The next in our series of 2012 predictions posts comes from beautiful Gulf Breeze, Florida. Read on to see what AppRiver Senior Security Analyst Fred Touchette has to say about IT security trends in the New Year.
Courtesy of Fred Touchette, AppRiver senior security analyst:
Analyzing malware, cybercriminal activity and the Dark Market for a living can certainly make one a bit jaded, and perhaps a little suspicious of anything and everything digital. I am no exception to this rule.
The past decade has seen both the birth and the rapid growth of computer viruses, which ultimately formed an industry much like that of the legitimate business world. The Dark Market has its fair share of large organizations and self-starters, with the common goal to make money. Or, perhaps I should say take money.
Throughout the years, cybercriminals’ techniques have ranged from emails designed to phish personal information off of victims to highly technical programs that hide from their targets and siphon critical data without anyone being the wiser. I certainly don’t mean to scare people or hold up the “Abandon Hope All Ye Who Enter Here” sign, more so, I want everyone to be aware of the threats that are out there, what the bad guys are planning, and how to remain safe from digital threats. With a bit of vigilance and a dash of common sense, you can avoid becoming the next victim.
Here are a few things to watch out for in 2012.
• 2012 Prediction #1 – Mobile Malware
Flip phones and other minimal-use phones are going the way of the dinosaur slowly but surely, and Smartphones are taking their place. In addition to the Smartphone, we’re also seeing tablet devices dotting the mobile landscape. Everything that a person once needed a computer to do can now easily be done on a mobile device. Whether it’s surfing the Web, social networking, gaming, or email, mobile malware has a growing number of possible infection vectors that will most certainly make their way out of the “Proof of Concept” realm and more into the mainstream. Platform-specific malicious texts have already started making the rounds, as have malicious Apps within various App markets.
Mobile malware will continue to rise with increased threats targeting functionalities, such as exploiting browser vulnerabilities of those who are surfing the Web, sending malicious links within emails, and continuing to exploit vulnerabilities vis-a-vis old tried and true methods. The more tablet devices that steer owners into making streamlined purchases through company-specific stores, such as iTunes or Amazon, the more likely it will become full of account numbers and private data. The type of information Black Hats are specifically after.
• 2012 Prediction #2 – More Social Engineering
No amount of equipment, gear, or money can stand in the way of what will likely remain the weakest component of any and all security systems – the human factor. Humans are notoriously trusting and maintain an underlying desire to help others in need. And, that’s why we remain easy targets.
Thankfully, the population at large is beginning to understand digital scams for what they are and have become wiser for it. Unfortunately, this level of general understanding has created stronger demand for more sophisticated threats. Custom crafted and multi-vectored social engineering attacks will continue to evolve and wreak havoc on victims, and certainly won’t be limited to botnet-borne, mass-mailed password phishers.
• 2012 Prediction #3 – Social Networking Scams
A few years ago, the social network was a niche offering for technophiles. Today, nearly everyone has a Facebook account, if not several social networking accounts hosted on different sites. Since people and their money are established targets, cybercriminals will continue to go where the people are. Facebook and Twitter will remain popular sites to host malware campaigns posing as messages from “friends”. The ability of shortened URL services to make the final destination of these links unclear will also aid in the effectiveness of malicious campaigns.
• 2012 Prediction #4 – Targeted Malware
Everyone is likely familiar with the infamous Stuxnet Worm, which originated from a very complex piece of code designed specifically to get onto the air-gapped network of Iran’s nuclear enrichment facility, seek out certain pieces of equipment and alter its processes ever so slightly in order to botch Uranium enrichment processes. Fewer people may be aware of Stuxnet’s cousin, Duqu, which shared code with Stuxnet and masqueraded as a Microsoft Word document, targeting roughly eight different countries in the same area of the world. These incredibly complex pieces of malware made their way to specific targets with incredible swiftness and accuracy. There’s no doubt that this type of attack, whether it be government sponsored or otherwise, will remain at least as prevalent if not more so in 2012.
• 2012 Prediction #5 – Hacktivism
Groups such as Anonymous and LulzSec gained a lot of notoriety in 2011. Because of the highly publicized events from these two groups, we are sure to see copycat groups attempt similar acts. Whether they claim to be in the interest of the people, cause mischief, or a confused blend of both, major corporations or entities will likely be targeted. SQL injection has often been the technique of choice for data theft or Web defacements made in the name of hacktivism. It will be important for companies to fortify their databases and Web applications in order to better protect customers and clients.
In Closing
Cybercrime, unfortunately, is not going anywhere, since we increasingly rely on technological advancements for convenience and entertainment. I dread the day when my toaster routinely checks for updates on the Internet and accidentally pulls down a virus that’s programmed to burn my toast every morning. Or the day when the morning news displayed on my bathroom mirror is replaced with some sort of quasi-political message due to cyber shenanigans. The best thing we can all do is to watch our steps, keep our software up to date, use layered security, and keep it safe out there!
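Prediction #5 above names SQL injection as the hacktivist's technique of choice and asks companies to fortify their Web applications. The following is an added example, not part of Fred Touchette's post or any AppRiver material: a login lookup written the vulnerable way beside the parameterized fix, run against an in-memory SQLite table whose rows, credentials and attack payloads are all constructed here for the demonstration.

```python
"""Added example: string-built SQL beside its bound-parameter fix.
Everything in this file (table, users, passwords, payloads) is constructed
for the demonstration and is not from the original post."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2"), ("admin", "s3cret!")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by string formatting, so attacker input becomes SQL syntax."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the driver treats input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both versions against two classic payloads and one honest login."""
    conn = make_db()
    # Closes the username literal and comments out the password check ("--" is a
    # line comment in SQLite), so the password is never compared.
    payload_user = "admin' --"
    # Tautology in the password field: AND binds tighter than OR, so every row matches.
    payload_pass = "' OR '1'='1"
    return {
        "vuln_bypass": login_vulnerable(conn, payload_user, "anything"),
        "vuln_dump": login_vulnerable(conn, "x", payload_pass),
        "safe_bypass": login_safe(conn, payload_user, "anything"),
        "safe_dump": login_safe(conn, "x", payload_pass),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running demo() shows the string-built query returning admin for the commented-out password check and every row for the tautology, while the bound-parameter version returns nothing for either payload and still finds alice with real credentials. The plaintext passwords exist only to keep the example short; a real table would hold salted hashes and the comparison would happen in application code, which is a second thing the "fortify" advice covers.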
The July 15 deadline for RSA Conference 2012 speaking submissions is only a few weeks away. Senior Content Coordinator of RSA Conference Jeanne Friedman was nice enough to chat with me on the phone to get the scoop on the submission process. While many of us listened to the RSA Conference speaking submission webcast, there were a few things that I wanted to clarify.
Question: Can you explain what a track is? Can a speaker be in more than one track? Answer: A track is a certain category for a program. For example, “Hackers and Threats” is a track. For the first round of judging it does not matter what the topic is. For the second round submissions are placed into a category or track. There are 12 to 14 tracks.
Question: What is the least popular track? The most popular? Answer: The least popular track is “War Stories.” This track involves lessons learned sessions. “Professional development” is also small, as is “Mobile Application.” The most popular tracks always seem to be “Strategy and Architecture,” “Cloud,” “Hackers and Threats,” and “Identity Management.”
Question: Who are the judges? Answer: The judges are from outside vendors and are CISOs, lawyers, or experts in a particular field.
Question: What levels of submissions are most competitive? Answer: Intermediate has the most entries. For advanced it depends on the topic.
Question: How many submissions is too many? Answer: There is no specific number, however three good submissions in very different topics is best. Judges do not like to see the same speaker submitting multiple submissions because they like to give everyone a chance.
Question: Do you have to submit a pre-packaged panel or can you submit a panelist? Answer: You must submit a full panel. A good tip is to look around the agency to see if speakers can team up from different clients.
Question: You spoke about submitting an optional video. How “optional” is the optional video? Answer: It is optional. If a client has a speaker series, and they have poor ratings from previous conferences it is a great way to show the judges the speaker has improved. For new speakers it is a great way to show the judges how charismatic they are--to make the judges remember them. A tip for the video: use the three minutes to explain what you will talk about in your session.
Question: Following up on that, has the added video ever hurt a submission? Answer: The video has never hurt a submission. However, it can change a judge’s opinion in the submitter's favor.
Security PR pros are facing a hard deadline of July 15, when RSA Conference 2012 speaking submissions are due. As you may recall from last week, I highlighted sins for submitting speaking abstracts to the RSA Conference. In today’s post, I will finish up the series sins and discuss a few more tips.
7 Sins of Submitting (cont.):
5. Submit a session based on pure speculation and no evidence -- Without evidence, speakers will lose credibility with their audience. The presenter must be able to explain the actual implementation of what they are speaking about.
6. Submit a session that is completely inconsistent with the speaker’s bio or experience -- The judges are very conscious of the presenter’s title to ensure the session will not be too high level. They understand that acquisitions are happening frequently, so if the presenter has a marketing title you may want to consider teaming them up with someone more technical.
6a. Submit little detail on your session except your bio and title -- Sessions are picked based on merit, and if your submission is not interesting it will be rejected regardless of how impressive the spokesperson's title or bio may be.
7. Submit a panel with people that never actually agreed to be on your panel -- RSA noted that this happens every year. If you cannot confirm that every person on the panel will participate by the July 15 entry deadline, the submission will be rejected. To ensure a complete entry (including all speaker bios and confirmation), lock in the speakers early, especially when working across time zones.
Bonus Sin: The RSA Conference organizers urge vendors to avoid delegating submission writing to marketing agencies. Now, Schwartz teams help their clients create RSA speaking abstracts all the time, and many of the abstracts we have worked on are accepted. I think the point of the conference organizers in bringing up this sin is that a marketing organization or agency often does not have the depth on a given topic necessary to complete a submission. The submission must be comprehensive, and if the agency is left to complete it on its own, the shallowness of the submission often comes through. In addition, if the presenter or presenters write their own abstracts, the writing will be more passionate.
At Schwartz, we have established a successful process of guiding our clients as they create their submissions, and often, as noted above, we write submissions or portions of submissions. Our process, however, is set up to avoid the pitfall that the conference organizers are worried about. The process ensures that the passion of each submission shines through and that the presenters contribute to the abstracts.
ULTIMATE Mortal Sin: Don’t submit -- 2011 had a large number of first time speakers. Since the selection process is purely merit based, RSA encourages speakers at all levels to submit.
After the webcast opened up for questions, I found one question to be particularly interesting.
What is the likelihood of new speakers being accepted over past speakers?
Answer: The judges consider a few checkpoints when judging submissions. First, the judges look at the short abstract to see if they're compelling. Then if the short abstract catches their attention they move to the long abstract to see if the presenter can deliver upon what they say in their short abstract. The third important factor is the presenter’s bio. Does it match the session? Finally the last piece of information the judges consider is if the speaker has presented at RSA Conferences in the past.
If the speaker received good presentation scores at previous RSA Conferences, then it will help the submission. However, it reflects poorly on the submission if the speaker has poor scores.
Look out for my next blog post where I conduct a follow-up Q&A with Jeanne Friedman, senior content manager of RSA Conference.
July 15 may seem far away, but as highlighted by the presenters during the RSA 2012 speaking submission webcast, this deadline will come up quickly. In addition to announcing that its call for papers is officially open, RSA held a webcast yesterday to answer some common questions about the submission process and to share some tips for getting accepted.
While many husbands and wives are relieved that the conference is avoiding Valentine’s Day this year, Jeanne Friedman, senior content manager of RSA Conference, noted one of the most important pieces of information right at the beginning of the webcast. Unlike last year, there will be NO extension on this year’s July 15 deadline. Friedman also advised submitters to get their submissions in early and not to wait until the last day.
Among the many useful bits of information of the webcast, I found it particularly helpful to know how the selection process works and what the judges are looking for in a submission.
Here are a few things the judges look for:
• A submission that is unique and compelling
• A submission that pulls from experience to share best practices and case studies
• A submission geared toward security professionals with 9+ years of experience
Once a speaking session is submitted to one of the 23 topics, all submissions go through a first round of judging to weed out incomplete abstracts and submissions deemed “product pitches.” The submissions are then placed into a track, or specific focus area, where two to three judges are assigned to review all abstracts for the final round.
In order to ensure a strong submission, Program Committee Chair Hugh Thompson and Friedman came up with “The 7 Mortal Sins and Wins of submitting (for RSA Conference).” In this section they clearly defined the dos and don’ts of a good speaking submission. Below I have included the top reasons for rejection and the first four of the seven Mortal Sins.
Reasons for Rejection:
• Incomplete submission
• The submission is a sales pitch
• The presentation is too basic
• The long abstract did not include enough information
• Multiple submissions on the same topic
• The presenter’s title does not match the session (i.e. a technical presentation with a VP of marketing presenting)
• The presenter received poor speaker ratings in 2010
7 Sins of Submitting:
1. Ignore the long abstract -- Do not copy and paste the short abstract into the long abstract. In addition to adding good detail to the long abstract, speakers should outline what they plan to cover in their session.
2. Submit a sales pitch -- The judges consider this a “mortal sin” and an easy way for your submission to get rejected. The delegates that attend the sessions are very sensitive to sales pitches and are most interested in a case study that provides insight and best practices on a topic.
3. Submit a superficial talk -- If the talk is too high level, speakers will lose credibility with the delegates. When creating a submission, speakers should ask themselves what specific insights they have to share on the topic they are submitting.
4. Be boring, bland or unoriginal -- Keep in mind that the judges are real people and that they want to be captivated and entertained while learning something new. Remember that the judges have to read hundreds of applications and they want something that will stand out from the rest.
With Stuxnet, the recent NASDAQ breach and the 2010 Aurora incident, there’s no shortage of cyber threat nightmares out there to keep even the most confident security-minded executive up at night. The Schwartz digital marketing services team talks with Mykonos Software CEO David Koretz, Xceedium CEO Glenn Hazard, and ESET’s Vice President of Marketing, Dan Clark, about outgunned white hats, the rising risk posed by compromised company insiders, and the dark side of social media.
WikiLeaks – It happened, now what? During yesterday’s “WikiLeaks: The Aftermath” panel, former black-hat hacker and senior editor at Wired.com Kevin Poulsen claimed that WikiLeaks-style copy-cat sites are on the rise, but they’re taking a new direction. According to Poulsen, "Founder of WikiLeaks Julian Assange made exposing secret documents sexy.” Assange showed us just how much attention a disgruntled employee can cause, and now organizations other than WikiLeaks are springing up to support the release of sensitive data.
Take, for example, the recent HBGary debacle. HBGary Federal was hacked by the group Anonymous, which ended up publishing thousands of emails belonging to company executives. But these aren’t just groups copying WikiLeaks; these are organizations that are developing technology to make their job easier by better transferring secured data.
When discussing WikiLeaks, the notion of a “cyber war” frequently comes to mind. Many are categorizing the WikiLeaks release as the event that paved the way for a new era of cyber attacks that will cause massive damage to critical infrastructure. Security experts debated this issue during a keynote yesterday, however. According to these experts, the public needs to fully understand what cyber war is and what it isn’t; the subject is too often perceived as black or white, with no room for gray in between.
Former U.S. Secretary of Homeland Security Michael Chertoff states, “I would consider something that destroys major systems an act of cyber warfare.” He also claimed that the U.S. government needs to work on establishing a more efficient structure of response to cyber attacks. In turn, this would require an increase in government IT security. “If people inside the government see something they don’t like, there needs to be a process for whistle blowing that protects the information in the right way,” said a former member of the U.S. National Security Council staff, Roger Cressey.
The WikiLeaks attacks are not just something of the past; hackers have seen the damage that was caused, and that's only adding fuel to their fire. Groups are searching for ways to make their next big hit, especially on an organization that has no infrastructure and no funding. It’s a battle of the fittest, with the strong preying on the weak.
As we trek into the third day of RSA, we’re already noticing that many of our pre-RSA predictions are holding true – guess it’s our "sixth sense" for security trends. In an earlier post, my colleague Kristin Allaben suggested that in addition to cloud security, top themes at this year’s conference would include trends in government security and cyber warfare.
Yesterday’s highly anticipated Symantec keynote, delivered by president and CEO Enrique Salem, warned the audience that the worst of targeted cyber attacks is yet to come. One statement by Salem, referring to a recent, highly publicized targeted malware attack, left us, and surely the rest of the audience, feeling slightly unsettled: “Stuxnet was the attack that moved the game from espionage to sabotage.” It seems as though the safety of our critical infrastructure is at stake, especially with recent movements to the cloud and the replacement of PCs with smart devices. Is our growing adoption of virtualized environments ultimately letting down our protective barriers?
Art Coviello, EVP of EMC and president of RSA, doesn’t seem to think so and remains fairly optimistic. During his presentation, he claimed that virtualization is the silver lining in the cloud. Due in large part to a growing business demand, organizations are rapidly adopting cloud technologies. While this is great for the cloud industry, Coviello stated that it is causing growing concern for security practitioners who are in charge of governing and managing data in the cloud. Automation has become an essential part of enabling security in virtualized environments.
Rest assured though, there is light at the end of the tunnel. Coviello told audience members that the vendor community has been working to apply security principles to their solutions that will enable a secure, trusted cloud. Interestingly enough, we can expect to see predictive analytics being deployed in trusted cloud environments based on an understanding of normal states, user behaviors and transaction patterns.
Check back here tomorrow for additional coverage and highlights of this year’s RSA Conference. We’re interested to see if discussion will continue around security in the cloud or if something new will pop up.
With Schwartz representing almost two dozen security companies at RSA this year, we thought: who better than our clients to share the latest security trends at the conference? Members of our digital marketing services team (which is already off to a highly successful year) spent the day at Moscone interviewing the brightest executives on the show floor. The results revealed that, as we predicted, cloud and mobile security are top of mind as companies explore new ways to control today’s blurry perimeter, but they also uncovered a few surprising themes. Take a look.
The big news that came from this session surrounded the government’s plans to spend $20 billion on cloud security, at least according to the 2012 budget. Also from this discussion, there were four key areas identified as lacking in clarity when it comes to cloud adoption:
Security
Standards
Procurement
Governance
With these four areas in mind, cloud security has the appearance of remaining a consistent concern, especially when companies consider moving mission-critical applications to the cloud. To try to ease this fear, RSA announced that its Cloud Trust Authority would launch the beta of a cloud security platform later this year. The beta will offer combined identity management and compliance offerings, with the goal of providing a single, comprehensive set of protections for multiple cloud computing services.
Based on all the news we’ve heard surrounding the cloud, some key terms you will most definitely hear in presentations this week addressing this topic include:
Government
Trust
Risk
Security
Concern
Compliance
Regulation
Hesitation
Privacy
Data security
Mission-critical applications
Delivery methods
Confusion
Hack
Forensics
Malware
Cyber war is another hot topic and one with many concerns, especially since WikiLeaks and Stuxnet are fresh in our minds. There is a seemingly continuous stream of potential cyber war threats, though many people are unaware of how to define this phrase. To illustrate just how serious this concern is, RSA has attracted a number of high-level government representatives to speak. This year, Deputy Defense Secretary William Lynn III is presenting an opening-day keynote on the Pentagon’s cyber strategy.
Taking a quick look at new products, something to keep our eye on is the MasterCard “Display Card.” Although it looks and works the same as any other credit card, it is described as having a built-in display to enable cardholders to create a one-time password to enhance authentication. So we have to ask: is this going to protect cardholders from having their credit card information stolen when shopping online?
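The page does not say which algorithm the Display Card uses, so the following added example (not MasterCard's code and not a description of its product) assumes a counter-based one-time password in the style of RFC 4226 HOTP, with a shared secret provisioned into the card and a look-ahead window on the issuer side. The secret is the RFC's own published test key, which is why the first codes match its test vectors; the purchase, replay and resync scenario in demo() is constructed.

```python
"""Added example: a counter-based one-time password (RFC 4226 HOTP) as an
illustration of how a display card could enhance authentication. The scheme is
an assumption for this example, not the page's or MasterCard's design."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class DisplayCard:
    """Cardholder side (hypothetical): each button press advances the counter
    and shows a fresh code on the card's display."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Issuer:
    """Issuer side (hypothetical): accepts a code only if it lies within a small
    window past the last counter already consumed, so a captured code cannot be
    replayed and a few unused presses on the card do not lock the holder out."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter value accepted so far

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # consumes this and every earlier counter
                return True
        return False


def demo() -> dict:
    """Constructed scenario: a legitimate purchase, an attacker replaying the
    captured code, the card resynchronising after unused presses, and a code
    from far outside the issuer's window."""
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test key, for reproducibility
    card, issuer = DisplayCard(secret), Issuer(secret)
    first = card.press()
    results = {"purchase": issuer.verify(first), "replay": issuer.verify(first)}
    for _ in range(3):  # cardholder pressed the button three times without buying
        card.press()
    results["resync"] = issuer.verify(card.press())
    results["stale"] = issuer.verify(hotp(secret, 50))
    return results


if __name__ == "__main__":
    print(demo())
```

This answers the post's question only in part. A stolen card number together with a code someone logged yesterday buys nothing, because the issuer has already consumed that counter, which is the property a static CVV lacks. It does not help when the merchant's page or the cardholder's browser is compromised while the code is being typed, since the attacker can then relay the fresh code within the window.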
With keynotes and panel sessions ramping up today, be sure to check back here tomorrow for a recap on some of the hot discussion topics.
While most security companies are pushing new products on the eve of RSA, the Schwartz Communications team took a different approach to secure coverage for Cryptography Research. We pitched reporters for pre-show conversations to discuss the show and learn about CRI’s business, focusing on hiring challenges, and how this represents a significant issue for the security industry overall.
The strategy resulted in the following coverage, which ran yesterday on the front page of the San Francisco Chronicle’s Business Section.
The timing was great, and CRI now has a great piece to show off all week at RSA.
And so it begins--RSA 2011 officially kicks off today. With a “Giants Among Us” theme, the 20th Anniversary of RSA is dedicated to celebrating the industry’s pioneers. This includes a look at the legacy of the RSA algorithm, the history of cryptography and computer security, and a look ahead to the future of the industry.
We’ve highlighted some of the key themes we expect to see come from RSA, some of which seem to be a repeat from last year. Just taking a look at the keynote session titles, anyone can see that cloud security still reigns as an unresolved security topic from RSA 2010. And with Stuxnet making such a splash, especially with the latest news of Anonymous claiming control of the Stuxnet virus, government IT security will once again be a primary topic.
Some additional things to keep our eyes on over the course of the week include:
Government Information Security Today survey—Officials in local, state and federal governments who are charged with safeguarding IT were polled to determine their attitudes toward IT security leadership, vulnerabilities, regulations, budget challenges, skills and cloud computing. The data will be announced on Thursday in the session entitled “Government Security: The State of the Union.”
Collective Defense for Internet Health—Described as a new type of computer “check-up,” Microsoft's corporate vice president for trustworthy computing, Scott Charney, has challenged users worldwide to develop collective defenses to help protect Internet citizens from online threats. He presented the idea that the approach to handling online security issues should be modeled after the one used to address sickness in humans. More information on this idea is outlined in Charney’s whitepaper. This idea is likely to be carried into discussions specific to government IT security.
Yesterday was the second and final day of Black Hat sessions and there were quite a few key topics that we’ve seen before.
Government
As the government continues to work toward implementing cloud solutions, there is continued discussion of cloud security, as well as cyber-warfare. We saw this in full force at RSA 2010, which we discussed in a previous post.
In his Black Hat keynote yesterday, former National Security Agency Director, retired Gen. Michael Hayden, addressed the need to define cyber-warfare, since the term is loosely applied to anything relating to crime on the Internet. He explained that the military traditionally operated in four domains: land, sea, air and space. Now there is a fifth domain, the Internet, the first man-made location for warfare. A clear definition of cyber-warfare will prove advantageous because it will enable the country to better understand what a cyberattack is and, therefore, know how to respond properly.
SSL
One of the biggest speaking points from Day 2 sessions revolved around weaknesses associated with SSL, which were highlighted in a number of sessions yesterday. In one session, two researchers showed how attackers can take over a user’s account or take control of a website because of the way browsers implement HTTPS. Additionally, attackers are able to sniff around the edges of the encrypted traffic, picking up on clues that help them figure out what their targets are doing.
The session essentially highlighted that HTTPS alone will not stop bad things from happening, because secure browsing sessions leave behind “breadcrumbs” that skilled attackers can easily follow.
Wallpaper
I remember the first time I wanted to change the wallpaper on my computer and my computer teacher (yeah, that’s true) was furious. I found myself, 30 minutes later, with a very basic understanding of the dangers of malicious downloadable content. Although it seems to be more common sense nowadays, downloading images and other content can still be a threat to users who believe they are using a secure application.
Take the mobile Android situation. A wallpaper application is said to be sending personal information from millions of Android users to a “mysterious Chinese website.” The finding was reported at Black Hat this week as part of the App Genome Project, a real-time database designed to keep mobile users safe by identifying security threats and providing insight into how applications tap into personal data.
There is also more discussion of bug bounty programs, malware-infected SEO terms and ATM vulnerabilities.
As a result of the sessions at Black Hat, we’re likely to see continued discussion regarding the importance of (and need for) a definition of cyber-warfare and, as expected, continued advancements in cloud security as more industries turn to the cloud.
The first day of sessions is complete and hackers and security professionals are preparing for the Day 2 sessions. But before we get into what to expect, let’s recap some of the high points from yesterday.
Barnaby Jack’s ATM vulnerability discussion was, as we expected, one of the main highlights from yesterday. His discussion explored some interesting ATM attacks, labeled as dangerous because they affect multiple types of ATMs. Over the course of his presentation, he addressed two types of ATM attacks, one physical and one remote, the latter considered more dangerous because attackers can silently gather account information from anyone who uses the ATM.
The remote attack, which he named “Dillinger,” exploits a vulnerability that exists within the remote monitoring authentication process. Unfortunately, most ATMs made by a certain manufacturer have this authentication process turned on by default. A rootkit can easily be installed once the vulnerability is exploited. For the purpose of his demonstration, Jack installed a rootkit named “Scrooge” enabling the machine to spit out cash.
Additional highlights from yesterday’s speaking sessions include discussion of payment for researchers who identify vulnerabilities. This is a big discussion point for researchers following Tavis Ormandy’s public disclosure of the Microsoft vulnerability not too long ago.
Just like every argument, there are always two sides to the story. Microsoft and Cisco addressed the situation yesterday stating that “bug bounty programs” are not the best strategy for improving internet security. Other panelists, however, explained they thought it was a nice way for a researcher to be rewarded for identifying a vulnerability. Quite frequently, a researcher is offered little more than a “thank you.”
The Department of Homeland Security is prioritizing cybersecurity initiatives, although defining the scope and goals of those initiatives is proving more challenging and time-consuming than expected.
Cell phones can indeed be hacked, especially those that use GSM (Global System for Mobile Communications), the global standard for cell phone radios that was previously thought to be a “walled garden.”
With so much of the show’s anticipation met within the first day of speaking sessions, what can we expect for Day 2? It is likely we’ll see continued discussion around vulnerability disclosure and Microsoft’s response to bug bounty programs, partnerships and other collaborations to ensure a common goal can be met when it comes to disclosing and fixing a vulnerability, and mobile device security and its impact on the enterprise network.
Check back in tomorrow for a recap of Day 2 sessions.
Today is the first day of the 2010 Black Hat Conference speaking sessions. Among the line-up of anticipated talks surrounding wireless security (specifically that of WPA2), mobile device security and ATM vulnerabilities, there is a slew of additional sessions that are bound to make some noise.
One of the noise makers is likely to be the session exploring how to intercept cell phone calls. Some interesting rumors of lawsuits caused eyes and ears to turn toward AT&T, but the company cleared the air, saying it will not interfere with the demonstration.
Although often passed over in favor of stealing credit card information, counterfeit checks are not a thing of the past. You may find yourself having flashbacks to the movie “Catch Me If You Can,” but a discussion of how Russian hackers obtained images of checks from a number of retailers and other businesses is a high-tech version of that old story. A quick summary: Russian hackers found a way to use technology to make this low-tech crime even more dangerous. They have not yet been caught.
There will also be exploration of weaknesses in SSL, which websites use to protect data. One session on this topic will explore how to attack storage mechanisms to tamper with an SSL session. Another SSL presentation will focus on the results of a study that analyzed SSL use to document configuration errors that weakened thousands of websites.
There will also be discussion of web application security, particularly as it applies to third-party code such as widgets, applications and advertising modules, all of which are very popular on web applications. These components are meant to provide additional functionality for the user, but the security implications across a variety of industries—including healthcare and finance—could result in infected users.
SEO has been a topic of growing importance for many companies over the past few years. With this in mind, it only makes sense that hackers want to jump on the bandwagon and will utilize SEO to push out malware. Taking a look ahead to DefCon, researchers will show just how important SEO has become to the “malware pushers.”
Check back in tomorrow for a recap of the Day 1 sessions and what we can expect for Day 2.
This year's Black Hat conference is considered to be the most popular to date, and tomorrow marks the first of two days of speaking sessions.
For those of you who participated in the Black Hat Challenge, you are aware that there are many sessions to choose from, and little time to see them all.
One of the most anticipated sessions is the Barnaby Jack ATM scams, which was mentioned in yesterday’s post.
But beyond ATM scams, there is a trend we’re seeing in sessions: mobile security. As I mentioned yesterday, IDC forecasted that the number of mobile workers will exceed one billion by the end of 2010. From a corporate perspective, the enterprise network can be open to a number of vulnerabilities stemming from the use of mobile devices. From a consumer perspective, people can fall victim to various malware triggered by bugs in the device. For example, one of the anticipated Black Hat sessions will show attendees that the A5/1 encryption algorithm used by GSM carriers such as T-Mobile and AT&T is weak and can be easily broken, something spies and security geeks alike have known for some time.
Jeff Moss, founder of Black Hat, explained that for many people, seeing is believing; unless people can literally see what’s possible when it comes to security threats and attacks, they won’t believe it. This specifically applies to corporate decision makers as they need to [visually] understand what is technically possible before they can make informed decisions regarding security.
But what it comes down to is this: no one can predict what the big news will be from Black Hat since there is always a wildcard, as Bob McMillan notes. With so many sessions in the queue and such an array of personalities in the same space, you can never quite tell what the news will be.
As speakers and hackers gather in Vegas for the 2010 Black Hat conference, there are many topics on people’s minds.
In much of the pre-show articles, there has been talk about cloud security, a topic that seems to resonate throughout security conferences this year (see previous post on RSA 2010). There is also discussion on wireless security, particularly as it pertains to mobile devices. This is most definitely an area of increasing importance as IDC forecasted that the mobile workforce would exceed one billion by the end of 2010, potentially bringing to light new security implications for enterprise networks.
Most prominent over the last few days has been discussion of the vulnerability within WPA2, currently the strongest form of WiFi encryption and authentication. The vulnerability, identified as “Hole 196,” lends itself to man-in-the-middle attacks, although it can only be exploited by a user who is already authenticated to the network.
We can also expect to hear about:
login security issues with Twitter and Digg and timing attacks,
DNS rebinding that uses “Jedi-mind tricks” to enable JavaScript-based malware to penetrate private home networks,
It appears, however, that the most highly anticipated session surrounds Barnaby Jack’s research into ATM vulnerabilities. As some may recall, this talk was canceled last year due to pressure from ATM vendors. Similarly, this year, a session entitled “The Chinese Cyber Army: An Archaeological Study from 2001 to 2010” was canceled due to outside pressures.
On a fun note, Black Hat attendees will also be participating in the Pwnie Awards, which recognize extreme excellence and incompetence in the field of information security. Some categories include Best-Server-Side Bug, Best Client-Side Bug, Most Overhyped Bug and Lamest Vendor Response.
For those of you preparing to head out to Vegas later this week for the array of speaking sessions, take the Black Hat Challenge. What one session would you attend?
May is treating the Schwartz security team well. Last week, we were recognized with a SABRE Award in "Research for Publicity" for our work on behalf of Javelin Strategy & Research.
Schwartz and Javelin combined professional and social media to promote Javelin's annual identity fraud report, increasing media coverage 126 percent over previous years, with a whopping 97 percent of all articles emphasizing at least two key messages.
In addition to Javelin, some terrific Schwartz clients were recognized as SABRE Award finalists: antivirus and desktop security software provider ESET, medical device company Bioness and boutique healthcare investment services provider Leerink Swann. Although they didn't take home trophies, it's the first time the agency has emerged with four finalists in the SABREs.
In the interest of creating a new word, I wanted to address “vertical-ization”. What’s that? Well, it’s a concept that many PR and marketing professionals regularly encounter; selling or promoting a product or service within a specific industry.
Previous Tangled Web posts offer advice and best practices for interacting with security media and analysts to secure coverage and increase exposure among security experts. While those publications and events offer a direct route to IT security purchasing decision makers, security pros also look to vertical-specific resources. This is a golden opportunity to highlight the benefits a product or service provides within various types of companies.
Developing a “Vertical-ization” Strategy
To ensure that time and resources are spent wisely, begin by evaluating the current customer base. Are a majority of customers split among three or four verticals? Check with the sales force. What types of companies do they tend to target more than others? Many Schwartz security clients sell to companies in the healthcare, financial services, telecommunications, legal, education and public sectors; not surprising, as these company types often manage volumes of data and security is a necessity. After identifying top targets, prioritize. Good “vertical-ization” strategies should start small – focus on one or two verticals to begin and deliver consistent, appropriate content.
Customer case studies within a specific vertical are by far the most effective tool to achieve “vertical-ization” success. Most vertical publications run company spotlight sections and will accept full case studies as long as they haven’t been previously published. Other vertical publication editors will assign a reporter to interview a customer. Either way, the result is a feature that highlights industry-specific issues addressed by your company’s solution. The added value – your customer is featured in a magazine read by his or her peers. Who doesn’t like that? Aside from case studies, press releases about significant customer wins in a vertical could get a brief mention and open a door for a case study down the line.
No solid case studies yet? No worries. By cultivating relationships with vertical media contacts, you could identify opportunities for customer or company executives to participate in interviews about an industry trend. At least once or twice a year, vertical publications plan to cover IT trends and, increasingly, security topics specifically. Pitch a customer or a company executive who can talk to industry challenges, new emerging threats and best practices.
Such was the approach the Schwartz team representing Layer 7 Technologies, a provider of security and management of Cloud and Web services, took. The team secured an interview for Adam Vincent, CTO, public sector, Layer 7 with Sean Gallagher of Defense Systems, a publication that reaches more than 34,000 military and government systems leaders and IT decision-makers in the defense and intelligence communities. As a result, the company CTO was quoted in a cover story about the Department of Defense’s development of a cyber command center. Vincent offered recommendations for effective cyber defense. See article here.
When To and When Not To Get Into the Sandbox
Just as security vendors showcase their wares at RSA each year, companies in various industries attend events specific to their verticals as well: the National Retail Federation (NRF) for retail delivery vendors; HIMSS, MGMA and AHIP for healthcare IT companies; BAI’s Retail Delivery for financial institutions; and so on. Attendees of these events are typically looking for technologies very specific to the respective vertical, so these events aren’t always an ideal fit for security vendors in terms of high-volume lead generation. However, do consider attending if you have messaging and collateral dedicated to the vertical, are prepared to "talk the talk" that applies to that particular audience, or want to schedule “quality” business development time with the vertical technology vendors. Lastly, consider using these types of events as an opportunity to schmooze customers in the given vertical by flying them in, wining and dining them, and having them join you in your booth to chat with prospective customers.
Industry events are definitely a great way to increase brand awareness within a targeted vertical. For instance: the Schwartz Healthcare IT practice group has gained significant momentum in recent years. While many of you were enjoying RSA in San Francisco, I was in snowy Atlanta (yes, snowy) at HIMSS – the largest healthcare IT tradeshow of the year. Colleagues and I talked to a handful of security companies that sent tradeshow teams to both events. While most obviously had a bigger presence at RSA, attending a vertical show has its advantages. Key topics at RSA this year included cloud security, cybercrime and government security – so said our ‘feet on the street’. At HIMSS, specific concepts like health information exchange and meaningful use of technology to secure Federal incentives were the hot buttons. As a result, exhibiting security vendors were able to talk directly to healthcare IT pros, addressing security issues specific to their work environment and thereby generating immediately qualified leads.
Is creating or strengthening your presence in a particular vertical market a priority for your company? Tell us about your challenges by commenting below or contact Schwartz to help you build out your “vertical-ization” strategy.
Our three-part RSA recap comes to a close today, but not before delving into one final strategy:
• Leveraging research for media homeruns
Reporters are fans of research and statistics. Not surprisingly, one influential security journalist said much of his RSA 2010 news coverage centered around various research reports released during the conference.
Announcing significant research at RSA can be a show stealer as evidenced by botnet security company and Schwartz client, Damballa. The company conducted an analysis of the Operation Aurora cyber attack that victimized Google and dozens of other businesses. In collaboration with Schwartz, Damballa rallied to complete its comprehensive research report, prepare the accompanying press materials, and set the media strategy in time to debut its findings at RSA 2010. As a result, Damballa reached key influencers, both at RSA and beyond, with media coverage in BusinessWeek, CNN Online, Forbes, USA Today, a host of prominent blogs, and considerable Twitter chatter, among the highlights.
Vendors like Damballa benefit from having a deep bench of specialized security experts on staff. To capitalize on research capabilities for PR purposes, the first step is to determine what, if any, research is currently being done in-house, is planned for the near future, or could possibly be started with brainstorming assistance from Schwartz.
In the absence of formalized research projects in the works, Schwartz has a laundry list of recommended ways for security companies to tap into their market and customer analysis potential in order to produce stats and data. The concept of vendor-commissioned, independently conducted surveys and studies is a topic for another day. But for the purposes of this post, I will say that, at minimum, security companies should encourage their employees who interface with customers to keep an ear out for any new or noteworthy customer inquiries that may indicate an emerging trend. This type of trend identification and analysis helps to fuel the oh-so-important PR thought leadership campaigns we formulate and execute for clients.
Regarding in-progress research projects, Schwartz works with clients to determine which details can be made public, and moreover, their degree of newsworthiness. Chances are there are interesting nuggets contained within that can be extracted and shared with media in a compelling way. We specialize in distilling down the subject matter to find and prioritize key points that will be most interesting to press and strategic to your business. Then, we advise clients on when, where and how to effectively communicate this information.
So you’ve been holding your breath in suspense of RSA recap Part II? Well, time to exhale and read on! Today we cover two more RSA PR super strategies: lead generation and highlighting real-world implementations and benefits. For quick reference, you can flip back to Part I on building a rapport with press and supporting social media initiatives.
• Lead generation
News is one of the biggest drivers of media interest at a tradeshow. Significant product news, specifically, is the kind of news that predictably drives leads when delivered to the right audience. From a traditional media relations standpoint, this means reaching targeted readers/viewers with purchasing power.
But first let’s look at things from the journalist’s point of view. Reporters anticipate that companies will announce news in conjunction with RSA and brace for the barrage of incoming calls, for example, about the latest and greatest of widgets to hit the market. However, they quickly grow numb to the onslaught of requests for attention (and annoyed by overuse of words like “revolutionary” by vendors). This in mind, companies must couple smart decisions about what news to announce and when, with aggressive yet structured PR efforts to differentiate themselves from the masses.
As the Schwartz RSA PR tip sheet suggests, take a look at your product roadmaps, customer pipelines, partner deals and other accomplishments, and make a call about which items would time best with RSA. Make sure the news relates as specifically as possible to IT security.
If there is concern that your news may be eclipsed at RSA, then it’s probably best to hold off. Small vendors might be wise to use RSA mainly as a relationship-building forum, rather than a platform for issuing news. On the other hand, if the particular news item can hold its own, then the conference could indeed be a good time to meet face-to-face with press to discuss it—and at minimum be mentioned in round-up stories that string together a summary list of vendor announcements from the show.
In advance of the announcement and the event, consider offering media a sneak peek of the news. This way, you have the chance to equip reporters with the facts while they still have time to stop and listen to you, before the pre-RSA chaos sets in.
The strategy for announcing news involves creating a press release on the selected accomplishments. A strong press release will include quotes from a customer, partner, and/or industry analyst to support the vendor’s claims stated within. Plus, press releases are great for supporting SEO. Schwartz works with clients to optimize press release content with the right keywords and keyword frequency, as well as proper linkages, SEO-friendly headlines, tagging, and more, to promote high organic search engine rankings.
The news then funnels directly into social media strategy with companies blogging and tweeting about it, among other things.
Final tip: When Schwartz clients met with media at RSA 2010, we counseled them to lead with the significance of their news and drill deeper as appropriate based on reporters’ wishes. “I am very excited to tell you about….” should be the start of each conversation.
Dark Reading Editor Tim Wilson brings up a similar point in the comments section beneath my last blog post. Tim’s feedback is worth calling out again here, as he reminds vendors to have an agenda in mind when they engage in tradeshow press meetings:
“One suggestion -- don't set up meetings (or blog, for that matter) unless you have a definite (newsworthy) agenda. We often get into a meeting and the vendor says, "do you have any questions?" and both sides sit and stare at each other. Bring something with you (besides "buy our product!") to discuss.”
• Highlighting real-world implementations and benefits
Customers are PR gold. The best forms of product and company validation for security vendors come from reputable third-party endorsements. Sure, cultivating customer references can be a challenge for some vendors, such as those in emerging growth stages. But all it takes is one reference to get the ball rolling. We at Schwartz are cognizant of the many sensitivities involved with convincing customers to go on record. By the same token, we have lots of experience helping clients to start, structure and gradually grow their customer reference program. The goal is to get your customers to tell your story for you.
Here’s an example. The CIO at a financial services institution opens the newspaper or navigates to his favorite security news site where he sees a story that takes an in-depth look at the ways in which another CIO at a peer company has benefited from the use of a certain security product. This first-hand account of the technology’s return on investment strikes a chord with the reader since it’s delivered straight from the end user’s perspective. He now begins to consider a security purchase of the same sort and heads to the product vendor’s Web site for more info.
This type of story idea could likely have spun out of a meeting on the RSA show floor. It certainly helps press meeting requests to stand out from the crowd if vendors can offer a reporter the ability to speak with a customer at the conference—preferably one with particularly interesting deployment details to share, including ROI.
The Schwartz team was busy at RSA 2010 not only facilitating these vendor-customer-media meetings; in many cases we also worked with clients to capitalize on their customers’ show presence by filming video testimonials. By creating and posting customer testimonial videos to your company’s Web site (and YouTube as another option), prospects—like the bank CIO mentioned above—will be further impressed.
Video content usually features the customer talking about:
--Why they chose to purchase a security product
--How it fits into their overall security architecture/strategy
--What challenges they faced beforehand that prompted the purchase
--How the technology has helped them to save money, increase productivity, reduce risk, curb helpdesk calls, or whatever the benefits may be—to the degree they feel comfortable commenting
This exercise simply requires a flip cam and a willing customer participant. Logistically it works best to secure customer permission prior to the event.
Interested in more info on this topic? My colleague Mercedes Fereck goes into greater detail about how to best leverage customer relationships at RSA here.
Stay tuned for my final "Winning PR Strategies" post that will delve into "Leveraging Research for Media Home Runs".
As we close the book on RSA 2010, let’s take a look back at five strategic aims that, with proper planning and tactical execution, can yield significant PR successes from the security industry’s marquee event.
Today we will cover two of the five: 1) Building a rapport, and 2) Supporting social media initiatives.
• Building a rapport
Developing strong press and analyst relationships takes time, but face-to-face meetings certainly help to expedite the process. The RSA Conference provides a unique opportunity for security vendors to gain exposure to the most influential media, analysts and bloggers that matter to their business—all under one roof over the course of four days.
The simplest of RSA PR strategies is this: Introduce your company to as many key contacts as possible. For those who made media face time a priority at RSA 2010, we at Schwartz spent the preceding months working diligently behind the scenes to arrange show floor meetings.
From a press perspective, the payoff often includes both immediate and long-term benefits. In some cases, instant visibility for vendors comes from meeting with reporters who publish articles during the event that summarize key trends, hot companies and interesting news.
Take, for example, the botnet security company and Schwartz client, Damballa. An in-person RSA meeting secured by Schwartz for Damballa with veteran security analyst and Forbes.com blogger Richard Stiennon led to the company’s recognition as one of only six security vendors on Stiennon’s Forbes Online Best of Show RSA Conference 2010 list.
Then there’s the lasting effect. It takes only a few minutes at RSA to shake hands with a reporter and run through your company’s areas of expertise and value proposition. The resulting increase in name recognition will help to catapult you towards the front of the reporter’s rolodex. The long-term goal is to get writers to turn to you for expert opinions when soliciting story comments from people they consider to be thought leaders on the topic at hand.
• Supporting social media initiatives
Social and traditional media strategies go hand-in-hand. In tandem with RSA press meetings, companies can use the event as a strategic platform to expand their influence using social media channels.
On a case by case basis, we at Schwartz advise our clients on the level of social media engagement that makes sense for them. Many of our B2B security client companies focus primarily on blogs and Twitter.
A well-managed corporate blog provides a great forum for demonstrating your thought leadership and innovation to customers, prospects, partners and press members alike. In and around RSA, blog content would likely include write-ups on your company’s own news, as well as commentary on, and analysis of, industry news and trends cropping up during the conference. With many of our clients, Schwartz is regularly involved in offering counsel related to content creation, as necessary.
To maximize corporate blogging efforts, the Schwartz team shares posts with targeted media contacts. By encouraging online writers to include a link to your company’s blog and reference its content within their RSA coverage, this in turn, drives traffic—including prospects—back to your company’s Web site.
Tweeting from RSA adds merit to your media strategy as well. As outlined in the Schwartz RSA PR tip sheet, Twitter can be used to make short observations about RSA and drive people to your blog posts. Busy reporters, in particular, benefit from Twitter updates as many of them are tied up covering keynote sessions and may not be able to allocate time for booth meetings with vendors.
Case in point: AppRiver. Leading up to RSA, Schwartz encouraged relevant media and analysts to follow secure messaging solutions provider AppRiver on Twitter. Impressed by the quality of AppRiver’s RSA-related tweets, an influential security journalist, Forbes’ @taylorbuley, recommended to his sizable follower base that they tune in to @AppRiver on Twitter. As few as 140 characters can have a big impact on cutting through the RSA clutter and landing you serious street cred too.
Okay, two down and three to go! Stay tuned for my next post on lead generation, leveraging research for media homeruns, and highlighting real-world implementations and benefits.
Kelly Jackson Higgins is senior editor at Dark Reading, an online publication covering IT security. Tim Whitman from Schwartz spotted Kelly on the show floor of the RSA Conference last week and asked her a few questions about the show.
This is it. The fifth and final day of the 2010 RSA Conference, and it’s been quite a ride. Looking back, it’s clear the cloud takes the gold as the most discussed item, although government presence and increasing cyberthreats picked up speed in the latter half of the week, placing the two in a tie for silver, especially since they seem to go hand in hand. Tim Greene of Network World wrote a very thorough article that explores each of these topics in greater detail.
Taking a look at the conversations yesterday, many revolved around FBI Director Robert S. Mueller III’s speech regarding the increasing threat of cyberterrorism. In his speech, he presented the idea that hackers will continue to enhance their skills and will eventually combine cyberattacks with physical attacks. Along with warnings of foreign nations supporting radical group recruitment via the Internet, Mueller advised any company that finds itself to be a target or victim of a cyberattack to turn to the government for help, promising business confidentiality and safeguards to privacy.
Continuing down the path of government presence within the cybersecurity realm, there are also some (perhaps not too outlandish) beliefs that the U.S. is involved in a cyberwar…and we are losing. Cybersecurity Czar Howard Schmidt denied the existence of a cyberwar saying it’s a terrible concept and further explaining that it’s an environment where no one can win. To reiterate what has been discussed in previous posts, Schmidt’s priorities for the year include better end-user education (something most security professionals say over and over again is a key area of improvement), information sharing and better defense systems.
There was also talk yesterday of the real benefit of using end-to-end encryption within the credit card industry, increasing ID theft within the healthcare industry and fraud. Interestingly enough, there were also discussions of robotics and the changes this advancement would introduce to society.
For the final day at RSA, anticipate continued discussion of increasing cyberthreats, but be prepared for a slight twist on the conversation, as many sessions today will discuss cybersecurity trends, digital forensics, encryption and identity/access control.
For those of you traveling home this weekend, safe travels and we’ll see you next year.
The government. Microsoft. Cyber threats. The bulk of conversation at the RSA Conference yesterday focused on these three topics. Let’s take a minute to explore each one.
The Government—As I mentioned in yesterday’s post, federal employees are stepping up to the mic to discuss cybersecurity and awareness to better detect and prevent cyber attacks. Between Einstein, the increasing adoption of the cloud and the still vivid memories of Aurora, there's little doubt of the widespread need for better cyber security. According to White House Cybersecurity Coordinator Howard Schmidt, the U.S. is ill-prepared for a cyberwar.
Lawmakers are making an especially hard push to advance a comprehensive cybersecurity plan, especially now with the U.S. cyber czar position filled. Based on Schmidt’s presentation earlier this week, we know the government is gearing up for a few things to occur over the next year:
Widespread adoption of cloud computing
Significant improvements in cyber security
Better working relationships between law enforcement and the private sector to more effectively fight cyber crime
Instant response plan for cyber-emergencies
Better transparency in government
Although each of these plans is stated with good intentions, it will be important for our government to remember one of the many lessons taught at RSA this week: avoid the excess hype surrounding a cyber threat and/or attack. Why? Because many dangers surround an overhyped threat, especially when you consider that many consumers don’t really understand cyber threats.
On a “fun” note, however, Janet Napolitano, Secretary of the U.S. Department of Homeland Security (DHS), announced a competition to encourage the industry’s “best and brightest” to think of creative ways to better enhance the security of computer systems and cyber networks. Known as the National Cybersecurity Awareness Campaign Challenge, ideas will be accepted through April 30, 2010. Winners will receive DHS funding to promote the idea to a wider audience.
Microsoft—Scott Charney, Microsoft corporate VP for Trustworthy Computing, made a bold move yesterday, stating that the industry should consider taxing every PC user to better fund the fight against cyber crime. Needless to say, this was met with a variety of responses across the blogosphere and a flurry of activity on Twitter. Richi Jennings at Computerworld selected a few “gems” that he blogged about today in Computerworld’s IT Blogwatch.
Cyber Threats—As I stated above, many consumers do not understand cyber threats. Social networking enhances this misunderstanding as more and more people provide increasingly intimate details about their life on these websites. By providing potentially sensitive information, people make it easier for cyber criminals to better focus their attacks, making their attacks more successful.
For Day 4 at RSA, anticipate more discussion on cyber threats--what to do to prevent them, best tips on what to do when you’ve been hit, etc. We’ll also see some additional discussion regarding security standards and, per usual, discussion of the cloud.
Cybercrime is a threat to both enterprises and consumers; it appears that no one is immune from an attack. As cybercriminals become more sophisticated, targeting their victims based on information obtained from social networking sites, it’s no surprise that cybercrime instills fear into many, especially as enterprises encourage the use of social networking as they learn how to use it to their advantage.
However, a strong word of caution was issued during a panel at the RSA Conference yesterday--security professionals were advised to be wary of the intensity with which they discuss threats. It is important that they find a balance between explaining the risks as well as the probability of an attack. Although some of the hype can encourage companies to re-evaluate their existing security practices, it could cause more harm than good. For example: the threat of stolen IDs, credentials and other sensitive data has many executives rethinking the approach to the cloud.
Once again, we saw the cloud take center stage as many conversations yesterday focused on the security of the cloud (and we can expect the same for today with a quick look at the daily schedule). With many people believing the cloud lacks sufficient security, they turn to the industry with expectations that security pros will “fix it.” Keep in mind, however, that fears and concerns of data security in the cloud are nothing new; this has been a primary reason for delays in adopting cloud computing for some time.
RSA President Art Coviello said in his keynote yesterday that the industry faces one of the greatest challenges: securing the cloud. He explained, “Cloud computing can allow more energy and investment to be directed to a real innovative and competitive advantage, but the one thing that’s holding it back is security.” He also named some key areas that should be prioritized as the industry takes on this task:
Who gets access to what and gaining visibility in the cloud
Compliance
Insider risk
Privileged user control
Workflow
A final thought: With cloud computing seemingly the way of the future, there’s little doubt that the government will be included in this new trend. We’ve already seen some significant federal movement toward the cloud, as I mentioned in a previous post, but at RSA, this is taken to another level. A number of federal employees within the cybersecurity arena are stepping up to the mic to lead various discussions on how law enforcement and the private sector need to work together to fight cybercrime.
Unveiled yesterday was Einstein, the Department of Homeland Security’s program to protect U.S. federal civilian networks from cyber attacks. The still-in-progress, more robust next version of the program is described as being “designed to look for indicators of cyber attacks by digging into all Internet communications, including the contents of emails.” Knowing hackers and cyber criminals view this industry as a business, it will be interesting to see what this leads to as hackers turn to their version of R&D to enhance their operations.
As was expected, much of the news from yesterday's RSA Conference focuses on the cloud, and specifically, the Cloud Security Alliance (CSA)’s four-hour summit. Kelly Jackson Higgins of Dark Reading wrote an article summarizing the summit and the CSA’s top seven threats to the cloud. An interesting point that came from this discussion is that data security still remains one of the key concerns for companies using the cloud. This raises the question: what type of encryption are you using and do you know how it works?
Some other news from yesterday includes an interesting tidbit on compliance. PCI and HIPAA are just two of the many compliance mandates that companies need to be aware of and abide by. The medical industry is increasingly turning to IT, emphasizing the importance of information security in compliance. Bill Brenner discusses the results of a survey illustrating that 41 percent of companies would fail a PCI audit. This makes one wonder: is a true, compliance-focused security solution available?
Today, we can expect a slight change in the focus of conversation. The cloud will still take center stage for most of the day as keynote sessions explore the security of the cloud. But with additional keynote sessions, seminars and panels aiming to discuss the Internet, virtualization and data breaches, we can expect an increase in the amount of coverage around the increasing sophistication of cyber threats and attacks, including specific mention of Advanced Persistent Threats (APTs).
Today is Monday, March 1, day one of the 2010 RSA Conference. The bustle of activity today is quite diverse as exhibiting vendors work hard to get their booths ready, some security professionals prepare for today’s seminars and other vendors begin to announce new offerings and products.
As I mentioned in an earlier post, there is much anticipation of news surrounding the cloud. Just this morning, there have been a number of announcements regarding new cloud offerings and products promising better malware detection and e-mail security.
Interestingly enough, we’re also seeing significant discussion of the cloud’s presence within the government. Matt Hines, an eWeek blogger, wrote an article this past weekend explaining that the government voice will “echo loudly” at RSA this year. Hines explained that in White House Cybersecurity Coordinator Howard Schmidt’s recent press conference, he stated that the coordination of federal cyber security efforts will be a leading priority. Following the recent “Aurora” attacks on Google, the combination of cyber crime and the availability of the cloud for federal institutions will encourage many discussions to look at the cloud’s impact on business productivity as well as data security.
As we turn our attention to RSA sessions, the cloud appears to be a key topic of discussion today. The four-hour Cloud Security Alliance Summit, beginning at 9:00 a.m. PT, will provide key information from industry experts about the state of cloud security. Cloud discussion continues early tomorrow with the first RSA keynote at 8:00 a.m. PT discussing Safety in the Cloud.
On another note, keep an eye on Adobe and Google. Knowing that a number of tomorrow’s sessions will focus on the latest types of cyber threats (such as the Advanced Persistent Threat, or APT, for short) and best practices to avoid falling victim to those threats, it will be interesting to see how these sessions tie in the latest flaws with Adobe and how companies can better protect their networks against increasingly determined and more sophisticated attackers.
Just a few days away from the start of RSA 2010, it’s a good time to take a step back from the bustle of preparations and review some key trends that will likely be the focus of every conversation at the Moscone Center.
Just by perusing the titles of each of the sessions, it’s no mystery that the majority of conversations will focus on the cloud, data security, compliance and end-user education. Jon Oltsik stated in a recent blog post on Network World that he believes security spending and compliance will be top of mind.
The security analysts at Securosis believe that compliance, cloud security and cyber crime will be primary discussion topics.
I had the opportunity to listen in on the annual pre- RSA Conference call today, where analysts Chris Christiansen of IDC, Khalid Kark of Forrester Research and Scott Crawford of Enterprise Management Associates each shared areas they think will most likely be key trends. They are summarized below.
Data security and the Cloud -- Crawford addressed data security within the realm of the cloud. Since the cloud was significantly hyped up throughout much of 2009, it’s not hard to believe that the cloud is a big topic at RSA this year. But with varying definitions, confusion as to what the cloud is and the disputes regarding the establishment of guidelines for compliance and data security within the cloud, it brings about a big question: Who owns the data? This makes one wonder if the next big threat to enterprises will involve data ransom. Anticipate all conversations to involve the cloud in varying degrees.
Social Media + Targeted Attacks = ??? -- We are all aware of the increasing sophistication of malware and various other cyber attacks. Simultaneously, we’re aware of the increasing presence of social media in our everyday lives. We constantly see updates from friends, colleagues and clients. So how is this relevant to security?
Christiansen borrowed a quote from Oscar Wilde that ties this all together: “There’s so little useless information.” Any publicly exposed information is relevant to someone, somewhere, and ironically for those so willing to share, is available for a price. Expect these conversations to revolve around the increasing sophistication of cyber crimes, advanced persistent threats (APT) and other new threat models and new attack targets (i.e. smartphone applications).
Social Media and the Enterprise -- According to Kark, organizations need to learn how to leverage social media and Web 2.0 to their advantage, while also being wary of the threat aspect that surrounds it. As Kark stated, “It’s a freight train coming and we need to learn how to deal with it.” Expect conversations on this topic to explore implementing social media guidelines for companies of all sizes.
End-user Education -- The majority of security professionals will frequently reiterate the importance of end-user education. But in a time of social media, when every ounce of information becomes a potential hook to an unsuspecting victim, an appropriate statement to keep in mind is: A company is only as strong (and secure) as its weakest link. Expect to find yourself in conversations discussing increased spending on employee security training.
So in summary, there are four overarching trends to expect at RSA this year, according to the analysts and early online coverage:
* Cloud computing/SaaS security and compliance
* Data security and ownership
* Next generation attacks to the enterprise
* Education and security spending
It will be interesting to see how each theme plays out when the curtain goes up.
Posted by Kristin Forte Allaben on February 24, 2010 at 1:54 PM
An interesting fact about our resident female Tangled Web bloggers - We're all blushing brides-to-be. So, in honor of the upcoming nuptials for Tiffany, Kristin and myself, this post is dedicated to one of the most important relationships for security vendors – the customer relationship.
Earlier this month the Schwartz Security Practice group created a tip sheet outlining ways to increase exposure among media and analysts at RSA. We often advise our clients to plan well in advance to determine if there is a strategic way to align a major news announcement with the conference. However, this is often the “best-case scenario” situation. In the absence of hard news, leveraging customers and having a contact at the show is a great way to generate media attention and deliver reporters information that is compelling, timely and could ultimately lead to great coverage in the future.
The vendor/customer relationship starts with popping the question: "Will you go to RSA with me?" No bling necessary, but covering travel, accommodations and an event pass is another story. That said, bringing a customer to RSA is an investment. A few tips and tricks to make this engagement valuable to people on both sides of the aisle:
-- Evaluate the relationship. Is this customer new or tried and true? While customer win announcements don’t generally receive a significant amount of press coverage, reporters would be interested to hear why a customer chose a specific product or service. This is an opportunity for vendors to provide a product update briefing to reporters through the customer interview, outlining an industry need and discussing differentiators. Don’t expect coverage immediately, but giving reporters access to customers goes a long way and will leave them wanting, and willing to wait for more. On the other hand, bringing a long-term customer to the show, especially if they can talk ROI, is media gold.
-- Consider vertical publications. Reporters’ time at RSA is limited, essentially running from booth to booth, attending sessions, catching up with industry pals and so on. It’s sometimes difficult to secure meetings with reporters from security publications. But those aren’t the only reporters and editors in attendance. An article that appears in a vertical publication – BankInfoSecurity, let’s say – may reach an even more direct audience if selling into financial institutions. A customer in that same industry will be compelling because they can speak to security issues specific to their line of business.
-- Maximize time with booth presentations. Customers’ schedules and their level of activity at RSA or in any media opportunities should be discussed and planned ahead of time. Understandably, talking with reporters about a cool new security application that he or she uses isn’t necessarily a customer’s top priority. When working with our clients on plans with a customer for RSA, this is important to keep in mind. Instead of filling an entire day – or four days – with interview after interview, scheduling a more formal presentation, which could be delivered at a booth, could drive traffic of not only attendees (customer peers) but media as well. Integrate customers into booth sales demos or work with them to show a real life example of a technology in place.
-- Take advantage of the time you have with customers. More and more we are seeing reporters and editors looking for additional content for their sites and blogs. Consider recording video of a customer’s presentation or describing the company’s IT security strategy. We suggest that clients use video content on their own Web sites as well, which they can also distribute to a few key media targets. Also, when we join media interviews, we’re always taking notes. The information the customer reveals could trigger ideas for pitches down the line or could be the basis for drafting a case study.
-- Don’t forget to show a little love, in addition to being mindful of time. An obvious tip here, but showing appreciation for the time a customer spent at RSA is well…appreciated. If any coverage appears, send a hand-written thank you note, along with a copy of the article (perhaps even a framed copy).
Want more advice on building out a PR strategy for RSA? Check out our webinar, featuring Schwartz's Ross Levanto and Tim Whitman and their special guest Matt Hines of Core Security, who also writes eWeek's Security Watch blog.
As security PR practitioners, we at Schwartz are focused on increasing mindshare and market share for our clients through a number of avenues—one of these is an awards program.
Tailored to meet each client’s specific objectives, we assemble an annual calendar of award opportunities, ranging from industry awards to corporate, customer-focused, technology, local market awards, and more. Then, we track nomination deadlines and collaborate with clients to produce and submit strong entry materials.
When it comes to IT security-specific honors, the SC Magazine Awards are a top priority for most enterprise security technology companies who value recognition from SC Magazine as important validation from one of the industry’s top trade publications. Celebrating their 13th anniversary, the SC Awards highlight noteworthy achievements of professionals, companies and products that, according to the publication, “help fend off the myriad of security threats confronted in today's corporate world.” Throughout the years, the Schwartz Security Practice has produced a long track record of winning assists.
This year’s field of SC Award finalists awaits the 2010 winner announcements, which will be made on March 2 during RSA Conference week. An award win surely complements sound RSA PR strategies, such as those discussed in our recently held webinar. To obtain a copy of the RSA PR webinar, please contact securitypractice@schwartz-pr.com.
As a sponsor of the SC Awards Dinner & Presentation, Schwartz Communications would like to say congratulations and best of luck to all 2010 SC Award finalists. If you are planning to attend the March 2 awards dinner, we look forward to seeing you there! You’re sure to spot our colleague Ross Levanto on stage as a presenter.
Check back for continued RSA updates, along with SC Awards gala photos of the Schwartz RSA PR team and clients all dressed up in our formal wear.
"The RSA Conference Survival Guide: How to Achieve your PR Goals and Objectives"
Featuring Special Guest Matt Hines, marketing communications manager, Core Security Technologies
Tuesday, February 9, 2010 at 12:00 p.m. EST/9:00 a.m. PST
Calling all IT security marketing professionals! RSA Conference 2010 is swiftly approaching (March 1-5 in San Francisco). Do you have your organization’s RSA PR strategy in place?
Based on Schwartz Communications’ two decades of success helping dozens of security vendors achieve maximum visibility at RSA, we have designed a special RSA live webinar to help you quickly and effectively establish and meet targeted PR goals for the event.
In the IT security space, the RSA Conference is one of the premier trade shows, and for many vendors is considered a must-attend event. With thousands of IT security practitioners, experts, analysts, reporters, and vendor representatives converging on the Moscone Center in San Francisco this March, it is important for security companies to consider an RSA PR strategy. Whether or not a company is exhibiting at the event, there are ways to capitalize on the show for visibility purposes.
Schwartz Communications, the premier PR agency for IT security technology companies, will be hosting a live webinar titled, “The RSA Conference Survival Guide: How to Achieve your PR Goals and Objectives.” Led by two veterans of the Schwartz Security Practice--Ross Levanto, vice president and Tim Whitman, director of media strategy--the webinar will offer top tips from a PR perspective for success at RSA Conference 2010. Content will include both traditional and new media tactics for cutting through the event clutter to reach key influencers.
Joining the webinar as Special Guest will be security industry veteran Matt Hines. Matt is currently the marketing communications manager at Core Security Technologies, where he helps manage numerous aspects of the company’s overall public relations, analyst relations and social media programs. Prior to his arrival on the vendor side, Matt most recently spent time at eWeek (he still currently pens the Security Watch blog), InfoWorld, CNET and others. Attendees will have the opportunity to hear Matt share his unique perspective on having been both a journalist at the RSA Conference as well as a marketing professional from the vendor community, two very different hats for sure.
Please register here if you are interested in participating in the webinar to learn key factors that will help your company stand out from the hundreds of vendors expected to attend this year's RSA Conference.
Welcome to Tangled Web, the official blog of the Schwartz Communications Security Practice.
Every day, dozens of Schwartz public relations practitioners interact with members of the media, analyst and influencer communities on behalf of our vast security client roster to communicate how our clients help consumers and organizations of all sizes throughout the world with their IT security postures, policies and procedures.
When it comes to security, Schwartz has more eyes, ears and feet on the street than any other public relations firm. As a result, we truly have our finger on the pulse (note our aptly named blogroll) of the security marketplace and those influencers who make it tick.
We bring you Tangled Web, not as a one-stop shop for your daily security information, but rather a forum for our practitioners to share with you some of their thoughts of what they are seeing across the security PR landscape.
With that said, the Schwartz Communications Security Practice invites you to join us in this interactive, ongoing discussion. Through this forum, it is our desire to stimulate and continue communication about issues that are near and dear to you and to us…the intersection of security and PR.
Please visit us from time to time to read what is on our minds and to add your thoughts and experiences. After all, we are not looking to begin and end the conversation, but to stimulate and continue it.
We look forward to sharing some of our thoughts with you and hope that you will join us in the conversation. 2010 promises to be a very interesting year for security companies of all sizes. Wouldn't you agree? What are *your* thoughts?