I wandered up to Kensington Olympia exhibition centre today to spend some time at the biggest IT security event in the UK. I was a little underwhelmed, to be honest. The speakers I saw in the technical arena were basically trying to pimp their warez, and I wasn’t really there to be sold to. As an organisation, mine doesn’t have much to throw around, and they’ve already invested in plenty of software and hardware to do the jobs they need. The speakers were really talking niche problems too, not real-world enough for me to be hooked into their train of thought.
IT security tends to live a lot in the WOW factor of things. For example, a new favourite story is that you can freeze the memory of a laptop left in a cab, mount it into another PC which, with a package that’ll be available next week, will be able to read all the good shit out of your PC: passwords for all your favourite websites, AD domain credentials, Cisco VPN client password hashes, etc. But they seem to skim over the chances that someone within reach of your PC will be geeky enough to be skilled in the above procedure in the first place, have a can of spray duster and live near enough to get the laptop to an environment to work on it, or have a thermos mug of liquid nitrogen to dump the memory chip into, etc. They all require a pretty far-fetched sequence of events to occur for someone to actually be able to sit there and say ‘I’ve got all your credentials’.
We all know that a PC hard disk that’s in the ‘hands’ of a hacker or cracker is compromised. You have to have a pretty incredible security policy, some VERY well trained and paid client OS build staff and a fair amount of monetary resource to be able to put up much of a fight against someone with direct access to your PC, or server for that matter. The hackers and crackers of this world are always on the front foot, always having more time to dedicate to thinking outside the box, and corporates are always playing catch-up to the shouts and screams of the security fraternity with things like the spray can story I’ve just mentioned. To top that, corporate staff only work 7/8 hours a day; hacking and cracking, to the discerning uber geek, is a lifestyle, not a 9 to 5 job. Employees and software solutions find it very, very difficult to match that dedication.
So, I was more than a little disappointed in the Single Sign On and Web 2.0 threats talks I hung out in, which were glorified sales pitches, and that put me off going to any others.
I did gain a lot more, though, from speaking to vendors my organisation already has investment in, such as Citrix, IBM/ISS and HP in particular. The guys looking after the HP stand were really friendly and helpful, and the IBM/ISS techs were accommodating to my dumb-ass questions about their kit that I already look after! I did come away a little gutted that there really isn’t that much more to tell about the game I already administer, and all the interesting stuff was more directed at other teams in my department. So I reckon I should stop guessing there’s more to it and squeeze more from our existing setup.
Hey ho, it’s off to work I go!