On the road again for the sake of security. This trip brings me to Albany for the New York State Cyber Security Conference. This two day conference is geared primarily toward the public sector, but welcoming private industry and packed full of great topics from both public and private organizations.

The morning began with welcoming remarks and an animated hacking demonstration themed around X-Men, which consisted of using a Linux distro to disable an NT password, Internet-mining to find information about an individual, and WireShark to sniff packets. Wasn’t exactly technically deep, but certainly not boring powerpoint stuff and if anything was pretty entertaining (Indian guy in a Wolverine wig, nice).

The keynote was delivered by Philip Reitinger, National Protection and Programs Directorate for the U.S. Department of Homeland Security (what a mouthful). Without powerpoint (bonus!), he discussed quite a bit on the 60-day Review(pdf) and where DHS is challenged with cybersecurity. He also candidly highlighted some of the largest challenges facing security professionals:

• Hackers getting better not just at hacking but with sharing information at a rate security professionals cannot match.
• Defenses not keeping pace with threats.
• Cybersecurity as an issue of national security (which the president recently accepted responsibility for, a great first step).
• Fostering public-private information sharing.
• Establishing reasonable metrics.

Overall a thoroughly interesting and engaging discussion. He also pushed pretty hard for good IT people, (my boss stop reading here) if you’re interested in moving into the Federal space, now might be a great time.

The three tracks I chose were Ensuring Network Protection While Meeting Compliance (PII, HIPAA, etc.), Computer Network Simulators, and Motivating People to Adopt Security Practices. You’d think these would be horribly boring, but I have to say how impressed I am not only with the conference organization but with the quality of the talks. Yes, really, I stayed engaged all day. Let me share a few tidbits of info I found particularly interesting throughout the day:

• Information Security Officers must be allowed a seat at the executive table and involved in business decisions. (there is a heavy push to remove the “wall” of security as a sub-position of IT or an afterthought)
• 35.7 million records potentially breached in 2008 *reported* – imagine what the actual number is. Dizzying.
• In 2008, missing or stolen equipment accounted for 42% of reported breach events – the second highest was employee negligence at 16%.
• Heathrow airport in England averages 900 unclaimed laptops per week – and after reasonable time unclaimed are auctioned off.
• 1 in 10 people click through SPAM and become infected with malware. On the surface, that’s not much. But think of an organization with 1000 or more people.
• There are 500,000 different variants of malware currently, 20,000 new ones are created every day.
• Personal observation: Most admins don’t have a clue how base32 encoded data looks (scary).
• People will not embrace security policies if they reduce their productivity, feel threatened, or are negatively reinforced. [Innovaites, take special note here, I listened well to this one ]

Overall I’ve found the conference very well organized, technically awesome, and the people very welcoming. I also had a few great conversations with some of the sponsoring vendors. So far a great experience, and I’m looking forward to tomorrow. Until then, cheers from the Albany Pump House and my beer sampler.

P.S. I’ve been tweeting some of the conference, feel free to follow me.

Chris