Monthly Archives: May 2015

AtlSecCon 2015: signs of a truly future ready industry

Let’s be honest. Atlantic Canada isn’t the first place you think of when you want to #BeFutureReady. Events like the Atlantic Security Conference (AtlSecCon) are working hard to change that.

Before we go any further, I do have something to confess. I am one of the organizers of the conference. I wasn’t when it started five years ago, but I saw the potential even then.

The conference has grown steadily over the past five years, with this year being particularly notable with attendance at an all-time high and increased sponsorship from companies such as Dell. We also had world-class speakers like Mkit CEO Matias Katz, who came all the way from Argentina for the third year in a row.

Here are three future-ready takeaways from AtlSecCon:

1. The future is bright: Since its inception, student attendance has normally been low at AtlSecCon. This is most likely due to the fact that it happens over the span of two weekdays. It wasn’t the case this year. There were record numbers of student attendees from well-known educational institutions such as Dalhousie University and the Nova Scotia Community College (NSCC). This goes to show that institutions like these realize that the best place to learn isn’t necessarily in a lecture hall. Networking with industry professionals can go a long way in helping to guarantee a bright future.

2. The future is female: AtlSecCon had an amazing volunteer crew this year, and they were all female NSCC students enrolled in various IT programs. As we all know, the “lack of women in tech” issue has been around for more than a few years. We at AtlSecCon have always recruited women to attend and speak at our conference. This year was no exception:

  • Well-known TED speaker Keren Elazari, Research Fellow at Tel Aviv University, spoke about the good that hackers can do.
  • Ksenia Dmitrieva, senior security consultant at Cigital, showed attendees how to use Content Security Policy to protect Web applications.
  • Anna Manley (a fellow Cape Bretoner), an articled clerk at Sampson McDougall, asked the audience, “Can the police legally compel you to provide the encryption key for your encrypted laptop?”

3. The future is local: While we had no shortage of come from away* speakers, our crop of local speakers grows every year.

  • Ben Goodspeed, principal at Goodspeed IT Consulting, discussed formal mathematical methods in security research.
  • Paul Halliday, senior software developer at Critical Stack, talked about squert, a widely-used open source Web interface for network/enterprise security monitoring that Halliday built, in Nova Scotia.
  • Daniel Merritt, software development consultant at Merritt Consulting, introduced us to traffic logging in network forensics.
  • Peter Morin, senior specialist — IS Response at Bell, showed us how to take a forensic approach to incident response.
  • Colin O’Flynn, electrical engineering consultant, not only showed us the technical workings of side-channel power analysis and glitching attacks, but also how they apply to real systems, and what this means to those designing those systems.
  • Julien Savoie, network administrator at Universite Sainte-Anne, cut through the hype and answered some basic questions about Tor and how well it stands up in a post-security breach world.
  • David Shipley, director, Strategic Initiatives, Information Technology Services, showed us how the University of New Brunswick is using policy, practice and technology to enhance cybersecurity.

Do you think Atlantic Canada is future-ready now?

*Atlantic Canada slang

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.







PenTest vs. VA: One Of These Things Is Not Like The Other

As a QSA, I’m often required to review the results of a vulnerability assessment and a penetration test as part of an overall security assessment. When I ask my clients for each report, I often get this response:

“Aren’t they the same?”

They aren’t. While somewhat similar in concept, they produce distinctly different results.

Penetration tests (commonly known as PenTests) are used to identify methods of exploiting vulnerabilities with the intention of finding security weaknesses in a system, potentially gaining access to it, its functionality and data. It’s a mainly manual process that can include vulnerability scanning and other automated tools. At the end of the engagement, an extensive report is generated. It contains a description of each vulnerability verified and/or potential issue discovered, along with the more specific risks that vulnerability may pose, including how and to what extent it may be exploited. Examples of vulnerabilities include but are not limited to SQL injection, privilege escalation, cross-site scripting, or deprecated protocols. PenTest engagements may last days or weeks depending on the scope of the tests and size of the environment to be tested. Tests may grow in time and complexity if efforts uncover additional exploits.

Vulnerability scans (commonly known as VAs) identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system and/or network. Typically a variety of automated tools are used in combination with manual verification of identified issues. These tools list the potential risks posed by known vulnerabilities, ranked in accordance with NVD-CVSS base scores that are associated with each vulnerability. Scans usually take a short amount of time, which can range from several seconds to several minutes per scanned host.
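To make the ranking step concrete, here is an added example (not part of the original post) that computes base scores from vector strings and orders a scanner's findings for remediation. It assumes CVSS v2 vectors and the NVD v2 severity bands, since the post does not say which CVSS version is meant; the hosts, titles and vectors are constructed sample data.

```python
# CVSS v2 base-metric weights from the CVSS v2 specification.
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication
    "C": CIA, "I": CIA, "A": CIA,               # impact metrics
}

def base_score(vector):
    """Return the CVSS v2 base score for a vector like AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    if set(parts) != set(WEIGHTS):
        raise ValueError(f"incomplete or unknown metrics in {vector!r}")
    try:
        m = {name: WEIGHTS[name][value] for name, value in parts.items()}
    except KeyError as exc:
        raise ValueError(f"bad metric value in {vector!r}") from exc
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def severity(score):
    """NVD severity bands for CVSS v2 base scores."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def rank(findings):
    """Sort scanner findings so the highest base score is remediated first."""
    scored = [dict(f, score=base_score(f["vector"])) for f in findings]
    for f in scored:
        f["severity"] = severity(f["score"])
    return sorted(scored, key=lambda f: f["score"], reverse=True)

# Constructed sample findings (hosts, titles and vectors are illustrative).
FINDINGS = [
    {"host": "192.0.2.10", "title": "Cross-site scripting", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"},
    {"host": "192.0.2.11", "title": "SQL injection", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"host": "192.0.2.12", "title": "Informational banner", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:N"},
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f'{f["score"]:>4} {f["severity"]:<6} {f["host"]} {f["title"]}')
```

The base score reflects only the intrinsic properties of a vulnerability, which is why the manual verification mentioned above still matters before the ranked list drives remediation.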

A vulnerability assessment should be performed regularly to identify and remediate known vulnerabilities on an ongoing basis. A penetration test should be performed at least annually and after significant changes in the information systems environment to identify exploitable vulnerabilities in the environment that may give a hacker unauthorized access to the system.

While vulnerability assessments and penetration tests are a requirement for PCI DSS compliance, it would be beneficial for companies to include the procedures in their overall security program even if they aren’t required to be PCI compliant. When used in conjunction with each other, they are an excellent indicator of a company’s security posture.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.