Thoughts From The 2016 RSA Conference
Editor’s note: The 2016 RSA Conference was held February 29 to March 4 at the Moscone Center in San Francisco.
At the beginning of March, the RSA computer security conference celebrated 25 years of bringing together the people who make and break data encryption and work on security issues world-wide.
In that time, the topics have moved from math and cryptography to personal privacy, the internet, and security of commerce and finance. It has also grown from a few dozen attendees to almost 40,000 this year. Clearly, computer and network security now impacts everyone.
The RSA Conference has something for everyone, having grown into a varied and comprehensive forum reviewing security technologies, research, policies and regulations, hacking, forensics, and security best practices.
The State of Enterprise Security
Typically, many reports from varied research organizations are released at or just before RSA. A study by Vanson Bourne shows that the vast majority of CEOs know they are spending millions on siloed security solutions that are insufficient to prevent, or even recognize, a cyber attack.
According to the study, encrypted network traffic is passed through without inspection and this is becoming a growing area for probes and the installation of backdoors and other malware.
Part of the problem is inadequate management of cryptographic keys and certificates. The Vanson Bourne study says that these are needed as the basis of trust for websites, virtual machines, mobile devices, and cloud servers, but they are often accessible to attackers, who can then encrypt and shield their own traffic and move unimpeded throughout public and private organizations. The report adds, “... These controls are unable to inspect threats in encrypted traffic because the location of all keys and certificates is unknown or they can’t be securely distributed for decryption and inspection. This lets cyber criminals use keys and certificates to gain trusted status with security controls.”
Matters are getting worse because there is a growing market for code-signing certs, and the growing impact of agile and DevOps practices leads to a proliferation of software repos, applications, servers and, now, containers. More objects and artifacts require more keys, but many DevOps teams do not follow security best practices in managing those keys.
Adequate key and trust management is also needed to combat the new trend of installing bits of malware or backdoors into developer tools. In their SRO presentation titled “7 top trends in cyber attacks for 2016,” SANS Institute experts Ed Skoudis and Dr. Johannes Ullrich noted that malware was showing up in developer tools like Apple's Xcode.
Other Key Vulnerabilities
Skoudis noted a new trend among attackers to “weaponize” Windows PowerShell. This powerful system administration tool is easily abused: it provides direct access to .NET and the Win32 API, and either one alone offers an enormous attack surface. Since PowerShell is installed by default and is white-listed on Windows 7, 8, and 10, malicious scripts evade detection and leave little footprint for forensic software.
There are many PowerShell exploit tools now available, such as PowerSploit and PowerUp, and even the famed Red Panda attack used some of these. Skoudis went further and described the "PowerShell Empire" framework, which incorporates and integrates many of these exploit tools. The website powershellempire.com states, “Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”
Since the PowerShell execution policy is simple to bypass, Skoudis recommended many further controls to lock down PowerShell access and execution, including deep logging of script execution and use of the Windows 10 Antimalware Scan Interface (AMSI). Skoudis also recommended combining PowerShell 5's Constrained Language Mode with AppLocker's “Deny Mode” and “Allow Mode” for a kind of script white listing.
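The controls Skoudis recommends can be turned on and verified from an elevated PowerShell 5 session. The script below is an added example, not part of the SANS presentation; it assumes the standard Group Policy registry paths for PowerShell logging on Windows 10 and that the Windows PowerShell operational event log is available.

```powershell
# Added example (not from the presentation). Run from an elevated PowerShell 5 session.
# Assumes the Group Policy registry locations used by Windows 10 for PowerShell logging.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Deep script logging: script block logging writes event 4104 with the de-obfuscated
#    block that actually ran; module logging (event 4103) records pipeline activity.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path "$base\ModuleLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # log all modules

# 2. AMSI ships with Windows 10 and is used by PowerShell 5 automatically; its absence
#    means an older OS where only the logging and AppLocker controls apply.
$amsiPresent = Test-Path "$env:SystemRoot\System32\amsi.dll"

# 3. Language mode: once an AppLocker script policy in Allow (whitelist) mode is enforced,
#    PowerShell 5 drops non-whitelisted scripts into ConstrainedLanguage, which blocks
#    direct .NET and Win32 API access. FullLanguage here means no lockdown is in effect.
$mode = $ExecutionContext.SessionState.LanguageMode

[pscustomobject]@{
    ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging").EnableScriptBlockLogging
    ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging").EnableModuleLogging
    AmsiPresent        = $amsiPresent
    LanguageMode       = $mode
}

# 4. Confirm logging end to end by pulling recent 4104 events; these are the records a
#    SIEM should forward and alert on, since encoded or obfuscated blocks appear decoded here.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

Run the script once, open a new PowerShell session and execute any script, then rerun the final query to confirm that the 4104 events are being written.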
For more info on Powershell Empire, visit this SlideShare presentation.
Other big trends included rapid growth in crypto ransomware that makes personal or corporate files inaccessible, and back-dooring developer tools to plant a static password like the one found recently in Juniper router software. Ullrich and Skoudis discussed the XcodeGhost hack that compromised Apple developer tools which have, up to now, been trusted. Once those vulnerabilities and access points have been introduced, systems can be easily accessed, and these exploits can be marketed on the dark internet. Enterprises should be aware that compiled software may include malicious functionality that goes unnoticed due to the trust relationship between Apple and developers.
Ullrich also raised the spectre of Raspberry Pis attacking from everywhere through "The Internet of Evil Things." He said the IoT is not just a “target” for its own sake anymore. Now Internet of Things (IoT) devices are used as attack platforms after they have been compromised. So the rapid proliferation of IoT devices with standalone operating system (OS) stacks represents a huge opportunity for creating botnets, initiating DDoS attacks, and acting as network proxies for attackers.
The SANS Institute was formed in 1989 and has trained over 100,000 information security professionals. SANS is one of the founding organizations and partners of the Center for Internet Security.
About Containers and Security
At a breakfast meeting for RSA attendees, Josh Bressers of Red Hat talked about the upside and the downside of using Containers for security. “Fundamentally, security is becoming a market driver, rather than an add-on, and container security will be part of that.”
Containers hold significant promise for the enterprise but, for adoption to take off, security must be a priority, Bressers explained, and that starts at the operating system layer. “Even if you can boot securely, running an insecure container in an insecure environment doesn’t actually help anyone,” Bressers said.
Bressers noted that many companies in the Linux container space are developing and delivering container scanners to help identify vulnerabilities like the glibc flaw or Heartbleed. But these vendors aren’t actually certifying or controlling which containers their users are deploying. This means that while they are offering the tools for you to find such problems, when it comes to actual fixes, they may not have the expertise or the ownership to actually fix the problem.
“In short, container scanners are a paper tiger,” Bressers said. “They look fierce and they’ll roar to let you know that trouble’s on the way, but they fold like paper when you need them to do more than just scan.”
Bressers talked about the need for a trusted container registry. “Today, if you're using the public registry, it's comparable to finding a sandwich on a bench at the park. You can look at it, you can tell it has ham and lettuce, but I mean, it's a sandwich you found on a bench. Are you going to eat that?” As for the overall message around the container security, I'd suggest his blog post where the basic ideas are covered nicely.
VMware had a half-day session showing how network virtualization and software-defined data centers (SDDCs) allow for better application separation and more aligned security controls. Dr Dennis Moreau, a senior engineering architect at VMware, extended this model to containerization and showed how security policies could be more easily and more successfully implemented with network virtualization, in combination with containers and VMs.
Moreau spoke about problems with layered approaches to security and the proliferation of boundaries, rules, and artifacts in the enterprise environment. He said there were many, many approaches and data sources, and new threats and regulations lead to complicated requirements and governance.
"The principal problem we have in security isn't the lack of individual security technology, it's getting different layers of security technology to work together,” Moreau said after his presentation. “Allowing them to be aligned on the right things, like workflows and services, despite the dynamics of modern applications, like load balancing and scaling up. Managing security by the anchors we currently have, like IP and MAC addresses, is becoming difficult and tenuous. The answer seems to be managing security around the boundaries of applications and services with segmentation.”
Moreau said that a micro-segment can be viewed as a bag of VMs with a clear network boundary and interface. We can now confine the inter-VM communication to just that network boundary and also use application white listing more effectively. "... We will no longer have to worry about the mismatch between server endpoint and network controls, we now have a single abstraction... Now we can anchor our protections to the same application boundary, whether for endpoint or network."
When that occurs, Moreau explained, the Snort rules in the IPS, the firewall rules, and governance can all be focused on the specific app of the single micro-segment being protected.
“This greatly simplifies the policy and the rules on any application we have. When these are spread across many applications, it’s unclear which rules apply to which app. Now if the components of an application are sitting on the same boundaries, we can reduce or eliminate [unexpected] side effects,” Moreau said, adding, “And we don't have to worry about breaking policies and rules when we need to change the application. That [fear] would inhibit our ability to be agile and reach business objectives. When I can simplify policy, I get the agility back and I can align all of my controls.”
“Segmentation on a service basis is precisely what is needed in a security environment that is increasingly Balkanized, with every security product having its own identifiers, its own rule-sets, its own policy engines that create a semantic mismatch [and that keeps sec from being effective]. I believe that having application segmentation helps us clarify and simplify that. And this is a security approach that is already beginning to take hold,” said Moreau in conclusion.
Rise of CASBs
John Stewart and Rajiv Gupta from Skyhigh delivered a presentation titled “Centralizing Cloud Security in a De-Centralized World,” which advocated putting a security control mechanism in the cloud itself. Gupta said that 2016 is the watershed year for cloud deployments because of the rapid change in cloud adoption over the last three years, from opposition or delay to acceptance and adoption.
Now 65% of business leaders say cloud has equivalent or better security, Stewart said. He added that most security pros say the biggest barrier to using cloud security with this adoption is the lack of security skills in enterprises. They are still using old techniques and architectures and also not using analytical software to find and root out threats. Many enterprise IT staff do not realize that their data is going through hundreds and possibly thousands of cloud services, yet there are few control points. Stewart added that there were 1,154 services in use on average.
The Gartner Group has defined a cloud access security broker or CASB as a good fit for a central control point, instead of several individual management points.
Stewart explained that a CASB is not necessarily a box in a rack because the preferred deployment point is a cloud service itself — a CASB in the cloud — but enterprises may also need one in their data center on premises.
This is not a binary argument, said Stewart. “The trick is to make it work at a good price point and with the security skills already present.”
Of course, being RSA, there was almost continual discussion in conference panels and some keynotes of the Apple vs. FBI clash. But a high percentage of former government leaders, and most current ones, offered nuanced support for Apple championing strong private encryption. That was one of the motivations behind the creation of the original RSA conferences. Strong crypto is a credo of most security professionals and viewed as a necessity for commerce. There were, however, some differing opinions on how to resolve issues of national security vs privacy.
One position argued that the FBI and US government only wanted to disable the content-wiping feature that erases an iPhone after 10 failed passcode attempts. Turning off that single feature will not directly create a backdoor or give the government access. But it does allow someone with a supercomputer and a lot of time the opportunity to try billions of passcodes and eventually open the phone.
That level of resources sounds like a nation state, but some well-endowed corporations also have this level of resources. The historical problem here is that the power to make and break encryption is no longer the sole province of nation states, and the national security argument is weakened because of it.
The NSA has long had a practical arrangement with American telecom companies that allowed for monitoring of overseas calls and, with court warrants, access to the records, and conversations of felons under investigation. The FBI case, in part, seeks to extend this arrangement to other tech services.
One panel discussing this conundrum was titled “Beyond Encryption: Why We Can't Come Together on Security and Privacy” and featured Michael Chertoff, formerly the second Secretary of Homeland Security and co-author of the USA Patriot Act and now executive chairman of The Chertoff Group; Trevor Hughes, CEO International Association of Privacy Professionals (IAPP); Mike McConnell, senior executive advisor, Booz Allen Hamilton; and Nuala O'Connor, CEO at the Center for Democracy & Technology (CDT).
Chertoff was a supporter of the NSA-sponsored Clipper chip in the 1990s and of encryption key escrow by the government. He said he is now very concerned about theft of industrial processes and IP and favored “strong end-to-end encryption everywhere.” Chertoff emphasized that legal frameworks need to be better developed to protect individuals and to allow needed government operations. “Apple may make a commercial argument,” Chertoff said, “but they are protecting the general public.” Update: On March 21 the FBI asked for a two-week stay as they investigated an option from a third party, Israel's Cellebrite Mobile Forensics, most likely a zero-day attack that may weaken or break iPhone security entirely. Some industry analysts have suggested that Apple itself may have helped the unidentified third party to avoid a Supreme Court review of a weak case for privacy, as the iPhone was actually the property of San Bernardino County, which has given the FBI permission to access its contents.
Trevor Hughes insisted that it was a “false choice of either-or on privacy and security. We have to achieve both.” He said we need more on-going discussion of where to draw the lines on these issues. As an example, he noted we have free speech but can't cry “fire” in a crowded theater.
Nuala O'Connor said that our data is part of ourselves. “The presumption must be that data is ‘mine’ and would be so in law.” She added, “people who put privacy and security at odds are oversimplifying.”
Secretary of Defense Ashton Carter was another government official who told RSA attendees that he favored strong encryption for everyone. Carter also made a few DOD announcements during his visit to the conference. In a change of heart, the Pentagon is inviting a few friendly hackers to find computer and network bugs in its websites and, in another pro-industry move, Eric Schmidt, Google co-founder and chairman of Alphabet, will lead the DOD's innovation advisory board.
This link will access all presentations on the Cloud Security and Virtualization Track [CSV].
Going almost for free
The conference is expensive compared to most, costing $2595 on site. Tutorials cost more. An expo pass — which is $75 for early bird registrations — also includes most of the keynote sessions — not the first keynote session, sorry — and most of the industry and association sessions on the opening Monday plus access to the Innovation Sandbox demonstrations.
I call Monday the "Community Day" at RSA because organizations like the Cloud Security Alliance (CSA) and the Trusted Computing Group (TCG) present full-day or half-day sessions that are open to Expo pass holders, and these are really quite good. The CSA session also includes lunch.
There was also a track for Cyber Safety for Parents and some company-sponsored tracks like the half-day session on network virtualization for security offered by VMware.
But you can attend for the price of your carfare or travel budget. Many security solution vendors offer their customers and those on their mailing lists registration codes for free Expo passes in the weeks leading up to the RSA Conference. The only caveat here is that the codes must be used by the Friday before RSA starts; otherwise they do not work. If you can't justify the steep price of the full conference, get a code and come as an Expo attendee.