Cloud
As we trek into the third day of RSA, we’re already noticing that many of our pre-RSA predictions are holding true – guess it’s our "sixth sense" for security trends. In an earlier post, my colleague Kristin Allaben suggested that in addition to cloud security, top themes at this year’s conference would include trends in government security and cyber warfare.
Yesterday’s highly anticipated Symantec keynote delivered by president and CEO Enrique Salem warned his audience that the worst of targeted cyber attacks is yet to come. A statement made by Salem that left us, and surely the rest of the audience, feeling slightly unsettled referred to a recent, highly publicized targeted malware attack: “Stuxnet was the attack that moved the game from espionage to sabotage.” It seems as though the safety of our critical security infrastructure is at stake, especially with recent movements to the cloud and the replacing of PCs with smart devices. Is our growing adoption of virtualized environments ultimately letting down our protective barriers?
Art Coviello, EVP of EMC and president of RSA, doesn’t seem to think so and remains fairly optimistic. During his presentation, he claimed that virtualization is the silver lining in the cloud. Due in large part to a growing business demand, organizations are rapidly adopting cloud technologies. While this is great for the cloud industry, Coviello stated that it is causing growing concern for security practitioners who are in charge of governing and managing data in the cloud. Automation has become an essential part of enabling security in virtualized environments.
Rest assured though, there is light at the end of the tunnel. Coviello told audience members that the vendor community has been working to apply security principles to their solutions that will enable a secure, trusted cloud. Interestingly enough, we can expect to see predictive analytics being deployed in trusted cloud environments based on an understanding of normal states, user behaviors and transaction patterns.
Check back here tomorrow for additional coverage and highlights of this year’s RSA Conference. We’re interested to see if discussion will continue around security in the cloud or if something new will pop up.
Tags:
cloud computing,
cloud security,
government IT security,
malware,
Stuxnet,
targeted attacks,
virtualization
Posted by Katerina Korfias on February 16, 2011 at 12:13 PM
With Schwartz representing almost two dozen security companies at RSA this year, we thought: who better than our clients to share the latest security trends at the conference? Members of our digital marketing services team (which is already off to a highly successful year) spent the day at Moscone interviewing the brightest executives on the show floor. The results revealed that, as we predicted, cloud and mobile security are top of mind as companies explore new ways to control today’s blurry perimeter, but also uncovered a few surprising themes. Take a look.

Tags:
cloud security,
content marketing,
IT security PR,
RSA,
RSA 2011,
security PR
Posted by Dara Sklar on at 11:33 AM
Yesterday there was a lot of interest in the Cloud Security Alliance Summit, especially since cloud security is still an unresolved security topic. Just take a look at this line waiting to get in!
The big news that came from this session surrounded the government’s plans to spend $20 billion on cloud security, at least according to the 2012 budget. Also from this discussion, there were four key areas identified as lacking in clarity when it comes to cloud adoption:
- Security
- Standards
- Procurement
- Governance
With these four areas in mind, cloud security has the appearance of remaining a consistent concern, especially when companies consider moving mission-critical applications to the cloud. To try to ease this fear, RSA announced that its Cloud Trust Authority would launch the beta of a cloud security platform later this year. The beta will offer combined identity management and compliance offerings, with the goal of providing a single, comprehensive set of protections for multiple cloud computing services.
Based on all the news we’ve heard surrounding the cloud, some key terms you will most definitely hear in presentations this week addressing this topic include:
- Government
- Trust
- Risk
- Security
- Concern
- Compliance
- Regulation
- Hesitation
- Privacy
- Data security
- Mission-critical applications
- Delivery methods
- Confusion
- Hack
- Forensics
- Malware
Cyber war is another hot topic and one with many concerns, especially since WikiLeaks and Stuxnet are fresh in our minds. There is a seemingly continuous stream of potential cyber war threats, though many people are unaware of how to define this phrase. To illustrate just how serious this concern is, RSA has attracted a number of high-level government representatives to speak. This year, Deputy Defense Secretary William Lynn III is presenting an opening-day keynote on the Pentagon’s cyber strategy.
Taking a quick look at new products, something to keep our eye on is the MasterCard “Display Card.” Although it looks and works the same as any other credit card, it is described as having a built-in display to enable cardholders to create a one-time password to enhance authentication. So we have to ask: is this going to protect cardholders from having their credit card information stolen when shopping online?
