10-09-12 | Blog Post
Online Tech attended, exhibited and spoke at the 2012 SecureWorld Expo in Detroit, Michigan last week. Here’s a recap of some of the sessions:
Day 1:
Opening Keynote – Rick Moy: “Security Product Considerations”
Key objectives of evaluations include security/performance needs, fitting into enterprise (policies and procedures), as well as the efficient use of funds and resources. Moy stated that ‘it used to be assumed that hacking is hard, now access is presumed’, underlining some of the changes in perspective with regards to security. It was implied that this was due to all the different and new avenues that people give information: from phones and computers to geolocation on mobile devices and social media outlets. He also noted that most devices that are used to track (for example, a camera at a stoplight) weren’t supposed to be on the Internet, but now they are, making them even easier to exploit.
One of the biggest takeaways Moy was giving was the importance of testing. Testing for vulnerabilities, while it can take time, money, and manpower, is worth the cost compared to a data breach. Testing your products before they’re rolled out can also keep your reputation intact – something that could make or break a business. In regards to this testing, he also made a point to mention that people should still have a mind for older methods that are being used to exploit systems. Moy explains, “Criminals are lazy too…old methods are still being used, because if something old will work, why spend money and time on something new?” He noted that oftentimes it’s as simple as repackaging an old invasion and making it work, instead of starting from scratch.
Brian Balow and Tatiana Melnik: “Bring Your Own Device: Policy Drafting and Best Practices within the Legal Framework”
Tablets were introduced by Apple in 2010, and it took no time for them to seep into most aspects of our daily life, including work. There are some really good effects of BYOD, like the potential to cut costs, but there are also very specific security measures associated with them as well. Tatiana focused her talk on important points to think about when a company is deciding to implement a BYOD (Bring Your Own Device) environment. The policy put in place is essential in order to protect both the business and client rights. It’s important to identify some of the stakeholders in that policy: management, IT officers, IT staff, the legal department, as well as HR. Tatiana also explained that there are many other policies that tangentially affect BYOD:
Other things that are necessary to state in your policy are the supported devices, information about the reimbursement of costs, a list of approved applications, and what limitations the device itself can have (for instance, is it alright within your policy to have a device that has a camera on it?). There is also the question of who that policy pertains to, and the overwhelming answer was that it’s not just the employees. Interns, students, contractors and consultants should also be held to these policies, even if their interaction within a company is limited or unconventional.
Day 2:
Barbara Ciaramitaro: “Social Engineering Forensics”
This talk was focused on the different ways that a social engineer can try to get access into a company. It was broken up into many different groups:
Steve Aiello, Jake Gaitan and Kierk Sanderlin: “Industry Expert Panel: Network Security – Beyond Passwords and Firewalls”
The first question posed to the panel was whether or not they believed the firewall was dead. Everyone was pretty much in sync with the response that no, it was still alive and well. Kierk noted that the firewall used to be something of a moat – a thing of external security sitting outside the network. He believes that the firewall is going to be moved into the network. Steve agreed, adding “I think what we’re seeing is evolution, especially with virtualization, just moving it closer to the asset.”
Kierk also spoke about the next gen firewall: “Next gen policy is more about the actual user now. It’s asking ‘who is the user that’s on this network?’ and then leveraging next-gen features based on the answer.”
Another question for the panel was what they thought the best bang-for-their-buck security measure was currently. Jake’s focus was on standardization and implementation, more of a focus on process. Steve went on to speak about two-factor authentication and auditing. He asked the audience for a show of hands: how many people monitor successful logins? One to two people raised their hands. He explained, “Everyone tracks failed logins. I don’t care as much about failed logins. It means that things are working the way they should be. I care about the successful logins, when people actually get into the system.”
They were also asked about the progress of network security. Jake counted awareness of security as an essential part of this progress. Steve said that it has come a long way, and we’re going to see it mature a lot more. Kierk’s final note was to say that progress was showing itself to him by “Security having a seat at the table,” getting bigger budgets and more input within companies than before.
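As an added illustration of the auditing point made in that answer (this is example code written for this recap, not anything the panelists or Online Tech showed), the script below reads a handful of constructed OpenSSH-style auth log lines and, rather than counting failures, reviews each successful login against a per-user baseline of known source addresses and business hours, and also flags a success that arrives from an address that had just been failing. The log lines, the hostnames, the per-user baseline and the business-hours window are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log style (not taken from the page).
SAMPLE_LOG = """\
Oct  9 08:12:01 web1 sshd[2101]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
Oct  9 08:14:33 web1 sshd[2107]: Failed password for bob from 203.0.113.7 port 40011 ssh2
Oct  9 08:14:35 web1 sshd[2107]: Failed password for bob from 203.0.113.7 port 40011 ssh2
Oct  9 09:02:17 web1 sshd[2140]: Accepted password for bob from 10.0.5.30 port 51080 ssh2
Oct  9 23:41:09 web1 sshd[2299]: Accepted password for bob from 203.0.113.7 port 40120 ssh2
Oct 10 03:15:44 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.9 port 44310 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed per-user baseline of expected source addresses and an assumed
# business-hours window (07:00 to 18:59). Real deployments derive these from
# history or an asset inventory.
KNOWN_SOURCES = {"alice": {"10.0.5.12"}, "bob": {"10.0.5.30"}}
BUSINESS_HOURS = range(7, 19)


def parse_line(line):
    """Parse one sshd line into a dict, or return None for lines we do not recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["ts"].split()[-1].split(":")[0])
    return ev


def audit_successful_logins(log_text, known_sources=KNOWN_SOURCES,
                            business_hours=BUSINESS_HOURS):
    """Return (summary, findings).

    summary: per-user counts of accepted and failed logins.
    findings: successful logins that deserve a human look, with the reasons:
      - source address not in the user's baseline
      - outside business hours
      - preceded by failed attempts from the same address (a guess that landed)
    """
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0})
    recent_failures = defaultdict(int)  # (user, ip) -> failures since last success
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ip = ev["user"], ev["ip"]
        if ev["result"] == "Failed":
            summary[user]["failed"] += 1
            recent_failures[(user, ip)] += 1
            continue
        summary[user]["accepted"] += 1
        reasons = []
        if ip not in known_sources.get(user, set()):
            reasons.append("unknown source")
        if ev["hour"] not in business_hours:
            reasons.append("off-hours")
        if recent_failures.get((user, ip), 0) > 0:
            reasons.append(f"after {recent_failures[(user, ip)]} failures from same ip")
        recent_failures[(user, ip)] = 0  # the success resets the streak
        if reasons:
            findings.append({"ts": ev["ts"], "user": user, "ip": ip,
                             "method": ev["method"], "reasons": reasons})
    return dict(summary), findings


if __name__ == "__main__":
    summary, findings = audit_successful_logins(SAMPLE_LOG)
    for user, counts in summary.items():
        print(f"{user}: {counts['accepted']} accepted, {counts['failed']} failed")
    for f in findings:
        print(f"REVIEW {f['ts']} {f['user']} from {f['ip']} ({f['method']}): "
              + ", ".join(f["reasons"]))
```

The point of the design is the one Steve made: failed logins only feed the streak counter, while every accepted login is scored. On the constructed input, bob's 09:02 login from his usual address produces nothing, but his 23:41 login from the address that had just failed twice, and alice's 03:15 login from an unfamiliar address, both surface as findings.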
If you’re concerned with security and would like to learn more about technical, physical and administrative security measures your organization could take, visit the Secure Hosting section of our site.