First Belgian Internet Security Conference Wrap Up

Yesterday I attended the first edition of a new event: The Belgian Internet Security Conference. It was organised by some key players from Belgian Federal organisations like the CERT.be, Belnet, FedICT. The goal of this one-day conference was to provide some security awareness to managers or deciders. This time, no hacking or technical presentations but clear facts about today’s security issues. By seeing the list of attendees, their goal was reached! The list of participants had 180 names and I think that most of the registered people attended. Visitors came from many different areas of business: universities, financial, transport, media, manufacturers despite the winter weather. It’s a good sign!

The day started with an interesting movie:

After the movie, invited speakers came to present their vision or ideas about the information security. The first speaker was Pascal Petry (security expert from the Prime Minister cabinet). He talked about the official vision of the Belgian government about information security. As computers are used everywhere today, governments must address cyber-defense at the highest level. It is always interesting to listen to some official feedback from authorities even if what they said must sometimes not be taken “as is“. Nothing brand new here. If they would like to fight cyber-crime, authorities must put resources on the table and this costs a lot of money. Not easy to do during those crisis times.

The second speaker was Aart Jochem (from Govcert.nl) who reviewed the case of Diginotar. Here again, nothing new! Everything has been said about this bad story. The interesting aspect of Aart’s talk was how the case was handled by authorities: from incident response to crisis coordination. Keep in mind: it’s better to communicate with a “we failed” message than no communication at all!

After a coffee break, Christian Van Heurck, the CERT.be coordinator, presented “Cyber security: who cares?“. Based on some simple questions answered with an internal voting system, the audience revealed interesting stuff about the communication of cyber incidents. Most organisations fail to report issues to CERTs. Christian explained the CERT.be structure and how they work. It’s very important to know how CERTs work and to trust them. The message here was: “Sharing is the key“.

Then followed a debate with actors on the Belgian IT landscape about the cyber security strategies and how they can impact on our daily life. Trying to increase the security level of citizens/users is good but this can have major impacts on the tools or the way we use them. A good (but always recurring) example are passwords. Again and again people fail to use good passwords. Is it too late? Can people be sued if using bad passwords? Those questions were debated by the participants. Interesting…

After the lunch, I attended a very interesting workshop proposed by the CERT.be: How to build your own CERT? Indeed, if you are working for a big organisation, it could be interesting to deploy your own CERT. By knowing your customers/your business, it could be very efficient to focus on security issues that really affect your business. Erik Vanderhasselt explained briefly (because it’s a huge topic) what are the basic requirements in terms of:

• Strategy
• Business plan
• Operations

During the workshop, I missed an interesting presentation by SWITCH: cleaning.ch. They explained how they detect malicious websites hosted on .ch domains. Once a malicious site has been found, the owner is contacted and has 24 hours (!) to reply otherwise, the website is blocked at DNS level during a few days. Hard but impressive!

After a last coffee break, I followed two other presentations: Stefan Lueders (CERN) explained why our security controls fail and Jacques Schuurman from XS4All presented the position of the Internet Service Provider about cyber security strategies. Very interesting how they have to deal with authorities.

What about this first edition? The number of visitors proved that security remains very important for most organisations. Most visitors were (as usual?) infosec professionals (high number of CISO’s per m2 ;-). The question is: how to apply what they learned into their daily job! Good news: the presentations are already available online!