This year's Information Security Forum (ISF) World Congress was held in Chicago, Illinois, and Fujitsu's James Gosnold was in attendance for SC Magazine.
The first day of the three-day event began with BBC royal and diplomatic correspondent Nicholas Witchell introducing former Nasa flight director Gene Kranz, who gave a powerful presentation entitled 'Failure is not an option' (the same name as his book) based on his experiences leading up to and then directing the Apollo 13 mission to the Moon.
Several parallels could be drawn between how Kranz worked through the issues to bring the crew of the Apollo 13 spacecraft safely back to Earth and the management of a security incident or crisis: leadership, making difficult decisions based on solid data, and having a strong team in place underpinned by a strong trust ethic.
Kranz said that he believed the modern world is too risk averse, although he went on to say that risk should be controlled and well tested. He also has a strong grasp of modern technologies, having gone on to become a director at Nasa, which had the largest software inventory in the US outside of federal government.
Running one of the breakout sessions was Dr Geraint Price of Royal Holloway University, on the latest developments in cyber security. Royal Holloway has been engaged in a 'Cyber Security Club' since 2011, which includes well-known members of government, academia and industry. The club predicted that in six to eight months a whitepaper on cyber security will be released. Price also introduced the VOME project, which is bringing together academics and practitioners across many disciplines and is aiming to raise privacy awareness amongst the general public.
One point Price made was about the 'decline of reputational impact': as more organisations ride out well-publicised data breaches with only a short-term impact, reputational damage is becoming less of a justification for an increased security budget.
After a panel discussion on 'The role of government in security cyber space', held under the Chatham House rule, Bobby Singh from the TD Bank Financial Group ran a breakout session on developing a security operations centre.
While the content was very detailed and comprehensive, I did wonder how many organisations actually have the resources to build a security operations centre to the specifications described by Singh. If one did, though, there were some good pointers here and aspects to consider, such as: should the SOC and NOC be separate? Is the scope nailed down? Will it be a governance or an operational function?
The final session of the day that I attended was facilitated by consultants from PwC and presented a case study of how they used the ISF's 'Standard of Good Practice' first to drive out requirements and then to design a security architecture for one of their customers.
The second day of the Congress opened with a presentation from Derek O'Halloran of the World Economic Forum (WEF) on 'The view from the C-suite'. This included an awareness video (called 'companies like yours') and some headlines from its research on the increasingly 'HyperConnected World', where it was explained that, with two billion connected people, more data will be produced in the next 12 months than in all of history. It was also estimated that there will be 50 billion connected devices by 2020.
O'Halloran put forward the view that human vulnerability is very much the main issue, but that it lies in the boardroom ("they don't get it"): security is still often under-funded. WEF survey results demonstrated that cyber security risk is the third most underestimated risk across all industries.
The WEF also saw very inconsistent survey results with many of the same boards ranking technology as a high risk and cyber security as a low risk.
Finally, the WEF will be releasing a document worth looking out for called 'Partnering for cyber resilience – Tools for the boardroom', which is intended to introduce some middle ground between C-level management and security staff.
The first breakout session I attended that day was given by Thomas Bernard from e-health Ontario, with magic tricks and a look at the lighter side of security. It certainly delivered that, with rope tricks being used to analogise challenges faced by security professionals.
Bernard is a big advocate of plain English in policies and risk documents, and he is also very experienced in incident management, stressing the value of getting all parties together once or twice a year and working through an incident, however painful. Bernard also added that "most significant incidents are caught by people, not by machines", which I thought a useful insight.
I delivered the second breakout session on 'Security monitoring on a budget', discussing how a set of very simple security information and event management (SIEM) reports, reviewed on a daily or weekly basis, could significantly improve the security posture of many organisations, especially those who found delivering a fully-fledged monitoring and alerting service very onerous and effectively gave up, leaving the SIEM, to all intents and purposes, to gather dust.
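To make the 'monitoring on a budget' idea concrete, here is an added example (it is not material from the session or from SC Magazine) of the kind of simple, human-read report the paragraph describes: three checks over authentication log lines that a security team could run each morning. The log format, the field names, the business hours and the thresholds are all assumptions chosen for the example, and the sample lines are constructed, not real data.

```python
"""Minimal 'security monitoring on a budget' report: a few simple checks over
authentication log lines, meant to be run daily or weekly and read by a person.
Added example, not code from the talk; the log format below is assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample lines (not real data). Assumed format:
# ISO timestamp, host, result (OK/FAIL), user=<name>, src=<ip>
SAMPLE_LOG = """\
2012-11-06T08:15:02 web1 OK user=alice src=10.0.0.5
2012-11-06T08:16:40 web1 FAIL user=root src=203.0.113.9
2012-11-06T08:16:41 web1 FAIL user=root src=203.0.113.9
2012-11-06T08:16:42 web1 FAIL user=admin src=203.0.113.9
2012-11-06T08:16:43 web1 FAIL user=oracle src=203.0.113.9
2012-11-06T08:16:44 web1 FAIL user=test src=203.0.113.9
2012-11-06T08:16:50 web1 OK user=admin src=203.0.113.9
2012-11-06T12:30:00 db1 OK user=bob src=10.0.0.7
2012-11-07T02:05:11 db1 OK user=alice src=10.0.0.5
2012-11-07T09:00:00 db1 FAIL user=bob src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) user=(\S+) src=(\S+)$")
FAIL_THRESHOLD = 5                           # assumed: failures per source before reporting
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed; tune per organisation


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a fuller report would also count unparsed lines
        ts, host, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "result": result, "user": user, "src": src})
    return events


def failed_login_sources(events, threshold=FAIL_THRESHOLD):
    """Sources with at least `threshold` failed logins in the period."""
    counts = Counter(e["src"] for e in events if e["result"] == "FAIL")
    return {src: n for src, n in counts.items() if n >= threshold}


def success_after_failures(events, min_failures=3):
    """Sources that logged in successfully after repeated failures: the
    'guessing that eventually worked' pattern a person should look at."""
    fails = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAIL":
            fails[e["src"]] += 1
        elif fails[e["src"]] >= min_failures:
            hits.append((e["src"], e["user"], e["ts"].isoformat()))
            fails[e["src"]] = 0
    return hits


def out_of_hours_logins(events, hours=BUSINESS_HOURS):
    """Successful logins outside the assumed business hours."""
    start, end = hours
    return [(e["user"], e["host"], e["ts"].isoformat())
            for e in events
            if e["result"] == "OK" and not (start <= e["ts"].time() <= end)]


def daily_report(text):
    """The whole report as a dict, so it can be printed, e-mailed or tested."""
    events = parse_log(text)
    return {
        "events": len(events),
        "failed_login_sources": failed_login_sources(events),
        "success_after_failures": success_after_failures(events),
        "out_of_hours_logins": out_of_hours_logins(events),
    }


if __name__ == "__main__":
    for section, rows in daily_report(SAMPLE_LOG).items():
        print(f"== {section}: {rows}")
```

None of these checks needs real-time alerting or tuning of correlation rules; each produces a short list that an analyst can read in a few minutes, which is the whole point of the budget approach. On the sample data the report flags one source for repeated failures, one successful login from that source after the failures, and one successful login in the early hours.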
Public key infrastructure inventor Dr Whitfield Diffie gave the second day's closing keynote on 'Possible futures in information security'. While very speculative, Diffie's first point was that the internet would not have been so successful had it been heavily secured at the outset in the 1960s.
Colourful soundbites aplenty such as 'society needs crime (and has always needed crime) therefore the internet must also need crime' and 'the move of society online is comparable to the move of society into cities 5,000-7,000 years ago (i.e. the significance is comparable)' made for an entertaining hour.
Diffie's opinion is that "the (current) security status of everything but cryptography is rotten", and he cited key management, operating systems and protocols as examples. Other problem areas that we (the security industry) are not good at are specifying what we want and writing good code, acknowledging that not all code can be the best code (and confining it), a problem that has been unsolved for 50 years. He summed this up by saying "we still don't know how to program".
On the future, Diffie felt that the cloud uptake would increase the dependence of small players on large. Diffie is also looking to homomorphic encryption as the possible silver bullet for cloud computing, although he commented that it is slow and lends itself more to confidentiality than authenticity.
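Diffie's remark that homomorphic encryption lends itself to confidentiality rather than authenticity can be seen directly in a small additively homomorphic scheme. The following is an added example, not from the keynote: a toy Paillier cryptosystem in which anyone with the public key can add two hidden values together, which is the useful property, but can equally add any offset they like to a ciphertext without the private key, which is the authenticity problem. The primes are toy-sized assumptions for illustration only and give no real security.

```python
"""Toy Paillier cryptosystem (additively homomorphic). Added example, not from
the keynote. Parameters are tiny and NOT secure; they exist only to show the
confidentiality-versus-authenticity point."""
import secrets
from math import gcd


def _lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p=2357, q=2551):
    """Assumed toy primes; a real deployment uses primes of 1,024 bits or more."""
    n = p * q
    n2 = n * n
    lam = _lcm(p - 1, q - 1)
    g = n + 1                                  # standard simplification
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)  # inverse of L(g^lam mod n^2)
    return {"n": n, "g": g}, {"n": n, "lam": lam, "mu": mu}


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with fresh random r coprime to n."""
    n, g = pub["n"], pub["g"]
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, lam, mu = priv["n"], priv["lam"], priv["mu"]
    n2 = n * n
    x = pow(c, lam, n2)
    return ((x - 1) // n * mu) % n


def add_ciphertexts(pub, c1, c2):
    """Homomorphic addition: Dec(c1 * c2) = m1 + m2 mod n. This is what makes
    outsourced computation on encrypted data possible."""
    return (c1 * c2) % (pub["n"] ** 2)


def add_plaintext_without_key(pub, c, k):
    """The flip side: with only the public key, anyone can shift the hidden
    value by k. Nothing in the ciphertext lets the owner detect this, which is
    why such a scheme gives confidentiality but not authenticity on its own."""
    n2 = pub["n"] ** 2
    return (c * pow(pub["g"], k, n2)) % n2


if __name__ == "__main__":
    pub, priv = keygen()
    salary, bonus = 5000, 250
    total = add_ciphertexts(pub, encrypt(pub, salary), encrypt(pub, bonus))
    print("sum computed on ciphertexts:", decrypt(priv, total))
    tampered = add_plaintext_without_key(pub, encrypt(pub, salary), 1000)
    print("after tampering without the key:", decrypt(priv, tampered))
```

The mitigation in practice is the usual one: a homomorphic ciphertext that must not be altered needs a separate integrity mechanism, such as a MAC or signature over it held by a party who is trusted not to run the computation, because the malleability that enables the computation is the same property that defeats tamper detection.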
This led Diffie to discuss quantum computing, which would address the speed of homomorphic encryption, and just as well, since it will also destroy modern cryptography. Diffie then reminded the audience that quantum computing has been promised by physicists for over 20 years.
Into the third day, quantum computing continued with the first breakout session, presented on that subject by BT's Konstantinos Karagiannis, and how it will change security forever. This was essentially a 30-minute crash course in quantum physics, including the idea that particles "know when you are watching them and vanish". This particularly resonated with me.
Karagiannis told us about 'particle entanglement' and how it troubled Einstein, before explaining that keeping particles in a 'state of superposition' is the essence (and therefore the challenge) of quantum computing: qubits, unlike bits, can be in a state of zero, one or a superposition of both, which, on chalkboards anyway, will allow quantum computers to defeat even 2,048-bit encryption in minutes.
There is a big QC race going on at the moment, as nobody wants to be last. Significant recent developments in QC have seen the award of the Nobel prize to two scientists for proving a way to measure quantum particles without destroying them, and the launch of 'The Bell Labs of tomorrow', while the University of Waterloo opened its Quantum-Nano Centre earlier in the year. A company called D-Wave is also doing a lot of good work in this space.
The Congress closed with a keynote from Frank Abagnale, 'The original social engineer' (the film 'Catch me if you can' portrayed his life). He took the listeners through how he went from a 16-year-old lying about his age in order to command higher wages in manual jobs, to defrauding airlines and banks to live a life way beyond his means, before being caught.