IT Conferences 2013
IT2Trust Security Summit
at Brøndby Stadium
Post date: Nov 13, 2013 7:39:43 PM
Today Niels attended the IT2Trust Security Summit at Brøndby Stadium. It was hosted in the Klub Europa Lounge on the second floor and featured some good presentations in three tracks. Hence it was not possible to attend everything. The summit title was "IT-security from a higher perspective".
Due to the late arrival of some speakers the event started a bit late, but one of the IT2Trust owners cut his opening remarks short, so the sessions could start on time. I first heard David Jacoby - a security researcher at Kaspersky Labs - talk about the social aspect of security. He first showed a funny series of pictures about how IT security normally works - everyone seemed to agree with that message. Then he shared with us the results of two experiments he had performed in his native Sweden. The first experiment involved pretending to be a business man, who had lost his papers, but was fortunate enough to have copies on a USB stick. In this experiment David visited 3 hotels, 6 government / municipal institutions and 2 private companies asking if they could print him copies of his papers from the USB stick. The USB stick only contained David's CV as a pdf-file, but you probably know about the many exploits using weaknesses in Adobe's widely used reader. At 2 of the 3 hotels the reception actually refused to help. The same happened at 2 of the government / municipal institutions and at 1 of the private companies. The third hotel, two of the government / municipal institutions and the other private company would print the file if David just e-mailed it to them. One just hopes their AV and security are up-to-date.

In the second experiment David teamed up with Outpost24, and got permission from the IT manager at an important government institution to attempt to break their security. Within 3 minutes he was in the building by walking through the door with his phone to his ear saying loudly "Yes, I just got in. I will be with you in a minute" when someone else walked out of the building. After 10 minutes David had installed a Raspberry Pi as a backdoor on an unprotected router in a 1st floor printer room. After 30 minutes he had AD access thanks to a friendly employee, who clearly wanted to help this guy from IT, who was attempting to fix a network problem.
How helpful are your employees to people asking for a little help? Unfortunately David did not test process plant or nuclear power plant facilities. I just wonder how much more secure they would be.
Later I heard SafeNet talk about their ProtectV hardware encryption in your physical or virtual data-center or in the cloud. Apparently their system works by having your encryption keys located physically in your data-center, but storing your encrypted data anywhere. This sounds much like the SpiderOak solution, where data are encrypted on your computer with your key, which never leaves your computer, and then pushed to SpiderOak servers. However, I couldn't help thinking about storing historical data from process plants. Instead, data older than a week, which would probably not be needed in any incident investigation, could be stored encrypted indefinitely on e.g. Amazon EC2. This would make it easier to share such data with analysts in the business department, engineers in the project department or even university researchers. It would require zero access to the DCS. I have heard that the hardware provided by Honeywell for storing such data is not cheap.
After a nice lunch overlooking the empty playing field I heard Swivel Secure talk about strong authentication. This involved a four digit pin code, just like you have for your bank card and/or credit card, and a 10 digit one time random number from which you extracted the one time key. The 10 digit number can be sent to your mobile phone or your login screen, since without your pin it is useless. If your pin is e.g. 1234, then your one time token is the 1st, 2nd, 3rd and 4th digit of the 10 digit number - which is only used once. If you insist, then the 10 digit number can be generated by a token. To me the PINsafe solution from Swivel Secure appeared much easier to use than the current two factor authentication systems.

The last presentation of the day was from Bit9, which is a next generation security software provider - I hesitate to write AV-provider. The solution from Bit9, especially if deployed with FireEye, will automatically stop completely new malware unknown to the AV. Among the references of Bit9 was ExxonMobil. However, earlier this year KrebsOnSecurity reported that Bit9 had been hacked. So even their solution apparently has its limitations.
IDC Cloud Computing 2013
Post date: Jun 13, 2013 7:45:55 PM
Safepark Consultancy is a company that makes extensive use of the cloud services provided by Google Apps. We are quite pleased with the many services provided by Google and how they support a small new company. However, today we attended IDC's one day conference in Copenhagen titled "Modernizing the Organization with Cloud and Converged Services" to learn how others are using the cloud to provide services.
Overall many of the presentations sounded much like the presentations about outsourcing, which we listened to more than five years ago, except that the word "cloud" was used instead of the word "outsourcing". This is only on the surface and as far as the issues one has to consider when using the cloud. Cloud is a tool to quickly pursue new business opportunities thanks to the quickness and ease of deployment of new services using e.g. the IBM SmartCloud, which you can try for free here.
The conference opened with a presentation by Anders Elbak from IDC, who used the NIST definition of cloud computing available here. Nick Hyner from Dell talked about a famous drink from Denmark, and the PocketCloud technology, which they acquired by buying Wise. You can get your own PocketCloud with 2 GB storage for free. NetApp talked about the importance of tying together the different types of clouds in a transparent manner.
However, what I really remember was Tim Waldron's story about a taxi driver in Munich. Some years ago the CEO of NetApp was in Munich and due to pouring rain needed a cab to drive him just 200 meters from the hotel to a meeting location. The driver did this with great courtesy in a rather old car. Once back in the office the CEO told his secretary that the company should use this driver's services as much as possible. Today, more than five years later, the taxi driver is the successful owner of a company with 8 Mercedes S-class cars and 44 employees. It all started by providing courteous service to a CEO. It is a small and wonderful world!
Rob McMahon explained the seven steps to become a successful cloud service broker: strategic plan, types of services, automate processes, SLA management, protection of services, assets management and risk assessment. Another speaker mentioned that the Danish company NNIT had successfully deployed a cloud in Denmark aimed at the pharmaceutical industry, and another that major international players appear interested in establishing facilities in Denmark. The conference was rounded off by two Danish companies explaining how they successfully deployed Microsoft's Office 365. As always in such cases I wonder why alternatives, such as Google Apps, were not considered? After all, the Danish media company Berlingske has successfully implemented Google Apps, and is currently exploring ways to increase revenue from its internet services.
At Safepark Consultancy we, just like Verizon, take a pragmatic approach to cloud services. Exactly what this means will become apparent throughout the rest of the year.