More interest, more news, and more money are swirling through the cybersecurity industry than perhaps ever before. Data breaches make headlines, shape elections, and lead to Congressional hearings. Artificial intelligence tools wow the public and stretch the limits of the imagination.
And the 40,000 RSA Conference attendees pouring into San Francisco are not impressed. Cybersecurity is a profession, they say, not a circus.
We reached out to RSA speakers and attendees and asked what they think is the most relevant recent development in cybersecurity. They gave us a variety of answers, many with the central theme that companies and consumers should not believe the hype. Cybersecurity still is – and perhaps always will be – about seasoned professionals patiently applying good tools in a comprehensive way.
“The problem we’re seeing at trade shows recently is there is very little new,” said John Bambenek, a vice president at ThreatSTOP who lectures on cybersecurity at the University of Illinois. “We’re still trying to solve the same old problems in the same ways with newish looking packaging. What’s being overlooked is actually spending the time developing understanding of attacks, threats, and trends so models can be truly informed before making decisions.”
Caroline Wong, Vice President of Security Strategy at Cobalt, agreed. You can’t just turn the latest tools on and watch them vanquish threats. “There’s a big push in DevSecOps for more and more automation, but it’s critical to remember that when it comes to web applications and APIs, manual pen testing is required to discover vulnerabilities in application business logic. Automated scans often miss the most interesting security vulnerabilities.”
“Automated scans often miss the most interesting security vulnerabilities.”
– Caroline Wong, Cobalt
“Assuming that machine learning models and classifiers will work 100% of the time is setting your SOC up to fail,” wrote McAfee CISO Grant Bourzikas in an RSA blog post titled, “What humans do better than machines.” Bourzikas and McAfee Chief Human Resources Officer Chatelle Lynch will host a session at RSA on how innovation can help companies retain top talent. “Recruiting and retaining a diverse talent pool in cybersecurity today is so competitive,” Lynch said of her session. “Employees want to know they are at a company that strives for the latest innovation.” But that is always within the realm of human-machine teaming at McAfee, Bourzikas says. Shiny new tech must be paired with human analysis.
Many cited human decisions about data regulation – the opposite of whiz-bang security tech – as one of the main issues in cybersecurity today.
“The most important development in cybersecurity is Facebook’s reaction to the imminent enforcement of GDPR,” says Kevin L. Jackson, Founder and CEO of GovCloud Network. “The sound of Facebook’s leadership failure is deafening. The legal battles around data privacy and security will drive whatever happens across the entire cybersecurity landscape, including what technology is deployed.”
“The sound of Facebook’s leadership failure is deafening.”
– Kevin L. Jackson, GovCloud Network
Kathy Delaney Winger, a Tucson-based lawyer whose areas of practice include cybersecurity, concurred. “Businesses may be surprised to learn that they are obligated to comply with laws such as New York’s cybersecurity regulation and the GDPR – even though they do not fall under the jurisdiction of the enacting entities.”
“Far too many small and mid-size businesses simply underestimate the impact that the EU General Data Protection Regulation will have on them,” said Ben Rothke, principal security consultant for Nettitude.
GDPR preparation doesn’t have to be drudgery. Flora Garcia, a McAfee attorney writing about the regulations, has suggested GDPR can also stand for Great Data Protection Rocks. Data protection could even be a shared global citizenship effort along the lines of environmentalism, she says.
The data-protection revolution may even have us rethinking the nature of identity. “The identity industry is moving away from identity,” said Steve Wilson, vice president and principal analyst of Constellation Research, Inc. “What matters in authentication? Not who someone is, but what they are. You need to know something specific about a counter-party, like their age, or their address, or their credit card number, or their nationality, or some mix of these things. You don’t really need to know their identity. This is a very fundamental shift in thinking, and it’s just the beginning of a major regulatory push around data provenance.”
“The identity industry is moving away from identity.”
– Steve Wilson, Constellation Research, Inc.
Grounded data-protection hygiene and cybersecurity discipline that looks past the cool factor are not preventing RSA attendees from looking at the very latest threats. “These days, attackers are increasingly focused on cryptocurrencies – stealing them, mining them via cryptojacking or obtaining them as ransom,” said Nick Bilogorskiy, who drives cybersecurity strategy at Juniper Networks and was previously Chief Malware Expert at Facebook. “As companies do not usually have crypto wallets to steal, attackers turn to ransomware because it provides the best bang for the buck and is the logical choice for attackers to monetize business breaches. I expect ransomware and other cryptocurrency malware attacks to grow in popularity this year.”
But even the most quickly evolving threats are enterprises launched by people, aimed at people, and shut down by people. Raj Samani, McAfee’s Chief Scientist, says ransomware and its many forms can be beaten by people – if they get the right help. “The purpose of pseudo-ransomware is typically destruction, but we have seen evidence of its use as a diversionary tactic, and whilst it may appear as traditional ransomware the attackers are unlikely to provide any decryption capability regardless whether the ransom is paid. Either way, with actual ransomware or the decoy tactic, organizations need guidance to mitigate the risk.” Samani is speaking about pseudo-ransomware during his session on the topic at RSA.
