Thursday, 20 March 2008

Security World 2008 - Final Summary

This is my final summary of Security World 2008 hosted in Hanoi, Vietnam. To read specific details of the two-day conference scroll down to previous entries (in fact it probably makes more sense if you start from the bottom and work your way up) - I hope you find the snippets of facts as informative as I did. Enjoy!
The general consensus from the experts and big ICT security companies is that just protecting networks from external threats is not enough. End-to-end security of data is the talk of the town along with the whole issue of "information leakage". In response the vendors are promoting their implementation of IPsec for data communication, NAC to verify workstations and deep stream packet inspection to stop web application hacks.
But also don't forget the small stuff: social engineering (getting employees to disclose sensitive info) and unsecured backdoors (e.g. unauthorised WiFi access points) can circumvent all this expensive technology.
One thing is for sure - evolving network usage and evolving threats will keep everyone concerned with ICT availability and security in business for the foreseeable future.

Finally I would like to thank Payap University, International College (Chiangmai, Thailand) for giving me the time away from teaching to attend this exciting conference.

by tobyonline

Security World 2008 - Afternoon Day 2

The final afternoon was taken up by an extended panel discussion - Strengthening Security Awareness and Deployment

The Chairman (Director of Vietnamese government department for IT) introduced the discussion by talking about protecting the financial and government systems and the challenges of ICT security to a rapidly growing infrastructure - one that until recently was isolated from the Internet.
The discussion started with the implementation of the law (in Vietnam) to be able to prosecute cybercrime, which is an ongoing process. This moved on to the implementation of international standards (ISO certification) for ICT systems and data security:
  • ISO27001 - a specification for an Information Security Management System and the controls that apply to different organisations.
  • ISO27002 - guidelines to setting security controls.
The discussion then focused on human resources in the ICT industry and education, where training is happening mainly overseas and talented people are snapped up by foreign companies.
Thomas Parenty talked about trust frameworks and the basic three steps:
  1. focus on business activity (what are the objectives)
  2. trust objectives (what must be true to complete these activities)
  3. create trust evidence (to make sure objectives are met)
There was talk about the need for a link between business needs and security implementation.
The discussion shifted to talk about The Common Criteria (CC) and how to implement this (the CC is a framework to specify security and testing) and FIPS (Federal Information Processing Standards).
A question was raised on how to convince the general public in the Asia-Pacific region to use legitimate software so that they can get security updates. It was acknowledged that unlicensed software did provide vulnerabilities to viruses, spyware and hackers. Craig Johnson from ESET (NOD32) talked about the need to have a sliding scale of pricing for different countries and the importance of educating the market.
Director of BKIS, Nguyen Tu Quang said the Vietnamese people are very dynamic and are great fighters and local security software can compete with overseas products. He mentioned how his company uses a local honeypot (target system to attract viruses) so that his local anti-virus is country specific.

The closing remarks were then given by Le Thanh Tam, the managing director of IDG Vietnam (the conference organisers), who gave a brief summary of the 23 presentations over the two days and thanked the contributors, sponsors and attendees.

by tobyonline

Wednesday, 19 March 2008

Photo from Security World 2008

Georg Krause - Founder and CEO of CE-Infosys gives the low-down on espionage and then introduces encryption solutions that sense the physical surrounding environment (touch, temp, x-rays etc.) and are tamper proof! - picture quality is poor because this is just my web cam.

Security World 2008 - Morning Day 2

This morning had a series of presentations on security systems with a theme of evolving threats.
We heard from Nortel how the network has traditionally been used for data sharing, transport and storage. However, many networks are now having to cope with the delivery of IP telephony (VoIP) and multimedia applications. This is a new challenge as it is harder to secure with traditional firewalls and as Georg Krause (CE-Infosys) pointed out, is a blessing to spies; they only need to monitor one network, and the voice data is already digitised.
One recommended practice is to create virtual LANs and segregate the data from the voice/multimedia component to provide security and network availability. The general consensus during this conference is that data encryption is vital, even within the trusted zone of a network. Sukhdev Singh from IBM ISS outlined the three generations of security threats (1 viruses, 2 spyware & bots, 3 rootkits, phishing & targeted attacks) and highlighted the fact that most companies' security only addresses the first two generations. He then proceeded to scare the pants off everyone by highlighting the increasing use of embedded OSes (Windows and Linux) in vending machines, elevators, medical instruments and multi-function laser printers and then gave a case study of how an entire network was brought down by a snack vending machine!

