Hackers ‘winning by every possible measure’, security conference told

2015 will be the year of the ‘super mega breach’ warns president of security firm RSA

In 2014 the world saw huge data breaches, but 2015 promises to be the year of the "super mega breach", said Amit Yoran, president of security company RSA, in the opening keynote of the annual RSA conference on security.

Arriving on a blackened stage with a flashlight, he said: “My stumbling around in the dark is a good metaphor for anyone trying to protect digital infrastructure today.”

The fast-changing and pervasive technological environment that now runs businesses, governments and utilities, and also pervades daily life, means we are at “a critical inflection point not only for our industry, but for all mankind”.

“Technology will control its own destiny, the results of which we cannot predict,” he said. We are currently “in the dark ages of information security”. The past year “was yet another year in which we were reminded we are losing this contest.” Hackers are “outgunning the industry – they’re winning by every possible measure.”

READ MORE

Defensive mindset

Yoran said a major problem was that the security industry “has adopted a defensive mindset. We’re simply building taller castle walls and digging deeper moats.”

Protecting digital perimeters and instituting preventative measures are not bad in themselves, but just limited. “By their very definition, these tools are incapable of detecting the threats that concern us most.”

He recommended a list of techniques to address security issues more effectively.

First, he said, stop believing advanced security methods work. “No matter how smart or high our walls, focused adversaries will find their way over, under, around and through. We must adopt pervasive and true visibility everywhere” to be able to see threats from the cloud level down to individual devices.

He warned against rushing to clean up compromised systems without understanding the full scope of attacks, because once people start to bring in protective measures, “you’re tipping [hackers] off to what techniques you’re aware of, and [telling them] what they need to bypass”.

People also need to focus on where weaknesses originate. Malware is involved in fewer than half of attacks, he said. Instead, hackers often obtain poorly managed and protected usernames and passwords. A recent study by Verizon indicated that 95 per cent of the time, attackers used stolen digital credentials – personal identity information – "and simply walked in the front door", Yoran said.

Email

Organisations need to engineer external threat intelligence into their security approach, too, to move quickly to address attacks. He advised organisations to “do away with PDF and email sharing of important intelligence information”, as these forms of communications can be easily hacked.

Finally, he advised organisations to “prioritise limited resources for maximum impact”. Think about what matters most to your organisation, and what data and infrastructure is mission critical, and focus defences there.

Yoran said the real issue to tackle when it comes to security, however, “is not a technology problem. It’s a mindset problem.” Systems can help map and manage business resources, but managing them isn’t enough.

RSA as well as the industry as a whole, can’t “continue to sail with existing maps even though the world has changed”, he said.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology