RSA Conference 2012 post-mortem: IT security in a "precarious spot"
CSO - There was an unusual level of gloom at the RSA Conference this year, and for good reason: a number of the biggest and most respected security firms have been very recently breached, including RSA Security, VeriSign, and Symantec.
This wasn't the first year the IT security industry was embarrassed. Last year, HB Gary Federal was breached and that event consumed a considerable amount of talk at the show. That's not to forget the recent big name breaches at organizations such as Google, the U.S. Department of State and Nasdaq in recent years.
"There is a feeling that no matter what steps one takes, it can't be won. Systems can't be kept adequately secured," said a security executive at an international electronics manufacturer.
Whitfield Diffie, one of the pioneers of public-key cryptography would disagree. When speaking during The Cryptographers' Panel keynote at the 2012 RSA Conference about the breach at the U.S. Dept. of State in which U.S. Army soldier Bradley Manning allegedly passed classified data to the whistleblower site WikiLeaks, Diffie noted that many of the security controls worked, and for the breach to occur it required a trusted insider to conduct it.
He also noted that security's "failings" may be about perception. "Security moves from one failure to the next, while if you are on offense it moves from one success to the next," Diffie said.
Stefan Savage, professor at the department of computer science and engineering, University of Calif., San Diego, observed that many of the perceived failures of IT security may be because the industry, largely, views security as a technical problem.
"There is a massive human component to security. While there are lots of technical things behind spam and botnets, there are people behind all of that, and then there are people who make mistakes that many times let them [spammers and botnets] through," said Savage.
Savage provided an example where focusing dependencies other than technical have yielded results. For years, the industry has focused on trying to block spam and malware and shut down the domains -- yet spam and botnets continued to thrive. "We eventually discovered that banking is the weak point and that taking down the merchant accounts can be far more effective than taking down domains that can be easily replaced by the criminals."
Savage also noted the never-ending nature of cyber-crime. "We don't have proofs for ending war and conflict, and putting the prefix 'cyber' in front of it doesn't change the dynamic," he said.
Michael McConnell, former director of the National Security Agency, said during the Cloud Security Alliance Summit that the industry may need increased regulation. He said the IT security industry is at an awkward stage similar to when the government wanted to force auto manufacturers to build seat-belts. Not everyone wanted the regulation. "We are at a similar time in safety and privacy concerns, and we have to address these issues. Industry is going to have to accept some level of regulations," he said.
"I think we're in a precarious spot," said the security analyst at a regional telecommunications firm. "We're neither winning nor losing." Business is still moving online and there's no stopping that. And organizations are getting hacked, for certain. But there are risks in everything we do every day. We just need to learn how to better manage and protect what were doing."
Read more about cloud security in CSOonline's Cloud Security section.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Desktop Apps White Papers | Webcasts