Storage Developer Conference - #179: Storage Security Update for Developers
Episode Date: January 4, 2023...
Transcript
Hello, everybody. Mark Carlson here, SNIA Technical Council Co-Chair. Welcome to the
SDC Podcast. Every week, the SDC Podcast presents important technical topics to the storage
developer community. Each episode is hand-selected by the SNIA Technical Council from the presentations at our annual Storage
Developer Conference. The link to the slides is available in the show notes at snia.org/podcasts.
You are listening to SDC Podcast, episode number 179.
My name is Eric Hibbard. I'm with Samsung.
I've been involved with SNIA activities for quite some time.
I've been either the chair or the co-chair of the Security Technical Work Group since about 2004.
So a little bit of history.
I do and have operated in the storage security space, and I do like the
letters C, I, and S. I have many more I didn't list there, so if you were going to ask what that means,
I am actually certifiable both as a security professional and a privacy professional.
What I intend to do with this session is to give you some insights into things that are going on in a variety of spaces.
It's pretty routine for developers to have their head down, looking at their shoes, worrying about what they're developing, either hardware or software-wise, and don't always sort of look up and see what's
happening in the shadows, which is where a lot of bad things happen in the security space that we
track. And then there are some interesting responses that happen based on regulators and
lawyers and whatnot who think that they need to do something,
but they're never quite sure what they're going to do.
But eventually, this stuff does trickle down and has the potential of impacting what you do as a developer.
So the intention here is to give you some insights into some recent developments and some things that we see on the horizon, give you an opportunity to ask some questions.
And as you can probably guess, I'm, at least from a standards perspective, fairly heavily involved in that.
I represent the U.S. on the ISO standards for information security, cybersecurity, and privacy protection.
And on the IEEE side, I chair the Cybersecurity and Privacy Standards Committee.
So a little background on me.
That's where I'm coming from.
I watch the real world, and then I try and do what I can in the standards space.
Okay, so you may or may not have seen this.
What it basically means is I'm not a lawyer.
I do play the part of a lawyer.
I'm actually co-chair of the ABA's IOT committee.
I sit on a couple other activities.
And probably more importantly, I'm not your consultant.
Anything I tell you, it's your problem, not mine.
Okay, so let's talk a little bit about threat landscape,
because in my world, this is where all the action is. And in most cases, security is basically,
security people like me are responding to a set of actions or activities that are ongoing,
and we're having to deal with these.
Unlike other technology areas,
we don't typically deal with one-and-done kinds of problems.
As fast as we figure out how to deal with something,
the bad guys have moved on to sort of the next angle.
They found a way around it or figured out a more profitable adventure from their perspective.
So what you see here is what I would say is the current threat landscape.
Which of these is sort of the top activity varies a little bit,
but these are the kinds of things that we see on a continual
basis. Social engineering is typically one of the top problem areas. The human is the weak link,
continues to be the weak link, and so social engineering is one of the tools that the adversaries basically
deal with. I'm sure, well, let me ask, how many of you have not heard of ransomware?
Okay. So ransomware has definitely been in the news. It's the current scourge
that is actually lighting a fire
under a lot of IT managers
and C-level executives
in terms of we've got to do something
because you can actually lose your company
or your organization
if you get hit with one of these.
But it's also important to recognize
they're not going after just the big guys anymore.
It's getting personal.
They vary the fees.
So if they take all your stuff, they might only charge you $500 as opposed to a half a million dollars, depending on the size.
So it is getting very personal. And with a few exceptions, usually in the category of revenge,
you've got a pretty good chance of getting the keys back
to basically decrypt your data.
That doesn't mean you get your data back because, well,
they are a little bit cumbersome.
When they do the attacks, it can actually mess up systems in the process,
and recovery is not absolutely guaranteed.
So make sure you're doing your backups.
Denial of service attacks used to be the thing that we talked about a lot.
They're still happening, but there's a lot of mitigation strategies that are in place to sort of make that stuff go away. And the list goes on and on.
