2012 Detroit SecureWorld Expo Recap

Posted 10.9.12 by wpadmin in Blog

Online Tech attended, exhibited and spoke at the 2012 SecureWorld Expo in Detroit, Michigan last week. Here’s a recap of some of the sessions:

Day 1:
Opening Keynote – Rick Moy: “Security Product Considerations”
Key objectives of evaluations include security/performance needs, fitting into the enterprise (policies and procedures), and the efficient use of funds and resources. Moy stated that ‘it used to be assumed that hacking is hard, now access is presumed’, underlining some of the changes in perspective with regard to security. He attributed this to all the different and new avenues through which people give out information: from phones and computers to geolocation on mobile devices and social media outlets. He also noted that many devices used to track (for example, a camera at a stoplight) were never meant to be on the Internet, but now they are, making them even easier to exploit.

One of Moy’s biggest takeaways was the importance of testing. Testing for vulnerabilities, while it takes time, money, and manpower, is worth the cost compared to a data breach. Testing your products before they’re rolled out can also keep your reputation intact – something that can make or break a business. With regard to this testing, he also made a point of mentioning that people should still keep older exploitation methods in mind. Moy explains, “Criminals are lazy too…old methods are still being used, because if something old will work, why spend money and time on something new?” He noted that oftentimes it’s as simple as repackaging an old attack and making it work, instead of starting from scratch.

Brian Balow and Tatiana Melnik: “Bring Your Own Device: Policy Drafting and Best Practices within the Legal Framework”
Tablets were introduced by Apple in 2010, and it took no time for them to seep into most aspects of our daily life, including work. BYOD has some real benefits, like the potential to cut costs, but it also brings its own specific security concerns. Tatiana focused her talk on the important points to think about when a company decides to implement a BYOD (Bring Your Own Device) environment. The policy put in place is essential in order to protect both the business and client rights. It’s important to identify the stakeholders in that policy: management, IT officers, IT staff, the legal department, and HR. Tatiana also explained that many other policies tangentially affect BYOD:

  • Acceptable Use Policies
  • Security Policies
  • Social media Policies
  • Remote Access Policies
  • Remote Working Policies
  • Incident Response Policies
  • Breach Notification Policies
  • Privacy Policies
  • Litigation Hold Policies

Other things that need to be stated in your policy are the supported devices, information about the reimbursement of costs, a list of approved applications, and what limitations the device itself can have (for instance, is it alright within your policy to have a device with a camera on it?). There is also the question of who the policy pertains to, and the overwhelming answer was that it’s not just employees. Interns, students, contractors and consultants should also be held to these policies, even if their interaction with the company is limited or unconventional.

Day 2:
Barbara Ciaramitaro: “Social Engineering Forensics”
This talk focused on the different ways a social engineer can try to gain access to a company. It was broken into several categories:

  • Telephone Attacks – This could be a social engineer (SE) calling and impersonating a help desk representative, or even a member of management. Ciaramitaro explains that this isn’t a difficult task as long as they can keep confidence in their voice, and oftentimes they will have done some reconnaissance that gives them data about the company, which helps validate their request to the person they’re speaking to.
  • Waste Management – Bluntly put: dumpster diving. This is a tool used by an SE to get more information about a company that can help them coerce a worker. One of the biggest reasons this is successful, says Ciaramitaro, is that people are lazy. She even gives an anecdote about her husband telling her he wasn’t properly disposing of his paper because it was inconvenient to walk all the way over to the correct repository. She also mentioned working somewhere and receiving an email from her employer stating that it was costing too much money to shred all the paperwork they were shredding, and to please only shred what was absolutely necessary. Laziness and inconvenience make it easy for the social engineer to find their way into a business.
  • Mobile Devices – There are many ways social engineers can use a mobile device, and most prominently they use the medium of apps. This could be apps that look legitimate but aren’t, ads for different apps, or (the most sinister of all) apps touting security. App-oholics beware: it’s easy for a social engineer to plant malware on your phone with the lure of a new game or feature.
  • Reverse Social Engineering – This is an interesting trick of the social engineer. The idea is that they sabotage the network, then position themselves as the most attractive avenue for solving the issue. Bam, all of a sudden they’re being invited into the network. They fix the trouble, and walk away with all the information they needed.
  • Personal Attacks – Personal attacks are some of the most interesting, because the social engineer is using human psychology to get the information they’re looking for. A guy comes into the office and walks up to a receptionist, soaking wet. He’s got a wet paper in his hand and explains that he’s here for an interview in fifteen minutes, and his resumé is soaked. He’s got a flash drive; could the receptionist please let him print off another copy? It’s heart-wrenching, and by playing on the heartstrings of another, effective. Ciaramitaro even goes into techniques like Neuro-linguistic Programming and mimicry used to turn a target’s psychology against them.

Steve Aiello, Jake Gaitan and Kierk Sanderlin: “Industry Expert Panel: Network Security – Beyond Passwords and Firewalls”
The first question posed to the panel was whether or not they believed the firewall was dead. Everyone was pretty much in sync with the response that no, it was still alive and well. Kierk noted that the firewall used to be something of a moat – a piece of external security sitting outside the network. He believes the firewall is going to be moved into the network. Steve agreed, adding “I think what we’re seeing is evolution, especially with virtualization, just moving it closer to the asset.”

Kierk also spoke about the next gen firewall: “Next gen policy is more about the actual user now. It’s asking ‘who is the user that’s on this network?’ and then leveraging next-gen features based on the answer.”

Another question for the panel was what they thought the best bang-for-the-buck security measure currently was. Jake’s focus was on standardization and implementation, more of a focus on process. Steve spoke about two-factor authentication and auditing. He asked the audience for a show of hands: how many people monitor successful logins? One or two people raised their hands. He explained, “Everyone tracks failed logins. I don’t care as much about failed logins. It means that things are working the way they should be. I care about the successful logins, when people actually get into the system.”
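To make the panel’s point concrete, here is an added example (not code from the panelists or from Online Tech) that reads sshd-style auth log lines, keeps only the successful logins, and flags the ones worth a second look: a user logging in from a source address not in their known baseline, or outside business hours. The log lines, host names, user names, IP addresses, the per-user baseline and the 08:00–18:00 business window are all constructed for the example.

```python
"""Monitor successful logins, not just failed ones (constructed example)."""
import re
from datetime import datetime

# Constructed sshd/syslog lines; every host, user and address here is made up.
SAMPLE_LOG = """\
Oct  2 09:12:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.5.14 port 50122 ssh2
Oct  2 09:15:44 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Oct  2 09:15:46 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Oct  2 13:02:10 web01 sshd[2350]: Accepted password for alice from 10.0.5.22 port 51001 ssh2
Oct  2 23:41:07 web01 sshd[2990]: Accepted password for alice from 198.51.100.77 port 44010 ssh2
Oct  3 02:05:33 web01 sshd[3120]: Accepted publickey for deploy from 10.0.5.14 port 50130 ssh2
"""

# Assumed baseline: the source addresses each user normally logs in from.
BASELINE = {"deploy": {"10.0.5.14"}, "alice": {"10.0.5.22"}}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2012):
    """Return the fields of one sshd auth line, or None if the line is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Syslog timestamps carry no year; the caller supplies the year the log was written.
    fields["when"] = datetime.strptime(
        f"{year} {fields['mon']} {fields['day']} {fields['time']}", "%Y %b %d %H:%M:%S"
    )
    return fields


def successful_logins(text):
    """Keep only 'Accepted' events: the logins that actually got someone into the system."""
    events = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields and fields["result"] == "Accepted":
            events.append(fields)
    return events


def review_successful_logins(text, baseline, business_hours=(8, 18)):
    """Flag successful logins from an unknown source for that user or outside business hours.

    Returns a list of alert dicts, one per flagged login, each with the reasons it was flagged.
    """
    start, end = business_hours
    alerts = []
    for ev in successful_logins(text):
        reasons = []
        if ev["ip"] not in baseline.get(ev["user"], set()):
            reasons.append(f"new source {ev['ip']} for {ev['user']}")
        if not (start <= ev["when"].hour < end):
            reasons.append(f"off-hours login at {ev['when']:%H:%M}")
        if reasons:
            alerts.append({
                "user": ev["user"], "ip": ev["ip"], "host": ev["host"],
                "method": ev["method"], "when": ev["when"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in review_successful_logins(SAMPLE_LOG, BASELINE):
        print(f"{a['when']:%b %d %H:%M} {a['user']}@{a['host']} from {a['ip']} "
              f"({a['method']}): {'; '.join(a['reasons'])}")
```

Run against the sample, the two failed attempts against the non-existent `admin` account are ignored entirely, while two of the four successful logins are flagged: alice at 23:41 from an address she has never used, and the deploy account at 02:05, which came from its usual address but at an unusual hour. A real deployment would build the baseline from historical data and feed alerts into whatever the team already reviews, but the filter itself is this small.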

They were also asked about the progress of network security. Jake weighed in that awareness of security is an essential part of this progress. Steve said that it has come a long way, and we’re going to see it mature a lot more. Kierk’s final note was that progress was showing itself to him through “security having a seat at the table”: bigger budgets and more input within companies than before.

If you’re concerned with security and would like to learn more about the technical, physical and administrative security measures your organization could take, visit the Secure Hosting section of our site.

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
