Notes from the Expo Floor
Knights and Blacksmiths of Security
Brian Kirk
JUL 30, 2014 09:47 AM

There’s a lot of talk about security around the office these days. I mean, that’s not really a surprise; we always seem to be talking about security. This time, it feels a little different. The Rock Stars of Cybersecurity event is right around the corner; we’ve got some people heading to Black Hat to promote IEEE Security & Privacy; and there are more cool things right around the corner (which aren’t necessarily public knowledge yet).

And sitting on my computer’s desktop is a file titled “Knights and Blacksmiths,” which is a sprawling 3,424-word mess of notes from my visit to RSA in February. I scanned it quickly to see if it needed to finally be recycled, but I paused. A string of pressing work issues had sprung up, shifting my responsibilities to other matters (thereby preventing the article from being edited and posted in a timely manner), but some of the content still seemed relevant. It may be late, but I don’t think the problem of security is going to be solved any time soon.

RSA had its share of controversy this year, and as much as I’d love to talk about random number generators, the NSA, and European fears of global spying, I think I’ll leave those discussions up to people with much more first-hand knowledge of the situation.

And even with multiple exhibitors pulling out of the show as a form of protest, you’d never have told from the volume of people and exhibitors on the floor. As usual, the show was immense, bringing in over 28,000 people and filling two full exhibit halls. I had the pleasure to lurk by, chat with, and spy on numerous exhibitors, but I couldn’t shake the words that I had heard months prior:

“The [expo] floor is full of Blacksmiths pretending to be Knights.”

I met with Chris Drake, CTO of Firehost (he was CEO when I talked to him, but since then that position has gone to Jim Lewandowski, letting Chris focus on what he likes to do. See this release for more info). I tried to water down my cynicism about the similar pitches that I’d heard from several companies, but he agreed, saying that there are still times when the industry can fall into the trap of being more of a blacksmith than a knight. Of course the companies pitch themselves as knights, fighting the good fight and protecting us, our assets, and our livelihoods, but the issue comes down to sustainable revenue. Successful knights protect; successful blacksmiths rely on broken swords and dented armor for a steady revenue stream. To be fair, I love the guy. He talks a big game, but he’s backed it up. (Just look at the time they started hosting Kevin Mitnick’s site.)

The reason I wanted to talk to Firehost was that I was intrigued by their Superfecta report. It mentioned a blackholing effect, and I wanted a little bit of clarification. Their report had shown a drop in attacks, which seemed counterintuitive, so after a little bit of digging they discovered that by using an approach that doesn’t even acknowledge traffic from known disreputable IPs (no reply of any kind, rather than a rejection), they’ve had their own protected IPs become “invisible” to those sources, freeing up system resources for their customers. It was like a bunch of their sites had been cloaked from attacks, and I’ll leave the inevitable fictional re-telling of this (complete with the knights being paladins, casting spells of invisibility on the hosted websites) to my own personal diary. Not that I have one of those…
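The distinction that makes the blackholing effect work is drop versus reject: a rejected probe still gets an RST or ICMP unreachable back, which proves a live host sits at that address, while a dropped probe gets nothing and the address looks unrouted. The following is an added example of that behaviour, written for this post; it is not Firehost’s code and says nothing about how their filtering is actually built. The reputation list, the open ports and the probe traffic are all constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

# Constructed reputation list for illustration only (RFC 5737 documentation
# ranges, not real attacker addresses). A real deployment would feed this
# from a threat-intel source and refresh it regularly.
DISREPUTABLE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Ports the protected host actually listens on (assumed for the example).
OPEN_PORTS = frozenset({80, 443})


def is_disreputable(src: str) -> bool:
    """True if the source address falls inside any listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in DISREPUTABLE)


def respond_to_probe(src: str, dport: int, mode: str = "drop") -> Optional[str]:
    """Model the protected host's reply to a TCP SYN from `src` to `dport`.

    Returns the reply the probing party observes, or None for silence.
    mode="reject": listed sources get an explicit ICMP unreachable, which is
    polite but still proves a live, filtering host exists at this address.
    mode="drop":   listed sources get nothing at all (the blackhole), so no
    connection state is created and no packet goes back.
    """
    if is_disreputable(src):
        if mode == "drop":
            return None
        if mode == "reject":
            return "ICMP port-unreachable"
        raise ValueError(f"unknown mode {mode!r}")
    # Unlisted sources see the real service surface.
    return "SYN/ACK" if dport in OPEN_PORTS else "RST"


def scanner_view(src: str, ports: Iterable[int], mode: str = "drop") -> Union[str, Dict[int, str]]:
    """What a port scanner at `src` can conclude after probing `ports`."""
    replies = {p: respond_to_probe(src, p, mode) for p in ports}
    if all(r is None for r in replies.values()):
        # Total silence is indistinguishable from an unused or unrouted address.
        return "no host"
    return {
        p: "open" if r == "SYN/ACK" else "closed" if r == "RST" else "filtered"
        for p, r in replies.items()
    }


if __name__ == "__main__":
    for mode in ("reject", "drop"):
        print(mode, scanner_view("203.0.113.45", [22, 80, 443], mode))
    print("unlisted", scanner_view("192.0.2.10", [22, 80, 443]))
```

Two practical caveats. The invisibility only holds if every packet from a listed source is dropped (ICMP and UDP included); one stray reply is enough for a scanner to mark the host as up and the rest as filtered. And the resource saving the report describes comes from the drop path doing no work: no SYN backlog entry, no connection-tracking state, no reply packet, which is exactly what a reject path still has to spend.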

I left that meeting convinced that I was going to search for some of the other knights of RSA (but please, don’t consider this list as comprehensive; RSA is a big big big show).

One of my first stops was to chat with Cryptography Research. They always seem to be doing something crazy, and after Paul Kocher showed how easy it was to pull information leakage out of a physical phone last year, I knew I’d have to see what they were up to. Paul’s reason for working on the hardware side of security is that hardware is where there is no “lower level.” If you can make the hardware more secure, then you can treat all software as potentially malicious, and you’ll be “architecting so good and evil can coexist.” Suggesting that many of the problems in industry aren’t from malice but from errors used maliciously, Paul (and Cryptography Research in general) strives to strengthen and harden that layer underneath, where protection does the most good. (For more on his discussion of the benefits of smart cards versus magnetic stripes, where he points to the dichotomy between hardware and software security, see this PCMag SecurityWatch article: http://securitywatch.pcmag.com/none/321110-rsac-chip-based-security-offers-best-bang-for-the-buck.)

Along those lines, Benjamin Jun (Vice President and CTO of Cryptography Research) talked about some of the concerns around the rise of the Internet of Things (IoT). He contends that we have four major security perspectives with the IoT: data at rest, data in transit, time and place, and endpoint security. With everyone talking about the rise of the Internet of Things (and the Web of Things, too, if we want to take it a step further; see this article and this article), parceling the security concerns this way makes incredible sense. Do I need an Internet-connected garage door opener? The argument could be made that I do (although the Luddite in me starts convulsing from fear whenever I hear about smart toasters), but regardless, it’s still another layer of attack surface to contend with. You need to protect the data from intrusion, but how you protect it depends on what type of information it is and what state it is in to begin with. What could someone do with logged data? What could someone do with live data? (Here is some interesting privacy-related research where smart meters shared data that could be decoded, enabling a scary level of knowledge with respect to content viewing: http://nakedsecurity.sophos.com/2012/01/08/28c3-smart-meter-hacking-can-disclose-which-tv-shows-and-movies-you-watch/). Ben’s message boiled down to understanding those four types of potential holes in security (and how the protection methods subtly shift between them).

Continuing the thread on proper perspectives (and expectations) with respect to security concerns, I spoke with Bob Hinden, a Fellow at Check Point. He discussed the hype, the promise, and some of the problems with software-defined networks (SDNs). (His talk at RSA, "SDN & Security: Why Take Over the Hosts When You Can Take Over the Network," can be found here.) Citing finer-grained control over the network as a key benefit of SDN, Hinden’s talk balanced the hype with some of the underlying concerns and problems with widespread SDN adoption. SDN controllers and applications have complete control of the network, yet they run on general-purpose computing platforms and inherit those platforms’ vulnerabilities. In this way, compromising the controller compromises the entire network. Additionally, he stressed that increased reliance on SDN removes the division between an organization’s network group and its security group. Network staff must bear (at least some of) the responsibility for the organization’s security policy.

It will be interesting to see how some of these developments impact and are impacted by the ever-changing security landscape. And we can only hope that more and more blacksmiths hang up their hammers for the sword and shield.
