IT2Trust Security Summit at Brøndby Stadium

posted Nov 13, 2013, 11:39 AM by Niels Jensen   [ updated Nov 22, 2013, 6:23 AM ]
Today Niels attended the IT2Trust Security Summit at Brøndby Stadium. It was hosted in the Klub Europa Lounge on the second floor and featured some good presentations in three tracks. Hence it was not possible to attend everything. The summit title was "IT-security from a higher perspective".

Due to the late arrival of some speakers the event started a bit late, but one of the IT2Trust owners cut his opening remarks short, so the sessions could start on time. I first heard David Jacoby - a security researcher at Kaspersky Labs - talk about the social aspect of security. He first showed a funny series of pictures about how IT security normally works - everyone seemed to agree with that message. Then he shared with us the results of two experiments he had performed in his native Sweden.

The first experiment involved pretending to be a businessman who had lost his papers, but was fortunate enough to have copies on a USB stick. In this experiment David visited 3 hotels, 6 government / municipal institutions and 2 private companies, asking if they could print him copies of his papers from the USB stick. The USB stick only contained David's CV as a PDF file, but you probably know about the many exploits using weaknesses in Adobe's widely used reader. At 2 of the 3 hotels the reception actually refused to help. The same happened at 2 of the government / municipal institutions and at 1 of the private companies. The third hotel, two of the government / municipal institutions and the other private company would print the file if David just e-mailed it to them. One just hopes their AV and security are up to date.

In the second experiment David teamed up with Outpost24, and got permission from the IT manager at an important government institution to attempt to break their security. Within 3 minutes he was in the building by walking through the door with his phone to his ear saying loudly "Yes, I just got in. I will be with you in a minute" when someone else walked out of the building. After 10 minutes David had installed a Raspberry Pi as a backdoor on an unprotected router in a 1st floor printer room. After 30 minutes he had AD access thanks to a friendly employee, who clearly wanted to help this guy from IT, who was attempting to fix a network problem.

How helpful are your employees to people asking for a little help? Unfortunately David did not exploit process plant or nuclear power plant facilities. I just wonder how much more secure they would be?

Later I heard SafeNet talk about their ProtectV hardware encryption in your physical or virtual data-center or in the cloud. Apparently their system works by having your encryption keys located physically in your data-center, but storing your encrypted data anywhere. This sounds much like the SpiderOak solution, where data are encrypted on your computer with your key, which never leaves your computer, and then pushed to SpiderOak servers. However, I couldn't help thinking about storage of historical data from process plants. Instead of storing data older than a week, which would probably not be needed in any incident investigation, such older data could be stored encrypted indefinitely on e.g. Amazon EC2. This would make it easier to share such data with analysts in the business department, engineers in the project department or even university researchers. It would require zero access to the DCS. I have heard that the hardware provided by Honeywell for storing such data is not cheap.

After a nice lunch overlooking the empty playing field I heard Swivel Secure talk about strong authentication. This involved a four-digit PIN code, just like you have for your bank card and/or credit card, and a 10 digit one-time random number from which you extracted the one-time key. The 10 digit number can be sent to your mobile phone or your login screen, since without your PIN it is useless. If your PIN is e.g. 1234, then your one-time token is the 1st, 2nd, 3rd and 4th digit of the 10 digit number - which is only used once. If you insist, then the 10 digit number can be generated by a token. To me the PINsafe solution from Swivel Secure appeared much easier to use than the current two-factor authentication systems.
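The extraction described above, as an added Python sketch that is not Swivel Secure's code or part of the original post. The names, the mapping of PIN digit 0 to the 10th position, and the choice to discard the 10 digit number after any attempt are assumptions of this sketch.

```python
import hmac
import re
import secrets

STRING_LENGTH = 10  # the 10 digit one-time number from the talk


def extract_otc(pin: str, security_string: str) -> str:
    """Return the digits of security_string at the positions named by the PIN."""
    if not re.fullmatch(r"[0-9]{10}", security_string):
        raise ValueError("security string must be exactly 10 digits")
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("PIN must be exactly 4 digits")
    # Assumption: PIN digit 0 selects the 10th position (the post only shows 1-4).
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


class OneTimeCodeVerifier:
    """Server side: issue a 10 digit string, accept the derived code once."""

    def __init__(self, pins):
        self._pins = dict(pins)  # user -> PIN; plain dict only for this demo
        self._pending = {}       # user -> outstanding security string

    def issue(self, user: str) -> str:
        digits = "".join(str(secrets.randbelow(10)) for _ in range(STRING_LENGTH))
        self._pending[user] = digits  # replaces any older, unused string
        return digits

    def verify(self, user: str, submitted: str) -> bool:
        # pop() consumes the string on the first attempt, right or wrong,
        # so a captured code or a second guess cannot be replayed.
        digits = self._pending.pop(user, None)
        if digits is None or user not in self._pins:
            return False
        expected = extract_otc(self._pins[user], digits)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    server = OneTimeCodeVerifier({"alice": "1234"})  # constructed sample user
    challenge = server.issue("alice")
    code = extract_otc("1234", challenge)            # what the user types
    print(challenge, code, server.verify("alice", code), server.verify("alice", code))
```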

The last presentation of the day was from Bit9, which is a next generation security software provider - I hesitate to write AV-provider. The solution from Bit9, especially if deployed with FireEye, will automatically stop completely new malware that is unknown to the AV. Among the references of Bit9 was ExxonMobil. However, earlier this year KrebsOnSecurity reported that Bit9 had been hacked. So even their solution apparently has its limitations.