Security Trends from the Expo Floor
MAR 22, 2013 12:19 PM


While conferences like RSA continue to grow in size and scope, take a few minutes and flip through the pages of your favorite news source and count the number of articles about hackers, malware, cyber-warfare, or privacy. We’ve been so quick to develop technology and devices that do cool things that we sometimes forget to make sure that those shiny new toys are, in fact, secure and safe. In using this year’s RSA as a snapshot of the trends in cyber-security, a lot of the focus falls into mobile end-point security, the secure cloud-as-anchor, and creating an insurmountable defense.

The Mobile/Business Dichotomy

By many accounts, the number of mobile-minded security representatives at RSA this year was nearly double from last year’s show. That makes sense as more and more employees are using their own phones to check their email and get work done (insert obligatory BYOD remark here). That wouldn’t be that big of a deal in and of itself, but if you combine that fact with the rise of “free” apps, you have greater potential for lapses in security.

Coming in from the enterprise side, you have companies like Appthority (voted as The Most Innovative Company of RSA - 2012). They work with enterprise mobile management plans, identifying risky behaviors in apps, separate from the device management policy for the business or organization. Additionally, they semi-frequently push out app reputation reports, identifying trends in the security and privacy of (mostly free) apps. I tend to agree with their statements near the end of the February report: “It’s generally perceived that Android devices are more ‘dangerous’ due to the increasing amount of Android malware. But in actuality, mobile malware infects less than one percent of apps. The real concerns should be over how mobile apps are handling personal info and company data.” [Full PDF here] In my humble opinion, privacy and individual data is exchanged for a free app way too often, and anybody who reminds the public about privacy concerns is doing a good thing.

Coming in from the enterprise-developers’ side, you have companies like Mocana (who also partners with Appthority in generating a stable knowledge base around apps) that support app developers by making them more secure (the apps, not the developers). Focusing not on protecting individual data but more on the organization’s data, their recently announced MAP program creates a container around mobile apps, assisting devs with tools and tech support. It’s true that security is a calling, and as such, it may not be in every developer’s mind to think about security when creating apps. When talking with Mike Siegel from Mocana, he stressed that their obsession is on the trends in security and privacy, noting that things like worrying about whether BYOD is happening is ridiculous: it’s happened already. Instead, looking back at the macro level of the problem is the key. For many, security is viewed as a tax, but for Mike and his team, they look at security as an enabler, one that frees a team up to do more productive work. I actually like that way of thinking.

While we’re on the subject of malware and privacy concerns, it’s worth noting that anti-virus programs on desktops are fairly ubiquitous. We’ve long sought ways to keep our own data safe, but having anti-virus and anti-malware protection on our phones isn’t necessarily as widespread. Webroot has come into the game after not really cracking that large of a market share in the PC space. However, their approach to user security feeds on the ever-growing amount of existing data about trustworthy apps, leaving them with a lightweight (read: doesn’t impact Angry Birds) app on a smartphone, not only earning them a place on the Best Free Android Apps list from PC World, but also increasing their overall retail-security market share. While many people “in the know” will argue that the vast majority of malware incidents on phones happen when people go “off the grid,” some people would prefer to be safe than sorry.


With the rise of mobile phones and tablets, there has simultaneously been a rise in anchoring data in the cloud, having a service host the data. Yes, I get it; there are other reasons to host data in the cloud, but follow me for a bit: more and more endpoints of our computing needs are met with small and lightweight devices. I don’t need a desktop to run programs anymore; I can access the information remotely, using one of hundreds of companies to host my mass amount of data (albeit for me, it would probably be mostly pictures of my son). Where the security implications come in is in figuring out how to access it easily and quickly without letting someone else, who doesn’t have permission to, access it.

The classic vision in my head about hosted services involves huge server racks down air-conditioned corridors, little blue lights flashing all around. Yes, that works for some, but for others, there has to be a way to protect the potentially valuable information stored on those servers. Firehost has a fairly robust service, and their security standards afford them several noteworthy options. They can protect data, complying with HIPAA and/or PCI DSS standards. More and more health data and online transactions need secure places to stay; it’s a fact that’s so obvious it’s probably invisible at this point. Additionally, if you ever have the chance to talk with them about their physical security measures, be prepared to conjure images of Mission Impossible-type security standards with gates, locks, and pressure-sensitive floors. It’s always nice to hear about that kind of stuff (on a purely techno-fetish level).

