Two weeks ago, I attended the RSA 2013 Conference in San Francisco and was impressed by the number of participating security vendors. The addition of the Human Element and Breaking Research themes to the technical track sessions also gave this year’s presentations a refreshing change.
Below are some of my experiences and insights from noteworthy discussions on security awareness, hacking back, and going offensive legally.
The 7 Highly Effective Habits of a Security Awareness Program
Samantha Manke and Ira Winkler of Secure Mentem discussed their views on the difference between security training and security awareness. They highlighted the importance of a security culture in enabling employees to apply best computing practices on a daily basis, resulting in long-term security awareness within the organization.
They presented the results of their recent study conducted among Fortune 500 companies in the Health, Manufacturing, Food, Financial and Retail sectors. The study focused on the security awareness campaigns these companies implemented and how effective they were. Its key findings led them to formulate their 7 Highly Effective Habits of a Security Awareness Program, which are:
- Create a Strong Foundation
- (Have) Organizational Buy-in
- (Encourage) Participative Learning
- (Have) More Creative Endeavors
- Gather Metrics
- Partner with Key Departments
- Be the Department of HOW
My key takeaway for this session is of course the last part. We, the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply saying no to our own customers and further locking down systems.
While I understand the need to establish dos and don’ts in company security policies, we should raise the bar and make security a key part of solving business challenges rather than an obstacle to them.
On Hacking Back and Going Offensive Legally
During the conference, I attended several sessions discussing intriguing concepts like hacking back and going offensive legally. One of the sessions was Highway to the Danger Zone…Going Offensive…Legally, presented by George Kurtz and Steven Chabinsky of CrowdStrike. The discussion focused on the idea of active defense as a form of offense against targeted attacks affecting companies. They clearly differentiated this concept from hacktivism and online vigilantism. However, Steven Chabinsky, being a lawyer, also expounded on its complexities, such as the differences in laws and legislation across countries, which make the concept difficult to define at the moment.
Another session that covered very similar ground was Is it Whack to Hack Back a Persistent Attack?, moderated by Trend Micro’s Dave Asprey. He was joined by Davi Ottenheimer of EMC Corporation, David Willson of Titan Info Security Group and, again, George Kurtz of CrowdStrike. The panelists discussed the active defense/hacking back phenomenon and the legal, ethical and business liabilities and complexities it raises when practiced over the Internet.
My personal key takeaway from these sessions is that the active defense concept entails risks and complications that may create more problems than it solves. Instead, organizations, and security administrators in particular, should adopt the right mindset toward targeted attacks and deploy inside-out protection.
For now, I would stick with partnerships between law enforcement agencies and the private sector as the best (and safest) path to combat targeted attacks, as exemplified by the Rove Digital takedown last year.