Insights from RSA Conference 2022

Banners advertising cybersecurity on houses, buses and everywhere. The city of San Francisco talks security in the week of RSA Conference. The event itself is really huge, with many tracks in parallel. I even got lost once at the expo, which seems to be twice the size of the German it-sa. But I had to refill my stock of pens anyway after the break in in-person events caused by Corona 😉
However, I did not only bring home pens and shirts, but also the new insights described in this article.

Threat Modelling made easy

Threat modelling often fails because the methods are too complex. Alyssa Miller, one of the authors of the Threat Modelling Manifesto, pointed out in her presentation that threat modelling can be easy and that everyone is able to do it. We already do it every day, for example when deciding whether to wear a mask at the conference or not. She also showed with the example in the picture above how natural language can be used to simplify threat modelling. At this point I was reminded of the threat modelling requirements from the automotive cybersecurity standard ISO/SAE 21434 and wondered whether they might be too detailed (cp. the anti-pattern “Tendency to Overfocus” from the Threat Modelling Manifesto). I will give this some more thought later on. There is definitely a tendency to focus (too?) much on details and methods in automotive TARA (Threat Analysis and Risk Assessment).

Privacy on the rise, but still a way to go

Privacy is definitely on the rise, also at RSA Conference. There was a keynote with the Chief Privacy Officers (CPOs) of Google and Apple, and they pointed out that privacy has the highest attention in their companies. But imho there is still a way to go, and most tech giants (except Apple) are struggling with the practical implementation because their business model does not fit well with privacy. Google’s CPO Keith Enright mentioned consent as the gold standard. I disagreed in my presentation because “Consent on Everything” is often misused to legitimize the processing of personal data. That’s why it became risk #4 of the updated OWASP Top 10 Privacy Risks.

Bruce Schneier’s new book

Bruce Schneier presented contents of his new book, which will be published in January. It’s about hacking, but not only about IT hacks. It covers cheating on systems and laws in general, like the tax system or emission regulation, and how AI could speed up finding such hacks. There is more information on his talk in this article.

Business Information Security Officers needed

Nicole Dove pointed out that BISOs (Business Information Security Officers) are on the rise and are needed to support business teams in implementing cybersecurity. They should move from a “NO” to a “YES, and” attitude to get better results. There is also a video with Nicole in which she talks about the role of the BISO.

Cybersecurity Workforce Gap

The cybersecurity workforce gap and how to address it was the topic of several presentations. Bryan Palma proposed in his keynote “Soulless to Soulful: Security’s Chance to Save Tech” to come up with new ideas and to collaborate across company borders to close the workforce gap. He proposed the new campaign “I do #soulfulwork” because for many employees it is important to do something good and valuable in their work, which is definitely the case in the area of cybersecurity.

Disinformation

The closing keynote “The Hugh Thompson Show” started out very funny, only to later discuss one of the most serious topics in today’s world: disinformation and how it threatens our democratic values. The panelists proposed several ideas on how to address it, but in the end they pointed out that education and awareness will be key to being able to challenge (fake) news and validate sources. They also recommended talking to each other in real life and not only on social media.

Are parents better security managers?

It has been a while since I last posted here, but my family and my job kept me quite busy. Especially my role as information security officer in my company, with a successful ISO 27001 certification, took a lot of effort over the last couple of months.

Anyway, new ideas regarding security and privacy are popping up in my head all the time, and I am glad to find this moment to write one of them down and spread it.

This post is about a topic that I have been thinking about for quite a while now. Being the father of a 2-year-old son, I see quite some similarities between parenthood and security management, and I even think that being a parent has also made me a better information security manager because I stay calmer in difficult situations like incidents.

As parents you have a lot more situations to deal with that need an urgent response to some kind of incident, like overfull diapers or your kid running towards the busy street, and you learn to stay calmer. You also sharpen your sense for what could go wrong – I call it my daily risk analysis. I regularly have to judge what my kid(s) can do, like climb somewhere or play outside by themselves, and what I want to (try to) prevent them from doing, like running onto the street, by telling them not to do it and/or locking the fence.

As a parent, just like in the role of an information security manager, you will not be able to mitigate all risks, because kid(s) should not be overprotected and parents do not have the time and energy to control everything. Also, there are other stakeholders you have to consider, like your partner or your employer, who might have different thoughts on how much protection or time your kids need.