We could actually do a two-day talk on the various techniques that are in this.
But it's important for you to understand that as the security community,
these are the kinds of things that they're having to watch for.
And this is why you're getting your training and whatnot,
is to help you to sort of participate in the
protections. All right, so who's doing this and why? Well, we definitely have cyber terrorists.
At this point, they're pretty active for obvious reasons. We're seeing a lot of activity in
government and state actions right now. No big surprise given
some stuff going on in Europe.
An area that
I've been involved with
trying to counter for quite some time
is organized crime.
To give you an idea of
how vicious that can be,
I've been involved in multiple homicide
investigations.
Grandma's in the trunk.
The C-level executive is being told, give me the credentials so I can go do this.
And they both end up in a river.
So this is organized crime.
They brought all the tools that they had before.
They're just doing it now in the cyberspace.
So they found that a hammer is much more effective than trying to run some sort of tool to get some of the security credentials.
The other players, hacktivists and insiders, script kiddies, all of these have been around for quite some time.
In, I think, our current state of affairs, they're more of an annoyance than anything else.
These other players are much more active, very motivated, which on the motivation side,
we see that there's political, economic, technical, and military agendas, some cases all at once, others not.
The profit side of this is quite interesting, and I'll give you an example.
There are ransomware as a service kits that are available.
It is not illegal to sell those, at least at the moment.
If you use one, it is. And so there are groups that are developing these tools,
and less technical people are able to fully exploit them.
And the guys that wrote the software might get a 30% cut on anything that is exploited.
So, you know, they've taken the whole sort of cloud model and moved it into this space.
Obviously, there's some, you know, people that like to say, I hacked NASA. I used to work for
NASA. We always had people that were coming after us and saying, see, I compromised your web server.
Revenge is absolutely a factor in this day and age with, again, some of the activities in Eastern Europe.
If you open your mouth, you could very easily suddenly become a target.
And then some players are actually engaging in all of these sort of motivations.
You've probably heard of several of these,
but these are just some examples of some breaches.
But just to give you kind of an idea
of what's being dealt with,
the Colonial Pipeline attack,
it's clearly an example of critical infrastructure attacks
where we're anticipating more and more of these
are going to be happening and have been happening.
A lot of our critical infrastructure worldwide is not very well hardened.
And it can be kind of scary when you actually look at what's actually running there.
Obviously, the Russian-Ukraine hacking, they're both going after each other.
But there's a whole bunch of other players who are maybe not part of the actual governments
who are participating in this. And of course, anybody that's supporting either side in this
adventure are also at play here. So if you raise your hand and say, this is evil,
choose which side you're on, then the other side may go, okay, yeah, we're coming.
This Lapsus$ digital extortion gang,
I put this here because they've been very effective
at going after source code and certain kinds of data
for some well-known organizations.
This is, again, not new,
but the kinds of things that they're doing is,
if you don't pay us some outrageous fee,
we're going to make the entire source code
for your operating system available worldwide,
just for fun.
Or maybe we'll give part of it away
and then hold the other part.
So, you know, it's buy it one piece at a time kind of thing.
Costa Rica had an interesting problem.
They actually, due to some ransomware, had to declare a state of emergency.
So this is an example where the critical infrastructure hit was so severe that the entire country was impacted.
If you're into cryptocurrency, just thought you might be interested.
North Korea's been very, very effective.
A small amount of cash probably kept a couple of sections of the country operational for
a couple of years with the amount of money they snagged there.
And health care providers are absolutely a point of attack.
And part of the reason for that is, well, health care is,
if you have some sort of condition that you probably don't want the rest of us to know about,
that might be worthy of ransom, but you have social security numbers, probably billing information. So one shot,
they get just about everything they want. So they can steal money and then turn around and come back
for some sort of impersonation of you in the future. So we're seeing lots and lots of healthcare organizations
being hit. We're also seeing them taken down. And there's some pretty nasty players who are
trying to see if they can shut down ICUs with cyber attacks. And it's just, you know,
let's see if we can do that. And I do some work in IoT, and this is one of the really, really big areas of concern is how far can they get, especially with that embedded XP operating system that they can't update.
