The RSA Conference closed just two weeks ago and I am still reviewing my notes from sessions, watching videos and referring to content from onsite conversations with peers in the industry. This was the most significant security conference I have attended; a record number of 43,000 attendees. The diversity of security roles was incredible; everyone was there including hackers, pen testers, policy makers, journalists, researchers and CISOs.
When looking back at the sessions and hot topics buzzing throughout the event, here’s what comes to mind:
“It starts with a pebble..
…a disturbance that generates ripples in every direction..” Zulifikar Ramzan CTO at RSA. Mr. Ramzan, kicked off the conference with an elegant keynote that described the ‘gap of grief’, which is the gap between security and business. He declared a wake-up call to security professionals to think of and talk about security as a business initiative. He also urged security professionals to ‘plan for the chaos’ through risk management, simplification, and planning for what you can’t control. His keynote was poetic but also deeply about the changing nature of security being more tightly integrated within business. The ripple effect was great as it made all the rest of the sessions and conference interconnect.
Hugh Thomson is an amazing story teller and security professional! If you learn best through context and enjoy humor, then be sure to watch his videos. The big take away from his session were the Big Questions that we should all be asking:
- How do you communicate the value of security to the enterprise (and management)?
- How do you rank risks?
- How do you reconcile security and compliance?
- How can you be proactive vs. reactive?
- What changes are likely in privacy laws and data privacy that affect the business?
- What happens when all data is lost and cannot be recovered?
- How are you adapting to new paradigms like IoT?
During his session, Mr. Thomson spent time on each question. Ask yourself these questions then ask others. You might be surprised at the differences you will hear and the additional questions/discussions they generate.
Security Investigative Journalists Speak Out
I attended a panel that included investigative cyber security journalists discussing hot topics such as hacking the election and the changing landscape of cyber reporting. Panelists included Nicole Perlroth from The New York Times and Andy Greenberg of Wired, just to name a few. While these journalists all were very tight lipped about what they would and would not say, they all collectively admitted to one thing; none of them would have predicted the impact of cyber security on the US Presidential election. It was as if the big news of cyber-attacks in 2016 had elevated all of their careers from off-beat cybercrime to the headlines. They all seemed caught off guard and suddenly became the go-to sources for investigating hacks and reviewing the impacts. It led nicely to the next session I attended that highlighted nation state hacking.
Hacking Exposed: Real-World Tradecraft of Bears, Pandas and Kittens
While it sounds a bit like a deranged zoo, CrowdStrike a cyber-security research firm gave names to hackers depending on their regions. Pandas are in China, Bears in Russia and Kittens for Iran. For example the DNC hack was attributed to ‘Grizzley Steppe’ a group of hackers associated with Russia. In this session facilitated by Dmitri Alperovitch and George Kurtz the audience was given a first-hand look at how both Chinese and Russian hackers create and deliver ‘payloads’ or malware via email attachments. In Oscar style, they awarded a winner Panda or Bear who had the most elegant attack. While the session was highly technical, it wasn’t beyond simple windows hacking. One of the most powerful payloads was sending an LNK file that looks harmless; however, it’s stealthily armed with PowerShell commands to install malware on a target machine. They demonstrated in minutes how these attacks were crafted and actually infected target virtual machines. They also added commentary on countermeasures which came down to limiting privilege on target machines. In closing, they sent session attendees to their booth where they were printing, ‘Fancy Bear’ and other cool T-shirt designs of malicious hackers. It is a fine line between spreading awareness and glamorized criminals.
Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack
Presented by Daniel Soo and Mary Galligan from Deloitte, in this session I played the role of CISO at YKB Bank as part of a cyberwar gaming simulation that lasted two hours. Everyone else at my table played a different role at YKB, such as CEO, Head of Finance, and Chief Marketer and over the course of the simulation we were hit with a ransomware style attack for $1000 bitcoin (about 1.2 million USD). As a team we had to decide what to do; pay the ransom or come up with alternative strategies. As you might be able to imagine, although I was ‘playing CISO’ there were many actual CISOs and C level executives at my table so it turned into a debate on risk. We debated about whether we should pay or not, how we should mitigate the risk and what kind of security and infrastructure was needed. As the simulation progressed, our networks were taken down, customers could no longer transact data and ultimately we lost communications! It was disheartening to say the least as nothing we could do would stop the attack. This was based on a real case study, and certainly helped to add credibility and gravity to the situation. At the conclusion of the game we debriefed with Mary Galligan who was formerly with the FBI and had first-hand experiences working with customers in similar situations. What we found was that there is no standard on paying ransom, no guarantee and that leaves many businesses frustrated. The session further reiterated that it is difficult to determine credible threats; for example, is the extortionist a Cheeto eating kid in the basement, an organized criminal or a nation state attacker? Mary prompted businesses to create readiness plans on what they would do if faced with a ransomware attack including defining roles (who has responsibility for what), define technical mitigation strategies, and develop a public communication plan ahead of time. A nice dove tail to Zulifikar’s “plan for chaos” start.
In conclusion, there were also a number of other interesting forums and events like the ‘Innovation Sandbox,’ which included startup companies and even a pitch competition won by UnifyID presenting a new authentication system based on ‘implicit authentication’ or authenticating in real time based on multiple factors. Additionally, there was a ‘Capture the Flag‘ hacking competition sponsored by SANS. Overall, RSA 2017 provided an amazing variety of content and glimpse into just how far the ripples of cyber security extend. I look forward to attending next year!