With keynotes and panel sessions ramping up today, be sure to check back here tomorrow for a recap on some of the hot discussion topics.
Tags:
authentication,
cloud security,
Cloud Security Alliance,
cyber war,
government security,
Pentagon,
RSA,
RSA 2011,
Stuxnet,
WikiLeaks
Posted by Kristin Forte Allaben on February 15, 2011 at 10:00 AM
And so it begins--RSA 2011 officially kicks off today. With a “Giants Among Us” theme, the 20th Anniversary of RSA is dedicated to celebrating the industry’s pioneers. This includes a look at the legacy of the RSA algorithm, the history of cryptography and computer security, and a look ahead to the future of the industry.
We’ve highlighted some of the key themes we expect to see come from RSA, some of which seem to be a repeat from last year. Just taking a look at the keynote session titles, anyone can see that cloud security still reigns as an unresolved security topic from RSA 2010. And with Stuxnet making such a splash, especially with the latest news of Anonymous claiming control of the Stuxnet virus, government IT security will once again be a primary topic.
Some additional things to keep our eyes on over the course of the week include:
- Government Information Security Today survey—Officials in local, state and federal governments who are charged with safeguarding IT were polled to determine their attitude when it comes to IT security leadership, vulnerabilities, regulations, budget challenges, skills and cloud computing. Data will be announced on Thursday in the session entitled “Government Security: The State of the Union.”
- Collective Defense for Internet Health—Described as a new type of computer “check-up,” Microsoft's corporate vice president for trustworthy computing, Scott Charney, has challenged users worldwide to develop collective defenses to help protect Internet citizens from online threats. He presented the idea that the approach to handling online security issues should be modeled after the one used to address sickness in humans. More information on this idea is outlined in Charney’s whitepaper. This idea is likely to be carried into discussions specific to government IT security.
- Organization for the Advancement of Structured Information Standards (OASIS)—OASIS will be holding a KMIP Interoperability Demonstration, touching on policy-based centralized control in order to better manage cryptographic keys. In a recent article, managing encryption keys was described as “the Achilles’ heel of cryptography.”
Regarding specific items in the news, we've already seen a significant number of new product announcements.
Keep an eye on the Schwartz security practice's Tangled Web for a recap of news to come from RSA 2011.
Tags:
cloud security,
computer security,
government IT security,
government security,
key themes,
Microsoft,
OASIS,
RSA,
RSA 2011,
Stuxnet
Posted by Kristin Forte Allaben on February 14, 2011 at 10:28 AM
Yesterday was the second and final day of Black Hat sessions and there were quite a few key topics that we’ve seen before.
Government
As the government continues to work toward implementing cloud solutions, there is continued discussion of cloud security, as well as cyber-warfare. We saw this in full force at RSA 2010, which we discussed in a previous post.
In his Black Hat keynote yesterday, former National Security Agency Director, retired Gen. Michael Hayden, addressed the need to define cyber-warfare since the term is loosely applied to anything relating to crime on the Internet. He explained the military traditionally operated in four domains: ground, air, water and space. Now, there is the introduction of the fifth domain: the Internet, the first man-made location for warfare. A clear definition of cyber-warfare will prove advantageous for us because it will enable the country to better understand what a cyberattack is and, therefore, know how to properly respond.
SSL
One of the biggest speaking points from Day 2 sessions revolved around weaknesses associated with SSL, which were highlighted in a number of sessions yesterday. In one session, two researchers highlighted the ability for hackers to take over a user’s account or take control of a website due to the way browsers implement HTTPS. Additionally, hackers are able to sniff around the edges of the encrypted information, picking up on clues to help them figure out what their targets are doing.
The session essentially highlighted that HTTPS alone will not stop bad things from happening due to the “breadcrumbs” left behind from secure browsing sessions that skilled hackers can easily follow.
Wallpaper
I remember the first time I wanted to change the wallpaper on my computer and my computer teacher (yeah, that’s true) was furious. I found myself, 30 minutes later, with a very basic understanding of the dangers of malicious downloadable content. Although it seems to be more common sense nowadays, downloading images and other content can still be a threat to users who believe they are using a secure application.
Take the mobile Android situation. A wallpaper application is said to be sending personal information from millions of Android users to a “mysterious Chinese website.” The finding was reported at Black Hat this week as part of the App Genome Project, a real-time database designed to keep mobile users safe by identifying security threats and providing insight into how applications tap into personal data.
