RSA Conference 2012 post-mortem: IT security in a 'precarious spot'
One lesson of RSA Conference 2012 is that we are neither winning or losing the security battle. So where do we go from here?
March 05, 2012 — CSO —
There was an unusual level of gloom at the RSA Conference this year, and for good reason: a number of the biggest and most respected security firms have been very recently breached, including RSA Security, VeriSign, and Symantec.
This wasn't the first year the IT security industry was embarrassed. Last year, HB Gary Federal was breached and that event consumed a considerable amount of talk at the show. That's not to forget the recent big name breaches at organizations such as Google, the U.S. Department of State and Nasdaq in recent years.
"There is a feeling that no matter what steps one takes, it can't be won. Systems can't be kept adequately secured," said a security executive at an international electronics manufacturer.
Whitfield Diffie, one of the pioneers of public-key cryptography would disagree. When speaking during The Cryptographers' Panel keynote at the 2012 RSA Conference about the breach at the U.S. Dept. of State in which U.S. Army soldier Bradley Manning allegedly passed classified data to the whistleblower site WikiLeaks, Diffie noted that many of the security controls worked, and for the breach to occur it required a trusted insider to conduct it.
He also noted that security's "failings" may be about perception. "Security moves from one failure to the next, while if you are on offense it moves from one success to the next," Diffie said.
Stefan Savage, professor at the department of computer science and engineering, University of Calif., San Diego, observed that many of the perceived failures of IT security may be because the industry, largely, views security as a technical problem.
"There is a massive human component to security. While there are lots of technical things behind spam and botnets, there are people behind all of that, and then there are people who make mistakes that many times let them [spammers and botnets] through," said Savage.
Savage provided an example where focusing dependencies other than technical have yielded results. For years, the industry has focused on trying to block spam and malware and shut down the domains -- yet spam and botnets continued to thrive. "We eventually discovered that banking is the weak point and that taking down the merchant accounts can be far more effective than taking down domains that can be easily replaced by the criminals."
Savage also noted the never-ending nature of cyber-crime. "We don't have proofs for ending war and conflict, and putting the prefix 'cyber' in front of it doesn't change the dynamic," he said.