I had the opportunity to attend the Cert-IST 2011 Annual Forum held on June 7, 2011 in Paris, France.
Cert-IST is a French CERT dedicated to the Industrial, Services and Tertiary sectors. They organize a yearly annual forum. Last year’s edition was mildly interesting. The most interesting presentation IMHO was given by a security professional working for Sanofi-Aventis about how they conducted their security awareness programs. In comparison, it would be an understatement to call this year’s edition an interesting conference as most presentations were really thrilling.
First of all, let me apologize to my non-French speaking readers as all the presentations were made in French. This year’s theme was “Security and Modernity: a Challenge for the Enterprise?” and questioned the numerous technologies and trends from the standpoint of security professionals, be it the Cloud™, the smartphone invasion, the traction that the BYOD (Bring Your Own Device) movement is gaining in the enterprise, social networks, or APT attacks.
There have been quite a number of very interesting presentations such as:
- Keynote “Security and Modernity” by Antoine GARAPON, Judge: CISOs continue to view Information Systems as a territory to defend while attackers act as sea pirates. They view the Internet not as land but as a body of water where they can sail, looking for preys. It is necessary that we, security professionals, look for a middle ground and get out of the “forbid everything not absolutely necessary” mindset. Otherwise, we won’t be able to cope with the challenges that we are facing (think new technologies).
- National Strategy for Cyber Defense by Patrick PAILLOUX, General Manager, ANSSI: very interesting feedback on the French Ministry of Finance’s attack and the resources ANSSI allocated for incident response. The attacks were not sophisticated but their perpetrators had important means and were highly organized. Mr. PAILLOUX insisted on the necessity of having a CERT-like capability or at least some sort of incident response in every company to help cope with the new threat landscape.
- Securing Mobile Devices for Enterprise Usage by Jean-Marie MELE, Security Engineer, France Telecom Orange: very good presentation on the technical and legal issues pertaining to BYOD (Bring Your Own Device). In France, a personal device is the property of its user even if it is used in a professional context. As such, it cannot be audited or submitted to a pentest without the consent of its owner. A number of Android vulnerabilities were also cited. It is necessary to follow such trends and adapt to them or risk being completely bypassed.
- Cloud Computing: Legal Questions by Jean-Marie JOB, Attorney: excellent presentation on the legal aspects of Cloud Computing. Who is responsible of data processing (and thus must make sure that personal data is processed according to the French law)? What are the important points to keep in mind before moving to the Cloud? What happens if personal data is handled outside of the EU?
If you’d like to dig deeper, read my full account (in French) and/or download the presentation materials online.
