10 Things You Need to Know About Digital Security
Tue, March 4, 2014 @ 12:00 am
Last week, the whole SecurityWatch team fanned out over the RSA Conference to get the latest about new security innovations, the latest technology, and what the security community is really talking about. Since most of you were sane enough to not spend the week at a trade show, here's our ten things you need to know about security right now.
10. RSA and the NSA
The National Security Agency was on everybody's mind at this year's conference, and it has been the biggest security story of the past year. And even though the RSA Conference is a distinct entity from the company RSA Security, the alleged multi-million dollar connection between RSA and the NSA was a frequent topic of discussion. RSA chairman Art Coviello dismissed the allegations in his keynote address, but called for reforms within the spy agency. In stark contrast to last year, fears about China took a back seat.
9. Buzzwords Killing Words
Once a word reaches buzzword status, it ceases to mean anything useful. Sadly, there were a ton of words like that at RSAC, where everyone was using the same words, but no one agreed on the definition. When it comes to threat intelligence, were we talking about indicators of compromise, or were we talking about enriching existing data with third-party sources? What exactly does "next-gen" even mean anymore? At this point, we should be at next-next-gen. How can so many products herald a security revolution? Does the the industry even knows what it is promising anymore?
8. When Toasters, Cars, and Coffee Machines Attack
The Internet of Things crept into the RSA Conference this year and everyone is worried over the prospect of securing them. The key takeaway—quite distressingly—is that we are not yet ready to secure all our devices, whether we are talking about household appliances, medical devices, or cars. Even so, some weren't all that concerned, saying that criminals weren't likely to try remotely controlling or crashing a connected car. It would be more likely that criminals would go "upstream" to compromise servers that use the Things, such as OnStar servers for cars, and monetize that.
7. Encrypt Everything
The answer from everyone on how to improve security—particularly mobile security—was encryption, encryption, encryption. Mobile apps are moving huge amounts of information around the Internet, and many developers are choosing not to encrypt those transactions, giving attackers and nation states plenty to look at. Again turning to the NSA, Co3 CTO Bruce Schneier posited that the agency probably has broken some form of encryption but can't process huge amounts of encrypted data. He said that the sheer amount of unencrypted information flying around is simply making it too easy for anyone looking to stockpile data.
6. There Are No Silver Bullets
We spent a lot of time talking about presentations and individuals at RSAC, but we shouldn't forget that the event is a trade show and that the show floor is packed full of vendors working to convince buyers that their product is the best around. Surprisingly, many security companies were still pushing the idea of silver bullets—a single-serving solution for any and all of your security problems. This is a little surprising given that the past year has demonstrated that there are numerous avenues for attacks, and that they can differ depending on who is behind them and what they are after. HP's Senior VP Art Gilliland suggested that companies stop searching for new weapons and take a more holistic approach to security. Most important on his list of improvements? Invest in individuals and improve security training.
5. Mobile AV Doesn't Work
While he celebrated the security community working with and within Android to make it better, Google's Lead Engineer for Android Security took a dim view of mobile security thus far. He said that Google's goal was to provide quiet, invisible security and suggested that security companies were more about getting attention and boosting sales. viaForensics CEO and co-founder Andrew Hoog also took issue with traditional security models on mobile. He pointed out that app sandboxing in mobile operating systems does a good job of securing apps but it also limits the ability of security apps to deal with threats. His solution? Give security developers access to root privileges.
I don't agree fully with either position, but rising mobile threats demand new ways of securing devices. Guarding against malicious apps isn't enough, and though the tools security companies are adding to their mobile apps are useful, they won't be enough forever.
4. Security in the Driver's Seat
We talk a lot about how security needs to be part of the organization's DNA, and how security teams can't just be reacting to crises or in firefighting mode all the time. The general consensus seems to be getting ahead of the threats, whether it is by having better security practices to close off avenues of attack or integrating with other teams to make sure security concerns are being considered right from the start.
3. We Need More People In Security
One of the things we kept hearing about was how there was a shortage of security professionals. Companies who traditionally didn't have to think about security—protecting their data or making sure their products were secure--are now struggling to find experienced security professionals. Government agencies are trying to attract the brightest hackers to fill their ranks. There is a skills gap, partially because we don't have enough people specializing in security, but also because companies aren't doing a good job recruiting.
We need more women in tech, and information security in particular. Sessions at RSAC focused on creating support structures to encourage women interested in infosec, but also to highlight some of their accomplishments.
2. Leaky Apps are Worse Than Mobile Malware
Defending against malware continues to be a focus for many mobile security companies, but that is by far not the only threat. Many attendees at the RSAC conference suggested that leaky apps—that is, apps that transmit users' personal data without encryption or in huge amounts—are a far greater threat to users. To readers of our Mobile Threat Monday coverage, this should come as no surprise. This year, we're looking forward to new tools like viaProtect to help consumers see what their apps are really doing. That said, watching someone tear apart, modify, and repackage an Android app in five minutes is a reminder that malware is still a problem.
1. Surveillance Is Not Going Away
Freshly minted FBI director James Comey made two things clear in his RSAC 2014 presentation: The FBI needs cooperation from business to fight cyber threats, but that electronic surveillance is here to stay. On one level, we all know this. We can't expect spies and cops to keep tapping phones when the bad guys are communicating with email and other tools. As a society, we need to accept that digital communications are a target, and perhaps a legitimate one. Similarly, the panelists in a fascinating roundtable of US intelligence insiders stressed that the NSA is not a "rogue agency" and that every other nation state is engaging in electronic surveillance. They also said that domestic spying needs to strike a better balance with privacy, and that people should not allow elected officials to use their "cover story" of plausible deniability for intelligence operations.