In March I attended for the first time in five years the RSA Conference, the world’s largest cyber security conference, with nearly 40,000 people attending. Sadly, representation from our industry was noticeably lacking and many security people I have spoken to have never even heard of this important event.
I did connect with Rodney Thayer, our industry’s leading white hat product and network vulnerability tester and PSA consultant; however, excluding IT and dedicated cyber vendors, only Verint and HID had a corporate presence at the show. Regardless, there were a number of important takeaways from the many sessions I attended and vendors I spoke to:
Cloud applications and security solutions are abundant and increasing. That more applications are migrating to the cloud is unquestioned. Competent cloud vendors now have a powerful array of tools to help mitigate outsider threats — for example, blacklisting an IP address making repeated attempts to access a site application within a short time period. In many cases, security for a cloud application may be superior to what users can provide for themselves. Lesson: Choose your cloud vendor well and understand what security features they offer.
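The blocking rule described above (an IP making repeated login attempts within a short time period), written out as an added example that is not code from the original article or from any cloud vendor: a sliding-window counter over constructed web-application log lines, with the log format, IP addresses and thresholds all assumed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample web-application log lines (not from any real system):
# timestamp, client IP (documentation ranges), request, HTTP status.
# A 401 on /login is treated as a failed login attempt.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 203.0.113.5 POST /login 401
2016-03-01T10:00:02Z 203.0.113.5 POST /login 401
2016-03-01T10:00:03Z 198.51.100.9 POST /login 200
2016-03-01T10:00:04Z 203.0.113.5 POST /login 401
2016-03-01T10:00:05Z 203.0.113.5 POST /login 401
2016-03-01T10:00:06Z 203.0.113.5 POST /login 401
2016-03-01T10:20:00Z 198.51.100.9 POST /login 401
2016-03-01T10:21:00Z 198.51.100.9 POST /login 401
2016-03-01T10:22:00Z 198.51.100.9 POST /login 401
2016-03-01T10:23:00Z 198.51.100.9 POST /login 401
2016-03-01T10:24:00Z 198.51.100.9 POST /login 401
"""

def parse_line(line):
    """Return (timestamp, ip, status) for one log line."""
    ts, ip, _method, _path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, int(status)

def ips_to_block(log_text, threshold=5, window_seconds=60):
    """Sliding-window rule: block an IP once it has `threshold` failed
    logins within any `window_seconds`-long interval. Returns a dict
    ip -> timestamp at which the rule first fired."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        ts, ip, status = parse_line(line)
        if status != 401 or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip} (rule fired at {when.isoformat()}Z)")
```

With the default 60-second window only the burst from 203.0.113.5 is blocked; the slow run of failures from 198.51.100.9 only trips the rule if the window is widened, which is the trade-off a vendor's threshold settings encode.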
Behavioral and situational analytics are two promising tools of the trade. Behavioral describes how someone uses an interface, what they normally access and established patterns of behavior. Situational deals with the location someone appears to be logging in from. Both of these are additional candidate means of authentication.
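A minimal illustration of how those two signals can feed an authentication decision, added here as an example and not taken from the article or any product: a per-user baseline is built from constructed login history, then a new login is scored on situational deviation (source country) and behavioral deviation (hour of day, area accessed), and a high score triggers step-up authentication. The history, weights and threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed login history (not real data): user, hour of day (UTC),
# country of the source IP, and the application area first accessed.
HISTORY = [
    ("alice", 9, "US", "/reports"),
    ("alice", 10, "US", "/reports"),
    ("alice", 14, "US", "/dashboard"),
    ("alice", 16, "US", "/reports"),
    ("bob", 22, "DE", "/admin"),
    ("bob", 23, "DE", "/admin"),
]

def build_profiles(history):
    """Per-user baseline: usual hours and areas (behavioral) and usual
    source countries (situational)."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set(), "areas": set()})
    for user, hour, country, area in history:
        p = profiles[user]
        p["hours"].add(hour)
        p["countries"].add(country)
        p["areas"].add(area)
    return profiles

def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_score(profile, hour, country, area):
    """Add points for each deviation from the baseline; weights are illustrative."""
    score, reasons = 0, []
    if country not in profile["countries"]:                        # situational
        score += 3
        reasons.append("new country")
    if all(hour_distance(hour, h) > 2 for h in profile["hours"]):  # behavioral
        score += 2
        reasons.append("unusual hour")
    if area not in profile["areas"]:                               # behavioral
        score += 1
        reasons.append("unusual area")
    return score, reasons

def decide(profiles, user, hour, country, area, step_up_at=3):
    """'allow' the login, or 'step-up' to require a second factor."""
    if user not in profiles:
        return "step-up", ["no baseline"]
    score, reasons = risk_score(profiles[user], hour, country, area)
    return ("step-up" if score >= step_up_at else "allow"), reasons
```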
IoT is scary. Depending on the projections you believe, there will be around 50 billion connected devices by 2020, a tenfold increase over today’s number. It appears that, once again, we will witness implementations and marketing hype around their usefulness outpacing the many needed security efforts to protect them. The consensus view of the conference was that the industry is ill-prepared for IoT from a security perspective — so many devices to hack, so little time.
Education is key. While no cyber solution is perfect, and multiple layers of defense should be employed in a protection strategy, there is low-hanging fruit that can be harvested. Take spear phishing attacks for example, where users are prompted by custom-crafted emails to click on malicious links. These can be addressed by education, mock exercises and constant reinforcement by the parent organization. This most common vulnerability should be the easiest to solve.
Endpoint vulnerability must be taken seriously. One common attack mentioned targets unsecured surveillance cameras that still have their default credentials, reached via their RTP ports. There are other ways to attack these and other security devices where proper setup and firmware maintenance have not been implemented.
SCADA (Supervisory Control and Data Acquisition) vulnerabilities keep corporate execs and policy makers up at night. Not only is old equipment infrastructure particularly vulnerable, but hacks upstream in the supply chain affecting original equipment before shipment from the factory have been documented.
Many security products today rely on databases for their implementation, and they must be secured. There are numerous security solutions for cloud-based databases, for example Transparent Data Encryption (TDE) for Microsoft SQL running on their Azure platform. Further, I was able to find encryption solutions available to developers for local database applications.
Is the government friend or foe in the security battle? There was no shortage of government speakers at RSA, including the Attorney General of the United States and the Director of the NSA. All delivered the message that the government wants and needs the private sector to be a willing participant in fighting the cyber threat. It is ironic that this occurred while Apple and the FBI were battling it out in court over the right to access encrypted information on iPhones.
While my own feeling is that the bad guys will simply find other devices for encrypted storage and communication should the iPhone’s security features be lessened (while those of us who continue to own these devices will suffer the consequences), it was pretty clear there are differing views within the government and by ex-government officials on this matter. Shane Harris, in his compelling book, @War, describes actions by the NSA which selectively share and withhold information from the private sector. These may either warn and help mitigate certain threats, or may keep an enterprise at risk for the sake of preserving tools and secrecy for broader national security.
Cyber security needs higher corporate priority. According to recent Gartner statistics shared at RSA, security was only the seventh-ranked priority of corporate CIOs, behind areas such as business analytics and digital marketing. It is likely that many of these CIOs are not aware that their networks may have been compromised or, perhaps, are relying on cyber insurance policies to keep them feeling protected.
As you may have guessed, I did not leave this event with warm and fuzzy feelings. I am astounded at the technical capabilities of those who are seeking to steal money and corporate secrets or whose objective is to wreak havoc.
Those of us who specialize in electronic and physical security need to work to lessen the disconnect between our world and the cyber community. I believe that adopting and implementing cyber standards for security products is a good place to start.
Additionally, getting involved with your customers on good cyber hygiene, incorporating cyber requirements into project specifications, and further educating ourselves and our customers on cyber matters are important actions to take.
It is time to erase this disconnect, because we have a common denominator — it is called “security.”
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Reach him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter, @RayCoulombe.