Monday, 15 October 2012

RSA Conference Europe 2012 Review

A conference is only as good as its speakers, specifically the speaker's subject matter expertise, presentation subject and presenting ability, in this the RSA Conference Europe succeeds where many others conferences fail miserably. The best InfoSec speakers do not regurgitate topics with arrogance, repeating empty messages to sell products and services. No, the best speakers converse with their fellow information security professionals at the same level, informing and exploring the latest and future issues that will matter to business. Speakers are not bound and gagged by their company sales and marketing reps, are free to share and open up new ideas, new thinking, new solutions, and so challenge thinking and generating discussion by security professionals and businesses influencers beyond the conference, which ultimately leads to improvements for society. Why? Because ultimately when businesses get information security wrong, it is everyone that ends up footing the impact, whether it is financial fraud or system blackouts.

You may call me an RSA Conference sycophant for my views, and rave about the amazing Black Hat, DEFCON and OWASP conferences, but as great as those conferences are, they only cover specific subjects, and not the whole field to which many information security professionals are confronting in their day to day roles.  And don't talk to me about any of the other ‘sales motivated’ IT security conferences, where speakers are practically sales people pedalling wares on the back of distorted views and misinformation.

It might be the Best Security Conference but it's not Perfect
I'm not a complete RSA Conference fan boy either, as the conference does need to evolve and improve in certain areas. The stand out is the conference’s perception as an "US Conference on tour", a view held by many European security professionals. Until the majority of the speakers speak with European accents, the conference can never truly feel like a European conference. This is important as there are some fundamental differences facing European Information Security professionals. In Europe privacy is strongly linked to information security, an EU citizen's right to privacy is increasingly being championed as an essential human right by EU politicians.  Rightly or wrongly human rights aren't regarded in quite the same way on the other side of the pond, hence death penalties, Guantanamo Bay and having your fingerprints taken like a criminal every time you visit. It is fair to say the US won’t be winning a Noble Peace prize any time soon.  Earlier this year the EU announced new privacy laws and regulations which will impact every European Information Security professional’s role in the next few years, yet there was very scant coverage of this at the conference this year.

2012 Conference Highlights
For those who didn't attend but are considering attending a future RSA Conference, here's a taste of my main highlights of the 2012 conference...

Wikipedia Founder Jimmy Wales

Taking time out of his honeymoon, the founder of Wikipedia, Jimmy Wales was 'the' keynote speaker at RSAC this year. The charismatic Jimmy did not fail to disappoint in entertaining, but his views with online freedom of information, was always going to be the stand out part of his talk, after his decision to take Wikipedia down for 24 hours in protest of a US bill. A bill in his words would have given the US government Chinese type censorship powers in controlling the Internet. The bill was dropped following the Wikipedia protest, which he was very proud of. Jimmy made it clear he was anti-piracy but said the called "snooping bill", SOPA, was just bad legislation. Jimmy's views can be summarised with his final words, "the biggest threat to online freedom of speech is bumbling regulators".

RSA Conference front man Hugh Thompson was in typical fine form, and as always one of the main highlights of the conference. Another entertaining speaker was Eddie Schwartz's (RSA CISO), particularly his flash presentation, which was very amusing even if you don't agree with his "privacy is dead" messaging. Eddie also presented an insightful talk about targeted user account hacking with real world examples.

Recognise the Hacked Football Club?

Joshua Corman is a star which continues to rise, posed the question whether information security professional weren't getting any better at security in Wednesday's keynote, in an industry challenging talk. I particularly liked it when he summarised one of the main problems of PCI DSS and security by saying, "businesses fear their QSA more than they do attackers". Joshua was also involved in a fascinating panel discussion on Anonymous along side Alex Empire, from the band Atari Teenage Riot, Parmy Olson, Anonymous Author, and Alan Woodward, Professor, Department of Computing, University of Surrey.

I saw a presentation by Bryan Sullivan (Microsoft & author of Ajax Security) on the latest application denial of service (DoS) attacks. With DoS coming back into fashion as a weapon used by hacktivists, Bryan focused on various the techniques and possibilities with application DoS. It was a highly technical talk which was right up my street.
Application DoS

Mitja Kolsek presentation on how to rob an online bank was an interesting one, although I wonder whether many banks today would be vulnerable to the types of attacks he outlined.
How to rob an online Bank!

Bruce Schneier, InfoSec's answer to Chuck Norris, talked about the psychology of trust within human society and how it relates to information security strategies. I have a confession to make, in that I broke out of the conference for a couple of hours on Thursday morning to listen to Bruce talk very frankly about cyber warfare, which was one of the best talks on the subject I've heard in a while, more on that in another post. But these kinds of things can happen at RSAC, you meet some very interesting folk which can result in some very interesting spin off discussions.

On Wednesday I saw an outstanding presentation by James Lyne of Sophos, who gave a lively talk about the maturing cybercrime business, showing how easily it is for anyone to buy cybercrime as a service, and demonstrating several attacks.

CrySyS Lab, the company which first detected and analysed the Duqu worm, presented a technical review of state sponsor malware, which included technical briefs on Flame, Stuxnet and Duqu.

Über Networking
Finally, arguably the best part of the RSA Conference is the networking. The conference provides a platform for both speakers and delegates to mix and discuss information security, debate and exchange ideas, and to have some good old fashioned fun. I met people I known in the industry for many years, and I made many new friends. This is always my biggest take home and main highlight from the conference.
 Great Networking at RSAC

RSA Conference Europe 2013 - Amsterdam
After six years of hosting in London, the RSA Conference Europe will be moving to Amsterdam in 2013, likely a decision based on engaging better with Europeans and putting more bums on seats. It is clear to me that a significant amount of delegates that attend the conference are from the European continent. But I do wonder whether some of my fellow UK rooted security professionals will be able persuade their bosses to send them to Amsterdam next year. I'll certainly intend to be there next year, heck I might even apply to present again.


Anonymous said...

Genuinely when someone doesn't know afterward its up to other people that they will help, so here it occurs.
Also see my webpage - museum of fine arts boston address

David K | ccie security said...

Thanks to the blogger. such post are necessary. Helps to get live updates on recent IT arena.