This panel featured Quentin Hardy (moderator), National Editor, Forbes Magazine; Marc Rotenberg, Executive Director, Electronic Privacy Information Center (EPIC); Michael Chertoff, Former U.S. Secretary of Homeland Security; and, Richard Clarke, Chairman, Good Harbor Consulting.
[refresh regularly until 2pm PST for live updates from the conference floor; please note that any errors of transcription or attribution are omissions due to the nature of this live blog]
[Mr. Hardy made a slip of the tongue and talked about "this great concert" instead of "this great conference."]
Mr. Hardy discusses information security issues related to boundaries, privacy, responsibility (govt vs industry)
Discussion of "Cyber Shockwave" by Mr. Chertoff. Counterpoints by Mr. Clarke: there is little difference between attacks from governments vs organized cyber-criminals.
Mr. Clarke: 20-30 nations have cyber warfare capabilities, including the US. Hackers "are stealing anything that's worth stealing," and later said "and we can't stop them." Mr. Clarke then points out the potential of cyberspace activities to increase tensions between countries.
Mr. Rotenberg: points to the need for a debate about what we (government) can and should do. "We need to come up with solutions that are smart." Later, he said "transparency and openness is very important."
Mr. Clarke: "the problem is that the government has discredited itself in the last decade. [...] The cyber command that's being stood up is NSA." Mr. Clarke said that the NSA is "the right organization to defend the military, the wrong organization to defend the public." He then mentioned that the government should not be in the business of snooping; however, it could, via regulation, ask the private sector (tier-1 or backbone ISPs) to do it.
When Mr. Rotenberg said this could be a slippery slope (my words) that would lead to commercialization, Mr. Clarke returned that that would be a role for government, to ensure that ISPs are not simply mining packets with deep-packet inspection (DPI) for pure commercial benefit.
Mr. Clarke: "The stuff [the IT & security technology] is obviously not good enough." Points back to how ISPs can help check for malware on-the-wire, before it hits the enterprise or the home.
[...]
Mr. Clarke: "Cyber-crime is not script kiddies anymore." He then argues the need to talk to other countries specifically about information security.
Discussion about whether the US is engaging in cyber-war activities. Mr. Clarke argued that it would be foolish to think that we are not. More discussion about attribution, preparation, and response.
Mr. Clarke: "Why is the electric power grid connected to the Internet?" He then points to FERC not having enforced regulation.
Mr. Rotenberg: "Privacy ends up being the collateral damage in the cyber-war battles."
Mr. Chertoff: "We are really bad at educating people at operational security." Points to the need to take into account the way people behave (not security people, the average person).
[...]
Discussion about the cyber pearl harbor, and Mr. Clarke said that we should not wait to act until a major event happens because instead every day, we have mini pearl-harbors. Mr Clarke: "We're prosecuting a very tiny percentage of cyber-crime."
Mr. Chertoff: this is a field in which "we need to attack the problem in multiple ways simultaneously."
With respect to cyber-espionage, Mr. Clarke said "we are losing our competitive advantage."
Showing posts with label keynotes. Show all posts
Showing posts with label keynotes. Show all posts
RSA 2010 Keynotes - Howard Schmidt
Howard Schmidt, White House Cyber-Security Coordinator
Jokes about the way to "register" for RSA back in the day, using pen, paper, & fax!
Be proactive! Compares security to fire-fighting & early days of fire-departments.
"How do we make things more resistant to the attacks that we're seeing?"
"You all are the ones making the difference," he said, recognizing the important roles that all of us here at RSA play.
Schmidt mentions his work to harmonize, make efficient, and make effective security across multiple areas of government. Refers to President Obama's May 2009 speech about our need for cyber-security.
"You can be FISMA compliant and not [be] secure."
"We'll beat them [i.e. our adversaries] because we will become stronger."
Jokes about the way to "register" for RSA back in the day, using pen, paper, & fax!
Be proactive! Compares security to fire-fighting & early days of fire-departments.
"How do we make things more resistant to the attacks that we're seeing?"
"You all are the ones making the difference," he said, recognizing the important roles that all of us here at RSA play.
Schmidt mentions his work to harmonize, make efficient, and make effective security across multiple areas of government. Refers to President Obama's May 2009 speech about our need for cyber-security.
"You can be FISMA compliant and not [be] secure."
"We'll beat them [i.e. our adversaries] because we will become stronger."
RSA 2010 Keynotes - Defeating the Enemy - The road to Confidence
10AM Keynote by Enrique Salem, president and chief executive officer of Symantec
We can't control what employees say about themselves; we can try to control what they say about the company.
2010 State of Enterprise Security Report: over past 12 months, 75% of companies in survey had had a cyber attack. 100% of companies had a "cyber loss" in 2009 (e.g. internal or external).
Some of the way hackers got in: IMs with malicious links or PDFs with malicious payloads.
[Here comes the "mobile" pitch]
2009 "Sexy Space" worm attack on the Symbian platform.
