The European Business Conferences Group (EBCG) hosted its 2nd Annual Cyber Security Summit in Prague, Czech Republic on April 11th.
The two day conference was targeted at industry and business leaders from various sectors in an attempt to bring people together, especially here in Europe, to learn about cyber security issues.
The write up below is an overview of my experience at the conference and a summary of a few of the presentations I enjoyed.
Tom Brennan, Director at SpiderLabs, opened the conference with his presentation on vulnerability researching and what the focus should be as security professionals. He had some good insight into various security risks and vulnerability tactics; many of the vulnerabilities he mentioned were admittedly vulnerabilities the industry has been facing for years.
Cross site scripting, SQL injections, and spear phishing attacks are the bread and butter of vulnerabilities that companies still are not protecting properly against. However, he noted that some of these vulnerabilities can be the hardest things to defend properly against .
Tom had a thought provoking statement about planned obsolescence in the security industry and how the industry may be approaching things from the wrong angle altogether. This made me think about whether or not customers are being forceful enough in demanding quality products while giving good enough feedback to the providers.
Krisztian Piller presented on Information Systems Risk Management at the European Central Bank and what their best practices were. The highlight of his talk was the Anonymous DoS on their bank and the lessons learned from that experience.
One of the main takeaways though was that while security experts know certain things are a risk and feel that aspects should not be accepted, it is management that understands the full scope of what can and cannot be accepted in the company’s risk model. The idea was to prioritize risk and bring expertise to the table but allow management to make the right decisions and for security staff to support them in doing so.
What I took from the talk was the level of financial loss the European Central Bank will allow before considering something a “high” threat. Less than 1k Euro stolen is a low threat; 100k-500k Euro stolen is only a medium threat. That says a lot about the type of threats that they face and what level these incidents actually reach.
Thomas Hemker presented from Symantec and presented the idea that the security community has put a focus in the “wrong place.” He has seen a rise from 785k samples of malware a day in 2010 to over 1.8 million gathered per day currently.
His thesis was that signature based detection does not work anymore and that drive by downloads and unique hashes of adapting malware are making it increasingly hard to defend systems properly. It was his worry that one of the biggest vulnerabilities is mobile platform based malware; Android has the largest share of mobile malware.
The breakdown of malware infected devices was 19% US, 16% China, 5% Germany, followed by the remaining countries with a few percent each.
An interesting statistic was that 1 out of every 7 images and links on Facebook are infected with malicious code or redirects to malicious websites. His closing statement was that a focus on intelligence gathering and correlation in the various industries will be the only way to cause real security changes.
Mika Rintamaki works at If P&C Insurance and described the DDoS attack the company faced from the Allaple worm. His company has over 4 million customers and is very dependent on IT systems; a DoS for them stops their ability to process claims and handle requests from customers.
The attack was initiated on 22 Jun 2006 and the worm did not have a command and control server, once launched it could not be turned off. The interesting aspect of the presentation is that the way they handled the DDoS was by filtering/rejecting malicious packets which they could identify by an extra space the worm included in the Get/ HTTP 1.1 request.
By noticing this small change they were able to defend themselves against the DoS (which had been initiated by a disgruntled customer who was later arrested). Mika stressed the real lesson is the need to develop processes and readiness for such an attack before ever being faced with it.
To start off the second day Tom Brennan presented again on Trustwave Spiderlabs and their global security report. He broke down the 62 page report pointing out a lot of their findings conducted from over 2,000 manual penetration tests and 2 million network and application vulnerability scans.
Tom pointed out that 42.1% of malware types seen were Memory Parsers followed by 13.2% being keyloggers, 13.2% representing application specific attacks, and 2.6% of cases using rootkits.
A lot of the material at the conference seemed like common knowledge to security professionals but the use of specific data, like in Tom’s presentation, really drove the material home to the attendees that were from a non-security background.
The next presentation I attended was by Michel Oosterhof who presented on Incident Response for RSA. From the RSA perspective, 65% of organizations they interact with do not feel they have sufficient resources to prevent an advanced threat. Of the organizations surveyed, 83% believe that they have already been the victim of an advanced threat.
These numbers were very interesting but the most interesting aspect to me was that 85% of the noted breaches took weeks or more to discover. Although breaches going unnoticed is not a new concept, it seems the industry is failing in attribution and detection more so than any other area.
Michel stressed that the anti-malware techniques such as signature based detection are failing; a common theme throughout the conference.
I presented after Michel on the Future of Nation-State Cyber Weapons. In my presentation I described some of the interesting aspects and common themes behind Stuxnet and Duqu as well as their connection to each other through the Tilded platform.
The Tilded platform, named by Kaspersky security experts, resembles nation-state made weaponry in a number of ways. Primarily, the platform based approach is one that nations have been moving towards in the more traditional domains of warfare including aerial platforms.
The focus is on efficiency and the ability to make timely changes through updating payloads and stealth measures just as you would find in the addition of various weapons or sensors on an aircraft. I also spoke a little about the possibility of a third weapon based on the Tilded platform and what we could probably expect to see in terms of style, lessons learned, and target.
Ultimately I believe that SCADA/ICS systems will continue to be a lucrative target for nation-states, if not the first target in a wartime scenario.
After my presentation, Johan Rambi spoke from Alliander on smart meter technology as it relates to critical infrastructure and the lessons learned from its implementation in the Netherlands. The talk was very interesting in that it highlighted that cyber threats could induce rolling blackouts, or worse, through the manipulation of the data on smart meters.
His key takeaway was that a need for an ongoing security process is critical. Inspection, penetration testing, evaluation, and corrections applied to systems must be an ongoing process and stringent enough to give adequate protection to these systems.
From my perspective, the conference was a good meeting location for business leaders to get together and share information and lessons learned from industries that do not usually interact. It was not the style of conference that one might find at BlackHat, DefCon, Hacker Halted, or other more technical conferences yet it represented a great step in educating business leaders.
Personally, I felt the most important aspect of the conference was the ability to network with people from a wide variety of sectors. Establishing new connections, sources of information, and building friendships open up avenues for much needed information sharing.
The real takeaway was that no matter the conference style or location the importance of the cyber community must be placed on education. The conference echoed sentiments that could be found at any information security conference but the unique group of participants that gathered in Prague made for an overall great experience.