I once again had the pleasure and privilege to attend the RSA Security conference in San Francisco, CA. rsaconference.com/events/us18. The conference keynotes, sessions and sidebar conversations were a good opportunity to see what the hot topics in security are. I attended a broad selection of sessions. Here are five diverse observations that I came away with:
1. Not every business is ready for the GDPR: The EU’s General Data Protection Rule comes into force on May 25th, and based on the questions I heard asked, people are not ready. There are huge fines for non-compliance (larger of 4% revenue or 20M), so the scramble is now on to be in compliance. Interestingly, the recent Cambridge Analytica / Facebook controversy was used as “case study” in more than one conversation. That’s because GDPR is raising the bar globally and will have global impact on how privacy is protected not just in Europe. I found it encouraging that while some are struggling to comply only 5% considered it an impediment to innovation. Also I heard it stated “there cannot be privacy without security” and encryption is a baseline control for security.
2. Quantum Computing is real: Not only that, but quantum computing will start having real impacts soon. This year “quantum supremacy” will be reached.
What that means is that for the first time some algorithms will run faster on quantum computers than on conventional computers, simulating a quantum computer. Ok, that is not as impressive as the term sounds, but one speaker predicted that in about 4 ½ years, quantum computers will be able to run Shor’s algorithm to factor very large composite numbers into prime numbers (3 & 5 are prime numbers. 15 = (3*5) is a composite number). This now matters because the strength of RSA public key encryption is based on the intractability of factoring very large numbers into primes. As I discovered at the ICMC last year, there are lots of very serious people working on quantum-resistant encryption algorithms, so it is a bit of an arms race at the moment. Meanwhile, I will not be mortgaging my house to buy Bitcoin anytime soon. At least not until they get serious about implementing some quantum-resistant strategies.
3. Shift Left: I am not talking about politics here, but rather shifting security earlier into the development process. The idea is that it is 50 times cheaper for a developer to find and correct her own mistake, than for a hacker to find it in production. Here’s a quick strategy to shift left:
- Developers to utilize SAST on an ongoing basis: “Static application security testing (SAST) is a type of security testing that relies on inspecting the source code of an application. In general, SAST involves looking at the ways the code is designed to pinpoint possible security flaws.”
- SAST and IAST is run on the daily build: “IAST (interactive application security testing) is a form of application security testing that stems from a combination of dynamic application security testing (DAST) and runtime application self-protection (RASP) technologies. It is possible to use IAST without a DAST inducer, using QA testing as an inducer instead.”
- SAST, DAST and IAST is run at the end of every 2-3 three week sprint: “Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state.”
- PEN testing is run by QA before release into production: “Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.”
Together, these steps will help detect ~80% of the security issues before they get into production.
4. SAN’s 5 Most Dangerous New Attack Techniques: This was one of my favorite Keynote Sessions, second only to the Cryptographer’s panel. Here are the SAN’s five for 2018:
- Repositories and Cloud Storage Data Leakage: protect your S3 buckets with passwords
- Big Data Analytics, De-Anonymization, and Correlation: Aggregation of data is more of a threat than ever
- Exploitability in ICS/SCADA: Intent & Method: the bad guys (states) are targeting critical infrastructure safety systems which used to be air gapped but are no longer
- Attackers Monetize Compromised Systems using Crypto-Miners: Stealing your CPU resources and causing global warming
- Hardware Flaws: Hardware is not flawless after all
Watch the full session: https://www.sans.org/the-five-most-dangerous-new-attack-techniques
5. Memory encryption: There are long-established and deployed solutions for protecting data at rest (Full Disk Encryption) and data in transit (TLS and IPSec), but the industry is not there yet when it comes to protecting data in use. The need to encrypt memory is becoming increasingly important with the move to virtualizing workloads and running them on other people’s computers that you do not own or control. The most obvious attack being to scrape the memory for the TLS or FDE key, compromising the full encryption scheme. I was encouraged to see a session on memory encryption, and some mentions here and there throughout the conference, but no transparent de facto solution has emerged yet. Maybe it will next year. I guess I will have to follow up on this at RSA 2019. Meanwhile, my money is on AMD’s Secure Encrypted Virtualization (SEV).
The WinMagic team came back energized and charged with inspiration for 2018. Feel free to share your thoughts on your top observations. Until next year!