What you don’t see can hurt you: Cybercriminals covering their tracks

Over the past few weeks, there have been several reports about the ways in which cybercriminals are making it harder to detect fraud by concealing what they’re doing, as evidenced by a new kind of man-in-the-middle attack on Facebook users.

Walls Aren’t Enough

The bad guys are getting smarter, more creative, and more persistent, so what are we doing in response? I can’t tell you how sad it is to hear some of the things when asking how companies are shifting their security programs in order to combat advanced threats.

Attack the Humans First

Information security professionals live in exciting times. It’s a constant battle of escalations between the new ways technology can be used to conduct business, and the new ways the bad guys can incorporate technology in their overall strategy to steal information. But make no mistake, people are the new perimeter.

Welcome to the Club

A few months ago I had a conversation with a security professional working in a major US defense contractor. It was right after the attack on RSA. “Welcome to the club”, he said, “we’ve been hit by these APTs for years”.

J. Lo and the Advanced Persistent Threat

So OK, you think you know security. Riddle me this one… What do Jennifer Lopez and computer hackers who’ve attacked America’s defense establishment have in common? If you answered both are featured in this September’s issue of Vanity Fair magazine, you’d be right, and a true member of the all-knowing security club.

IT Security in the Age of APTs

In January 2010, at the turn of the decade, I wrote the following lines in my blog: “It will be an interesting decade from a cybercrime perspective. Employees are one of the weakest links in corporate security… The current defenses cannot suffice, and the industry must think of a new defense doctrine.” A lot of folks in the security space raised an eyebrow.

Thoughts from the Gartner Security & Risk Management Summit

On the flight home from this year’s Gartner Security & Risk Management Summit, I reflected on some of the highlights of the trip. I look forward to this show every year due to the high level of customer engagement and great conversations. In looking for overall themes from the event I noticed, not surprisingly, a lot of emphasis around advanced persistent threats.

Anatomy of an Attack

I was on a tour in Asia Pacific when I first heard the news about the attack. The investigation into this attack continues but I’m eager to share some information with you about it. Let’s first make sure everyone is on the same page. The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked; examples are in the press regularly, and some examples are here, and here.

Incident Response, Done Deliberately and Responsibly; A Company and Community Effort

I have spent the past 6 years of my life running incidents of one flavor or another, whether it was a government or private sector system intrusion, a product vulnerability, or an infrastructure vulnerability or attack. Over the past two weeks I have participated in an incident and the response to the incident that was very different than anything I have personally dealt with before. This incident had two parts to handle: one, the protection offered by the security product RSA SecurID; two, the intrusion itself. This incident demonstrated a deliberate and responsible response by the company, RSA. RSA coordinated a collaborative effort involving the RSA customer community (both U.S. and International), the security community as a whole, law enforcement, and US-CERT.

News highlights from RSA Conference 2011 – Podcast #214

This week’s Speaking of Security podcast reviews the key announcements from RSA at the recent RSA Conference.