Sri Lanka, taken as a whole, isn't exactly on the bleeding edge of IT security. In fact, if you follow the news, you'll realize we get hacked a lot more often than we should, and almost all of those hacks are because of poor site security. It's not as if the NSA or LulzSec lookalikes personally came down and pointed the cannons – more often it's a very simple, very stupid breach of basic security.
Surprisingly, looking back over the past year, we’ve had a number of very fancy security conferences. Why aren’t these helping?
1. Castles In The Air
The world’s best cybersecurity conferences have one thing in common: valuable content. They’re generally large events, and usually feature everything from people hacking pacemakers to prove a point to the FBI talking on who hacked Sony. People discuss developments, safe practices, new hacker collectives and generally actual cybersecurity.
We, on the other hand, have light gatherings, usually at an expensive hotel to draw more people. Speakers take turns giving one of three short speeches – either on the Cloud, the whole bring-your-own-device phenomenon, or a general mishmash of best practices for keeping employees safe. At which point some person from a tight circle of large companies steps in to tell the audience how THEY are doing cybersecurity, and ends up giving a long-winded speech that turns out to be a business pitch for a new product.
These speeches are highly general and generally contain fewer hard facts than the average Wikipedia article, and they all have the same fault: it’s a meaningless repetition of the same information. There are few real-world examples given. None offer such simple advice as “Talk to your IT admin, ask them to upgrade your website’s CMS” or “Make sure your password isn’t admin123” or “Don’t give your office WiFi password to your son.” Rather, they talk in unreachable abstractions about the Cloud and the trademarked defence systems that Microsoft or Google have in place.
Practicality, please. How long does it take for an intruder to get into your secretary’s Windows XP computer that uses her son’s name as the password?
2. The People At the Bottom
In a country where most of the highest executives haven’t really had a brush with cybersecurity, raising awareness is a fine thing. However, at the end of the day, it’s the people on the bottom rung – the IT admins and the ethical hackers – that are on the firing line, so they should be invited there, and conferences should ideally be structured around helping them do their job better.
3. A Reluctance To Talk
When PRISM was hot news, it went so far and wide that eventually even the most clueless executives caught wind of it. Yet, at a local IT conference held not long after PRISM, I found no-one willing to talk about PRISM – certainly not the panel of experts up on the stage. No discussions. Not even a light chat about what was perhaps the biggest cybersecurity revelation of the past five years. iCloud? Nobody talked about how even the best cloud service is useless if you don’t have good password management in place. Obviously, nobody’s going to profit from a cybersecurity conference where everybody avoids the actual cybersecurity.
In hindsight, perhaps the best Sri Lankan cybersecurity conference I’ve ever been to was at the BMICH.
In the middle of a giant exhibition, full of landed Navy boats and people standing in line to touch a helicopter, there was a small shack with a couple of computers in it. One gentleman from CERT was showing a crowd of perhaps 20 people how a brute-force password attack worked, and how often you didn’t need to brute-force because people used words from the dictionary as their password – child’s play for a computer program. Those fifteen minutes were more useful than days spent hearing about how <Insert company name here> <insert cloud service here> gives you < better security / free chocolate / manna from heaven>.
Someone please find that man and put him in charge of everything.
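For readers who want to see what that fifteen-minute demo amounts to in code, here is an added example of the point the CERT demonstrator was making: a dictionary attack with a few mangling rules cracks passwords like a son's name or "admin123" in a handful of guesses, while an exhaustive brute force has to wade through a keyspace that grows exponentially with length. This is not code from the original post or from CERT; the "leaked" password database, the wordlist and the use of unsalted SHA-256 as the storage format are all constructed for the example (real password stores should use a slow, salted hash such as bcrypt or Argon2, which makes both attacks far more expensive).

```python
"""Added example: dictionary attack versus brute force against hashed passwords.

Constructed demo: unsalted SHA-256 stands in for a weakly stored password
database; the usernames, passwords and wordlist below are all made up.
"""
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    """Hash a candidate the way the (weak) demo password store does."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" password database: username -> stored hash.
# Two of the three passwords are exactly the kind the article complains about.
LEAKED_HASHES = {
    "secretary": sha256_hex("nimal"),     # her son's name
    "admin":     sha256_hex("admin123"),  # default-style password
    "dev":       sha256_hex("x7#Qp9"),    # short but random; in no wordlist
}

# Constructed wordlist. A real attack would use a large leaked-password list
# (rockyou.txt) plus a list of local first names.
WORDLIST = ["password", "123456", "admin", "admin123", "welcome",
            "colombo", "nimal", "kamal", "sunil", "letmein"]


def dictionary_attack(hashes, wordlist):
    """Try each wordlist entry, plus a few mangling rules, against every hash.

    Returns ({username: recovered_password}, number_of_guesses).
    """
    # Reverse index so one hash computation checks all users at once.
    targets = {}
    for user, h in hashes.items():
        targets.setdefault(h, []).append(user)

    cracked, guesses = {}, 0
    for word in wordlist:
        # Mangling rules: as-is, capitalised, trailing "1", "123", and a year.
        for cand in (word, word.capitalize(), word + "1", word + "123", word + "2014"):
            guesses += 1
            for user in targets.get(sha256_hex(cand), []):
                cracked[user] = cand
    return cracked, guesses


def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=6, limit=None):
    """Exhaustively try every string over `alphabet` of length 1..max_len.

    Returns (recovered_password or None, number_of_guesses). `limit` caps the
    work so the demo can show an attack that does *not* finish.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            cand = "".join(chars)
            if sha256_hex(cand) == target_hash:
                return cand, guesses
            if limit is not None and guesses >= limit:
                return None, guesses
    return None, guesses


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a full brute force of lengths 1..max_len must cover."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    found, n = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"dictionary attack: {found} after {n} guesses")
    print("brute force 'abc':", brute_force(sha256_hex("abc")))
    print("brute force 'dev' (lowercase only, capped):",
          brute_force(LEAKED_HASHES["dev"], limit=1000))
    print("lowercase keyspace up to 5 chars:", keyspace(26, 5))
    print("full printable keyspace up to 8 chars:", keyspace(95, 8))
```

The dictionary run recovers the secretary's and the admin's passwords in fifty guesses; the random six-character password survives both the wordlist and a capped lowercase brute force, and the keyspace figures show why length and character variety matter far more than any cloud product's marketing.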