Wednesday, April 22, 2009

RSA Conference 2009: Notes on Complacency and the "Smoking Gun" from BT's Briefing Luncheon



RSA Conference, 4/22/09

At BT's RSVP briefing luncheon, held off-site at Lulu's on Folsom Street, Bruce Schneier, BT's Chief Security Technology Officer (and industry icon), spoke on "Cyber Security Risks for 2009 and Beyond."

And what did Schneier see as the biggest risk this year and next?

Complacency.

He used the recent Conficker story to framed his remarks:

"Conficker was a huge media story in the run-up to April 1st. It pressed many of the fear buttons: no one knew what it would do, no one knew where it came from, it has a weird name and weird names make people afraid, it was big and it was magnified in the press. Everyone selling security or writing about security spun it. And then nothing happened. It was a 'Boy Who Cried Wolf' story. Of course, something did happen. It updated itself five days later. But that was not as good a news story.

"Stories that make good news often aren't real risks. There was nothing about April Fool's Day that made any difference. The press does not do any of us any favors by writing these stories. Fear mongering leads to complacency.

"Real risks are usually much more pedestrian. For example, the kind of cyber fraud and cyber espionage we see every day. If it is in the news, don't worry about it. If it is so common its not in the news anymore, then it's something that we all have to worry about."

But Tim Le, BT's Director of Research and Technology for its Managed Security Services (MSM) followed Schneier with some other "Lessons Learned from the Conficker Triple Threat."

According to Le, BT sent out one thousand alerts about Conficker, but only 10% of Conficker incidents were detected by client intrusion detection systems (IDS).

Why?

Conficker utilized evasion capacities that had not be seen before - in cyberspace. Conficker infected systems via USB keys and via mobile users. Conficker maintained a low profile; for example, unlike Slammer or Code Red, Conficker had sleep cycles, and only scanned 100 times an hour (instead of thousands) so as not to trigger IDS. It also had a selective payload delivery mechanism, i.e., it scanned first and did not deliver unless it detected the vulnerability it was looking.

IDS, Le cautioned, look for a "smoking gun." Well, in the physical world, you rarely get a smoking gun, Le added, it is more likely that you will have to build a case with circumstantial evidence. And just as in the physical world, in the digital world you rarely get a smoking gun either. MSM can look for the circumstantial evidence.

How?

By "logging broadly, and analyzing deeply." Le concluded with a very sobering admonishment, "Assume your IDS will not see an initial attack."

A persuasive argument for MSM?

Richard Power