Last week I attended SecureCon. Here are a few rough notes:
  • At an attendance cost of $0 it was stunning value for money
  • Damn Vulnerable Linux is a really useful sample of cracking tools and information for the professional
  • Security attacks continue to get worse and there is serious money involved
  • Defence in depth (firewalls, OS patches, bandwidth throttles, user education, VLANs to separate traffic types, security zones, policies and policy updating, continuous testing, application architecture and design for security, ...)
  • Assume everything is evil, including traffic from your own network
  • Protect the data
  • Constant demands for new functions and access militate against closed security (e.g. JavaScript is about to get access to the local file system)
  • New devices (e.g. mobile devices) and new services (in particular VOIP) increase the attack surface, sometimes by an order of magnitude.