There is also more discussion of bug bounty programs, malware-infected SEO terms and ATM vulnerabilities.
As a result of the sessions at Black Hat, we’re likely to see continued discussion regarding the importance of (and need for) a definition of cyber-warfare and, as expected, continued advancements in cloud security as more industries turn to the cloud.
Tags:
App Genome Project,
ATM vulnerabilities,
Black Hat,
cloud security,
cyber-warfare,
cyberattack,
cyberwar,
malware,
SEO,
SSL
Posted by Kristin Forte Allaben on July 30, 2010 at 9:48 AM
As speakers and hackers gather in Vegas for the 2010 Black Hat conference, there are many topics on people’s minds.
In many of the pre-show articles, there has been talk about cloud security, a topic that seems to resonate throughout security conferences this year (see previous post on RSA 2010). There is also discussion on wireless security, particularly as it pertains to mobile devices. This is most definitely an area of increasing importance as IDC forecasted that the mobile workforce would exceed one billion by the end of 2010, potentially bringing to light new security implications for enterprise networks.
Most prominent over the last few days has been discussion of the vulnerability within WPA2, currently the strongest form of WiFi encryption and authentication. The vulnerability, identified as “Hole 196,” lends itself to man-in-the-middle attacks.
We can also expect to hear about:
It appears, however, that the most highly anticipated session surrounds Barnaby Jack’s research into ATM vulnerabilities. As some may recall, this talk was canceled last year due to pressure from ATM vendors. Similarly, this year, a session entitled “The Chinese Cyber Army: An Archaeological Study from 2001 to 2010” was canceled due to outside pressures.
On a fun note, Black Hat attendees will also be participating in the Pwnie Awards, which recognize extreme excellence and incompetence in the field of information security. Some categories include Best Server-Side Bug, Best Client-Side Bug, Most Overhyped Bug and Lamest Vendor Response.
For those of you preparing to head out to Vegas later this week for the array of speaking sessions, take the Black Hat Challenge. What one session would you attend?
Tags:
ATM vulnerabilities,
Barnaby Jack,
Black Hat USA 2010,
cloud security,
DNS rebinding,
hackers,
Hole 196,
Microsoft Security Response Center,
mobile workforce,
VPN security
Posted by Kristin Forte Allaben on July 26, 2010 at 9:49 AM
This is it. The fifth and final day of the 2010 RSA Conference, and it’s been quite a ride. Looking back, it’s clear the cloud takes the gold as the most discussed item, although government presence and increasing cyberthreats picked up speed in the latter half of the week, placing each at a tie for silver, especially since they seem to go hand in hand. Tim Greene of NetworkWorld wrote a very thorough article that explores each of these topics in greater detail.
Taking a look at the conversations yesterday, many revolved around FBI Director Robert S. Mueller III’s speech regarding the increasing threat of cyberterrorism. In his speech, he presented the idea that hackers will continue to enhance their skills and will eventually combine cyberattacks with physical attacks. Along with warnings of foreign nations supporting radical group recruitment via the Internet, Mueller advised any company that finds itself to be a target or victim of a cyberattack to turn to the government for help, promising business confidentiality and safeguards to privacy.
Continuing down the path of government presence within the cybersecurity realm, there are also some (perhaps not too outlandish) beliefs that the U.S. is involved in a cyberwar…and we are losing. Cybersecurity Czar Howard Schmidt denied the existence of a cyberwar, saying it’s a terrible concept and further explaining that it’s an environment where no one can win. To reiterate what has been discussed in previous posts, Schmidt’s priorities for the year include better end-user education (something most security professionals say over and over again is a key area of improvement), information sharing and better defense systems.
There was also talk yesterday of the real benefit of using end-to-end encryption within the credit card industry, increasing ID theft within the healthcare industry and fraud. Interestingly enough, there were also discussions of robotics and the changes this advancement would introduce to society.
For the final day at RSA, anticipate continued discussion of increasing cyberthreats, but be prepared for a slight twist on the conversation, as many sessions today will discuss cybersecurity trends, digital forensics, encryption and identity/access control.
For those of you traveling home this weekend, safe travels and we’ll see you next year.
