Infosecurity preview: Protect your assets

Information security has become a top priority for government and business, from the largest corporate to the smallest enterprise.

Valuable data has become concentrated as never before, making it a target for criminals and hackers. The theft of sensitive data can cause a loss of confidence in governments, a decrease in the value of companies, a failure to comply with legislation, or financial losses from fraud.

There has been a shift in security threats to business, with organised crime moving into the arena, using the tools developed by hackers, virus writers and spammers. The result has been a spate of highly publicised attacks, using techniques that are becoming more sophisticated, combining hacking, phishing, spyware, denial of service, botnets, worms and viruses. As the stakes become higher, the criminals will become more determined.

Information security is the defence against this growing threat, and it now affects every aspect of how we do business. Secure operations mean higher productivity and a real business advantage over competitors. 

Infosecurity Europe is dedicated to information security. With more than 300 exhibitors, the event is a comprehensive showcase for a diverse range of new and innovative products and services from information security suppliers. The event enables security professionals and business managers to establish a commercial justification for information security, refine their security policies, and select the most appropriate systems to support their security strategy.

More than 11,000 visitors are expected to attend this year’s event, with many travelling from overseas to participate in the free education programme that addresses both strategic and technical issues, drawing on the skills and experience of senior end-users, technical experts and case studies.

This year, more than 130 companies will use the event to showcase their products and systems, allowing visitors to arm themselves with the knowledge to defend their company against threats, and equip themselves with the latest technology and services.

There are 123 speakers in the education programme, with keynotes and seminars presented by experienced and respected professionals from the information security arena.

The 2006 keynote sessions at Infosecurity Europe bring together the industry’s leading independent experts, government officials and end-users from major corporations, and take an in-depth look at some of the hottest ideas in information security today.
Infosecurity Europe is free to attend, and visitors can be confident of the quality of content and educational value.

According to research by Infosecurity Europe, the top 10 issues of concern to chief security officers and CIOs are:

Compliance, governance, audit and security
Protecting reputation, brand and intellectual property
Internal threats
Professionalism and certification of security personnel
Identity management and preventing identity theft
Threats from new technology such as voice over IP, instant messaging and USB devices
Mobile, wireless and remote working
How much should be spent on security
What is essential to secure new ways of doing business?

The education programme at Infosecurity Europe reflects these concerns, and the opening address is by Lord Erroll on Identity: a Burning Political, Legal and Social Question. Focusing on cybercrime, Tony Neate, national e-crime liaison at the Serious Organised Crime Agency, chairs a panel on E-Crime: Who Got Caught Out?

Security specialists Leo Cronin, senior director information security, LexisNexis, Martyn Croft, head of corporate systems at the Salvation Army, Peter Pederson from Blue Square, and Stephen Bonner from Barclays Capital, will use case study responses to recent breaches to advise on how best to preserve reputation and brand equity.

Cronin said, “In order to address today’s online threats, companies must take into account the security posture of their customers and partners. Thieves and adversaries will continue to attack the weakest link in the chain, which could very well be the source of your revenue or a trusted component in your supply chain. Multi-factor authentication, better monitoring and posture assessments will be key controls in mitigating risk for the foreseeable future.”

This is supported by Croft, who said, “In today’s fast-paced, global workplace, the need for effective information security has not diminished, but rather has increased to the point where it is difficult to see how any organisation can work effectively without it.”
PricewaterhouseCoopers, together with the Department of Trade & Industry, will unveil the findings of the 2006 DTI Information Security Breaches Survey.

Chris Potter, partner at PricewaterhouseCoopers, which conducted the survey, said, “The last survey [released in 2004] showed that increased internet use by business, coupled with under-investment in security, had resulted in a big increase in the number of companies with security breaches and in the number of breaches each affected company suffered. At Infosecurity Europe, we will reveal whether these trends have continued and hopefully shed some light on the good practices leading companies are adopting.”

A keynote panel, chaired by independent consultant John Harrison, will address which certification proves you can do the job, and identify which qualification employers value the most.

According to panellist Allan Boardman, president of the London chapter of the Information Systems Audit and Control Association, certification does not guarantee you a job, but it helps to get you the interview. “Although a certificate is no substitute for experience, they are important differentiators, particularly as the information security profession matures.

“By hiring or retaining the services of a certified information security manager, the organisation shows that it has invested in a professional who is committed to demonstrating information security management knowledge and skills, and undertakes to maintain these through ongoing professional development,” he said.

The keynote on Mitigating the Enemy Within will examine case studies where internal breaches have occurred, and ways to prevent them.

