securitytwits are getting together tomorrow night at the Great Waters Brewing Co. at 7:00 p.m. I'm not sure where we are going to be in the place or how many of us there will be, but fun will be had 🙂

If you think you might be coming by, drop a note in the comments so we can keep an eye out for you.

Great Waters Brewing Company is located at:

426 Saint Peter St
St Paul, MN 55102

Here's a map:



Changing Security As We Know It - Software as a Service (SaaS) Has Arrived Giving Rise to Plethora of Security Applications

Philippe Courtot, Chairman and CEO, Qualys, Inc.

We are entering into a new world. The rate of innovation is continuing to accelerate.

The Inconvenient Truth. 50% of corporate data resides unprotected on PC desktops and laptops. 1 out of 10 laptop computers will be lost or stolen within 12 months of purchase. 29.5 days: the average time it takes to eliminate half of known critical vulnerabilities on corporate networks. This is only a 0.5-day improvement.

Securing the enterprise is getting harder and harder.

Why is security so hard? Too many variables, too many security patches, long software release cycles, technology is moving too fast. The burden is all on the enterprise.

The Cloud Computing Era

Software as a Service (SaaS). Infrastructure and Platform as a Service (IaaS, PaaS)

Cloud computing answers the IT business needs of agile, 21st century economies.

Why is it so disruptive? No IT resources needed, a delivery model that scales, disruptive business model, easier to select vendors.

One of the biggest advantages is the ability to quickly and inexpensively try things without a large capital expenditure.

The current financial situation is accelerating the adoption of cloud computing.

Why has adoption taken so long? Resistance to change, Internet limitations (i.e. browsers, etc.), the Internet bubble (.com bust).

There is a tsunami of Enterprise SaaS solutions now coming to a browser near you.

What about security? A counter intuitive reality. Security can be made more granular and invisible in the cloud.

Why is this possible? Security can become part of the fabric.

What are the implications for the security industry? Accelerated consolidation. Major shift in buyers. Buyers of today are the enterprises, the buyers of tomorrow will be the cloud providers. Emergence of new players.

It is not about the survival of the fittest or the biggest, but of the one who adapts!

What are the implications for the security professional? Resistance is not an option anymore. We will be dealing with more complexity. Still have to deal with the current complexity and at the same time deal with the cloud.

What are the missing pieces? Technology: a more secure and advanced browser, stronger authentication federated in the cloud, secure open protocols and standards. Legal: SLAs, audits and compliance, privacy, location and ownership.

Closing with embrace the change.


Securing the Smarter Planet

Brian J. Truskowski, General Manager, Internet Security Systems (ISS), IBM Global Technology Services (GTS)

1995 was when the first really themed RSA conference happened. A lot has changed since then.

We all need to remember one thing. Bad times are the opportunity for companies to become great companies.

In bad times, change is not only possible, it is necessary.

The winners are not just surviving right now, they are preparing.

A significant number of CEOs saw change coming, but they couldn't manage it. Systems and processes are too rigid to manage change. Change required.

Businesses that embrace change are the ones that can excel in this type of environment. Ready to seize opportunities. Keep enterprises focused on values and goals.


He states that the security industry's goals and values are misaligned.

Talking about IBM being everywhere and able to see broadly because of that.

They see the world becoming a smarter planet. Instrumented: sensors embedded everywhere. Interconnected: soon 2 billion people on the Internet, 4 billion mobile users. Intelligent: data explosion, powering new systems for analyzing and using this data.

Ubiquitous computing. Rapidly approaching the day when there will be more smart devices accessing the internet than PCs.

Every day 1 million people become cell phone users. Ticking time bomb from a security perspective. Mobile computing that is.

There is only so much you can do to mitigate security issues after a system has been deployed.

Security must become a function that enables business activities by being inherently embedded in all facets.

If you can respond to change more effectively than the competition you will win.

Changing to discuss social engineering. Humans are the weakest link in the security chain. Social engineering still very effective.

"Humans are an infinite threat to information security."

We need to design systems and processes that are resistant to human deficiencies.

Reduce complexity.

Successful business will embrace smarter security.

Pushing security as a business enabler (I don't agree with security as an enabler.)

Security spending must be contained.

Change and collaboration will be required to move forward in reducing cost and complexity.

