TF 7 Radio Covers What's Going On At RSAC This Week

Plus, should employees be sued for falling for phishing?




George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, was joined by Co-Hosts Tom Pageler and Andy Bonillo in episode #74 of Task Force 7 Radio on Monday night. Pageler currently is Chief Security Officer of BitGo, Inc. and Bonillo is Global Head of Information Security for AIG. The trio broke down some of the main themes of the RSA Conference happening out in San Francisco, Calif. this week.

They also provided analysis on companies around the world who are choosing to sue their employees who fall for phishing attacks. And a new cyber security law in Thailand that gives the government total control over the internet, has privacy rights activists reeling over the wide range of power the new legislation gives the government.

What’s Going On At RSA?

With about 700 sessions all in four days, it’s likely cyber security professionals should be able to find some expertise on whatever topics they’re looking for in this space.

The general consensus of the three hosts is that although RSAC is great for networking and reconnecting with contacts, it may not necessarily warrant a big sponsorship budget, depending on needs. Some organizations “can just show up and have meetings and network.”

Pageler added that the conference is so large and can be so overwhelming that it’s unclear if anyone would notice who wasn’t there. He explained that he just assumes the “big names are all there.”

See Related: “RSAC Day 1 Theme: People And Tech Are ‘Better Together’

Rettas brought up an example of the cost for a booth last year, which was about $130 per square foot for a booth ($52k). Then you still have to add in hotel costs, travel, dinners, staff, trinkets, etc. It’s “interesting how much the companies are willing to spend.”

“It’s just so hard to know what your return is. You don’t know if not going will hurt you,” Pageler said. He brought up that maybe if you’re a startup, you don’t go with booth. Instead, do something fun or different offsite.  Although he did note that RSAC San Francisco is the flagship event of all the regions, so “if you do one, this is the one to attend.”

Bonillo brought up the notion that small businesses outside of US, typically end up here because where they’re from outside the US, typically doesn’t have a large enough market.

Speaking of booths and the trinkets sponsors invest in the event, Rettas half-joked about those that give out USB sticks … are they for spying?

Bonillo and Pageler both agreed that “any security professional should be smart. Be aware.” 

Is AI Here Or Just A Buzzword?

Rettas cited a Marketwatch.com article that brought all the talk ahead of RSAC looking at AI to fill the skills gap. The article said that:

Over the past week, both Palo Alto Networks Inc. and Microsoft Corp. announced new AI-branded services to address an often-cited lack of cyber security workers qualified to keep on top of an exponentially growing number of cyber attacks.

In a report released Thursday, however, Cisco Systems Inc. said that the industry may actually be cooling to AI-powered cyber security. In a survey of more than 3,000 security experts, two-thirds said they would rely upon AI, down from the 74% who said they would in 2018.

While it’s only an 8% decrease, confidence on AI seems to be trending downward at the moment. And, Rettas reported that there are about over 20 sessions at RSAC 2019 focused on AI.

“Right now it’s all hype,” according to Pageler. He said that it’s really just great data analytics and automation, and AI won’t come until it’s life or death situation (like AI cars driving without killing anyone).

Whereas, Bonillo believes that we’re still trying to get our head around leveraging analytics and advanced analytics in a fully mature way. “So, how we can really see what an attack will look like using AI?” he asked. “It’s going to take a little while for companies to feel comfortable with it.”

Finally Rettas brought up alert fatigue, which Bonillo said is very real. While Pageler thinks it’s still just good data analytics, any reduction in alert time is great: Anything that helps us “respond to things that are important and rule out false positives faster.”

Tech Consolidation And Phishing

According to Cisco, 63% of responding CISOs said they have whittled down the vendors they work with to 10 or less versus 54% in 2017.

Pageler said, “Good CISOs are moving to more open-sourced tools.” They’re starting to become less reliant on vendors, and learning to do things themselves. “I can patch and fix things myself (I have the source code).”

“Startups may be easier to do open source,” Bonillo said. However, it may not come as easy for large companies built out of acquisitions, dealing with M&A and needing to shrink down all the tools being used. But the three agreed that you have to make sure you have the right consultants on board and right services to help shrink down the solutions because they have the relationship and know the technology.

The bigger companies have innovation teams according to Rettas, but mid-sized and smaller ones don’t have the resources. “I’m not even sure the vendors have the bandwidth and capital to be all things to everybody.”

Pageler advises, “Rather than look at consolidating vendors, look to better align to standards,” so you’re at a baseline with what everyone else is doing.

See Related: “Implementing A Risk-Base Cyber Security Framework

Switching gears, Rettas brought up a Trend Micro report released at RSAC saying that –“attacks that capitalize on the human desire to respond to urgent requests from authority, are skyrocketing.” The business of email phishing attempts are up 269% compared with 2017. And people are terrified of getting in trouble.

“You have to have a strong awareness program,” Bonillo asserted. Companies need to have a strong policy in place because it’s not going to stop. To make matters worse, there are more targeted emails where attackers are doing research on people to craft very specific emails.

See Related: “The Phishing Phenomenon: How To Keep Your Head Above Water

Rettas, Pageler and Bonillo offer this advice:

  • Slow it down, read the email and do the training.
  • Use a layered approach.
  • Encourage and train (and reward) employees.
  • Apply standard technical setup and solutions.
  • Segregation of duties, and checks and balances on top of that.

While Rettas noted the headlines of late that revealed a woman who is being sued for falling for a CEO fraud scam, Pageler felt that, “This is absolute horrible practice and she should countersue for not having a safe work environment. That is a failure of that company to properly train and educate.”  

Thailand’s (Cyber Martial) Law

Rettas shared another recent headline about Thailand, which is defending its new cyber security law

The article said that Thailand’s parliament recently approved the Cybersecurity Act unanimously, the latest in a wave of new laws in Asia that assert government control over the internet.

Activists have called the legislation “cyber martial law”, saying it would sacrifice privacy and the rule of law, and warning compliance burdens could drive foreign businesses out of Thailand.

The government said the law was intended to protect networks from cyber attacks and would not enable state surveillance or violate rights.

“We have made sure that it would not allow for violation of individuals’ rights and arbitrary use of power,” Ajarin Pattanapanchai, permanent-secretary of the Ministry of Digital Economy and Society, told reporters.

“The law will not be used to regulate social media, or computers or devices belonging to the people.”

According to Pageler, “We’re going to see more and more this,” even if he doesn’t trust it.

Bonillo added that “There’s an education that still has to happen.” It’s not clear [to the public] that they know what the regulators are asking for. “It’s a slippery slope,” closed Pageler.

See Related: “When Politics And Cyber Security Collide

The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.

To listen to this and past episodes, click here.