Tuesday, October 21, 2008

NDSU IT Security Conference for K-20: Day 1

Tonight I am blogging to you from exotic Fargo, ND. One thing that I complain about frequently is the lack of Information Security conferences in the Midwest. Sure we might get one now and then in Chicago, but for the most part I think the Midwest gets ignored. I think the SANS institute considers this part of the world "flyover territory" because just about everything they do is on the east coast or in Vegas. Well if people wont bring the party to the Midwest, then North Dakota State University decided to just throw their own party. Thus, you have the IT Security conference for K-20. This is particularly nice for me because the conference focuses on IT security in education.

So far the experience has been mixed to be quite honest. My hotel room is great, and the rate was outstanding. I'm also really pleased that the elevator is fast. I'm the kind of person who doesn't want to waste my life waiting for the elevator, and I guess the people of Fargo feel the same way. On the other hand, the slot for putting my key card in the door of my room is really small and I miss a lot. That's irritating.

My main complaint for the day has been crowding, but that eased up in the afternoon. I went to a morning session on using Wireshark and Seccheck to identify and clean up malware infections. For some reason the room was completely packed, and the word on the street was that people who had signed up for one of the other pre-conference sessions sneaked into this one. So I didn't all of the materials and I had to sit next to a guy that kept making fun of me for using a Mac. I don't mind that he was making fun of me, but I was trying to listed to the woman give her presentation, not listen to some Santa Claus looking old man brag about his Dell D630 like he's running the Porsche of laptops. Other than the crowding, the presentation was pretty good. It was nice to get a refresher on using Wireshark, and I even picked up a couple new tricks. I also remembered some tricks that I had forgotten. I was a little disappointed though because I thought the presentation was going to discuss detecting malware using wireshark, and instead we were really using wireshark to verify that a machine was doing suspicious stuff. It is unlikely that I am going to sniff all of my network traffic and then go through it with a fine-toothed comb looking for weird activity, so I'm not sure that it is fair to say that you're detecting problems with Wireshark. The Seccheck stuff was pretty interesting too. With Seccheck you can get a report of the executables running on your machine and automatically run them through Virustotal. It was interesting, but to be honest if I have a machine that is infected with something, I'm just going to re-image it. She did mention that sometimes with servers or machines running specialty software you can't just re-image though.

The keynote speaker was Seth Fogie from Airscanner corp talking about evangelizing information security to your communities. This was a very good presentation. I think I came away with a few ideas worth exploring. He talked about the way that information security is branded and sold right now, and he sounded very much like the authors of New School of Information Security in that he was not fond of using Fear, Uncertainty, and Doubt to get things done. Then he went into some of the creative ways that people have been getting the message out about information security and described why these alternate techniques are better for us in the long run. The only downside was that the room was very crowded and there wasn't a place for everyone to sit.

After lunch I went to a presentation on Risk Management, and I was not terribly pleased. First of all, it was standing room only which really irritated me. Eventually they got more chairs in there, but I was already upset about how crowded the earlier sessions were. The speaker was talking about the basics of Risk Management, much of the same material that I go over when I talk to security classes on my campus about risk management. I was disappointed, however, that she didn't address some of the impossible problems that come with using Annualized Loss Expectancy. For example, how do you know that you have listed all of the possible threats that are faced by your assets, or even that you have listed all of your assets. Then there is the question of how to reliably record the value of your assets, and the probability that these threats will come to fruition. I asked her about this stuff at the end of the presentation and she admitted that ALE has some problems, and that's why she doesn't use it. Let me say that again, she gave a one hour presentation on the merits of using ALE, and she doesn't even use that system herself. OMG. Worst part was that she never did tell us what she does use that is superior to ALE. I had to leave right away after that because I wanted to get a decent seat in the next session.

The last session of the day that I went to was John Weaver of JBW group. I've had the opportunity to hear John speak before and he was very good. This presentation was also quite good. There were a lot fewer people in the room, and he allowed the presentation to turn into a discussion group rather than a lecture. That was a nice change of pace by the end of the day. We talked about some of the changes that came with the new version of PCI and some of the strengths and weaknesses of the PCI Data Security Standard. I was also able to pull him aside afterward and pick his brain about ISO vs. ITIL.

Anyway, I skipped the social hour and went across the street to the steakhouse and had a big prime rib. I'm so stuffed now. I'm going to play on my laptop for the rest of the night and then try to get some sleep.


Stephen Northcutt said...

Fly-Over Zone, nice turn of a phrase. Here is an event in Memphis:


Colorado Springs:

Salt Lake City:

And you get the idea, here is the list:

But you are right, we need to work harder on that. Drop me a note and let's see what can be done.

Black Fist said...

I hope you don't feel like I was picking on SANS in particular, as much I was picking on all of the security conferences in general.

I also think it's funny you said "turn of phrase" since they just made fun of that on Family Guy as I'm typing this. Anyway...

The links you provided look more like individual classes rather than security conferences. When I think of conferences, I think of things like RSA, Black Hat, or the SANS WhatWorks sessions. Training wise, I don't think that SANS has ignored the Midwest, and even if they did the @Home classes are good enough that it wouldn't matter. I took Security 508 with Rob Lee using SANS @Home and I think it probably made the class easier for me.