Over its 23-year history, the RSA conference in the USA has grown to become the largest gathering of security professionals in the world. The theme of the 2014 conference was “Share. Learn. Secure. Capitalizing on Collective Intelligence.”
In the spirit of sharing, learning, and securing, I offer here a few of the thought-provoking ideas from the conference.
Attackers: “Attackers aren’t smarter. It’s just easier to shatter crystal than to shape it.” ~ Kevin Mandia, Senior Vice President and Chief Operating Officer, FireEye
Bulk Data: Microsoft has never gotten an order from a Federal agency for bulk data. Microsoft only responds to requests for information about specific accounts, and the request has to have jurisdictional authority, because the location of data matters. ~ Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft
Consent of the Governed: The NSA did nothing unlawful in its surveillance; the program was approved by two Presidents and Congress and overseen by the FISA courts. But that no longer seems sufficient for consent of the governed. ~ General Michael Hayden, former Director of the National Security Agency and Director of the Central Intelligence Agency
Cryptography: “Cryptography succeeds when it’s no longer the weakest link.” ~ Quoted by Ron Rivest (Vannevar Bush Professor, MIT) in the Cryptographer’s Panel
Data Breaches: “Data breach is the only crime where you have to apologize for being a victim.” ~ Kevin Mandia
Evolution: “Magnetic tape in a pizza box being carried out the door was a security concern in the ’60s.” ~ Jim Bidzos, President and CEO, Verisign
Front Page Test: When information about a covert activity leaks and ends up on the front page, can the organization and the President explain it in a way the American people find acceptable? The NSA and other organizations don’t seem to apply that test any more. ~ Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States
HPPO: A way of resolving project disagreements: Highest Paid Person’s Opinion wins. ~ Peter Sims, author of Little Bets: How Breakthrough Ideas Emerge from Small Discoveries
Innovation: Managers think about what they expect to gain. Innovators think about what they can afford to lose. ~ Peter Sims
Intelligence Agencies: “All intelligence agencies around the world should do more to defend us and less to offend us.” ~ Art Coviello, Executive Chairman, RSA
_NSAKEY: A Windows Registry key that some bloggers thought proved that Microsoft was secretly in cahoots with the NSA. Microsoft’s unofficial response: “If we were secretly conspiring with the NSA, would we be so stupid as to call the key _NSAKEY?” Blogger response: “That’s what makes it so diabolical!” ~ Scott Charney
People: “People are the biggest vulnerability. It’s a bigger attack surface.” ~ Kevin Mandia
Plussing: A way of critiquing a project in positive terms. Pixar uses “plussing.” For example, initially Woody in Toy Story was a mean, angry toy. In the evaluation screenings, viewers expressed suggestions as, “I like it, and if …” (e.g., what if Woody were friendlier) rather than saying “I like it, but …” ~ Peter Sims
Quality Assurance: “Offensive software doesn’t go through QA, so it gets released faster than defensive software.” ~ Kevin Mandia
Security Awareness Metrics: There are two types of metrics: Deployment (e.g., 95% of the staff have taken the security awareness training) and Impact on Behavior (e.g., 70% of the staff were not fooled by a phishing attack sent to assess behavior a week after the training). Most organizations only collect the first metric. ~ Lance Spitzner, Training Director, SANS Institute
Zero-day Threat: “We urgently need anti-malware that is intelligent enough to spot zero-day threats and block them.” ~ Art Coviello