A few months ago, Wired ran an article about how journalist Mat Honan’s personal accounts were hacked. It was an interesting article, but a lot of the information was content that many in the security industry were well aware of. At this year’s RSA, Honan and Matthew Prince, CEO of Cloudflare, spoke during a session called, "We were hacked: Here's what you should know." Speaking honestly about the UGNazi hack of Cloudflare, Prince talked about very practical aspects of security, both from a user’s perspective, and from a cloud-security perspective. Saying that he learned to stress the importance of two-factor authentication for Cloudflare’s customers, it was refreshing to chat with him after the panel. He talked about the importance of “looking at the seams for potential vulnerabilities” in a hosting service, as well as the importance of not forgetting to maintain the “forgot password” page on a site. He also spoke about the importance of companies to be forthcoming about breaches, saying that talking about “why” the breaches happen is incredibly important for the entire security industry.

While taking a new philosophical approach to security is definitely needed, one of the major concerns in the field is how to secure industrial systems. With Stuxnet and Stuxnet-like attacks getting mainstream media attention (combined with the rise of connected control systems), everyone is getting a little more concerned with how secure SCADA and other industrial control systems are. The guys and gals at Norman are working on that, and after picking up pieces of my brain after my conversation with them (you know, because they blew my mind), it’s rather fascinating to see some of the approaches in this area. Norman got the jump on many places, offering the first turn-key SCADA security product for industrial systems. Arguing that a “not if, but when” mentality is critical in protecting an ICS, their approach allows the controller of the ICS to have an ongoing awareness of the system without jeopardizing critical parts.

Defensive Measures

While no one is necessarily going to stand up and suggest that they were the person who started the quote, “The best offense is a good defense,” (mostly because that doesn’t really make sense) I feel that in the security field, it is a great adage to live by, especially if you twist your mind into thinking that “offense” in this sense is dissolving and disarming a potential attacker. I’m not speaking of active defense here; I’m speaking of metaphorically building an impenetrable defense that by its very nature deters attackers.

Many security professionals will remind the public that it’s not just the tech that they have to worry about as far as vulnerabilities are concerned; many times it’s the staff. Social engineering customer service is a fairly well-documented pastime for some, and Digital Defense’s strategy in dealing with it is pretty interesting. Their SecureED program uses an ex-writer for Saturday Night Live to make the security training a little more approachable and entertaining, easing the stress of employer-mandated training (which for some of my friends is less enjoyable than visits to the dentist). Sometimes it’s the little things that make the biggest difference, and if an organization can get everyone to know the basics of security without creating a mass increase in clean teeth, you’ve already made a big impact.

Sometimes you have to think about other ways to stop attacks before they happen. Paul Kocher, President of Cryptography Research, Inc., talked about the need to step back and look at the vulnerabilities on the hardware side of things. Paul touched on how people come into software faster than they’re necessarily trained, and hardware affords certain boundaries for security purposes. Suggesting that putting data “out there” is like unsafe sex (you will in fact catch something at some point), focusing on the most secure points of hardware can effect a large amount of change. “If you think about the medical field, specifically the old ‘tonics,’ you saw that anyone could sell anything. Eventually the profession caught up, and that’s what is happening in the security field.” In addition to seeing how easy it was to gather information leakage from a cellphone (the RSA algorithm, decrypted and pulled, using a copper wire, an amp, and a spectrometer), Paul gave some great points about some of the more fundamental problems in the field. Citing a massive shortage of highly technical workers, customers’ poor choice of security products, contracts devoid of security guarantees (or bonuses), and lawmakers’ inability to fix problems, Paul is one of the good guys in the field.

Speaking of good guys in the field, Gary McGraw, CTO of Cigital, was super-busy at the show, moderating, meeting, and wielding a lightsaber (long story). If you know Gary, you know of the importance of secure programming, and Cigital’s Building Security in Maturity Model (BSIMM) looks like it should be one of the more important security programs for all sizes of organization. Stressing the importance of integrating a full security initiative into a business, the focus is on an all-encompassing approach to security, giving companies reference points for where they are falling behind and where they are succeeding, which seems like a much more efficient use of time and energy. Sometimes it’s good to know what you are doing right, so you can spend less time on redundant processes, especially when that time is better spent at shoring up defenses elsewhere in the company. I could see BSIMM becoming increasingly influential in the field moving forward.

Also noteworthy is the rise of the machine in the security industry. More and more firms are moving to intelligent system assistants in threat mitigation, analysis, and testing, and as the term “big data” slides down Gartner’s hype curve, you’ll probably see an increase in AI applications in the field. It’s already happening (and has happened in many cases), but from the expo floor, there’s still room to grow.

See you around.
