Entries Tagged "security conferences"

Page 3 of 11

All Those Companies that Can't Afford Dedicated Security

This is interesting:

In the security practice, we have our own version of no-man’s land, and that’s midsize companies. Wendy Nather refers to these folks as being below the “Security Poverty Line.” These folks have a couple hundred to a couple thousand employees. That’s big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don’t know any better. And the attackers seem to sneak those passing shots by them on a seemingly regular basis.


Back when I was on the vendor side, I’d joke about how 800 security companies chased 1,000 customers — meaning most of the effort was focus on the 1,000 largest customers in the world. But I wasn’t joking. Every VP of sales talks about how it takes the same amount of work to sell to a Fortune-class enterprise as it does to sell into the midmarket. They aren’t wrong, and it leaves a huge gap in the applicable solutions for the midmarket.


To be clear, folks in security no-man’s land don’t go to the RSA Conference, probably don’t read security pubs, or follow the security echo chamber on Twitter. They are too busy fighting fires and trying to keep things operational. And that’s fine. But all of the industry gatherings just remind me that the industry’s machinery is geared toward the large enterprise, not the unfortunate 5 million other companies in the world that really need the help.

I’ve seen this trend, and I think it’s a result of the increasing sophistication of the IT industry. Today, it’s increasingly rare for organizations to have bespoke security, just as it’s increasingly rare for them to have bespoke IT. It’s only the larger organizations that can afford it. Everyone else is increasingly outsourcing its IT to cloud providers. These providers are taking care of security — although we can certainly argue about how good a job they’re doing — so that the organizations themselves don’t have to. A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on — and who increasingly accesses those systems using specialized devices like iPads and Android tablets — simply doesn’t have any IT infrastructure to secure anymore.

To be sure, I think we’re a long way off from this future being a secure one, but it’s the one the industry is headed toward. Yes, vendors at the RSA conference are only selling to the largest organizations. And, as I wrote back in 2008, soon they will only be selling to IT outsourcing companies (the term “cloud provider” hadn’t been invented yet):

For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure — power, water, cleaning service, tax preparation — customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.


The RSA Conference won’t die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It’ll be security companies selling to the companies who sell to corporate and home users — and will no longer be a 17,000-person user conference.

Posted on February 22, 2013 at 6:03 AMView Comments

Sexual Harassment at DefCon (and Other Hacker Cons)

Excellent blog post by Valerie Aurora about sexual harassment at the DefCon hackers conference. Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community.

The response of “this is just what hacker culture is, and changing it will destroy hackerdom” is just plain wrong. When swaths of the population don’t attend DefCon because they’re not comfortable there or fear being assaulted, we all suffer. A lot.

Finally, everyone at DEFCON benefits from more women attending. Women “hackers” — in the creative technologist sense — are everywhere, and many of them are brilliant, interesting, and just plain good company (think Limor Fried, Jeri Ellsworth, and Angela Byron). Companies recruiting for talent get access to the full range of qualified applicants, not just the ones who can put up with a brogrammer atmosphere. We get more and better talks on a wider range of subjects. Conversations are more fun. Conferences and everyone at them loses when amazing women don’t attend.

When you say, “Women shouldn’t go to DEFCON if they don’t like it,” you are saying that women shouldn’t have all of the opportunities that come with attending DEFCON: jobs, education, networking, book contracts, speaking opportunities — or else should be willing to undergo sexual harassment and assault to get access to them. Is that really what you believe?

And in case you’re thinking this is just a bunch of awkward geeks trying to flirt, here are one person’s DefCon stories:

Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff (I do not have words for how slimy it is that the official security staff were in charge of what was essentially a competition to get women to show their boobs). Or lastly, the man who, without prompting, interrupted my conversation and asked me if I’d like to come back to his room for a “private pillowfight party.” “You know,” he said. “Just a bunch of girls having a pillowfight….fun!” When I asked him how many men would be standing around in a circle recording this event, he quickly assured me that “no one would be taking video! I swear!”

Aurora writes that DefCon is no different from other hacker cons. I had some conversations with people at DefCon this year to the contrary, saying that DefCon is worse than other hacker cons. We speculated about possible reasons: it’s so large (13,000 people were at DefCon 20), it’s in Las Vegas (with all the sexual context that implies), and it’s nobody’s home turf. I don’t know. Certainly the problem is rampant in geek culture.

Aurora also mentions the “Red/Yellow Card project” by KC, another hacker: warning cards that can be handed out in response to harassing behavior. The cards are great, and a very hackerish sort of solution to the problem. She gave me a complete set — there’s also a green card for good behavior — and I have been showing them to people since I returned. I haven’t heard any stories about them being given out to harassers, but I suspect they would be more effective if they were given out by observers rather than by the harassed. (Bystanders play a large role in normalizing harassing behavior, and similarly play a large role preventing it.)

Of course, the countermove by harassers would be to collect the cards as kind of a game. Yes, that would reduce the sting of the cards. No, that doesn’t make them a bad idea. Still, a better idea is a strong anti-harassment policy from the cons themselves. Here’s a good model.

More resources: here, here, and here.

Posted on August 15, 2012 at 8:57 AMView Comments

WEIS 2012

Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks.

On the second day, Ross and I debated — well, discussed — cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we weren’t spending enough on cybersecurity, and he argued that we were spending too much. For this discussion, we reversed our positions.

Posted on July 2, 2012 at 6:20 AMView Comments

Security and Human Behavior (SHB 2012)

I’m at the Fifth Interdisciplinary Workshop on Security and Human Behavior, SHB 2012. Google is hosting this year, at its offices in lower Manhattan.

SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others — all of whom are studying the human side of security — organized by Alessandro Acquisti, Ross Anderson, and me. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

This is the best and most intellectually stimulating conference I attend all year. I told that to one of the participants yesterday, and he said something like: “Of course it is. You’ve specifically invited everyone you want to listen to.” Which is basically correct. The workshop is organized into panels of 6-7 people. Each panelist gets ten minutes to talk about what he or she is working on, and then we spend the rest of the hour and a half in discussion.

Here is the list of participants. The list contains links to readings from each of them — definitely a good place to browse for more information on this topic. Ross Anderson, who has far more discipline than I, is liveblogging this event. Go to the comments of that blog post to see summaries of the individual sessions.

Here are links to my posts on the first, second, third, and fourth SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 5, 2012 at 1:16 PMView Comments

Attack Mitigation

At the RSA Conference this year, I noticed a trend of companies that have products and services designed to help victims recover from attacks. Kelly Jackson Higgins noticed the same thing: “Damage Mitigation as the New Defense.”

That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server — or merely stopping him from exfiltrating sensitive information.
It’s more about containment now, security experts say. Relying solely on perimeter defenses is now passe — and naively dangerous. “Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago,” says Dave Piscitello, senior security technologist for ICANN. “The criminal application of collected/exfiltrated data is now such an enormous problem that it’s impossible to avoid.”

Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies. “Security traditionally has been a preventative game, trying to prevent things from happening. What’s been going on is people realizing you cannot do 100 percent prevention anymore,” says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. “So we figured out what we’re going to do is limit the damage when prevention fails.”

Posted on April 27, 2012 at 6:53 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.