Wednesday, 29 October 2008

RSA Europe 2008 Review

RSA Europe is said to be the most comprehensive information security forum held in Europe, with world leading expert speakers from the information security industry discussing and debating the hottest topics in security.
It was great to see this year's conference being themed on British cryptographer Alan Turing. Turing was part of a team of code breakers working at Bletchley Park during World War II, who, in complete secrecy, quite literally saved thousands of lives by breaking encrypted messages. Today Bletchley Park is a museum open to the public, completely privately funded and yet a vital part of the security industry's heritage. So it was really good to see Alan Turing being highlighted by the event, but I will save my thoughts on Bletchley Park for another post, although I do urge anyone interested in general information security, cryptography or history who has the chance to visit Bletchley Park and/or donate to the cause.

For me the biggest highlight of the RSA Europe event this year was the Tuesday trio of keynote speakers. First up was Bruce Schneier, who spoke about The Future of Privacy.
I make no secret of the fact that I am a big Bruce Schneier fan. Each time I have the privilege to attend one of his talks or discussions, I am always left with at least one profound, thought-provoking or even view-changing moment which tends to stick with me, and the security guru's talk on privacy was no different. Bruce likened "data" to the industrial pollution of the information age, and rejected the "Security vs. Privacy" argument, citing the improvement in aircraft security since 9/11 as an example. He said we are simply safer on airplanes today because of two simple security improvements, namely locks on flight cockpit doors, and the fact that passengers are now inclined to fight back. All the new privacy-eroding, so-called security measures we have all come to accept at airports since 9/11 are not really a factor in improving security and safety. Bruce went on to describe the future of privacy, saying we live at a time where we can all see the thousands of cameras and ID checks as we go about our lives, but over the coming 5 to 10 years the cameras will get smaller and become invisible, while ID checks will occur in the background without our direct knowledge, thanks to technologies such as face recognition. Personally I have been debating the "Is privacy dead" issue, as famously coined by Scott McNealy (Sun) in the late nineties, with fellow security professionals for some time, but Bruce's view is that privacy can be and must be saved. Privacy protection requires much better laws, of the same kind which today prevent us from living in a police state. As we get to grips with the evolution of the information age, new laws should and must follow to protect everyone's privacy; we must think of it as a "Liberty versus Control" argument rather than "Privacy vs. Security".
Bruce concluded by challenging everyone in the auditorium not to blur Privacy and Security, saying it is our responsibility as security professionals to safeguard privacy, and that generations from now, history will judge whether or not we were successful at this unique early juncture in the information age.

Bruce also announced his entry for a brand new hashing algorithm at the event, which I'll save talking about for another blog entry.

Next up on the podium was Ken Silva, the CTO of VeriSign, who painted a very interesting picture of the rapid expansion of the Internet, distributed denial of service attacks, and the ways VeriSign is tackling the rapidly increasing bandwidth demand that results from growth in both of these areas.

Ken highlighted that not only will huge pools of brand new Internet users be coming online from areas such as Africa and India over the coming years, but there will be an explosion in directly connected Internet devices requiring high and fast bandwidth. For example, Internet TVs are around the corner, which are basically TVs with an ethernet jack in the back as opposed to an aerial or satellite dish, and which will stream thousands of TV channels into the home from the Internet, while "Voice over IP" phones are expected to completely "take over" from traditional phone networks.

Ken produced some mind-blowing stats, stating there are around 1.5 billion Internet users at present, which is expected to grow to around 2 billion users by 2011. Contrast that with the security problem: there are around 300 million devices (PCs) attached to the Internet which have spyware/malware installed and operating. That's around 1 in 5 PCs, with around 150 million devices (and growing every day) running "bot" malware. A bot is an application controlled by cyber-criminals, which can be used to direct unmanageable volumes of Internet traffic at specific websites; this attack is known as a Distributed Denial of Service (DDoS) attack and can shut down and crash web sites.

Finally Hugh Thompson, Chief Security Strategist at People Security, lit up the auditorium with his “Hackernomics” talk.

Hugh unearthed the changing economics of cybercriminal attacks and our security defences, underlining the general theme of the shift in attacks from the network to the application layer. Hugh is a world-renowned figure in the world of application security, and I have to say I don't think I have come across a more entertaining security speaker. I briefly spoke with Hugh offline, and I intend to feature more of him and "Hackernomics" in a separate blog entry.

This year at RSA Europe there was an overall focus on the rising threat trends within web applications and on defending with good web application security. There were notable sessions by Fortify, who put together a professionally produced documentary film titled "The New Face of Cybercrime", while the "Blinded by Flash" presentation by HP opened up the application security issues within Flash applications, which have traditionally been hard to test for application security vulnerabilities. Again, I intend to feature the latest threats within web applications in a separate post in the coming days, as this post is getting rather long.

In all, RSA Europe was as billed, the premier infosec event in Europe, and on a personal level I found the event great for "networking", meeting up and discussing security with new people, and some old faces from around the globe, with equal enthusiasm and passion for information security.
