Last week I was invited to the first Belgian Internet Security Conference in Brussels to talk about our Malware Domain program. The conference was hosted by Belnet, our Belgian sister NREN. Belnet also runs the government CERT.be which invited to this event. Attendants were people rom organisations operating critical infrastructure. The event was very well attended and the mix of talks covered a broad spectrum. You find the slides on the conference website. Find below my thoughts on the different talks:
Aart Jochem: The DigiNotar Crisis – From incident response to crisis coordination
The DigiNotar case is now already some time back. But still today, this is an exceptional event. Aart describes this very well. Most of us think PKI == https, but that’s not true. Wherever certificates are used to assure the authenticity of an information exchange thinks break down, when the CA breaks down. The conclusions aren’t new though: Do your homework and pay attention to new developments.
In particular DANE (https://datatracker.ietf.org/wg/dane/) seems promising. Though I must say, DNSSec is a tricky business, so maybe DANE is not (yet) ready for prime time.
Christian van Heurck: Cyber security – who cares?
Since this was the first Belgian Internet Security Conference, Christian explained the concepts behind a CERT to the audience. A refreshing presentation of what we have known and lived for a long time. It cannot be stressed enough, that CERTs work different than most other organisations, in that they put a strong emphasis on informal collaboration.
Patrick Wynant: Internet banking security challenges and co-operation
Patrick gave a presentation on behalf of the Belgian finance industry, represented by Febelfin. Febelfin has a very good grasp of the issues, and understands whom it has to work with. I’m particularly impressed by their awareness campaigns, which addresses the general public in an surprising and entertaining way.
Stefan Lüders: Why Control System Cyber Security Sucks
Stefan told us about the issues surrounding control system security. Patching PCs is hard enough. But things get worse when it comes to control systems. After all you don’t want to patch an air plane during take-off, do you?
Jacques Schuurman: Cyber security strategies: An ISP’s perspective
Jacques told us about the dilemmas of an ISP: On one hand they see all the traffic of their customers, on the other hand you want to respect privacy. This isn’t easy to resolve, and at the end of the day society has to come to grips with what it wants.
Link to the conference slides (scroll down).