Notes taken by: Theresa Payton, Fortalice, LLC.
Notable Quotables:
"Security providers have been going through hell in the last
12 months...Never have so many security firms been attacked directly...An
attack on one of us is an attack on all of us, but together we can all learn
from these experiences and emerge from this hell, smarter and stronger than we
were before...As Winston Churchill once said, if you're going through hell keep
going...We must fight back the only way we know how: through creativity and
innovation." Art Coviello, Jr., EVP, EMC/RSA
“Many breaches were accompanied by alerts that went off during
the breach, but no one was paying attention.”
Avivah Litan, Gartner Analyst.
"In the not too distant future we anticipate that the cyber
threat will pose the number one threat to our country. We need to take lessons
learned from terrorism and apply them to cybercrime." Robert Mueller, FBI Director
"Voice interception capability really depends on how much
processing power you have...But that's just a function of Moore's Law – the
faster computers get, the more data they can handle." Aaron Turner, cofounder N4struct
"It was interesting … you can't pay for penetration testing
like this...It was a motivating experience because you had white hats and
penetration testers trying to find vulnerabilities in our network. We treated
it as a learning experience."
Matthew Prince, CEO of San Francisco-based CloudFlare, discussing how LulzSec signed up for CloudFlare's service and then used it to gain access to the network and their clients and wreak havoc.
"You have my permission - signed, Jack Sparrow." LulzSec message to CloudFlare when CloudFlare asked permission, under its corporate privacy policy, to share what happened to them.
Top Topic Trends:
It’s all about mobile
BYOD everywhere: personal devices at work are inevitable, which also means increased risk of security breaches -- more attack points
The conference also leaned much more toward fraud rather than pure security topics
Summary of Presentations:
Arthur Coviello, Jr., Executive Vice President, EMC Corporation; Executive Chairman, RSA, The Security Division of EMC
Title: Sustaining Trust in a Hyperconnected World
Hyperconnected world–consumers, friends, company/corporate supply
chains.
The beginning was a little flat, but then Art surprised several of us by acknowledging the violation of trust that occurred with the RSA hack
Key topics:
Technology is outpacing company and government organizations' ability to manage and secure it
Showed a soldier in Afghanistan talking to his family at home
The number of Chinese online is over half a billion people, and they spend at least two hours per day, on average, online
Employees have advanced technology as a part of their life, often better than what IT organizations provide at work
Employees want and demand PSOD
Threat intelligence:
You must correlate internal and external sources of data at high
speeds to provide situational awareness
Big data is needed to give you contextual capability
Quotes:
· We are woefully short on security resources
· We need to focus on hiring analysts; consider the military as a source
· They need to be offensive in mindset
· We are past the tipping point: personal and work lives, devices, and technology are blurred
· YOU CANNOT SECURE WHAT YOU DON'T CONTROL
· "People in our line of work, security, are going through hell" (direct quote)
· Following our hack, we know our responsibility to you
· We are sharing our experience from the attacks on us to help promote more security
· Never have we witnessed so many high profile attacks in one year
· Never have we seen so many firms attacked directly and used to target other firms
· An attack on one of us is an attack on all of us
· We can emerge from this "hell" smarter and wiser than before
· We have to stop being linear thinkers adding security controls to flawed models
· Must acknowledge that our networks will be penetrated
· People will still make mistakes; attackers will exploit them
· We cannot stop attacks but we can reduce our vulnerabilities
· Few organizations review risk at the granular level
· Know your enemy
· When the trees move, the enemy is advancing.
Risk: he showed a picture of a woman putting on her makeup while driving and then a picture of a baby driving
Information sharing: legal constraints, distrust
People are refusing to wait for top-down constructs from
government or the security industry
Talked about FDR visiting Oliver Wendell Holmes in 1933 for advice. Holmes responded: "You are in a war, I was in a war. In a war there is only one thing to do: form your battalions and fight."
They showed clips of President Obama talking about cyber security: "It's the great irony of our information age" (cyber security issues)
Scott Charney
Corporate Vice President, Trustworthy Computing, Microsoft Corporation
TwC for our Computing-centric Society: In the ten years since Microsoft announced the creation of its Trustworthy Computing (TwC) initiative, attacks have become more persistent; there are concerns about supply chain and cyber warfare; and users are moving to the cloud.
Need to establish end to end trust
Trust in hardware, software, and identity
Ability to authenticate without compromising privacy
The need for alignment - sometimes tech has a solution but it is not economical
Sometimes government wants something, like protecting children
from Internet predators, but there is no age verification on the Internet
He walked through Microsoft technology changes
How do we get users engaged in a way that makes sense - tell the
user why they are getting a message, make it actionable
Windows 7 had BitLocker To Go for portable devices and encryption
Windows 8 has a signed BIOS and a trusted boot with remote review
Doctor’s office: paper, then paper and computer, now paperless
Forces creating change:
Data centric world: BIG data
User created content
GPS / geolocation
Geolocation data is a problem from a privacy perspective
Need to balance societal benefits with societal risks
Discussed how privacy statements are not helping - insurance companies are looking at Facebook posts to fight insurance fraud
40 years ago, when we drew blood, we never said we might use your DNA, but we do
92% believe cybercrime laws need updating
The 6th Circuit Court of Appeals says you have to have a warrant to request emails
If the data is in another country because of the cloud but involves a local crime, how do we get the evidence?
Does not like the term APT; prefers "persistent and determined"
Even when we do security well, we don't do it at scale (all the time, everywhere)
Look at the TeliaSonera model that proactively walls off infected computers
Model: protect, detect, contain, respond
We have hard perimeters and soft centers
We need to use "least privilege" models
He is posting a whitepaper on this at Microsoft.com
Took a detour and went to the BSides technical conference next
door
Keynote at BSides
Used Star Wars to talk about data exfiltration
The scene where the Death Star plans are stolen
Critical data placed on movable media (R2-D2)
Disagreement on risk
Monitoring "knows" data is being saved but has no ability to understand, at a point in time, whether it should stop the data movement
During a data loss situation, many organizations go to business as usual
At B-Sides Conference
Panel with Amit Yoran, Kevin Mandia, Roland Cloutier and Ron Gula
Discussion: the end of security stupidity
Amit kicked off saying this would be a small, focused discussion
The discussion will focus on less mainstream efforts
Panel:
"I think Anonymous is the best thing to happen to our
industry"
The series of exploits by Anonymous has heightened awareness for
security needs
The "list of stupid": it's the security of the operations
Security breaches are inevitable
Security software keeps getting dumbed down (think red light / green light) and that does not happen
Info sharing is not useful right now - 20-page documents are impossible to use
This is our children's problem to solve
We buy all these tools but they only provide a fraction of coverage
Organizations use tools incorrectly
Many companies, large ones too, don't have internal forensics
There is a lot more surface area to attack now (mobile)
We don't do the basics - see the Verizon report and start there!
Concerned about the trend to scan for vulnerabilities, fix them and call it done
The government has been working on this; review SCAP
FISMA is getting better
There is no XML sharing standard to scale info sharing across the private sector
The Common Event Enumeration needs improvement
IOC - indicators of compromise
Must be able to generate and share info that is open and shareable
Government should share electronically, not in a report format
Need to do a better job documenting issues and follow-ups ("did you fix it?") even if legal says not to write it down
Almost every security vendor will be airing security data in the cloud
There are laws that restrict us from sharing
They give their vendors and developers a checklist to follow when they handle data
Security goes mobile
Morgan Stanley research:
Feature phones used to outnumber smartphones
Fewer PCs were shipped, globally, than smartphones
Page views are on the rise
If an Apple phone is a one for page views, a BlackBerry is half the views
People do 6.5 times as much page surfing on a Mac vs. a smartphone
Tablets intensify access to the net
Google study of smartphones: mobile is emerging on phones but consumers do not feel secure
Software security for mobile apps
Client-side persistence so the app can access it and keep the app connected even if the signal drops
Permission models
Mobile operating systems are easier to support
We have a real challenge incorporating security into the phone
app development process
What matters:
Sensitive user and app data
Environment and configuration
Old standbys like XSS and SQL injection
Local storage (SD card)
Communication (SMS, MMS, GPS)
Security features (permissions, backups)
Android vulnerabilities
Intents on Android are a "message"
Intent hijacking: Android leaves these open
Intent spoofing
Sticky broadcasts
Insecure storage - their storage is open and readable; use local persistence instead.
-- This was the problem Citi had: Citi held info persistently in storage and it got copied to iTunes and hacked
-- The Kindle app saves e-books on the SD card, which is insecure
Insecure communications - Twitter tweets go in the clear
SQL injection
Promiscuous privileges - developers ask for more permissions than they need
DEFCON findings
Mainstream apps are susceptible to vulnerabilities, e.g. 50% to intent hijacking
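The intent hijacking, intent spoofing, sticky broadcast and insecure storage classes listed above, shown as an added Android example in Java (not code from the talk or from these notes); each weak pattern sits beside its mitigation, and the package, action and permission names are assumptions.

```java
// Added example, not from the notes; package, action and permission names are hypothetical.
package com.example.notesapp;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
public class IntentAndStorageHardening {
    static final String ACTION_SYNC = "com.example.notesapp.SYNC_DONE";
    // Declared in AndroidManifest.xml with android:protectionLevel="signature",
    // so only apps signed with the same key as this one can hold it.
    static final String PERM_SYNC = "com.example.notesapp.permission.SYNC";

    // Intent hijacking: an implicit broadcast goes to every app whose receiver
    // filter matches the action, so the token leaves this app.
    static void broadcastWeak(Context ctx, String token) {
        Intent i = new Intent(ACTION_SYNC).putExtra("token", token);
        ctx.sendBroadcast(i);
    }

    // Mitigation: make the intent explicit to this package and require the
    // receiving app to hold the signature permission.
    static void broadcastHardened(Context ctx, String token) {
        Intent i = new Intent(ACTION_SYNC).putExtra("token", token);
        i.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(i, PERM_SYNC);
    }
    // Sticky broadcasts (sendStickyBroadcast) cannot be protected by a permission
    // and stay readable by any app, so they are never used for app data here.

    // Intent spoofing: an exported receiver acts on whatever any app sends it.
    // The fix is in the manifest (android:exported="false", or android:permission
    // on the <receiver>); the code still checks the action instead of trusting it.
    public static class SyncReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (!ACTION_SYNC.equals(intent.getAction())) return;
            // handle the sync result here
        }
    }

    // Insecure storage: a file on external storage (the SD card) is readable by
    // any app holding READ_EXTERNAL_STORAGE, which is how cached content leaks.
    static File saveWeak(byte[] data) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), "notes.cache");
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(data);
        }
        return f;
    }
    // Mitigation: app-private internal storage, readable only by this app's UID.
    static void saveHardened(Context ctx, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("notes.cache", Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }
}
```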
Wednesday sessions
Keynote: McAfee CTO
Evolution of cyber attacks: from ego to weaponry to purpose
Didn’t take notes…
Panel: Fighting Botnets (Federal Govt track)
Moderator: Pete Fonash
Panelists: Chris Boyer, AT&T; Michael O’Reirdan; Max Weinstein, StopBadware; Cheri McGuire, Symantec
Fighting botnets
NIST will do a session on botnets on May 30 in MD
AT&T is working on a tool to help consumers check their computer and clean it.
All the ISPs in Finland notify their customers if they are infected
Arbor Networks and Shadowserver track botnets
Andy Purdy recommended that NCCIC could perhaps play a role in helping
Thursday
Vetting mobile apps for the war fighter
Panelists: Angelos Stavrou, GMU; Bret Michael, NPS; John Viega, e-perimeter; Hart Rossman; Tim Grance
Commercial mobile devices have a wide range of functionality and a very complex source code base
The model is too permissive
Applications drain the battery too quickly
Fortify, Coverity and other tools test for bugs
No built-in way to access the phone subsystems
If I want to play Angry Birds, I cannot opt out of being tracked and/or of access to parts of my device
Security is harder on mobile
To save time, you are typically permissive. There is a performance trade-off.
App stores are evolving
We are creating an inside military and contractor community building apps on their own and for each other
Really need help with performance issues in the field
App stores are the new "intranet" for these groups
Paul Vixie
Predicts malware is the top target for criminals
Tremendous amount of innovation on the "vicious side"
Mark Bowden
Conficker authors were "leasing out space" on the Internet that could be used for spying and cyber warfare
It was "like owning real estate on the internet"
Policy and govt
Moderator is Rear Admiral Michael A. Brown, now at RSA
Mary Robidoux, NSA
Lee Rock, DHS
Major General David Lacquement, DOD
Pete Cordero, FBI
Concerns:
Information sharing at lightning speed
Cyber Command stood up 2 years ago: monitor, direct and synchronize DOD cyber and full spectrum ops; 7 million computers to defend with 150 staff
Q: How does US Cyber Command define "actionable"?
A: It must be a threat against us; look at NSA and law enforcement; review whether it is immediate or near term. The timeline we shoot for is a proactive one vs. reactive: 24 hours on average, though a few might take weeks. Have other positioned solutions or pre-approved actions.
Q: How about DHS?
A: Mentioned Einstein monitoring; we look at an average of 23 billion packets per day and distill it down into actionable intelligence. The Internet does not sleep. Everyone expects the govt to push info out ASAP, but we have to validate it first
DIB pilot:
DOD had a pilot for sharing classified info with defense contractors
This moved over on January 15 to DHS pushing info to ISPs and the private sector
A joint cyber security services pilot is underway to push info out and learn about the process flows
We want to make sure we are not duplicating existing efforts
NSA talked about the Enduring Security Framework
Lee quotes:
We need to make sure we vet the info and ensure it’s credible before we notify people
Biggest hindrance is the public’s perception that govt. has instant response to threats
A lot of info is digested daily
When you call on one of us, you call on us all
None of us will be successful if each unit defines success only for itself - success for US-CERT is at the DHS and government-wide level
FBI, Pete Cordero
FBI collaborates daily with NCTA
I would like to go to a more "counter-terrorism" model where we fight the adversary up front
They have field agents co-located in several countries to help fight and track down cyber criminals
DOD, Major General David Lacquement
Objective timeline: gather info, develop mitigation scheme, BEFORE the enemy deploys the threat
NSA
If you looked at us two years ago, we were great at tracking and caring for victims
We are focused on turning that info into actionable intelligence to proactively defend against the threat
Keynote: Robert Mueller, Director, U.S. Federal Bureau of Investigation
Title: Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies
Told a story: a woman reported her iPhone stolen. They found the iPhone using Find My Phone
Our use of technology as an investigative tool
The very tools we need to stop them from hijacking cyberspace
Discussed MafiaBoy, who had targeted CNN and others
He was 15 years old
Traditional crimes have moved online
Mercenaries are willing to strike anyone for the right price
FBI cyber - threats to our national security; al Qaeda has created a color, English-language magazine
In one hacker recruiting video a terrorist says cyber war is the war of the future
"There is no company that is immune" (to a breach)
We cannot confront cyber crime on our own
Global laws make it difficult to share info
Attribution is critical to preventing future attacks
He read "Hamlet's BlackBerry"
"We will minimize disruption to you....we will look for protective orders to protect your confidentiality..."
He closed with "God bless"
Risk Management
RSA breach exposed the once-secret code of SecurID MFA token devices
RSA breach cost estimates are over $66 million.
Sony breach was estimated at over $180 million.
Ponemon Institute estimates the cost of a breach at $214 per record compromised
BYOD - Bring Your Own Device
Why it can be good for you!
1. Cost savings
2. “Better” protection from lost devices - people notice their personal devices missing before work-only devices
3. Improved morale
4. Agility and resiliency
5. Improved productivity
Study by Symantec
Information Protection in the Mobile and Cloud
Art Gilliland, Symantec
Dan Kaminsky, Chief Scientist, DKH
RSA Conference 2012
Kaminsky does not “hate” passwords: "You know what's amazing about passwords? They totally work...The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."
He noted that biometrics are easy to beat and used a bottle of water to show how he left his credentials, his prints, behind.
He thought maybe a server should tell you what your password should be.
"What's the most common password? 'Password1'"
He talked about APT and how he hates the term (I think it is misused myself).
"As a researcher, there really isn't anything advanced about this stuff."
Case Study Discussed:
Lulz Security signed up for CloudFlare’s service and then turned around and used it to wreak havoc on their network and customers. Matthew Prince, CEO of San Francisco-based CloudFlare, noted that it was a horrible experience but a learning experience at the same time.
CloudFlare runs a distributed content delivery network: 14 data centers worldwide with 30+ billion page views a month. LulzSec signed up for service and launched a “denial of service” attack on other Web sites, including Sony Pictures and the CIA, for about 3 weeks.
LulzSec used 7 different hosts over the 23-day period, in locations such as Malaysia, Canada, the U.S.A. and Germany.
This was the kicker!
CloudFlare has a customer-focused privacy policy. In order to discuss this case at RSA and publicly, they had to ask LulzSec for permission to use the data the company gathered. They sent an e-mail to the address listed on the LulzSec account and received the following reply: "You have my permission - signed, Jack Sparrow."
Products Discussed at RSA
Certgate: encryption capabilities for smartphones and tablets to add functionality for access control, PKI, payment, data security and secure voice applications.
Trusted Logic Mobility and Wave: combined solution that enables users to extend their security architectures to cover mobile devices. The smartphone is a token to authenticate the user. You can unlock encrypted data on a corporate laptop computer (I’m not sure if I like this or not).
IntraLinks: lets staff share content and collaborate with business partners beyond the firewall but enforces corporate control, security and compliance requirements.
My1login: military-grade encryption ‘vault' that manages and stores logins, passwords and PINs. Audited by HP
NaviSite - cloud-based desktop-as-a-service (DaaS)
McAfee - Database Activity Monitoring, supports MySQL and Teradata databases
NetIQ - SIEM solution named Sentinel 7 with "actionable intelligence"
FireEye - File Malware Protection System detects and eliminates malware resident on file shares, web-based email, social networking, devices, etc.
Fortinet - next-generation firewalls
Sourcefire - Intrusion Prevention System
WatchGuard launched two unified threat management (UTM) appliances for full HTTPS inspection, VoIP support and options for application control.