RSA 2017 – 5 Things to Think About
Every year since 1993, RSA has hosted one of the key computer and network security conferences, gathering some of the leading personalities in cybersecurity and cryptography to discuss the latest issues. This year it was held in San Francisco, and was the third time I had attended. I want to share some highlights that I thought particularly relevant. It’s a great conference and if you have any responsibility or interest in cybersecurity I definitely recommend you go, whether you are a vendor, system integrator or a user of video surveillance. If you weren’t able to go this year, then recordings of most sessions and keynotes are made available online.
Security Concerns about The Internet of Things
One of the hottest topics this year was the security concerns around IoT. Many speakers talked about the Mirai botnet, and some sessions even demonstrated how it works (because it is still out there). For those who don’t know, Mirai is malware that caused the two largest distributed denial of service (DDoS) attacks last year. In addition, it took down the DNS provider, Dyn, which disrupted global internet services including Spotify, Reddit and GitHub.
As most presenters pointed out, the biggest vulnerability to Mirai is having passwords hard-coded into devices such as routers, DVRs and cameras, so that users can’t change it even if they want to. There is a very simple and obvious solution: allow users to choose their own passwords (and even better, make users change the default password before the device can be put into use).
One reason why the Mirai botnet has generated so much concern is the fact that the botnet attacked critical infrastructure while leaving the device owners unharmed. There is little incentive for individuals or small organizations to take even basic precautions when connecting their devices to Internet, so vendors will have to take much more responsibility before shipping insecure products.
Ransomware was another hot topic, specifically referencing the attack on Washington DC Police. This is currently the #1 data-loss disaster for small and medium businesses: it exceeds the cost of accidental user-deleted data and is more common than hardware failure. As with real life ransom situations, experts recommend not to pay up as in the long term that should help reduce the potential value to the criminals involved. Although obviously this may not seem helpful to the individual business who has been caught in a ransomware attack. So, a number of corporations and organizations are sponsoring free-of-charge support for those who are affected (https://www.nomoreransom.org/). It’s worth noting that the statistics show that data will not be recovered in 25% of the cases regardless of whether the ransom is payed or not. As a result of this, Cyber Insurance is becoming more popular for large organizations. These insurance policies require specific security measures to be taken, but at the same time, often forbidden those organizations from making it public that they have it.
Regulation and certification
One question that came up again and again was whether it is possible for governments to regulate the Internet of Things to try and fix or reduce the gaping security holes currently present in a variety of devices. Unfortunately, many speakers agreed that this would be very hard to do. For example, who would have to be regulated? Manufacturers? OEMs? Service Providers? Installers? End-users? All of them are, in some way, part of the problem. And even one product will have a global supply chain that could frustrate any attempts at properly enforcing cyber security regulation. At present the, the best option appears to be self-regulation, although given the wide variety of internet-enabled devices being produced, that will be quite a challenge, too.
A related question was whether it would be possible to certify devices as being ‘secure’. Once again, the challenge is that there are so many different devices operating in so many different environments that there is no easy way to define what ‘secure’ is apart from within highly-specific scenarios.
A different approach that is already being put into practice is using current liability laws to sue vendors and service providers when they are shown to be negligent. Obviously, this is also a less than perfect solution, but it may at least force the issue to be taken seriously by targeting the bottom line of those companies.
In past years there was a distinct reticence for companies who had been attacked to let their customers or the relevant authorities know, to safeguard their reputation and reduce the chance of being sued or fined. This meant that cybersecurity companies and government agencies tasked with dealing with such crimes were left in the dark far longer than necessary, slowing their response, and leaving other organizations vulnerable.
I’m happy to report that the mood appears to be changing. The challenges involved, such as trust, nomenclature, meaning and semantics are being addressed; and tools to craft intelligence and the infrastructure to facilitate sharing are being developed. But, as was discussed, larger businesses and organizations are being encouraged to develop personal relationships with government agencies (such as the FBI) in order to get a faster response and assistance when attacked.
Connect or disconnect?
It might seem like an odd question in 2017, but do we really need to connect absolutely everything to the internet? This was brought up in a number sessions, with the slightly unsurprising response: “no”. Just because a device can be connected to the internet, doesn’t mean it should – organizations should careful plan of what they connect, where and why.
Up until recently the battle in cybersecurity seemed to be between the ‘good guys’ and the ‘bad guys’, with the latter always one step ahead. Now it seems that it is the technology that is one step ahead – often causing unintentional problems and vulnerabilities where none needed to exist before.