The annual RSA Conference in San Francisco is a huge event with many great topics. Hope these highlights are useful to you.
OSIsoft partner AlertEnterprise! wins 1st place at the RSA innovation sandbox. If you missed seeing AlertEnterprise! at the UC, check them out online; very cool integration with PI Notifications. http://www.alertenterprise.com/
OSIsoft was invited to participate in the CERT/CC Vendor Forum. Most of the mainstream IT suppliers and security technology companies were represented and the meeting was very interactive. The most lively topic involved responsibilities for responding to bugs found in shared libraries (openssl, netsnmp, libpng etc...Microsoft used the term 'giblets' for libraries acquired over the years). There is an opportunity to keep track of product dependencies and first responders. Sometimes dependencies are nested and this affects the timeliness of patches.
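The dependency-tracking idea above, as an added example that is not part of the original post: a small inventory of components, their first responders and their direct dependencies (all component names and contacts are constructed), used to list who is affected by a bug in a shared library and how deep the nested patch chain is for each of them.

```python
# Added example: a minimal dependency inventory that answers "who has to respond,
# and how long is the patch chain?" when a shared library has a bug.
# All component names and responder contacts below are constructed for illustration.

# component -> (first responder, direct dependencies)
INVENTORY = {
    "openssl":     ("crypto-team@example.invalid", []),
    "libpng":      ("imaging-team@example.invalid", []),
    "netsnmp":     ("snmp-team@example.invalid", ["openssl"]),
    "chart-lib":   ("ui-team@example.invalid", ["libpng"]),
    "data-server": ("server-team@example.invalid", ["openssl", "netsnmp"]),
    "viewer-app":  ("client-team@example.invalid", ["chart-lib"]),
}

def patch_chain(component, vulnerable, _stack=()):
    """Longest path from component down to the vulnerable library, or None if unaffected.
    0 = the library itself; 1 = consumes it directly; 2+ = must wait for a dependency
    to ship its own fix first (the nesting that delays patches)."""
    if component == vulnerable:
        return 0
    if component in _stack:
        raise ValueError(f"dependency cycle at {component}")
    _responder, deps = INVENTORY[component]
    depths = [patch_chain(d, vulnerable, _stack + (component,)) for d in deps]
    depths = [d for d in depths if d is not None]
    return 1 + max(depths) if depths else None

def impact(vulnerable):
    """Map every affected component (excluding the library itself) to its chain depth."""
    if vulnerable not in INVENTORY:
        raise KeyError(f"unknown library {vulnerable!r}")
    result = {}
    for name in INVENTORY:
        depth = patch_chain(name, vulnerable)
        if depth is not None and name != vulnerable:
            result[name] = depth
    return result

def response_plan(vulnerable):
    """(component, first responder, depth) in the order they can act: shallowest first."""
    ranked = sorted(impact(vulnerable).items(), key=lambda kv: (kv[1], kv[0]))
    return [(name, INVENTORY[name][0], depth) for name, depth in ranked]

if __name__ == "__main__":
    for name, who, depth in response_plan("openssl"):
        print(f"{name:12} chain depth={depth}  notify {who}")
```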
I applaud CERT/CC for bringing the group together. It's pretty clear the security tool vendors can offer some remediation, even if just a stop gap, until a patch is available or deployed. With the unfortunate demise of the PCSF vendor forum, CERT/CC remains an appropriate resource to coordinate security bug response between vendors. The need for this role is likely to increase as AMI/SmartGrid technologies force even more interoperability across industrial technologies.
Carnegie Mellon also presented on various initiatives at the Software Engineering Institute, including the secure coding wiki at www.securecoding.cert.org (most content is for unmanaged code) and the recent release of the DRANZER ActiveX fuzzing tool (OSIsoft is working with this for the next release of ActiveView).
The 2009 RSA conference may be dedicated to Edgar Allan Poe because of his fondness for cryptography, but the value theme has been about collaboration. From IT vendors to NSA, open teamwork is a key discussion focus. Time will tell if actions follow words.
I liked this metaphor...cyber fraud is like pollution; we need to promote a healthy ecosystem and vendors need to take the lead.
Many of the technical presentations are about enabling collaboration – such as data leakage protection, cloud computing and federated access solutions.
Dependencies are forcing the issue. No power, no internet; no internet, no power. How can this symbiotic relationship represent strength rather than an obvious vulnerability? Keynote speakers suggest optimism that economic gains are enough to provide balance with safety, privacy and security concerns; we should consider a "good enough" approach to security. The minority view added a security threshold with enough diligence to prevent a "black swan" catastrophic event.
A sub-theme is that point security solutions raise complexity. Collaboration is more than people. Point solutions need to function as part of the security infrastructure. From a PI System perspective, embracing Active Directory is consistent with this aspect of collaboration. Benefits include not only management of users and groups, but also the user productivity of multi-tier single sign-on (Kerberos) and simplified application of security policy.
The weather has been unseasonably warm. Could the hot air be coming from Washington DC attendees? Melissa Hathaway's keynote address regarding US cyber policy recommendations amounted to little more. We'll just have to wait until the 60 day report for the president is made public; she expects a very political discussion will follow.
The Rockefeller-Snowe bill is already in play. Section 7 proposes licensing and certification of cyber security professionals with a scope that includes critical infrastructure service providers. Some are lobbying for similar security certification for software engineers. A Farewell Dossier scenario comes to mind. Regardless, the government is expected to use its power of procurement to force more security assurance into the software supply chain.
Legal worked its way into many other discussions as well. Alan Paller of SANS noted the stage is set for a huge increase in cyber litigation; suppliers are easy targets if application developers have not been trained in secure coding. Microsoft's SDL includes training requirements and is now moving toward CBT-style delivery, per Steve Lipner.
IOActive's Dan Kaminsky offered optimism about secure DNS. He views the international collaboration on DNS as a huge success. Indeed, the coming provisions for root certificates and keys could be the most practical mechanism to enable end-to-end IPsec, encryption for email, and other crypto-reliant services. The panel participants widely trashed X.509 and SSL/TLS as too complex or otherwise compromised.
Another panel of cryptography experts framed the key management problem in a different light. Let's consider the case of encrypted archive files. Loss of the key represents a singular way to delete all your data, ouch! [:'(]
More tracks on software professionals. Many can talk security but are unable to recognize a security bug. Microsoft's Lipner says new apps are appearing every day with no security. Vulnerability stats show applications are the target. See the CWE top 25 programming errors at Safecode.org or SANS. [In a later talk, it was suggested attacks are moving further up the stack and specifically targeting human interface components - seen as a combination of cyber and social attack; humans are the weakest link.]
The critical infrastructure presentations echo the collaboration and holistic approach themes. Examples cited include convergence of physical and cyber defenses. Likewise, jurisdictional problems (internal, public-private, state-federal, international) are hampering implementation of standards. At the same time, convergence of technology and services is giving rise to new threats.
We all know log files are a mess. In the talk "IT Tower of Babel", Microsoft, Mitre and Oracle described their collaboration on a Common Event Expression (CEE.mitre.org) standard. It boggles my mind that OPC AE / UA would be left out of this effort.
The keynote from IBM's Brian Truskowski was excellent. I found many parallels to the OSIsoft vision about survival, approach to security and how information is strategic to accelerate the pace of business. In one metaphor, Brian compared today's business environment to the Titanic...just not designed for maneuverability. CEOs see the iceberg but can't change course.
He goes on to emphasize that complexity is the enemy. Security needs to break out of the product mentality. It needs to be built in and designed to enable activity; security as an afterthought add-on hinders action...resulting in drowning in cost and complexity. He notes that security spending is growing and nearing ~10% of IT spending; this trend cannot continue. We need smarter security.
RSA saved one of the best for last. Fortify's Brian Chess and Cigital's Gary McGraw were awesome presenting "Building Security in Maturity Model". Ok, perhaps the title and BSIMM acronym need work. But they take this topic to heart. In summary, they said it's time for security professionals to quit making up advice. We want science, not alchemy. I think this rule should apply to anything named a best practice.
There is no magic crypto fairy dust and no silver bullets for security. We have to agree that security is an emergent property. To that end, the enlightened work to build security into the software lifecycle. But guess what...everyone has an SDL; what really makes a security initiative successful?
I won't spoil it here; the printed report may not be as entertaining as Brian and Gary's delivery, but I highly recommend a read if you want to know the secret sauce. http://www.bsi-mm.com