Showing posts with label pentesting.

Wednesday, 29 November 2017

European Cyber Week in Rennes, day three

My key points for the last day of the C&ESAR conferences:
  • The talk I enjoyed the most was "une autre vision de la Cyber Threat Intelligence (CTI)" by Airbus Cybersecurity. The reason is simply the reasoning behind the threat model and the cyberdefense strategy they showed during the presentation.
    • The threat model covers all the steps, from the motivation to cause harm, through compromising the target, to exploiting the vulnerability.
    • The cyberdefense strategy covered a complete approach with:
      • Strategy: administrative decisions on the defense.
      • Conception: use the imagination! Architects propose a solution to the security problems.
      • Tactic: the defense. How are we going to defend? Done by the security engineers. How to correlate?
      • Operation: BAU: SOC, CSIRT. Technical training for personnel.
  • This gave me a lot to think about, because having a clear threat model allows one to have a vision of how to check an architecture for weak links and possible solutions to those potential problems. At some point, we would like to have granularity of the (virtual) network functions in order to have a flexible service composition and simple lightweight functions firing up when necessary. But the problem is the multiplication of the points of failure that are created.
  • And well, securing all those points of failure has costs in terms of money, processing time, memory, delay and latency... It is a trade-off with the value of what I want to protect. What is the justification for such an investment?
The afternoon session took place at Secure-IC. The topic was the business of digital security. The subject was a little bit too administrative for my taste (or for my interest). Some isolated comments:
  • Europe has no representative in the top 10 industries in the world: the first 8 are American, the last 2 of the top 10 are Chinese.
  • It is a shame that everything is shaped by politics, with technology also affected by this.
  • 90% of advertising in the world is captured by Google and Facebook.
  • Among the technical priorities in the DGA plan, they want:
    • Evaluation and orientation of COTS technologies.
    • Improved architecture and resilience of large systems (ships, aircraft…), taking into account the operational constraints.
  • LOL, this sounds like they are sharing some of the functional needs of 5G along with its enabling technologies. It is a fact that SDN and NFV would help to achieve these requirements. I am imagining right now network slices for ships, aircraft, hospitals, smart cities. In fact, as the speaker said, a ship, for example, is like a smart city: it has its own energy source, water supply control, temperature control, CCTV, the crew... a small-scale city.
So far, I have more ideas, more questions, more reading to do and so much to learn; got to keep going.

Tuesday, 28 November 2017

Taking a break: European Cyber Week in Rennes, day two

On day two, the approach was quite different but no less interesting: the topics covered training, penetration testing and protection from threats. Key points:
  • Simulation environments are very important because of their several use cases. For example, you could use a simulation to recreate an attack by leveraging virtualization and traffic generators to replay the packets and perform a post-mortem analysis. Another use is training, using a virtualised version of the real products, topology, traffic generators and controls to provide a learning environment. Something analogous to a flight simulator. It is way cheaper than playing with the real equipment. This reminds me of when I learned about networking protocols using Packet Tracer or GNS3.
  • Testing environments are really important to provide training for personnel in order to operate a platform properly and to run hacking exercises to find vulnerabilities in the system. Especially this last part involves not only technical expertise on protocols and commands but also the physical aspects of the infrastructure in buildings. Every attack surface (virtual or physical) can be exploited and used as an entry point to compromise an organization.
  • Businesses do not wait for Communication Service Providers to help them implement security procedures or protection plans. Businesses and companies are taking their first approach to the problem by deploying tests and self-penetration exercises. The network is just a data pipe. This insight makes me think about the role of the infrastructure provider or slice provider to a company... Would a telecom care about what traffic the customer has inside the slice? My responsibility as a telecom operator is to provide the resources and guarantee the SLAs with my customer... the same way as when we provided E1s, VPLS, VPNs...
  • An authorized penetration test is a procedure that involves a lot of administrative planning! Even the presenters (from SODIFRANCE) told a fun anecdote about an "out of jail card" (a pun on the Monopoly card). Everything has to be set up properly.
  • The approach proposed by the presenter (from Thales Communications and Security) covered a test-bed for a service. I wonder if the same could be done for the infrastructure. I think it is possible, since virtualisation techniques span the different layers of the anatomy of a service.
  • There is a saying that if the only tool you have is a hammer, all your problems will look like nails. The key point from the presentation of Franck Sicard is that people tried to apply the same techniques used to secure an IT system to an ICS (Industrial Control System). Every system, service and industry has its own special equipment, protocols and processes. The security approach is different in each case.
  • The future telecommunication architecture must have the means to provide administrative rights to create snapshots of a slice, in order to provide security features, rollback of configuration and resilience to failures. It could be interesting to think about this scenario.