Saturday, August 11, 2007

PPT3> A Review of the Usenix Security Symposium

PPT is no longer just a file extension for Microsoft PowerPoint files. For the purposes of my blog, PPT will denote "The Power of Positive Thinking". If you don't have slightly geeky tendencies, you may want to skip today's post.

So, overall it was a good week. While the commuting into and out of Boston was exhausting and expensive, the conference was well worth the effort. On Monday and Tuesday, I participated in a workshop called TCP/IP Weapons School led by Richard Bejtlich. We reviewed a lot of really cool tools for network hacking and defense. My two favorite tools were Fragroute and Metasploit. Fragroute is primarily used to obfuscate traffic, making it more difficult for security devices to recognize exploits over the wire. Like Nessus, Metasploit can be used to pinpoint vulnerabilities on a machine; however, Metasploit allows you to actually bring the message home by letting you demonstrate the use of an exploit. While both Fragroute and Metasploit were developed for security research and awareness purposes, we all know that the tools are also utilized by 'the dark side'.

For me, the conference opened and closed with talks by two non-technical people. The first was "How the iPod Shuffled the World as We Know It" by Steven Levy, Senior Editor and Columnist, Newsweek. While this was an interesting and entertaining topic, there really wasn't much relevance to network security. The latter, "Covering Computer Security in The New York Times" by John Schwartz, The New York Times, was more germane and engaging. I may need to start actually reading this guy's columns. I'll still know more than him when it comes to security, but it's good to know what the general populace is being told about the issues that I care about.

Hands down, the most interesting, engaging, and frightening talk was given by Greg Hoglund on "Advanced Rootkits". A lot of Greg's talk delved deeply into programming techniques for rootkits. He convinced me that there is currently no way to be fully protected against what an astute hacker can do to you. No amount of security software and network appliances can stop elite hackers from getting what they want from your computer. If you are interested in this topic, I highly recommend a visit to Greg's web site www.rootkit.com.

Jerry Brady, of Morgan Stanley, spoke to "Computer Security in a Large Enterprise". Jerry is a sharp guy. He spoke eloquently about the challenges of security in a large, multinational organization. One key issue that he mentioned is how difficult it is to patch systems in a multinational 24x7 operation with no allowance for downtime. Also, when you are part of a very dynamic and driven commercial entity, sometimes you have to be willing to accept a certain amount of potential IT security risk in order to meet the demands of the market. Risk acceptance is a huge part of the IT security paradigm these days. You are never going to mitigate all your risks (or vulnerabilities). However, you should do your best to identify them all, present them to management, and, as a company, figure out how much risk you are willing to accept in order to meet the goals of the business. Remember, an IT security person's ultimate concern may be IT security; however, that is not the ultimate concern of the business. IT security is there to protect the business's ability to pursue its real goals, and not get in the way of that.

Another highlight of the conference was Markus Jakobsson's talk on "The Human Factor in Online Fraud". It was amusing, amazing, and frightening to hear the results of his study of (basically) human gullibility. This talk complemented a presented paper, "Spamscatter: Characterizing Internet Scam Hosting Infrastructure" by David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker, University of California, San Diego. The findings of both studies reinforce my goal of educating users on dangerous behaviors, protections that can be put in place on any workstation by most levels of user, and means of verifying site validity on the Internet.

Sadly, next year's Usenix Security Symposium is in California, so I probably won't be going. I'm not big into travel. Plus, there are usually budgetary issues in my organization that discourage people from going to conferences that involve travel unless there's a clear big payback involved. I don't know that I could make the case on this one. Then again, maybe I could. Still, I think I'll pass on the plane ride in this case.