RSA Conference 2012 Fearless Forecast – The Cloud of FUD

Next week, something insidious and life-choking will settle over the San Francisco Bay area and threaten everyone with confusion, nausea, and full loss of body hair.

The cloud of FUD.

For you South Park fans, yes, this is far more dangerous than the Cloud of Smug introduced in one of the classic South Park episodes (The Perfect Storm of Self Satisfaction). In the episode, the South Park residents begin to purchase hybrid cars (the Toyonda Pious) in large numbers, and their self-satisfaction in their eco-friendly ways creates a dangerous cloud of smug.  Unfortunately, the South Park cloud collides with two other clouds of smug, one from the general self-satisfaction of the SF Bay inhabitants and a rogue cloud from George Clooney’s Academy Award speech.  This creates the perfect storm of self-satisfaction with catastrophic results, destroying San Francisco and causing general havoc in South Park.

The RSA Conference is next week, and the amount of FUD in any normal RSA week can be problematic.  But this year, the IT security world is at an interesting crossroads.  The underpinnings of trust have been called into question through breaches of companies like Diginotar, and more recently, VeriSign.  Analysis released last week called into question encryption algorithms used by RSA, who is still reeling from a highly public breach last year. Studies indicate that breaches are on the rise, and targeted attacks (including the Advanced Persistent Threat) are hitting their mark with increasing frequency.  And we have no idea how many breaches are yet undiscovered and when we do discover them, we lack the tools to fully assess the damage.  The public disclosure of the VeriSign breach included language from VeriSign management that they were still not quite sure what had been stolen, in spite of the breach occurring in 2010.   Attacks like Duqu were illustrative of the growing sophistication in data gathering techniques to build even more sophisticated follow-on attacks.

We have entered a new phase in IT security to be sure, and all of this uncertainty will amplify the FUD volume to deafening levels.  That is because while there are several innovative companies offering real solutions to these new problems, the majority are scrambling.  When companies scramble in the IT security market, the result is a Perfect Storm of Self Preservation.  Those who lack real answers will look to duck and cover, and the predictable result will be epic volumes of FUD with a healthy undercurrent of smug.

Seriously, we should consider renaming the RSA 2012 exhibit area FUDapalooza! I am not talking about the usual “hamster wheels of pain”, “yes, I do that” (before a question is asked) level of FUD.  This will be highly advanced, super concentrated FUD.

For example, everyone, including the nice people that serve old, stale sandwiches in the lobby for $18, will have “The Solution for the Advanced Persistent Threat”.  Everyone will have the “Next Generation of Threat Protection” and “Your Weapon for Cyber Warfare”.  Companies that went the M&A route will have the “First Truly Comprehensive Security Suite/Platform”.  The large, “usual suspect” companies with the huge booths at the center of the floor will promise to plug the massive gaps that studies now show their own products to have.

I remember my first RSA Conference in 2005.  I was immediately struck by the signal to noise ratio (very little signal, copious amounts of noise) and lack of clear messaging and differentiation on the exhibit floor.  One of the more popular posts for this blog was about the animals you will see at RSA.  I can only imagine what 2012 will be like.

At the end of the South Park episode, Kyle points out to the citizens that driving a hybrid is really a good thing, but they have to learn to drive them without being smug.  The townspeople go back to their old gas guzzling cars, saying that “it’s simply asking too much”.  The RSA Conference could be an excellent place to explore ways to meet the new challenges we collectively face today.  Unfortunately, I think for most of my vendor comrades “it’s simply asking too much”, and most will instead take the Gladiator approach and unleash FUD hell.

The Cloud of FUD is coming.  Bring your Hazmat suit.

VeriSign Breached – Who Can You Trust Redux

It was reported by Reuters today (“Key Internet operator VeriSign hit by hackers”) that VeriSign has disclosed that the company was hacked in 2010. This is significant at many levels.

First, VeriSign essentially handles the credentials for over half of all Web sites, specifically sites ending in .com, .net and .gov. VeriSign executives could only say that they “do not believe” that the critical domain name services were compromised, leading many to speculate that VeriSign does not yet know the extent of the breach. And even if the domain name services were not compromised, compromise of any of VeriSign’s other services could still represent significant risk to a very large number of companies and government agencies.

Given that VeriSign has not been forthcoming with details and frankly does not seem to know yet the full extent of the breach, the security of an enormous number of Web sites is in question this morning. I am not sure that this can be overstated. Depending on what we learn about this breach, the tectonic plates of online security may have just shifted significantly.

Second, the VeriSign breach is a huge blow to the topic of trust on the Internet (see the blog post “Certificate Authorities Hacked – So Who Can You Trust?”). This trust was already significantly impacted by the RSA breach last year and the compromise of several certificate authorities (CAs) such as DigiNotar. But the aggregate effect of these breaches, in my opinion, is dwarfed by a compromise of VeriSign. Consider that the “s” in “https” is based on Secure Sockets Layer (SSL) certificates, the majority of which are issued by VeriSign. Suddenly the ubiquitous lock icon and green indicator of web site trust do not feel so secure and trustworthy. The past months have been filled with questions about the trustworthiness of SSL, and this breach will pour gasoline on that fire. In a broader sense, the article points out that the RSA and VeriSign attacks are designed to undermine the fundamental underpinnings of authentication. This puts all transactions – business, government, personal – at risk.
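To make concrete why a compromise at a CA matters so much, here is an added shell example (not from the original post) that uses the openssl command-line tool to build two throwaway root CAs, has one of them issue a certificate for a constructed hostname, and then shows that chain validation succeeds or fails purely on which root the verifier trusts. Every name and hostname below is constructed for the demo; nothing here touches VeriSign or any real site.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates that the trust
# behind the HTTPS lock icon is inherited entirely from the issuing CA: a
# leaf certificate validates if and only if its issuer's root is in the
# verifier's trust store. Requires the openssl CLI. All names are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root certificate and private key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# issue_leaf CA_NAME HOSTNAME: have CA_NAME sign a certificate for HOSTNAME.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_leaf ROOT_NAME HOSTNAME: return 0 if HOSTNAME's certificate chains
# to ROOT_NAME when ROOT_NAME is the only trusted root, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Two independent roots: one a browser would ship, and one it would not.
make_ca trusted-root
make_ca unrelated-root

# The trusted root issues a certificate for a constructed hostname.
issue_leaf trusted-root www.example.test

# Validation depends only on which root sits in the trust store.
if verify_leaf trusted-root www.example.test; then
  echo "www.example.test: accepted when trusted-root is in the store"
fi
if ! verify_leaf unrelated-root www.example.test; then
  echo "www.example.test: rejected when only unrelated-root is trusted"
fi

# The converse is the uncomfortable part: any root in the store can vouch
# for any hostname, so the verifier accepts whatever a trusted CA signs.
issue_leaf unrelated-root login.example.test
if verify_leaf unrelated-root login.example.test; then
  echo "login.example.test: accepted once unrelated-root is trusted"
fi
```

The last block is the point of the post in miniature: the verifier has no opinion about the hostname, only about the signer, so every site whose certificate chains to a given root is exposed at once if that root's signing capability is compromised.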

Third, the VeriSign breach came to light in a 10-Q filing with the SEC that listed the breach in accordance with the new SEC guidance on breach disclosure. Reuters did a search of such disclosures and found the VeriSign admission. Without the SEC guidance, this breach may never have come to light, and the companies that trust the integrity of VeriSign’s services would never have known. I draw the conclusion that there was no communication from VeriSign to its customers, given that the CTO of VeriSign at the time of the breach learned about the problem from Reuters.

The potential impact of this breach could make this event the tipping point in the call for stricter guidance and perhaps even legislative action in regard to breach disclosure (see “Prediction Regarding Data Breach Detection – Soon to be a Regulatory Requirement”). Proponents will have a field day with the idea that VeriSign may never have disclosed the breach without the SEC guidance. But opposition to such action will also use the event as an argument against it. The article intimates that the breach is a persistent attack done by a nation-state, or an Advanced Persistent Threat attack. Such an attack at a company such as VeriSign has far-reaching impact on national security, so there are those who would not want the attack disclosed before there was reasonable time to perform analysis, attribution, and potentially launch a counter attack. Mix this attack in with a presidential election year and I predict the skies will darken with calls and counter arguments for legislation.

Fourth, this event may finally take many over the emotional hump of clinging to the hope that 100% prevention is still possible (see “The Emotional Barriers to Embracing the Presumption of Breach Doctrine”). The article quotes security consultant Dmitri Alperovitch as saying “prevention is futile”. Those who have clung doggedly to prevention in the face of mounting evidence will find it hard to continue to do so. It is okay. Those of us who have already accepted the inevitable are here, waiting for you without judgement. Just let go.

Fifth, I will have much more to say about this subject, but notice that although the breach happened in 2010, VeriSign still does not know the extent of the damage. There were even intimations that they may not have completely eradicated the adversary from their systems. This is proof of my ongoing statement that organizations are not equipped to detect, analyze, and respond to breaches. Trust me when I say I have much more to say on this topic in the very near term.

Watching this story unfold should prove to be quite interesting.  Quite interesting.