As usual I was running late this morning. I have a lot of trouble falling asleep when I stay at a hotel for a security conference. So I woke up and just had a little time to wolf down breakfast before the first session of the day. Breakfast was pretty good, but there wasn't any coffee though. Grrr. I was grateful that the Holiday Inn of Fargo has some of the fastest elevators that I've ridden on. That might have been the difference between breakfast and no-breakfast.
I started the morning with a presentation on REN-ISAC. It was nice to see someone explain what makes REN-ISAC different from the dozens of other information sharing resources in the Information Security community. This is probably the closest I've seen to sharing some of the data that we would need to start building good metrics in the industry. The barrier for entry is pretty high though, considering that you have to get two people to vouch for you as being a good person. My first impression when I hear stuff like that is "Fine. I don't want to be in your club anyway." I'm not saying that I disagree with the decision, it's just my gut reaction to lash out at anything that is exclusive. Since I don't know people that are members of REN-ISAC, I probably can't join so that makes it worthless to me. But the presenter said that they are making changes to the way people join and soon I will be able to join a less-trusted tier of the organization without having to get two people to vouch for me. That seems a lot better than my first idea of standing on a street corner in Chicago with a sign that reads "Will do dirty things in exchange for REN-ISAC references."
After that I sat through a presentation on Windows Live @ EDU. This is a topic that is particularly interesting to me right now. There are several schools in our system that are looking to outsource their email. In a recent meeting one of the IT directors at a local school asked "Why am I paying money that could be going into the classrooms for a service that people want to give me for free?" So I thought I should look at this in a little more detail. I have to say that I am fairly impressed. The basic service that is bringing people in the door I think is the email. Microsoft is offering 10 Gigs of storage, and our schools will be able to put our branding on the Outlook Web Access pages. Students will be able to get mail through the web, or they can use Outlook, or they can use any POP/IMAP client that they want. They can even get their mail from their mobile phones. Impressive, especially when you start syncing up your Global Address List and sharing distribution lists between your staff mail system and the students' mail hosted by Microsoft.
Live @ EDU goes beyond just hosting email though. Students also get the ability to store their documents "in the cloud" meaning that they can work from anyplace that has an Internet connection. And it looks like it is pretty easy to set up synchronization between your folders in the cloud and folders on your devices (just in case you're not connected to the Internet). Collaboration on documents is easier because they can share their desktop with up to 15 other people, and they also get a web space which they can use to write an information security blog. There are still some questions that I'd like to have answered and didn't get time to go into. For example, what kind of logs will we have access to and how quickly can we get them? If a student is harassing another student over email, will we be able to verify that and will we get a timely response? I'm not interested in putting a ticket in with the help desk and waiting two weeks for someone to get me some log files, and I don't want to hear that I need to get a subpoena. All in all, it is worth further investigation.
Lunch was really good. They had a taco bar with all the fixings. However, I think they really dropped the ball in the beverage department. The only thing that was available was milk. Yesterday when they were serving cookies during the break they had pop, but then with lunch they only had milk. Doesn't that seem backwards to you? You should serve the milk with the cookies and the pop with the spicy meat.
In the afternoon I went to a presentation on Cyber War, Cyber Terrorism, and Cyber Espionage with Joe St. Sauver from the University of Oregon. To be honest, I wasn't terribly interested in this topic but I've seen Joe talk before and he is so knowledgeable that it almost seems criminal to not go see him. Joe's style of presentation is freaking amazing and I'd love to get this down. His slides are chock full of information. It's like reading a book, but he doesn't read the slides to you. He's free form in his speech, and it just happens to keep up with his slides. So if you get tired of listening to his voice, you can read the slides. When you're tired of reading the slides you can start listening to him again and you won't be lost. I was also pleased to hear him echo many of the sentiments of Bruce Schneier about terrorism. In many cases he said that things were overblown and many times we are choosing security theater over real security. I thought it was really interesting the way he defined the difference between cyber warfare and cyber terrorism. It all comes down to publicity. If the action is publicized then it is terrorism. If it's kept quiet then it is warfare. Terrorism is designed to strike fear into the hearts of people, so keeping an event quiet by not bragging about it or making videos doesn't meet the needs of terrorism. Joe did make a great argument to explain why he views spam as a form of cyber warfare. It's an ongoing deliberate process that costs the US economy as much as $42 billion per year. That's almost as much as Hurricane Katrina cost. If you ever get a chance to hear him speak, I highly recommend it.
So those were the highlights from day 2. I did go to some other stuff, but it wasn't really worth writing about. I saw a presentation on the Federal Rules of Civil Procedure and how that affects IT Security. Be afraid because if you get sued you are going to get blasted for not saving everything and having it indexed. Or you can spend a ridiculous amount of money just in case you do get sued. Develop some policies, but if you don't follow them to the letter, you're still screwed. Just go spend some money. There, now you've been to the presentation too.
Overall, I'm glad I went to this. At a minimum I feel like I need to support security conferences in the Midwest, and the price tag on this particular conference makes it ridiculous not to go. Good information at a good price. What more can you ask for?