ITWeb Security Summit: Getting it wrong and failing [Part 1]
I could feel it. There was something in the air as I made my way through registration and found my seat. I was surrounded by the best of the best in the security industry. I just hoped that these guys were on the Good Guys' side…
I was at the ITWeb Security Summit and it was game time.
Chris Gibbons opened the event and, throughout the day, expertly made sure that we all knew where we had to be and by when; he kept every speaker on track and ensured that Day 1 ran smoothly.
Charl van der Walt, Co-Founder and Managing Director at SensePost, set the theme for the conference: How Security Firms Have Failed – it's time to reinvent Information Security. Charl then took us through various recent hacking attacks and how they occurred. The one that stood out was the recent attack against Iran's nuclear programme, which reportedly set it back two years. "This attack cost $2 million, which is less than the US Air Force spends per day," said Charl.
The next company name that came up repeatedly throughout the day, from several speakers, was Comodo. Comodo is a Certificate Authority (CA): it sells the SSL certificates that browsers rely on to confirm that a site really is who it claims to be. When Comodo was hacked it shook the industry, because the attacker managed to issue himself valid SSL certificates in the names of big businesses such as Microsoft and Google, to name but a few.
According to a study Charl cited, 92% of attacks were not difficult, 86% were discovered by a third party and 96% were easily avoidable. Mac malware has now become a reality: "If you've been predicting malware will come to mobile for the past 10 years, you are finally right," joked Charl.
As technology progresses, "the elephant in the room is that security companies have failed. We have not delivered on info security," said Charl, MD of SensePost.
Eddie Schwartz, CISO at RSA, The Security Division of EMC, explained that there are only "two categories: breached or not breached; the latter haven't looked hard enough". Eddie explained how the adversary has changed. It is no longer obvious what the "bad guys" look like. They are not the ones in ski masks with a flashlight, coming in at night; they hide among the masses and look like everyone else. "We need to understand what 'bad' looks like and look for similarities," said Eddie. The threat is continuously changing and depends on what the business is doing at any stage: "if you take a stand on any issue you might get into someone's crosshairs".
The old way of thinking about risk is the equation Risk = Threats × Assets × Vulnerability. Eddie argued that this is the wrong approach: none of the three terms can be measured with any precision, so the equation is not solvable and the number it produces is meaningless.
Quoting The Art of War, "When the trees move, the enemy is advancing", Eddie explained that we cannot wait for an incident before we start investigating; we need to be constantly analysing big data so that we can predict movement. "The worst-case scenario is that the hackers are in your network and are flicking switches on and off."
Eddie believes we need to think strategically about big data: we need to think about handling and analysing "hundreds of terabytes of data" so that when it "hits the fan you can fix it", he asserts. Eddie also suggests building a team made up not just of administrators but of a variety of security skill sets, everything from coders to game theorists. The right team and process are critical.
Moxie Marlinspike was on a mission, an important mission. Moxie's message was that the Certificate Authority (CA) system, the so-called security authority responsible for "securing" the internet, has failed and is out of date.
Moxie focused on the Comodo attack, which was officially explained as a state-sponsored attack from Iran. On closer investigation, however, the attack appeared to come from an IP address that showed up in the logs of Moxie's server for his sslsniff tool. More surprising still, the same IP address had arrived via an introductory "how to hack" video clip. So it seems the attacker was simply following a video clip and managed to compromise a major player.
When SSL was created, the man-in-the-middle attack was only theoretical. "We threw it in at the end. It was a bit of a hand wave," said Kipp, the person who wrote SSL at Netscape! "Another 4am decision," as Moxie calls it.
What was most surprising is that Comodo, the company that is supposed to protect us from getting hacked, was itself hacked no less than four times. With NO repercussions. No lawsuits.
So why did nothing happen to Comodo? Why didn't browsers and users block its certificates once it had been hacked? Because if they had, a quarter of the internet would have stopped working: every site whose certificate chains up to Comodo would have failed to load. The way SSL certificates currently work, you are locked into trusting the certificate authorities that ship in your browser forever. That choice can never be revisited, so there is no ability to move away from a CA that has failed. EVER.
Moxie has created a solution for this problem called Convergence. More info is available at http://convergence.io/
Haroon Meer, founder of Thinkst, started his keynote by asserting that "Hope is not a strategy. You can't hope that you won't get hacked." Haroon stated that security has become very complex and that security firms have pushed the onus for security onto the user. Why would people still click on links they don't recognise? "You never see the true meaning of the phishing issue until you get your mother to do internet banking!" Haroon then recalled all the things you have to explain to Mom: don't click on links, only open websites that show a padlock, don't use WiFi, only use your own computer, etc. etc. etc. TOO HARD!
The security industry cannot fall back on users' lack of education. "It's not a crutch that we can use anymore."
Security experts make users' lives very awkward by clamping down on internet and email usage "for security reasons". Users can't receive certain files via email, yet they can fetch the same files through Google Docs, Facebook file sharing or Dropbox. So why make it awkward for the user?
Haroon is critical of the antivirus companies. While having an antivirus is important (he calls it a "virus tax"), these companies have failed the industry: they do not stop a new piece of malware until something bypasses their product, they are made aware of it and they dissect it. "The opponent gets to see the whole chess board. I can get the same antivirus as you and tweak my malware to bypass it," concludes Haroon.