Your security will fail, but is this the right attitude?
Are security basics getting lost under the cover of cloud and mobile?
The opening music stopped, and the introductory video finished playing, thereby kicking off the RSA Conference Europe 2011, held in London.
The opening video, a repeat from the RSA Conference in San Francisco in February, was designed to jazz up the audience of more than 1,200, exemplifying the innovations brought to light 35 years ago by the founders whose initials were used to form the company name.
What a difference time can make. During the period between the San Francisco and London events, RSA itself experienced a breach that exposed its SecurID technology, costing the company millions to replace the tokens.
With the breach acting as the elephant in the room, the initial tone set by the first two RSA keynote speakers was flat, if not serious. Their attitude showed humility. The reality: The security industry has failed us. Their guidance to the audience: Expect failure and be agile.
Is this the right attitude and message? I'm not so sure.
Despite the irony between the video and subsequent speeches, it was refreshing to see the transparency that RSA presented as it gave blow-by-blow details of its infamous breach.
RSA Executive Chairman Art Coviello and President Tom Heiser each shared their own thoughts regarding the attack, confirming that the attack was conducted by two groups, one of which was visibly attacking RSA while simultaneously shielding the other.
RSA claimed it was saved from a catastrophic breach through a combination of real-time monitoring, alerting systems, dedicated network security management, and a quick-to-act security response staff. The attack generated what proved to be a relatively weak alert that could have easily gone unnoticed.
However, RSA was able to analyze the alert to conclude that it was under attack.
“It is good that the alerts were available, as the attackers did a good job erasing their tracks, leaving little evidence of their presence on the network,” Coviello told conference attendees.
Driven initially by a phishing attack coming from a trusted source and targeting RSA employees, the attackers “switched connection techniques, used various forms of malware, and leveraged alternate attack origins,” said Heiser. “They were determined, persistent, and coordinated. It appeared that they spent a lot of time preparing for their assault, as they first exploited the people, processes, and procedures within the organization as a means to gain access to the real target: the inner-workings of the infrastructure, and ultimately the data."
John Howie, senior director of technical security services at Microsoft concurred with the RSA executives and later provided guidance on how organizations should have mechanisms that can generate alerts such as those identified by RSA. Howie recommended having a team ready to monitor and analyze the alerts, as this is what will ultimately determine the organization's ability to respond.
Monitoring is good, but, to-date, security firms have suggested that the best way to avoid an attack is to prevent it from occurring in the first place. Yet with social engineering methods apparently working well for these new-age attackers, they have become the easiest and most lucrative way for hackers to penetrate the organization.
This is difficult to prevent. For instance, an organization's employees and partners, even the smart ones who abide by strict security policies, will make mistakes. And, when they do, attackers will attempt to use their system to gain control of critical systems within the organization.
Once the attackers are in and have a good view of the technology landscape, they can do pretty much anything they want.
During an advanced persistent threats (APT) summit held on the Monday prior to the official conference opening, a number of financial institutions presented their own collective view – they claimed they are winning.
Large financial institutions spend an exorbitant amount of money deploying dedicated security systems and teams to combat attacks directly. They may find they are better equipped than most to protect, monitor and respond to security challenges. Certainly, financial institutions are doing a better job than any small, unregulated business could ever imagine – these large organizations have more money to spend, and they are spending it in spades.
Regardless of the amount of money spent on protection, the security industry is telling us that the security measures we have invested in will invariably fail. Even if machines are patched, an APT will take advantage of employees and partners to gain initial access. Once in, an APT will scour the network and the machines to ferret out unpatched (zero-day) vulnerabilities exposed on the network, and will then begin to work its way into the fabric of the organization until it finds the nuggets of data it is seeking.
Organizations without the resources of deep-pocketed financial institutions must take a different stance. They must eat the reality sandwich of being in a constant state of compromise.
For SMBs that don't have the budgets and the staff to function like a large organization, Eddie Schwartz, RSA's chief security officer, suggested that these businesses avoid investing heavily in staff and technology.
“They must look to outsource their security management, and maybe even move some of their business operations to the cloud where they can be managed more securely,” he said.
Regardless of the size of the business or the industry, or the types of data an organization holds, it's safe to say we are all getting mixed messages on how to handle protecting our intellectual property.
To date, we've been told to buy a bunch of security hardware and software and to put teams in place to manage it, monitor it, and respond to it. Now, we are being told that the attackers are much smarter than us and our technology, and that we need to expect failure. In other words, we will be breached.
We are being told that we need to be agile and to have a plan to successfully handle the imminent compromise to reduce the losses we'll inevitably suffer.
And with the introduction of cloud computing, we are now being advised to trust the security industry to provide us with a monthly subscription for ongoing infrastructure management, systems management, applications management, data management, and no surprise... security management.
Security failures may be our current reality, a fact that organizations are forced to deal with. However, the attackers are taking full advantage of our collective uncertainty and negative thinking, making the reality much more costly, much more poignant.
One would suggest that any loss, no matter how big or small, is a loss that can and should be negated. The right attitude and message shouldn't be to accept failure and loss.
Hopefully we can figure out the right model to follow sooner rather than later, getting the right message out and setting the right direction in systems and data protection such that the businesses we all rely on can operate more securely.