Ever wondered what happens to your data when it ends up in one of these?
Heartbleed virus. Experience of this attack demonstrated that ISPs have an important role to play in assisting their users to preserve security. Indeed, any halfway competent ISP will know who is using its service, who is sending out bulk emails and spreading spam etc. Any software put out for consumer use should already be configured for security purposes, he added: it should not be necessary for consumers to have to do the job themselves -- though there is a discussion as to whether security settings should be a default setting or merely an option. If unsafe software were, for example, infected meat, national governments would be swift to prevent its importation, so why should software be treated differently? The comparison is not as strange as it seems: much medical equipment, for example MRI scanners, is software-driven. If it is insecure or cannot be operated properly, it can be dangerous. At any rate, it's axiomatic that all software that is supplied to Europe for use in Europe must be subject to European legal standards, notwithstanding that it may be compliant with its own home-grown legal standards.
Not all intruders are so conspicuous ...
Finding evidence of new attacks is difficult, the speaker concluded, because you may be looking for something that hasn't yet happened and it can be tricky to discern relevant threat-related data from the noise that a network might in any event be generating.
In discussion, participants mentioned the exponential growth of reported computer fraud, which has taken place at a time when calls for greater information-sharing are still being made. The main issue here is not just computer security but perception management -- politician awareness is low and there are no votes in cyber-crime, of which consumers are insufficiently aware. Meanwhile, the potential profitability of data exfiltration and the low risk of detection make it an attractive proposition. Against this, insurance against cyber attacks is being increasingly tied to satisfying acceptable security standards, and businesses are running ahead of governments in protecting their data since their money depends upon it. Raising awareness among SMEs and start-ups is the wrong place to start: what they want is to be able to buy safe off-the-peg software that they can trust, rather than having to invest in developing their own protection.
Another speaker, who had worked for an international military alliance, spoke of cyber-security in various contexts, conceding that a big weakness of even the best policies and security systems was the fact that people are people and, even in a top security environment, will display human characteristics such as curiosity (e.g. plugging in a USB stick, contrary to security instructions, since they wonder what's on it).
At this point, this blogger absented himself so that he could revise his presentation, for delivery immediately after lunch.