RSA recap, an Enigma machine and a warning on China-backed cyberthreats
From left to right: Niloofar Razi Howe, senior operating partner at Energy Impact Partners; Kevin Mandia, CEO and director of Mandiant; Sudhakar Ramakrishna, president and CEO of SolarWinds; and Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, speak at the RSA cybersecurity conference in San Francisco last week. Blake Sobczak/README
Welcome to Changelog for 6/12/22, published by Synack! Blake here, en route to Washington, D.C., today after attending another successful RSA security conference in San Francisco. We Synackers spent much of the time at Fogo de Chão hosting hundreds of guests, sponsors and a Journey cover band. When not at the, ahem, meat-and-greet in the restaurant, I made the quick walk to the Moscone Center to cover some RSA highlights:
The payload
The RSA conference is a whirlwind of expert talks, one-on-one meetups, in-your-face marketing pitches and flashy parties. From its roots in the cryptography community to its current incarnation as one of the biggest annual infosec gatherings on the planet, the event provokes strong feelings from fans and detractors alike.
I missed it.
Last week’s RSA con was the first held since 2020 and had been rescheduled from early February due to the COVID pandemic. The new dates meant that RSA played out against the backdrop of the ongoing Russia-Ukraine war, which continues to put top U.S. cybersecurity officials on high alert.
“We do not think the threat has passed. We think it’s very important that we keep our shields up,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said at the conference. “When we think that threat is no longer relevant, we will absolutely communicate that transparently.”
Ryan Kalember, EVP of cybersecurity strategy at Proofpoint, attended his first RSA as a student in 1999, when attendees focused on issues like whether the NSA would allow for exporting strong crypto.
Today, competing claims from the “sea of vendors” at the conference can make it tricky to tease out interesting takeaways, he said.
“Ransomware has been such a noisy trend that everybody kind of forgot that the space, before it was called cybersecurity, was information security. The whole point was to keep the information safe,” Kalember told me. “I think that’s coming back around. We are seeing a bigger focus on not losing data to insiders.”
The week, compiled
Here are a few other key points from the conference:
Expanding the talent pool: While many cybersecurity startups are in for some chop due to near-term economic headwinds, the industry still faces a dire shortage of cybersecurity professionals.
“The cybersecurity community does not have enough people,” said Wen Masters, VP of cyber technologies at MITRE, who estimated the work force has room to grow by a factor of 100. “This is really an all hands on deck kind of activity. Everyone has a responsibility to work on cybersecurity… getting talent is a huge issue.”
MITRE is championing Women in Cybersecurity initiatives and working on programs to attract and retain neurodiverse talent, including autistic cyber professionals.
“A lot more agencies are really exploring neurodiversity and the neurodiverse talent pool,” said Teresa Thomas, who heads neurodiverse talent enablement at MITRE. “The conversation is shifting… What’s down the road is organizations and agencies really building in neurodiversity and neuroinclusivity into the way they do business.”
The biggest hurdle, Thomas told me, is fear of making mistakes when implementing such programs.
Her advice? “Do it wrong and learn. Do it better the next time. Do it again — and just don’t be afraid to do it wrong.”
Boosting operational technology (OT) defenses: Industrial cybersecurity firm Dragos rolled out a new OT cyber emergency readiness team Tuesday helmed by former Rockwell Automation CISO Dawn Cappelli. The company’s OT-CERT is aimed at offering tailored cybersecurity tools to water treatment facilities, municipalities and power utilities, among others.
“The majority of our industrial infrastructure are actually smaller companies that don’t get any support whatsoever,” Dragos VP of threat intelligence Sergio Caltagirone told me. The OT-CERT “is not trying to reach the big companies; it’s actually a free service we are providing to the underserved or underresourced organizations.”
The most pressing threat bearing down on these critical infrastructure operators?
“Ransomware,” Caltagirone said. “It continues to keep us busy in the most unfortunate way.”
A message from Synack
Synack Red Team mission data indicates that once-a-year pentests are no longer adequate to protect sensitive missions or meet most compliance requirements. Government Agencies Deserve A Better Way To Pentest, one that scales to find vulnerabilities that matter most and to meet M-22–09 zero trust requirements for dedicated application security testing. Find your Better Way to Pentest today in Synack’s FedRAMP Moderate In Process environment.
Flash memory
The National Security Agency brought a true cryptologic relic to RSA, showcasing a World War II-era Enigma machine at the agency’s booth in the expo hall.
A tangle of wired rotors, pins and wheels produced encrypted messages for Army-level forces in Nazi Germany. But the cipher machine was no match for Polish cryptanalysts, British codebreakers (including famed mathematician Alan Turing) and other Allied forces during the war.
German designers had overestimated the strength of the machine based on the eye-popping number of outputs the plugboard could produce.
“The Enigma stands as a silent sentinel to the folly of those who placed their absolute confidence in its security,” NSA technical expert Ray Miller wrote in a report on the mathematics underlying the device. “But it also stands in renowned tribute to the cryptanalysts who pitted their minds against a problem of seemingly invincible odds and who scaled its lofty heights.”
Local files
Bleeping Computer: The Italian city of Palermo has become the latest local government to be menaced by ransomware, as the “Vice Society” cybercriminal group claimed responsibility for a cyberattack on the municipality.
CISA: U.S. authorities issued a warning about new China-backed malicious cyber activity. State-sponsored threat actors have led “widespread campaigns to rapidly exploit publicly identified security vulnerabilities” at big telecom companies since 2020, said CISA, FBI and NSA.
CyberScoop: Some water industry leaders and politicians including Rep. Jim Langevin (D-R.I.) have blasted the Environmental Protection Agency for its alleged failure to improve the cyber defenses of U.S. water utilities.
Off-script
A picture’s worth a thousand words, and now it takes only a few words to produce one.
The text-to-image DALL-E mini AI tool debuted last week, prompting many internet users to waste hours entering goofy terms to see what pops out.
Unlike Casey Newton at The Verge, I lack access to the private research beta for DALL-E 2, the most cutting-edge text-to-image tool. So I had to settle for the lower-quality versions of “USB ouroboros” and “hacker parkour”:
That’s all for this week. Please send tips and feedback to bsobczak@synack.com. Changelog will take a break next Sunday to honor Juneteenth, so I’ll see you June 26th!