Last week I attended the 1st Annual Critical Infrastructure Protection Conference in Calgary. It was the first year of the event so the attendance was a bit low, but the quality of speakers was excellent:
- Stephen Flynnis Barack Obama’s Homeland Security Advisor and author of The Edge of Disaster. He offered a captivating presentation on infrastructure security, arguing convincingly that the new battle-space is no longer military, but rather in civil infrastructure and economic zones. But, despite the hype around national security, the larger threats of extreme weather, pandemic flu and other natural disasters should be of a greater focus for government security and readiness. He believes in building in resiliancy– robustness, resourcefulness and recovery — into critical infrastructures to limit the impact of disruption, whether that disruption comes from man or nature. A benefit of this approach is that it empowers individuals to act proactively and reactively against threats in ways that have not yet properly been explored.
- Patrick Grey, the Senior Security Strategist at Cisco and a 20 year FBI veteran, spoke on a variety of Internet security topics. He maintains that the biggest threats — bots, phishing and other malware — can be best defeated by user education and awareness. 75% of network breaches are due to human factors. He also notes a change in the type of attacks being witnessed. A few years ago, crippling worms were fairly common, and widespread network attacks proved difficult to prevent. Now, hackers are much more economically motivated and specific targets (e.g. financial organizations) are being attacked in systematic ways. Data breaches are now being tracked (primarily due to mandatory reporting legislation in most US states) and significant actions are being taken against companies that leave information exposed and do not report it to authorities. For example, Choicepoint was fined $15 million for a data breach that affected 163,000 people.
- Michael Legary, Founder and Chief Innovation Office at Seccuris Inc., spoke on the vulnerabilities found in virtualized environments (servers and virtual appliances). He contends that there are often poor controls ‘at the boundary’of the virtual machine and the system hardware, with drivers available to allow hacker access to all components. DOS-induced failures are possible, even with secured and managed applications, if VM maximum resources are not configured properly. Vitual networks are inherantly complex, and are not anticipated in many network security architectures. Several virtual machine rootkits — SubVirt and Blue Pill are examples — now are available to compromise systems. Security vulnerabilities in VMware, the leading solution of virtualization, are emerging; last week alone there were 16 security vulnerabilities documented. Solutions lie in improving controls, among them: limiting access to the host; hardening the operating system; firewall VM service ports; disallow file sharing between hosts; VM monitoring and reporting; and time synchronization to one source (to support audit activities). Finally, Mr. Legary challenged the lower TCO claims for virtualized services — actual delivery costs may be much higher if all security measure and risk avoidance costs are considered.
- Barry Kokotailo, an independent security professional, provided an entertaining talk titled “Anti-Surveillance or How Not To Get Caught’. A number of tools were demonstrated including: data scrubbers, steganography software to embed secret data in innocuous carrier files; secure and hidden data storage tools; anonymous SMS messaging sites; and assorted USB-based portable applications.
For a full list of speakers visit the Speakers’ Bios page. I’ll post the link to presentations when they become available.