The security community is always under pressure to jump to the next thing. So it's easy to guess what will likely dominate conversations at the 2023 RSA Conference later this month: geopolitical events and cyberwarfare, and nefarious uses of ChatGPT. There is a lot going on at the intersection of these topics and security, but in my opinion they should not consume the lion's share of attention.
As a community, I would rather we spend more time on an area we don't talk about enough but should: the state of the industry. In other words, where we, as security practitioners, experts, and vendors, are right now, and what we need to do better.
Use the Conference to Chart Best Way Forward
Attacks and compromises aren't going away. Instead, they're growing in number and becoming more costly. Does this mean that we, as defenders, aren't getting better at what we do? Or are attackers getting better while we stay the same, failing to learn from our own experiences or from our peers? When we attend conferences like RSA, this is what we should be talking about.
This topic even aligns with this year's conference theme, "Stronger Together." Instead of jumping to the next thing, let's take advantage of the opportunity to meet in person to look at some of the areas where the same types of compromises keep happening, and discuss how we can do better as a community. Here are a few suggestions.
Supply Chain Security
Supply chain attacks are nothing new; they've been around for years. In 2018, Bloomberg reported that server motherboards shipped around 2015 had been implanted with malicious microchips, a claim the named companies denied and that was never independently confirmed, but one that put hardware supply risk on everyone's radar. A couple of years later, routers and switches were compromised, affecting users in numerous countries. On the software side, not long ago a spate of supply chain attacks involving products from companies such as Accellion, Kaseya, and SolarWinds affected thousands of organizations, and millions of their users, downstream. And with respect to third-party code, we continue to see incidents in the npm (JavaScript), CPAN (Perl), and PyPI (Python) ecosystems, where maintainer accounts are hijacked or malicious packages are planted, alongside critical vulnerabilities in widely embedded libraries such as Log4j (Log4Shell, CVE-2021-44228), putting every software vendor that builds on them at risk.
Why do these compromises keep happening? Are we not getting the message across that supply chain security is critical, or is the message being ignored? No one wants the government to step in and legislate requirements that don't make sense before the industry has put in place the tools, processes, and standards needed to be effective. But that is exactly what is happening (the May 2021 Executive Order 14028, with its software bill of materials and secure development attestation requirements, is the obvious example), because the need to reduce these risks is urgent and the security community has not been proactive enough.
Industrial Control Systems Security
Attacks on industrial control systems (ICS) are another classic example. There was Stuxnet, discovered in 2010; the attacks on Ukraine's power grid in December 2015 and December 2016; and then a more damaging wave in 2017 with WannaCry and, shortly after, NotPetya, which spilled from IT networks into plant floors and logistics operations and resulted in an estimated $10 billion in damages. Since the pandemic, we've seen attacks against pipelines, food producers, water utilities, and other critical infrastructure. And electrical systems and telecom providers have come under attack since Russia's invasion of Ukraine.
We have known about the potential for damaging attacks since the 1990s, when the Purdue Enterprise Reference Architecture (the Purdue Model), a reference model for computer-integrated manufacturing, was developed; its hierarchy of levels later became the basis for the network segmentation guidance in ISA-95 and IEC 62443 that ICS security still relies on. Since then, we've made significant advances in capabilities to secure critical infrastructure networks and systems, and the federal government has numerous resources available to help, from CISA's ICS advisories to NIST SP 800-82. And yet these attacks continue.
Cloud Security
There are tons of cloud security vendors, and the cloud providers have their own security offerings, which continue to improve and change. But we still see breaches and outages from a familiar set of causes: misconfigurations (publicly exposed storage buckets, over-permissive IAM roles), unauthorized access through leaked or weak credentials, and insecure interfaces and APIs, to name a few. It's the same thing we see on-premises; we've simply moved these problems into the cloud, and 45% of data breaches now occur there, according to IBM's 2022 Cost of a Data Breach report.
There are also many vulnerabilities that threat actors aren't actively exploiting yet, but they will when the reward is great enough. And as cloud providers proliferate, not all clouds are created equal: each has its own identity model, default settings, and control plane, so diversity creates diverse problems, which makes cloud security even harder. It raises the question: are cloud providers, their customers, and security vendors learning from each other?
Make the Most of In-Person Meetings
We've only recently gotten back into the swing of attending conferences and meeting face to face. Not only are these experiences more fun than online events, they also tend to foster more open communication and stronger connections. Let's use the opportunity to build relationships and learn more about the threats people are seeing and what they are doing about them.
As one of the largest gatherings of the cybersecurity community, RSA Conference also provides an opportunity for cross-pollination. When we talk to people outside our own industry vertical and listen to what they are doing and what they are facing, we gain even more insight. There may be substantial overlap in the threats they face and in how they set up their security posture, and their approaches can be adapted for use in other verticals.
In-person conversations are an incredibly productive way to understand the state of the industry. So, enjoy the conference and use it as an opportunity to focus on what we can do better right now.
Source: www.darkreading.com