From the ever-evolving threat of ‘hacktivism’ to the security of cloud networks, the leading edge of the perpetual war against cybercrime was out in force at this year’s RSA conference
TRYING TO FIGURE out what hackers and crackers are going to throw at the world next – and develop products to counter it – is no easy task these days.
“The threat landscape has evolved so fast,” says Uri Rivner, head of new technologies in the Identity Protection and Verification Solutions division of longtime security technologies company RSA.
It’s the company’s mammoth annual conference in San Francisco, and Rivner and his colleague, RSA chief scientist and head of RSA Laboratories Ari Juels (who earlier in the week hosted the Cryptographers Panel, one of the event’s longstanding favourite sessions) are two of the key hands-on people in RSA’s innovation process – turning ideas and concerns into products and services.
Rivner says there’s been more change in recent times than there had been in years on the security front, and it’s that “adaptive nature of the threat” that he finds the most exciting challenge in his job.
“Today security is more about the perimeter, and current threats are different than those we have experienced for several years. For years, security focused on authentication. But now, you need multiple lines of defence.
“It’s not the tools or the technologies themselves that are changing, it’s the actors,” says Rivner. The actors, and the motivation, have “drastically changed” to include “hacktivists” with social and political motivation, for example, or state-sponsored hackers staging “military-grade attacks”, he says.
“You faced threats before, but never an army invading your network. That’s new.”
Hackers also use “a lot of social engineering”, manipulating people to give up information that can be used for targeted attacks against specific employees, gleaned through social media forums, for example.
“Today, the most important reconnaissance [hackers] do is, ‘who are the employees and how do you send them an email’,” he says.
So how do such observations get turned into software tools a company buys and puts on its networks?
Rivner says he holds a monthly “threat forum” for his team. “We want to encourage people to just throw out ideas. Often crazy ideas are the best.” And they work to understand the enemy: “We’ve started to map this dark economy, to figure out where do they communicate.”
As new threats emerge, new tools might be needed. “Typically, we want to understand if there’s a business case around it. We also talk a lot with customers, and want to understand what they’re concerned about.”
RSA will then consider whether to develop solutions in-house, or buy in capability through an acquisition.
Are there areas where RSA is more likely to develop products in-house rather than through acquisitions?
“Incremental development – building on specific products, and solving problems with the same kind of technologies, we’d do internally.” Something completely new is typically better brought in as an acquisition, he says.
“I think today it’s a mature market. Sometimes it’s more important to make sure a product works well without reacting to every specific threat. In other cases, you need to respond. If it’s an emerging area, you need to focus on that. It’s a balancing act.”
It’s the job of boyish-looking RSA chief scientist and head of RSA Laboratories Ari Juels to anticipate and analyse the very big picture for the company, and consider what threats might be coming five to seven years down the line, and how they might be addressed.
The scope of his job is broad. When Juels’s original employer RSA was acquired by storage giant EMC in 2006, he was given responsibility for security innovation across both diverse companies.
Juels said they realised the focus would expand to include the area of storage security. “At first, we thought, ‘Boy, that will be really boring’,” he laughs. “But we looked at it, and it turned out actually to be really interesting.”
Market acceleration towards cloud computing threw up a range of issues right away. Ensuring the integrity and even the actual ongoing existence of data placed into the cloud for storage, for example, is an extremely difficult problem and became his first challenge.
A cloud can easily make it look as if data is there, he says – and as if it holds the most up-to-date version of the data uploaded to it – but in the past the only way to verify this was to download all the data and look at it. Not a very practical approach.
New security tools from RSA now enable remote verification. “Even in an ill-behaving cloud, we can prove that files are there and that every bit of those files is there.”
He also led development of technologies to spread data across multiple clouds, so that in case data disappears from one, it is duplicated safely elsewhere.
Are they sometimes too far ahead of the curve in anticipating the next market developments and accompanying security threats?
“Actually, yes – almost exactly five years ago, we were worrying about security and smartphones,” Juels says. As the smartphone market was beginning to develop, they started to consider whether mobiles could become full-blown computing devices in their own right, and related security issues as phones started to communicate with PCs wirelessly.
But, he says, much of what they worked on has only now come to pass, and they were a bit too far ahead of the market. While it is nice to be prescient, he jokes, it is better to have market needs fit more closely to predictions.
In his free time – what there is of it – Juels published a novel in 2009, a cryptographic thriller entitled Tetraktys, which, he says, brings together his degree subjects of Latin literature and mathematics.
“It took me 10 years to write,” he says. Was it fun to do? “Both fun and painful.”
Which sounds not too unlike the day job for these two resident innovators.
ONCE MORE INTO THE BREACH: CATCHING THE 'ACTORS'
PLEDGING TO protect anonymity and trade secrets, the head of the FBI, Robert S Mueller III, told businesses that they need to start revealing large data breaches to the agency to help catch hackers.
Speaking to thousands of security-focused delegates in a packed keynote at the annual RSA Data Security Conference last week, Mueller said he realised businesses were often reluctant to disclose breaches or discuss them in detail.
However, he pledged that the FBI "would minimise disruption to your business and will protect your privacy. But maintaining a code of silence will not help."
He said businesses were misleading themselves if they believed being hacked was not a major security concern for every organisation.
"There are only two types of companies: those that have been hacked, and those that will be," he said. He added that, soon, this would change to those that had been hacked, and those that had been hacked again.
"Attribution" – finding the hackers that the security industry generally refers to as the "actors" – is critical to preventing crime by "catching the actors rather than just defending against them", Mueller said.
He also said the FBI was pushing for a national system of mandatory data breach reporting in the US. While 47 states already have some form of mandatory disclosure law, they do it "in different ways and degrees".
Mueller said companies may think a successful breach was minor and relatively unimportant, only to discover later that the first enabled other, more damaging penetrations of corporate networks.
He also said hackers often will make what seem to be a number of minor intrusions and gather a small bit of data here and there, "but it is information that in aggregate may be of high value".
He said the FBI was seeing a wide range in types of hackers, from terrorists to state-sponsored agents and spies to "hacktivists" and petty criminals. Technology was changing so quickly that it was difficult for law enforcement to keep up, he said.
Mueller said that, unlike traditional criminal families, hackers "may never meet [up], but possess specialised skills in high demand".
He said the FBI also increasingly sees "trusted insiders [in organisations] that are willing to sell out" and give data or access to hackers.
Breaches by hackers meant companies were losing money and innovation. "Together we must find a way to stop the bleeding," he said.
– Karlin Lillington