Amazingly enough, in my time here at Network World I managed to avoid attending the RSA Conference – usually it was because I was still recuperating from CES in January, but also because we had other security reporters/editors covering the show.
But this year was different – I’m now helping coordinate videos for both Network World and our sister publication/site, CSO. In this new role, RSA attendance was a given, so off I went to San Francisco to coordinate video coverage for both sites. Here’s a bunch of videos and insights from the show:
1) Data Encryption is growing, but some things are still surprising
With a ton of headlines surrounding the fight between Apple and the FBI and the locked iPhone from the San Bernardino attack, encryption was big on people’s minds. Interestingly, a lot of the vendors didn’t want to go on the record on camera to talk about the specifics of the case. I got statements like this: “[Vendor X] believes that the issues raised in the Apple case are important for the industry to discuss. We feel that these issues have been fairly debated and the public discourse should continue.”
However, we did get some people on camera to discuss the case – in this video, CSO’s Steve Ragan talks with Zscaler CEO Jay Chaudhry about encryption back doors and if there can be a solution that makes both groups happy:
We were able to get a couple of vendors to talk about the use of encryption at companies, based on some of their surveys.
In this video, John Grimm and Peter Galvin from Thales e-Security give some comments and highlights from their 2016 report, indicating that more companies are moving their sensitive data to the cloud, as well as the big fear that employees making mistakes are the biggest threat to that data (maybe companies should stop using paper/Excel for their key management, also indicated in the report):
In this video interview with Vormetric, the big issue was a lot of companies not even knowing where their sensitive data sits. If you’re a CIO, CSO or a CISO and you start implementing an encryption policy, it’s probably a good bet that you start by figuring out where your data lives, as well as where it goes (my new favorite term is “data in motion”), including the cloud and mobile devices.
2) Social engineering heads to the boardroom
The way in for most cyber-attacks seems to be the phishing email, and the rise (and success) of Business Email Compromise (BEC) scams had many people talking at the show.
I was able to attend a session by Markus Jakobsson, CTO of ZapFraud, who gave a great presentation about what’s working and what’s not working in the world of phishing attacks. He talked a lot about the concepts of persuasion, and why certain things worked, but he also mentioned that the attacks are getting more targeted (aka spear phishing, or whaling). Attackers are getting information about their target via social media (if you connect with everyone on LinkedIn it’s likely that you’re connecting with a fake profile), then using that data to try to become more credible in their messages. Bad spelling is also out – if you thought that you could detect a phishing email based on typos, you’re out of luck: “Spammers learned how to spell in 2008,” Jakobsson said in his presentation.
I was able to interview Jakobsson on camera after his speech – here are some highlights about consumer and enterprise trends in social engineering:
My colleague, Steve Ragan, also interviewed someone about BEC and its implications for companies – in this video, Ragan and Joseph Opacki from PhishLabs talk about the growing sophistication of cyber-criminals targeting those high-profile business leaders.
A third video also highlighted the rise of targeted email attacks, as well as what employees can do to prevent a ransomware attack. Here’s Ragan chatting with Fred Touchette from AppRiver about increasing awareness of these schemes.
3) Behavioral biometrics are cool
It’s not just about your fingerprints, hand prints or eyeballs anymore – companies have ways to figure out that the way you type, move a mouse or draw on a tablet can be an identifiable piece of information.
It’s called behavioral biometrics – the idea is that two people don’t draw a straight line, put pressure on the tablet or move a mouse in exactly the same way. These companies are hoping that their technologies will be implemented in web- and tablet-based applications in the future. What’s cool is that the behaviors can be detected beyond just the initial authentication session. Let’s say you log in correctly, but then in the middle of the session a bad guy gets in and tries to hijack the transaction – a behavioral biometrics system can notice that the actions of the user have changed significantly enough to trigger an alert or ask for additional authentication.
We got two video interviews around this topic. BioCatch was showing off its tablet-based scenarios to showcase behavioral biometrics:
In this video, we chatted with SecureAuth, who mentioned that they can detect how a person types differently or moves their mouse around.
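To make the mid-session idea concrete, here is an added, self-contained illustration (not code from BioCatch, SecureAuth or any other vendor in this post) of continuous behavioral scoring: an enrolled profile of keystroke flight time and mouse speed is assumed, each session window is scored by its average absolute z-score against that profile, and the score maps to "ok", "step_up" (ask for more authentication) or "alert". The feature set, thresholds and sample numbers are all constructed assumptions.

```python
"""Continuous behavioral-biometrics session check (constructed illustration).
Assumed model: a profile stores per-feature (mean, stddev) for keystroke flight
time in ms and mouse speed in px/s; each window is scored by mean |z-score|."""
from statistics import mean, pstdev

FEATURES = ("key_flight_ms", "mouse_speed_px_s")

def to_samples(rows):
    """Turn (flight_ms, mouse_px_s) tuples into feature dicts."""
    return [dict(zip(FEATURES, r)) for r in rows]

def enroll(samples):
    """Baseline profile: (mean, stddev) per feature; stddev floored to avoid /0."""
    cols = {f: [s[f] for s in samples] for f in FEATURES}
    return {f: (mean(v), pstdev(v) or 1.0) for f, v in cols.items()}

def window_score(profile, window):
    """Average absolute z-score of the window's feature means vs. the profile."""
    return mean(abs((mean(s[f] for s in window) - mu) / sd)
                for f, (mu, sd) in profile.items())

def decide(score, step_up_at=2.0, alert_at=4.0):
    """Map a drift score to an action: unchanged, ask for more auth, or alert."""
    if score >= alert_at:
        return "alert"
    if score >= step_up_at:
        return "step_up"
    return "ok"

def monitor_session(profile, windows):
    """Score windows in order; return (index, action) of the first non-'ok' one."""
    for i, w in enumerate(windows):
        action = decide(window_score(profile, w))
        if action != "ok":
            return i, action
    return None, "ok"

# Constructed sample data: enrollment, a normal window, a drifting window and
# a window where a different person appears to have taken over the session.
ENROLLMENT = to_samples([(118, 410), (125, 390), (130, 420), (121, 405), (127, 395), (119, 415)])
NORMAL = to_samples([(122, 408), (126, 400), (120, 412)])
DRIFT = to_samples([(135, 440), (138, 445), (133, 435)])
HIJACK = to_samples([(70, 700), (65, 720), (72, 690)])
PROFILE = enroll(ENROLLMENT)

if __name__ == "__main__":
    print(monitor_session(PROFILE, [NORMAL, DRIFT, HIJACK]))  # (1, 'step_up')
```

In a real deployment the windows would be fed continuously from client-side telemetry, and the thresholds tuned per application against false-positive rates rather than fixed as here.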
4) Threats are all around us
Of course, we also got a chance to be scared out of our wits with all of the latest news about threats, how hackers are getting in, what they’re doing and how we can try to stop them.
In this interview, we chatted with Grayson Milbourne from Webroot, who gave us a download of the types of attacks people are seeing in the real world (not just based on survey results, but actual customer data from Webroot gear). Basically, that signature-based system you’ve had for many years is pretty much obsolete:
Verizon was also on hand discussing their data breach report – we chatted with them about their new “digest” version, which aims to dig a bit deeper into the world of data breaches (see video at the top of the page).