Conferences

AusCERT 2014: Trusting Security – Conference Highlights

Fields marked with an * are required

Subscribe to our newsletter

James SankarJames Sankar, AARNet’s Director, Enterprise Services reports

This year was very different from previous years because the traditional threat-factor focus shifted localised issues to nation states, following the series of revelations from Edward Snowden.  There were many talks at technical to governance levels and the highlights here only relate to the sessions I attended. Therefore, this summary is by no means a complete representation of all the topics covered during the conference.

 

State of the nation for security

  • Attacks continue to be more sophisticated and targeted, more examples are being identified and monitored within Australia as a result of greater awareness via global law enforcement cooperation, especially where custom cloud services are being used for and to attack.
  • Predominant incentives for criminal behavior are financial gain or unfair competitive advantage, either by acquiring intellectual property or access to market sensitive information, or to disrupt operations and incur operational and reputational losses.
  • Security concerns highlighted were not solely restricted to technology. As we become more connected (over 1/3 of humanity is now on the Internet), the opportunity cost and access effort has decreased whilst the opportunity to impact has risen.
  • At the same time ARPANET design has consolidated to a fraction of solutions commoditized somewhat to UDP/TCP and Windows/UNIX across http/https and a small subset of protocols.
  • The open rules environment of standards committees and Request for Comments standards has increased the opportunity to use well-known systems differently and/or exploit lesser-known protocols and ports, firmware and hardware abstractions to bypass cryptography altogether without violating the security encryption cryptography or vendor security systems at all.
  • Design by committee on technical standards that are feeding into Government mandates based on committee compromise designs and exacerbates the opportunity for exploitation further, with or without access to data and compute power.

The new world order: expect to be compromised

The world today is an online environment where we must assume we will be compromised.  Instead of focusing on infrastructure hardening we need to explore other layers of the stack, such as:

  • Enterprise Integration of Identity Management,
  • Event Support,
  • Logs,
  • the use of standard naming conventions,
  • choice of poor default and recognisable passwords,
  •  and ineffective policy setting.

Recognise risk tolerance

Organisations also need to know who should have access to what data and to communicate to the CIO what the critical data or business critical event that depends on securing that data is to enable the CIO to divert resources appropriately, not after an incident.

Institutions need to recognize their risk tolerance and make smart decisions on security investment, to outsource or partner with experts under suitable clearance and non-disclosure provisions to lower the reputational risk profile.

Balance protecting disclosure with the benefits of access

Protecting disclosure needs to balance with the benefits of access to a trusted community to share incidents and resolution approaches to improve awareness and best practice without attribution.

An example of such a community is National Cyber-Forensics & Training Alliance (http://www.ncfta.net/) however, you have to commit active participation at quarterly peer group meetings, two–way collaboration and cooperation, the sharing of intelligence via technology enhanced methods, participation in the strategic and technical development of listed initiatives and agree to the non-disclosure of shared information outside of your own organization to the group in order to remain a member.

Social engineering of systems

The community noted the use of social engineering of systems themselves as a target attack opportunity. All this means that a multi-faceted approach to security is required.  Institutions must determine likely threat actors and scenarios in your own industry vertical, to also understand your institutional specific threats and asset values and to then bring these together into a plan for investment on enhancing technology, people (education) and processes at work, home or when travelling overseas.

It’s all about risk mitigation

At a board level this is all about risk mitigation, by applying suitable responses to highest risk impacts and likelihoods, for both the institution, its stakeholders and even the supply chain that you or they are depend on.

A role for gamification

Dr. James Fox gave an excellent talk on motivation and how to utilize gamification to deliver progress and feedback with the belief that companies will need to adopt in order to attract and progress through such mechanisms. However, the purpose and impact on individuals remains in the balance on positive versus negative outcomes.

New code audit approach to improve online ecosystem

Dan Klein also shared facts for the same errors in code and systems that continue to deliver vulnerabilities and exploits, but on a bigger scale than in the past. He advocates a new approach to code audit, review and check to proactively improve our online ecosystem.  Big Data offers lots of advances to benefit from, however, incentives for the good guys and more disclosures security and privacy risks will continue and grow.

Further reading:

 

 

 


Related Stories

Conferences

Mar 28, 2017

AARNet attends Science Meets Parliament 2017

Three AARNet staff members were among around 200 members of the scientific community attending this year's annual Science Meets Parliament event (SmP2017) in Canberra on 21 and 22 March. The two-day gathering is hosted by peak body Science & Technology Australia (STA) and included a day of professional development, a...

Conferences / eResearch / GLAMs

Sep 16, 2016

Registrations are open for AARNet GLAMs workshop

Enabling Data Flow between HASS and GLAMs Workshop When: Friday 14 October Where: Pullman - Albert Park, Melbourne AARNet Presenters: Ingrid Mason. Deployment strategist (eResearch), Chris Myers. Solutions consultant (architecture and applications), Hilary Goodson. Strategic engagement (customer relations), Guido Aben. Director (eResearch) . We're holding a half-day Workshop will be held at the eResearch Australasia Conference...

Conferences / eResearch / Network

Sep 13, 2016

Registrations are now open for Science DMZ workshop

Registrations are now open for AARNet's Science DMZ workshop When: 10 October 2016, 9.30am to 4.30pm Where: Pullman - Albert Park, Melbourne Presenter: Chris Myers - Solutions consultant (architecture and applications) for AARNet. This is a pre-conference workshop for the eResearch Australasia Conference , on 10-14 October 2016. The workshop will give attendees an overview...