Multiple versions of the truth
With no security system impenetrable and the definitions of 'good guys' and 'bad guys' blurred, IT security professionals face a daunting task in securing data, delegates heard at the opening of the ninth annual ITWeb Security Summit 2014 in Sandton today.
The two-day event has attracted around 800 local and international information security professionals for in-depth talks on the biggest IT security risks facing the world today.
Noting the past 12 months had seen some of the most significant events the information security sector has ever witnessed, SensePost MD Charl van der Walt highlighted the recent Target breach, in which 70 million client accounts were compromised, even though the company's hardware was PCI-compliant.
"This is a complex and slightly terrifying new environment. Let's stop kidding ourselves, we can't stop all attacks," he said. "Let's focus on those we can stop and those posing the greatest risk to our specific organisations."
Keynote speakers Jacob Appelbaum, an independent international hacker and researcher, and Christopher Soghoian, principal technologist and senior policy analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union, focused on state surveillance and civil liberties in their opening talks.
They noted state surveillance is not only a privacy issue - it also presents a threat to the national security of countries, as well as to entire businesses that are built on a promise that the data they manage will be kept secure.
Speakers noted that if data can be accessed by state security agencies, it can also be accessed by anyone and used for any purposes.
Appelbaum commented: "Where Internet protocols are intentionally weakened because it is useful for one party, we forget this is useful for other parties too. This whole 'Black Hat/White Hat' thing is just too simplistic."
Soghoian said: "What does it mean for an industry like yours, when you are promising to keep data safe or 'bad guys' out, when you can be given coercive orders to give governments access to this data?"
They also pointed out that hardware and software bought from nations with a vested interest in surveillance could easily have surveillance tools built in. Free and open source software and free and open hardware could present a solution to that exposure, they said.
Haroon Meer, founder of Thinkst Applied Research, echoed this sentiment at a media briefing on the sidelines of the conference, saying South Africa is largely a technology consumer, and needs to develop a home-grown technology sector to avoid the risk of this kind of vulnerability.
Effective cryptography can also reduce the risk of monitoring and exposure, speakers said. However, they noted this could only be truly effective when applied across all communications tools - including landline and cellphone communications.