Archive for the ‘Other’ Category

44con and Uncon

It’s been a busy week again.

I helped out  a few weeks ago on the panel choosing speakers for the Infosec track for 44con and subsequently got roped in / volunteered to run that track during the days of the con. A week before 44con happened one of the speakers failed to get a visa and I volunteered to fill the gap and spoke on ‘Intelligence-Led Cybersecurity’. It was an interesting process working out what I could talk about, how I could squeeze it into a 45 minute slot (With questions)  and then convincing my employers to let me talk publicly.

Cyber Cyber Cyber

The industrialisation of cyberwar and cyberespionage using techniques developed in the last decade of massive expansion in cybercrime has presented a serious challenge to the security industry.

The myriad breaches, whether at the lulz end of the scale or at the national security end of the scale, has highlighted the fact that while we as an industry may have been doing the component parts of information security for a long time we haven’t done it very well.

Cyberwar what is it good for? Absoutely nothing?

Cybersecurity is a very hot topic right now, for example:

· A contact in the UK government agency responsible for government information security has reported anecdotally that they have had more ministerial visits in the last 12 months asking about cyber than in the last 10 years for any purpose.

· A friend who is an audit partner in a Big4 accountancy firm in the UK has spent many years trying to get boards to consider information security, in the last six months he has seen an unprecedented groundswell of interest from board members asking about cyber. It’s one of their hot topic items right now and every board is asking him his opinion.

Infosec London, BsidesLondon & DC4420 – A busy few days

This week I dived back into the UK security industry outside my current little security silo to see what people were up to and see what I’d missed.

I made it to Infosecurity Europe 2011 on Tuesday afternoon. Infosec is a vendor exhibition, they’ve tagged on a set of lectures but they are basically vendor pitches in more of an infomercial style than on the exhibition floor. I loathe the experience on the exhibition floor at Infosec, the rampant commercialism and the lack of detail makes it a terrible place to learn anything new. It is however a great place to waste time talking to bug vendor sales people who know less about their products than you do and spend an afternoon ducking the slightly desperate gaze of the small vendors and professional service firms in the various ghettos in the rear corners.

That said I met a lot of good guys I hadn’t seen for months or years wandering around the corridors, Infosec does draw everyone out into the daylight and the coffee is a lot better than it used to be. The move the Earls Court has made it a lot more convenient and the local pubs are comfortable so it’s not wasted time. Someone is going to come up with a killer app for real world exhibition networking, finding who of your friends and colleagues are there when you are and where in the hall they are or which pub they are in that is going to shift the whole emphasis of exhibitions like Infosec.

I probably will stick to my schedule of every other year for Infosec in the meantime.

Wednesday I headed over to BsidesLondon, a new free security conference in London. It was in a great venue and I was a little blown away by the amount of new young security talent in the room, also surprised and heartened by the large number of Unconvention attendees lurking around the crowd. They opened with the statement there were’nt any security conferences in the UK, I think every Unconner I met told me about that 🙂 The content of the con was okay but I’m not at all sure I learnt anything new.

  • David Rooks talk on using risk as a way of communicating to the business about technical security flaws was as worthy as the subject’s been since 2000, good content but little that was new.
  • Chris Wysopal stood up for Veracode and told us how to translate security flaws into dollar estimates of risk. I really liked  his approach, I also now that if I was presented it as a client I if I wanted I could use the chained assumptions to undermine the argument which makes it pretty much state of the art these days, useful way of talking to the C*O but dangerous around security professionals with different commercial agendas. I was especially taken with his use of the dollar value of risk from other areas such as legal, compliance and the rest that are effectively competing for the controls budget with security. If we could aim for a set of metrics that not only tell us a dollar value for security risk held and legal risk held and compliance risk held but also the cost per $100 of risk to manage in those different areas then we might see security’s big problem. I’m pretty sure (In an unprovable hand-wavy sense) that  managing $100 of technical security risk costs a lot more than managing $100 of legal risk or compliance risk.
  • Stephen Bonner did a particularly entertaining talk on recruitment failures in Infosec, that man knows how to work a room 🙂
  • Steve Lord did a great if somewhat self-regarding talk on the life-cycle of the penetration tester through their career. I suspect it was a talk on Steve’s career as a pen tester but there were enough resonances there for the old crowd in the audience to chuckle all the way through

I like BsidesLondon and I would recommend it to new pen testers getting started and I think as it develops it will find a ‘house style’ but at the moment it was entertaining rather than enlightening. It was run incredibly well and has set a bar for future Uncons to do better. Hey if they can do it surely we can too 🙂

Wednesday night was Alien8s DC4420 for the month, it was a huge meet due to being in Infosec week but was full of a good crowd. DC4420 has interesting talks, Mu-bs slightly political take on sat card sharing was my highlight but is mainly a social event and a good time was had by all. I must make an effort to get 4420 more often.

All in all the UK tech security scene seems healthy, some new companies starting up to fill the spaces left by the recent acquisitions, good people still contributing good content. I’m definitely part of the ‘old guard’ now and that’s probably exactly right.



Twitter RSS