RSA Conference 2012 post-mortem: IT security in a "precarious spot"

CSO - There was an unusual level of gloom at the RSA Conference this year, and for good reason: a number of the biggest and most respected security firms have been very recently breached, including RSA Security, VeriSign, and Symantec.

This wasn't the first year the IT security industry was embarrassed. Last year, HB Gary Federal was breached and that event consumed a considerable amount of talk at the show. That's not to forget the recent big name breaches at organizations such as Google, the U.S. Department of State and Nasdaq in recent years.

"There is a feeling that no matter what steps one takes, it can't be won. Systems can't be kept adequately secured," said a security executive at an international electronics manufacturer.

Whitfield Diffie, one of the pioneers of public-key cryptography would disagree. When speaking during The Cryptographers' Panel keynote at the 2012 RSA Conference about the breach at the U.S. Dept. of State in which U.S. Army soldier Bradley Manning allegedly passed classified data to the whistleblower site WikiLeaks, Diffie noted that many of the security controls worked, and for the breach to occur it required a trusted insider to conduct it.

He also noted that security's "failings" may be about perception. "Security moves from one failure to the next, while if you are on offense it moves from one success to the next," Diffie said.

Stefan Savage, professor at the department of computer science and engineering, University of Calif., San Diego, observed that many of the perceived failures of IT security may be because the industry, largely, views security as a technical problem.

"There is a massive human component to security. While there are lots of technical things behind spam and botnets, there are people behind all of that, and then there are people who make mistakes that many times let them [spammers and botnets] through," said Savage.

Savage provided an example where focusing dependencies other than technical have yielded results. For years, the industry has focused on trying to block spam and malware and shut down the domains -- yet spam and botnets continued to thrive. "We eventually discovered that banking is the weak point and that taking down the merchant accounts can be far more effective than taking down domains that can be easily replaced by the criminals."

Savage also noted the never-ending nature of cyber-crime. "We don't have proofs for ending war and conflict, and putting the prefix 'cyber' in front of it doesn't change the dynamic," he said.

Michael McConnell, former director of the National Security Agency, said during the Cloud Security Alliance Summit that the industry may need increased regulation. He said the IT security industry is at an awkward stage similar to when the government wanted to force auto manufacturers to build seat-belts. Not everyone wanted the regulation. "We are at a similar time in safety and privacy concerns, and we have to address these issues. Industry is going to have to accept some level of regulations," he said.

"I think we're in a precarious spot," said the security analyst at a regional telecommunications firm. "We're neither winning nor losing." Business is still moving online and there's no stopping that. And organizations are getting hacked, for certain. But there are risks in everything we do every day. We just need to learn how to better manage and protect what were doing."

Read more about cloud security in CSOonline's Cloud Security section.