The 2014 RSA Conference From A to Z

ClearPath Forward | 4 minute read | Apr 10th, 2014

Over its 23-year history, the RSA conference in the USA has grown to become the largest gathering of security professionals in the world. The theme of the 2014 conference was “Share. Learn. Secure. Capitalizing on Collective Intelligence.”

In the spirit of sharing, learning, and securing, I offer here a few of the thought-provoking ideas from the conference.

Attackers: “Attackers aren’t smarter. It’s just easier to shatter crystal than to shape it.” ~ Kevin Mandia, Senior Vice President and Chief Operating Officer, FireEye

Bulk Data: Microsoft has never gotten an order from a Federal agency for bulk data. Microsoft only responds to requests for information about specific accounts, and the request has to have jurisdictional authority, because the location of data matters. ~ Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft

Consent of the Governed: The NSA did nothing unlawful in its surveillance; the program was approved by two Presidents and Congress and overseen by the FISA courts. But that no longer seems sufficient for consent of the governed. ~ General Michael Hayden, former Director of the National Security Agency and Director of the Central Intelligence Agency

Cryptography: “Cryptography succeeds when it’s no longer the weakest link.” ~ Quoted by Ron Rivest (Vannevar Bush Professor, MIT) in the Cryptographer’s Panel

Data Breaches: “Data breach is the only crime where you have to apologize for being a victim.” ~ Kevin Mandia

Evolution: “Magnetic tape in a pizza box being carried out the door was a security concern in the ’60s.” ~ Jim Bidzos, President and CEO, Verisign

Front Page Test: When information about a covert activity leaks and ends up on the front page, can the organization and the President explain it in a way the American people find acceptable? The NSA and other organizations don’t seem to apply that test any more. ~ Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States

HPPO: A way of resolving project disagreements: Highest Paid Person’s Opinion wins. ~ Peter Sims, author of Little Bets: How Breakthrough Ideas Emerge from Small Discoveries

Innovation: Managers think about what they expect to gain. Innovators think about what they can afford to lose. ~ Peter Sims

Intelligence Agencies: “All intelligence agencies around the world should do more to defend us and less to offend us.” ~ Art Coviello, Executive Chairman, RSA

_NSAKEY: A Windows Registry key that some bloggers thought proved that Microsoft was secretly in cahoots with the NSA. Microsoft’s unofficial response: “If we were secretly conspiring with the NSA, would we be so stupid as to call the key _NSAKEY?” Blogger response: “That’s what makes it so diabolical!” ~ Scott Charney

People: “People are the biggest vulnerability. It’s a bigger attack surface.” ~ Kevin Mandia

Plussing: A way of critiquing a project in positive terms. Pixar uses “plussing.” For example, initially Woody in Toy Story was a mean, angry toy. In the evaluation screenings, viewers expressed suggestions as, “I like it, and if …” (e.g., what if Woody were friendlier) rather than saying “I like it, but …” ~ Peter Sims

Quality Assurance: “Offensive software doesn’t go through QA, so it gets released faster than defensive software.” ~ Kevin Mandia

Security Awareness Metrics: There are two types of metrics: Deployment (e.g., 95% of the staff have taken the security awareness training) and Impact on Behavior (e.g., 70% of the staff were not fooled by a phishing attack sent to assess behavior a week after the training). Most organizations only collect the first metric. ~ Lance Spitzner, Training Director, SANS Institute
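To make the distinction concrete, here is an added example (not from the conference or from SANS) that computes both metrics from a constructed staff roster: the deployment metric (who completed training) and the impact-on-behavior metric (who was not fooled by the follow-up assessment phish). It also splits the behavior metric by training status, which is the comparison a program owner actually needs to show the training changed anything. The record fields, the 20-person roster and its outcomes are all invented for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class StaffRecord:
    """One staff member's training status and assessment-phish outcome (constructed data model)."""
    user: str
    completed_training: bool
    # Outcome of the assessment phish sent a week after training:
    # True = reported or ignored it, False = clicked or entered credentials.
    resisted_phish: bool


def _rate(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the group is empty (avoids ZeroDivisionError)."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def deployment_metric(records: Iterable[StaffRecord]) -> float:
    """Deployment metric: share of staff who completed the awareness training."""
    rows = list(records)
    return _rate(sum(r.completed_training for r in rows), len(rows))


def behavior_metric(records: Iterable[StaffRecord]) -> float:
    """Impact-on-behavior metric: share of all staff who were not fooled by the assessment phish."""
    rows = list(records)
    return _rate(sum(r.resisted_phish for r in rows), len(rows))


def behavior_by_training(records: Iterable[StaffRecord]) -> dict:
    """Behavior metric split by training status.

    A high overall resistance rate means little if the untrained group resisted
    just as often; the gap between the two groups is the evidence that the
    training, rather than something else, changed behavior.
    """
    rows = list(records)
    trained = [r for r in rows if r.completed_training]
    untrained = [r for r in rows if not r.completed_training]
    return {
        "trained": _rate(sum(r.resisted_phish for r in trained), len(trained)),
        "untrained": _rate(sum(r.resisted_phish for r in untrained), len(untrained)),
    }


# Constructed roster of 20 staff: user01..user19 completed training, user20 did not;
# user01..user14 resisted the assessment phish, user15..user20 were fooled.
SAMPLE: List[StaffRecord] = [
    StaffRecord(f"user{i:02d}", completed_training=(i <= 19), resisted_phish=(i <= 14))
    for i in range(1, 21)
]

if __name__ == "__main__":
    print(f"Deployment:        {deployment_metric(SAMPLE)}% completed training")
    print(f"Behavior (all):    {behavior_metric(SAMPLE)}% resisted the assessment phish")
    print(f"Behavior by group: {behavior_by_training(SAMPLE)}")
```

With the constructed roster the deployment metric is 95.0% and the overall behavior metric is 70.0%, the same headline figures used in the talk; the split shows 73.7% resistance among trained staff against 0.0% among the (single) untrained user, which is the number a program owner would report alongside the two headline metrics.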

Zero-day Threat: “We urgently need anti-malware that is intelligent enough to spot zero-day threats and block them.” ~ Art Coviello
