Security Technology Executive

MAY-JUN 2016

Issue link: https://securitytechnologyexecutive.epubxp.com/i/690996


TECH TRENDS

Cyber Vulnerabilities Galore

My recent trip to the RSA Conference left me with a queasy feeling for our industry

By Ray Coulombe

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Ray can be reached at ray@SecuritySpecifiers.com, through LinkedIn at www.linkedin.com/in/raycoulombe or followed on Twitter @RayCoulombe.

In March I attended, for the first time in five years, the RSA Conference, the world's largest cyber security conference, with nearly 40,000 people attending. Sadly, representation from our industry was noticeably lacking, and many security people I have spoken to have never even heard of this important event. I did connect with Rodney Thayer, our industry's leading white hat product and network vulnerability tester and PSA consultant; however, excluding IT and dedicated cyber vendors, only Verint and HID had a corporate presence at the show. Regardless, there were a number of important takeaways from the many sessions I attended and vendors I spoke to:

Cloud applications and security solutions are abundant and increasing. That more applications are migrating to the cloud is unquestioned. Competent cloud vendors now have a powerful array of tools to help mitigate outsider threats, for example blacklisting an IP address that makes repeated failed attempts to access a site application within a short time period. In many cases, the security a cloud vendor provides for an application may be superior to what users can provide for themselves. Lesson: choose your cloud vendor well, understand what security features they offer, and find out which of those features you still have to turn on and configure yourself.

Behavioral and situational analytics are two promising tools of the trade. Behavioral analytics describes how someone uses an interface, what they normally access and their established patterns of behavior. Situational analytics deals with the location someone appears to be logging in from. Both are additional candidate signals for authentication: they do not replace a credential, but they let a system decide when a login looks unusual enough to demand a second factor or to refuse it outright.

IoT is scary. Depending on the projections you believe, there will be around 50 billion connected devices by 2020, a tenfold increase over today's number. It appears that, once again, we will witness implementations and marketing hype around their usefulness outpacing the many needed security efforts to protect them. The consensus view of the conference was that the industry is ill-prepared for IoT from a security perspective: so many devices to hack, so little time.

Education is key. While no cyber solution is perfect, and multiple layers of defense should be employed in a protection strategy, there is low-hanging fruit that can be harvested. Take spear phishing attacks, for example, where users are prompted by custom-crafted emails to click on malicious links. These can be addressed by education, mock exercises and constant reinforcement by the parent organization. This most common vulnerability should be the easiest to solve.

Endpoint vulnerability must be taken seriously. One common hack mentioned was attacks on unsecured surveillance cameras that still carry their default credentials, reached through exposed video streaming (RTSP/RTP) ports. There are other ways to attack these and other security devices where proper setup and firmware maintenance have not been implemented.

SCADA (Supervisory Control and Data Acquisition) vulnerabilities keep corporate execs and policy makers up at night. Not only is old equipment infrastructure particularly vulnerable, but hacks upstream in the supply chain, affecting original equipment before shipment from the factory, have been documented.

Many security products today rely on databases for their implementation, and those databases must be secured. There are numerous security solutions for cloud-based databases, for example Transparent Data Encryption (TDE) for Microsoft SQL running on their Azure platform. Bear in mind what such a feature covers: TDE encrypts the database files and backups at rest, so it protects against stolen storage media or backup files, but not against an attacker who reaches the database with valid credentials or through a flaw in the application in front of it. Further, I was able to find encryption solutions available to developers for local database applications.

Is the government friend or foe in the security battle? There was no shortage of government speakers at RSA, including the Attorney General of the United States and the Director of the NSA. All delivered the message that the government wants and needs the private sector to be a willing participant in fighting the cyber threat. It is ironic that this occurred while Apple and the FBI were battling it out in court over whether Apple could be compelled to help unlock the encrypted data on an iPhone.
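The IP blacklisting control mentioned under the cloud takeaway above, shown as an added example that is not code from the column or from any cloud vendor: a sliding-window counter that blocks a source address after too many failed requests. The log lines are constructed for the example, and the thresholds (5 failures within 60 seconds, block for 10 minutes) are illustrative assumptions rather than figures from the page.

```python
"""Sliding-window blocklist for repeated failed requests from one IP.

Added example for the cloud takeaway above; not code from the article or any
vendor. Log lines are constructed; thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: client IP, timestamp, request line, HTTP status.
# 203.0.113.7 hammers /login, 198.51.100.4 is an ordinary user with two typos,
# 192.0.2.9 is a "low and slow" attacker spacing failures 30 s apart.
SAMPLE_LOG = """\
203.0.113.7 [2016-03-01 10:00:01] "POST /login HTTP/1.1" 401
203.0.113.7 [2016-03-01 10:00:03] "POST /login HTTP/1.1" 401
198.51.100.4 [2016-03-01 10:00:05] "POST /login HTTP/1.1" 200
203.0.113.7 [2016-03-01 10:00:06] "POST /login HTTP/1.1" 401
203.0.113.7 [2016-03-01 10:00:08] "POST /login HTTP/1.1" 401
203.0.113.7 [2016-03-01 10:00:09] "POST /login HTTP/1.1" 401
203.0.113.7 [2016-03-01 10:00:30] "POST /login HTTP/1.1" 401
198.51.100.4 [2016-03-01 10:02:00] "POST /login HTTP/1.1" 401
198.51.100.4 [2016-03-01 10:05:00] "POST /login HTTP/1.1" 401
192.0.2.9 [2016-03-01 10:10:00] "POST /login HTTP/1.1" 401
192.0.2.9 [2016-03-01 10:10:30] "POST /login HTTP/1.1" 401
192.0.2.9 [2016-03-01 10:11:00] "POST /login HTTP/1.1" 401
192.0.2.9 [2016-03-01 10:11:30] "POST /login HTTP/1.1" 401
192.0.2.9 [2016-03-01 10:12:00] "POST /login HTTP/1.1" 401
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return (ip, timestamp, request, status), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


class FailedAttemptBlocker:
    """Blocks an IP once it accumulates `threshold` failures inside a sliding window."""

    FAILURE_STATUSES = {401, 403}

    def __init__(self, threshold=5, window_seconds=60, block_seconds=600):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.block_for = timedelta(seconds=block_seconds)
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> datetime when the block expires
        self.rejected = defaultdict(int)      # ip -> requests refused while blocked

    def is_blocked(self, ip, now):
        """`now` may be a datetime or an ISO-8601 string such as '2016-03-01T10:05:00'."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        until = self._blocked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, ts, status):
        """Feed one request. Returns True only when this request triggers a new block."""
        if self.is_blocked(ip, ts):
            self.rejected[ip] += 1
            return False
        if status not in self.FAILURE_STATUSES:
            return False
        window = self._failures[ip]
        window.append(ts)
        cutoff = ts - self.window
        while window and window[0] < cutoff:   # drop failures that fell out of the window
            window.popleft()
        if len(window) >= self.threshold:
            self._blocked_until[ip] = ts + self.block_for
            window.clear()
            return True
        return False


def scan(log_text, **kwargs):
    """Replay a log in order; return (list of (ip, block_time), blocker) for inspection."""
    blocker = FailedAttemptBlocker(**kwargs)
    blocks = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, ts, _req, status = parsed
        if blocker.record(ip, ts, status):
            blocks.append((ip, ts))
    return blocks, blocker


if __name__ == "__main__":
    blocks, blocker = scan(SAMPLE_LOG)
    for ip, ts in blocks:
        print(f"blocked {ip} at {ts}; {blocker.rejected[ip]} later request(s) refused")
```

Replaying the constructed log blocks only 203.0.113.7, at 10:00:09, and refuses its next request. The slow attacker at 192.0.2.9 never has five failures inside any 60-second window and is never blocked, which is the caveat a practitioner should keep in mind: a fixed per-IP window catches noisy brute forcing, not patient or distributed attempts, so it belongs alongside per-account lockout or step-up authentication rather than in place of them.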
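The behavioral and situational analytics takeaway above describes signals, not a mechanism; the following added example (not code from the column or any product) shows one way those signals become an authentication decision. A user profile holds what is "normal" (countries, working hours, resources, devices, last login), each login is scored against it, and the score selects allow, challenge with a second factor, or deny. The profile, the sample logins, the weights and the thresholds are all constructed for illustration.

```python
"""Risk-scoring a login from behavioral and situational signals.

Added example for the behavioral/situational analytics takeaway above; not
code from the article or any product. Profiles, logins, weights and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Profile:
    """What a user normally looks like, as learned from past logins (constructed here)."""
    usual_countries: frozenset
    usual_hours: range            # local hours during which the user normally works
    usual_resources: frozenset    # application areas the user normally touches
    known_devices: frozenset
    last_login_country: str
    last_login_at: datetime


@dataclass
class Login:
    user: str
    country: str
    device_id: str
    resource: str
    at: datetime


# Constructed profile for one user.
PROFILES = {
    "alice": Profile(
        usual_countries=frozenset({"US"}),
        usual_hours=range(7, 20),
        usual_resources=frozenset({"/cameras", "/reports"}),
        known_devices=frozenset({"laptop-01"}),
        last_login_country="US",
        last_login_at=datetime(2016, 3, 1, 9, 0),
    )
}

# Illustrative weights: situational signals (where from) and behavioral ones (when, what).
WEIGHTS = {
    "new_country": 40,
    "impossible_travel": 50,
    "unknown_device": 25,
    "off_hours": 15,
    "unusual_resource": 20,
}
CHALLENGE_AT = 30   # score at which a second factor is demanded
DENY_AT = 60        # score at which the login is refused outright


def score_login(profile, login):
    """Return (score, reasons); each reason names the signal that fired."""
    score, reasons = 0, []
    # Situational: where the login appears to come from.
    if login.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    hours_since_last = (login.at - profile.last_login_at).total_seconds() / 3600
    if login.country != profile.last_login_country and hours_since_last < 2:
        score += WEIGHTS["impossible_travel"]   # two countries within two hours
        reasons.append("impossible_travel")
    if login.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    # Behavioral: when the user logs in and what they reach for.
    if login.at.hour not in profile.usual_hours:
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    if login.resource not in profile.usual_resources:
        score += WEIGHTS["unusual_resource"]
        reasons.append("unusual_resource")
    return score, reasons


def decide(score):
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def evaluate(login, profiles=PROFILES):
    """Score one login against its user's profile; users without a profile are challenged."""
    profile = profiles.get(login.user)
    if profile is None:
        return "challenge", ["no_profile"]
    score, reasons = score_login(profile, login)
    return decide(score), reasons


# Constructed logins: routine, clearly hostile, merely odd, and a user with no history.
SAMPLE_LOGINS = [
    Login("alice", "US", "laptop-01", "/cameras", datetime(2016, 3, 1, 10, 0)),
    Login("alice", "DE", "tablet-99", "/cameras", datetime(2016, 3, 1, 10, 30)),
    Login("alice", "US", "laptop-01", "/admin/users", datetime(2016, 3, 1, 23, 0)),
    Login("bob", "US", "laptop-02", "/cameras", datetime(2016, 3, 1, 10, 0)),
]


def evaluate_all(logins=SAMPLE_LOGINS):
    return [evaluate(login) for login in logins]


if __name__ == "__main__":
    for login, (decision, reasons) in zip(SAMPLE_LOGINS, evaluate_all()):
        print(f"{login.user} from {login.country}: {decision} {reasons}")
```

The point of the "challenge" band is that these signals supplement a credential rather than replace it: an off-hours visit to an unfamiliar area of the application earns a second-factor prompt, while a login from a new country on an unknown device, ninety minutes after the same account was seen in the US, is refused. A production system would also update the profile after every accepted login; the profile here is static so the example stays deterministic.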
