Two Lessons from the 2019 Rocky Mountain Information Security Conference (RMISC)
Each year I embark on a journey, along with what seems like every other security professional in the Denver area, to the only security conference that seems worthwhile to attend: the Rocky Mountain Information Security Conference (RMISC). For a city the size of Denver with such a strong technical industry, you might wonder why larger conferences such as RSA or Cisco don’t hold their events here. I’ll chalk it up to the cold weather and altitude. The conference was great as usual, with a good selection of speakers this year and some great takeaways.
I sat in on the keynote by Deborah Blythe, the CISO for the State of Colorado, as she discussed the challenges that every state government organization faces with cyber security. She is seeing more attacks that are clearly nation-state sponsored. In 2018 the Colorado Department of Transportation (CDOT) was hit by a variant of the SamSam ransomware; the attackers got in through a brute-force attack on a temporary system that was being tested without full security controls. From there the attackers gained access to the CDOT financial systems. The infection was so widespread that the Governor issued an executive order, making the event the first-ever state emergency declared for a cybersecurity incident. The lesson on this one? Test systems are often stood up with lax controls. After all, it’s just a test system, right? Well, the ransomware certainly didn’t care that it was only a test system and ran just fine on the test server(s). Since the test environment wasn’t segregated from the production systems on the rest of the network, the ransomware was able to propagate.
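The two failures in that story are a test box reachable from outside on an administrative port and a test zone with an open path into production. Both are things a ruleset review can catch before an incident does. The following is an added example, not code from the original post or from CDOT: a small audit over firewall-style rules that flags exactly those two conditions. The zone layout, the rule format and the sample rules are all constructed for this example, and the check deliberately ignores rule ordering, flagging any allow rule that would permit the path.

```python
"""Added example: audit firewall rules for the two segmentation failures
behind the CDOT lesson. Zones, rule format and sample rules are constructed
for this example and are not a real configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM

# Assumed zone layout for this example.
ZONES = {
    "prod": ipaddress.ip_network("10.10.0.0/16"),
    "test": ipaddress.ip_network("10.99.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    port: Optional[int]      # None means any port
    action: str              # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to a zone name. Anything not wholly inside a defined zone
    (0.0.0.0/0, a public range, or a supernet that spans zones) is treated
    as 'external', i.e. untrusted. That is the conservative choice."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "external"


def audit(rules):
    """Return (rule name, finding) pairs for allow rules that either expose a
    test host to the outside on an admin port or let test reach prod.
    Rule ordering is ignored on purpose: any allow rule that would permit
    the path is reported."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == "external" and d == "test" and (r.port is None or r.port in ADMIN_PORTS):
            findings.append((r.name, "test host reachable from outside on an admin port"))
        if s == "test" and d == "prod":
            findings.append((r.name, "test zone can initiate traffic into prod"))
    return findings


# Constructed sample ruleset for this example.
SAMPLE_RULES = [
    Rule("allow-rdp-to-temp-server", "0.0.0.0/0", "10.99.5.20/32", 3389, "allow"),
    Rule("allow-test-to-prod-any", "10.99.0.0/16", "10.10.0.0/16", None, "allow"),
    Rule("allow-web-to-prod", "0.0.0.0/0", "10.10.8.0/24", 443, "allow"),
    Rule("deny-test-to-prod", "10.99.0.0/16", "10.10.0.0/16", None, "deny"),
    Rule("allow-prod-to-test-monitoring", "10.10.1.0/24", "10.99.0.0/16", 443, "allow"),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES):
        print(f"{name}: {why}")
```

Run against the sample rules, the audit reports the internet-facing RDP rule on the temporary server and the blanket test-to-prod allow, while the inbound HTTPS to prod and the prod-to-test monitoring rule pass. The point of the "external by default" zone mapping is that a rule written against a broad range such as 10.0.0.0/8 gets scrutiny rather than a free pass.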
As a GRC / IRM professional I hold a couple of IT audit certifications. I attended several sessions on audit and risk to see what the latest developments are in these areas. One thing that stood out was the emphasis on blockchain auditing. The idea with a properly designed blockchain is that it cannot be quietly defrauded and the historical data is immutable: geographically distributed copies of the ledger all track transactions and propagate them through the network as they occur, and each block carries the hash of the block before it, so altering a historical record breaks every block that follows. The nodes that track the transactions and hold a copy of the ledger work on a system of consensus, where the majority rules if a discrepancy arises. For a fake transaction to be accepted, an attacker would have to control a majority (the well-known 51%) of the network’s validating power, which in a proof-of-work network means hash rate rather than simply a count of nodes. This would likely be one of the toughest known hacks to pull off if the network has enough independent participants and their geography and access/administration/security are decentralized. Notice that “if” in the prior sentence. The possibilities are amazing, but if not properly configured with an emphasis on decentralization of both geography and control, a blockchain can be as vulnerable as any other database.
I can understand the importance that blockchain promises to many industries. Its most obvious application is securing transaction ledgers for the financial industry. Billions of dollars are stolen or lost each year globally, making the bounty for an immutable ledger that is nearly impossible to defraud very worthwhile. I see a new niche in the future for auditors who are savvy in cryptocurrencies, utility tokens, and other cryptographically secured digital assets. Many of the discussions centered around the CryptoCurrency Security Standard (CCSS) as the industry security framework against which basic compliance can be measured. As yet, I haven’t seen government get into the business of mandating security measures as it has with HIPAA or SOX. However, as these currencies move further into the mainstream, politicians will not be able to help themselves unless the industry establishes good controls and enforceable practices, as the credit card industry did with PCI DSS. The lesson here? Risk and security professionals should make it a top priority to learn the basics of blockchain technology. These types of systems will likely become more and more prevalent for hosting valuable data.
All in all, I enjoyed the conference and saw value in attending. I’m also optimistic about more security-related events of this caliber being hosted in Colorado.