Today is day five, the final day of the RSA Conference in San Francisco, California. Below is the final update from the press room at the Moscone Center.

Today’s the final day of the RSA Conference. But for the most part, unless it was to stay for the morning’s keynote, the vast majority of attendees have left San Francisco already. For the Hash’s final update from the show, I figured it would be a good time to recap some news, and leave you with the final talking point, which for today is user awareness.

Users with their heads in the clouds: According to Netskope, one of the vendors presenting from the show floor, 60 percent of the people they spoke with onsite were unaware of their organization’s cloud policy regarding applications, or they didn’t have one at all. Related to that, those who spoke with Netskope said that out of all the applications that they use on a regular basis, the ones that they didn’t want their company to find out about were Dropbox, Twitter, and Facebook. (Gasp!)

It’s not a surprise, but still worth noting: According to Secunia’s Vulnerability Review, released earlier this week from the show, 76 percent of the vulnerabilities that impacted the most popular software last year affected third-party programs. With that said, nearly 80 percent of all reported vulnerabilities last year had patches available the day of disclosure. So either patch management is too hard, or automatic updates are still being avoided for one reason or another.

Sniffing the conference network: One of the VPN vendors attending the show noticed the warning in the conference program about the free Wi-Fi access, including the fact that it shouldn’t be used without proper security. Armed with nothing more than a wireless sniffing tool, the CEO of Private WiFi, Kent Lawson, discovered massive amounts of unprotected traffic on the public network. To be honest, this is to be expected, but ironic given the nature of the show.
On the other side of that, plenty of traffic was protected too. So what was he able to see out in the open? Access to Apple, Google, MSN, and the LA Times to name a few, but he also observed surfing to a few NSFW domains. In the end, the point Lawson was trying to make was that even those aware of the risks can be lax at times, so reminders are necessary. Or to put it another way, awareness training is vital to a security program, but it shouldn’t be a once-off event.

Awareness Training: During a conversation before the start of the RSA Conference, Paul Martini, the CEO of iBoss, offered the Hash his thoughts on the good, bad, and ugly aspects of awareness training.

Good: (1) A good understanding of security best practices goes a long way. In some cases, it’s one of the most important and fundamental parts of good security practices. (2) The visible direct monetary cost in some cases is low. Sending a memo to the team from time to time about best security practices can have a big impact.

Bad: (1) Keeping up with a regular security training newsletter can be challenging and time consuming. (2) Old habits are hard to break. If a user has a tendency of bad security habits (i.e. writing their passwords down), it may be futile to remind them not to do that even if it’s on a scheduled basis.

Ugly: A full-blown security educational program can be a serious expense in time, resources, and money. This might be difficult to justify from a budgetary perspective especially since it’s hard to measure the return on investment.