Endpoint security in the wake of the Google attacks.
Vendors may hype the attacks against Google and at least two dozen other companies as evidence that the attacks are becoming more sophisticated. However, security researchers generally tell a different story when discussing the latest attacks. In fact, most experts say the attack techniques used against Google are the same tactics seen in the past: a mixture of phishing and drive-by attacks targeting Web application holes and zero-day vulnerabilities. At least one panel discussion aims at trying to help security pros determine if some of the news has been overblown. "The End of the Internet as We Know It? Separating Reality From the Hype," with network security expert Dan Kaminsky of IOActive, Tom Cross of IBM Internet Security System's X-Force research team, Christopher Lee of the ShadowServer Foundation, and Dmitri Alperovitch and Sven Krasser of McAfee Inc. research, should help people better assess what's really going on. "We're seeing an automation of the attack techniques and a refinement of the attack process," said IBM's Cross in an interview last week. "[Cybercriminals] have developed better business processes and the more they automate the easier it is to recruit and retain less skilled people."
Keeping public and private clouds secure.
Virtualization and the software and infrastructure that it takes to create a virtual environment is the underlying infrastructure that makes up a "private cloud". This year all the chatter may be about private and public clouds and a hybrid approach. Calling everything "cloud" makes it difficult to understand what exactly you're talking about. According to some experts, some organizations may find creating a private cloud the next logical step after deploying a virtual infrastructure. Jim Reavis of the Cloud Security Alliance and Steve Riley of Amazon Web Services LLC will discuss "Industry Efforts To Secure Cloud Computing," ensure data integrity and design a cloud model that will withstand the rigor of an audit. "The differences come in with the accessibility and the elasticity of what is reported to be the cloud," said Ramon Krikken, an analyst with the Burton Group. "There is a difference between just virtualizing and creating an environment where all of your clients are highly mobile, elastic and scalable."
Cyberwarfare and critical infrastructure protection.
The new White House appointed cybersecurity coordinator, Howard Schmidt, and Janet Napolitano, secretary of the Department of Homeland Security, are scheduled to speak about the government's progress on defending systems tied to critical infrastructure and how the private sector can help. FBI director Robert S. Mueller will follow them later in the week. A recent report by the Center for Strategic and International Studies (CSIS) and McAfee outlined the central problem. The survey of 600 IT and security executives who work for many of the companies that run water treatment plants, oil and gas refineries and other critical infrastructure facilities, found a lack of confidence in their ability to defend against a cyberattack. About 40% of those surveyed expected a major incident -- an attack resulting in major consequences -- within a year, and 80% said they expected a major incident within 5 years. While government executives continue to call for more information sharing, no doubt attendees will be looking for less hyperbole and more indication of action this time around.
During a press briefing for the CISIS report, a telecommunications executive wasn't shy about his frustration with the government on information sharing. "We have meetings and we all smile at each other, but I don't take anything away from those meetings that are useful for me to protect our infrastructure," said Adam Rice, chief security officer at India's largest telecommunications company and ISP, Tata Communications Ltd. "We have a lot of intel that we can pick up off of our networks and we would be happy to share it with anybody who asks for it through the right channels, but in exchange, we would also like to get tangible threat information on where we can take our limited resources and apply it more effectively to get in front of these threats." Keep an eye out for ways that information exchange can happen between the government and the private sector without trampling on privacy issues or classified government information.