SecTor 2017 Day 1 — CSA Summit

Ivan Bütler
Compass Security
Nov 14, 2017

November 13th, 2017

Compass Security sent me (Ivan) and Bruno to the SecTor 2017 conference at the MTCCC in Toronto. We are staying in Toronto from Sunday to Wednesday, mainly attending the SecTor 2017 conference. On Wednesday we will be heading to Vancouver BC for the rest of the week, with meetings at the Simon Fraser University (SFU) and others. The purpose of our business trip is to find out about the market situation in the field of information security, pen-testing, security education and incident response. Could this be a nice spot for the internationalization strategy of Compass Security?

SecTor 2017 @ MTCCC

CSA Summit

We really enjoyed the CSA summit on Monday November 13th 2017. CSA is playing an active role in information security with more than 88'000 individual and 300 corporate members.


GDPR is on the agenda in Canada

The first keynote speaker, John DiMaria, shared his insights and knowledge about the upcoming GDPR, the EU General Data Protection Regulation that is planned to become active in March 2018. It has been said that every company dealing with international (European) clients must know and understand the new regulation. It is definitely something the Canadians care about these days.

DevOps Talk by Rich Mogull

Personally I really enjoyed the talk by Rich Mogull and his view of how Docker, Azure, AWS and the programmable cloud will change the world. According to Rich, traditional pen-tests might change and become part of the inner DevOps coding, testing and deploying cycle. He was stressing the fact that Jenkins build services should hook and load programmable pen-tests to ensure performance, security and availability. I am not sure the average CSA summit visitor was able to follow his talk. Without my AWS and Docker playing time I would not have been able to either. However, lucky me, I had played with this, and it was really fun listening.

Cloud Consoles — the major hacker entry point

According to a gentleman whose name I can't remember, the AWS console must be considered the main entry point for hackers. If you use Amazon cloud services as a company, his advice is to authenticate your staff through your Active Directory using ADFS. Thus, if an employee leaves the company and his AD account becomes disabled or deleted, access to the AWS console is then immediately denied. And from an organizational perspective, I really think this makes sense, assuming the employee did not have root or admin privileges in AWS, which would have made him capable of adding a hidden backdoor user to the AWS console.
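As an added illustration of the leaver and backdoor-user concern above (example code, not from the original post or from Compass Security): a small Python audit that flags IAM users who can reach the account without going through ADFS, i.e. with a console password or an active access key. The inputs mimic the JSON shapes of `aws iam list-users` and `aws iam list-access-keys`; the sample data, user names, account ID and the allow-list are constructed.

```python
"""Audit an AWS IAM inventory for identities that bypass AD/ADFS federation."""
import json

# Constructed sample in the shape of `aws iam list-users` output (trimmed).
LIST_USERS_JSON = json.dumps({"Users": [
    {"UserName": "break-glass-admin", "Arn": "arn:aws:iam::123456789012:user/break-glass-admin"},
    {"UserName": "ci-deploy", "Arn": "arn:aws:iam::123456789012:user/ci-deploy"},
    {"UserName": "jdoe", "Arn": "arn:aws:iam::123456789012:user/jdoe",
     "PasswordLastUsed": "2017-11-10T08:12:00Z"},
]})

# Constructed sample: per-user `aws iam list-access-keys` output, keyed by user name.
LIST_ACCESS_KEYS_JSON = json.dumps({
    "break-glass-admin": {"AccessKeyMetadata": []},
    "ci-deploy": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active"}]},
    "jdoe": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000002", "Status": "Inactive"}]},
})

# Constructed: users for which `aws iam get-login-profile` succeeds (console password set).
USERS_WITH_LOGIN_PROFILE = {"break-glass-admin", "jdoe"}

# Constructed allow-list: IAM users the organisation knowingly keeps outside federation
# (e.g. a break-glass account). Anything else with direct access is a finding.
APPROVED_EXCEPTIONS = {"break-glass-admin"}


def find_unfederated_access(list_users_json, list_access_keys_json, login_profile_users, approved):
    """Return {user_name: [reasons]} for IAM users that can log in without ADFS.

    A user who is federated through ADFS never needs an IAM password or access key,
    so any such credential is a path that survives disabling the AD account.
    """
    users = json.loads(list_users_json)["Users"]
    keys_by_user = json.loads(list_access_keys_json)
    findings = {}
    for user in users:
        name = user["UserName"]
        reasons = []
        if name in login_profile_users:
            reasons.append("console password set")
        active = [k["AccessKeyId"]
                  for k in keys_by_user.get(name, {}).get("AccessKeyMetadata", [])
                  if k["Status"] == "Active"]
        if active:
            reasons.append("active access key(s): " + ", ".join(active))
        if reasons and name not in approved:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for user, why in find_unfederated_access(LIST_USERS_JSON, LIST_ACCESS_KEYS_JSON,
                                             USERS_WITH_LOGIN_PROFILE, APPROVED_EXCEPTIONS).items():
        print(f"{user}: {'; '.join(why)}")
```

Run against real output of the two CLI commands, the report lists every identity whose access would not end when the AD account is disabled, which is exactly the gap the advice above is meant to close.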

Talk from Anil Karmel about NIST guide SP 800-180

Anil Karmel is working for C2 Labs and is a co-author of the recent NIST standard SP 800-180 (Definition of Microservices, Application Containers and System Virtual Machines). As such, he introduced the NIST guide to the crowd. The standard was released back in February 2016, but is still in draft status. I was not fully convinced the draft is taking the latest movements of Docker and micro-service based architectures into consideration. Nevertheless, Anil did a great job in his presentation and showed the crowd the importance of this topic.

Meeting Swiss People in Toronto

In the evening, we had the great opportunity to meet two Swiss people who have been living in Toronto for the last 20 years. They are Canadian citizens now. It was our main goal to understand what it means for Swiss entrepreneurs to invest in the Canadian market. The dinner in Yorkville, accompanied by a nice Cabernet Sauvignon, was a highlight of our second day in Toronto, Ontario. I really appreciated the whole day and I am looking forward to learning more about the Canadian cyber security market this week. I'll keep you posted, if you wish.