And, well, I'll leave it there.
You get the picture.
All right, so oftentimes when we're talking about, I waved some terms earlier, you know, so privacy, personal data protection, ethics, which, you know, depending on where you're at may be challenging, information security and cybersecurity.
The key thing to keep in mind when you see these kind of terms is they are not all the same thing.
There is some overlap, and it's sort of the broad level.
Privacy and information security are not just digital.
It can involve paper and a variety of other kinds of areas, whereas personal data protection and cybersecurity tend to be of a digital form.
So it's important to see that these things are not the same,
and one way of thinking about this is security and information security, cybersecurity,
really don't have a dependency on privacy, but privacy and data
protection does have a dependency on security. So there is some commonality, but it's important to
sort of keep an eye on those pieces. The privacy piece right now is heavily regulated around the
world. The security side, not so much. So when you talk with lawyers,
which I spend a lot of time talking to lawyers, they like to talk about reasonable security.
And in fact, on Monday, I had a cybersecurity session I was on with the ABA, and somebody
asked me point blank, so what's your definition of reasonable security? And my response was,
exactly what a New York lawyer can argue in front of a judge.
This was with a whole bunch of lawyers,
and they all laughed and said, yeah, that's basically it.
So the right tends to be,
at least from a regulatory legal perspective,
a bit more of a wild west.
The left,
depending on your jurisdiction,
a little better understood and known.
So like in California,
those of you who are not Californians,
we've got some privacy laws here that are sort of tracking what we're seeing in Europe.
And there's a few other states that have the same thing.
We in the U.S. don't have a national privacy or right to privacy.
It's not one of our inherent rights, but in Europe it is.
So when we look at this space from a storage security perspective,
both sets of issues, the left and the right here, come into play.
So there are things that privacy might drive down into the products.
So if you're, as a developer, getting hit with some things that are like, well, why is that IP address important?
Well, if you're in Europe,
that might actually be protected information.
So there's broad scope of things
that we have to sort of worry about
in the storage security space.
Okay, so what's happening in the legal regulatory landscape?
Well, in the case of cybersecurity,
there's a lot of stuff happening. If you're doing work with the U.S. government, they have recently put in place a
cybersecurity maturity model certification program. And this also comes into play if you are
not just handling government systems, but if you have what they consider sensitive government information on your systems, you may actually have to go through a certification program to be able to do that.
And that could be things like procurement information in terms of what's being classified.
How many of you heard of the zero trust? Is this a concept that you're being
exposed to? Okay. Well, this came out of one of the U.S. presidential executive orders,
and the National Institute of Standards and Technology was tasked with going off and doing
some work in this space, and they've come out with some documents,
CISA, which deals with more direct cyber kinds of protections
for the U.S. government,
are also focusing on network aspects of this.
This is a fundamental change in the security architecture,
if you will, from what traditionally has been around.
We're also seeing a fairly new executive order
dealing with IoT, consumer IoT,
and it's actually a labeling program
where the IoT product will need to have
security certification, third-party,
and maybe a vendor attestation.
So, again, NIST has been tasked with putting together basic materials.
So you're wondering, well, why am I talking about IoT here?
Well, IoT in NIST's definition includes just about everything except routers and switches.
So your smartphones, probably your storage systems are all going to fall into this kind of space.
And then there's, in Europe, the Digital Operational Resilience Act.
Again, lots of security requirements that are kind of coming in here.
And what we're seeing on a country-by-country basis, we're beginning to see regulations on security. If you're multinational, this stuff is a real headache
because now you've got to look across these various jurisdictions
that you sell into or operate in and try and figure out
what's the superset of things that you need to worry about.
Or somebody like me, I'm trying to figure out
if I'm selling products in 160 countries,
what does that mean from a security perspective?
Likewise, privacy has some of the same kinds of issues.
