Two themes jumped out at me from the RSA Conference this year, the first being one we’ve already discussed – about how companies need to help one another by sharing information about the threats they’re seeing and how best to respond. The second, voiced most strongly in the keynote by McAfee CTO Stuart McClure, is that protecting yourself is no longer possible. You will be hacked; the only question is what you’re going to do about it.
“It’s not a question of if but when. Victimization is inevitable,” McClure said. That echoed RSA Executive Chairman Art Coviello’s remarks in his opening keynote when he said companies need to “acknowledge once and for all, that our networks will be penetrated. We should no longer be surprised by this.”
Last year, with high-profile attacks on security firms including Stratfor and RSA itself, and on entertainment devices including the Sony PlayStation, “was a mess, quite frankly,” McClure said. “This was the age and the year of really deflowering some organizations that really didn’t think they’d ever be pulled into this world of security and hacking and hacktivism,” he said, referring to entertainment players like Sony.
It takes three ingredients to create an effective hack, McClure said, the first being opportunity both in terms of devices and the vulnerabilities they present. Vulnerabilities include not only bugs but weak passwords and the ability to escalate privilege. And the number of devices “is going nuts,” he said. “By the end of the decade it will skyrocket in terms of the number of devices to be managed.”
The second ingredient is motivation, which once was simple ego but now is more financial or, in the case of hacktivism, political. The final ingredient is ability, and there’s no shortage of that. “The bad guys are getting smarter,” McClure said, noting the good guys are getting smarter, too, and putting their knowledge into technology “as best we can.”
McClure listed 13 threats that he is concerned about over the next 3 to 7 years. Highlights include social networks, which he called the “megaphone of megaphones” in terms of creating opportunity for the bad guys. For example, American Express just announced Serve, a Facebook app that lets users send and receive payments online, a la PayPal. Using Facebook to make payments is “very interesting stuff,” McClure said. “Whenever I hear that I think, ‘Oh, no, I’m going to be busy.’”
Similarly, the idea of using mobile devices to make payments, an idea that is still in the formative stages, gives him pause. “When…currencies are on these devices, this is where you’ll see the explosion [of threats] on mobile and that’s coming very soon,” he said.
Attacks against certificate authorities, such as those against Comodo and Verisign, are also worrisome. Security technologies such as SSL and digital certificates all depend on the root of trust that these companies provide, McClure noted. “If this is compromised, our entire trust system, just throw it out the window.”
In terms of what we can do in the face of all this gloom and doom, McClure offered a few solutions. One was to get away from the idea of blacklisting, meaning identifying threats and blocking them, and move instead to whitelisting, where only applications that are specifically allowed can execute. That’s not exactly a new idea, but the technology to pull it off has improved over the years, as detailed in this CIO.com story.
Security features must also move down the stack, to the firmware and BIOS level, as opposed to the application and operating system level where most security tools play. That’s all well and good, but that one is squarely in the lap of the security firms and hardware vendors; not much customers can do about it.
Another recommendation is isolation. “Not just virtualizing the application or the process or thread, but isolating it 100% from other threads, processes and apps,” McClure said. “That is really the future. Control is the name of the game, being able to control privilege based on a confirmed identity, to control execution and whether a bad piece of software runs and infects.”
That, too, makes sense, and I suppose users can take some architectural steps to isolate applications and processes, but for the most part it’ll take vendor tools to make it happen.
But if victimization is inevitable, one thing customers should absolutely do is come up with a strong incident response plan. “Incident response, and a strong, well-tested [breach response] program is the number one concern I have,” McClure said. “By and large we don’t have those.”