I got and ad from Microsoft about a security summit they were organizing. Since it was virtual, I didn't have to travel anywhere and the agenda looked interesting, I signed up.
The screenshot has Jim Moeller and Michael Melone from Microsoft and the summit host Josephine Cheng.
Quotes:
Question:
What's worse then being a victim of a cyber crime?
Answer:
Not knowing about it.
- Shawn Anderson, Microsoft
"Security is not a product, it's a technique."
- Michael Melone, Microsoft
"It's kinda like outrunning a bear. I don't have to be the fastest person, I just have to be faster than Mike."
- Jim Moeller, Microsoft, about infosec referring to Michael Melone sitting next to him
"At the end of the day, these types of crimes are borderless"
- Patti Chrzan, Microsoft
Discussion points:
There were a number of professionals speaking in this three hour session. I saw these couple of themes popping up constantly:
- Security hygiene
- Run patches to make your stuff up-to-date
- Control user's access
- Invest into your security, to make attackers ROI low enough to attack somebody else
- Security is a team sport!
- Entire industry needs to share and participate
- Law enforcement globally needs to participate
- Attacks are getting more sophisticated.
- 90% of cybercrime start from a sophisticated phishing mail
- When breached, new malware can steal domain admin's credentials and infect secured machines also.
- Command & control traffic can utilize stolen user credentials and corporate VPN to pass trough firewall.
- Attackers are financially motivated.
- Ransomware
- Bitcoin mining
- Petaya/Notpetaya being an exception, it just caused massive destruction
- Identity is the perimeter to protect
- Things are in the cloud, there is no perimeter
- Is the person logging in really who he/she claims to be?
- Enabling 2-factor authentication is vital
Finally:
Was it worth spending 3 hours? Oh yes! There were mandatory commercials for Microsoft products, but getting the update from people who work in the security field daily was definitely valuable. Given my personal interest in the field, lot of the talks were targeted towards non-security professionals. However, the infosec professionals managed to keep the talks interesting enough with their fresh information directly from the trenches.