Auscert 2005 Conference Day 1 Notes

Greetings again from the Sunshine Coast!

Well, Day 1 of the conference went pretty well.  I spent the day attending various sessions and particularly enjoyed the keynote session.  In this session Bruce Schneier spoke about security design in regards to what works and what doesn’t.  What I got out of this session is that a lot of the security problems we see today come down to people and not technology.  The majority of people do not work in technology like those of us in the geek world and they don’t care how it works or why it fails.  They just want it to work.  Some of the strategies he outlined included:

  • Security is only as strong as its weakest link – meaning you are only as strong as your weakest link
  • Defence in Depth – Looking at a layered approach where people and process are the most important
  • Choke points – This is about channelling data through specific tunnels – I like the example he used about how the conference organisers got us to line up for registration in a single line!
  • Dynamic Security – This was really about reactive security policies

The next session I attended was the Ask the Panel of Experts session.  This was a great idea because we got to hear real opinions about where the internet is going in the next 10 years.  Key points made:

  • The Internet was never really designed to do what it’s doing today – An interesting discussion got going on this topic
  • Most organisations don’t think 10 years out and are bound by their 3 fiscal year cycles.

The next session was Jesper Johansson’s session on security myths.  Jesper as usual did a great job of presenting the myths about security.  The interesting thing is he spent some time on the use of passwords and suggested that instead of using the same password for 10 different logins it might be better to use a complex password for each; write them all down and store them in a safe place.  Well, ZDNet Australia picked up the story and headlined it on their website.  Personally I use eWallet to secure all my passwords both on my laptop and my PDA.  Internally at Microsoft we use two-factor authentication for remote VPN access with the use of a complex password and a smart card.  We will be moving to the use of smart cards for domain authentication in the future because ultimately passwords are not secure.

The next session I attended was another Microsoft session run by Jason Garms on Microsoft’s view of spyware.  This was a good session that went through the history of spyware, where we think it’s going and what we are doing about it going forward.  The new AntiSpyware Beta is a great step forward.

The rest of the day I spent on the Microsoft stand talking with customers and managed to sell a few people on Windows XP Media Centre Edition which was cool.

Then it was out to a nice Japanese dinner with some friends from the Vectra Corporation and a couple of guys from Adelaide Bank.  Nice meal and good company as well.

The best thing that was announced at the end of Day 1 was that my team won the corporate golf day which was run on the Sunday!  I was very happy about this and we each won a $100 voucher to spend anywhere at Royal Pines and a copy of CA’s eTrust PestPatrol 2005.  I’ll have a look at this and see how it compares to AntiSpyware.

Bye for now…