Last week, the first edition of Secutic Day PACA, a security conference organized by Secutic, was held in Marseille. The tagline of this one-day event was securing the digital economy. While free and open to the public, it was mainly dedicated to IT managers interested in learning more about security. The program gathered 24 great speakers who shared with the public the state of the art of security in various domains such as digital crime investigation, liability of IT managers, and today's and tomorrow's major threats. Here is a summary of the major ideas that some highly experienced people discussed.
About the legal risk for IT managers.
Some officials of the Gendarmerie Nationale, together with Claude Leloustre, representing the Club de la Sécurité des Systèmes d’Information PACA (CLUSIR), reminded the audience of the legal aspects associated with the management of IT systems. Managing an IT network induces some liability. For example, when a company provides its employees with internet access through its IT system, the company is liable for any illegal usage made by the users, unless a charter is signed with each employee (to be included in the hiring contract). Another binding aspect is that any IT manager in France must be able to show logs of their IT systems and computing fleet over one year, on police request. A last example of an engaging aspect is the fact that IT systems record, most of the time, private information about employees and customers. Recording such information is subject to privacy laws. Those laws require that recorded data be carefully stored: all processing of data should be declared to the national commission for freedom and computing (CNIL), no leak of data is accepted by the law (implying storage ensuring integrity and confidentiality), data retention should be limited in time, and obviously the owner of the data should be informed that it is being recorded. Missing any of those mandated features could imply serious legal problems for the owner of the company (and/or its IT manager). While this information was valid only for the context of France, one can easily imagine that there are similarities in other countries. Knowing this context exactly allows one to better understand why it is necessary for IT managers to have a serious security policy to avoid this kind of problem, protecting themselves against accidental failure to respect the law, or malicious attacks from any competitor or black hats.
About the need to share and learn together
Marc Dovero @marcdov presented the Club 27001 association and its rationale. This non-profit association promotes the ISO 27001 range of specifications, which provides IT security managers with the basics for protecting their systems. What makes this association special is that informal discussions can happen regarding tested security solutions, benchmark results and also – what makes the state of the art progress – solution failures. In addition, Marc reminded the audience that a security policy requires a strategy endorsed by top management in big companies, and this cannot be achieved without gathering serious arguments to invest in security. This is where sharing experience, discussing solutions and different IT system configurations can help.
Dominique Van Iseghem, representing a regional office of the French security agency ANSSI, reminded the audience that requests for advice about recommended equipment (mainly based on its security merits) could be addressed to his department.
Other associations, such as the Computing Club from Provence or Secutic, confirmed that security is a topic that needs networking and informal discussion, together with educational material, to help IT managers and company owners better understand the possible impact and solutions.
Finally, Julien Valiente, security consultant and teacher at Sciences Politiques Aix-en-Provence, presented two recent modules that are part of the curriculum dedicated to future company leaders in business intelligence, allowing students to better understand IT security attacks and the required protection.
About possible strategies for robust IT systems.
Pascal Capuano from Phonesec helped the audience find a direction among the possible strategies to protect an IT system by reminding them of two things: (1) measure the exposure to risk, meaning measure what the impact would be of an accident (natural or technical failure) or of an intrusion into the systems (exploitation of a vulnerability raised by a configuration problem, a weak procedure or unprotected exposure to social engineering); (2) protect against the validated risk through appropriate assurance, audit and technical measures. He listed the possible consequences of attacks, such as leaks of customer data and fraudulent or destructive usage of services. All of them have direct or indirect implications such as brand degradation and financial loss – not to speak of the legal aspects previously mentioned.
Paul Franquart – IT Manager of Marseille Harbor – exposed a possible technical strategy for large companies. The strategy relies on several key measurable aspects such as: a security policy maintained and improved over time; decisions related to the policy made after a serious risk analysis (meaning that quick and dirty patch management methodology should just be forgotten); all actors of security sharing the liability; and finally the skills of involved employees or actors being certified and known. In addition, he reminded the audience of the basics of “in-depth defense” of IT systems, which allows building a technical strategy where several independent barriers reduce the chances that a successful attack actually creates a disaster.
Patrick Baldit @Pbaldit – IT Manager of the ‘Commissariat à l’Energie Atomique’ in Cadarache – had a different approach. He mentioned that, being in a highly sensitive industrial context with a large number of partners using his IT systems, he had to allocate priorities to protect data and maintain constant and regular patch management. He highlighted that authentication of each user was one of his key concerns, in order to get appropriate and accurate monitoring of their activities on his IT system.
And what about small and very small businesses?
Some representatives of small and very small companies were also present during this Secutic Day, and one of their key messages was: yes, we are managing data and also basic IT systems, but, no, we don’t know what a log is, and we cannot afford to have an IT manager. For them, there was no direct answer to support them, except the outsourcing of their IT management, which does not include a transfer of liability.
A next post will cover the threats related to the recent trends in IT service consumption such as BYOD and cloud aspects. Stay tuned!
Club 27001 http://www.club-27001.fr/
Club Informatique Provence Méditerranée http://www.cip-paca.org/