James Sankar, AARNet’s Director, Enterprise Services reports
This year was very different from previous years because the traditional threat-actor focus shifted from localised issues to nation states, following the series of revelations from Edward Snowden. There were many talks, ranging from technical to governance levels, and the highlights here relate only to the sessions I attended. Therefore, this summary is by no means a complete representation of all the topics covered during the conference.
The world today is an online environment where we must assume we will be compromised. Instead of focusing on infrastructure hardening we need to explore other layers of the stack, such as:
Organisations also need to know who should have access to which data, and to communicate to the CIO which data is critical, or which business-critical event depends on securing that data, so that the CIO can direct resources appropriately in advance rather than after an incident.
Institutions need to recognise their risk tolerance and make smart decisions on security investment, including whether to outsource or partner with experts under suitable clearance and non-disclosure provisions, to lower their reputational risk profile.
Protection against disclosure needs to be balanced against the benefits of access to a trusted community in which incidents and resolution approaches can be shared, without attribution, to improve awareness and best practice.
An example of such a community is the National Cyber-Forensics & Training Alliance (http://www.ncfta.net/); however, to remain a member you have to commit to active participation in quarterly peer group meetings, two-way collaboration and cooperation, the sharing of intelligence via technology-enhanced methods, participation in the strategic and technical development of listed initiatives, and agree not to disclose information shared with the group outside of your own organisation.
The community noted the use of social engineering against systems themselves as an attack opportunity. All this means that a multi-faceted approach to security is required. Institutions must determine the likely threat actors and scenarios in their own industry vertical, understand their institution-specific threats and asset values, and then bring these together into a plan for investment in enhancing technology, people (education) and processes, whether at work, at home or when travelling overseas.
At board level this is all about risk mitigation: applying suitable responses to the highest-risk impacts and likelihoods, for the institution, its stakeholders and even the supply chain that you or they depend on.
Dr. James Fox gave an excellent talk on motivation and how to use gamification to deliver progress and feedback, with the belief that companies will need to adopt such mechanisms in order to attract and progress their people. However, whether the purpose and impact on individuals turns out positive or negative remains in the balance.
Dan Klein also shared facts showing that the same errors in code and systems continue to deliver vulnerabilities and exploits, but on a bigger scale than in the past. He advocates a new approach to code audit, review and checking to proactively improve our online ecosystem. Big Data offers many advances to benefit from; however, incentives for the good guys are needed, and disclosures of security and privacy risks will continue and grow.