Following on from the morning overview, Marek now takes a look at the afternoon sessions.
Alex Stobart from Mydex presented Citizen-centred Personal Data Stores. Mydex has been chosen to be one of 9
Digital Public Services. Mydex will provide Identity Assurance that empowers
individuals to manage their personal data and acquire proof of claims and
verification about any aspect of their life and identity. Citizens can create a
Secure Personal Data Unit, which allows them to collect information and, within
the control layer, decide which party to share certain types of information with.
The difference with Mydex is that individuals drive the personal data unit themselves
rather than it being controlled by an organisation.
How does information
security impact innovation and collaboration? This topic was presented by Richard
Higgs from Brightsolid. The presenter used real client experiences,
describing how the company could manage an innovative collaborative space
within the cloud and still assure a level of security. Nowadays a lot of
companies are moving most, or at least parts, of their business to the cloud and are
facing issues related to how co-workers collaborate on new projects. When moving infrastructure
to the cloud, companies need to increase security awareness among their employees
as well. Brightsolid showed how their company could achieve that.
David Stubley presented Resilient
Information Security: A New Approach to Assurance. Many organisations
nowadays see computer networks and applications as the backbone for their
business and as a result focus on the implementation of defences and preventing
attacks. This approach has directly influenced compliance and assurance
approaches, such as vulnerability scanning and penetration testing. We cannot
achieve 100% security and allow the business to run flawlessly. This approach
is becoming unacceptable for many businesses. David presented a new approach to
assurance that would not only test the defences of an organisation but also
test its resilience to attack.
The example shown in the presentation was a Java zero-day, which had been publicly announced just a day before. At the moment the zero-day is being publicly discussed and is marked as High-risk by Oracle. Countermeasures are available. The question is: how long had this zero-day been available? This new approach to assurance would allow resilience to be built into the management of information security and will enable organisations to deliver a balance between security and operational requirements.
As a result of this idea the Open Source Security Resilience
Assurance Methodology (OSSRAM) was created. OSSRAM is an open source community
looking at how to define this new approach to resiliency testing and assurance.
The community is welcome to access the website and express their opinions.
Part of the symposium was the announcement of the Cyber Security
Student of the Year 2013. The first three finalists were Charley Celice,
Gordon Grey and Hector Grebbell. Congratulations to all participants and
winners.
Gordon Mullin from Memex presented Big Data, Analytics and Information Security. Gordon outlined the
issues related to Big Data, how a company could take advantage of it, which
models to use for sharing such volumes of data and how to effectively
implement enforcement solutions using this data. Some of the examples
showed how Big Data analysis could help the police effectively reduce violence
during events. The Memex solution allows analysis of Big Data and provides
relevant information to the right people.
Paul Thomas and Phil Strading from Microsoft presented Human Trust in Digital Life. This talk
returned to the e-Health topic and the potential role of e-Health in meeting
the higher demand for health and care services. These services, which are
controlled by the public sector, are moving towards a sector consisting of families,
individuals and commercial providers. This talk outlined the new
technologies, processes and governance which need to be put in place in order to
provide trust over the internet between individuals, the third sector and statutory
services. The programme will help the UK deliver a service for assisted living
and manage the care system.
The last speaker was Don Smith from Dell SecureWorks, who
presented Governance, don't forget to
lock your doors… Don outlined the problems that lie within the industry using
live scenarios. One of their clients came under attack for some time. It was an
unknown type of attack targeting Java. The Java exploit had been out for several
months before it was disclosed. Once the exploit was disclosed, it also
became available to the public. There was still a time gap before the relevant
companies released the patch to eliminate it. The other question raised is: once
the patch is available, how long does it take for organisations to deploy this
patch to their environment? This scenario showed how vulnerable our data can
be. It could be accessed maliciously using zero-day attacks, and even when
those are disclosed and patches made available there are still many companies that
would remain vulnerable.
Don, like David before him, mentioned the new Java zero-day
disclosed by Alien Vault on 10 January.
David raised the question of how long this zero-day had been in the wild on the Internet
before the relevant organisations noticed.