The challenge of securing the enterprise has grown more complicated as companies extend their reach to partners, third-party service providers and cloud-computing resources, say a panel of experts that serve on the RSA Conference 2012 Program Committee.
Up until now, organizations have operated on a certain level of trust, relying on an attestation from their partners that the partners’ systems are properly secured. But digital trust has eroded in recent years, partly because of high-profile data breaches over the last year that appear to have been conducted by a breed of attackers combining technical and social engineering techniques, said Hugh Thompson, RSA Conference 2012 Program Committee chairman and chief security strategist at People Security. All attackers have to do is understand an enterprise’s outside partner connections or an employee’s social network contacts and create a convincing email message.
“It can be a compelling phishing email or sometimes a more elaborate ruse where they called someone on the phone,” Thompson said. “We’re relying on attestation and I wonder if we need to get beyond this attestation model.”
Thompson and several other members of the RSA Conference 2012 Program Committee recently shared their views with invited media on the current threat landscape and the security trends they are seeing. Emerging threats, new security technologies and ongoing enterprise data security challenges often shape the agenda of the annual security conference.
The RSA SecurID breach began with a malicious email titled “2011 Recruitment Plan” that carried a malicious Microsoft Excel attachment. Other high-profile breaches, including the HBGary Federal breach, also had social engineering components. But Ari Juels, chief scientist and director of RSA Labs, said social engineering will always be a problem, and researchers shouldn’t change course to focus on a single issue. Instead, security technologies should continue to be developed to strengthen the trust relationship in Internet communications, better detect attacks when they happen and even anticipate when an attack is imminent.
“Social engineering is and will always be a problem, but we shouldn’t let it distract us from what are more fundamental, technical issues,” Juels said. “To some extent the whole issue is a red herring.”
Restoring digital trust could be a major theme at RSA Conference 2012, as RSA Chairman Art Coviello will take the stage to restore trust with RSA SecurID customers. In recent years, the annual conference has highlighted the data security complexities associated with cloud computing, the challenges associated with consumerization in the workplace and the increasing threats that nation-state attacks, hacktivist activities and cybercriminal gangs pose to corporate networks.
Better data collection and threat analysis are also becoming a hot topic. Security systems are collecting increasing amounts of data, but enterprises are having trouble mining that data for valuable threat intelligence, said Todd Inskeep, senior associate at Booz Allen Hamilton. The issue affects not only intelligence gathering and analysis within an organization, but also intelligence sharing among enterprises within an industry and across industry sectors, Inskeep said.
“Information sharing remains a big challenge for a lot of legal and liability reasons,” he said. “A lot of [the] time business executives have trouble identifying what question to ask of their [data]. Nobody is quite sure how to frame a question and therefore analytics can’t pull it out for you.”
RSA’s Juels agreed that threat data collection, analysis and dissemination is a challenge that must be addressed. Academic researchers struggle to find valuable threat intelligence data sets for their research, crippling their ability to contribute. Enterprises are naturally reluctant to share their data with outsiders, and when they do, the data is not very useful to academic researchers, he said. It’s a technical, legal and social problem, Juels said.
Digital trust in mobile devices and other embedded systems is also beginning to decline, said Benjamin Jun, vice president of technology at Cryptography Research. In addition to smartphones and tablets, refrigerators, thermostats and other devices are increasingly collecting and using information, and the question of security and privacy is rarely being addressed, he said.
“The path to put security in is difficult,” he said. “This is solvable; there are ways to tag data in meaningful ways on these devices and ensure the right data is protected.”