
Different Approaches

Last month we featured Information Security Management and BS7799, but the Black Hat Briefings, which visited Hong Kong in April, focussed on the complementary approach. BS7799 concentrates on the management issues, whereas the Black Hat Briefings are highly technical - forensic analysis of a hacked server or web exploits via SQL will make most managers' eyes glaze over.

Black Hat Briefings is a wonderful opportunity for technical staff to improve their skills and gain new perspectives, and this applies not just to security-related staff. Your development team, naturally, concentrates on getting your applications working and available, but it is their oversights that create the buffer overflow vulnerabilities and insecure configurations that hackers exploit. They could certainly benefit from the paradigm shift of seeing how obvious the flaws are, and how easily hackers exploit them (obvious in the "why didn't I think of that" sense; in many cases, no tools beyond a browser were required). Some tolerance of eccentric behaviour is required: the speakers were almost exclusively younger than the business-attired audience, and dressed "casual" (or perhaps "scruffy"). Some took this "information warrior at the edge of civilisation" attitude too far - was it really necessary for Rain Forest Puppy to require the organisers to sign a non-disclosure agreement before he would reveal his real name so that travel arrangements could be made? Do his friends call him Rain, and should we address him as Mr. Puppy? The important point is to see the truth behind the distractions - the vulnerabilities and exploits covered are real, and many sites on the Internet, probably including the sites many of you are responsible for, are at risk.

However, many of the technical experts at Black Hat Briefings have difficulty with practical security for real organisations. This could be seen in statements like "users should avoid executing ...", or others implying that developers are responsible for buffer overflows, or that systems administrators are to blame for not applying security patches. This is blaming the victim for the crime. The real question for organisations is, given that we have human staff and tight schedules, how do we minimise the cost of incidents? The keynote speaker, Bruce Schneier, addressed this, saying that the way forward is to think "risk management", not "threat avoidance".

Which approach do organisations need? Both: top-level support for a clearly defined security policy and delegation to expertise in specific technical areas so that the details are addressed.