The RSA Security Conference is the one international event I’m prepared to get to on a regular basis — it’s usually in San Francisco (or close by) which is great, but it’s also the main gathering point for IT security people from around the world and the place for taking the pulse of the industry. My first RSA Conference was in 1995, but what’s new in 2003?
Politics is still up there; PKI has pretty much vanished off the radar screen as it disappears into products, and ROI remains. I attended a session on Intrusion Prevention vs. Intrusion Detection — a topic dear to my heart after several years of questioning why people put in Intrusion Detection Systems (IDS) when they haven’t got a clue how to manage them or respond to an intruder alert. The learned panel at the session pointed out that we have to keep the bad guys out and have some sort of automated way of doing that. “That’s what firewall vendors were saying 10 years ago!” I observed to the wry smiles of those around me.
So keep an eye on new appliances which consolidate several security functions. Just make sure that the consolidation includes effective integration and that the products are flexible enough and sufficiently manageable to meet your requirements.
Concerns over critical infrastructure protection generated a significant amount of hype, just as they occasionally do here in Oz. With regard to intrusion prevention, it’s probably a good thing, even though cyber-vandals are a greater threat than Osama bin Laden’s script kiddies.
John Blomgren, a process engineer working for Rainbow/Mykotronx, was the only speaker at the conference to mention SCADA systems. If you don’t know what SCADA is, it probably doesn’t matter unless you’re concerned with the availability of gas, electricity, and water supplies or the integrity of food and drug manufacturing processes. SCADA systems are computer systems run mostly by engineers, and they are very vulnerable.
One example “Paul” (not his real name) used was of a hack that released raw sewage onto Sydney’s beaches on more than one occasion some time back. Paul reckons SCADA vendors and operators haven’t got a clue, either, at least when it comes to security. From what I’ve seen in Australia, I’d have to agree. Paul has a special phone number if you want to talk to him about Top Secret stuff, but you have to have a Top Secret phone. I’ve got an old Ericsson, but it works just fine! If you want Paul’s number, just give me a ring.
But remember PKI and what it was supposed to do for business over the Web? Did you ever buy one? Web services security and SSL-VPN are almost in the same space, except that they don’t really have any neat new technology behind them. The key message here is that your security (and business) objectives have to be incorporated into your system design before you start lusting after a particular technology.
So, was there really anything new in 2003? Not much, unless you consider the lone mention of SCADA. But it’s a different conference for everyone, depending on where you’re coming from (conceptually rather than geographically) and what you actually get to see. In 2003, it’s time to realise that information security is as diverse as any other part of the IT industry — databases, networking, application development — all have numerous sub-specialities, and gone are the days when any IT security specialist can get across all the relevant issues to any sort of depth.
One thing that is new — at least in the sense that it’s finally gaining more recognition — is that it’s not the technology (stupid!), it’s the people and the management of IT security that really makes a difference.
And what was missing? The RSA conference covers things pretty well, but it is essentially a vendor conference and some things can get overlooked — like the commercial impact of the expiry of patents on RSA technology and the new cryptographic attacks on their products. All praise to the delightfully irreverent Adi Shamir — the ‘A’ in RSA — who last year told us how to hijack a plane with plastic cutlery and a tube of glue, and this year exposed a lot of the weaknesses in the algorithm he helped develop.
What was really missing for me, from an Australian perspective and from my role as chair of the Information Security Interest Group, was the problem of knowing who are the credible consultants and IT security professionals these days. The IT security industry in Australia was a lot smaller when I attended my first RSA Conference in 1995, and IT security specialists were not so much in demand.
These days IT security has made it onto the boardroom (and Cabinet) agenda, something we all hoped for those many years ago. But now we have the vexing problem of inexperienced wannabes posing as security specialists selling snake oil and shoddy work to unsuspecting and uneducated corporate management. There will always be scam artists taking advantage of the latest best thing. Now that IT security is out of the closet, it is increasingly important for the industry, professional organisations, and end users to get their act together to weed out the shonk artists.
This places an onus on employers and professional organisations to establish realistic evaluation criteria. This is something we are all engaged in at the moment, so watch this space for new and breaking developments.
Mark Ames is chair of the Australian Information Security Interest Group and the Information Security Research Centre at the Queensland University of Technology. He now runs ICT Risk Pty Ltd. Mark.Ames@ICTRisk.com.au