Louisville Metro InfoSec Conference
Last Thursday I took the opportunity to attend the 5th Annual ISSA Louisville Metro InfoSec Conference held at Churchill Downs. This is a brief write up on my experiences and thoughts about the event.
The keynote speaker was Marcus J. Ranum, who gave a talk on the realities of cyber-war and cyber-terrorism. To summarize what I got out of the keynote, cyber-war in his opinion is not as big an issue because a small country taking out part of a large country's information systems would be like sitting in a closet and sticking your thumb in Mike Tyson's eye (I loved his analogy). Sure, you may partly blind them, but you will have to suffer some major repercussions. In the case of the United States, that means a few thousand heavily armed Marines knocking on your door. As for cyber-terrorism, the various critical pieces of our infrastructure are so varied that it would be hard to take out, say, the power grid all at once. His larger concerns are with the "death by a thousand paper cuts" scenario: many smaller, less coordinated attacks that cause localized problems. These small occurrences could cause the government bureaucracy to react, which may cause more problems than the original act of cyber-terrorism.
I stayed in the technical track for most of the talks. A special delight was Rohyt Belani's presentation "Phishing 2.0 Beyond Identity Theft". I thought I knew all about phishing before I went into the talk, but Rohyt showed me how phishing can be used for more than simple password collecting. His demonstration of Session Fixation using a completely real-looking email was superb. Rohyt Belani also gave a talk later in the day on the security problems inherent in outsourcing. Cheap code is not always good code, and security often takes a back seat to putting in the lowest bid. He told us about WebGoat, a great project for learning about common web application insecurities. If you are planning an information security conference, I highly recommend you try to get Mr. Belani to speak.
Chris Buechler gave a few quick demos of BackTrack, and was kind enough to mention my site.
Matt Melis of the NASA Glenn Speakers Bureau gave a long and fascinating talk on what happened with the Columbia accident. At first Mr. Melis' talk seemed off topic for an InfoSec conference, but what it really demonstrated is how complex systems can fall apart from small, unexpected glitches. Bad assumptions were made with Columbia, resulting in bad consequences.
Bruce Edwards of UofL gave a talk on policy creation. Much of that talk came down to the differences between corporate and educational environments and the challenges of open environments like universities. I have a paper on the subject some of you may like to read.
All in all, the conference was very productive. Many professional InfoSec conferences degrade into vendors trying to sell their wares, and I'm glad that did not seem to happen in the talks I was in. I hope the annual conference continues to grow and that I see some of you there next year.