"Malicious insiders are able to embed new malware in our environments..."
Speaking about the insider threat, Salem said "ultimately, you can never be sure who you can trust."
[nice animation of galaxy-like cloud]
Patching virtual machines should be easier to patch... patch once and all VMs should be updated.
Announcing "Data Insight" to solve data ownership problem to automatically determine data ownership, scan file shares exposed to all, and who is accessing what files.
[Video of Amazon.com CTO]
"Information will be our greatest asset."
Security is about "how do we securely manage diverse environments."
"If we work together, we can help the information economy reach its full potential."
Award for excellence in the field of Public Policy goes to: CSIS, Center for Strategic & International Studies for their work in the Commission on Cybersecurity for the 44th Presidency.
Aware for excellence in the field of Mathematics presented by Ron Rivest. Award goes to: Dr. David Chaum
We can't control what employees say about themselves; we can try to control what they say about the company.
2010 State of Enterprise Security Report: over past 12 months, 75% of companies in survey had had a cyber attack. 100% of companies had a "cyber loss" in 2009 (e.g. internal or external).
Some of the way hackers got in: IMs with malicious links or PDFs with malicious payloads.
[Here comes the "mobile" pitch]
2009 "Sexy Space" worm attack on the Symbian platform.
"Malicious insiders are able to embed new malware in our environments..."
Speaking about the insider threat, Salem said "ultimately, you can never be sure who you can trust."
[nice animation of galaxy-like cloud]
Patching virtual machines should be easier to patch... patch once and all VMs should be updated.
Announcing "Data Insight" to solve data ownership problem to automatically determine data ownership, scan file shares exposed to all, and who is accessing what files.
[Video of Amazon.com CTO]
"Information will be our greatest asset."
Security is about "how do we securely manage diverse environments."
"If we work together, we can help the information economy reach its full potential."
Award for excellence in the field of Public Policy goes to: CSIS, Center for Strategic & International Studies for their work in the Commission on Cybersecurity for the 44th Presidency.
Aware for excellence in the field of Mathematics presented by Ron Rivest. Award goes to: Dr. David Chaum
RSA 2010 Keynotes - Creating a Safer & More Trusted Internet
9AM Keynote by Scott Charney, Corporate Vice President, Trustworthy Computing at Microsoft
What changes in the cloud, and how end-to-end trust is affected by the cloud.
Traditional & more advanced threats. "Why is it so hard to understand the threat?"
5 issues:
1. Lot of bad actors & many different types
2. Many types of motives: espionage, cyber-warfare, predators
3. Attacks look the same, hard to figure out how to respond
4. Shared and integrated domain mingles everything into the cyber environment
5. Worst case scenarios are devastating and scary
"There are millions of botnets in computers around the world, and most of them are consumer computers."
[Slides show Waledac botnet geographic data and other diagrams from recent Microsoft report]
Microsoft used the court process, and blocked Waledac control domains.
[remove one head of the hydra and another one comes back]
Charnay talks about kid & mom getting the security dialog box and clicking OK.
Analogy with smoking (personal health issue and also health issue for others around you) and internet safety (making sure that you're not polluting the Internet space around you).
Now focusing on the cloud. Was your cloud platform creating with an appropriate Software Development Life Cycle that ensures security is built-in?
How will we do forensics in the cloud? Example of a hospital getting contacted by a hacker claiming to have some of the hospital's data. If this happened in the cloud, hospital may want to do its own forensics, but cloud company might not allow due to multi-tenancy issues.
Multiple IDs to avoid a national online identification database. Video of German "EID" card, to be rolled out in November 2010. Starts with in-person "proofing" (using govt issued documents), "U-Prove" technology by Microsoft. Shows a student "Erika" getting access to an online bookstore and leaving a comment "gutte Classe" (i.e. "good class") about one of her classes.
Patented crypto algorithms of "U-prove" will be released today, as well as preview code and APIs.
"The cloud has the potential to alter the balance of power between the individual and the state."
Starting with telephone (& wire taps), emails (stored records), over time, government gained more access to individual data.
What changes in the cloud, and how end-to-end trust is affected by the cloud.
Traditional & more advanced threats. "Why is it so hard to understand the threat?"
5 issues:
1. Lot of bad actors & many different types
2. Many types of motives: espionage, cyber-warfare, predators
3. Attacks look the same, hard to figure out how to respond
4. Shared and integrated domain mingles everything into the cyber environment
5. Worst case scenarios are devastating and scary
"There are millions of botnets in computers around the world, and most of them are consumer computers."
[Slides show Waledac botnet geographic data and other diagrams from recent Microsoft report]
Microsoft used the court process, and blocked Waledac control domains.
[remove one head of the hydra and another one comes back]
Charnay talks about kid & mom getting the security dialog box and clicking OK.
Analogy with smoking (personal health issue and also health issue for others around you) and internet safety (making sure that you're not polluting the Internet space around you).
Now focusing on the cloud. Was your cloud platform creating with an appropriate Software Development Life Cycle that ensures security is built-in?
