12.7 billion packets captured, 88.3 million logs analyzed and 8.08 terabytes of data written to disk.
These stats make up the RSA Conference (RSAC) 2020 Security Operations Center Findings Report. RSA Security was again proud to sponsor the educational exhibit that monitors network activity during RSA Conference. If you’re not familiar, the goal of the RSAC SOC is to use technology to educate attendees about what happens on a typical open, unsecured wireless network.
The RSA Conference SOC team again deployed the RSA NetWitness® Platform as part of its array of tools, including the RSA NetWitness Logs, RSA NetWitness Network and RSA NetWitness Orchestrator components for evolved SIEM capabilities. With this tool, the RSAC SOC Team was able to collect all the raw network traffic from a switch port analyzer (the SPAN) from the Moscone Center network, add metadata and visually prioritize threats occurring in real time. It also helps inspect every network packet session for threat indicators at time of collection and enriches this data with threat intelligence and business context. For files that might be malicious, RSA NetWitness Network checks a community anti-virus (AV) lookup, some static analysis and its own network intelligence. RSA NetWitness Orchestrator powered by ThreatConnect then helps triage and share these insights with the other technologies deployed in the SOC.
With that in mind, let’s examine three key takeaways from this year’s findings report:
Cleartext usernames and passwords: This remains a major area of vulnerability. The majority of the traffic data we analyzed was hosted on small business-hosted domains. Given this, it’s vital to know your protocols and configurations. There is no reason anyone should be using POP3 or IMAP2 protocols for email. Even at the one of the world’s largest cybersecurity events, many are not following security best practices. Although there is evidence of stronger passwords using alphanumeric and special characters, a strong password does not win over an insecure protocol displaying the password in cleartext.
Location data and mobile devices: At RSA Conference, over 13,000 mobile devices were connected to the event’s public WiFi network. These devices – often unbeknownst to you – share your data. This year, location data was prevalent. Although this can be fairly benign data, it is data that is unnecessarily leaking. In some cases, the data was not current, but cached location data, revealing previously visited locations. In addition, the RSAC SOC Team saw many unencrypted SMS messages in cleartext. In both cases, Wi-Fi assisted settings should be inspected and understood.
Know your vendor: There were many instances at this year’s Conference where exhibitor claims were in conflict with their actions. Our report illustrates examples of data being stored in cleartext from vendors on the Expo Hall floor touting their ability to secure data. Similarly, the team saw identities transmitted in cleartext from identity access vendors exhibiting at the event. Finally, we also analyzed vendor demo information in cleartext. This type of transmission can lead to demos being hijacked by bad actors who compromise stolen credentials. Internet Protocol Televisions (IPTV) – those awesome displays you see throughout the exhibit hall – need to be secured. Many IPTV’s use cleartext username and passwords.
The RSAC SOC Team hopes you enjoy the findings of this year’s report. We will continue to deliver these findings as a way to educate our community about the typical activities that take place on a wireless network and the best practices we should all be exhibiting.
Check out the RSA Conference 2020 Security Operations Center Findings Report for an in-depth look at the key takeaways the team analyzed in the RSA Conference 2020 SOC.
Want more? Get a behind-the-scenes tour of the RSA Conference 2020 SOC with ITSPmagazine's Sean Martin and Marco Ciapelli.