Article by Reg MacWilliams
I just got back earlier this evening from the 2nd annual Atlantic Security Conference - AtlSecCon, held in Halifax (Nova Scotia).
Before I go into the details, I want to once again thank Travis Barlow and the board members for a phenomenal job organizing it, bringing in great speakers from all over (despite the challenge of RSA conference at the same time), wide range of sponsors, and of course the overall great hospitality.
The speakers left no stone unturned. They were candid, revealing, and brutally honest. This wasn’t your vendor of choice (no offense meant to any vendor I may deal with) coming in and trying to sell you something based on FUD.
There were many real-life accounts of first-hand breaches, the anatomy of how they happened, the trends, stories of the underworld, and what the future may (or may not) hold when it comes to security.
There were three constant points that I got:
- It is not a matter of if you get breached, it’s when you get breached
- Threats and vulnerabilities from yesteryear are still a threat to the majority of the masses
- The less you know, the more it’s going to hurt when you find out. And the more you know? Well, then you realize how much more there is out there that you don’t know
Some of the highlights for me include:
- Brian Krebs and his first hand experiences in dealing (living?) with the underworld to learn their ways, without them realizing it.
- I’m equally as astonished as Brian at the ratio of spam revenue earned (less than 10 million per year) compared to the investments made to block it (hundreds of millions). It’s some sort of quasi bizarro-world reverse insurance financial methodology.
- Common distaste for improper use or overuse of trend words – APT and “the cloud” for example.
- The not-so-subtle stomach punches to anti-virus vendors. (I was going to leave this one out until a certain AV product decided to do its usual routine of hijacking my CPU and using 1.5GB of memory merely to attempt its update from an update server it could not connect to.)
- That being said, I did like the quote “AV is like a condom. It doesn’t always work, but not using one is foolish”.
- Jon Blanchard’s passionate and informative session on #Anonymous and Hacktivism. CMS exploits are far from uncommon, but he detailed one with a much wider range of hooks – political, security, outsourcing, protesters, etc.
- “There is actually no defense if you manage to piss off enough people”.
- “There is no patch for human stupidity”.
There were many more good presenters and points. There were two days of split management tracks which hit the majority of the industry concerns and risks.
If you’re an IT professional, and not necessarily one with a security focus, attending a conference like this would be well worth it. At the risk of pushing FUD, the risks and threats are very real, alive, and active.
They will never go away, but that doesn’t mean the white hats should start waving white flags.
Cross-posted from MW Networking