This is a report from the RSA Security Conference, which took place from 24 to 28 February at the Moscone Center in San Francisco, USA. Two of us from Conscia attended, and the following is a summary of our experience.
The first thing that comes to my mind is the breadth of sessions, going from deep technical sessions on methodology for IoT penetration testing to more managerial sessions on how to maintain your cybersecurity team. For me this is very positive and enables me to pick the sessions I find most interesting. Picking the most interesting sessions can be very challenging, though. There are several hundred to pick from, and sometimes it is better to pick some that contradict or challenge your beliefs. For example, do not go to your usual vendor's presentations but pick one from a competing vendor to hear their point of view.
Secondly, none of the sessions I attended gave me directly practical steps; they were more inspirational. By that I mean that it is not a course on setting up new technology but a conference that gives you a lot of input and makes you think about a lot of things. And I guess that is what conferences are meant to do?
Also, because the conference attracts more than 40,000 IT security professionals, there is a lot to see in the expo and also a lot of people to meet. We took the opportunity to meet up with our partners to share news and opportunities.
The theme this year was the human element. Some of the presentations related to this, such as awareness training, but for me it was not a pervasive theme. The sessions were built from a lot of other perspectives, and I found that great.
#1 Human Element
As stated above, the theme for RSA was the human element. Some of the keynotes touched on this, and one of them stated that we should democratize security and realize that users are not stupid. We can keep on doing awareness training, but it is not working, and that is not because users are stupid or trying to bypass security. So we should simplify the design and have an open culture.
The keynote also pointed out that we should stop blaming the users. The example given was Typhoid Mary: stop blaming the people eating the food and look at the cooks. By that it meant that the companies developing the software are responsible, not the end users.
Another keynote highlighted that it is now possible to produce two different documents with exactly the same SHA-1 hash value, and that this could be done in one minute with quad computing. It is very expensive (estimated at 50,000 USD) but still possible. The presenter stated that we should not consider our encrypted documents safe; they could possibly be decrypted in 5-10 years.
#2 IoT/OT/ICS Security
Another big element this year was IoT/OT/ICS security. I attended a presentation by Andy Greenberg, the author of Sandworm, a book I have previously recommended. It describes his hunt for the Sandworm group behind a series of malware attacks, which turns out to be a state-sponsored group based in Russia.
We need to get OT security in order and apply basic security principles.
#3 Tales from the frontline
This was also the title of one of the sessions, where leading threat researchers discussed the past year of cyber threats.
Chinese state-sponsored hackers were described as the best in the field, but Russia might be back due to the Olympic ban and would therefore increase its activity around the Olympics.
Attackers are now going after service providers because the providers have access to the real target. It is sometimes easier to compromise the service provider and then pivot to the real target.
Also, financially motivated attackers are now using the tools of nation-state hackers and are being very well rewarded, with 6-8 figure amounts from a single hack.
The way to prevent this is to patch your vulnerabilities and then test your systems and settings. Many tools are not implemented correctly, and tests such as red teaming can help identify this.
#4 Hacking exposed
The trend from 2019 was ransomware, ransomware and ransomware! New countries are entering the scene: North Korea, Iran, Vietnam and Pakistan.
And the new actors are not only doing it for the money; they also steal intellectual property (IP).
#5 Extracting secrets from password managers
If I should mention one technical presentation, it would be the one describing the security of password managers. The presenter had tested 1Password 7, 1Password 4, Dashlane, KeePass and LastPass. The password managers were tested in three states: locked, unlocked and not running. In some of the products he was able to recover the master password, so be aware of what your password manager does and protect your computer.
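To make the "locked but still recoverable" point concrete, here is an added example (it is not code from the presentation or from any of the products named above). It assumes, as the mechanism behind such a recovery, that the master password stays in process memory after the vault is locked; the toy vault below keeps a bytearray "arena" as a constructed stand-in for process memory, and a weak lock() that only drops its reference is compared with one that zeroes the bytes first. The two scans are the checks an attacker with a memory dump would run: a search for a known secret, and a strings-style sweep when the password is not known. Names, offsets, the salt and the iteration count are all constructed for the example.

```python
"""Toy password-manager vault showing why "locked" does not mean the master
password is gone from memory. The arena is a constructed stand-in for the
process's memory, so the whole demo runs offline and deterministically."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

ARENA_SIZE = 4096          # size of the constructed "process memory"
SECRET_OFFSET = 0x100      # arbitrary place in the arena for the secret
KDF_ITERATIONS = 50_000    # PBKDF2 work factor (constructed value)


@dataclass
class Vault:
    """zero_on_lock=False mimics a weak lock() that only drops the reference;
    zero_on_lock=True overwrites the bytes before dropping it."""

    zero_on_lock: bool
    arena: bytearray = field(default_factory=lambda: bytearray(ARENA_SIZE))
    unlocked: bool = False
    _secret_len: int = 0
    _key: bytes | None = None

    def unlock(self, master_password: str) -> None:
        data = master_password.encode("utf-8")
        # The master password lands in the arena, as it would in a real
        # process when the UI reads it from the unlock dialog.
        self.arena[SECRET_OFFSET:SECRET_OFFSET + len(data)] = data
        self._secret_len = len(data)
        # Stand-in for the KDF that turns the master password into the vault key.
        self._key = hashlib.pbkdf2_hmac("sha256", data, b"constructed-salt", KDF_ITERATIONS)
        self.unlocked = True

    def lock(self) -> None:
        if self.zero_on_lock and self._secret_len:
            # Explicit zeroization: overwrite the secret in place before forgetting it.
            self.arena[SECRET_OFFSET:SECRET_OFFSET + self._secret_len] = bytes(self._secret_len)
        # Dropping the references alone does not touch the bytes in the arena.
        self._secret_len = 0
        self._key = None
        self.unlocked = False


def scan_memory(dump: bytes | bytearray, needle: bytes) -> list[int]:
    """Offsets at which needle occurs in a memory dump (known-secret check)."""
    return [m.start() for m in re.finditer(re.escape(needle), bytes(dump))]


def printable_runs(dump: bytes | bytearray, min_len: int = 8) -> list[bytes]:
    """'strings'-style sweep for an attacker who does not know the password:
    every run of at least min_len printable ASCII bytes in the dump."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return re.findall(pattern, bytes(dump))


def run_demo(master_password: str = "correct horse battery staple") -> dict[str, bool]:
    """Lock both vault variants and report whether a dump still leaks the secret."""
    results: dict[str, bool] = {}
    for name, zero in (("weak", False), ("hardened", True)):
        vault = Vault(zero_on_lock=zero)
        vault.unlock(master_password)
        vault.lock()                   # the vault is now "locked"
        dump = bytes(vault.arena)      # what a memory dump of the process would contain
        results[f"{name}_leaks"] = bool(scan_memory(dump, master_password.encode("utf-8")))
    return results


if __name__ == "__main__":
    print(run_demo())   # {'weak_leaks': True, 'hardened_leaks': False}
```

The caveat a practitioner should take from this is that the arena is the only memory the toy controls: the `str` passed to `unlock()` and the intermediate `bytes` object live on the Python heap, where immutable strings cannot be overwritten, so a real process written in a managed language can leave copies behind even when the vault itself zeroes its buffer. That is why "protect your computer" matters regardless of which product you use: anyone who can read the process's memory, or a crash dump or hibernation file containing it, gets whatever the lock left behind.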