I was up at Infosec on Tuesday. This is an Information Security exhibition at Earl’s Court exhibition centre in London. The usual stuff. Hundreds of stands with steely-eyed salesmen waiting for you to catch their eye so they can start reciting all the words they’ve memorised but do not understand. These days the stands all look pretty much the same as they have very few physical products to sell. Instead they sell “services”. They try to convince you that they’ve been doing this for years and the way they do this is to hire lots of attractive women to hand out leaflets and to dress all their salesmen in black polo shirts. Black, you see, means that they look like hard core techy gurus… at least in the delusional minds of the sales and marketing staff who apparently run the event. This is the nub of the matter. While it’s true that information risk is evolving along with the systems and processes to control risk, in reality, in 2012 it’s a fairly mature cycle. ISACA were there promoting COBIT 5 and this has been developed so far now that it lists one area as “Ensure benefit delivery”. If we had time to audit that sort of thing then there would be no need for Infosec 2012.
Most of the presentations were packed and there were long queues to enter. I attended a few, including quite a good one on Spear Phishing. A Phishing attack is where an attacker sends an email with an attachment or link which, when the user clicks on it, initiates a connection to the Internet and downloads malware to the target computer. These work because they fool a legitimate member of staff into initiating the attack and, as the user is already logged in, the attack bypasses many of the controls normally in place. Spear Phishing appears to mean a targeted phishing attack. This was of interest to me as I consider Phishing and Web Application Vulnerabilities to be high up there on the list of current threats.
Phishing attacks are hard to control as the code tends to be polymorphic but a company named PhishMe, Inc. had something quite clever. For a fee they will carry out a phishing attack on the staff at your company. However, if your user clicks on the attachment or the link then they will be presented with a warning and some training material on why they should be more cautious. The company collects statistics and the names of the people who are fooled. They claim that their service dramatically reduces the number of users who are fooled by phishing attacks.
One impressive innovation I saw was a tall orange stack of mini-safes named Charge Box, each containing multiple mobile/smart phone charging connectors. The idea being that anyone low on juice could plug their phone in, close and lock the door, remove the key and wander around for a bit, returning later to retrieve their freshly charged phone.
By lunchtime the local pubs were heaving with besuited business types escaping Earl’s Court. I enjoyed a reasonable burger and pint in the Prince of Teck on Earl’s Court Road.
At Earl’s Court 2 another exhibition was under way. This was Internet World and I found this to be more exciting. Less professional salesmen and more enthusiastic start-ups, or so it appeared to me. A couple of companies selling their services to develop web apps, one with a starting price of less than a thousand pounds. Another company, named Mode360, were selling a contraption about the size of an old-fashioned TV. This included a turntable, some lights and a digital camera. The idea with this was that you plonk your product on the turntable and switch on. The machine then rotates the product and photographs it through 360 degrees and the attached computer produces a file which can be embedded in a web page to allow your customers to rotate your product online to get a better look at it. We’ve seen this with the way many mobile phones are sold online. The guy described this as a “money making machine”. He may have been right.