Starting today, thousands of cybersecurity professionals will flood San Francisco's Moscone Center for the RSA Conference, one of the industry's largest and most authoritative events.
Over the next five days, attendees will see presentations that provide a snapshot of the nation's cybersecurity Id: A conference weighted toward government and corporate security, any given year's topics provide a summary of collective fears, fantasies, sales trends, pain points, and heaps of obsessive research.
Taking it all in is impossible. Seeing PR reported as news is unavoidable. But what's not impossible for us to do is separate PR company pitches and scare tactics from practical remedies and real concerns -- which is what our list offers.
No doubt that if you're reading this and attending, you already have your track set for the week. But if you're looking for something with a spark, take a look at our handpicked list of compelling RSA 2015 sessions below.
This year's emergent themes include insider threats, privacy and identity management, passwords, the phishing epidemic, the struggle to get value out of threat intel, breach response and forensics, Internet of Things hysteria, point of sale miasma, and the movement within the industry to stop re-inventing the CISO.
Today, Monday April 20, begins the popular RSAC Innovation Sandbox Contest (Moscone Center North, Room 134), which continues through Thursday. Among many displays, this year's features a full replica of a typical water plant network setup, as well as isolated industrial equipment stations to try out, and "a mocked-up crime scene and digital forensics lab, and see if you can figure out who was involved in our crime via the smartphone evidence."
These three company-sourced talks look well worth attending:
- A CISO's Perspective on Talking to the Board about Cybersecurity (Veracode, Tuesday)
- Know your Adversary: Gathering Intelligence on Targeted Attacks (Verisign, Tuesday)
- Building an Effective Incident Response Program (Rapid7, Wednesday)
Note that some talks are repeated on different days. Each talk or panel below is listed on the first day it appears on the schedule; be sure to check its page for additional dates. Some of these are compelling for the people who are in them, as much as for what they're covering, debating, or unraveling with attendees.
The (anti)Social Network: Key Facts About Social Media Threat Vectors, Security and Compliance (Emerging Threats)
40% of Facebook accounts and 20% of Twitter accounts claiming a Fortune 100 brand name are unauthorized, and Fortune 100 brand channels experience one compromise per business day. Come hear about social media as a threat vector, including breach causes and protective measures.
Exploitation Trends: From Potential Risk to Actual Risk
Research presented: Microsoft researchers have studied some of the exploits discovered over the past several years and the vulnerabilities they targeted, examining which vulnerabilities get exploited, who exploits them, the timing of exploitation, and the root causes.
Technologies That Will Shape the Future Privacy Debate
From wearables and facial recognition to the ubiquitous use of big data, understanding the potential privacy implications of these advancements is essential to ensure the industry addresses issues that could stifle innovation and adoption.
Network Security and Operations When the Network Is Already Compromised
SANS focuses on how an organization should think about managing a network under the fundamental assumption that its Internet-facing (business) networks are already compromised.
A Privacy Primer for Security Officers
Information security officers will need to become involved in privacy issues to maintain relevance in the future. This session covers the fundamentals of information privacy and of building a privacy program, touching on US, EU, Canadian, and other global privacy laws to provide a foundation for intelligently discussing privacy issues.
The Wolves of Vuln Street: The 1st Dynamic Systems Model of the 0day Market
0day vulns have been traded for decades for defense and offense. Recent bug bounty programs have changed market dynamics. Learn about the true levers in the market, from the pioneer of the Microsoft Bounty Programs and a Principal Researcher at MIT Sloan School, based on the first dynamic systems model of the 0day market. Price is not the sole force at work.
Before and Beyond the Breach: New Research in the 2015 DBIR
You probably read about the DBIR highlights in our perky analysis, "Verizon: Android is a mess, but the mobile malware epidemic is a myth." In this session, the researchers unpack the report that told us "got 99 problems, and mobile malware isn't even less than 1 percent of them."
Does The New 2015 California Data Breach Law Protect Individual Privacy, Corporate Security, Both or Neither?
Effective January 1, 2015, California suggests offering identity protection services for private citizens victimized by data breaches. The law shifts the burden of protecting personal information from data owners to data storage companies. Companies that "maintain" this information may be responsible for identity protection services if a breach occurs.
Challenges in Network Forensics
Modern-day attackers use sophisticated techniques to cover their attack traces, and the current limitations of analysis tools make network forensics challenging. The goal of this session is to discuss what new tools need to be developed to help with forensic analysis.
The CISO Reporting Project
When a CISO reports to their Board on security metrics, there is no industry standard or template to leverage. Our research has shown that most CISOs have been in their role for less than 12 months while Boards are becoming more security-aware. This requires reporting to be relevant and actionable. This talk will reveal the results of a study of CISOs' reporting behaviors and what Boards really want.
