Monday, March 19, 2012

RSA 2012 Conference notes


Notes taken by: Theresa Payton, Fortalice, LLC.
 
Notable Quotables:

"Security providers have been going through hell in the last 12 months...Never have so many security firms been attacked directly...An attack on one of us is an attack on all of us, but together we can all learn from these experiences and emerge from this hell, smarter and stronger than we were before...As Winston Churchill once said, if you're going through hell keep going...We must fight back the only way we know how: through creativity and innovation."  Art Coviello, Jr. EVP, EMC/RSA

“Many breaches were accompanied by alerts that went off during the breach, but no one was paying attention.”  Avivah Litan, Gartner Analyst.

"In the not too distant future we anticipate that the cyber threat will pose the number one threat to our country. We need to take lessons learned from terrorism and apply them to cybercrime."  FBI's director Robert Mueller

"Voice interception capability really depends on how much processing power you have...But that's just a function of Moore's Law – the faster computers get, the more data they can handle."  Aaron Turner, cofounder N4struct

"It was interesting … you can't pay for penetration testing like this...It was a motivating experience because you had white hats and penetration testers trying to find vulnerabilities in our network. We treated it as a learning experience."  Matthew Prince, CEO of San Francisco-based CloudFlare discussing how LulzSec signed up for their service and then used it to gain access to the network and their clients and wreaked havoc.

"You have my permission - signed, Jack Sparrow."  LulzSec message to CloudFare when they asked permission, under their corporate privacy policy, to share what happened to them.

Top Topic Trends:
It’s all about mobile
BYOD everywhere: personal devices at work are inevitable, which also means increased risk of security breaches (more attack points)
The conference also leaned a lot more towards fraud than towards pure security topics


Summary of Presentations:

Arthur Coviello, Jr
Executive Vice President, EMC Corporation; Executive Chairman, RSA, The Security Division of EMC
Title: Sustaining Trust in a Hyperconnected World
Hyperconnected world–consumers, friends, company/corporate supply chains. 

Beginning was a little flat but then Art surprised several of us by acknowledging the violation of trust that occurred with the RSA hack

Key topics:
Technology is outpacing companies' and government organizations' ability to manage and secure it
Showed a soldier in Afghanistan talking to his family at home
The number of Chinese is over a half billion people and they spend at least two hours per day, on average, online
Employees have advanced technology as a part of their life, often better than what IT organizations provide at work
Employees want and demand PSOD

Threat intelligence:
You must correlate internal and external sources of data at high speeds to provide situational awareness
Big data is needed to give you contextual capability


Quotes:
· We are woefully short on security resources
· We need to focus on hiring analysts; consider the military as a source
· They need to be offensive in mindset
· We are past the tipping point - personal and work lives, devices, and technology are blurred
· YOU CANNOT SECURE WHAT YOU DON'T CONTROL
· "People in our line of work, security, are going through hell" (direct quote)
· Following our hack, we know our responsibility to you
· We are sharing our experience from the attacks on us to help promote more security
· Never have we witnessed so many high-profile attacks in one year
· Never have we seen so many firms attacked directly and used to target other firms
· An attack on one of us is an attack on all of us
· We can emerge from this "hell" smarter and wiser than before
· We have to stop being linear thinkers adding security controls to flawed models
· Must acknowledge that our networks will be penetrated
· People will still make mistakes; attackers will exploit them
· We cannot stop attacks, but we can reduce our vulnerabilities
· Few organizations review risk at the granular level
· Know your enemy
· When the trees move, the enemy is advancing

Risk: he showed a picture of a woman putting on her makeup while driving, and then a picture of a baby driving

Information sharing: legal constraints, distrust
People are refusing to wait for top-down constructs from government or the security industry

Talked about FDR visiting Oliver Wendell Holmes in 1933 for advice. Holmes responded: "You are in a war, I was in a war. In a war there is only one thing to do: form your battalions and fight."

They showed clips of President Obama talking about cyber security
"It's the great irony of our information age (cyber security issues)"

Scott Charney
Corporate Vice President Trustworthy Computing
Microsoft Corporation
TwC for our Computing–centric Society:  In the ten years since Microsoft announced the creation of its Trustworthy Computing (TwC) initiative--attacks have become more persistent; concerns about supply chain and cyber warfare; and users are moving to the cloud.

Need to establish end to end trust
Trust in hardware, software, and identity
Ability to authenticate without compromising privacy
The need for alignment - sometimes tech has a solution but it is not economic
Sometimes government wants something, like protecting children from Internet predators, but there is no age verification on the Internet
He walked through Microsoft technology changes
How do we get users engaged in a way that makes sense - tell the user why they are getting a message, make it actionable
Windows 7 had BitLocker To Go for portable devices and encryption
Windows 8 has a signed BIOS and a trusted boot with remote review
Doctor’s office:  paper then paper and computer, now paperless
Forces creating change:
Data centric world:  BIG data
User created content
GPS / geolocation
Geolocation data is a problem from a privacy perspective
Need to balance societal benefits with societal risks
Discussed how privacy statements are not helping - insurance companies are looking at Facebook posts to fight insurance fraud
40 years ago, when we drew blood we never said we might use your DNA but we do
92% believe cybercrime laws need updating
6th circuit court of appeals says you have to have a warrant to request emails
If the data is in another country because of the cloud but involves a local crime, how do we get the evidence?
Does not like the term APT; prefers "persistent and determined"
Even when we do security well, we don't do it at scale (all the time, everywhere)
Look at the TeliaSonera model that proactively walls off infected computers
Model: protect, detect, contain, respond
We have hard perimeters and soft centers
We need to use "least privilege" models
He is posting a whitepaper on this at Microsoft.com

Took a detour and went to the BSides technical conference next door
Keynote at BSides
Used Star Wars to talk about data exfiltration
The scene where the death star plans are stolen
Critical data placed on movable media (R2-D2)
Disagreement on risk
Monitoring "knows" data is saving but no ability to understand, at a point in time, if they should stop the data movement
During data loss situation, many organizations go to business as usual


At B-Sides Conference
Panel with Amit Yoran, Kevin Mandia, Roland Cloutier and Ron Gula
Discussion: the end of security stupidity

Amit kicked off saying this would be a small, focused discussion
The discussion will focus on less mainstream efforts
Panel:
"I think Anonymous is the best thing to happen to our industry"
The series of exploits by Anonymous has heightened awareness for security needs
The list of stupid: it's the security of the operations
Security breaches are inevitable
Security software keeps getting dumbed down (think red light / green light), and that does not happen
Info sharing is not useful right now - 20-page documents are impossible to use
This is our children's problem to solve
We buy all these tools, but they only provide a fraction of coverage
Organizations use tools incorrectly
Many companies, large ones too, don't have internal forensics
There is a lot more surface area to attack now (mobile)
We don't do the basics - see the Verizon report and start there!
Concerned about the trend to scan for vulnerabilities and fix them and call it done
The government has been working on this, review SCAP
FISMA getting better
There is no XML sharing standard to scale info sharing across the private sector
The Common event enumeration needs improvement
IOC- indicators of compromise
Must be able to generate and share info that is open and shareable
Government should share electronically, not in a report format
Need to do a better job documenting issues and follow-ups ("did you fix it?"), even if legal says not to write it down
Almost every security vendor will be airing security data in the cloud
There are laws that restrict us from sharing
They give their vendors and developers a check list to follow when they handle data

Security goes mobile
Morgan Stanley research:
Feature phones used to outnumber smart phones
PC shipments were lower, globally, than smartphone shipments
Page views are on the rise
If an Apple phone counts as one for page views, a BlackBerry is half the views
People do 6.5 times as much page surfing on a Mac vs. a smartphone
Tablets intensify access to the net
Google study of smartphones
Mobile is emerging on phones but consumers do not feel secure
Software security for mobile apps
Client-side persistence so the app can access data and stay usable even if the signal drops

Permission models
Mobile operating systems are easier to support
We have a real challenge incorporating security into the phone app development process

What matters:
Sensitive user and app data
Environment and configuration
Old standbys like XSS and SQL injection
Local storage (SD card)
Communication (SMS, MMS, GPS)
Security features (permissions, backups)

Android vulnerabilities

Intents on Android are a "message"

Intent hijacking: Android leaves these open
Intent spoofing
Sticky broadcasts
Insecure storage - their storage is open and readable; use local persistence instead.
--This was the problem Citi had. Citi held info persistent on the storage, and it got copied to iTunes and hacked
--The Kindle app saves e-books on the SD card, which is insecure
Insecure communications - Twitter tweets go in the clear
SQL injection
Promiscuous privileges - developers ask for more permissions than they need

DEFCON findings
Mainstream apps susceptible to vulnerabilities:
E.g., 50% susceptible to intent hijacking
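The Android defects listed in this session (intent hijacking and spoofing, sticky broadcasts, insecure storage, SQL injection, promiscuous privileges), shown as the weak pattern beside the hardened one. This is an added example in Java, not code from the notes, the session speakers or any vendor; the action string, the BalanceActivity class, the file name and the accounts table and column names are assumptions made for illustration.

```java
// Added example, not code from the RSA notes, the session speakers or any vendor.
// Each Android app defect the session listed is shown as the weak pattern beside
// the hardened one. Assumptions for illustration: the action string, BalanceActivity,
// the file name and the accounts table/column names.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class MobileAppHardening {

    // Stand-in for the app's own screen that displays an account balance (assumed).
    public static class BalanceActivity extends Activity {}

    // Assumed action name for the implicit intent below.
    static final String ACTION_SHOW_BALANCE = "com.example.bank.SHOW_BALANCE";

    // 1. Intent hijacking. An implicit intent names only an action, so any app that
    //    registers an intent filter for that action can receive it, extras included.
    static Intent hijackableIntent(String balance) {
        Intent i = new Intent(ACTION_SHOW_BALANCE);   // no target component
        i.putExtra("balance", balance);                // sensitive extra rides along
        return i;
    }

    //    Hardened: an explicit intent pins the recipient to this app's own component,
    //    so the OS never offers it to another app.
    static Intent explicitIntent(Context ctx, String balance) {
        Intent i = new Intent(ctx, BalanceActivity.class);
        i.putExtra("balance", balance);
        return i;
    }

    //    Intent spoofing is the mirror image: a component other apps can reach will
    //    accept crafted intents. Keep it private in AndroidManifest.xml:
    //      <activity android:name=".BalanceActivity" android:exported="false" />
    //    For broadcasts, require a permission of the receiver and avoid sticky
    //    broadcasts, which stay readable by any app after delivery.
    static void sendProtectedBroadcast(Context ctx, Intent i, String receiverPermission) {
        i.setPackage(ctx.getPackageName());            // deliver only inside this app
        ctx.sendBroadcast(i, receiverPermission);      // receiver must hold the permission
    }

    // 2. Insecure storage. A world-readable file (or anything on the SD card) is
    //    readable by every other app on the device.
    @SuppressWarnings("deprecation")
    static void weakStore(Context ctx, String secret) throws IOException {
        // MODE_WORLD_READABLE is deprecated and throws SecurityException on API 24+.
        try (FileOutputStream out = ctx.openFileOutput("session.txt", Context.MODE_WORLD_READABLE)) {
            out.write(secret.getBytes(StandardCharsets.UTF_8));
        }
    }

    //    Hardened: MODE_PRIVATE keeps the file inside this app's sandbox directory.
    static void privateStore(Context ctx, String secret) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("session.txt", Context.MODE_PRIVATE)) {
            out.write(secret.getBytes(StandardCharsets.UTF_8));
        }
    }

    // 3. SQL injection. Concatenating input into the statement lets a value that
    //    contains a single quote close the literal and append its own clause.
    static Cursor weakLookup(SQLiteDatabase db, String accountId) {
        return db.rawQuery("SELECT balance FROM accounts WHERE id = '" + accountId + "'", null);
    }

    //    Hardened: a bound parameter is always treated as data, never as SQL.
    static Cursor safeLookup(SQLiteDatabase db, String accountId) {
        return db.rawQuery("SELECT balance FROM accounts WHERE id = ?", new String[] { accountId });
    }

    // 4. Promiscuous privileges are a manifest matter: declare only the permissions a
    //    feature needs, e.g. leave <uses-permission android:name="android.permission.READ_SMS" />
    //    out of an app that never reads messages.
}
```

The explicit-intent and exported="false" pair addresses the 50% intent-hijacking figure directly: the first keeps this app's data from leaving, the second keeps other apps' data from arriving. The storage and query methods need an Android Context and an open SQLiteDatabase, so they run inside an app, not on a desktop JVM.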


Wednesday sessions
Keynote
McAfee CTO
Evolution of cyber attacks from ego to weaponry to purpose

Didn’t take notes…

Panel: Fighting Botnets (Federal Govt track)
Moderator: Pete Fonash
Panelists: Chris Boyer AT&T, Michael O'Reirdan, Max Weinstein - StopBadware, Cheryl McGuire Symantec

Fighting botnets
NIST will do a session on botnets on May 30 in MD
AT&T is working on a tool to help consumers check their computers and clean them
All the ISPs in Finland notify their customers if they are infected
Arbor Networks and Shadowserver track botnets
Andy Purdy recommended that maybe NCCIC could play a role in helping

Thursday

Vetting mobile apps for the war fighter

Panelists:
Angelos Stavrou from GMU, Bret Michael NPS, John Viega e-perimeter, Hart Rossman, Tim Grance

Commercial mobile devices have a wide range of functionality and a very complex source code base
Model is too permissive
Applications draining battery too quickly
Fortify, Coverity and other tools test for bugs
No built in way to access the phone sub systems
If I want to play Angry Birds, I cannot opt out of being tracked and/or giving access to parts of my device
Security harder on mobile
To save time, you are typically permissive. There is a performance trade off.
App stores are evolving
We are creating an inside military and contractor community building apps on their own and for each other
Really need help with performance issues in the field
App stores are the new "intranet" for these groups

Paul Vixie
Predicts malware top target for criminals
Tremendous amount of innovation on the "vicious side"

Mark Bowden
Conficker authors were "leasing out space" on the Internet that could be used for spying and cyber warfare
It was "like owning real estate on the internet"

Policy and govt
Moderator is Rear Admiral Michael A. Brown, now at RSA
Mary Robidoux - NSA
Lee Rock - DHS
Major General David Lacquement - DOD
Pete Cordero - FBI

Concerns:
Information sharing at lightning speed
Cyber command stood up 2 years ago: monitor, direct and synchronize DOD cyber and full spectrum ops, 7 million computers to defend with 150 staff

Q: How does US Cyber Command define "actionable"?
A: It must be a threat against us; look at NSA and law enforcement; review whether it is immediate or near term. The timeline we shoot for is a proactive one vs. reactive: 24 hours on average. A few might take weeks. Have other positioned solutions or pre-approved actions.

Q:  how about DHS?
A: Mentioned Einstein monitoring; we look at an average of 23 billion packets per day and distill it down into actionable intelligence. The internet does not sleep. Everyone expects the govt to push info out ASAP, but we have to validate it first

DIB pilot:
DOD had a pilot for sharing classified info with defense contractors
This moved over January 15 to DHS pushing info to ISPs and private sector
Joint cyber security services pilot is underway to push info out and learn about the process flows
We want to make sure we are not duplicating existing efforts

NSA talked about the enduring security framework

Lee quotes:
We need to make sure we vet the info and ensure it’s credible before we notify people
Biggest hindrance is public’s perception that govt. has instant response to threats
A lot of info is digested daily
When you call on one of us, you call on us all
None of us will be successful if each unit defines success only for itself - success for US-CERT is at the DHS and government-wide level


FBI Pete Cordero
FBI collaborates daily with NCTA
I would like to go to a more "counter-terrorism" model where we fight the adversary up front
They have field agents co-located in several countries to help fight and track down cyber criminals

DOD Major General David Lacquement
Objective timeline-gather info, develop mitigation scheme, BEFORE enemy deploys threat

NSA
If you looked at us two years ago, we were great at tracking and caring for victims
We are focused on turning that info into actionable intelligence to proactively defend against the threat

Keynote Robert Mueller, Director
U.S. Federal Bureau of Investigation
Title: Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies
Told a story of a woman who reported her iPhone stolen. They found the iPhone using Find My iPhone
Our use of technology as an investigative tool
The very tools we need to stop them from hijacking cyberspace
Discussed Mafiaboy, who had targeted CNN and others
He was 15 years old
Traditional crimes have moved online

Mercenaries are willing to strike anyone for the right price
FBI cyber - threats to our national security: al Qaeda has created a color, English-language magazine
In one hacker recruiting video, a terrorist says cyber war is the war of the future
"there is no company that is immune" (to a breach)
We cannot confront cyber crime on our own
Global laws make it difficult to share info
Attribution is critical to preventing future attacks
He read "Hamlet's BlackBerry"
"we will minimize disruption to you....we will look for protective orders to protect your confidentiality..."
He closed with "God bless"




Risk Management

RSA Breach exposed the once secret code of SecurID MFA token devices
RSA breach cost estimates are over $66 million.
Sony Breach was estimated at over $180 million.

Ponemon Institute estimates the cost of a breach at $214 per each record compromised

BYOD - Bring Your Own Device

Why it can be good for you! 
1.  Cost savings
2.  “Better” protection from lost devices - people notice their personal devices missing before work-only devices
3.  Improved morale
4.  Agility and Resiliency
5.  Improved Productivity


Study by Symantec

Information Protection in the Mobile and Cloud
Art Gilliand, Symantec

Dan Kaminsky, Chief Scientist, DKH
RSA Conference 2012

Kaminsky does not "hate" passwords: "You know what's amazing about passwords? They totally work...The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."

He noted that biometrics are easy to beat and used a bottle of water to show how he left his credentials, his prints, behind.

He thought maybe a server should tell you what your password should be.

"What's the most common password? “Password1”

He talked about APT and how he hates the term (I think it is misused myself).

"As a researcher, there really isn't anything advanced about this stuff."

Case Study Discussed:

Lulz Security signed up for CloudFlare’s service and then turned around and used it to wreak havoc on their network and customers.  Matthew Prince, CEO of San Francisco-based CloudFlare noted that it was a horrible experience but a learning experience at the same time.

CloudFlare runs a distributed content delivery network.  14 data centers worldwide with 30+ billion page views a month. LulzSec signed up for service and launched a “denial of service” attack on other Web sites, including Sony Pictures and the CIA for about 3 weeks.

LulzSec used 7 different hosts over the 23 day period.  Locations such as: Malaysia, Canada, U.S.A. and Germany.

This was the kicker!  CloudFlare has a customer-focused privacy policy.  In order to discuss this case at RSA and publicly, they had to ask LulzSec for permission to use the data the company gathered.  They sent an e-mail to the address listed on the LulzSec account and received the following reply:  "You have my permission - signed, Jack Sparrow."

Products Discussed at RSA

Certgate:  encryption capabilities to smartphones and tablets to add functionality for access control, PKI, payment, data security and secure voice applications.

Trusted Logic Mobility and Wave:  combined solution that enables users to extend their security architectures to cover mobile devices. The smartphone is a token to authenticate the user.  You can unlock encrypted data on corporate laptop computer (I’m not sure if I like this or not).

IntraLinks:  lets staff share content and collaborate with business partners beyond the firewall but enforces corporate control, security and compliance requirements. 

My1login:  military-grade encryption "vault" that manages and stores logins, passwords and PINs.  Audited by HP

NaviSite cloud-based desktop-as-a-service (DaaS) 

McAfee - Database Activity Monitoring, supports MySQL and Teradata databases

NetIQ - SIEM solution named Sentinel 7 with "actionable intelligence"

FireEye - File Malware Protection System detects and eliminates malware resident on file shares, web-based email, social networking, devices, etc.

Fortinet - next-generation firewalls

Sourcefire - Intrusion Prevention System

WatchGuard launched two unified threat management (UTM) appliances for full HTTPS inspection, VoIP support and options for application control. 
