Two sides of security

#BSidesLondon #Infosec - At Infosec (or Infosecurity Europe 2011 to give it the full majesty of its title, which no-one ever uses) it was all business. Security is a large industry, with expensive toys and big-budget services. Infosec is like any trade show: there are bright, impressive stands and bright, eager people who will impress on you that this is an industry with exciting solutions that are taking us safely into the new millennium.

Over at Security BSides London, it was still 1990. That’s not a reflection of the attendees or the event (although the percentage of beards and ponytails was much, much higher at BSides). It’s simply that, in spite of the new toys, concepts and protocols, for all that we have developed next-generation firewalls and algorithmic intrusion detection and behavioural analysis, security continues to be undermined by the very people tasked with enforcing it.

For example, there was a very funny presentation by Steve Lord of pen-testing firm Mandalorian, during which he recounted a number of war stories. In one of these tales, he’d reached the point where he’d pwned an administrator’s account at the target firm. “Can you guess what the password was?” he asked the audience. As one, the delegates chanted “password” - the correct reply.

That’s not an isolated example.

The fact is that security is difficult. IT systems are astoundingly complex. New vulnerabilities arise all the time as new technologies emerge, and many of these will be turned into exploits. The sad fact is, though, that pen-testers and malicious hackers alike will continue to gain entry to organisations’ systems through flaws that should have vanished years ago - including weak passwords.

BSides was an invaluable reality check - the flipside of Infosec. The latter is about boasting of solutions whereas BSides, attended mainly by pen-testers and infosecurity consultants, was a timely reminder that these solutions are far from perfect.

The presentations at BSides ranged from a demonstration of how a relatively clueless script kiddie could write an undetectable trojan, through tunnelling via protocols never intended for the task, to how to present the risk created by software in a way that even business executives might understand. It was, in short, about the very real, practical issues of security as seen by those on the front line.

I was probably a bit too sniffy about what goes on at Infosec - it’s an important event. The commercial component of the security business, as expressed by the show, is crucially important. A lot of what these companies do does work, and without it we’d be screwed. At the very least, these solutions provide a baseline of protection that keeps out the riff-raff. And if used properly (and there’s the rub) these products and services are capable of very high levels of security indeed.

But if the admin password for your shiny new next-gen firewall or IPS is ‘password’, then, really, why did you bother?