FBI and Trend Micro: Combating Cybercrime within your Organization
Recent data breaches continue to expose cybercriminals' persistent quest for valuable intellectual property and PII. Join an FBI special agent and Trend Micro as they give an overview of the threat landscape and share best practices for protecting data and detecting/mitigating breaches. Hear tips for collaborating on attacks with your security vendors and the FBI or international authorities.
Applied Information Sharing: Lessons Learned from the Gameover/Zeus Takedown
Orchestrating the takedown of the massive Gameover/Zeus botnet was an 18-month joint effort that required the cooperation of 12 governments, 13 companies, 4 non-profits and 3 USG federal agencies. This successful operation required a great deal of sensitive coordination and timing. This discussion features the Principal Deputy AAG of the Criminal Division from the Department of Justice; the International Liaison Officer (Cyber) from the National Crime Agency (UK); the Supervisory Special Agent of the FBI Cyber Initiative and Resource; the CTU Senior Security Researcher at Dell SecureWorks; and the Principal Research Manager at Symantec Security Response.
Inconvenient Security: When Attorneys Drive Security Decisions
Financial services organizations are increasingly being sued for fraud losses by their commercial banking clients. The outcome is new case law that is being used to drive security decisions with the intent of minimizing the bank's legal exposure. As you'd imagine, this is causing a whole new set of problems.
How Can We Use Classified Information to Make Our Companies More Secure, Without Going to Prison?
Many companies now participate in government programs that provide access to classified cyber threat information. How do you use these programs to secure your networks and data?
Breach 360: How Top Attacks Impact Tomorrow's Laws, Litigation, Security
We all know how seismic the Target, Sony and Anthem breaches were, but have you truly considered how the aftershocks of these breaches will forever change the security profession?
Tools of the Hardware Hacking Trade
Embedded systems are pervasive in our society and many contain design flaws that can lead to exploitable vulnerabilities. In this session, Joe Grand examines common hardware tools used during the hacking and reverse engineering of electronic products, including those that monitor/decode digital communications, extract firmware, inject/spoof data, and identify/connect to debug interfaces.
Dan Geer on the Future of Security
Mr. Geer is the CISO at In-Q-Tel, and his RSA 2014 talk was widely recommended and was called excellent, wise... and frightening.
Domain Name Abuse: How Cheap New Domain Names Fuel the eCrime Economy
To stay agile and avoid detection, cybercriminals need plentiful and "too cheap to meter" domain names, and the DNS industry is only too happy to comply. The result is that most new domain names are created for wicked purposes. Dr. Paul Vixie will provide examples of the critical role domain name abuse plays in today's cyberthreat landscape and of technical advances designed to mitigate this problem.
Use of Technology in Preserving and Protecting Humanity
Technology used for humanitarian aims faces some of the toughest security challenges, and opportunities seem to be everywhere these days. While security pros say they feel overwhelmed by the rate of change, humanitarians grow impatient at the slow pace. This panel discusses why there's a divide and looks at where information security controls are working, as well as areas needing greater attention.
Cyber Bullying, Revenge Porn and the Work Place
Cyberbullying is not limited to schools. Today's hyper-connected workplace is primed for abuse ranging from mean-spirited messages to intimidation, potential threats and revenge porn. Organizations are under a legal duty to ensure a safe environment for employees and customers. Case studies are used to show how to recognize appropriate limits and minimize risk.
Bug Bounties: Internet Savior, Hype or Somewhere Between?
Companies are still having serious problems with security and many believe that bug bounty programs are here to save the day! But are bug bounty programs really a good thing, or are they incenting the wrong behavior that leads to a negative impact? Join Jake Kouns of Risk Based Security, Casey Ellis of Bugcrowd, Nate Jones of Facebook and Chris Evans of Google.
Renewing the Patriot Act
Sections 215 and 206 of the Patriot Act "sunset" in June unless Congress reauthorizes them. The Administration uses Sections 215 and 206 to justify domestic surveillance. Snowden's leaks caused an uproar, but so did the invasion of Crimea and the rise of ISIS. This will be the opening debate on surveillance, terrorism and privacy. With James Lewis, Director and Senior Fellow, Strategic Technologies Program, Center for Strategic and International Studies (CSIS); Bruce Schneier, Chief Technology Officer, Resilient Systems; and Congressman Mike Rogers, Former Chairman, House Permanent Select Committee on Intelligence.
The Emperor's New Password Manager: Security Analysis of Password Managers
A Research Scientist at Shape Security presents the results of a security analysis of popular web-based password managers. Unlike local password managers, web-based password managers run in browsers. We identify four key security concerns and representative vulnerabilities. Our attacks are severe: in four out of the five password managers we studied, attackers can learn credentials for arbitrary websites.
Defending against State-Sponsored Cyber Theft of Intellectual Property
State-sponsored IP theft is now a top US national security priority, but OECD countries need to devise strategies and organize to implement them. Panelists discuss how companies can protect their most valuable information against foreign corporate espionage.
See any interesting talks we missed? Please leave them in the comments! Image via RSA on Twitter.