
AusCERT 2014: Trusting Security – Conference Highlights


James Sankar, AARNet’s Director, Enterprise Services, reports

This year was very different from previous years because the traditional threat-factor focus shifted from localised issues to nation states, following the series of revelations from Edward Snowden. There were many talks at levels ranging from technical to governance, and the highlights here only relate to the sessions I attended. Therefore, this summary is by no means a complete representation of all the topics covered during the conference.

State of the nation for security

  • Attacks continue to be more sophisticated and targeted. More examples are being identified and monitored within Australia as a result of greater awareness via global law enforcement cooperation, especially where custom cloud services are being used for and to attack.
  • Predominant incentives for criminal behavior are financial gain or unfair competitive advantage, either by acquiring intellectual property or access to market sensitive information, or to disrupt operations and incur operational and reputational losses.
  • Security concerns highlighted were not solely restricted to technology. As we become more connected (over 1/3 of humanity is now on the Internet), the opportunity cost and access effort has decreased whilst the opportunity to impact has risen.
  • At the same time, the ARPANET design has consolidated to a fraction of solutions, somewhat commoditised to UDP/TCP and Windows/UNIX across HTTP/HTTPS and a small subset of protocols.
  • The open rules environment of standards committees and Request for Comments standards has increased the opportunity to use well-known systems differently and/or to exploit lesser-known protocols and ports, firmware and hardware abstractions to bypass cryptography altogether, without violating the encryption or vendor security systems at all.
  • Design by committee on technical standards, which feed into Government mandates based on committee compromise designs, exacerbates the opportunity for exploitation further, with or without access to data and compute power.

The new world order: expect to be compromised

The world today is an online environment where we must assume we will be compromised. Instead of focusing on infrastructure hardening, we need to explore other layers of the stack, such as:

  • Enterprise Integration of Identity Management,
  • Event Support,
  • Logs,
  • the use of standard naming conventions,
  • choice of poor default and recognisable passwords,
  • and ineffective policy setting.

Recognise risk tolerance

Organisations also need to know who should have access to what data, and to communicate to the CIO what the critical data is, or which business-critical event depends on securing that data, so that the CIO can divert resources appropriately, not after an incident.

Institutions need to recognize their risk tolerance and make smart decisions on security investment, to outsource or partner with experts under suitable clearance and non-disclosure provisions to lower the reputational risk profile.

Balance protecting disclosure with the benefits of access

Protecting disclosure needs to be balanced with the benefits of access to a trusted community that shares incidents and resolution approaches, to improve awareness and best practice without attribution.

An example of such a community is the National Cyber-Forensics & Training Alliance (http://www.ncfta.net/). However, in order to remain a member you have to commit to active participation at quarterly peer group meetings, two-way collaboration and cooperation, the sharing of intelligence via technology-enhanced methods, and participation in the strategic and technical development of listed initiatives, and agree to the non-disclosure of shared information outside of your own organization to the group.

Social engineering of systems

The community noted the use of social engineering of systems themselves as a target attack opportunity. All this means that a multi-faceted approach to security is required. Institutions must determine the likely threat actors and scenarios in their own industry vertical, understand their institution-specific threats and asset values, and then bring these together into a plan for investment in enhancing technology, people (education) and processes at work, at home or when travelling overseas.

It’s all about risk mitigation

At a board level this is all about risk mitigation: applying suitable responses to the highest risk impacts and likelihoods for the institution, its stakeholders and even the supply chain that you or they depend on.

A role for gamification

Dr. James Fox gave an excellent talk on motivation and how to utilize gamification to deliver progress and feedback, with the belief that companies will need to adopt it in order to attract and progress through such mechanisms. However, the purpose and impact on individuals remains in the balance between positive and negative outcomes.

New code audit approach to improve online ecosystem

Dan Klein also shared facts showing that the same errors in code and systems continue to deliver vulnerabilities and exploits, but on a bigger scale than in the past. He advocates a new approach to code audit, review and checking to proactively improve our online ecosystem. Big Data offers lots of advances to benefit from; however, incentives for the good guys and more disclosures security and privacy risks will continue and grow.
