MISTI InfoSec World 2008: Conference Note Highlights, Part 1
2008-03-11 18:00:30 by Kenneth F. Belva in BlogInfoSec.com
 

MISTI’s InfoSec World 2008 is a great conference. It’s one of the most enjoyable I’ve been to in a long time.

In addition to excellent sessions, I’ve made a number of excellent networking contacts.

Since I’ve been quite busy (in a good way) over the past few days, it’s taken me a bit to revise my conference notes. While there were so many excellent points made over the course of the last few days, here are some of (what I consider) the highlights.

You can expect more to be published over the course of the week. Here are my notes:

  • If breached, get law enforcement to tell you that you cannot disclose, in order to keep your name out of the news
  • Best possible security controls at lowest possible costs
  • Certain controls are like hygiene - anything above threshold is subject to scrutiny
  • Qualitative business case analysis - in good times and in bad
  • Striking the right balance between productivity, controls and quality
  • Demonstrate that it’s a myth that security professionals are not good financially
  • If you focus on controls and quality, then productivity follows
  • Help desk calls as metrics to show impact of security change
  • Help desk calls as metrics about where security issues are
  • Bring in-house to squeeze commodities out of processes to optimize performance and cut costs, combine functionality with IT and automate
  • Trade-off people for capital - take people and use them on higher order analysis - automate data gathering and use people to analyze it
  • Focus on collateral processes to find procedural inefficiencies
  • Eliminate variance from the environment
  • Move from manual assessments to continuous assessments and automate where possible
  • Data gathering automated: spend time on fixing and analysis
  • Prioritize on reducing potential velocity for data leakage: data leaving firm, portable media, widely available
  • Wherever possible, auto provision instead of a manual request
  • Businesses should be able to take as much risk as possible without putting the firm at risk
  • IT security is the execution and risk management is the governance and strategy
  • Start thinking like a front office business person
  • Forced shift to data centric controls from network security controls
  • Information Security professionals are defenders of shareholder money
  • Make sure data flows are appropriate for the relationship: no extra data in transmission
  • Do third parties have insurance, and are you named as beneficiary?
  • A lot of fraud occurs over instant messaging
  • Beware of SMS messaging outside of the corporate network to commit fraud (ex., picture of screen [issue of volume])
  • Physical security controls for devices that may leak data: call center employees lock everything in a locker before they go into the data center (physical control)
  • Media disposal: all types of media - test environments, how do PCs get wiped - CD, DVD, cell phones and blackberries, fax, multi-function printers
  • Beware of legitimate service contractors who may repair live, damaged drives. They have potential to bypass data wiping controls by leaving premises with damaged drive
  • Metrics to communicate risks: loss magnitude, loss frequency (probable)
  • Detection is key to controlling impact of loss: time
  • In order to help make third-party answers to information security questionnaires more certain: 1. Make it a legal document, and 2. Explain the criteria they need to demonstrate (are you doing x, y, z) in order to answer affirmatively
  • Attackers are in tune with the inner workings of the company: phishing attacks coincide with internal practices (ex., employee 401K choices)
  • Communicate vulnerabilities and risk without using FUD: use cold, hard data and financial impact
  • Risks are real and becoming more apparent with public cases such as SocGen and TJX
  • End point, data in transit, third parties, decommissioned equipment all areas with risk
  • Determine best level for encryption: transport (SSL), entire DB, just certain fields, etc.
  • Use a small footprint for storing sensitive data (centralize it)
  • Security requirements depend on competitive position and legal/regulatory compliance standpoint
  • Deploy controls concurrently with development due to scope of public nature of web code: don’t retrofit
  • Know what projects are coming down SDLC pipe in order to get involved
  • Concentrate on how vulnerabilities map to various types of risk (business, reputation, financial, etc.): 1. Not all vulnerabilities are created equal; and 2. Some vulns map to more than one type of risk

Copyright © 2008 BlogInfoSec.com.