Speaker Steven Furnell, reader in information systems security at the University of Plymouth, said that although many security products implicitly highlight the risk of internet-based attacks and other external threats, there is significant potential for an organisation to face problems from within. Malicious insiders are in a better position to know what is of value and how to get it, and organisations will require a combination of technological and personnel-oriented countermeasures.

“Insider activities can pose varying degrees of threat, and it is worth differentiating between opportunistic or misguided users who may misuse system resources, and genuine ‘enemies within’ who become the source of deliberate attacks and abuse,” Furnell said.

Richard Starnes, president of the Information Systems Security Association UK, will debate the case for and against security architectures based on the deperimeterised model. Other speakers at the debate are Nick Bleech, IT security director at Rolls-Royce, Dan Blum, senior vice-president and research director at Burton Group, Mark Waghorne, principal adviser, KPMG, and Paul Simmonds, global information security director at ICI.

Starnes said, “This panel is a debate from leading experts examining the case for and against the deperimeterised model. You will hear formal arguments proposing and opposing the motion. Is this model suited to the disparate workforce employed by many companies today? Listen to the arguments, ask the panellists questions, and round it off by voting for your winning team.”

Simmonds, a founding member of user group the Jericho Forum, said businesses had already been deperimeterised, but may not have realised it. “The deperimeterisation debate is at the heart of the discussion about what we want the internet to become, and whether we will have an internet tomorrow that we can trust.”

Blum explained how the market was moving forward. “Deperimeterisation is a fact of life, but it increases risks. Protections substituted for hard firewall separation generally have lower surety. If the perimeter is dead, long live zoning! With outer perimeters more porous, enterprises must create internal perimeters, and support personal firewalls as well.”

Keith Iremonger, critical national infrastructure protection consultant at the National Infrastructure Security Co-ordination Centre, will lead a debate on whether the business advantages of VoIP outweigh the security concerns.

Speaker at the debate, Andrew Yeomans, vice-president global IT security director at investment bank Dresdner Kleinwort Wasserstein, said “DrKW sees potential advantages for VoIP, but secure deployment is still problematic as the underlying protocols are not inherently secure. So we must not only look at telephony vulnerabilities, but also flaws in the protocols, platforms, services and application code. The Jericho Forum is releasing a position paper on VoIP at Infosecurity Europe.”

Fellow speaker John Meakin, group head of information security at Standard Chartered Bank, said “VoIP represents a challenge and an opportunity. The opportunity is clear – huge cost savings and a flexible voice communications that parallel the internet data revolution. However, not enough clear and honest coverage has been given to the security issues surrounding VoIP. Hopefully this debate will contribute to filling that gap.”

The panel on Security Compliance from Conglomerate to SME, chaired by Jeremy Beale, head of e-business security at the Confederation of British Industry, will show how to implement compliance as an asset for an organisation.

Panellist Simon Briskman, partner at City law firm Field Fisher Waterhouse, said, “Compliance has become a universal issue, mandating standards in data integrity and system security. Yet the burden of compliance has driven companies away from the US markets and hampered SMEs. When does common sense become red tape? How far should regulation dictate security standards?”
You can also find out the five essential actions you should implement to secure the future of your business.

Commenting on the issue of patch management, Andy Kellet, senior research analyst at analyst firm Butler Group, said, “The key issues of efficiency and service delivery continue to plague the patch management sector, with suppliers racing to deliver patches. Whether we see these issues being replicated remains to be seen, but serious problems would be caused if organisations started to use the ‘grey’ industry out there for unofficial patches.”

“There is no such thing as an unhackable network,” said Robert Schifreen, author of Defeating The Hacker and the chairman of the hacking discussion panel. “But by understanding what makes hackers tick, you can increase the security of your systems by second-guessing them.”

Panellists at this discussion include penetration tester Ivan Ristic and Bob Ayers, associate fellow of the Chatham House Information Security Programme. As well as airing their views and offering advice on how to keep your network safe and secure, the panel will be taking questions from the audience.

Seven product specialists will put their products on the line in the “Lion’s Den”, and only one company will be left standing after a grilling from five senior buyers and authorities in the industry.

In addition to the keynote programme, there are also more than 60 free seminar sessions split into business and technical streams which explore the key issues facing organisations and the technologies available to address them.

Topics in the technical seminar stream include: Honeynets - How They Have Evolved, Anatomy of a Database Attack, What Hackers Know That You Don’t, Preventing the Top Five Insider Attacks, and Managing the Exposure Gap.

The business strategy seminar stream will focus on the challenges and issues facing management, CEOs and other board-level directors. Topics include: Prevention is Better Than Cure, Turning Your IT Department into a Profit Centre, and Consumer ID Protection – Who Foots the Bill?
