I attended the RSA conference this year, as I always do, and spent most of the time talking with attendees and clients about what they were learning and trends they were seeing. Here is a summary of what we discussed.
Although mobile security concerns seem to be a theme, I tried to dig deeper, and it seems that more than a few people are concerned about the upcoming changes to Facebook’s currency model. Facebook plans to force all users to use “Facebook Credits”. The worry is that since Facebook is on virtually every smartphone in the world, the digital wallet may come to the consumer faster than expected via Facebook. The Facebook Credits system is similar to PayPal or Google Checkout; however, since mobile phones don’t normally contain identity information, they haven’t really been targeted. Once a Facebook account can store credits, like a bank account, having a mobile virus or Trojan that steals your Facebook login/password will be akin to stealing your bank account username and password. I think we have heard this story before…
The cloud is always a hot topic, but it seems as if nothing has changed. It is all about cost savings, at whatever cost to security. As Dave, CSO of eBay, put it: Vivek Kundra, White House CIO, plans to save over 20 billion by moving to the cloud, and when you are saving 20 billion, who lets security get in the way?
Other people were more realistic and have conceded that the cloud will happen and that they need to have data classification and risk management processes in place to ensure the *right* data moves to the cloud. A couple of cloud vendors mentioned that they will need to educate their customers on how to do risk management and data management so that their customers can securely move to the cloud. This is a departure from the “We don’t talk or tell you about our security processes” stance the cloud vendors had last year.
Also, Symantec is making a big splash with their .cloud initiative, which is a marketing rebranding of all their cloud offerings, including cloud-based endpoint protection, cloud email encryption and filtering, and cloud-based web filtering. While the moniker may be funny and many have laughed at it, it is simple and effective. AV.cloud sounds much better than “cloud-based anti-virus”. Marketing changes aside, not much has changed in terms of the technology behind the solution, but Symantec is committed to investing heavily in .cloud and becoming the premier cloud security services provider in the world.
As I met with attendees and vendors, I asked if CIOs were adding cloud security services into their ROI analysis when moving their data to the cloud. Almost everyone said no. Is this an indicator that cloud services don’t apply to the enterprise, or that perhaps the security CIOs want is “real security controls” on the platforms, operating systems, and databases in the cloud rather than just moving their security tools from on-premise to the cloud? It seems to me the only people looking at cloud security services are SMBs.
The reality of the situation is that there is no such thing as a 100% secure place on Earth. IT security professionals can only do what they can to make things as secure as possible. There is no computer security defense that will succeed every time, forever, or as I say when presenting at conferences, “You cannot buy your security at the local Best Buy”. (NOTE: If you have an in-depth understanding of honeypots, you can skip this post.)
Because of my interaction and association with the Honeynet Project, I am frequently asked what benefits honeynets can provide to the normal everyday IT security engineer. Simply put, honeypots provide us with early warning so we can be vigilant and prepare our defenses accordingly.
Additionally, honeypot data is a great way to loosen the purse strings of corporate managers who are hesitant to dip into the company budget. You can make a case for a larger IT security budget by showing them the attack data on the honeypot – who is attacking, how they are attacking, how often, and, most importantly, what damage they could potentially do to the enterprise if the proper defenses are not built. Actual data speaks louder than any verbal argument.
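As an added illustration (not code from the original post), the following Python example tallies the who, how and how often from honeypot events into a short report. The JSON-lines event format, the field names and the sample records are constructed assumptions, not the output of any particular honeypot product.

```python
import json
from collections import Counter

# Constructed sample events in an assumed JSON-lines format (hypothetical field
# names; addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
{"ts": "2024-01-10T03:14:07Z", "src_ip": "203.0.113.5", "service": "ssh", "event": "login_attempt"}
{"ts": "2024-01-10T03:14:09Z", "src_ip": "203.0.113.5", "service": "ssh", "event": "login_attempt"}
{"ts": "2024-01-10T03:14:12Z", "src_ip": "203.0.113.5", "service": "ssh", "event": "login_attempt"}
{"ts": "2024-01-10T09:30:00Z", "src_ip": "198.51.100.23", "service": "http", "event": "path_scan"}
{"ts": "2024-01-11T11:02:45Z", "src_ip": "198.51.100.23", "service": "http", "event": "path_scan"}
{"ts": "2024-01-11T22:41:30Z", "src_ip": "192.0.2.77", "service": "telnet", "event": "login_attempt"}
not json at all
{"ts": "2024-01-11T23:00:00Z", "service": "ssh"}
"""

def summarize(log_text, top_n=3):
    """Tally sources (who), service/event pairs (how) and daily volume (how often)."""
    who, how, per_day = Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            src, day = ev["src_ip"], ev["ts"][:10]
            technique = f'{ev["service"]}/{ev["event"]}'
        except (ValueError, KeyError, TypeError):
            skipped += 1  # truncated or malformed record: count it, don't crash
            continue
        who[src] += 1
        how[technique] += 1
        per_day[day] += 1
    return {
        "total": sum(who.values()),
        "skipped": skipped,
        "top_sources": who.most_common(top_n),
        "techniques": how.most_common(),
        "per_day": sorted(per_day.items()),
    }

def render_report(summary):
    """Format the tallies as a short plain-text report."""
    lines = [f'{summary["total"]} events ({summary["skipped"]} unparseable lines skipped)']
    lines += [f"  source {ip}: {n} events" for ip, n in summary["top_sources"]]
    lines += [f"  technique {t}: {n} events" for t, n in summary["techniques"]]
    lines += [f"  {day}: {n} events" for day, n in summary["per_day"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_LOG)))
```

Reporting the skipped count alongside the tallies keeps the totals honest when the honeypot's log is truncated or partially corrupted.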
Here’s an analogy to help you understand the importance of honeypots.
Imagine you are tasked with defending your king’s castle from an impending enemy attack. But you don’t know who the enemy is, where they are coming from, how many there are, or what kind of attacks they will use. They may use spears, rifles, or just sharp rocks. They may attack on horseback, with catapults, or maybe with tanks.
So what kind of defenses should you build? A 30 foot tall wall surrounding the castle or a moat? Should you put archers in the towers or build turrets? Maybe you should just pile up a few sandbags and hope for the best. Maybe the real problem is the village idiot on the inside… =)
Without knowing anything about the impending attack, you do not know what an appropriate defense would be. You may dig a futile trench around your castle while the enemy attacks with stealth bombers. Or you may encapsulate your entire castle in an impenetrable crystalline dome while your five attackers sling rocks at it. The latter defense may work, but your king might not be too happy with you for wasting his whole treasury on an unnecessarily robust defense.
A honeypot is perhaps like a decoy paper version of your castle set up a mile before your actual king’s castle. The paper castle has no value, but you can see what attacks your enemy uses when they attack it, and thus prepare accordingly.
Honeypots allow you to understand what kind of attacks you can expect. With this knowledge you can allocate resources to defenses appropriately, without under- or overspending. Now, with all that said, not everyone can run out and install a honeypot and solve their problems. Honeypots require a lot of maintenance and watching, and if not properly installed they can actually decrease the security of your network.
If you don’t want to take the chance of hurting your own security posture, there are services that will configure and run honeypots for you and provide you with their data. Symantec and McAfee offer such services.