RSAC 2015: RSA Conference (Day 3)

For me – today is part two of running the gauntlet with back-to-back meetings; for everyone else today is day three, easily described as the show’s apex. In other words, there’s a lot going on today at the conference, so we’ll start the day with a bit of news.

Hyatt resets Gold Passport passwords

On Tuesday, Hyatt alerted some 200 customers that their Gold Passport account had been flagged for suspicious activity, while the other 18 million members have had their account passwords reset out of an abundance of caution.

“As part of Hyatt Gold Passport’s routine monitoring of member account activity, we found a small number of accounts were accessed by an unauthorized individual utilizing member usernames and passwords,” the hotel chain explained in a letter to program members.

“We have no reason to believe, at this time, the login information was obtained through Hyatt Gold Passport, and we continue to analyze and monitor our systems. We have reached out to members we know have been affected to resolve any concerns.”

Smart devices linked to the rise of SSDP-based DDoS attacks:

In a report released yesterday by NSFOCUS, one of the anti-DDoS vendors here at RSAC, the company said that during the second half of 2014, smart devices are to blame for the rise in SSDP-based reflection attacks; while attackers have gotten smarter.

Simple Service Discovery Protocol (SSDP) attacks: Globally, more than 7 million SSDP-controlled devices are at risk of exploitation. Second only to NNTP-based DDoS attacks, SSDP were a problem towards the end of last year. NSFOCUS says that 30-percent of the SSDP attack devices were smart-devices.

Smart attackers create problems: Some 90-percent of DDoS attacks last less than 30-minutes, the report says. Yet, last year, one attack lasted 70-hours. The shorter attacks are said to be a means to improve efficiency as well as was to distract IT from the actual intent of the attack – often malware deployment or data breaches.

NSFOCUS is in the South Hall, booth 832.

InfoSec has lost its way when it comes to multi-factor authentication:

Shortly before RSA, a press release came across my desk from Duo Security, a firm known for authentication offerings, and often a cited alternative to larger enterprise offerings.

The press release focused on Duo Platform Edition, which the company is offering demos of in their booth (South Hall, #2345). The idea is to make multi-factor deployment and implementation easier than what it is now, and based on public conversations, that’s what they’ve done.

I don’t do product news, but considering RSAC is a business conference, 90-percent of the news this week is product-based in one form or another. However, Duo’s offering caught my attention because of something someone said.

When I hear security professionals discuss a product, I pay attention. They live and work in the trenches of InfoSec, so (for me anyway) it pays to learn about the tools they’re interested in. One researcher remarked that the install process for Duo Security’s 2FA was painless, taking all of five minutes to complete. Their previous experience was with RSA’s SecurID.

My logic is that if they liked that product, and this new one is supposedly easier, I figure it’s worth a mention. I’m not going to get into all the specs of the product though, all the details on are their website for anyone wanting to follow-up. The cost is $6 per user, per month.

“The solutions available now to address BYOD generally require a large security budget and a team of internal security experts. That’s just an unrealistic expectation for most organizations that have one or two full-time security folks. But the threat of data breaches is still top of mind for organizations of every size,” Jon Oberheide, Duo Security’s CTO and co-founder, told Salted Hash.

“Duo Platform, just like our flagship two factor authentication products, is super easy for IT admins and users alike. It’s a push of a button and you’re in. With the additional functionality that we’re offering in Platform, IT admins get more insight into what their users are doing and what devices they’re using from which locations. That’s really all most organizations need to deal with BYOD.”

Cloud Report finds high volume of compromised login credentials:

A report from Netskope, a vendor that tackles the challenges of Shadow IT, says that compromised credentials are continuing to haunt organizations. The report was released prior to RSA, but actually has some value to those attending given that many of them are facing SaaS challenges of their own.

The report’s findings are backed by anonymous data collected from the company’s customers, encompassing millions of users in hundreds of accounts globally, between January and March of this year. In addition, the report uses a confidence index, which is said to be a database of more than 5,000 cloud apps that were evaluated based on criteria adapted from the Cloud Security Alliance.

Netskope says that more than seven out of ten uploads from users with compromised accounts are to cloud apps with a confidence index rating of poor. Moreover, the report finds that more than twenty percent of logins to Salesforce come from compromised accounts.

The average number of cloud apps (both sanctioned by IT and unsanctioned) continues to grow, the study says. On average, organizations now use 730 cloud apps, which is a16 percent increase from the previous quarter.

The report, obtained here, is an interesting read. The bottom line is that Shadow IT isn’t something to panic over; it’s just a fact of life now. The key is obtaining some measure of visibility into what your users are doing, and how.

There’s an employment problem in InfoSec:

Another study that’s getting attention today is the one from ISACA and RSAC. The full report is here, but this section of the press release stands out:

“Based on a global survey of 649 cybersecurity and IT managers or practitioners, the study shows that 77 percent of those polled experienced an increase in attacks in 2014 and even more (82 percent) view it as likely or very likely that their enterprise will be attacked in 2015. At the same time, these organizations are coping with a very shallow talent pool. Only 16 percent feel at least half of their applicants are qualified; 53 percent say it can take as long as six months to find a qualified candidate; and more than a third are left with job openings they cannot fill.”

The sample size isn’t too big, but the issue is important. In February, Leviathan examined the problems with staffing in InfoSec, pointing out that there are more than a million positions unfilled globally. Their report is a must read for security leaders.