The tenor of this year’s RSA Conference was about opening doors, not closing them. While previous conferences had huddled around topics like encryption, network access control, SQL injection prevention and stopping terrorism, this year’s focus was personal iPhones and iPads on business networks, and the threat of activist reprisals from the Internet hive mind known as “Anonymous.”
From the network level to the programming level, everyone was talking about externally controlled devices accessing internal networks. Whether control of those devices lies with an employee (as with an iPad) or with an outside party consuming a controlled data stream (as with an API), this year’s RSA Conference made it clear that simply restricting network access is no longer an option.
That means practices like white-listing (blocking access to all websites except those sanctioned by IT) are being abandoned out of necessity. As one executive speaking on a panel hosted by Cisco quipped, “I don’t care if the senior VP is looking at porn anymore.”
Christopher Young, senior vice president of Cisco’s security and government group, said that this revolution is, at its heart, about a change in the usage of technology in our lives.
“The big trend we’re all dealing with is about the seamless integration of technology into all of our lives,” he said. “What we need to go along with this is a transition to the seamless integration of security into our lives. Security is cumbersome for the average user, and they’ll go to great lengths to avoid it whenever they can. That presents us with a major problem: Do we lock it down, or do we free it up?”
At the Wednesday afternoon keynote sessions, the topic veered away from personal devices on private networks, and sailed into the murkier waters of hacktivism. In a panel discussion with PBS NewsHour correspondent Jeffrey Brown, the rise of Anonymous was discussed. Eric Strom, special agent with the FBI, said that Anonymous is an entirely new problem for the agency.
Whereas the criminal underworld is insular and difficult to penetrate, Anonymous is wide open and inviting, said Strom. Additionally, Anonymous tends to be staffed with much younger members.
“They’re very open about what they want to do, whether it’s intrusion, or hacking into something,” he said. “That’s the tipping point for us. If they’re just complaining about something, they have every right to do that. It’s when they take that step across the line, or hack into a system and go after someone in law enforcement and their family, that’s when we step in.”
Strom said that much of the work that’s been done at the FBI around Anonymous attacks involved outreach to the companies that have been targeted. “The positive side is that the FBI has been very proactive with companies,” he said. “A lot of times, we’ll put companies in touch with other companies: prior victim with a potential victim. We’ll ask, ‘What’d you do to defend yourselves?’ ”
Grady Summers, vice president of customer success at security response firm Mandiant, said that Anonymous attacks are actually a huge wakeup call for many enterprises. He said that hacker threats used to target only systems that handled money or access control. Now, every system is a target, he said.
Anonymous has spurred many organizations to get serious about security, said Summers. “When we think about this problem, I think there’s not a person in this room who doesn’t know what they have to do to put up a better defense,” he said.
“Anonymous holds up a mirror to our neglect. The things they’re taking advantage of are SQL injections, default passwords, poorly configured Apache installs, real low-hanging fruit. I don’t think any of us have seen a smoking zero-day come out of Anonymous.”
Code and plugs
As far as development tools go, RSA is increasingly focused on appliances and cloud-based security solutions. Some software-quality validation vendors were on hand, however.
Chris Wysopal, Veracode’s CTO and cofounder, said that code-quality scanning is becoming increasingly common in organizations that aren’t at the top end of the spectrum. He said that some companies are using Veracode as a validation service against third-party applications their employees are using on mobile devices. Some companies are also validating externally created applications that use their secure APIs to ensure security compliance.
Perhaps the most interesting and unique security product at the show came from a company called Pwnie Express. Its product line includes mobile phones and extremely compact Linux computers that can be installed on-site to give an attacker access to internal networks. A small wall-wart-sized computer could be plugged into an outlet in your break room and immediately provide someone with a Linux box on your wireless network. Be sure to unplug all unneeded white boxes at work, folks!