Fear and loathing at RSA: Hacking, security and the limits of protection

There is danger everywhere you look in the cybersecurity space.

People are trying to steal your credentials or trick you into giving them important information. They are exploiting unpatched operating systems, locating security holes in applications and hacking into unprotected hardware.

You’re not paranoid, you’re told. Hackers, con artists and social engineers really are out to get you, and frankly you’re pretty helpless to stop them.

That was the message I kept hearing last week at RSA. You aren’t safe and you’ll never be safe. Yet the irony for all to see was that there were over 500 vendors trying to solve your security problems, trying to convince you that their tool was the exception that should make you safer. Welcome to the world of cybersecurity marketing.

Paranoia’s poison door

Perhaps the most discouraging message was that you have reason to be paranoid. That’s because hackers can knock on your network a thousand times. They can afford to be patient because they know all it will take is just one moment of weakness, and your network is breached.

It’s made even more difficult by the fact that today, it is likely not an individual hacker but well-financed criminal organizations or nation states with vast computing resources and some of the world’s smartest computer minds behind them. It’s not easy to battle that while running a profitable business, especially when Accenture reports that 45 percent of companies indicate having trouble finding qualified security experts to help them.

Failure is not an option.

“The science of securing something with 100 percent certainty doesn’t exist,” Hugh Thompson, chief technology officer at Blue Coat, told a group of reporters last week at an RSA Roundtable event.

That doesn’t mean, however, that there’s no hope or that we should just throw up our hands. You just have to understand what you’re up against and find ways to measure the probability that a vulnerability is going to lead to an issue on your systems, while defending against the most likely ones first.

Helpless, helpless, helpless

If you walk around a conference like RSA, you come to realize that this is a tough space. On one hand, you want to think that the 500-odd vendors at the event producing products will win some of the time — and they do.
At the same time, it’s hard not to feel at least a bit discouraged as you walk around the show floor and listen to the presentations.

Benjamin Jun, CEO at HFV Labs and former CTO at Cryptography Research, who also spoke at the RSA Roundtable, was rather blunt in his assessment of the industry.

“We can’t secure cyberspace. We aren’t up to the task. Even if you can now, it’s constantly changing,” he pointed out. That said, he still believes we have the responsibility to do the best we can when it comes to security, while fighting the battle as hard as we can.

You see that kind of dichotomy quite a bit at RSA.

Still I look to find a reason to believe

Ultimately it’s not about perfection or having some sort of impenetrable defense because Jun and Thompson are right on that score. That’s never going to happen. It’s about finding ways to make your devices and networks as safe as you can.

As CrowdStrike CTO and co-founder Dmitri Alperovitch put it, there are a million ways into a network, and your employees are often the weakest links. When companies conduct phishing tests, he said, five percent of users will click a malicious link, no matter what. It doesn’t matter how much training you give them. They continue to click.


In spite of this, it’s not as hopeless as it sounds, Alperovitch said. While yes, there are a million ways to get in, it doesn’t mean that once inside, hackers can destroy your network or get access to your most valuable data.

“The hard part is not getting in, it’s figuring out what to do once you get in and that’s where the defender should have the advantage,” he said.

That’s because you understand the nuances of your own network, or at least you should, and that should help you control or monitor hackers once they are inside.

It’s also important to see the progress we’ve made as an industry, Alperovitch said, pointing out that the average time to discover a breach used to be an astonishing 4 years. Today the average is 140 days. It’s still way too long, but it’s certainly much better than over 1,400 days.

A matter of trust

Forward without fear

It’s easy to forget that none of this tends to happen in isolation, yet companies tend to feel isolated. Instead of banding together against a common enemy, they try to fight alone. In many ways it doesn’t make sense to take this approach, but companies that don’t want to be seen as having weak security in the eyes of the public likely don’t understand that on some level everyone is equally vulnerable.


“As somebody whose job it is to get retailers to share security information, the problem is almost entirely psychological. It’s not about liability,” says Wendy Nather, research director at Retail Cyber Intelligence Sharing Center. This leads to people sharing information one on one or using someone like her as a conduit to share security info instead of having an organized security sharing system.

As Todd Inskeep from Booz Allen put it, “The hardest part is scaling trust. Two guys and a beer doesn’t scale.”

HackerOne is a company trying to provide that scale, at least for software vulnerabilities, with a bug bounty platform that pays hackers to find problems before they escalate.

“Having platforms and processes dramatically mitigates the risks associated with sharing information,” says Alex Rice, CTO at HackerOne. There clearly need to be more systems like this to help companies understand common risks.

Games without frontiers

When you look at all the levels at which companies have to think about security, whether the application, network, device or product level, there’s so much ground to cover and so many holes to fill. It’s a daunting task for any organization.

Even though it’s clearly an enormously difficult undertaking, that doesn’t mean we don’t try. New companies are coming along all the time that provide creative ways of attacking security issues. The industry keeps changing and adapting, even as the attackers grow increasingly sophisticated.

In the end, a conference like RSA isn’t necessarily about fear and loathing. It’s about coming together to share information and ideas and figuring out the best ways to defend the industry against ongoing attacks — while keeping in mind it’s a chess match you won’t always win.