Note to future RSA Conference attendees: if you’re using the security conference’s unsecured WiFi, and you’re not using an encrypted email service, don’t send racy pics. The Security Operations Center (SOC) team will see them, along with your username and password, and they will make fun of you.
This wasn’t a huge problem at this year’s show, which took place last week in San Francisco — although I did notice a Vogue magazine download come across the network traffic monitoring screens inside the SOC. But last year, when the show coincided with Valentine’s Day and 35 percent of attendees didn’t encrypt their email, “those were pretty lurid emails,” said Percy Tucker, senior manager of systems engineering at RSA.
For the second consecutive year RSA and Cisco security analysts ran the SOC at the conference. They are not actually securing the network, but rather educating attendees about what a working SOC does. And, of course, it’s a chance to showcase both companies’ security technologies.
The SOC does, however, monitor real-time network traffic, and analysts alert conference organizers and Moscone Center officials if they come across any real threats. Last year this included a vendor giving out a VIP’s private information including a personal jet schedule.
This year, “some joker uploaded 1,700 malware samples” during a SOC tour, Tucker said. “He said, ‘Yeah, I did it.’ He thought it was funny.”
But before they knew it was a joke, “it tied up the resources of the SOC,” said Cisco SOC Analyst Jessica Bair. “We had to make sure it’s not an attack that will laterally spread.” A real-world SOC would use tools like Cisco Umbrella to block malware, she said. But malware isn’t blocked at the conference because, for example, some sessions include demonstrations of how it spreads. Still, “these things can be malicious,” Bair added.
And because it’s a cybersecurity event, attendees are also keen to point out security flaws, like one on the conference app that exposed 114 attendees’ first and last names. An engineer disclosed the flaw via Twitter on Thursday, and it was quickly “contained,” according to an RSA Conference tweet.
Fun and games aside, there were some pretty heavy discussions at RSA Conference 2018. The event kicked off on April 16 — the same day that U.S. and U.K. government agencies issued a joint alert warning American and British organizations that Russian state-sponsored actors are targeting their network infrastructure devices, such as routers. The massive WannaCry and NotPetya malware attacks of 2017 cast shadows on nearly every keynote, with Microsoft President Brad Smith calling for a “digital Geneva Convention” to protect people from cyberattacks, McAfee CEO Chris Young warning that security breach fatigue could lead to a “digital 9-11,” and Cisco Chief Security and Trust Officer John Stewart saying “we are completely screwed, even more than we were last year.”
In other words, it’s not a good time to be a paranoid pessimist, which probably describes the vast majority of cybersecurity professionals.
Cryptomining: The Next Big Threat
The rise of cryptocurrency mining malware and botnet attacks on internet of things (IoT) devices came up in nearly every conversation with technologists at the event.
“We’re seeing much more in the IoT space,” said Nokia’s Kevin McNamee, who recently co-authored the company’s latest threat intelligence report. He noted the 2016 Mirai malware, responsible for the largest distributed denial of service (DDoS) attack on record, and said it is popping up in nearly every network he sees. “Attackers are using that same Mirai toolkit — it’s almost evolved to malware scanning as a service,” he said.
“The other thing becoming more and more common is cryptomining — even finding it on people’s phones,” McNamee added. While mobile phones don’t have as much processing power as a server, “I think [attackers] are going for economies of scale — 5,000 infected phones instead of two servers,” he said.
Symantec’s latest annual security threat landscape report, published last month, found detections of cryptocurrency coin miners grew by a whopping 8,500 percent in 2017. Hackers see it as a cheap and easy way to make money. It takes only a couple of lines of code to operate, in addition to stolen processing power and cloud CPU usage.
“I’m hearing about cryptomining from customers as well as from investigators,” said Marc Spitler, a senior manager and co-author of Verizon’s recent data breach report. “If you think about it from an adversary standpoint and a value proposition for them, it makes a lot of sense. They are out to make money, and they can do it that way instead of ransomware.”
Back to Basics
So how can companies protect their networks? Spitler and several other security professionals advocated a back-to-basics approach focused on security hygiene like patching and segmentation.
“Things like security posture and hygiene are becoming a bigger topic,” said VMware’s Tom Corn, senior vice president of the security products group. He cited a Gartner analysis that displayed security controls and data protection models as a risk pyramid. “When you look across the security landscape, much attention is focused on advanced threat detection, which is critical but addresses the top of the pyramid,” he said. “At the bottom you have things like patching and segmentation, where you can address larger chunks of risk.”
RSA Chief Technology Officer Zulfikar Ramzan noted the popularity of threats like ransomware and spear phishing, and how these can be addressed through simple things like patching vulnerabilities and anti-phishing training for employees. “For the longest time people were getting so caught up in the Ocean’s Eleven-type of heists,” Ramzan said. “The reality of most of what we’re seeing is 7-Eleven-type smash-and-grab robberies.”
But even smash-and-grab robberies can be costly to businesses and their reputations — just ask Equifax.
And a week’s worth of cyber doom and gloom scenarios can be overwhelming. So when the paranoia fully sets in, and you become convinced that a hardware malfunction on your iPhone is actually a bug you got at the RSA Conference (true story), may I suggest taking deep breaths, or a yoga class, and definitely snapping a selfie with a fox.