Along with my colleagues, I was able to attend this year’s RSA Conference held at the Moscone Center in San Francisco, and the experience was definitely enlightening, especially in terms of the current state of our industry.
“Security of Things” before “Internet of Things”
Many new technological frontiers have emerged through the years, and with them, the attack surface has widened dramatically. With the mobile computing boom, threats against critical infrastructure, and now the emergence of the Internet of Things, the industry is struggling to build defenses. For example, in his talk about IoT, Eric Vyncke discussed the risks around the Internet of Things, their impact on privacy and human life in general, and the need to address them. These risks, he said, are as critical as they are varied – with different devices, software, and protocols all entailing different risks. He discussed different factors that need to be considered in securing the Internet of Things, such as the lifetime of the device (expected duration of device usage vs. expected duration of device security), its means of identification (device identity vs. group membership), the nature of the infrastructures it will be under, and others. Vyncke raised a very important point here, especially since a widespread adoption of Internet-enabled devices will lead us to the same problems we have with mobile computing – wherein platforms were being developed faster than the means to protect them.
Two Sides of the Same Bitcoin
Uri Rivner’s and Etay Maor’s Bitcoin Thief Tutorial was a very entertaining threat-centric talk that oriented the audience on how Bitcoin works, how to handle it, and the opportunities that Bitcoin offers to criminals, both as a tool and a target. To bring the latter point across, they turned the audience into witnesses to a Bitcoin robbery through a real-time demo of a Bitcoin being stolen through a SpyEye variant. In the end, the duo recommended exploring Bitcoin even though it brings about a lot of risks (the recent Mt. Gox incident being a prime example), if only to understand the risks better, and most importantly, because it’s fun.
Fighting Fire with Fire
Ziv Mador’s and Ryan Barnett’s session took a different approach to exploring a new frontier, by encouraging the option of turning the bad guys against themselves. In their presentation, they showed how the security industry can use the very techniques used by cybercriminals to disrupt their routines. For example, they showed how code obfuscation – a technique frequently used in exploit kits to evade detection – can be used to prevent the webinjects done by ZeuS variants. The researchers admitted that the ethical and legal aspects of this concept may raise concerns, and that more research needs to be done.
Drawing Lines and Creating Norms
As expected, the matter of state monitoring was tacked onto various conversations throughout the conference. There were several statements about the topic, and most said that they are willing to provide information to governments, provided that it is legally justified and limited to specific information only (as opposed to bulk data). However, it is in the legal justification where the problem exists – the lack of clarity in terms of what is justified or not has created a lot of issues and will continue to do so. We are at a point in time where technologies allow a great deal of information gathering (to the point that it affects the concept of privacy), and this calls for standards and limitations to be established. Until that is achieved, the tension around the issue is likely to continue.
Gone are the days of focusing on achieving complete security, and rightfully so. The question of whether there is a threat or not was answered long ago, and the name of the game now is threat intelligence – gaining knowledge of threats and using that knowledge to act accordingly. Successful targeted attacks have taught us just how good attackers can get at infiltrating perimeters, and security is no longer achieved just by building the best walls, but by knowing who’s trying to get past them.