Friday, October 30, 2009

IMI Security Summit in Northern Kentucky: awesome security conference

I presented at the IMI Security Summit on the topic of "Threat Analysis as methodology for deriving risk-based security tests of web application software". This conference gave me the opportunity to present for OWASP, thanks to the invitation from Dr. James Walden, who teaches Software Security at Northern Kentucky University. This is the second time that I have given the talk at the IMI security conference. The organization of this conference is very good, as is the quality of the speakers; one outstanding speaker to mention this year was Patrick Gray, Principal Security Strategist of Cisco and a former colleague of mine at the company Internet Security Systems.

Patrick Gray is truly an awesome speaker and presenter. I thought it was worth attending the conference just to listen to his keynote. Patrick can communicate effectively to a wide audience of security folks; he gets people to think about security with simple messages, examples and a sense of humor. On the main message of his presentation, I think he is 100% right: the main security challenge that society as a whole faces today, besides combating organized cybercrime, is the increased importance of the human factor (he refers to it as the human firewall) as a way to mitigate new threats such as social networking threats and phishing. The new targets nowadays scale up to 300+ million Facebook users and involve new demographics such as Generation Y, which is prone to use social networks like Facebook and Twitter. As a security industry and as security practitioners, according to Patrick, we are challenged to respond to these new threats with increased education/awareness and the development of more effective security measures.

During the luncheon, I attended the presentation from Dr. Kevin Gallenger, "State of IT Security 2009". The survey data being presented are also in agreement with other surveys, such as the ones from the Ponemon Institute, CSI-FBI and Verizon on the state of information security within organizations. For example, the survey shows that less than 60% of organizations conduct a formal IT audit and that hackers and employees are equally problematic as a source of attacks (27%). A recent Ponemon-Imperva Institute survey also shows that 71% of companies do not think compliance is strategic to security, even after experiencing at least one data breach. Also, according to the same survey, internal sources of attacks are around 20-30% of overall threat agents.

The part of the survey that I liked the most was the emphasis on the difference between "acquisition" of security and "adoption" of security, in particular as related to compliance. Most companies, for example, acquire security tools and produce security policies in response to compliance requirements, but they do not fully implement and/or enforce them: the survey shows, for example, that only 54% of companies do that. Financial services are the ones that score best.

The survey also touches on the problem of incident disclosure: 44% of respondents indicated that they were unwilling to disclose the types of breaches.
Two Weights-Two Measures
I believe that security incident disclosure is one of the main problems we face in information security today: because we lack data on losses, fraud and incidents affecting different business sectors, we cannot identify needs and opportunities to improve security and make the business case for new security investments to mitigate these risks.

But there are some exceptions: compliance with SB (Senate Bill) 1386, for example, which is currently enforced in several US states, forces companies affected by data breaches to publicly disclose the losses, including customers' PII such as SSNs. Thanks to SB 1386, we can still factor in the business impact of data breaches. For example, 100 million records of PII reported as lost, at $25 per record (estimated as the cost to buy that PII on the black market), equals a $2.5 billion impact. I believe that only by factoring in the business impact of data losses and fraud is it possible to make informed risk decisions.

I also had a nice conversation with NKU professor Dr. Frank Braun. Dr. Braun's research covered business cases for software security such as ROSI, cost/benefit analysis and quantitative risk analysis as factors for making business cases. We shared some thoughts about business risk impact analysis and the human factors in risk decision making. We mostly agreed that (1) business security is the most important factor to security, (2) we lack data that prove the point about the business value of security, and (3) there is a need to approach security from a business perspective instead of a technical perspective, so as to take into consideration business impacts as well as the organizational culture of risk decision makers.

Unfortunately, most security decision making nowadays follows different factors, such as what "Gartner says", what a security vendor says, or what my competitor does. Instead of rational thinking backed by quantitative data, we follow an approach that is either purely speculative about security business impacts or that follows the so-called herd mentality...

Therefore we also concluded that there is a need for a new culture of security management that puts the quality of security data, especially data on the business impact of security losses, as a priority, so that it is possible to make informed risk decisions. This would require a change of culture and a new School of Information Security that puts the focus on meaningful metrics such as risk as the business impact of data losses and fraud data. To know more about what I mean by the New School of Information Security, I recommend reading Adam Shostack's book The New School of Information Security.

My presentation (please refer to our local OWASP chapter web page for further info) covered the topic of risk-based security testing and was nicely attended by several folks. I had a lot of questions after my presentation, which I usually consider the best evidence that I raised enough interest in the topic being presented. I think most organizations today are not doing security testing as well as they should. It is not enough to test for positive requirements to build secure applications; we need security tests that are driven by misuse and abuse cases. We also need to prioritize tests according to risk, so as to test first the ones that are most likely to exploit vulnerabilities and produce the largest impact. My presentation was also an opportunity to present version 3 of the OWASP Testing Guide. This guide includes several security test cases that can be used to test for the most common vulnerabilities in web applications. The OWASP Testing Guide also includes information on testing tools (most of them are OWASP tools) as well as techniques that can be used. The OWASP Testing Guide is considered by software security experts and thought leaders such as Dr. Gary McGraw to be one of the best pieces of intellectual property ever produced by OWASP.
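As an added illustration of the two points above (abuse-case tests alongside positive-requirement tests, and running them in risk order), here is a small constructed example. It is not code from the talk or from the OWASP Testing Guide. The component under test, `validate_username`, is a hypothetical, deliberately naive input validator; the likelihood and impact scores attached to each test are assumed values standing in for the output of a threat analysis.

```python
"""Risk-ranked misuse-case testing: constructed example, not the talk's own code."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# --- hypothetical component under test --------------------------------------
MAX_USERNAME_LEN = 32


def validate_username(name: str) -> bool:
    """Naive validator (assumed for the example): short, 'alphanumeric' or '_' only.

    str.isalnum() is Unicode-aware, so this accepts non-ASCII letters too; one of
    the abuse-case tests below is designed to expose that.
    """
    if not (1 <= len(name) <= MAX_USERNAME_LEN):
        return False
    return all(c.isalnum() or c == "_" for c in name)


# --- positive requirement ---------------------------------------------------
def test_valid_username_accepted() -> bool:
    return validate_username("alice_01")


# --- misuse / abuse cases derived from threat analysis (constructed) ----------
def test_oversized_input_rejected() -> bool:
    # Abuse case: attacker submits a huge value to exhaust storage or trigger bugs.
    return not validate_username("a" * 10_000)


def test_metacharacters_rejected() -> bool:
    # Abuse case: quote/space characters that a downstream query must never see.
    return not validate_username("alice' OR '1'='1")


def test_unicode_homoglyph_rejected() -> bool:
    # Abuse case: a look-alike account name (Cyrillic 'а', U+0430, instead of Latin 'a').
    return not validate_username("\u0430lice")


@dataclass(frozen=True)
class SecurityTest:
    name: str
    likelihood: int  # 1 (rare) .. 3 (likely); assumed threat-analysis output
    impact: int      # 1 (minor) .. 3 (severe); assumed business-impact rating
    run: Callable[[], bool]

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score, enough to order the test plan.
        return self.likelihood * self.impact


TEST_PLAN: List[SecurityTest] = [
    SecurityTest("valid username accepted", 1, 1, test_valid_username_accepted),
    SecurityTest("oversized input rejected", 3, 2, test_oversized_input_rejected),
    SecurityTest("SQL metacharacters rejected", 3, 3, test_metacharacters_rejected),
    SecurityTest("homoglyph username rejected", 2, 3, test_unicode_homoglyph_rejected),
]


def prioritize(tests: List[SecurityTest]) -> List[SecurityTest]:
    """Highest risk first; ties broken by name so the order is deterministic."""
    return sorted(tests, key=lambda t: (-t.risk, t.name))


def run_plan(tests: List[SecurityTest]) -> List[Tuple[str, int, bool]]:
    """Run tests in risk order and return (name, risk, passed) for each."""
    return [(t.name, t.risk, t.run()) for t in prioritize(tests)]


if __name__ == "__main__":
    for name, risk, passed in run_plan(TEST_PLAN):
        print(f"[risk {risk}] {'PASS' if passed else 'FAIL'}  {name}")
```

Running it shows the highest-risk abuse case first and reports the homoglyph case as a failure, which is the kind of defect a positive-only test suite never looks for; in a real plan the scores would come from the threat model rather than being typed in by hand.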
john said...

Risk driven security testing query provide better facility for encryption through security software please tell me best recommendable software for this testing.

trustedconsultant said...

Do not understand the question...

RU_Trustified said...

Perhaps you should consider that a large percentage of insider breaches are undetectable, so the number you reference is probably underestimated.