Tuesday, December 30, 2014

Alfidi Capital at Data Connectors San Francisco Tech Security Conference 2014

Data Connectors has a full schedule of tech security road shows across America.  I attended their Tech Security Conference this December when it rolled into San Francisco.  I had to get my fill of cyber defense knowledge while I filled up on free coffee.  My completely subjective reaction to the many highly qualified IT presenters will now follow.

The electronic recycling industry is seriously big business.  It gets bad press when some recyclers resell hardware without wiping hard drives.  That's how pirates access unencrypted personal data.  The best recyclers chop up every electronic component, recover metals, and process hard cases into plastic pellets.  The State of California Department of Toxic Substances Control (DTSC) knows all about processing hazardous e-waste.  Recyclers in this state must register with DTSC.  They should also apply OHSAS 18001 and the relevant ISO standards if they're serious about recycling.  Clearing and overwriting old hard disks are less complete safeguards than physical destruction.  I'll remember that the next time I turn in an obsolete laptop for recycling.

WiFi networks should have commonly available design templates.  Lack of such templates is one reason municipalities have been stymied in their efforts to create free WiFi infrastructure.  Wireless Networking in the Developing World has obvious solutions for countries that do not have to overcome legacy land line infrastructure.  The Network Startup Resource Center (NSRC) published a number of administrative guides for Internet architecture.  Public domain WiFi design is an under-resourced area in telecom.  More attention from open source designers would speed WiFi adoption.

Cyber security pros should talk more about being proactive.  Lockheed Martin's Cyber Kill Chain process is the best definition of how business intelligence fits into cyber security.  Brian Krebs' Spam Nation offers insights into unwanted emails as attack vectors.  Enterprises developing their own apps still leave them riddled with vulnerabilities for the sake of convenience.  They should change that approach before the huge amounts of bandwidth their apps require for sharing files and videos become attack vectors.

Experts on hand claimed the titles of CIO, CTO, and CISO are becoming interchangeable.  That is lamentable.  I say they should be distinct in an enterprise.  Come on, it's simple.  The CIO is the overall IT boss with the CTO, CISO, and Chief Data Officer (CDO) as direct reports.  The CTO's portfolio includes the IT infrastructure, SDLC, hardware LCM, and the lead effort on DevOps.  The CISO handles security for the network and devices.  The CDO develops the data supply chain and supports the CTO's DevOps.  I totally disagree with one speaker who claimed a CDO can replace a COO.  Really?  Maybe in some software firms, but not in the rest of the economy.

One person mentioned that poor data center architecture invites external threats.  NIST's Advanced Encryption Standard (AES) is at best a partial solution; data centers cannot ignore physical security.  Perimeter barriers and physical gaps are not scalable security measures in large organizations.  None of the speakers mentioned knowledge management (KM), but that drives security classification and network access privileges.  There is no one universal technology stack, but several baselines exist.  The open User-Managed Access (UMA) protocol is one way to manage access to parts of a stack, but IT people need a fuller understanding of that protocol's privacy implications.

Email retention policies can look to legal guidance that varies by sector.  California's email retention requirements are clear for its state government agencies but less clear for the private sector.  FINRA and the SEC have detailed guidance for data retention in the financial sector.  Once again, there is no universally applicable standard.  The EU invalidated its Data Retention Directive this year over privacy concerns.  I cannot locate any industry association source for a data retention standard.

Data loss prevention (DLP) requires data loss detection (DLD).  If you don't know something's gone, you won't know how to recover it.  The SANS Institute has a white paper on DLD and DLP open source tools; use their search function with those phrases for good info.  A Web search for "DNS vulnerability" brings up reports from the SEI CERT, IANA, and a few tech experts.  Prolexic's Quarterly Global DDoS Attack Report provides regular threat updates.  The IT community has learned to police itself against spoofing with the Open Resolver Project.  Plenty of thieves want to get their hands on enterprise data.

Collaboration opens up a whole new can of worms now that the cloud and BYOD are norms.  Cloud Security Alliance members should have some idea of how to use ISO 27001.  US-based multinational enterprises must also know ITAR and other US government export controls apply to their cloud services, as does FISMA if they do business with Uncle Sam.  The financial sector figured out collaboration long ago with its FIX protocol, so IT pros should check with the FIX Trading Community to watch information exchange done right.

The Ponemon Institute's annual Cost of Data Breach Study makes the IT community's case to CFOs for investments in network security.  Advanced persistent threats (APTs) have a defined life cycle that only a conscious actor can maintain.  NSS Labs and ICSA Labs do plenty of independent testing for platforms at risk of breach.  The Anti Virus Information Exchange Network (AVIEN) and the Anti-Phishing Working Group (APWG) share knowledge in the fight against cyber crime.

I have noticed that the "Ed Snowden look" of scraggly facial hair and wire rim glasses is popular among techies.  It's even in ads for tech sector companies.  Brogrammers can relate to that image but it may turn off women who want IT careers.  Getting more women - especially attractive ones - into cyber security would be a really great thing.  Attending these Tech Security Conferences is the place for them to start.  I'd be happy to escort them in myself, if you know what I mean.