In the lead-up to the Biggest (security) Show on Earth, we chatted with some security experts to get their views on some of the big issues.
Hoping to trump last year's attendance of over 15000 delegates, RSA Conference 2014 at the Moscone Center in San Francisco promises to deliver plenty of valuable insight and guidance. But what's happening in the security space at the moment? We spoke with Sanjay Mehta, the Managing Director of Trend Micro, Alexandru Novac, the Head of Cloud Architecture for BitDefender and Michael McKinnon, Security Advisor with AVG Technologies AU about some of the big issues and changes they've seen over the last year or so.
Mehta told us that "On the commercial side, all the classic stuff is still in place but it's not that relevant in an overall, strategic direction. When you sit with someone in the C-suite – cloud is extremely topical with everyone in enterprise and government and targeted attacks. Everyone is realising that the classic defences are dropping in efficacy. They're still needed but not as effective as they used to be".
That's coupled with Novac and McKinnon's observations that ransomware, typified by the prolific rise of Cryptolocker, is increasingly a problem.
"What was particularly important over the last year was ransomware. There were a couple of implementations before. There are two families of ransomware that have raised things to a different level. First, there was the Police Trojan which would lock your screen and show a police notification that your computer has been seized because of accessing illegal content. This is very popular in Europe," said Novac.
As the revenue from this dried up, with victims discovering they could use removal tools to unlock their data, the perpetrators escalated their efforts with new tools that could overcome removal tools and even the reinstallation of the operating system.
"This is a big development. Cybercriminals are still building on this idea. Hackers are working on do-it-yourself kits that allow anyone without programming knowledge to build their own ransomware tool and distribute it. Because of this, we expect a lot of ransomware to show up this year," Novac added.
McKinnon described the rise of Cryptolocker as a big step up and saw a connection between this exploit and the rise of Bitcoin. "Here is a widespread emailed malicious attack that used social engineering to trick people into executing a file that encrypted all their data. It used a cunning DNS trick to use a server for the key exchange and then demand the ransom in Bitcoin. I wonder if the emergence of Cryptolocker had anything to do with the sudden spike in Bitcoin towards the end of last year". McKinnon also pointed to DDoS attacks as still being significant, although he says they could be eradicated or mitigated if network providers took some responsibility.
"So much damage is being done, for example, through spoof traffic. If most major network providers were responsible enough to stop traffic from leaving their networks that they knew were coming from IP addresses they weren't responsible for then we would have spoof traffic on the Internet and cut down networks responsible for this kind of damage," he said.
Mobility and privacy were also highlighted as significant issues. According to Trend Micro, there are about three million pieces of Android malware in the wild with about 10% of those available through official app stores.
There's a lot more personal data available online via social media, so it's far easier to find and target individuals where the criminals expect a return for their effort. And many mobile apps, even if they are not specifically malicious, can access data that they don’t really need, resulting in the accidental proliferation of personal information.
So, what can aspiring CSOs do about this?
McKinnon says "Keep it real. Don’t get wrapped up in theoretical exploits. In the security industry there are two halves. One half focuses on academic research and what is possible. The other half focuses on response to active, real threats. There's a lot of marketing done around potential threats which is fine but you have to acknowledge, as a CSO, that if you're trying to control the budget that you can’t focus on technology for things that might happen. You need to spend more time on things that are proven to be real".
Mehta recommends taking a holistic approach.
"A lot of it still comes down to having a well-founded, overall security program. If you just try to take a technology approach it's not going to work. If you try to use just process - it's not going to work. Just people – it's not going to work. You have to do the entire thing."
"The other thing I'd ask CSOs to pay attention to is not only what you're going to do to get your shields up and people educated but pay a lot of attention to what you're going to do when something bad goes wrong. Far too many people are not paying attention to response - whether that's legal response, thinking about cyber-insurances, forensic response, public relations response, shareholder response. If you think about it after the event – you're toast".