{"id":31,"date":"2008-07-09T23:48:40","date_gmt":"2008-07-10T03:48:40","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=31"},"modified":"2013-03-17T12:25:57","modified_gmt":"2013-03-17T16:25:57","slug":"cyber-security-conference","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2008\/07\/cyber-security-conference\/","title":{"rendered":"Cyber security conference"},"content":{"rendered":"<div>\n<p>In June 2008 I attended a \u201cCyber Security Conference\u201d in Arlington, Virginia.\u00a0 The format was two days of invited 35-minute presentations by big names in the government and government-contractor space.\u00a0 I only attended day two so I missed half the discussion.\u00a0 Here are some of the major themes from today\u2019s twelve speakers:<\/p>\n<ul>\n<li>Targeted phishing (a.k.a. \u201cspear phishing\u201d or \u201cwhaling\u201d\u2014can we as a community agree to stop coming up with terrible nouns like these?) was mentioned more often by more people than any other cyber security problem.\u00a0 Targeted phishing is a social engineering attack where someone learns enough about you (or your work environment) to send you a custom-made email.\u00a0 One example involved a newly-promoted CFO, where the evildoers read about the CFO\u2019s promotion in a newspaper and wrote a letter from \u201cHR\u201d asking (successfully) for personal information, passwords, etc., in order to set up the new executive\u2019s computer account.\u00a0 Four of the speakers mentioned phishing as one of the top problems they are facing on corporate and government networks\u2026<\/li>\n<\/ul>\n<ul>\n<li>\u2026which reminds me how two speakers complained that spending\/effort on cyber security is not well-balanced among the actual risks.\u00a0 Joshua Corman of IBM phrased it nicely by pointing out that cyber attacks merely for the sake of attacking (\u201cprestige\u201d attacks) ended in 2004; attacks since then appear to have been driven either by financial 
(\u201cprofit\u201d) or, more recently, activist (\u201cpolitical\u201d) motives.\u00a0 The problem is that the bulk of cyber security efforts\/dollars are going to thwart attackers that are easy to identify (worms, spam) leaving us exposed to more discreet attackers.\u00a0 (Of course, nobody had a ready solution for how to identify and thwart these discreet attackers\u2014a discrete problem.)<\/li>\n<\/ul>\n<ul>\n<li>However, two speakers independently mentioned anomaly detection as an it-continues-to-be-promising approach to cyber security, while acknowledging that the false positive problem continues to plague real-world systems.\u00a0 One of the core problems I\u2019d like to see studied involves the characterization of real-world network traffic (especially in military environments).\u00a0 Specifically, for how long after training does an anomaly detection model remain valid in an operational system: seconds? hours? weeks?<\/li>\n<\/ul>\n<p>Two talks I really enjoyed were from Boeing and Lockheed-Martin, in which a speaker from each talked about the organization and internal defense strategy (applied cyber security?) 
of his corporate network.\u00a0 I appreciate when companies are willing to share these kinds of operational details to make researchers\u2019 jobs easier: storage companies take note!\u00a0 Unfortunately the talks were light on details but provided some interesting insight on email defense (#1: Outlook helpfully hides the domain name, aiding a phisher\u2019s task, so write filters to block addresses like \u201cjaggedtechno1ogy.com\u201d at the corporate mail server; #2: many spams or phishing attacks come from newly-created domains, so write filters for this too\u2014I\u2019ve mentioned previously that we should perhaps tolerate some inconvenience for the sake of computer defense, and these are good examples of that).\u00a0 Two questions I\u2019d like someone to answer:<\/p>\n<ol>\n<li>How can we coax corporate network managers to be willing to evaluate active response systems (e.g., attack the attacker) on production networks?\u00a0 It is probably much easier to do there (legally) than on government networks.<\/li>\n<li>When will corporate networks deploy the security support services (admission control, identity verification, key management) that allow application programmers to focus on their core competencies instead of being security experts?\u00a0 C\u2019mon, folks, it\u2019s 2008.<\/li>\n<\/ol>\n<p><strong>UPDATE:<\/strong><\/p>\n<p>Three people have mentioned that question #1 is unlikely to have an answer:<\/p>\n<blockquote><p>What are the corresponding real-world analogies?\u00a0 When is it legal for me, personally, to respond to a physical threat?\u00a0 Only when there is serious threat of harm to myself or someone else (or, in some states, my property). Otherwise, call the policy (or the military). I doubt cyber-society will act much different. 
But, this does beg the question of where are the cyberpolicy and cyberDoD!<\/p><\/blockquote>\n<p>And everyone agrees that question #2 needs to happen, like, yesterday:<\/p>\n<blockquote><p>I think that the best answer as to why it hasn\u2019t happened is related to cost. And, in this case, cost is directly related to usability for the sysadmins. If they can do username \/ password and be done with it, then they will. And they will only move to other measures if\/when they are required to (e.g., corporate policy, liability concerns, etc). However, if one could find a way to overlay this security goodness onto an existing network in a way that is no harder (and perhaps even easier) than username \/ passwords, then they might want to do it. Esp if this overlay then allowed for a tangible benefit in terms of increased security of everything else.<\/p><\/blockquote>\n<p>Thanks, Greg and Bryan.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In June 2008 I attended a \u201cCyber Security Conference\u201d in Arlington, Virginia.\u00a0 The format was two days of invited 35-minute presentations by big names in the government and government-contractor space.\u00a0 I only attended day two so I missed half the discussion.\u00a0 Here are some of the major themes from today\u2019s twelve speakers: Targeted phishing (a.k.a. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/31"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=31"}],"version-history":[{"count":3,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/31\/revisions"}],"predecessor-version":[{"id":808,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/31\/revisions\/808"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=31"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}