Friday, April 6, 2012

Hurrah! There's a silver bullet for information security

Gene Spafford was supposed to give the Infosecworld opening keynote, but called in sick. He was replaced by Dave Kennedy. He started by restating the obvious: that we're throwing hardware, software, consultants, and ineffective pentesting at the problem and none of it is working. He described some interesting attacks, cloned a website, discussed some social engineering attacks using information from LinkedIn and Facebook to impersonate an employee, and recounted connecting a device inside a keyboard that generated information to own the system. Then he said effective pentesting is the key to information security, and that the usual pentests are useless. I don't know how much distance there was between him as pentesting evangelist and as salesman for his employer Diebold's pentest practice. Kennedy is employed by Diebold and conducts pentests for a living. It sounded as though the only ones who conduct pentests correctly are Diebold. (Kennedy's also involved in the Penetration Testing Execution Standard (PTES).)

While it's a reach to think that pentesting is the be-all and end-all of infosec, later in the conference a panel discussion between some enfants terribles made a different claim. After telling the audience that it was stupid and ineffective, they said that the solutions to the problem lie in hiring smart people, thinking outside the box, and reading log files.

A general theme was that risk trumped infosec; that is, determine what most needs to be protected, then protect it, rather than trying to protect everything. There's a trend toward the creation of Chief Risk Officers, with infosec reporting to them instead of CIOs, thereby removing some conflict of interest. Awareness continues to be important because "There's no patch for stupid." Good luck with that one.