Notes from the InfoSecurity North America Conference

By Rene Kolga

A few weeks ago I had an opportunity to speak at the InfoSecurity conference in New York City.

My Tech Talk presentation, Anatomy of a Nation-State Attack, dove into the tactics, techniques and procedures (TTPs) advanced attackers use to gain a foothold within an organization’s network. I based it on a real-life example of a recent suspected nation-state attack our Research team investigated. Tech Talks were not recorded, but you can listen to a more in-depth discussion about the OilRig threat actor (aka APT34), as an example of a middle of the road nation state actor, in this webinar.

The conference’s opening keynote speaker was Kevin Mitnick – it is always great to listen to the legend. He showed tons of fantastic demos, including cloning somebody’s HID keycard, revealing another person’s PII, and using many unique attack vectors including a Rubber Ducky hidden in a USB cable. Famously, Kevin focuses on social engineering as a never failing method of cost-effective way of getting into targeted organizations, which he covered in-depth in his book “The Art of Deception”.

Another keynote speaker was Dave Hogue, Technical Director, NSA’s Cybersecurity Threat Operations Center (NCTOC). He spoke about what the NSA is doing to secure its networks, and on the return to cyber defense basics the agency practices, including Application Whitelisting as the #1 on his “What’s old is new again” list (the other two items were role-based access controls and 2-factor authentication). That makes sense given that in the last few years, older generation Positive Security model based technologies like whitelisting or Application Control have been dramatically improved by new approaches like OS-Centric Positive Security and are seeing a market resurgence.

One other memorable session was called Securing Nuclear Secrets is Easy Compared to Healthcare led by Christopher Plummer, Senior Cybersecurity Analyst at Catholic Medical Center. He compared and contrasted the way we secure our military and healthcare infrastructures. The military approach is very structured: from accreditation to the use of DISA STIGS, from PKI to consistent vulnerability scanning, and much more. Healthcare infosecurity, on the other hand, is very different and challenging because, as Plummer put it, “Security is new to us; We are old; We are big; We have no economies of scale; Patient care is our priority.” He also dispelled a long-standing myth about not being able to patch or install security solutions (e.g. AV) on FDA approved medical devices. The FDA had to issue a special clarification to fight this pervasive misconception.

The show wrapped up with a spectacular snowstorm that shut down most of New York City along with surrounding states. Aside from all the travel inconveniences, it felt like Christmas. Speaking of holidays and the end of the year, it is time for 2019 predictions on what is to come. Join our webinar on December 19 to find out what our team expects organizations will see develop across the cybersecurity landscape in the new year.