Monday, November 17, 2008

CSI 2008 - First Thoughts

So... my first impressions of this Computer Security Institute [CSI] 2008 conference here in National Harbor, MD - as follows:

  • Lots of people are here from all sorts of companies, and of all kinds of ranks, from all over the Americas (I saw name tags from Canada as well as the US; with CISOs, architects and engineers present)

  • The F5 "Email Station" kiosks - essentially a bunch of laptops which you can check email from. Seriously? At a security conference? And yes... there were people walking up and using webmail on these laptops. More proof that even with our own ranks, security people aren't paranoid enough - think keyloggers!

The morning's keynote was given in part by Brian Snow, of NSA fame. He had some bulletpoints I think would be good take-aways for everyone, my commentary is included:
  • "Better security" isn't a product we can sell to people, so it isn't happening effectively. Companies are in the business of making products (and selling them) and not securing you/us.

  • "Solving ahead" is a design process step by which we address all conceivable possible attacks against a "thing" before that thing is sent off for production. This process involves thinking many steps ahead of the initial attack and requires some smart people during the design phases... do you have those at your company?

  • An interesting topic (although not a new one) was brought back up about minimizing the contextual value of data - meaning, data stolen from one domain needs to be without value in another domain. How do we solve this issue? Credit card companies are already doing this with one-time use credit card numbers... what about other data?

  • Designers of software/hardware/stuff allow for bad decisions to be made by end-users. Why? This is a lot tougher to root out than you may think, people want those 'bad choices' in their options.

  • Learn to speak executive. If you don't have the ability to translate our "security geek" language into execu-speak you're going to continue to fail to make your point.

As a side note... are you an INTJ? How does that affect the way you design and solve problems? Think about it.

More soon...

No comments: