Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

MISTI InfoSec World 2008: Conference Note Highlights, Part 1

MISTI’s InfoSec World 2008 is a great conference. It’s one of the most enjoyable I’ve been to in a long time.

In addition to excellent sessions, I’ve made a number of excellent networking contacts.

Since I’ve been quite busy (in a good way) over the past few days, it’s taken me a bit to revise my conference notes. While there were so many excellent points made over the course of the last few days, here are some of (what I consider) the highlights.

You can expect more to be published over the course of the week. Here are my notes:

  • If breached, get law enforcement to tell you that you cannot disclose, in order to keep your name out of the news
  • Best possible security controls at lowest possible costs
  • Certain controls are like hygiene - anything above the threshold is subject to scrutiny
  • Qualitative business case analysis - in good times and in bad
  • Striking the right balance between productivity, controls and quality
  • Demonstrate that it’s a myth that security professionals are not good with finances
  • If you focus on controls and quality, then productivity follows
  • Help desk calls as metrics to show impact of security change
  • Help desk calls as metrics to show where security issues are
  • Bring functions in-house to squeeze commodity work out of processes, optimizing performance and cutting costs; combine functionality with IT and automate
  • Trade off people for capital - take people and use them on higher-order analysis: automate data gathering and use people to analyze it
  • Focus on collateral processes to find procedural inefficiencies
  • Eliminate variance from the environment
  • Move from manual assessments to continuous assessments and automate where possible
  • Data gathering automated: spend time on fixing and analysis
  • Prioritize reducing the potential velocity of data leakage: data leaving the firm, portable media, widely available data
  • Wherever possible, auto provision instead of a manual request
  • Businesses should be able to take as much risk as possible without putting the firm at risk
  • IT security is the execution and risk management is the governance and strategy
  • Start thinking like a front office business person
  • Forced shift to data centric controls from network security controls
  • Information Security professionals are defenders of shareholder money
  • Make sure data flows are appropriate for the relationship: no extra data in transmission
  • Do third parties have insurance, and are you named as beneficiary?
  • A lot of fraud occurs over instant messaging
  • Beware of SMS messaging outside of the corporate network being used to commit fraud (ex., picture of a screen [issue of volume])
  • Physical security controls for devices that may leak data: call center employees lock everything in a locker before going into the data center (physical control)
  • Media disposal: all types of media - test environments, how do PCs get wiped - CD, DVD, cell phones and blackberries, fax, multi-function printers
  • Beware of legitimate service contractors who may repair live, damaged drives. They have potential to bypass data wiping controls by leaving premises with damaged drive
  • Metrics to communicate risks: loss magnitude, loss frequency (probable)
  • Detection is key to controlling impact of loss: time
  • In order to make third parties’ answers to information security control questionnaires more certain: 1. Make it a legal document, and 2. Explain the criteria they need to demonstrate (are you doing x, y, z?) in order to answer affirmatively
  • Attackers are in tune with the inner workings of the company: phishing attacks coincide with internal practices (ex., employee 401K choices)
  • Communicate vulnerabilities and risk without using FUD: use cold, hard data and financial impact
  • Risks are real and becoming more apparent with public cases such as SocGen and TJX
  • End point, data in transit, third parties, decommissioned equipment all areas with risk
  • Determine best level for encryption: transport (SSL), entire DB, just certain fields, etc.
  • Use a small footprint for storing sensitive data (centralize it)
  • Security requirements depend on competitive position and legal/regulatory compliance standpoint
  • Deploy controls concurrently with development, given the public-facing nature of web code: don’t retrofit
  • Know what projects are coming down the SDLC pipe in order to get involved
  • Concentrate on how vulnerabilities map to various types of risk (business, reputation, financial, etc.): 1. Not all vulnerabilities are created equal; and 2. Some vulnerabilities map to more than one type of risk
