Impressions from a RSAC 2020 “Outsider”
My previous experiences of attending the RSA Conference in San Francisco for the past 15 years have remained consistent. This year’s version was no different and the themes, trends, and buzzwords were eerily similar to last year: zero trust, kill the password, machine learning, artificial intelligence (AI), cloud, Internet of things (IoT), open-source security, identity, and mobile threats.
The main difference for me was I had to do booth duty and theater presentations on the exposition floor all week and couldn’t attend any live sessions. Even without that vantage point, I was still able to formulate my own impressions of this year’s conference.
My interpretation of the Human Element theme is that no matter how many security controls you implement on endpoints and network servers, the human is the weakest link. You and I can easily succumb to social engineering exploits like phishing, connecting to an insecure wireless hotspot (thinking that VPN will save us), or installing legitimate apps that leak our personal and work information without telling us!
Here’s my zero trust take: the mobile device is the enforcement point for most, if not all, the security controls. Use strong multi-factor authentication (MFA) like live scan biometrics as a primary factor to access the device. Firewalls and VPNs are no longer effective because there is no cloud perimeter. That mobile device in your back pocket is always on, connected to the Internet, even if you are behind the firewall or router at work or home. Don’t be fooled! There are more malicious sites on the regular Internet than the deep or dark webs! As far as VPN is concerned, since there is no network perimeter, where does your secure connection terminate? Most enterprises implement a split-tunnel VPN that permits you to connect to your work resources while simultaneously connecting to the insecure Internet to do your TikToking or FaceApping. Have you heard of drive-by malware download? It happens!
The best advice to ensure that your connection to any Internet portal is secure is to make sure it is protected by HTTPS using the strongest ciphers in TLS v1.2 or 1.3 always. Just click on the little padlock alongside the URL on your friendly neighborhood browser. Work mobile devices should only install the bare minimum set of apps to get the job done. If email or text messaging is required, have phishing and content protection enabled that regularly updates the list of malicious URLs from distributed databases that have sensors all over the world. Permit only network connections that are known to be secure or use a private APN that connects directly to the corporate network. Block connections to insecure wireless networks at the coffee shop, airport, hotel, inflight, or RSA conference Wi-Fi. And oh, don’t connect your USB to any of these places either!