Tags:
cloud security,
cybersecurity,
RSA 2010,
RSA Conference
Posted by Kristin Forte Allaben on March 5, 2010 at 10:01 AM
The government. Microsoft. Cyber threats. The bulk of conversation at the RSA Conference yesterday focused on these three topics. Let’s take a minute to explore each one.
The Government—As I mentioned in yesterday’s post, federal employees are stepping up to the mic to discuss cybersecurity and awareness to better detect and prevent cyber attacks. Between Einstein, the increasing adoption of the cloud and the still vivid memories of Aurora, there's little doubt of the widespread need for better cyber security. According to White House Cybersecurity Coordinator Howard Schmidt, the U.S. is ill-prepared for a cyberwar.
Lawmakers are making an especially hard push to advance a comprehensive cybersecurity plan, especially now with the U.S. cyber czar position filled. Based on Schmidt’s presentation earlier this week, we know the government is gearing up for a few things to occur over the next year:
- Widespread adoption of cloud computing
- Significant improvements in cyber security
- Better working relationships between law enforcement and the private sector to more effectively fight cyber crime
- Instant response plan for cyber-emergencies
- Better transparency in government
Although each of these plans is stated with good intentions, it will be important for our government to remember one of the many lessons taught at RSA this week: avoid the excess hype surrounding a cyber threat and/or attack. Why? Because many dangers surround an overhyped threat, especially when you consider many consumers don’t really understand cyber threats.
On a “fun” note, however, Janet Napolitano, the Secretary of the U.S. Department for Homeland Security (DHS), announced a competition to encourage the industry’s “best and brightest” to think of creative ways to better enhance the security of computer systems and cyber networks. Known as the National Cybersecurity Awareness Campaign Challenge, ideas will be accepted through April 30, 2010. Winners will receive DHS funding to better promote the idea to a wider audience.
Microsoft—Scott Charney, Microsoft corporate VP for Trustworthy Computing, made a bold move yesterday, stating that the industry should consider taxing every PC user to better fund the fight against cyber crime. Needless to say, this was met with a variety of responses across the blogosphere and a flurry of activity on Twitter. Richi Jennings at Computerworld selected a few “gems” that he blogged about today in Computerworld’s IT Blogwatch.
Cyber Threats—As I stated above, many consumers do not understand cyber threats. Social networking enhances this misunderstanding as more and more people provide increasingly intimate details about their life on these websites. By providing potentially sensitive information, people make it easier for cyber criminals to better focus their attacks, making their attacks more successful.
For Day 4 at RSA, anticipate more discussion on cyber threats--what to do to prevent them, best tips on what to do when you’ve been hit, etc. We’ll also see some additional discussion regarding security standards and, per usual, discussion of the cloud.
Tags:
cloud security,
cyber security,
cyberthreat,
cyberwar,
National Cybersecurity Awareness Campaign Challenge,
RSA 2010
Posted by Kristin Forte Allaben on March 4, 2010 at 9:19 AM
Cybercrime is a threat to both enterprises and consumers; it appears that no one is immune from an attack. As cybercriminals become more sophisticated, targeting their victims based on information obtained from social networking sites, it’s no surprise that cybercrime instills fear into many, especially as enterprises encourage the use of social networking as they learn how to use it to their advantage.
However, a strong word of caution was issued during a panel at the RSA Conference yesterday--security professionals were advised to be wary of the intensity with which they discuss threats. It is important that they find a balance between explaining the risks and the probability of an attack. Although some of the hype can encourage companies to re-evaluate their existing security practices, it could cause more harm than good. For example: the threat of stolen IDs, credentials and other sensitive data has many executives rethinking the approach to the cloud.
Once again, we saw the cloud take center stage as many conversations yesterday focused on the security of the cloud (and we can expect the same for today with a quick look at the daily schedule). With many people believing the cloud lacks sufficient security, they turn to the industry with expectations that security pros will “fix it.” Keep in mind, however, that fears and concerns of data security in the cloud are nothing new; this has been a primary reason for delays in adopting cloud computing for some time.
