Highlights from the AISA conference in Sydney: Amazon, Apple and Google know more about you than your doctor or lawyer, and Commbank is jealous as hell.
The annual AISA (Australian Information Security Association) National Conference was held at the Sydney Convention Centre on Wednesday, November 9. Sponsors staffing the exhibition stalls dressed for the occasion, wearing hats in keeping with the theme.
Kicking off the day was Chief Security Technology Officer at BT, Bruce Schneier who spoke about the book he is currently writing and what he hopes it will achieve. "I'm writing a book about trust and security - it started out being a book about security but became a book about trust because in a lot of ways trust is the reason we do security. "
This year, the event followed a revolution theme and featured presentations by industry experts Bruce Schneier, Michael Harte, John Stewart, Ruth Marshall, Marcus Ranum, Paul Henry and Michael Jones, as well as a panel session led by AISA Membership Director Benn Dullard.
On the topic of IT economics, Schneier spoke about network effects, and that "a network becomes more valuable to you the more people who are on it. One person with a fax machine is boring. Two people can fax each other. Once everybody has a fax machine, they become very
He also covered switching costs, which is the cost associated with going from one product to its competitor. "The higher your switching costs, the less you have to care about your customers." Because switching is so much harder when the cost is high, "the product or service has to piss me off so much more before I'm willing to pay that cost to switch."
Schneier referenced the notion of a lemons market, in which "bad products drive good products out of the market, and we see this a lot in IT, especially in security. There's a reason why the firewalls that won weren't the best ones. The IDSes that won weren't the best ones. Because the buyers couldn't tell the difference."
[[xref:http://www.cso.com.au/article/406999/commbank_cio_slams_idiotic_regulations/|Commonwealth Bank of Australia CIO Michael Harte]] discussed the revolution in financial services and the challenges ahead for information security. "Personal data is the new oil."
"Customers want to retain control of their data and they want to know where their data is and what purposes we're putting it to. They want to believe that there's much greater transparency in the relationship."
"I'd make one request of this industry that you figure out a way to ensure that we have comments and real security for the cloud."
"We spend more money protecting our internal assets from our staff than we do protecting our assets from Russians and Brazilians that want to come and steal the money."
"We want to be open and participate in this network; the large glowing constellations are the organisations like Amazon and eBay and Apple and Google. They are, in fact, operating as financial service corporations. They know more about you now than your doctor, than your financial planner, than your tax attorney."
In between sessions, guests had the opportunity to network with the speakers, as well as among themselves and visit exhibitors from various security vendors.
John Stewart, Vice President and CSO at Cisco spoke about "righting yesterday's security wrongs" and the lessons he has learned over the last 25 years in the industry.
"If people don't believe that they are being observed, it's quite possible they are going to behave a little bit worse than if they actually believe that they are being observed."
"I happen to think we're addicted to technology in this industry, which is okay, but it's something to be mindful of because if that's one of the lessons we created, we're going to continue to create this problem."
"I would offer up that in the industry, for the most part, for 20 years, we have created asymmetrical problems. A USB thumb drive can actually take out the computer security infrastructure ... all of a sudden that tiny little $2.99 item has threatened national security. Now that's a problem right there. If you spend all that money and $3 is all it takes (to own you), something is wrong."
Marcus Ranum, CSO at Tenable Network Security, told attendees "It's not the cyberwar, stupid!"
"The issue with computer security is, if you're concerned about security just don't be so friction' stupid with your data. Don't run crappy software, don't use toy operating systems, don't use badly administered systems and look at your logs."
During the panel discussion, the issue of trust was raised, with Marcus confessing "I must be some kind of a nut or something because I do all of my banking at a small local bank because I know the people who are at the bank and I'll kick the crap out of them if they screw up my money. I really try to avoid doing business with organisations that are so big that they can blow me off and that's why I don't bank with a large bank, because I actually can go to my small bank and go to the bank manager and say 'I'm pulling my money out because blah' - try doing that with Citi. I don't think it really makes any sense to trust an organisation where there is no face that you can punch in."
Lumension Security and Forensics Analyst Paul Henry presented on evolving threats and practical endpoint security strategies.
"As soon as we started doing our banking transactions on our iPhones and our Androids, all bets were off. Bad guys are absolutely targeting them today. If you use an Android smartphone, you are 2.5 times more likely to run into malicious websites than you were just six months ago."
Google's Chief Technology Advocate, Michael Jones, wrapped up the presentations for the day, speaking about the Isolation of Insecurity in which he shared the company's perspective on the tension between togetherness and security, and his views as a futurist.
He stated that "the question of computer security is sort of a false question in the sense that life isn't secure" and "you have to find a way to live a measured life where you're comfortable with the risk you take, which means you're happy or at least satisfied with an understood level of insecurity."
He illustrated this point with the statistic that "over the last twelve years, one billion people have gone from being offline to online" which was a total change for computer security and brought with it some "safe sex-type issues about computers" because "before that it was always grown up people who used computers, reasonable people, appropriately qualified people, people who read instruction manuals."
"But now it's everybody so it's different. The character of computing in general has changed from an advanced, sophisticated adult - mature, educated kind of activity" to "this very different world of video games, cell phones, casual computing."
"It also changed very quickly," said Jones, citing Google Earth's growth to one billion users in twelve years as an example, and noting that, unlike physical products, electronic products can be distributed instantaneously. But this still only applies to 22 per cent of humans; 78 per cent of people don't have access to a computer or the internet. He estimates that by 2050, people will have 100 per cent access from birth.
Data breach disclosure laws were a hot topic on the panel, with Benn Dullard voicing the question "In Australia we don't have any data breach disclosure laws, so would data breach disclosure laws help to improve security or do they just penalise the victims?"
Paul Henry exclaimed, "With no data breach disclosure laws, you have no reported data breaches, so obviously you're doing something right!" to which came the response "If it wasn't reported, it didn't happen!"
Bruce Schneier offered his opinion:
"It doesn't just blame the victims, it blames the people who did the bad thing."
"One [purpose of breach disclosure laws] is to give us data, because before the laws we had no idea how bad things were; actually we knew but we couldn't convince anybody. Now we have data, we can wave it in front of lawmakers and policymakers and say 'look how bad this is'. The other thing it's supposed to do is embarrass the company that lost the data to a point where it becomes cheaper for them to improve their security.
Public ridicule as a way to increase the cost of having bad security. Now in the US when this law was passed it worked great. The first companies that had to disclose breaches were vilified in the press and they were all embarrassed and their stock price went down. It was a good lesson. Now that effect has been mitigated as you get more and more of these. When these come out three times a week, they are no longer news stories, and that public ridicule just doesn't hold up because we're not that good at ridiculing someone three times a week - we have better things to do.
So the breach disclosure laws are good, I'm in favour of them, but their effectiveness, certainly in the US, has diminished over the course of their use because it just happens too many times and the public get inured to them."
When asked what the audience can do about the internet filter that our government is planning to introduce into the Australian environment, Michael Jones said "Here's what I have said and what Google has said to the particular politician in question and to all who are soul mates with him - it doesn't work. It's not that you shouldn't do it or you should do it, or a freedom argument, it's just that simple: like people in this room know, making a new domain name, a new URL, in an automated way takes a 10th of a second.
So I can make them faster than you can put them on your list. I can make a new one for everybody I want to sell my Viagra to or my child porn or whatever it is, legal or illegal, things that I'm doing. Blocking URLs is a foolish and pointless way to do it.
You're Australian, you're in the security business, why don't you tell them? Say 'it just doesn't make sense. We, this organisation, AISA, says this won't work. We're security people, this won't work, do something different.'"
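The arithmetic behind Jones's objection is easy to make concrete. The following toy is an added example for this write-up, not code from Google or from any filtering scheme: a static blocklist that matches on exact URL or on registered domain, and an adversary that derives a fresh hostname per victim from a seed and a counter (the same pattern as a domain-generation algorithm, hashed rather than random so the run is reproducible). The defender in the simulation is generous, adding every hostname it saw in the previous round; the attacker never reuses one. All hostnames and URLs are constructed for the demo under the reserved `.example` TLD and refer to nothing real.

```python
"""Why a reactive URL blocklist cannot keep up with minted hostnames.

Added illustration, not the article's or Google's code. Hostnames are
constructed (sha256 of seed||counter under the reserved ".example" TLD).
"""
import hashlib
from urllib.parse import urlsplit


class UrlBlocklist:
    """Static filter of the kind a mandatory scheme would distribute:
    exact-URL rules plus domain rules that also cover subdomains."""

    def __init__(self, urls=(), domains=()):
        self.urls = set(urls)
        self.domains = set(domains)

    def is_blocked(self, url: str) -> bool:
        host = urlsplit(url).hostname or ""
        if url in self.urls:
            return True
        # "bad.example" also blocks "cdn.bad.example" but not "bad.example.org"
        return any(host == d or host.endswith("." + d) for d in self.domains)


def mint_hostname(seed: bytes, i: int, tld: str = "example") -> str:
    """Derive the i-th hostname from a seed: cheap, deterministic, unbounded.
    Attacker and reader can both reproduce it; the filter operator cannot
    predict it without the seed."""
    digest = hashlib.sha256(seed + i.to_bytes(4, "big")).hexdigest()
    return f"{digest[:12]}.{tld}"


def simulate(rounds: int, per_round: int, seed: bytes):
    """Each round the attacker serves `per_round` URLs on never-before-seen
    hostnames; after the round the defender adds every hostname it observed.
    Returns (blocked, total, blocklist) so the outcome can be inspected."""
    blocklist = UrlBlocklist()
    blocked = total = counter = 0
    for _ in range(rounds):
        batch = [f"http://{mint_hostname(seed, counter + j)}/buy"
                 for j in range(per_round)]
        counter += per_round
        for url in batch:
            total += 1
            if blocklist.is_blocked(url):
                blocked += 1
        # Reactive update: the list only ever contains last round's hosts.
        blocklist.domains.update(urlsplit(u).hostname for u in batch)
    return blocked, total, blocklist


if __name__ == "__main__":
    blocked, total, bl = simulate(rounds=5, per_round=100, seed=b"demo-seed")
    print(f"blocked {blocked} of {total} fresh URLs; list now holds "
          f"{len(bl.domains)} stale hostnames")
    # A host the attacker already abandoned is, of course, blocked now.
    print(bl.is_blocked(f"http://{mint_hostname(b'demo-seed', 0)}/buy"))
```

The filter only ever catches hostnames the attacker has already abandoned; every live URL passes, and the list grows without bound. Widening the rule to the whole `.example` TLD would block the minted hosts but also every legitimate name under it, which is the collateral-damage trade-off that makes URL blocking a poor tool for this problem.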