Yesterday was the first day of RSA Europe 2009 and I enjoyed it a great deal.
I ran into Brian Honan first thing in the morning and Craig Balding shortly thereafter.
I attended both opening keynotes and they were well done.
I particularly enjoyed Hugh Thompson's presentation. He spoke about gateway data. This is data, that by itself, seems innocuous. However, it can be used or combined with other data to get more data or more access. He was speaking from the perspective of the data that we often put in public spaces such as Facebook, Twitter, blogs, etc. He also mentioned how on-line behaviors can be used to infer additional information. He classified this data into three different types:
- Direct Use - Public data that can be transformed
- Amplification - Conversion of public data to private data by bouncing it off a person
- Collective Intelligence - Collecting and correlating information from different on-line activities to deduce private information.
The last was the most interesting. He is doing a study which shows how the activities of individuals on LinkedIn can often be correlated to significant future events in the companies the individuals work for.
The next session I attended was 'How Information Security Careers are Changing.' This was an interesting session that looked at where are profession started and where it is going. This biggest take away for me was that where our profession used to be primarily technical, we have started to see a shift to a more differentiated situation where we have technical specialists, generalists, consultants and leaders. This means we both have more choices and have to be cognizant of the choices we make as we navigate our careers.
Brian Honan's talk on stealing an identity using purely public information was very enjoyable. About a year ago, a journalist challenged Brian to "steal her identity" using only publicly available information, no automated tools and only completely legal means. Of course, he didn't actually steal her identity, but through the information he found online, he was able to get a copy of her birth certificate, a completely legal activity in Ireland. Pretty much game over at that point. The message here is to be very careful what you put out there because it a) never disappears and b) can be used easily by the 'evil hackers.' He then showed us a number of automated tools like pipl.com and maltego that can make this process even easier.
My final session for the day was Craig Balding's Cloud Security talk. Again, very well done. His talk was a great overview of the issues that exist. Craig is an engaging speaker and stressed that the first step to being able to effectively use cloud services in as secure a manner as possible, is to classify our data. Yup, an old song, but a tune that is even more catchy when considering cloud computing. Unfortunately, I had to cut out a little early, but will definitely be catching the rest when the recordings become available.
The last event of my day was the RSA Europe 2009 Security Bloggers Meetup. I have already written my quick recap post of that one and so will not repeat it here other than to say that I really enjoyed seeing old friends, meeting on-line friends for the first time and making some new ones.
If you happen to be here and would like to say hi, send me a note at kriggins@infosecramblings.com or @ me on twitter. I am @kriggins there.
-Kevin