It is now day three at the RSA conference and our Tripwire team have been busy attending some insightful sessions to share with you. The morning started off with a session from our very own Dwayne Melancon and other key influencers in the growth of the DevOps movement.
We’ve also had great turnout at our booth for our mini-sessions, as well. Kelly Kingman has also been quite a hit creating real-time visualizations at some of our presentations. Watch the video below to see her in action:
And here’s the final piece:
DevOps/Security Myths Debunked (ASEC-W03)
Session Abstract: As DevOps has become more popular, a lot of myths have arisen with regards to security and many opponents claiming that you can’t do security in a DevOps environment. This panel addressed a number of those myths and demonstrated how you can embrace DevOps and maintain the appropriate security profile for your organization.
Moderator: Dwayne Melancon, Chief Technology Officer, Tripwire (@ThatDwayne)
- David Mortman, Chief Security Architect and Distinguished Engineer, Dell (@mortman)
- Gene Kim, Author, IT Revolution (@RealGeneKim)
- Josh Corman, CTO, Sonatype (@joshcorman)
- Nick Galbreath, Vice President of Engineering, IPONWEB (@NGalbreath)
Anthony M. Freed (attendee): “This is a tough session to review in the sense that I am not the target audience, as I have become a fan of the concepts behind the DevOps movement, and how the idea of a rapid (and in some cases relentless) deployment in smaller increments than is most commonplace can actually improve operations tremendously and spur more innovation, and that the notion that this would undermine security is not really valid. It was a great follow-up to last year’s session with the same panel, who along with the moderator, can be considered some of the most important influencers in the DevOps movement. If you want to learn more about DevOps, just go get Gene Kim’s book “The Phoenix Project” co-written with Kevin Behr and George Spafford – it’s a great place to start.”
Key takeaways from the session:
- Corman: “Complexity is the enemy of stability, as well as security.”
- Mortman: “More deploys a day is a ‘red herring’ for DevOps – it’s about sharing, not deployment.”
- Kim: “More control in configuration changes and testing may not be the answer.”
- Galbreath: “You can’t do security without having your house in operational order.”
Cybersecurity Framework: A Practical Guide to Manage Cybersecurity Risk
Session Abstract: The Cybersecurity Framework offers a prioritized, flexible, repeatable, performance-based and cost-effective approach to managing cyber risk based upon industry standards and best practices. Hear the practical aspects of using the voluntary Framework, such as business unit engagement, target profiles, and benefits and potential challenges from government and private sector perspectives.
- Robert Kolasky, DHS Lead for the Integrated Task Force, US Department of Homeland Security
- Samara Moore, Director for Cybersecurity Critical Infrastructure, National Security Staff / The White House
- Chris Boyer, Assistant Vice President – Global Public Policy, AT&T Services Inc.
- Kevin Stine, Manager, Security Outreach and Integration Group, National Institute of Standards and Technology
- Roberta Stempfley, Acting Assistant Secretary, Office of Cybersecurity and Communications, Department of Homeland Security
- Ronald Ross, Supervisor, Cyber Security, FirstEnergy Corp.
- Scott Saunders, Information Security Officer, Sacramento Municipal Utility District
Anthony M. Freed (attendee): “This was one of the sessions I really wanted to see this week, and had hopes that the great panels and moderators would at the very least delve into some of the most pressing concerns around the recently released NIST Cybersecurity Framework (CSF), but the session was disappointing. It was about as informative as a brochure, and a small brochure at that. It seemed the panel was most concerned with reiterating that the CSF was not intended to be a new standard, but a flexible set of guidelines to get critical infrastructure stakeholders all pointed in the right direction. They really missed an opportunity to discuss how they intended to incentivize early adopters and encourage meaningful participation on a voluntary basis, as well as concerns over the cost of participation. They also failed to define what success would look like, as in what percentage of critical infrastructure entities should be participating in 3, 5, or 10 years, or how they should measure the improvement in security for those participants. Overall, it was not very informative.”
Buy Candy, Lose Your Credit Card – Investigating PoS RAM Scraping Malware (HTA-W01)
Session Abstract: In today’s economy debit/credit card transactions have replaced cash. Payment cards are quick, convenient and secure. PCI-DSS policies dictate card data must be encrypted if it is transmitted/stored. The Trackr malware family circumvents PCI-DSS compliance by scraping the RAM of PoS systems for card data. Trackr targets the back-end servers that process, store and transmit card data.
- Chester Wisniewski, Senior Security Advisor, Sophos (@chetwisniewski)
- Numaan Huq, Senior Threat Researcher I, Sophos Inc.
Katherine Brocklehurst (attendee): “The session began with a discussion on how PCI standards lead to an acceleration in malware criminal innovation. The rundown of innovation in credit card fraud and deterrents went like this:
Stage 1: “Rubs” – This is where a carbon-copy rub would occur to allow the information to be stolen. Due to this method, the CVV code was created for the back of the card, instead of the magnetic stripe.
Stage 2: “CVV2” – Here there are two different CVV codes, one on the back and the other in the magnetic stripe. The ‘special code’ on the back of credit cards is a different one than the one printed on the back of the card. CVV codes are especially used for ‘Card not Present’ type of transactions. At this point, pinhole cameras installed at the PoS would capture the swipe of the card and often could catch the CVV.
Stage 3: “Chips” – This is really where we’re at now and these special encrypted chips embedded in the card are recommended for all credit card transactions.
“Usually, the theft of credit card information will be used to buy gift cards or prepaid credit cards–an easy way to get cash and monetize the CC information. Other times, they’ll buy high quality brands, like Apple, which have a higher resale (about an 80% monetization). Some want to try to duplicate the card and write the information onto a false card with a valid magnetic stripe that they can use for purchases.”
“In terms of malware, no specific clear method is known for how exactly the malware gets onto the PoS, most of which run XP. Although XP is being officially retired from support in April by Microsoft, there are still two more years for embedded XP, commonly seen in all sorts of PoS scanning devices. Getting malware onto the devices is guessed to be from spear phishing because ultimately, in order to make use of the malware on the PoS, the hackers have to have administrator rights.”
A few final cool finds about the malware itself, from looking at the code of several samples:
- Hackers have begun to encrypt malware to make it tougher to reverse engineer, including anti-debugging in the case that reversing is being attempted. It will trigger a self-destruct before the researcher is able to get much insight.
- Curiously, the malware is delivered via an MSI, a Microsoft Windows Install wizard. My opinion is it might infer all sorts of ideas on how this could be used by someone with administrator credentials.
- The payload comes as a self-extracting file that extracts with a different footprint each time to avoid whitelisting defenses.
- Exfiltration is typically done by HTTP Post, FTP, and potentially TOR.
- Once in place, the malware reports back periodically and authenticates to its server. It can download new versions, updates and patches. If things go wrong, it can initiate auto-death. It reports on OS version, name of logged in user, bot code version, base64 copy of the CC number, and even the PHP version if used. Clearly, the hackers have a sense of humor because the PCI version was 3.33.
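The beacon described above carries a base64 copy of the card number over HTTP POST, which gives an egress monitor something concrete to look for. The following is an added example (not code from the session or from Sophos) of a simple outbound-traffic check: it scans POST bodies for base64 runs that decode to a Luhn-valid primary account number. The sample POST bodies are constructed for the example; the Luhn algorithm and base64 are standard.

```python
import base64
import re

# Constructed sample of outbound HTTP POST bodies (not captured malware traffic).
# The first mimics a scraper beacon: OS, user, bot version and a base64 PAN.
# "NDExMTExMTExMTExMTExMQ==" is base64 of the well-known test PAN 4111111111111111.
SAMPLE_POSTS = [
    "os=WinXP&user=posadmin&ver=1.2&data=NDExMTExMTExMTExMTExMQ==",
    "os=WinXP&user=posadmin&ver=1.2&data=aGVsbG8gd29ybGQ=",   # base64 of "hello world"
    "status=ok&uptime=3600",
]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")          # 13-19 digit runs, not inside longer runs
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")         # base64-looking runs long enough to hold a PAN


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters random digit runs from likely card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def decode_candidates(body: str) -> list:
    """Decode every base64-looking run that is valid base64 and plain ASCII."""
    decoded = []
    for m in B64_RE.finditer(body):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):   # bad padding/length or binary content
            continue
    return decoded


def scan_post_body(body: str) -> list:
    """Return Luhn-valid PANs found either in the clear or inside base64 fields."""
    hits = find_pans(body)
    for dec in decode_candidates(body):
        hits.extend(find_pans(dec))
    return hits


def flagged_posts(posts: list) -> list:
    """Pair each suspicious body with the PANs it carries; clean bodies are dropped."""
    return [(body, scan_post_body(body)) for body in posts if scan_post_body(body)]
```

In practice the same check belongs on a proxy or IDS that already sees POST bodies leaving the cardholder environment, and a hit should be treated as an incident indicator rather than as proof on its own.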
Implementing a Quantitative Risk-Based Approach to Cyber Security (STR-W01)
Session Abstract: A risk-based approach to cyber security can yield credible estimates of annualized expected losses under different security policies. These estimates can take account of abrupt changes in attacker behavior, damage to intangibles and future vulnerability exploits. They can be used to determine defensive priorities and to justify security budgets. This talk lays out a five-phase program.
Speaker: Scott Borg, Chief Executive Officer, US Cyber Consequences Unit
Tim Erlin (attendee): Scott Borg presented a method for developing a quantitative risk analysis result without relying on the complex statistical methods that often result in failure, and the incorrect conclusion that quantitative risk analysis isn’t possible. The general process, which he presented in good detail, starts with mapping how an organization creates value, then assessing threat, vulnerability and consequences across that map. The overall message that we shouldn’t let the perfect be the enemy of the good in quantitative risk analysis was well received. Ultimately, a credible result that the CFO can understand will help drive effective countermeasures, not necessarily technical controls, in a cost-prioritized manner.
The Dark Web and Silk Road (HT-T07)
Session Abstract: The Government’s widely reported investigation of Silk Road has generated interest in the functioning of the “dark web” as a market place for illegal goods and services. This presentation discussed underground websites and certain publicly disclosed aspects of the Silk Road investigation.
Speaker: Thomas Brown, Deputy Chief for Cyber, U.S. Attorney’s Office, Southern District of New York
Edward Smith (attendee): “In this session Thomas Brown walked attendees through the process of identifying the alleged administrator of the illicit Silk Road ecommerce site, which quickly led to the site’s demise. First, Brown explained two high-profile technologies that enable the Dark Web: Tor and Bitcoin. Interesting to note that the “beta” of Tor was originally a project by the U.S. Naval Research Laboratory. As for Bitcoin, the price has fallen dramatically with the recent closure of the Bitcoin exchange site Mt. Gox that occurred this week.”
“Next, Thomas went on to explain how the alleged mastermind behind Silk Road, Ross Ulbricht AKA Dread Pirate Roberts, made several mistakes in concealing his identity—such as posts on public Internet forums connecting his real name to Silk Road. After the FBI arrested Ulbricht and confiscated data from the site, they discovered that the site enabled more than 1.2 million transactions for 150,000 unique buyers resulting in 1.2 billion dollars in revenue (and 80 million dollars in commissions for the site’s operator).”
“At the end of the session, Brown made an appeal for help from the cybersecurity community to assist the FBI in combating dark web sites like Silk Road with the promise of respecting the privacy and intellectual property of companies. Since the topic involved an ongoing criminal investigation, there was no Q&A following the session. My key takeaway from this session is the age old double-edged sword of technology—Tor and Bitcoin enable privacy and efficient e-commerce for the greater good, while also providing criminals with an easy way to escape the law.”
Redefining Identity in the Age of Intelligence-Driven Security (KEY-T01)
Session Abstract: Identity lies at the heart of online security—determining what we are able to access and how—but the rapid growth of cloud, social and mobile technology is pushing how we protect and manage identity to the breaking point. Those same technologies combined with the insight of Big Data, however, point the way to how we can redefine and recreate identity for the Age of Intelligence-Driven Security.
Speaker: Arthur W. Coviello, Executive Chairman, RSA
Sarah Wilson (attendee): “Arthur Coviello of RSA challenged governments around the world to adopt the following four principles pertaining to information security:
1. Renounce cyber weapons
2. Cooperate in the investigation and prosecution of cyber security crimes
3. Ensure economic activity and intellectual property rights
4. Ensure privacy
Coviello also challenged all of us in the security industry to advocate for these principles.”
Security Principles Versus the Real World (CISO-T07)
Session Abstract: Years ago, Saltzer and Schroeder identified a set of security principles meant to guide security design. Today, with computer security more important than ever, the question at hand is how these principles align with the real world (or don’t). This panel challenged academia (Matt Bishop) and security gurus (Marcus Ranum) against the real world CISOs from Aetna and Visa in a knockdown drag out fight.
Moderator: Gary McGraw, Chief Technology Officer, Cigital (@cigitalgem)
- Eugene Spafford, Executive Director of the Center for Education and Research in Information Assurance and Security (CERIAS) and Computer Sciences Professor, Purdue University (@TheRealSpaf)
- Jim Routh, CISO, Aetna
- Keith Gordon, Information Security & Risk Management Executive, Capital One
- Marcus Ranum, Chief Security Officer, Tenable (@mjranum)
Sarah Wilson (attendee): “This session was a lively debate between practice and principles in security. The debate highlighted the difficulties companies face trying to balance demands of the business (delivering value quickly) and the demands of security (which are challenging and time consuming). A key takeaway was the need for compromise using risk weighted decision making. I also really liked a quote from Eugene Spafford of Purdue University in which he said that security experts need to ‘avoid telling people what they can’t do and instead tell them how to do it securely and correctly.'”
Succeeding with Enterprise Software Security Key Performance Indicators (ASEC-T08)
Session Abstract: Rafal Los applies more than a decade of experience in various aspects of the security field to help clients meet complex security challenges. Focusing on strategic and tactical defensibility, Los assists clients with aligning security to the enterprise, developing operational efficiency, and measuring performance with effective KPIs. He is a recognized speaker, writer, blogger and contributor to open projects such as OWASP and the Cloud Security Alliance.
Speaker: Rafal Los, Principal, Strategic Security Services, HP Enterprise Security (@Wh1t3Rabbit)
Sarah Wilson (attendee): “In the presentation, Rafal Los encouraged the use of KPIs to measure progress towards long-term security goals rather than the use of metrics that fail to provide insight. He defined good KPIs as those that convey relative distance to a goal and are relevant to the organization and security. He suggested evaluating security items (such as an effort to integrate security testing early) against the following:
- Impact to development effort
- Impact to release
- Impact to up-time
- Impact to residual risk
- Impact to the business
He concluded the session by expressing that our challenge as security program advocates is to make it ‘easier for developers to do the right thing.'”
And be sure to join us at Tripwire’s RSAC Booth (3501) to get your free customized t-shirt printed on the spot, and listen to an array of in-booth guest speakers we have lined up. For the speaking schedule and information on how to obtain a free RSA Expo pass, see more details here.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
Title image courtesy of ShutterStock