This is very similar in a business environment. You will usually not be able to mitigate all information security risks because cost and effort would be too high, and too much restriction might have a negative impact on your business. Also, time and resources for information security are limited, so that controls have to be prioritized according to the risk level.

But finally there is one huge difference: when raising kids, parents have to deal with a lot more safety issues than an average information security manager. And what is one of the most important things you learn in your information security education? Safety (protection of human lives) is always more important than security 😉

Voices from it-sa

I was at the biggest German security expo and congress, it-sa, last week. One of the highlights was definitely the speech of Edward Snowden (German report), in particular because the European Court of Justice had declared Safe Harbor invalid two days earlier. I gave a presentation about the OWASP Top 10 Privacy Risks and a radio interview for Deutschlandfunk about the importance of a holistic approach to information security. Furthermore, heise TechConsult published an interesting study with 5 Steps for IT Security (in German) and recommends that companies spend 1% of their turnover on information security.

Cybercrime affects Germany most

According to the study Net Losses – Estimating the Global Cost of Cybercrime, published by the Center for Strategic and International Studies (CSIS), Germany loses 1.6 percent of its gross domestic product (GDP) to cybercrime. This is more than in any other country. Second is the Netherlands with 1.5 percent, followed by Norway and the USA with 0.64 percent each. One reason for Germany’s high loss figures could be the recent efforts to collect and publish cybercrime incidents, but of course also a lack of security measures in German companies.

Environmental Risk #1: Air Pollution

The World Health Organization (WHO) recently published a report with new figures on the number of people who die because of air pollution each year: 7 million worldwide – most of them due to stroke and heart and lung diseases.

This is more than twice as high as previously estimated, and thus air pollution is now the biggest environmental health risk. Even in Europe, 600,000 deaths are linked to pollution according to the WHO study, and the German SPIEGEL reports that particulate matter pollution in some German cities like Berlin or Leipzig is significant.

Of course pollution is not a direct risk to data centers or IT equipment like an earthquake or a flood, but it has a significant influence when it comes to sustaining one of the most important resources for IT: skilled people. Pollution already influences decisions about whether to outsource IT to certain countries, especially in Southeast Asia. It becomes harder to find employees from Western countries who are willing to build up a subsidiary or manage partners in these countries if there is significant pollution in the area.

And pollution might even be a risk to IT operations in case administrators are not able to leave their homes due to high pollution when critical maintenance has to be done on-site. So pollution definitely becomes a topic for information security considerations, and a gas mask might be standard equipment in your future emergency kit.

Tips against governmental surveillance

Many people currently ask what to do against governmental surveillance (NSA spying), and some managers even think that standard security measures are useless because “the NSA has access to everything anyway”. But there are other attackers besides secret services, and there are also things you can do against governmental surveillance. Here is my list of the most important things to consider:

  • Use encryption. The NSA is not able to read all encrypted data with reasonable effort, and if you use the algorithms and key sizes recommended by ENISA you are quite secure. Furthermore, there are tools for anonymized internet browsing like Tor and JonDo.
  • Choose European IT companies instead of US IT companies. It will not only help to lower the likelihood that your data leaks to the NSA, but also put some economic pressure on US companies. US companies themselves will demand restrictions on governmental spying if they lose a significant number of customers or users.
  • Blow the whistle if you are aware of governmental backdoors in products or systems, unlawful eavesdropping or even attempted blackmailing. Media companies like the German SPIEGEL have set up guidelines for informants, and sometimes whistle-blowing is the only way to point out serious deficits. But prepare to run and leave your family 😉
  • Request independent audits and product certifications that prove the absence of data leaks to governmental bodies. Choose trusted auditors.
  • Continue securing your assets, because as a security consultant or manager you are mainly defending the reputation of your company. The NSA would not publish that they hacked your company. But if your customer data gets published or sold by cyber criminals, you will get huge media attention, and this will damage your reputation and possibly your shareholder value. Furthermore, you also have to comply with laws and regulations.

Note: There are governments of other countries besides the USA that have powerful secret services and support spying on private and company data and internet traffic without providing transparency. Everyone has to decide for themselves whom they trust, and to what extent eavesdropping is acceptable and helpful in fighting terrorism.