How will we do forensics in the cloud? Example of a hospital getting contacted by a hacker claiming to have some of the hospital's data. If this happened in the cloud, hospital may want to do its own forensics, but cloud company might not allow due to multi-tenancy issues.
Multiple IDs to avoid a national online identification database. Video of German "EID" card, to be rolled out in November 2010. Starts with in-person "proofing" (using govt issued documents), "U-Prove" technology by Microsoft. Shows a student "Erika" getting access to an online bookstore and leaving a comment "gutte Classe" (i.e. "good class") about one of her classes.
Patented crypto algorithms of "U-prove" will be released today, as well as preview code and APIs.
"The cloud has the potential to alter the balance of power between the individual and the state."
Starting with telephone (& wire taps), emails (stored records), over time, government gained more access to individual data.
RSA 2010 Keynotes - Cloud & Security Svcs
8AM keynote at RSA by Arthur Coviello, Jr., Executive Vice President of EMC and President of RSA, also joined by David Cullinane (eBay), Paul Maritz (VMware)
Comments will appear in square brackets throughout the post. Refresh every few minutes to get updates.
[I feel like I'm in a movie theater, just no 3D glasses]
[Movie narrator: ]When we join forces, we are stronger, smarter, than alone, and that's why we come together each year.
[Now the go-go girls, dancing to "walk like an Egyptian"]
RSA Lifetime achievement award being presented to: Whit Diffie
Art Coviello, Jr., Executive Vice President of EMC and President of RSA:
"Because cloud computing represents a challenge as well as an opportunity, we have to be careful, we don't end up in hell."
Analogy between being blind and not being able to enjoy the benefits of the Guttenberg printing press. Then came Braille. In security, we have a similar opportunity to ensure that companies can reap the benefits of cloud computing.
CIO study 51% [only 51%??] sited security as the biggest concern about adoption of the cloud.
"People must everywhere be able to trust the cloud, even if they, literally and metaphorically, can't see it."
Focus on basics: People, Processes, & Technology
"Convergence of roles [due to cloud] will bring new challenges."
Video of Paul Maritz, CEO of VMware
Coviello describes four stages of going to the cloud:
1. Moving non-critical assets
2. Virtual enterprise
3. Enterprise develops internal clouds
4. Enterprise outsource their infrastructure... hybrid clouds
["GRC," "dashboard," and "compliance" used in the same sentence]
Discussion of co-tenancy issues, example of Coke vs Pepsi running VMs on same machine.
Goals for the cloud:
Gain visibility
Asses Security
Establish Trust
Prove Compliance
Video of David Cullinane, CISO of eBay
Coviello: "The cloud will turn the way we deliver security inside out."
Consider the evolution of currency systems
Barter -> Coins -> Paper currency -> Credit Cards & bonds/stocks
"Cloud computing will indeed complete the transformation of IT infrastructures unleashed by the Internet."
Excellence in the field of Security Practices award goes to: Malcolm Harkins (Intel)
Comments will appear in square brackets throughout the post. Refresh every few minutes to get updates.
[I feel like I'm in a movie theater, just no 3D glasses]
[Movie narrator: ]When we join forces, we are stronger, smarter, than alone, and that's why we come together each year.
[Now the go-go girls, dancing to "walk like an Egyptian"]
RSA Lifetime achievement award being presented to: Whit Diffie
Art Coviello, Jr., Executive Vice President of EMC and President of RSA:
"Because cloud computing represents a challenge as well as an opportunity, we have to be careful, we don't end up in hell."
Analogy between being blind and not being able to enjoy the benefits of the Guttenberg printing press. Then came Braille. In security, we have a similar opportunity to ensure that companies can reap the benefits of cloud computing.
CIO study 51% [only 51%??] sited security as the biggest concern about adoption of the cloud.
"People must everywhere be able to trust the cloud, even if they, literally and metaphorically, can't see it."
Focus on basics: People, Processes, & Technology
"Convergence of roles [due to cloud] will bring new challenges."
Video of Paul Maritz, CEO of VMware
Coviello describes four stages of going to the cloud:
1. Moving non-critical assets
2. Virtual enterprise
3. Enterprise develops internal clouds
4. Enterprise outsource their infrastructure... hybrid clouds
["GRC," "dashboard," and "compliance" used in the same sentence]
Discussion of co-tenancy issues, example of Coke vs Pepsi running VMs on same machine.
Goals for the cloud:
Gain visibility
Asses Security
Establish Trust
Prove Compliance
Video of David Cullinane, CISO of eBay
Coviello: "The cloud will turn the way we deliver security inside out."
Consider the evolution of currency systems
Barter -> Coins -> Paper currency -> Credit Cards & bonds/stocks
"Cloud computing will indeed complete the transformation of IT infrastructures unleashed by the Internet."
Excellence in the field of Security Practices award goes to: Malcolm Harkins (Intel)
Subscribe to:
Posts (Atom)
