BSides Austin – Verizon DBIR, cloud security and the importance of randomness

Greetings from BSides Austin. The first talk of the day I was able to attend was delivered by Jay Jacobs of Verizon.

Jacobs presented “Digging into Data from the 2012 DBIR”, where he gave us an in-depth look at Verizon’s latest report. It was clear that Jay was intimately involved and was able to answer every question thrown at him.

There is a lot of fantastic information in this year’s report, and Jacobs was very helpful explaining the methodologies used. This is important as it is easy to draw incorrect conclusions when awash in a sea of statistics and data.

I had the pleasure of sitting on a panel on cloud security with Jack Daniel, Michael Gough, Jarret Raim, Ganesh Padmanaghan, Michael Wilde and Eddie Garcia.

We discussed a lot of the challenges of migrating to the cloud and the importance of getting out in front of the desire for instant-on application availability.

The conclusion? We mostly agreed that IT must be an enabler and find a way to say yes, while maintaining a modicum of control. User agility is essential to being competitive and we must find a way to securely embrace it.

At the end of the day I sat in on David Ochel’s talk “Is your randomness predictable?”. Ochel discussed how random and pseudo-random streams are created and the importance of high-quality randomness in cryptography.

The cloud is particularly vulnerable to predictable randomness and extra care must be taken to generate as much entropy as possible. Ochel’s talk was a good introduction to randomness and shed some light on doing it in the cloud.