SAN FRANCISCO—A hacker war erupted just before the start of the RSA Security Conference, held February 14-17 at the Moscone Center in San Francisco. HBGary Federal, the federal arm of the well-known security consulting company HBGary, succumbed to a social engineering attack by the Anonymous hacker group, which obtained HBGary's internal e-mail and customer information and released it via BitTorrent.
Also leading up to this annual conference were several other interesting cyber events that commanded attention:
• The mostly peaceful transfer of power in Egypt, in which social networking was identified as the key organizing instrument.
• A widespread attack campaign called Night Dragon against Exxon and several other oil and gas companies, coming on the heels of Stuxnet's targeting of specific SCADA control systems at Iran's nuclear facilities.
The churn of these and other cyber events was felt at parties and meetings and on the show floor, where the predominant theme was one of impending disaster.
“If you ask them, half the people at this conference would say the next big threat landscape is digital 9-1-1 involving SCADA control systems,” said Dan Holden, director of H-P TippingPoint's DVLabs (Digital Vaccine Labs), during an interview. “But people forget that small yet highly vulnerable browser, which is still the major cause of most exploits.”
Holden's group sponsored the Pwn2Own contest at the CanSecWest hacker conference in Vancouver last March (2010). In that contest, all but one of the major browsers were broken quickly using zero-day vulnerabilities.
Browsers are a big problem because they are everywhere, including and in particular on phones, which are increasingly problematic for the executive-protection firm the Guidry Group.
“On the kidnap and ransom side, cell phones are making it increasingly difficult to protect our executives and their families,” said Michael Guidry, founder and CEO, during a mobile symposium panel held outside of RSA on Tuesday. “Youngsters are twittering where they are with their families and their chats can be intercepted. And smart phones can be hacked and used as recording devices to steal intellectual property during executive meetings.”
In addition to browser and e-mail risks, Rob Smith, founding CTO of Mobile Active Defense, says that applications are also a serious concern. Apple cannot vet each of the tens of thousands of applications hosted in the iTunes App Store beyond asking “does this application work as it says it does?” As a result, he says, logic bombs and time-released attack code can hide in games and go off after the application has been approved and posted to the store.
As risks get more complex and persistent, and as demand for access, mobile and even cloud applications continue to rise, organizations need to rethink security on every level, say experts.
So far, that thinking has led to new standards and to work on unifying security and embedding it into operations wherever possible. For example, IF-MAP (Interface for Metadata Access Points), part of the Trusted Computing Group's Trusted Network Connect (TNC) architecture, is a SOAP-based protocol through which clients publish the security state of endpoints to a shared metadata server, so that access-control decisions can be made against that state. Version 2.0 of IF-MAP adds support for industrial control systems, smart grid and cloud environments.
Using open standards and other technology, vendors are trying to unify security and operational controls where it makes the most sense.
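To make the IF-MAP idea concrete, here is an added example (not code from the article, the Trusted Computing Group or any vendor named on this page). It builds an IF-MAP 2.0 publish request that records one endpoint's IP address, MAC address, access request and device, with a device-attribute describing the endpoint's health, and then feeds it to a toy in-memory metadata graph that a policy decision point could query. The SOAP and IF-MAP namespace URIs are those of the IF-MAP 2.0 specification; the element layout is a simplified rendering of the spec's publish operation; the attribute names "compliant" and "av-out-of-date", the session id and the endpoint values are all constructed for the example. The graph class is a stand-in for a MAP server: only the update operation is modelled, and the HTTPS transport with client certificate or basic-auth authentication that a real deployment uses is omitted.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the IF-MAP 2.0 specification.
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
IFMAP_NS = "http://www.trustedcomputinggroup.org/2010/IFMAP/2"
META_NS = "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"

# device-attribute names are vendor-defined; these two are constructed for the example.
ATTR_COMPLIANT = "compliant"
ATTR_AV_STALE = "av-out-of-date"


def build_publish(session_id, ip, mac, ar_name, device_name, compliant):
    """Return an IF-MAP 2.0 publish request (simplified) describing one endpoint:
    ip <-ip-mac-> mac, access-request <-access-request-ip-> ip and
    access-request <-access-request-device-> device, the last link also
    carrying a device-attribute that states the endpoint's health."""
    attr = ATTR_COMPLIANT if compliant else ATTR_AV_STALE
    return f"""<env:Envelope xmlns:env="{SOAP_NS}" xmlns:ifmap="{IFMAP_NS}" xmlns:meta="{META_NS}">
  <env:Body>
    <ifmap:publish session-id="{session_id}">
      <update lifetime="session">
        <ip-address value="{ip}" type="IPv4"/>
        <mac-address value="{mac}"/>
        <metadata><meta:ip-mac ifmap-cardinality="singleValue"/></metadata>
      </update>
      <update lifetime="session">
        <access-request name="{ar_name}"/>
        <ip-address value="{ip}" type="IPv4"/>
        <metadata><meta:access-request-ip ifmap-cardinality="singleValue"/></metadata>
      </update>
      <update lifetime="session">
        <access-request name="{ar_name}"/>
        <device><name>{device_name}</name></device>
        <metadata>
          <meta:access-request-device ifmap-cardinality="singleValue"/>
          <meta:device-attribute ifmap-cardinality="multiValue"><meta:name>{attr}</meta:name></meta:device-attribute>
        </metadata>
      </update>
    </ifmap:publish>
  </env:Body>
</env:Envelope>"""


def _ident(el):
    """Reduce an identifier element to a hashable (type, value) key."""
    if el.tag == "device":
        return ("device", el.findtext("name"))
    return (el.tag, el.get("value") or el.get("name"))


class MapGraph:
    """Toy stand-in for a MAP server: identifiers are nodes, metadata hangs on links.
    Only 'update' is handled; delete, subscribe and poll are not modelled."""

    def __init__(self):
        # frozenset({ident_a, ident_b}) -> list of (metadata local name, optional name text)
        self.links = {}

    def apply_publish(self, xml_text):
        root = ET.fromstring(xml_text)
        publish = root.find(f".//{{{IFMAP_NS}}}publish")
        for update in publish.findall("update"):
            idents = [_ident(c) for c in update if c.tag != "metadata"]
            bucket = self.links.setdefault(frozenset(idents), [])
            for m in update.find("metadata"):
                local = m.tag.split("}")[1]  # strip the metadata namespace
                bucket.append((local, m.findtext(f"{{{META_NS}}}name")))

    def neighbours(self, ident, link_type):
        """Identifiers reachable from ident over links carrying link_type metadata."""
        out = []
        for key, metas in self.links.items():
            if ident in key and any(local == link_type for local, _ in metas):
                out.extend(i for i in key if i != ident)
        return out

    def attributes(self, a, b):
        """device-attribute names recorded on the link between a and b."""
        return [n for local, n in self.links.get(frozenset({a, b}), []) if local == "device-attribute"]


def decide(graph, ip):
    """PDP-style decision: walk ip -> access-request -> device and read the
    device-attribute metadata. Unknown or non-compliant endpoints are quarantined."""
    for ar in graph.neighbours(("ip-address", ip), "access-request-ip"):
        for dev in graph.neighbours(ar, "access-request-device"):
            attrs = graph.attributes(ar, dev)
            return "allow" if attrs and all(a == ATTR_COMPLIANT for a in attrs) else "quarantine"
    return "quarantine"


if __name__ == "__main__":
    g = MapGraph()  # constructed sample data follows
    g.apply_publish(build_publish("s1", "10.0.0.5", "00:11:22:33:44:55", "ar-1", "laptop-42", compliant=False))
    g.apply_publish(build_publish("s1", "10.0.0.6", "00:11:22:33:44:66", "ar-2", "laptop-43", compliant=True))
    for addr in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        print(addr, decide(g, addr))
```

The point the example makes is the one the TNC architecture relies on: the component that learns an endpoint's health (a health-check client or an IDS) and the component that enforces access (a switch, VPN gateway or firewall) never talk to each other directly; both publish to and read from the shared graph, so the enforcement point only has to know how to walk from an IP address to a device and read what is there. In a real MAP server the publish request is authenticated and the default "quarantine" for unknown endpoints is a policy choice, not a property of the protocol.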
For example, in the authentication and access control space, vendors such as five-year-old SecureAuth have developed access management frameworks that take away the complexity of managing access across multiple applications. SecureAuth CEO Craig Lund says it took two years to develop the company's technology, which builds on Active Directory to provide one-touch provisioning of access across web, VPN and cloud applications.
In addition to access controls, consolidation is occurring in many areas to make security management and compliance easier. These include advanced firewalls and endpoint management, with such enhancements announced by Check Point and Lumension, respectively. Consolidation is also evident in security management and continuous monitoring, from companies such as NetWitness, Splunk and H-P (with its Fortify and ArcSight acquisitions) and across other vendors in these categories.
While many may not think of these improvements as glittery and new, the fact is we're buried in too many security products to sanely manage risk in this increasingly open, consumer-driven and hostile environment. The more the industry can do to streamline its security and compliance operations, the better the chances of improving the IT experience for all users by enabling secure, compliant lines of business.