The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others. This conference is aimed mainly at government agencies. So it addresses the various compliance issues with which they have to deal.
Session 1: You Can take the sting out of ransomware.
Presentor: Michael Corby CGI Technologies, CISSP (apparently one of the creators of the CISSP cert and a founding member of (ISC)2 )
Points of interest:
- Security cannot keep up with malware vendors
- People are the problem
- Current methods eradicate the effects only
- The way to mitigate this is to “do your job”
- The cost of eradicating issues is large
- There needs to be a financial benefit to the malware purveyors
- What is ransomware
- Financial services
- Effects of headlines
- Do your homework
- Recovery examples
- Hollywood Presbyterian
- Chino Valley Med Ctr
- Methodist Hospital
"Stop Wagging your finger", start solving the problem - "decriminalize behaviors"
This was something that was extremely relevant and unfortunately too true in many institutions/businesses. The point here was that many of our users are more fearful of reporting an incident, than of the incident itself (the I'll get fired if I report this mentality). It is more than important to give every user the tools and motivation so that they will feel it is better to report a security incident than to hide one. You risk company assets (such as the network) if employees fear what will happen if they report a problem. Telling them that visiting a malware site is a "fire-able" offense, will not help when someone gets malware on their computer and ignores it for fear of being fired.
If updates/upgrades are not going to happen soon, then it is time to change the way you are spending your money. Lost time due to malware IS lost money. Not investing in the proper upgrades and updates will bankrupt a business. If there is a policy in place that must vet the update before it is rolled out, why is that policy there and is it worht being hit by wannacry ransomware because you were still testing the update? I bring this up as an example, because that is exactly what happened at my institution. The change procedure did not allow user initiated upgrades and the upgrade that would have protected desktops from getting the wannacry ransomware was never rolled out because it hadn't been properly vetted yet. Needless to say the day after the outbreak the update was rolled out to all devices. The moral is to put maintenance and testing in the project plan to begin with.
Ransomware is Like rain
The point was made that ransomware is like rain. There are three possible solutions to not getting wet, STOP the rain, Go somewhere else, Use an umbrella. Of the three, the most cost effective and the one most likely to succeed, is the last choice. This amounts to protecting yourself by putting appropriate measures in place (such as backups) so that when you get "wet", or hit by ransomware, you will have a way to recover.
Assuming you have followed the advice above. Your recovery process should be as follows. First and foremost, take immediate action by disconnecting/isolating the infected device. There should be a response procedure that includes a dedicated response team. The next steps are a little fuzzier, because they depend on what direction you wish to take. You may wish to contact law enforcement either before going any further (in case they wish to perform forensics on the system), or once you are back up and running - depending on the expense of downtime and whether you can substitute the infected box for another one.
Either once the law enforcement agency has given you the go ahead to restore, or if you have another device to restore to, restore from a clean backup. Whatever you do DO NOT pay the ransom, for a number of reasons. Primarily, you are not guaranteed that you will get your data decrypted, you are dealing with extortionists. The FBI suggest not paying the ransom. If you do pay the ransom and do get a working decryption key, you do not know that there is not a backdoor on your system that can be used to extort money from you again. If you do contact law enforcement, know that you may lose control of the situation. They will most likely confiscate your physical device. This may cause loss of any of your data on that device.
Some preventative measures that can help
- Keep all software up to date
- Have an Awareness training program specifying who to call
- Make sure AntiVirus / AntiMalware applications are set to auto update
- Manage administrative accounts actively (for instance, if someone leaves their administrative account should be disabled immediately)
- Enforce the Priciple of Least Privilege (PoLP) which states that one should give the least amount of priveleges possible for any user to do their job. Very few, if anybody, should be logging into their computer on a daily basis as an administrator.
- Disable Office Macros in email
I might add the original of the cartoon in the beginning of this article was used by this presenter.
Joys of Tech carton - The internet of ransomware Things ...
Takeaway: I thought this was an excellent presentation especially the ransomware=rain comparison.
Session 2 – All locked up and nowhere to go – Kaspersky
I didn’t take notes on this one for 2 reasons –
- it was more interesting and I didn’t want to miss what he was saying
- The presenter said he would send his slides (which he did)
The white paper by the same name is an excellent start on this topic
Session 3 – Cryptography (ASIA)
- Guessing attacks
- Medical trial (drug vs placebo)
- Turing test
- Zero Knowledge protocol
- Offline guessing attacks
- Electronic Voting protocols
- Why care
- Users often use weak passwords
- Provide formal model which captures knowledge
- Developed co saturation procedure provide static inclusion and equivalence
- Certain classes of intruder theories
- Blind signatures
- Homorphic encryption
- Public encrypt/decrypt
- 1st frame evolves by adding mapping
- 2nd frame tries to catch up
- Extensions are done in lock step
- Analysis tool like Maude-NPA
- Cryptographic protocol
- Describes executed by agents through a network where messages are part of the messages produced
RSA based Electro-optical secure cryptosysytem
- Coherent optical techniques for encryption
- Two dimensional fourier transform easily obtained at focal plane of a converging lens
- 2f system
- Why use optical?
- Parallel processing
- High speed
- Multiple dimensions (phase, polarization, wavelength, frequency of light) and use for encryption
- Double random phase encoding method
- Phase-truncated fourier transform (PTFT) scheme
- True asymmetric key encryption
Takeaway: Not only is cryptography changing in leaps and bounds, it can be really cool as well!
Session 4 – How to teach your organization to think stgrategically about security
I thought this session was going to be different, but boring different – I was wrong. The speaker was from the Gartner group. She was excellent. She spoke at length about the various types of problem solving that is creative and helps us “think out of the box” so to speak.
She used this graphic in her introduction slide:
The types are the Socratic Method, The Debate Method and using Blooms Taxonomy.
Socratic Method: Ask and Answer questions
Debate method: Formulate an hypothesis, hear opposing views, rebut opposing views, repeat …
I found it interesting that she was basically encouraging leaders to lead by being nurturers not bosses. Many institutions have an atmosphere where the head of a group is a boss and does not encourage his/her team to make those strategic planning decisions using such methods but rather hands down what will be and commands. The speaker also encouraged businesses to adopt the policy of the 5/7 whys. In this case, when one is told “We don’t do it that way.” The response is always “Why?” This process is repeated many times until the person who originally was so adamant begins to question why they are so.
Takeaway: There are leaders and there are Bosses. The leaders help their teams think about solutions and then make decisions, the bosses make decisions and tell their teams to carry them out.
And that was just the first day of a 2 day conference (the second day was not nearly as good).