Security Summit 2014 wrap-up: rebuilding trust
The security world has been rocked by Edward Snowden's revelations concerning the activities of the Western powers' spy agencies, and by large-scale security breaches such as those at Target and eBay.
Against this backdrop of malicious activity, this week's ninth annual ITWeb Security Summit, in Sandton, gathered over 500 senior executives responsible for IT security, with over 40 speakers discussing the most pressing concerns facing security professionals.
The overarching theme for enterprise security experts at Security Summit 2014 was one of evolution - away from point products and towards more effective security policies and practices. Whether the adversary is a well-funded intelligence agency, a criminal gang, or an insider, the focus was firmly on helping security execs to improve their ability to detect and mitigate threats as effectively as possible.
International speakers included big names such as Jacob Appelbaum, Charlie Miller, Christopher Soghoian, and Josh Thomas - security luminaries well-known to every local practitioner.
Appelbaum, who co-authored Cypherpunks with Julian Assange, of WikiLeaks fame, and has worked closely with Edward Snowden in revealing NSA documents to the world, exposed the realities facing companies and individuals in the era of surveillance and espionage. "What is needed is freedom for everybody, without exception, and obtaining that freedom will mean a push for open standards, free software, legal reform and open hardware," he concluded.
Christopher Soghoian, a well-known privacy advocate at the American Civil Liberties Union, brought the topics home, exploring the privacy risks and liabilities to which we are exposed.
Later in the day, a standing-room-only panel discussion, chaired by Appelbaum, delved into the details of SA's Protection of Personal Information Act and its implications for business.
The focus on privacy, liability, and governance formed one cornerstone of the summit, giving executives high-level views of the issues involved, as well as immediate action plans to improve security management within their organisations.
Charlie Miller, an American hacker renowned for his exploits against Apple mobile devices and his recent demonstration of vehicle hacking, now Twitter's top security engineer, highlighted the ongoing inadequacies of security products. However, he ended on a positive note by identifying signs of improvement, both in the technologies sold and the ways they are deployed and used.
His second session, demonstrating security exploits against cars, set the scene for further technical presentations, including sessions on phone hacking, insider attacks, and investigations into the technologies underpinning criminal hacking tools - and how to detect and disrupt them.
Haroon Meer, one of SA's internationally recognised security experts, used the Security Summit to issue a call for investment in security skills, reducing local dependence on international skills and products, and developing local expertise and technology to counter threats.
Meer's sentiments were echoed by other speakers, including Piet Pieterse, head of the cyber crime unit at the SAPS. His insider view of the SAPS roadmap for combatting cyber crime was one of several sessions analysing the nation's readiness for thwarting online threats.
Much is lost in translation when it comes to communicating information security, noted Steve Jump, head of corporate information security governance at Telkom. "Business wants to know how information security breaches will affect their bottom line, what it means to them, and who will know or care, and it is all in the words we use."
With corruption prevalent in SA, criminals can easily access networks with no hacking tools needed, noted Jason Jordaan, head of SA's cyber forensic laboratory special investigating unit. Organised crime simply makes use of the human element, he said, noting that where social engineering fails, it is relatively simple to use corruption to gain access to enterprise networks and data.
"You need to know your people well, and be alert to changes in their behaviour or lifestyle. You also need to keep them happy, and strive to instil a strong culture of ethics throughout the organisation."