"I absolutely hate the term 'Cyber Pearl Harbor’,” announced Art Coviello, Executive Vice President of EMC Corporation and Executive Chairman of RSA, at the RSA Conference 2013 opening keynote. “I just think it's a poor metaphor to describe the state we are really in. What do I do differently once I've heard it? And I've been hearing it for 10 years now. To trigger a physically destructive event solely from the internet might not be impossible, but it is still, as of today, highly unlikely."
Coviello said that companies need to “stop looking for the hackers and start sharing data about the hack.” He asked, “Do we really need to see a smoking gun to know there’s a dead body on the floor? Sure we should continue to work to out the perpetrators, but for the most part, we know who they are.”
Coviello added that it’s not as if nation states just started attacking us: “It has been going on for years. What's more disturbing to me is that we're moving beyond intrusion attacks to disruptive attacks.” Although he didn’t officially say who, he warned that “the attacks are coming from a nation-state that sponsors terror” and “the disruption could potentially affect critical infrastructure.” Things might get worse before they get better. Coviello said, “Although collectively we are not winning, we haven't lost yet, either.”
The big topic was big data, including how it can bring big security problems. Regarding IPv6, Coviello believes that, since it could potentially “enable billions of devices to be connected, we will see more automated attacks that are destructive.” His intention was not to send a FUD (fear, uncertainty, doubt) message that the world is coming to an end, but to raise awareness of “the trend line, the trajectory we're on.” Regarding big data vulnerabilities, Coviello warned, "Our attack surface and risk will be magnified in the coming years as a result. We all have the ability to access large data stores because of cloud, but we're not the only ones that can access these data stores. Our adversaries will, as well."
“Stuxnet 0.5: The Missing Link”
Meanwhile at RSA, Symantec released a research paper [PDF] about an earlier version of Stuxnet that had a different way to sabotage Iran’s nuclear-enrichment process. Liam O'Murchu, manager of operations for Symantec Security Response, concluded, “Stuxnet coders had access to Flamer source code, and they were originally using the Flamer source code for the Stuxnet project.” The paper included a Stuxnet 0.5 state flow diagram of the 417 device attack code.
Ars Technica wrote, “It injected malicious code into the instructions sent to 417 series programmable logic controllers (PLCs) made by the German conglomerate Siemens. Natanz engineers used the PLCs to open and shut valves that fed Uranium hexafluoride, or UF6 gas, into centrifuge groupings. Stuxnet 0.5 closed specific valves prematurely, causing pressure to grow as much as five times higher than normal. Under those conditions, the gas would likely turn into a solid and destroy the centrifuges, possibly even the sensitive equipment used to develop them.”
Other Stuxnet 0.5 discoveries included command and control servers that were made to look like a “Media Suffix” advertising agency with a creepy tagline of “Deliver what the mind can dream.”
Big data can bring intelligence-based security
Although RSA’s Coviello talked about how big data can bring big security vulnerabilities, RSA also made a case for “Big Data Fuels Intelligence-Driven Security” [PDF]. “In 2012, we collected one zettabyte of data. That’s the equivalent of 4.9 quadrillion books.” Yet, Coviello stated, “Less than 1% of data is analyzed and less than 20% of it is protected.” Big data, according to Coviello, needs to be sifted and analyzed. "It has the potential to transform our lives for the better. Business will become more efficient and productive." But "intelligent models can only succeed with better learning." The goal is a “single architecture to capture, analyze, and share data. Big data will transform security, but it must start with us."
The RSA Authentication Manager 8.0 platform
Since user authentication is also a “big data problem,” RSA released the RSA Authentication Manager 8.0 platform to provide new big data intelligence in user authentication. The press release stated, “Leveraging Big Data analytics, RSA Authentication Manager 8 is designed to provide deeper visibility into access control risk by building rich user profiles based on both device and behavioral characteristics to detect and permit normal behavior and challenge or block anomalous activity.” According to Manoj Nair, the general manager at RSA, "Identity can no longer be determined by a single factor or even multiple factors. Identity needs to be made from a rich profile with nearly every dimension you can learn about a user, their history and behaviors, and contrast that with behavior of their peer group."
So you find out your company, a part of America’s critical infrastructure, has been hacked. Who are you gonna call? Cyber 9-1-1—that is if DHS deputy undersecretary for cybersecurity Mark Weatherford gets his way. At RSA 2013, he asked, "Why are we still sharing information that we shouldn't? Why aren't some of the solutions we have today being used, put into place? Why are we still relying on passwords?" He said, “Just as security evolved from the mainframe to client/server architectures, so it must evolve for an increase in cloud computing.” Weatherford said we need more security innovation like cyber 9-1-1.