You're hacked - get over it

Here's a sobering thought. Phil Lieberman, the President of Lieberman Software, says, "Every day you wake up, you know somebody is in your network. You just don’t know where they are, what they're getting and what you can do to stop them".

The overwhelming theme of this year's RSA Conference has been that border protection, while an important layer in our security, is not enough. Two shifts have changed the nature of our information systems and infrastructure: the distribution of end points, characterised today by growing numbers of mobile devices but expanding rapidly as the Internet of Things becomes a reality, and the movement of critical systems out of private data centres into shared service providers.

"The perimeter is porous," said Lieberman. "It doesn’t mean we've lost the war. Those who are successful on the Internet, the only ones who will be successful, are those who have their eyes open and understand that whatever technology they have will have a limited lifetime of protection. The question is not whether they're going to get in but how far can they go".

That changes the focus from vulnerability protection to more complex threat management. Lieberman's company develops and distributes identity, utility and password management tools for securing environments. But there are broader applications.

"Our clients are doing regular red/blue warfare where they use our tools on both sides," he said.

This technique is not new. These war games pit teams against each other in a game of hacking and reacting so that the business has practice in dealing with threats. This has been an important but overlooked element of many security strategies. While companies have been diligent in ensuring software is patched and appropriate controls are in place, they are often caught out by a breach because they are unsure how to react.

Lieberman's observations of the behaviour of large cloud service providers are that they do this war-rooming constantly. "They suffer massive DDoS attacks on an almost daily basis. They have people who are ex-intelligence, ex-military and ex-NSA who, as part of their career path, left and are now conducting cyber-defence on the other side," he said.

Many companies we've seen talk about how they undertake regular audits, have policies in place to change passwords regularly and issue new certificates periodically. Lieberman did not see those as poor practices – most people would agree that these fall under accepted best practice activities – but he pointed out that these may give a false sense of security.

For example, if a business's policy is to force users to change passwords every 90 days, what happens if the hash for that password is stolen the day after the password is changed? The malicious party will have unfettered access until the password is next changed. Similarly, certificates that are valid for long periods of time – three years is not uncommon – give parties that have invaded a system a long window of opportunity.

"What we see as best practice is a rethinking of ages of things like passwords, thinking of ages of certificates. So, for some of our customers, we're rotating their passwords every eight hours. Another example is Microsoft Lync. I looked at the certificate used for my secure communications channel. I was wondering how long Microsoft sets up the PKI for it. And I was shocked – it was one day. I was shocked. Certificates you think of being good for up to five years, they've reduced the life cycle to less than a day".

Rather than operating in a mode that says passwords and certificates will be enough to maintain border security, the modern posture is that these things are going to be stolen and the focus is now on risk management and damage containment.
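The practical counterpart to that posture is checking whether credentials actually have short lifetimes. The following Go program is an added example, not code from the article or from Lieberman Software: it audits a PEM bundle for certificates whose validity window exceeds a policy ceiling, using constructed self-signed certificates in place of a real inventory; the 24-hour ceiling in the usage below is assumed, taken from the one-day lifetime quoted above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issueCertPEM builds a self-signed certificate valid for `lifetime` and returns it PEM-encoded.
// This is constructed test data standing in for certificates pulled from a real CA or endpoint.
func issueCertPEM(cn string, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// auditPEM walks every CERTIFICATE block in pemData and returns the common names of
// certificates whose validity window (NotAfter - NotBefore) is longer than max.
func auditPEM(pemData []byte, max time.Duration) ([]string, error) {
	var violations []string
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM material in the same bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if cert.NotAfter.Sub(cert.NotBefore) > max {
			violations = append(violations, cert.Subject.CommonName)
		}
	}
	return violations, nil
}
```

Run it against a bundle containing a one-day certificate and a three-year certificate with a 24-hour ceiling and only the three-year one is reported.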


Anthony Caruana travelled to RSA Conference as a guest of RSA.
