During lunch I loved the presentation by Dr Kevin Gallenger on his information security survey, "State of IT Security 2009". The data shown matches previous surveys I have seen, such as those from the Ponemon Institute, CSI-FBI and Verizon. For example, it shows that fewer than 60% of organizations conduct a formal IT audit, and that hackers and employees are equally problematic (27% each). Finally some good data: take as a reference the recent Ponemon-Imperva research showing that 71% of companies do not think compliance is strategic to security, even after experiencing at least one data breach. And finally we can suspend the vendor-biased belief that most attacks come from internal sources, when in fact the figure is at most 20-30%. The part of the survey I liked the most was the distinction between the "acquisition" of security and the "adoption" of security, in particular as it relates to policies and compliance. Most companies acquire security tools, enact policies and even define processes, but they do not fully implement and/or enforce them: the survey shows, for example, that only 54% of companies do. Financial services score best on implementation, mostly driven by compliance. The survey touches the core problem of information security: 44% of respondents indicated that they were unwilling to disclose the types of breaches they had suffered. This is the main problem we face in security today: the lack of data on losses, fraud and incidents affecting business sectors, data we need in order to identify needs and opportunities to improve and to make the business case for security investments. In essence, security has a mafia-style problem: "we all know but we do not say", keeping it within the family business, "cosa nostra" style...
It is good that we have California's SB (Senate Bill) 1386, and similar laws now enforced in several other US states, forcing companies affected by data breaches to publicly disclose any loss of customers' PII. In these cases, thanks to SB 1386, we can at least estimate the business impact of a data breach, for example: 100 million PII records stolen at $25 each (the estimated price of that PII on the black market) equals a $2.5 billion impact. This is the data we need to take the metrics to the next level of maturity: we need to correlate data breaches with business impact and fraud, and monetize the losses, so that we can make business-like, informed risk mitigation decisions. The other part of the conference I loved was talking to Dr. Frank Braun (like Von Braun, but his name is Frank..). We talked over a nice glass of Merlot and
some Camembert cheese, kindly sponsored by Apple Inc, about business cases for information security. This is a topic I will be presenting at a security conference in Italy next week, so I was surprised to find that Frank's research already covered a lot of my own research on business cases for software security, such as ROSI, cost/benefit analysis and quantitative risk analysis as factors for making business cases.
I loved the conversation with Dr. Frank; later on, we shared some thoughts about business risk analysis, human factors in risk decision making, and general biases in decision making. I really loved the conversation at that very high level; it was like when minds connect and elaborate for the common good. What we elaborated was: #1 business security is the most important factor in security; #2 we need data that proves the point about the business value of security; #3 we need to approach security for the business taking into consideration the context and culture of the "security decision makers". Most security decision making by senior and executive management nowadays follows what "Gartner says", what the vendor says, or what my competitor does. This is not rational thinking backed by quantitative data; it is something that is either purely qualitative, speculative or, at best, herd mentality... So we need to get people on board with the new thought process for security management and recruit members for this New School of Information Security: a cost- and fraud-data-driven approach, unbiased by Gartner and the security vendors and their agendas. If you would like to know more about what I mean by the New School of IS, I recommend reading Adam Shostack's book, The New School of Information Security.
My presentation on risk-based security testing (refer to our local OWASP chapter web page for further info) was nicely received. I was glad to have the audience ask me a lot of questions after my talk: to me that means I raised enough interest in the issue, namely that we are not doing as good a job of security testing as we should. I hope people will go and download the OWASP Testing Guide (according to software security "Illuminati" Gary McGraw, the best piece of IP from OWASP, even if it comes from "communist" Italians... but I am not represented there by party affiliation..).
3 comments:
Risk-driven security testing query: does it provide a better facility for encryption through security software? Please tell me the best recommendable software for this testing.
I do not understand the question...
Perhaps you should consider that a large percentage of insider breaches are undetectable, so the number you reference is probably underestimated.