Day two of the RSA Conference was a mixed bag compared to yesterday’s stellar experience. I attended four different sessions, with only two delivering genuine value. The first disappointed with questionable statistics and oversimplified solutions, while the last session was unfortunately just a thinly-veiled sales pitch.
The sessions I attended today were:
- Modern Architectures: Mapping SASE to the Cyber Kill chain
- Blowing up gas stations for fun and profit
- The Toilet Paper Principle – The Overlooked Human Side of IR
- Ducks in a row – How to effectively manage the remediation lifecycle
Modern Architectures: Mapping SASE to the Cyber Kill chain
Niki Porteli and Lucas Skipper began by establishing the need for zero trust architecture and SASE (Secure Access Service Edge). They claimed 70% of organizations have suffered ransomware attacks (roughly 3 out of 4 companies) though they didn’t cite sources for this suspiciously high statistic.
The presentation demonstrated a common attack pattern using the Lockheed Martin kill chain:
- Initial reconnaissance with tools like nmap
- Exploiting vulnerabilities in perimeter firewalls
- Kerberoasting for lateral movement
- Deploying malware or ransomware
- Establishing command and control (C2) connections
According to the presenters, implementing SASE would prevent all these attack vectors. They suggested that with SASE, organizations wouldn’t own IP addresses anymore and systems would automatically receive the latest security patches.
This painted an unrealistically utopian picture. Several practical concerns went unaddressed:
- How would public-facing websites remain accessible?
- How would customer connections work through the SASE implementation?
- How would device patching actually function?
- What about testing environments and legacy systems?
While SASE technology combines internet access, application access (north-south traffic), and identity management into a single solution, it’s certainly not the silver bullet the presentation made it out to be.
Blowing up gas stations for fun and profit
This presentation from Pedro Umbelino at Bitsight covered his research into Automated Tank Gauges (ATGs): systems monitoring probes in gas tanks at fuel stations.
His investigation revealed alarming security issues:
- Over 9,000 legacy devices and 1,200+ modern ATGs are directly connected to the internet
- Legacy devices using an inherently insecure ATG protocol that’s open by default
- Optional 6-digit passcode protection requiring physical DIP switch to enable the security feature
- While devices with a passcode don’t respond to network connections, 6-digit passcodes are easy to brute-force.
- By trying the most common 6-digit password: 123456, he found 57 more vulnerable devices
- Most devices operating with no password protection whatsoever
Even modern ATGs with web interfaces continued to support the legacy protocol and contained serious security flaws. Umbelino discovered 10 zero-day vulnerabilities that he classified as “unforgivable” according to MITRE’s definition:
- Common mistakes made by many developers
- Well-documented issues in security literature
- Obvious weaknesses
- Simple attack vectors
- Discoverable within just 5 minutes
These vulnerabilities enable several dangerous attack scenarios:
Through sensors:
- Manipulating fuel/water level readings, potentially causing tank overflow
- Altering tank geometry parameters
- Disabling leak protection measures
- Triggering simultaneous alerts across multiple systems
Through actuators:
- Controlling external hardware connected to the ATG
- Creating fire hazards by rapidly cycling relays until they burn out
This presentation highlighted the critical importance of properly securing Internet-connected industrial control systems (ICS) and operational technology (OT), not just in fuel stations but across all industries.
The Toilet Paper Principle – The Overlooked Human Side of IR
Eric Olson from JetBlue Airways delivered an excellent presentation based on a simple principle: just like toilet paper’s value skyrockets when you desperately need it, incident response capabilities shouldn’t be developed during a crisis.
Olson interviewed crisis management veterans to compile lessons learned and best practices for effective incident response:
Before the Storm
Understand that stress physically impairs brain function, affecting:
- Language processing
- Analytical ability
- Decision-making capacity
- Self-care capabilities
During high-stress situations, people don’t rise to the occasion, they default to their level of training. Preparation is essential and should include:
- Policy: Brief document outlining organizational commitment to security incident detection/response, high-level roles, and clear authority delegation
- Plan: Framework applicable to most incident types, defining severity classifications, escalation paths, and responsibilities
- Process: Step-by-step workflows for response team members
- Procedures: Specific tool-based implementation instructions
Additional preparation steps:
- Regular practice sessions with team member observers providing feedback
- Physical contact lists with direct numbers to key decision-makers
- Pre-arranged retainer services with “break glass” access accounts
- Emergency communication channels independent of potentially compromised organizational systems
During the Storm
- Designate a clear Incident Commander with:
- Strong communication skills for both technical and management audiences
- Organizational credibility
- Decision-making confidence under pressure and incomplete information
- Determine if you’re in a “sprint” or “marathon” scenario and plan accordingly:
- Implement shift changes
- Limit meeting participation to essential personnel
- Ensure adequate rest periods
- Consider assigning a team member to focus on responder wellbeing
- Communicate with leadership using clear “postcards” containing:
- Key points upfront
- Specific action requests followed by context
- Risk and business impact details
- Current status, progress, known/unknown factors
- Next steps and update schedule
After the Storm passes
- Provide proper recovery time beyond just a day off
- Arrange coverage for team members during recovery
- Conduct thorough lessons-learned sessions
- Assign accountability for tracking and implementing improvement actions
This presentation provided valuable takeaways for improving organizational crisis preparedness.
Ducks in a row – How to effectively manage the remediation lifecycle
Unfortunately, presenters Nadir Izrael and Curtis Simpson used this session primarily to promote their company. They made little effort to disguise their sales pitch, even concluding with directions to their expo booth.
This approach violated one of RSA’s cardinal rules: presentations should provide educational value, not serve as marketing platforms. This is reflected in the very first question on the session evaluation form.
I found this approach disrespectful to both the conference organizers and attendees. I sincerely hope the remaining sessions I attend will focus on knowledge sharing rather than sales pitches.
Conclusion
While day two had some disappointments, the presentations on ATG security vulnerabilities and incident response human factors provided valuable insights worth implementing. Looking forward to what the remaining days of RSA will bring!
Leave a Reply