by tobyonline

Security World 2008 - Afternoon Day 1

The highlights of the afternoon session of Day 1 were Vilaiporn Taweelappontong from PricewaterhouseCoopers, Bangkok giving her summary of the six different types of penetration testing (white-hat hacking) that can be used to test and then exploit the vulnerabilities of a network. She covered best practice and objectives of penetration testing, and cleverly advertised PwC's technology auditing services to boot.
This was followed by Joseph Chung from Citrix who continued on the theme of vulnerability of web apps.
We all know that web applications are becoming increasingly popular, but ironically they are the easiest to exploit (as mentioned by Vilaiporn) where standard network firewalls don't provide adequate protection. He gave a detailed summary of the main web app exploits, including cross-site scripting and SQL injection - and proceeded to introduce the need for application firewalls (from Citrix, no less) that can dynamically learn and protect custom-built web applications.
There were also some interesting observations from ESET about user education being a major force in the fight against cyber crime.

by tobyonline

Security World 2008 - Morning Day 1

This morning we heard from ten speakers on topics ranging from anti-virus to digital security CCTV. Nicholas Vreugdenhil from Nortel spoke about their vision to secure the "Hyperconnected Enterprise" - the new term to describe LAN, wireless, mobile phone and internet technologies that are now meshed together to provide an organisation's IT network/applications. They espouse a four layer model to secure: access, communications, perimeter networks and core systems - using their portfolio of hardware/software systems.
Another interesting presentation was by Thomas Parenty (Hill & Associates) about best practice for business information system security. He highlighted how the emphasis in security has moved away from the system level (securing computers, servers and LANs) to the information level (data, access and communications). This is due to the collaborative nature of shared resources between partner organisations, contractors etc. He gave a number of case studies and ended with a similar message to the Nortel guy with the following recommendations: Protect the perimeter, Control information security, Control information use.

This afternoon promises penetration testing, critical web apps and secure banking... ps the coffee worked!

by tobyonline

Tuesday, 18 March 2008

Security World 2008 Opening Session

So why are all these big IT security companies descending on Hanoi, Vietnam for the next couple of days?
www.securityworld.com.vn
The opening remarks and the first keynote by various government ministers show how seriously Vietnam considers ICT security. Vietnam is a booming economy and the number of computer users and websites has literally exploded since 2003. Unfortunately this has also resulted in a corresponding increase in viruses, hacked websites (347 major sites hacked in Vietnam in 2007), malware, rootkits and phishing attacks.
Network security is playing a game of catch-up, probably more so here than in many other countries (due to the economic boom) with many new users and businesses who have little idea about online security.
Therefore the government and the financial sector are desperate to increase security (the attacks allegedly coming mainly from China) and the big security firms are here to provide their expertise and carve a place in this profitable niche market.
All reports and graphs I've seen so far show increases in computer systems users, internet access, websites and ATTACKS!

by tobyonline

Security World 2008

It's only 8am and I'm already exhausted. No, it's not because the Security World 2008 conference here in Hanoi is so fast paced (even though the schedule does make my head spin!). It's because the AirAsia flight from Bangkok was delayed by over five hours. I didn't get to my hotel until 2am this morning.
But despite the lack of sleep I'm excited by the prospect of the next couple of days. The conference is sponsored by Nortel, Hitachi, Symantec and includes some presentations by Cisco, Infosys, IBM, Microsoft just to name a few of the bigger players.
I'll be blogging at regular intervals over the next two days as long as my battery holds out, and updating what I think are the more interesting presentations and points from Security World 2008.
by tobyonline

Wednesday, 12 March 2008

Web Security

A recent article of mine for WebGuruGuide about web site security and basic design principles.
...or read more of tobsblog at tobyonline.co.uk