Everything in cybersecurity may seem new, baffling, and roiling with change. But people can apply lessons of the past – such as with airport security changes after 9/11 – to find solutions in the future, said McAfee CEO Chris Young. “Smart security changed air travel from top to bottom. We need to bring a cybersecurity paradigm shift that is more collaborative, clear and accessible,” Young said of his RSA keynote on what cybersecurity can learn from those who keep air travel safe.
The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.
The post RSA Influencers Identify Cybersecurity’s Top Issues appeared first on McAfee Blogs.
Welcome to SF everyone! As the RSA Conference week begins, which really is a cluster of hundreds of security conferences running simultaneously for over 40,000 people converging from around the world, I sometimes get asked for local curiosities.
As a historian I feel the pull towards the past, and this year is no exception. Here are three fine examples from hundreds of interesting security landmarks in SF.
Chinese Telephone Exchange
During a period of rampant xenophobia in America, as European immigrants were committing acts of mass murder (e.g. Deep Creek, Rock Springs) against Asian immigrants, a Chinese switchboard in 1887 came to life in SF (just before the Scott Act). By 1901 it moved into a 3-tier building at 743 Washington Street. Here’s a little context for how and why the Chinese Telephone Exchange was separated from other telephone services:
Today when you visit Chinatown in SF you may notice free tea tastings are all around. This is a distant reminder of life 100 years ago, even for visitors to the Chinese Telephone Exchange, as a San Francisco Examiner report describes in 1901:
Tea and tobacco are always served to visitors, a compliment of hospitality which no Chinese business transaction is complete
At it’s peak of operation about 40 women memorized the names and switching algorithms for 1,500 lines in five dialects of Chinese, as well as English of course. Rather than use numbers, callers would ask to be connected to a person by name.
The service switched over 13,000 connections per day until it closed in 1949. Initially only men were hired, although after the 1906 earthquake only women were. Any guesses as to why? An Examiner reporter in 1901 again gives context, explaining that men used anti-competitive practices to make women too expensive to hire:
The Chinese telephone company was to put in girl operators when the exchange was refitted, and doubtless it will be done eventually. The company prefers women operators for many reasons, chiefly on account of good temper.
But when the company found that girls would be unobtainable unless they were purchased outright, and that it would be necessary to keep a platoon of armed men to guard them, to say nothing of an official chaperon to look after the proprieties, the idea of girl operators was abandoned.
“They come too high,” remarks the facetious general manager, “but in the next century we’ll be able to afford them, for girls will be cheaper then.”
Pacific Telephone Building
One of the first really tall developments in SF, which towered above the skyline (so tall it was used to fly weather warning flags and lights) for the next 40 years, were the Pacific Telephone offices. At 140 Montgomery Street, PacTel poured $4 million into their flagship office building for 2,000 women to handle the explosive growth of telephone switching services (a far cry from the 40 mentioned above at 743 Washington Street).
By 1928, the year after 140 New Montgomery was completed, the San Francisco Examiner declared “with clay from a hole in the ground in Lincoln, California, the modern city of San Francisco has come.”
It was modeled after a Gottlieb Eliel Saarinen design that lost a Chicago competition, and came to life because of the infamous local architect Timothy Pflueger. Pflueger never went to college yet left us a number of iconic buildings such as Olympic Club, Castro Theater, Alhambra Theater, and perhaps most notably for locals, a series of beautiful cocktail lounges created in the prohibition years.
Fast-forward to today and there are several windowless tall buildings scattered about the city, filled with automated switched connecting the city’s copper and fiber. One of particular note is 611 Folsom Street, near the latest boom in startups.
Unlike the many years of American history where telco staff would regularly moonlight by working for the police, this building gained attention for a retired member of staff who disclosed his surprise and disgust that President Bush had setup surreptitious multi-gigabit taps on telco peering links.
“What the heck is the NSA doing here?” Mark Klein, a former AT&T technician, said he asked himself.
A year or so later, he stumbled upon documents that, he said, nearly caused him to fall out of his chair. The documents, he said, show that the NSA gained access to massive amounts of e-mail and search and other Internet records of more than a dozen global and regional telecommunications providers. AT&T allowed the agency to hook into its network at a facility in San Francisco and, according to Klein, many of the other telecom companies probably knew nothing about it.
The job entailed building a “secret room” in an AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office and assigned to the Internet room. He asked a technician there about the secret room on the 6th floor, and the technician told him it was connected to the Internet room a floor above. The technician, who was about to retire, handed him some wiring diagrams.
“That was my ‘aha!’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”
Klein was last in Washington in 1969, to take part in an antiwar protest. Now, he said with a chuckle, he’s here in a gray suit as a lobbyist.
In some sense we’ve come a long way since 1887, tempting us to look at how different things are from technological change, and yet in other ways things haven’t moved very far at all.