RSA Conference Day 1 - Tuesday

We are at RSA Conference in San Francisco this week, keeping current with the latest developments in the information security industry. We'll summarize the developments here in daily blog posts and live-tweet the high points from our Twitter account, @Path2Protection.


Day 1 - Tuesday

Keynotes (just hitting the high points)

Amit Yoran - CEO, RSA - "The Sleeper Awakes" ( @ayoran )

  • “If your security program is focused on compliance, you’re doing it wrong.”
  • We need to be doing more proactive hunting for active threats already inside our networks.
  • Cybersecurity is as much a human problem as a technological one.
  • Advanced artificial intelligence technologies are an important tool, but will not be a panacea; we still need more competent, trained technical people to use these tools.
  • "In cyber security, our opponent isn't playing by the same game and they don't play by our rules: they don't even have rules."


Brad Smith - President and Chief Legal Officer, Microsoft - "Trust in the Cloud in Tumultuous Times" ( @BradSmi )

  • Highlighted the need for government policy to support privacy.
  • Trotted out an antiquated mechanical adding machine to show the state of technology when the laws now being used to govern data privacy were written. The point: we need new laws to address the security and privacy challenges of our era.
  • Showed off Windows Defender Advanced Threat Protection, a new post-breach detection service built on the Windows Defender anti-malware technology integrated with Windows 10. It is set to debut in the fall.


Christopher D. Young - SVP, Intel Security Group - "Louder Than Words" ( @youngdchris )

  • Talked up industry cooperation, exemplified by the Cyber Threat Alliance.
  • "Competition is holding us back."
  • Discussed the importance of the Cybersecurity Information Sharing Act (CISA) and lack of progress in truly implementing it. “Most in the cybersecurity industry are reluctant because we’re all competitors.”


Admiral Mike Rogers - Director, NSA and Commander, US Cyber Command

  • "How do we create a network where resiliency and security are central design characteristics?"
  • "It's not about IF you're going to be penetrated, it's about WHEN you're going to be penetrated."


Cryptographers Panel

A GREAT and robust panel discussion/debate among some of the absolute giants of cryptography over public policy regarding crypto, law enforcement, etc.: Ron Rivest, Whit Diffie, Martin Hellman, Adi Shamir, and Moxie Marlinspike. Adi Shamir argued that Apple chose a poor case as a battleground to challenge government decryption requests, whereas the rest of the panel, with varying degrees of emphasis and from various perspectives, held that Apple should prevail. All five agreed, however, that calls for universal or general backdoors are wrong-headed and should be opposed.

Moxie Marlinspike made two very important points:
  • Some argue (as Adi Shamir did) that a precedent set in the current iPhone case, arising from the San Bernardino investigation, could be rendered largely moot by improving the technology so that Apple itself would be technically incapable of complying. Moxie pointed out that the real key to the current case is the use of Apple's code-signing key(s) to sign the modified operating system the FBI has requested. The same kind of key is used by Apple to sign apps from the App Store, and that signature is what the security of the whole system rests on. A similar order could force Apple to sign and push a back-doored version of a communications app to a particular phone as an update, and there is no feasible way for Apple to make that technically impossible. Ultimately, a precedent in this case cuts to the heart of current models of trust in computing and security.

  • His second point concerned the Juniper firewall code compromise. Part of that episode involved Dual_EC_DRBG, a random number generator designed by NSA (and standardized by NIST) with a weakness that NSA believed only it would know about and be able to exploit: whoever chose the generator's constant Q can recover its internal state from a small amount of output. Eventually, though, others discovered the weakness and exploited it; in Juniper's case an unknown party replaced the Q constant in ScreenOS with one of their own. This is an excellent real-world example of the consequences of a backdoor that government thinks only it can use: there is a very real danger that it will be discovered and exploited by other parties.
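To make the Dual EC point concrete, here is an added toy model of the generator and of the trapdoor attack; it is not from the panel, the blog, NIST or Juniper. It uses a small constructed curve over F_1009 (assumed for illustration, not NIST P-256) and keeps 8 of the roughly 10 bits of each x-coordinate (the real generator drops 16 of 256 bits). The "backdoor author" publishes Q = d*P and keeps e = d^-1; from one truncated output plus a couple more to prune candidates, that party recovers the internal state and predicts everything that follows. Swapping Q for an independently chosen point, as happened in the ScreenOS case in reverse, is exactly what decides who holds the trapdoor.

```python
# Added toy Dual_EC_DRBG on a constructed curve (not NIST P-256, not vendor code).
from math import gcd

P_MOD, A, B = 1009, 2, 3        # constructed toy curve y^2 = x^3 + A*x + B over F_1009
INF = None                      # point at infinity
TRUNC_BITS = 8                  # bits of x kept per output (real Dual EC keeps 240 of 256)
MASK = (1 << TRUNC_BITS) - 1

def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                    # R + (-R)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def x_of(pt):
    return 0 if pt is INF else pt[0]

def order(pt):
    """Order of pt by brute force; cheap because the toy group has ~1000 elements."""
    n, cur = 1, pt
    while cur is not INF:
        cur, n = add(cur, pt), n + 1
    return n

def lift_x(x):
    """All curve points with this x-coordinate (0, 1 or 2 of them)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]

def first_point(x_start, min_order=1):
    """First point scanning from x_start with order >= min_order (constructed base point)."""
    for x in range(x_start, P_MOD):
        for pt in lift_x(x):
            if order(pt) >= min_order:
                return pt

def dual_ec_outputs(seed, P, Q, count):
    """Dual EC iteration: s_i = x(s_{i-1} P), r_i = x(s_i Q), emit truncated r_i."""
    s, outs = seed, []
    for _ in range(count):
        s = x_of(mul(s, P))
        outs.append(x_of(mul(s, Q)) & MASK)
    return outs

def plant_trapdoor(P, d):
    """Backdoor author's step: publish Q = d*P, keep e = d^-1 mod ord(P),
    so that e*(s*Q) = s*P for every state s."""
    n = order(P)
    if gcd(d, n) != 1:
        raise ValueError("d must be invertible mod ord(P)")
    return mul(d, P), pow(d, -1, n)

def predict_from_state(s, P, Q, count):
    """Run the generator forward from a known state s_{i+1}."""
    outs = []
    for _ in range(count):
        outs.append(x_of(mul(s, Q)) & MASK)
        s = x_of(mul(s, P))
    return outs

def recover_states(observed, P, Q, e):
    """Trapdoor attack: lift observed[0] back to candidate points R = s_i Q, map each
    to e*R = s_i P = s_{i+1}, keep those reproducing observed[1:]. Sign of R is
    irrelevant because only x(e*R) is used."""
    r0, rest = observed[0], observed[1:]
    hits = set()
    for x in range(r0, P_MOD, 1 << TRUNC_BITS):      # every x with the observed low bits
        for R in lift_x(x):
            s_next = x_of(mul(e, R))
            if predict_from_state(s_next, P, Q, len(rest)) == rest:
                hits.add(s_next)
    return sorted(hits)

def demo(seed=123):
    P = first_point(1, min_order=500)                 # "standard" base point P
    n = order(P)
    d = next(k for k in range(5, n) if gcd(k, n) == 1)
    Q_trap, e = plant_trapdoor(P, d)                  # Q with a known discrete log
    Q_honest = first_point(P_MOD // 2)                # Q whose log nobody knows
    stream = dual_ec_outputs(seed, P, Q_trap, 8)
    states = recover_states(stream[:3], P, Q_trap, e) # 3 outputs: 1 to lift, 2 to prune
    predicted_ok = bool(states) and predict_from_state(states[0], P, Q_trap, 7) == stream[1:]
    honest = dual_ec_outputs(seed, P, Q_honest, 8)
    return {"recovered": states, "predicted_ok": predicted_ok,
            "honest_hits": recover_states(honest[:4], P, Q_honest, e)}

if __name__ == "__main__":
    print(demo())
```

With the trapdoored Q the attack returns a single state and its forward predictions match the generator's later outputs bit for bit; with the independently chosen Q the same trapdoor value e recovers nothing, which is the whole difference between the constants as published and the constants as swapped in.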


Breakout Sessions:

"Bro, Do you Even Cybercrime? Key 2016 Trends"

James Lyne ( @jameslyne ) of Sophos.

It's interesting that the upshot of this talk seemed to be that cybercriminals are mostly still using the same tactics they've been using for a while. So I guess the trend is, "no trend"?

That's about all I have to say about this talk. He showed some interesting, but fairly pedestrian, examples of malware, exploits, and phishing. The lesson, I suppose, is that basics like good patching and security awareness training are still essential and would go a long way toward preventing cybercrime incidents.


Roles of Industry and Government in Cyber-Incident Responses

This panel discussion included representatives of government (White House, Homeland Security, and FBI) and the private sector (well, RSA, anyway). The decision to include two RSA executives (one as moderator and one as the sole non-government panelist) seemed questionable to me if the idea was to get a balanced view of how the roles of industry and government work together.

Michael Daniel, the Cybersecurity Coordinator at the White House, explained the goals of the program to create a unified framework for the federal government's side of responding to cyber security incidents involving private third parties. One key aspect is to ensure that roles are clearly laid out, so that no matter whom you initially contact within the federal government for assistance, you will be put in touch with the appropriate person or people to help.

Andy Ozment, Assistant Secretary for Cybersecurity and Communications at DHS, talked about the differing roles of DHS and the FBI in cyber response. The analogy he used was that of a response to a fire caused by arson: DHS's role is like that of the fire department, whereas the FBI is analogous to the police. DHS's job is to help deal with the destruction and its consequences, whereas the FBI is trying to find out who did it and bring them to justice.

Eric Sporre, Deputy Assistant Director of the FBI's Cyber Division, addressed organizations' concerns about how they will be treated by federal law enforcement when they become involved in responding to a breach at the organization. He emphasized that one of the key considerations the FBI employs is that the organization, and often its personnel, are the victims of a crime and need to be treated with respect and consideration.

Peter Tran, GM & Sr. Director, Worldwide Advanced Cyber Defense (ACD) at RSA, pointed out the importance of Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" (February 2013). This EO provides guidelines and policy for improving the cyber security of critical infrastructure.

In talking about whom to reach out to for help, Mr. Sporre stated that organizations should reach out to the federal official with whom they already have a relationship. This raises a good point: any substantial-sized organization would do well to have the name and phone number/email of their local FBI cyber agent on hand before an incident.


Advancing Information Security Strategies in Higher Education
This was a great, smaller session with discussion among twenty participants, most of them CISOs or other senior infosec leaders at various colleges and universities. I got to sit next to the legendary Randy Marchany of Virginia Tech, a big thought leader in infosec for higher education. We had a couple of other CISOs of large universities and university systems present as well.

Key issues facing infosec leaders/professionals in higher education include:
  • A pay gap, in that they can seldom match the salaries offered in the private sector. 
  • Lack of ability to act in a directive, rather than advisory, capacity.
  • High, and multiple/overlapping, compliance requirements.
Other issues reflected challenges more common to commercial CISOs, such as:
  • Obtaining third-party security assessments and compliance.
  • Data governance process.
  • CISO reporting chain -- directly to the CIO, or as a peer to CIO?
