#RSAC2019: Reflections from the RSA Conference, Then and Now

Fourteen years after I attended my first RSA conference, I find many of the concerns more than a decade ago eerily similar to what is discussed today.

As my journey at #RSAC2019 has come to an end, I can't help but look at back to 2005 when I first attended RSA and gave a theater presentation. Back then, RSA had a record attendance of roughly 13,000 people. This year, attendance was roughly 42,500.

What struck me this year was that despite attendance growth and the increased attention on cybersecurity since 2005, I could give the same presentation I gave back then today.

Cooperation and communication never go out of style

My presentation in 2005 was top 10 things an organization can do to reduce risk. Specifically, I drilled in on the importance of cooperation between business units.

At that time, I had recently performed a security assessment for an organization in which it became clear that none of the business units communicated effectively with one another, whether it came to projects, vendors or employees. Unfortunate findings from the assessment included:

• Projects did not have security built in;
• Business units were not assessing vendor implementations; and
• HR and IT were not communicating when an employee left, which meant old accounts were not being removed from the organization's systems.

Today we see the same lack of cooperation, communication and processes. When I talk about security transformation, this is an area I bring up over and over and over.

Even more so than in 2005, organizations must adopt corporate and agile governance, policy alignment and key performance indicators. As the famous management consultant, educator and author Peter Drucker was often quoted as saying: "You can't manage what you can't measure."

Regulations take on larger meaning

Top of mind in 2005 was US federal data privacy laws, including the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

At that time, just as is the case today, federal regulations were driving executive interest in cybersecurity.

And the narrative hasn't changed.

Just think of the high-profile regulations that have passed since 2005. For instance:

• The Cybersecurity Enhancement Act of 2014;
• The 2015 Cybersecurity Information Sharing Act (CISA); and
• the EU General Data Protection Regulation (GDPR), the most important change in data privacy regulation in two decades.

In addition to these federal regulations, all US states have now enacted their own security breach laws requiring consumer disclosure when personal information is compromised, among other requirements.

Hardware was written on the wall

In 2005 people were concerned about security issues in hardware.

Fast forward to 2017 when we were introduced to Meltdown and Spectre vulnerabilities. What makes these vulnerabilities so horrible is their combination of depth and breadth; they apply to nearly every computing platform we use every day, and when successful, they allow the attacker to access your most valuable data.

Then in 2018 there was Intel's vulnerability in the Active Management Technology (AMT). Leaving AMT in an unknown, un-configured state leaves an enterprise environment vulnerable in many ways to very simply executed attacks. Once compromised by an attacker, any of AMT's features can be accessed, most notably:

• Remote power state changes (on, off, reboot);
• IDE redirection (boot to remote media designated by the attacker);
• VNC connections without user knowledge, which enables full control of the machine; and
• Full access to any network the endpoint is able to access.

Once those features are available, any number of attacks could take place, including remotely configuring AMT. The organization's AMT could even be updated to the attacker's own AMT configurations. Once one machine is compromised, essentially every client is compromised as well.

Some things never change… but we can

Other issues security practitioners had their eye on in 2005 persist today. For instance, back then advanced SQL injection into Oracle databases was a hot topic. Fourteen years later we're still talking about SQL injection, with injection being the number one most critical web security application risk.

The good news is we already know the solutions to these issues. It's simply on us to put strong governance, risk, compliance and security architectures into practice.

Security threats will always exist. But, with RSA conference attendance more than tripling since I went in 2005, I come back from #RSAC2019 knowing that even though the number of security incidents has increased, so too has the number of professionals ready and willing to do the hard work that's needed to combat them.