After opening remarks from John Lithgow, RSAC kicked off with a keynote from Dr. Zulfikar Ramzan, Chief Technology Officer, RSA entitled “Planning for Chaos.”
Ramzan centered his talk around making ripples and how a single event can have an effect across wide ranges. The common theme was “drawing connections, not lines.” He drove this point home by describing the effects of the 2011 Japanese earthquake and the ripple effects it created, the initial impact caused hundreds of deaths and thousands of injuries, but the ripple effect was much greater, with the aftershocks leading to tens of thousands of deaths, and subsequently leading to the meltdown of the Fukushima nuclear reactor, spilling radiation into the air, water, and ground. Ripple effects indeed.
Shifting to the cyber world, Ramzan commented on how it was proven that an SUV could be shut down remotely. He posed the question, “what happens when all cars become automated”? How about instead of stopping cars, the hacker speeds them up? Chris Young, from Intel Security, later mentioned that autonomous vehicles process over 4,000 GBs a day. To put that into context, that is approximately 800 HD movies a day. Young mentioned the issue isn’t so much the big data processing, but instead it is sweating the small stuff, and the small pieces of data that drive these large data sets. Young describes the weaponization of data. He asked, “what happens when small pieces of data are changed, or weaponized, in traffic control systems”? What’s the effect when all vehicles are autonomous?
The connections continue to grow, automation continues to grow. This connectedness and automation has great business potential, improving bottom-lines and efficiency. Employees can do work from anywhere, this can be seen as network boundaries go behind the office. More employees are working from home or remote locations, maybe a Starbucks down the street. So what’s connecting to those dispersed network, and are they safe?
This is a topic that can be seen throughout RSAC and isn’t limited to autonomous vehicles, it can be directly correlated to the Internet of Things (IoT) which certainly draws connections. The Mirai botnet attack showed the effect of weaponizing IoT. In fact, the Target right across the street has an “open house” (http://openhouse.target.com/) store which has on display various household IoT devices, including a programable dog food-dispensing bowl, a self-rocking cradle, and a smart soccer ball. Chris Young explains how these devices, or targets (no pun intended) can become cyber weapons. So what, you might ask. Is it just the fact that Lucky might get fed too much dog food and gain a few pounds? Maybe, maybe not. What happens when these devices can be used to then steal data from other connected devices or shut them down? What if this device is an employee’s laptop, or maybe now you can tell when someone is home and when they’re away? While it is important to know that your milk is expired and you can save that extra trip to the grocery store, consider its connectedness.
So what does this all mean for businesses? Ramzen mentions taking a step back and thinking in business-driven security. This means taking risk into account, and developing “what if” scenarios. Ramzen recommends simplifying what you can control, and planning for chaos through the ABC’s Availability (having resources ready), Budgeting (preparing and allocating budget for practicing and testing security), and Collaborating (working with other sources and gathering intelligence and lessons learned). These “what if” scenarios are extremely important in examining risk and disruption to the business. This means controlling and securing company owned devices, locking down networks, and potentially disconnecting a bit. At its heart many of these security concerns can be solved and mitigated through some basic best practices that have been described for years. This gets back to device and inventory control, network access control, and securing how data traverses your network. This means truly segmenting networks, locking down services and knowing what’s in your environment at all times.
A common theme throughout the conference is collaboration. This means reaching out to others and working with other like-minded organizations and security organizations to assess and redesign, if necessary, systems, while keeping the business upfront. This effort isn’t a single exercise, and should be continually evaluated and assessed. Devices are not becoming more secure, just more connected, we need to work together to ensure this connectedness does not affect the business.
