You might say there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer." -Kevin Mitnik

In today's world confidence scams present quite possibly the highest threat to security with in the business world. Control of information, withholding and leaking, can lead to massive failures and losses depending on how skilled the attacker may be. In combination with disinformation and propaganda, social engineering can as fatal as or even lead to loss of customer and shareholder confidence.

iSCSI is insecure. SCSI calls have traditionally been used from an IDE hard drive to the motherboard (the grey ribbon inside your computer). iSCSI takes all the benefits of SCSI and the connectivity of IP to provide large volumes of storage dynamically to any machine, any time, over any IP network. While iSCSI brings a tremendous amount of connectivity benefits, it simply has ignored security. Any protocol or product that controls large volumes of critical data should strongly support the core principles of security, including authentication, authorization, and availability. Unfortunately iSCSI does not support these aspects very well nor does it enable many of these principles by default. Furthermore, vendors like Microsoft, Cisco, NetApp, and EMC are pushing iSCSI into the market, but are failing to address the security issues that their customers will face.

The iSCSI Security presentation will contain three specific sections to educate users about the drastic security problems that are being overlooked with iSCSI storage. The presentation will include an Introduction/Protocol Overview, a description and demonstration of iSCSI Attacks, information on the iSCSI Defenses for each attack identified, and a short Conclusion. The presenter will described the security weaknesses, issues, and exploits concerning authentication and authorization and will follow-up each discussion with a demonstration of the actual attack. iSCSI attacks will show how 300 gigabytes of data can be compromised over the IP network without a single username of password. The attack demonstration will show how application and operating system security is important, but should not overshadow storage devices. The demonstration will also show that a compromise of a storage device can be equal to compromising 10 to 20 applications and/or operating systems combined, both of which are accessible over the IP network.