Wednesday, 16 January 2013

Symposium on Information Security Part Two

Following on from the morning overview, Marek now takes a look at the afternoon sessions.

Alex Stobart from Mydex- Citizen-centred personal Data stores. Mydex has been chosen to be one of 9 Digital Public Services. Mydex will provide Identity Assurance that empowers the individuals to manage their personal data and acquire proof of claim and verification about any aspect of their life and identity. Citizens can create a Secure Personal Data Unit, which allows them to collect information and within the control layer decide with which party it will share certain types of information. The difference with Mydex is that individuals self drive the personal data unit rather than it be controlled by an organisation.

How does information security impact innovation and collaboration? This topic was presented by Richard Higgs from Brightsolid company, The presenter used real client experiences, describing how the company could manage the innovative collaborative space within the cloud and still assure a level of security. Nowadays a lot of companies are moving most of their business or even parts to the cloud and are facing issues related to how co-workers collaborate on new projects. Moving infrastructure to the cloud companies need to increase security awareness for their employees as well. Brightsolid showed how their company could achieve that.

David Stubley presented Resilient Information Security: A New Approach to Assurance. Many organisations nowadays see computer networks and applications as the backbone for their business and as a result focus on the implementation of defences and preventing attacks. This approach has directly influenced compliance and assurance approaches, such as vulnerability scanning and penetration testing. We cannot achieve 100% security and allow the business to run flawlessly. This approach is becoming unacceptable for many businesses. David presented a new approach to assurance that would not only test the defences of an organisation but also test it resilience to attack.
The example showed on the presentation was a Java zero-day, which was publicly announced just a day before. At the moment the zero-day is being publicly discussed and is marked as High-risk by Oracle. Countermeasures are available. The question is how long this zero-day was available? This new approach to assurance would allow implementing the resilience into the management of Information Security and will enable organisations to deliver a balance between security and operational requirements.

As a result of this idea the Open Source Security Resilience Assurance Methodology (OSSRAM) was created. OSSRAM is an open source community looking at how to define this new approach to resiliency testing and assurance. The community is welcome to access the website and express their opinions.

Part of the symposium was the announcement of the Cyber Security Student of the year 2013, the first three finalists were: Charley Celice; Gordon Grey and Hector Grebbell, congratulations to all participants and winners.

Gordon Mullin from Memex presented Big Data, Analytics and Information Security. Gordon outlined the issues related to Big Data, how a company could take advantage of it, how and what models to use for sharing the amount of data and how to effectively implement the enforcement solutions using this data. Some of the examples showed how Big Data analysis could help the police effectively reduce violence during events. The Memex solution allows analysis of Big Data and provides relevant information to the right people.

Paul Thomas and Phil Strading from Microsoft presented Human Trust in Digital Life. This talk returned back to the e-Health topic and the potential role of e-Health to meet the higher demand of health and care service. These services, which are controlled by the public sector, are moving towards the sector consisting of family, individuals, and the commercial sector. This talk outlined the new technologies, processes and governance which need to take place in order to provide trust over the internet between individuals, third sector and statutory services. The program will help in UK to deliver a service for assisted living and manag the care system.

The last speaker was Don Smith from Dell SecureWorks who presented Governance, don't forget to lock your doors… Don outlined the problems that lie within the industry using live scenarios. One of their clients came under attack for some time. It was an un-known type of the attack with focus on a Java. The Java exploit was out for several months before it has been disclosed. As the exploit became disclosed it also became available to the public. There was still a time gap before the relevant companies released the patch to eliminate it. The other question raised is when the patch is available how long does it takes for organisations to deploy this patch to their environment? This scenario showed how vulnerable our data can be. They could be accessed maliciously using zero-day attacks and even when they are disclosed and patches made available there are still many companies that would be vulnerable to it.

Don as well as David before, mentioned the new Java zero-day disclosed by Alien Vault on 10 January.
David raised the question of how long was this zero-day wild on the Internet before the relevant organisations noticed?

Bill Buchanan closed the day thanking both speakers and the audience. I would like to say thank you for an opportunity to attend the Symposium and listen to professionals present their visions for the future.  Marek.

No comments:

Post a Comment