Learning About New Attack Techniques at RSAC 2015

Posted on by Tony Kontzer

A funny thing happened on my way to a session at the RSA Conference Tuesday. Long before I got there, and as I was checking messages on my phone, I nearly walked right into the back of a line. But for what? There were hundreds of people standing in line in the concourse, and hundreds of others rifling through their conference guides trying to figure out what all of the hubbub was.

[Photo: Lines at RSAC 2015]

I smelled a story. Or at least something that hundreds of people thought was important enough. Being the faithful guide I promised to be, I asked someone in line what the heck everyone was waiting for. Surely there was food at the end of it. Or maybe an iWatch giveaway. Or at least a CISO smackdown. Nope. It was a session on new attack techniques.

It's the kind of session I usually avoid because, not being a security guy myself, the shop talk goes directly over my head. But in this case, I am glad I followed the crowd. What I was treated to was a panel of the most energetic, fast-talking security geeks in the universe. Their job? To tell you about the most dangerous new threats out there.

First up was Ed Skoudis, CEO of CounterHack Challenges, which designs and operates challenges that help organizations identify people with interest, potential, skills and experience in security. Skoudis outlined a few types of attacks he's seeing become more prevalent. Among these was the so-called "dribbling data breach," in which the bad guys steal data and, instead of holding onto it or dumping it into the black market, they dribble it out in little pieces, a la the recent Sony breach.

"The reason this is more damaging is that the organization doesn't really know how to respond," said Skoudis. "It's much harder for us to deal with."

Skoudis subsequently spooked many in the audience (well, me, anyway) by talking about threats to the Internet of Toys. This is the growing population of Internet-connected toys parents are handing to their children, and which present a surprising number of vulnerabilities that can be exploited. Let me summarize by saying this: The next time your kid sets a doll on fire, it may not be her fault. It's quite possible that a persistent attacker caused the thing to overheat. You decide whether that is more disturbing than the possibility of the same doll blurting out a string of swear words (another possibility Skoudis brought up).

In all seriousness, though, corporate IT people might be interested in Skoudis' larger concerns about the vulnerabilities inherent in the Internet of Things, which he says have been made much more attractive by the bring-your-own-device explosion. "If you don't know it's there, you can't protect it," Skoudis said.

Then Johannes Ullrich, dean of research at the SANS Institute, added to the creepiness factor by talking about how cryptography has become the "frenemy" of security. It seems that bad guys, who had already become adept at engineering desktop crypto ransoms, have begun doing server-side crypto ransoms. Ullrich told of companies that had detected intruders encrypting their data and figured that was a good thing, until suddenly the encryption keys disappeared and their websites displayed a message about a ransom to get the data back.

Next up was Michael Assante, director of industrial control systems at the SANS Institute, a well-known expert in assessing vulnerabilities in and threats to such systems. Assante says he's seen ICS threats progress from walk-ins, where the perpetrator introduces the threat with a physical device such as a memory stick, to delivery techniques such as spear phishing and water holing, which is like spear phishing without the need for social engineering.

As if all this isn't enough to make companies nervous, perhaps Ullrich's parting words of advice for security folks will do the trick. "Think scalability," he said. "Your network is not going to get smaller."

Translation: Unless you greatly expand your security capabilities, it's only going to get worse. Of course, given that most of you were probably in line for the session, you already knew this.
