Monthly Archives: June 2010

Cloud Security Alliance Conference (Israel) – CFP

Posted on by
1

Just wanted to let you all know (as a member of the CSA-IL board) that we will be having a conference on September 2nd who’s title is “Cloud Security Technology and Innovations” in Tel-Aviv, Israel.

We expect to have great participation from all areas of the industry, are working on a great venue to host the conference, and are opening up the Call for Papers.

Please see the CSA-IL WiKi for additional information on how to submit for the CFP:

http://wiki.csail.dreamhosters.com/wiki/CSA_conference#Call_for_papers

Looking forward to seeing you all there!

FIRST and IL-CERT

Posted on by
2

Funny thing how I got to go to Miami last week…

So, one time, at security camp, I figured that there isn’t a whole lot of infrastructure in my back yard to really call a decent CERT. I have experienced that multiple times (and again and again) when handling major incidents that prompted incident handling in dozens of countries around the world, and when trying to do the same back home (in Israel), I got “bobkes”.

The thing is, there are currently two “CERTs” operating in Israel – an academic one (ILAN-CERT) which only server a portion of the actual academic networks in Israel (surprise surprise…), and CERTGOV-IL (which seems to be mostly in maintenance mode, and only server the government sites). Bottom line – if you want to report an incident that does not fall into these CERTs constituency (about 90% of the cases), you are out of luck…

So, just like the ever-optimistic fool that I am, I decided to give it a try and start a normal IL-CERT. Back at the time when I started to dance the political/bureaucratical dance I figured that it would be a good idea to present at FIRST2010 as IL-CERT would be alive by then. Ahhh, the optimism…

Months went by, emails flew, and meeting were held, and I arrived at the FIRST conference with only a glimmer of hope for a decent CERT. I almost dropped all hope for it, but then had a great time running into the FIRST crowd. Every time I got into a conversation with a member, I usually got the same question: “so, can I send you information on incidents in Israel? Because there isn’t anyone to send data to for years”.

Embarrassing. Nothing less (and to think that there was another Israeli “CERT” member onsite…). Long story short – I’m currently willing to put my hiney on the line and at least be able to say that I tried.

So here goes – I’m publishing an open call to anyone local who would like to participate and contribute to the IL-CERT. Also – if you need/want to report on any incident related to the constituency of a decent IL-CERT, please feel free to pass it my way until we set up the basic infrastructure for IL-CERT.

Wish me (us?) luck and godspeed. And thanks again to everyone who I met at FIRST-2010 and have reinforced my crazy endeavor.

Identity crisis

Posted on by
1

Here’s a common question I get asked a lot: “What technology should I use to secure my server/network/[some technology]?”

wpid-IdentityCrisis-2010-06-7-14-11.jpgThe question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have had a problem with this if this was a technician, or a pen-tester of sorts, but I get really nervous when the CISO/CIO/Security manager is the one asking.

I think that this question is highly inappropriate for two reasons:

  1. You should not be looking for “technology”. Buying a product is not going to make you more secure or less secure.
  2. You should not be trying to protect a technology. Your servers, networks, routers, PCs, etc… are not the focus of information security. The information is…

Having been working with senior management – sometimes as an advisor/consultant, and sometimes as a “virtual CISO”, I know that this is not what we expect the CISO or security manager to ask. We expect business savvy, we expect an understanding of what the information assets are, what are the information critical paths, who owns the information and what is the impact of every asset on the business. We expect that the understanding of how each assets fits into the grand scheme of things would be clear to whoever is in charge of securing it, and we expect them to take into account what is the potential damage related to each of these assets (in terms of losing it, having it fall into the wrong hands, etc…).
For me (or us when talking as management) this is the only way to approach security. Funny how things get a little unclear when all you thought you needed to know was which vendor/product fits where in your topology, huh?

What strikes me as most peculiar is the fact that a lot of these security “professionals” find themselves in a self proclaimed identity crisis, having to deal with business requirements and financial understanding of how the business operates. and the weirdest thing is that they often choose to get back to what then “know” best – the technology side of things. Definitely not the way to make a move…

wpid-risk-blocks-2010-06-7-14-11.jpgI’m really hoping that all this preaching of “know thyself before you know your enemy” would help somehow, because right now unfortunately the situation at hand only brings us more business (not that I’m complaining). But seriously now – technology is fine and cool, but having the aptitude to know where it fits, not on an architectural level, but from a business perspective is the key to what we do. Get back to the drawing board, erase the network topology and start drawing the business one!

The community to the rescue again

Posted on by
Reply

I’ve had some hard time coming up with this post. I had the great opportunity to travel quite a bit lately – specifically to Berlin where basically EVERYBODY in security was at ph-neutral (have I thanked FX yet? I think so, but anyway – great con/party!).

It all started in Berlin when I realized what an amazing community we have. People from all over the world coming over for 3 days of sharing, networking and listening to talks (oh, and partying). I also have the great honor of calling a few of these guys friends. Friends that I know that I would be honored to help if they needed anything, and friends that I know I can “drop on” if I happen to get into a snag in their hometown. Friends that I only see in-person 2-4 times a year, but still consider them one of my closest.

I saw borders dissolve in an instant as politics, geography and history dropped in sight of a beer or a cool PoC demo on someone’s PC, and I had great conversations with people I just got to know and am sure will run into again in the future.

And then I got back home. I don’t need to mention the unfortunate events that took place a couple of days ago, and I’m not going to point fingers at anyone. Everyone had their agenda, some sides were more optimistic, some had better planning, some had better intent, but the end result is what it was. Sometimes as we say it’s better to be smart than to be right…

That was just a day before I flew over to Athens to talk at Athcon. People around me started freaking out, having the entire area feel like a barrel of gunpowder, and the media adding in some FUD to top it off. And then I recalled ph-neutral. A couple of hours later, a friendly cabbie and what looks to be a really cool con, everything is left behind. The community wins again, while politicians keep meddling with their agendas.

I just hope that more people could find such communities where borders are bridged, and religion/ethnicity/gender become irrelevant in light of a common cause/interest. I’m truly happy that I had a chance to debunk myths that I’ve had in my mind, and other people had in theirs, and really hope that this focus on a common interest could work elsewhere.
Now off to polish off my presentation for tomorrow. Stay safe out there!

Quick update [6/7/2010]: Athcon was fantastic! I’ve had a great time in Athens, had a chance to finally meet some really brilliant minds that I’ve been following for some time online, and was fortunate enough to experience the famous greek hospitality. I am reassured with my previous assumptions that all these politics are just the attempt of politicians to prove that they are worth their salaries (hint -they don’t). We just want to live our lives quietly – the only reason for some kind of army/politicians is to fend off anyone who wants to disturb this (terrorists).

Back to work now, as I need to start prepping for Miami next week…