RSA President Rohit Ghai on 'The Human Element'
CISOs Need to Share Their Success Stories
While the cybersecurity industry has increasingly focused on the roles artificial intelligence and machine learning can play in thwarting attacks, the humans behind the algorithms remain both points of strength and weakness, says RSA President Rohit Ghai, who kicked off the Tuesday keynote presentations at the RSA 2020 conference in San Francisco.
Data breaches and cyberattacks create headlines and drive stories of security incompetence, irrespective of all the times when cybersecurity professionals help thwart or mitigate these incidents, Ghai says. That's one reason the theme of the conference is "The Human Element."
Ghai offered lessons learned from the 2018 ransomware attack against Atlanta, which ended up paying over $17 million for clean-up and recovery after deciding not to give in to the attackers, who had originally demanded a ransom of $51,000 in bitcoin to unlock the systems.
Ghai says the important point to remember is that the attackers did not achieve their financial goals, and the city, in turn, implemented better back-up and recovery systems.
"We don't have to win for the attackers to lose," Ghai says. "When we deny the attackers financial gain, they lose, since 70 percent of them are financially motivated. … In response to the attack, the city built a robust business continuity plan as part of their integrated risk management program. They realized that winning is not avoiding cyberattacks but business resiliency."
Ghai also addressed the expansion of the attack surface as a result of creating applications that do not take security into consideration during the development and production phases. This issue has been magnified by the growing use of cloud-based technologies, such as containers, microservices and open source orchestration tools (see: Next Cloud Security Challenge: Containers and Kubernetes).
"Yes, we need to continue to educate the users, but it is time to invite IT to our story as primary characters acting as the first line of defense," Ghai says. "This is especially true in the world of edge computing, where this is pervasive, and the advent of DevOps, where the speed of software development is increased along with vulnerabilities."
RSA's New Owner
Ghai only briefly addressed the pending sale of RSA to private equity firm Symphony Technology Group (see: Dell to Sell RSA to Private Equity Firm for $2 Billion).
He reassured customers and partners that RSA would continue to support and work with them, but he did not offer specifics on how the company would move forward under new ownership.
In another keynote address, McAfee CTO Steve Grobman pointed out that unpatched vulnerabilities remain a major problem.
He noted that the EternalBlue vulnerability within Windows, which led to the WannaCry ransomware attack of 2017, still remains one of the top vulnerabilities that McAfee researchers see exploited by attackers because many Windows devices remain unpatched nearly three years later.
Grobman also pointed to a newer vulnerability known as Curveball or Chain of Fools. It's a flaw in Windows that can allow an attacker to trick systems into thinking that certificates have been signed by a trusted authority. It can also be used to mount man-in-the-middle attacks.
All it takes to exploit the Curveball vulnerability is about 10 lines of code, Grobman says.
If prompt patching is already proving challenging, Grobman warns, the industry certainly will not be ready to address far more significant emerging challenges, such as attackers leveraging quantum computing.
Grobman noted that the federal budget for quantum computing research is only $30 million, despite the potential national security threat posed by bad actors leveraging the technology.
"We need quantum-resistant algorithms as soon as possible," Grobman told the RSA audience.
Time for a New Model
In a final nod to the “human element” theme, Wendy Nather, the head of advisory CISOs at Duo Security, which is part of Cisco, noted that security professionals can't control what the end user is doing, including clicking on malicious links.
What's needed is a better way to design security into all processes, Nather says. "We are trying to secure with an unsustainable model, and it's time to break it and put it back together."