RSA President Art Coviello said in his keynote yesterday that the industry faces one of the greatest challenges: securing the cloud. He explained, “Cloud computing can allow more energy and investment to be directed to a real innovative and competitive advantage, but the one thing that’s holding it back is security.” He also named some key areas that should be prioritized as the industry takes on this task:
- Who gets access to what and gaining visibility in the cloud
- Compliance
- Insider risk
- Privileged user control
- Workflow
A final thought: With cloud computing seemingly the way of the future, there’s little doubt that the government will be included in this new trend. We’ve already seen some significant federal movement toward the cloud, as I mentioned in a previous post, but at RSA, this is taken to another level. A number of federal employees within the cybersecurity arena are stepping up to the mic to lead various discussions on how law enforcement and the private sector need to work together to fight cybercrime.
Unveiled yesterday was Einstein, the National Security Agency’s Homeland Security program to protect the U.S. from cyber attacks. The still-in-progress, more robust second version of the program is described as being “designed to look for indicators of cyber attacks by digging into all Internet communications, including the contents of emails.” Knowing hackers and cyber criminals view this industry as a business, it will be interesting to see what this leads to as hackers turn to their version of R&D to enhance their operations.
Tags:
cloud computing,
cloud security,
cybercrime,
cybersecurity,
IT security,
RSA 2010,
security PR
Posted by Kristin Forte Allaben on March 3, 2010 at 10:52 AM
As was expected, much of the news from yesterday's RSA Conference focuses on the cloud, and specifically, the Cloud Security Alliance (CSA)’s four-hour summit. Kelly Jackson Higgins of Dark Reading wrote an article summarizing the summit and the CSA’s top seven threats to the cloud. An interesting point that came from this discussion is that data security still remains one of the key concerns for companies using the cloud. This begs the question: what type of encryption are you using and do you know how it works?
Some other news from yesterday includes an interesting tidbit on compliance. PCI and HIPAA are just two of the many compliance mandates that companies need to be aware of and abide by. The medical industry is increasingly turning to IT, emphasizing the importance of information security in compliance. Bill Brenner discusses the results of a survey illustrating that 41 percent of companies would fail a PCI audit. This makes one wonder: is a true, compliance-focused security solution available?
Today, we can expect a slight change in the focus of conversation. The cloud will still take center stage for most of the day as keynote sessions explore the security of the cloud. But with additional keynote sessions, seminars and panels aiming to discuss the Internet, virtualization and data breaches, we can expect an increase in the amount of coverage around the increasing sophistication of cyber threats and attacks, including specific mention of Advanced Persistent Threats (APTs).
Tags:
cloud security,
HIPAA compliance,
PCI compliance,
public relations,
RSA Conference 2010,
RSA PR,
security PR
Posted by Kristin Forte Allaben on March 2, 2010 at 9:01 AM
Today is Monday, March 1, day one of the 2010 RSA Conference. The bustle of activity today is quite diverse as exhibiting vendors work hard to get their booths ready, some security professionals prepare for today’s seminars and other vendors begin to announce new offerings and products.
As I mentioned in an earlier post, there is much anticipation of news surrounding the cloud. Just this morning, there have been a number of announcements regarding new cloud offerings and products promising better malware detection and e-mail security.
Interestingly enough, we’re also seeing significant discussion of the cloud’s presence within the government. Matt Hines, an eWeek blogger, wrote an article this past weekend explaining that the government voice will “echo loudly” at RSA this year. Hines explained that in White House Cybersecurity Coordinator Howard Schmidt’s recent press conference, he stated that the coordination of federal cyber security efforts will be a leading priority. Following the recent “Aurora” attacks on Google, the combination of cyber crime and the availability of the cloud for federal institutions will encourage many discussions to look at the cloud’s impact on business productivity as well as data security.
As we turn our attention to RSA sessions, the cloud appears to be a key topic of discussion today. The four-hour Cloud Security Alliance Summit, beginning at 9:00 a.m. PT, will provide key information from industry experts about the state of cloud security. Cloud discussion continues early tomorrow with the first RSA keynote at 8:00 a.m. PT discussing Safety in the Cloud.
On another note, keep an eye on Adobe and Google. Knowing that a number of tomorrow’s sessions will focus on the latest types of cyber threats (such as the Advanced Persistent Threat, or APT, for short) and best practices to avoid falling victim to those threats, it will be interesting to see how these sessions tie in the latest flaws with Adobe and how companies can better protect their networks against increasingly determined and more sophisticated attackers.
Tags:
cloud computing,
cloud security,
cyber crime,
RSA Conference 2010,
security PR,
security public relations
Posted by Kristin Forte Allaben on March 1, 2010 at 10:25 AM