RSA 2018: 15 Top Executives On The Single Biggest Security-Related Threat Businesses Face Today
What Should We Fear?
The cybersecurity landscape is littered with landmines ranging from the pervasiveness of identity theft to the destructiveness of nation-state attacks to emerging risks around quantum computing, operational technology and cryptocurrency mining.
But the threats encountered by security solution providers go well beyond the technical. They're also having to grapple with everything from complacency and product bloat to tighter budgets to a lack of repercussions and a loss of faith in the industry to keep people secure.
Here are the security-related threats that 15 security CEOs, channel chiefs and technical leaders attending RSA Conference 2018 think should be keeping CISOs up at night.
Credential Phishing
The easiest way to get into an organization is through a targeted credential phishing attack, where threat actors use information that's made publicly available on LinkedIn, Facebook and elsewhere to create a fraudulent profile of the victim, according to Joe Diamond, Okta's director of security products.
The process has become increasingly streamlined, Diamond said, as bad actors use open crawlers to build a profile of the end user, figuring out where the victim works and what they like to do. In addition to targeted credential phishing, hackers can also pursue broad-scale attacks using information that has been gathered in a more automated manner.
Both regular end-user education as well as quality security products are needed to address credential phishing, Diamond said. Secure email gateways play a major role in stopping credential phishing, according to Diamond, particularly when the system marks external emails right in the subject line.
Cryptocurrency Mining
Browser-based crypto mining is once again rearing its ugly head, with Avast recently identifying several applications in Google Play with built-in crypto mining, according to Arne Uppheim, Avast's director of product management for SMB.
One of the biggest threats for companies related to crypto mining is employees using company electricity and resources to install equipment on the company network, Uppheim said, introducing serious security risks in the process.
Companies should deploy endpoint protection products that detect crypto mining, and scan their networks for anomalies, to help thwart this risk, Uppheim said.
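As an added example (not code from the article or from Avast), the following Python scores outbound flows for signs of the Stratum protocol that pool miners speak: the JSON-RPC methods (`mining.subscribe`/`mining.authorize` for most coins, `login`/`submit` for Monero-style miners), the miner user-agent strings carried in the parameters, and the ports public pools commonly listen on. The flow records, host names, port list and threshold are constructed for illustration; a pool port alone never triggers an alert.

```python
import json

# Constructed sample of outbound flow records for this example:
# (source host, destination port, first bytes of the client's payload).
FLOWS = [
    ("wks-017", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # ordinary TLS hello
    ("wks-042", 3333, b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}\n'),
    ("wks-042", 3333, b'{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}\n'),
    ("wks-113", 14444, b'{"id": 1, "jsonrpc": "2.0", "method": "login", '
                       b'"params": {"login": "4Aexamplewalletaddress", "pass": "x", "agent": "XMRig/5.11.1"}}\n'),
    ("wks-113", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

# Stratum JSON-RPC methods: "mining.*" for most coins, "login"/"submit" for
# CryptoNote/Monero miners.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
# Substrings of well-known miner user-agent strings.
MINER_AGENTS = ("xmrig", "cpuminer", "ccminer", "cgminer", "bfgminer")
# Ports commonly used by public pools (constructed list); weak evidence alone.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
ALERT_THRESHOLD = 3


def stratum_messages(payload):
    """Yield every JSON object that sits on its own line in the payload."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(msg, dict):
            yield msg


def score_flow(dst_port, payload):
    """Return (score, reasons). Port alone scores 1, a Stratum method 2,
    a known miner agent 3, so method+port or method+agent reaches the threshold."""
    score, reasons = 0, []
    if dst_port in COMMON_POOL_PORTS:
        score += 1
        reasons.append(f"common pool port {dst_port}")
    for msg in stratum_messages(payload):
        method = msg.get("method")
        if method in STRATUM_METHODS:
            score += 2
            reasons.append(f"stratum method {method}")
        params_text = json.dumps(msg.get("params", "")).lower()
        for agent in MINER_AGENTS:
            if agent in params_text:
                score += 3
                reasons.append(f"miner agent {agent}")
    return score, reasons


def find_miners(flows, threshold=ALERT_THRESHOLD):
    """Aggregate per source host; return hosts whose strongest flow meets the threshold."""
    hosts = {}
    for src, dst_port, payload in flows:
        score, reasons = score_flow(dst_port, payload)
        entry = hosts.setdefault(src, {"score": 0, "reasons": []})
        entry["score"] = max(entry["score"], score)
        entry["reasons"].extend(reasons)
    return {host: e for host, e in hosts.items() if e["score"] >= threshold}


if __name__ == "__main__":
    for host, evidence in find_miners(FLOWS).items():
        print(host, evidence["score"], "; ".join(evidence["reasons"]))
```

The payload check is deliberately the strong signal and the port the weak one: browser-based and proxied miners often use 443 or arbitrary ports, so a port-only rule misses them, while the login handshake is hard to hide unless the miner wraps it in TLS, in which case the JA3/SNI or the destination reputation has to carry the detection instead.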
Cybercrime
Cybercrime continues to get worse with each passing year, with identity becoming an important control plane as nation-state actors increasingly target individuals, according to Andrew Conway, Microsoft's product marketing general manager for enterprise mobility and security.
The scale of these attacks has grown in recent years, Conway said, with some companies having to go out of business if they're unable to restore critical information.
The first thing solution providers should do to thwart this is examine how they can do secure authentication, Conway said, deploying multifactor processes for valid accounts. From there, Conway said solution providers should ensure customers have good plans in place to get backups from the cloud and restore the system in a high-fidelity way.
Homograph Attacks
Bad actors are using homograph (or homoglyph) attacks to fool humans into clicking on someone else's domain by (for example) replacing Latin letters in a URL address with nearly identical looking Cyrillic ones, according to Mimecast CEO Peter Bauer.
Machines, however, struggle to identify homographs using traditional techniques because they compare code points rather than the glyphs a human sees, Bauer said, and are therefore often unable to understand why humans are getting tricked.
Similarity and proximity rules can catch tricks within the Latin alphabet, such as replacing an "m" with "rn" in a decoy domain, Bauer said, since a form of logic can be applied. But when the replacement character comes from a different alphabet altogether, Bauer said it's exponentially more complex, since the character must first be decoded and then compared against legitimate domains.
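An added example, not part of the article or of Mimecast's product, showing both checks Bauer describes in Python: a skeleton comparison that maps Latin confusable sequences such as "rn" to "m", and a cross-script check that decodes an IDNA ("xn--") label, identifies which Unicode scripts its letters belong to, and maps Cyrillic and Greek look-alikes onto Latin before comparing against a list of protected domains. The confusable tables are a small constructed subset of the Unicode confusables data, and `analyze` is a hypothetical function name.

```python
import unicodedata

# Constructed lookup tables for this example. Production filters use the
# full Unicode confusables data (confusables.txt); this is a small subset.
CROSS_SCRIPT = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u04bb": "h",
    "\u04cf": "l", "\u0501": "d", "\u03bf": "o", "\u03b1": "a",
}
LATIN_SINGLE = {"0": "o", "1": "l"}
LATIN_MULTI = (("rn", "m"), ("vv", "w"))


def decode_label(label):
    """Turn an IDNA 'xn--' label back into Unicode; leave plain labels alone."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def scripts_in(label):
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(domain):
    """Collapse confusable characters so look-alikes map to the same string.
    Both the suspect and the legitimate domain go through this, so a real
    'modern.com' is not flagged against itself."""
    text = unicodedata.normalize("NFKC", domain).lower()
    text = "".join(CROSS_SCRIPT.get(ch, ch) for ch in text)
    for ch, repl in LATIN_SINGLE.items():
        text = text.replace(ch, repl)
    for seq, repl in LATIN_MULTI:
        text = text.replace(seq, repl)
    return text


def analyze(domain, protected):
    """Decode the domain, flag labels that mix scripts, and report which
    protected domain (if any) it collapses onto once confusables are removed."""
    labels = [decode_label(part) for part in domain.split(".")]
    decoded = ".".join(labels)
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    lookalike = None
    sk = skeleton(decoded)
    for legit in protected:
        if decoded.lower() != legit.lower() and sk == skeleton(legit):
            lookalike = legit
            break
    return {"decoded": decoded, "mixed_script": mixed, "lookalike_of": lookalike}


if __name__ == "__main__":
    protected = ["paypal.com", "microsoft.com"]
    for d in ["rnicrosoft.com", "p\u0430ypal.com", "\u0440\u0430\u0443\u0440\u0430\u04cf.com", "microsoft.com"]:
        print(d, analyze(d, protected))
```

The third sample domain is entirely Cyrillic, so a mixed-script rule alone passes it; only the skeleton comparison catches it, which is the "decode, then compare to legitimate things" step Bauer refers to.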
Identity Theft
The average user doesn't assume they're being monitored by nation states and hackers even though they likely are, according to Forcepoint CEO Matt Moynahan.
For instance, Moynahan said an attacker using the credentials of a third-party HVAC vendor was able to reach Target's point-of-sale systems as part of the company's 2013 breach, even though there's no reason an HVAC vendor should ever touch those systems.
"Once you let them on the system, there was no way to stop them," Moynahan said.
Organizations should make sure the inner workings of their network can be profiled so that they can tell when identities start misbehaving and accessing critical data in ways they shouldn't, according to Moynahan.
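One way to profile identity behaviour as Moynahan describes, as an added example rather than anything from the article or from Forcepoint: build a baseline of which network zones each identity reaches during a learning window, then alert the first time an identity steps outside that baseline, with critical severity for zones such as a POS network. The log records, identity names and zone names are constructed for this example.

```python
from collections import defaultdict

# Constructed access records for this example: timestamp, identity, zone reached, action.
BASELINE_LOG = """
2018-03-01T08:02:11 hvac-vendor   vendor-portal  read
2018-03-01T08:05:40 hvac-vendor   vendor-portal  upload
2018-03-02T09:12:03 hvac-vendor   vendor-portal  read
2018-03-02T10:00:00 pos-admin     pos-network    admin
2018-03-03T11:30:22 pos-admin     pos-network    admin
2018-03-03T12:00:09 store-mgr     inventory      read
"""

DETECTION_LOG = """
2018-03-15T03:14:07 hvac-vendor   vendor-portal  read
2018-03-15T03:20:55 hvac-vendor   pos-network    read
2018-03-15T03:22:10 hvac-vendor   pos-network    write
2018-03-15T09:01:00 pos-admin     pos-network    admin
2018-03-15T09:05:00 store-mgr     hr-fileshare   read
"""

# Zones where any first-time access by an identity is a critical alert (constructed).
CRITICAL_ZONES = {"pos-network", "card-data"}


def parse(log):
    """Split each non-empty line into (timestamp, identity, zone, action)."""
    return [tuple(line.split()) for line in log.strip().splitlines()]


def build_profile(rows):
    """Map each identity to the set of zones it touched during the baseline window."""
    profile = defaultdict(set)
    for _, ident, zone, _ in rows:
        profile[ident].add(zone)
    return profile


def detect(profile, rows):
    """Alert the first time an identity reaches a zone outside its baseline;
    repeat hits on the same identity/zone pair are suppressed."""
    alerts, seen = [], set()
    for ts, ident, zone, action in rows:
        if zone in profile.get(ident, set()) or (ident, zone) in seen:
            continue
        seen.add((ident, zone))
        alerts.append({
            "time": ts, "identity": ident, "zone": zone, "action": action,
            "severity": "critical" if zone in CRITICAL_ZONES else "info",
        })
    return alerts


if __name__ == "__main__":
    profile = build_profile(parse(BASELINE_LOG))
    for a in detect(profile, parse(DETECTION_LOG)):
        print(a["severity"].upper(), a["time"], a["identity"], "->", a["zone"], a["action"])
```

The first vendor "read" of the POS zone is what should page someone; by the time a "write" follows, the attacker is already where the vendor had no business being. A baseline like this only works if the learning window itself was clean, so it should be reviewed, not just recorded.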
Lack of Repercussions
Bad actors won't be deterred from launching cyberattacks until sovereign nations come together and ensure that there are repercussions for their behavior, according to FireEye CEO Kevin Mandia.
The anonymity that allows cybercriminals and nation-states to act with impunity can be pierced by countries joining forces and putting infrastructure and policies in place.
Mandia recommended establishing international rules of engagement that would allow hacking only for traditional espionage purposes and prohibit the theft of IP to make money as well as monkeying around with industrial control systems.
Although Mandia doesn't believe that true global extradition rules will ever be implemented, he said citizens of uncooperative nations could find themselves blocked from much of the internet.
Nation-State Attacks
Organizations backed by nation-states have morphed in recent years into highly organized cyberterrorist groups looking for data, money, or IP, according to Matthew Polly, CrowdStrike's vice president of worldwide channels.
Attackers are most frequently from Russia, China, and North Korea, with Chinese actors often looking for IP rather than money so that Chinese companies or the government can replicate what the victim organization has done, Polly said.
Conversely, North Korean entities and attacks usually want bitcoin or money, Polly said, meaning that a WannaCry-style ransomware attack is typically what's coming.
Operational Technology Attacks
Attacks in the operational technology world operate in a whole different dimension, with the stakes climbing from lost credit cards or Social Security numbers in the IT domain to impacts on plant floors, refineries, or city traffic lights in the OT sphere, according to ForeScout Chief Strategy Officer Pedro Abreu.
For instance, OT companies were the ones most heavily impacted by the June 2017 NotPetya outbreak, Abreu said, with cargo logistics giant Maersk unable to get its cargo off ships and into harbors, costing the company $300 million.
OT systems typically weren't managed by the IT department or overseen by the CIO, Abreu said; the plant-floor manager, rather than the IT team, usually decided what network equipment to deploy there. As a result, security procedures were often limited to air gapping, even though printers and computers were operating in those environments.
Overconfidence
The biggest threat to security is organizations becoming overconfident because they've purchased dozens of point products that aren't optimized, integrated, or designed for the cloud, said John Wheeler, IBM Security's vice president of services strategy and offerings.
Roughly four-fifths of all security investment is focused around prevention and detection, Wheeler said, with little thought given to threat insight or where critical information resides within an organization.
An organization's senior executives and its legal and human resources departments need their access and credentials handled with the same special care as administrator accounts, since they hold tremendous information about where the company is today and where it's going, according to Wheeler.
Procurement Model Changes
Organizations used to buy cybersecurity products in perpetual licenses, meaning the cost associated with the license would usually drop by 90 percent after the license shifted into maintenance mode, according to Symantec President and COO Michael Fey. That price drop would create a nice gap in the CISO's budget to buy other security products, Fey said.
But over the last couple of years, organizations have shifted to procuring security products as subscriptions, which Fey said increase in price every year rather than decreasing like perpetual licenses.
Between rising subscription costs, rising labor costs, cost-intensive regulations like GDPR and no more products shifting to maintenance, Fey said CISOs now find themselves struggling to provide an adequate level of security while staying within budget.
Quantum Computing
AES-256 encryption has long served as one of cybersecurity's foundational building blocks since it would take a decade or more to break the code (or cipher), according to Brett Hansen, Dell's vice president of client software and general manager of data security.
But as quantum computing takes hold over the next several years, Hansen said there's a real cause for concern that the code could be broken in just weeks or months. This would undermine the foundation of how data is protected today, Hansen said.
In time, new technologies such as lattice-based cryptography might address this challenge, Hansen said. In the interim, Hansen recommended that organizations with very high-risk information use dual encryption, layering two independent encryption systems on top of one another, which he said makes the data exponentially harder to break into.
Ransomware
Roughly 60 percent of businesses that fall victim to malware or ransomware will go out of business due to the public notoriety, loss of confidence from customers, or loss of data, according to Hal Lonas, Webroot's CTO.
This fate can often be avoided through good digital hygiene, Lonas said, which includes patching operating systems and running the most recent browser versions.
Organizations should also adopt a layered approach to security, which Lonas said should include next-generation endpoint protection for better coverage. A network-layer defense and valid threat intelligence are also vital, according to Lonas.
Social Engineering
The manipulation of social sentiment through access to user behavior data has primarily been a problem in the political arena for now, but that's likely to change, said John Delk, chief product officer and general manager of Micro Focus's security product group.
Instead of building sentiment for or against a political target, the same data and techniques could be used to tilt opinion for or against a competitor in a particular industry, Delk said.
And while organizations have a continuity plan to bring machines back to life after a ransomware attack, response plans around social engineering (such as an attacker convincing customers that a company is going out of business) are typically limited to public relations, Delk said.
Companies are starting to implement platforms that monitor social media so that they can better coordinate their response, Delk said.
Talent Shortage
CISOs are struggling mightily with finding, recruiting and retaining cybersecurity talent and find themselves increasingly turning to universities for a lifeline, according to Sanjay Beri, CEO of Netskope.
Organizations without sufficient cyber talent struggle with ingesting and operationalizing new products as well as implementing the security tools needed to defend themselves, Beri said. Many organizations lacking proper security hygiene simply need to get talent in place that can implement it, according to Beri.
"There's no shortage of hacker talent, or threats or villains," Beri said. "We need to fill the gap to counter it."
Techlash
Each high-profile cyber-attack and data privacy incident has resulted in people becoming uncomfortable in the physical world and losing faith in the cybersecurity industry's ability to keep them secure, according to RSA President Rohit Ghai.
Consumers are worried about having their credit card and personal information stolen online, getting shamed on social media, and getting digitally brainwashed through social engineering campaigns, according to Ghai. Companies in the industry therefore have an obligation to demonstrate that their technology, security, and public assurances are beyond reproach, Ghai said.
"Trust in data and technology is tenuous," Ghai said.