
InfoSec 2012 Conference review May 3, 2012

Posted by alexoldman in Advanced Persistent Threat, Information security, Malware, Security, Splunk.

Last week I attended the Information Security 2012 conference at London’s Earls Court. The biggest event of its type in Europe, the InfoSec event brings together security suppliers and customers, providing a traditional sales opportunity, while giving delegates the opportunity to see other potential suppliers or participate in a programme of high-level presentations in four ‘theatres’ on a variety of topics. It’s also a good chance to meet up with other security professionals. The areas that seemed to have the highest attention were: Mobile Security (BYOD and MDM); “Big Data”; Advanced Persistent Threats; Advanced Evasion Techniques; and Security Information Event Management (SIEM). My particular interests for this show were in Mobile Security (Bring Your Own Device policy development / Mobile Device Management), and Advanced Persistent Threat detection, avoidance and handling.

Mobile Security

iPads are taking off at a phenomenal rate in our working lives. There is a huge move in the way people expect to work. Last year the sales guys had to have iPad 2s; just now the “new iPad” is the must-have executive toy, and really soon it’ll be the workers demanding them in the workplace. This cultural revolution has come as a result of a blurring of boundaries between what is traditionally ‘work’ and what is ‘play’. The technology we want to use supports this lifestyle. Many of the people I communicate with on Facebook are important to me professionally. But not every workplace realises this. Organisational policies need to keep up, while ensuring the protection of client and company interests. Where technology leads, security policy must follow.

Having conceded the inevitability of a BYOD (Bring Your Own Device) policy in my own workplace, I need to understand what the technology capabilities of mobile device management are. I had a demo of the new McAfee Enterprise Mobility Management Platform, which integrates with Exchange ActiveSync (part of Microsoft Exchange) and McAfee’s own ePolicy Orchestrator, to support Apple iOS, Google Android, Microsoft Windows Phone and BlackBerry. The impression I was left with is that the policy enforcement capabilities vary with the platform (iOS is weak compared with, say, BlackBerry), potentially leaving gaps between policy and enforcement capability. However, MMP is the most rounded product I’ve seen to date (I’ve not seen many!). One feature I particularly like is the idea of a secure container on each device for storing company data. This can be remotely wiped, which is much more discreet than whole-device wiping. There was also the suggestion that individual emails could be labelled as ‘corporate’ or ‘other’; although this feature was not demonstrated, it shows how companies are thinking about how to classify corporate data on the move.

Deloitte gave an interesting presentation on mobile security trends. They identified that the trend for mobile computing is moving from data consumption to data creation. Deloitte suggested that there were difficulties related to regulation, such as the Financial Services Authority requirement on the auditing of every communication that results in a transaction. They also identified that expertise in secure mobile application development is limited. These are all areas that, as an industry, we need to tackle if we want to enable a secure, mobile workforce.

Deloitte highlighted a case study of a major English utility provider. The study identified, in a total user base of 120,000, a population of 30,000 mobile devices, including non-BlackBerry devices. There were 25,000 users – indicating that many people have more than one device. The interesting statistic is that 20% of staff used mobile devices for work.

Advanced Persistent Threats

Advanced Persistent Threats are exactly as the name suggests. They are an ongoing type of attack that is highly motivated and resourced and typically goes for high-value assets. The best publicised attacks are on Iran’s nuclear weapons development programme (Stuxnet), and the hack of security company RSA, which ultimately led to the compromise of the defence contractor Lockheed Martin. The problem with APT is that even if you do detect and prevent one attack, ‘they’ will come again in another wave. ‘They’ are… persistent.

I was therefore interested in developing my own knowledge of APT prevention, detection and response, which is already quite well researched.

Lee Lawson from Dell SecureWorks gave an entertaining overview of APT in the InfoSec Technical Theatre. I had a light-bulb moment at the suggestion of cutting communication with the command and control servers as a way to defeat an infection. This session didn’t answer my main question, which is how to defend against APT as a general threat, but as a response plan it’s a no-brainer. This ‘severing the head’ approach is already written into my botnet and malware outbreak response plans.
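One way to turn that “sever the head” response step into a repeatable check, as an added example that is not part of the original post and not Dell SecureWorks’ material: given a constructed list of command and control indicators and some constructed proxy log lines, it reports which internal hosts contacted C2 (candidates for isolation) and generates egress deny rules in a made-up rule syntax.

```python
"""Added example (not from the original post): the 'sever the head'
response step. Match outbound proxy log lines against known C2
indicators, list the internal hosts that talked to C2, and emit egress
block rules. All indicators, hosts and log lines are constructed."""
import re
from collections import defaultdict

# Constructed C2 indicators (reserved .invalid TLD and documentation IP
# range), standing in for what an incident team gets from its own
# analysis or a threat feed. These are placeholders, not real IoCs.
C2_INDICATORS = {"c2-example.invalid", "198.51.100.23"}

# Constructed squid-style access log: time, client, status, method, url
SAMPLE_LOG = """\
1335881000.123 10.0.1.15 TCP_MISS/200 GET http://c2-example.invalid/beacon?id=7
1335881001.456 10.0.1.15 TCP_MISS/200 GET http://www.example.com/index.html
1335881005.789 10.0.2.40 TCP_MISS/200 POST http://198.51.100.23/upload
1335881009.000 10.0.3.9 TCP_MISS/200 GET http://intranet.example.com/
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def c2_contacts(log_text, indicators):
    """Return {internal_host: sorted list of C2 hosts it contacted}."""
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-incident
        _, client, _, url = m.groups()
        h = HOST_RE.match(url)
        if h and h.group(1).lower() in indicators:
            contacts[client].add(h.group(1).lower())
    return {k: sorted(v) for k, v in contacts.items()}


def egress_block_rules(indicators):
    """Hypothetical firewall/proxy deny rules, one per C2 indicator."""
    return [f"deny any -> {i} any log" for i in sorted(indicators)]


if __name__ == "__main__":
    for host, c2 in c2_contacts(SAMPLE_LOG, C2_INDICATORS).items():
        print(f"isolate {host}: contacted {', '.join(c2)}")
    print("\n".join(egress_block_rules(C2_INDICATORS)))
```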

Other stuff

I had a quick demo of Nexpose by Rapid7, the same people that provide the Metasploit security testing framework. Nexpose is a vulnerability scanner, but looks to be nothing more than a Nessus clone. Disappointing.

I saw a more detailed demo of Splunk’s Enterprise Security module, which will form part of a security posture initiative I am implementing at work. I hope to make Information Security Risk easier to comprehend, and therefore manage.

In general, InfoSec was an excellent conference, with a great balance between learning new stuff and exploring what I already understood.