In the diverse and fast-moving world of information security, it can be hard to get a firm grasp on the landscape of threats and challenges that face us. Depending on who you talk to, and what you read in the media, it’s possible to get wildly differing accounts of the state of the industry, and the malicious forces it does battle with every day.
Indeed, it can be easy to get carried away with some of the big stories that grab the headlines, which can easily make us paranoid. Should the threat of state-sponsored APTs keep us up at night? Will insecure BYO devices cause the downfall of civilization? Will vulnerabilities in Critical National Infrastructure allow our power and resources to be harnessed by international terrorists?
Perhaps it’s really spam emails promising free pizza that typifies the most common form of threat bombarding us from the dark side.
A good way to get the real picture, of course, is to talk to security professionals. An even better way is to get a lot of them under one roof with the promise of all-you-can-drink coffee, and a shedload of free sandwiches. That was (part of) the premise of yesterday’s IRISSCON 2014 – a day-long conference hosted in Dublin where a raft of leading industry figures from around the world took to the stage to impart their knowledge, share advice, and network with attendees afterwards.
IRISSCON’s packed itinerary promised back-to-back talks on everything from EC3’s fight against cyber-crime to the work of the Honeynet Project. The sheer range of subjects, ideas and technologies discussed was impressive – catering to the diverse make-up of the assembled audience.
The event was also a unique opportunity to learn more about the cyber-crime affecting Ireland. Brian Honan from IRISS-CERT (Irish Reporting and Information Security Service) announced a new partnership on the day between his organization and OpenDNS, the US provider of cloud-delivered security. Collaboration between the two groups will help in IRISS’s aim of protecting Irish businesses from malicious online activity, from malware to botnets. Indeed, Honan revealed that 2014 has seen a 12% rise in incidents affecting Irish organizations, with 75% motivated by organized crime.
Among the surprises from the rest of the day’s presentations were Gollum, magic tricks, and a wonderful analogy comparing the security industry to farm animals. Think less Animal Farm, more Babe the Sheep-pig. All joking aside, IRISSCON certainly delivered on its promise of presenting a range of different angles on the state of cyber-crime worldwide.
“Hacking has become an industry,” Robert Preedy of Cisco stated early in his presentation. This was reaffirmed later by McAfee's Raj Samani, who reminded all assembled that “information is the oil of the digital age.” The increasing industrialization of organized crime was a theme that pervaded many of the day’s speeches. Paul Gillen, Head of Cyber Operations, EC3, kicked things off with an analysis of Europol’s work in tackling illicit operations carried out on the Dark Web. Operation Onymous, a global law enforcement attack on TOR, had taken down between 30 and 50 illegal enterprises, he said.
Also discussed by several speakers was whether security professionals need to work on their human touch. “We need to focus on how we are communicating with people within an organization,” argued Sean Rooney of Integrity Solutions. “People are the weakest link – but we need to connect on a more human level.” Consultant Dr Jessica Barker suggested that “We need to engage people more and empower them more so they construct their own knowledge and want to change their behaviors.” Getting the security message across to non-IT specialists is a perennial challenge – but one that all professionals can relate to, it seems.
In addition, it’s clear from listening to many of IRISSCON’s presentations that we’re still struggling to safeguard against the basics. One Irish company lost €50k as a result of a phishing email in 2014, reported Brian Honan. Poor passwords, missing patches, vulnerabilities, out-of-date anti-virus software – all of these old favorites reared their ugly heads on the day. Honan put a lot of incidents down to a lack of monitoring. Indeed, the importance of log analysis was referenced by several speakers – and it sounds like this topic is only going to get hotter.
Finally, it wouldn’t be a security conference if we didn’t get to hear about the IoT. From the threat of data profiling that IoT might facilitate, discussed by UNICRI’s Francesca Bosco, to Raj Samani’s warning that “our supply chain is only going to get bigger,” it’s clear that security professionals are going to have a lot to combat in this emerging field.
One thing you’ll never get in this industry – or many for that matter – is total consensus. What conferences like IRISSCON do is drive home some crucial elements that should never be forgotten. The challenge of the infosec professional is not just safeguarding systems, but managing and responding to changing human behavior – as well as a technological landscape that manages to throw up new challenges faster than an already under-resourced industry can expect to deal with. As 2014 draws to a close, it’s only appropriate to reflect on what 2015, and beyond, will bring. Whatever it is, it’s certainly not going to be dull.