Remember, they're not exactly lined up.
And so most people have heard of the General Data Protection Regulation, or GDPR.
Still alive and well.
Nice fines being issued.
I've actually heard it accused of being a creative
taxation form because some of the companies that are being gone after. But, you know, the Europeans
are not alone. There's the Chinese, the Russians, the Japanese, the Australians, New Zealand,
the list goes on and on, all have their own privacy
regulations. Again, they vary quite a bit. And in the United States, in the absence of a federal
approach, we're doing it state by state. And of course, they don't line up. So further complicating
what vendors potentially have to worry about.
There's an awful lot of, especially in the U.S., cybersecurity privacy litigation, and we see that increasing.
I made this smart-aleck comment about reasonable security.
In several of the states, that's how the regulations are basically being written,
is reasonable security. And depending on who is taking enforcement action,
you may have some challenges in terms of what you have to demonstrate that you're doing.
Again, depends on your lawyer.
And the last one, under others, is an interesting one.
You may have heard of Lot 9.
This is a green storage, green server EU regulation or directive.
And it has this funny little element in it, which if you have between four and 400 drives in a storage system,
it needs to have a secure data deletion function,
which is not very well defined.
And so this is an example of something that's not focused on security,
not focused on privacy,
that's indirectly affecting storage security aspects of it.
And we're, again, expecting to see more of these kinds of things coming into play.
Okay.
So in the security world, we deal with frameworks typically.
So some set of collection of controls, things you should worry about,
things like authentication and authorization and how you go about doing that, right?
And in the last 18 to 24 months, in fact, in the last six months, we've seen two of
these, three, go through a fairly significant change.
So the ISO 27000 series is recognized in the international space as how to handle information security management.
And earlier this year, February, 27002, which is the controls, was published.
This was a massive change in what was there before.
So if you were ISO 27001 certified and you used 27002 as the controls when the audits were basically performed, these controls now fundamentally
changed. Now, the reason this is important is 27001 is about to be published in a brand new
edition, probably no later than November of this year. That means if you hold a 27001 certification,
you got 24 months to recertify or it goes bye-bye. So there's going to be a lot of security people
that are scrambling on this. If you touch credit cards in your infrastructure, the payment card
industry data security standard was updated to 4.0 this year. Now, many of organizations
have some sort of order processing capabilities.
That means some portion of their infrastructure has to be compliant with PCI DSS.
And now you've got another one of these that's basically undergone change.
And of course, the U.S. government, with its Special Publication 800-53 Rev. 5, came out in September of 2020.
There are already work underway on a Rev. 6, and the cybersecurity framework was another one of the frameworks that's related to this.
1.1 is currently out.
Work is underway on 2.0.
So what all this means is the security professionals
that have to deal with these
and their policies and everything else,
they're going to be just a bit distracted
trying to conform with these requirements,
deal with the auditors that are going to basically come in.
This is on top of what we see with all the attacks that are happening
that I described earlier.
What do I think is going to happen? What do I see happening in the future?
We're seeing a transition to this
reasonable security, what a good lawyer can argue. We're now beginning to see
language that is risk-oriented.
So it means you have to demonstrate that you've looked at the risks associated with your infrastructure, your data, and you respond to it in an appropriate fashion.
That changes the game a little bit. We're seeing supply chain security issues, counterfeit, infiltrated, hard to get,
you know, government saying, no, you can't do this, you can't send this. These issues
really sort of came to light during the COVID lockdowns. But we're seeing that there's not really going to be
a lot of relief on this.
So it's going to be an issue going forward,
especially for certain governments
that are being very, very picky
about where the products come from.
And you may have seen that one of the state-of-the-art
fighter aircraft was identified of having some component from China, which was like a magnet.
And they had to basically go in and do a big study saying, yeah, it can't be compromised.
It's just a magnet.
But it shut down production on that entire line until they sorted that detail out.
So it's an example of what's happening around supply chain issues.
Circularity is another hot issue, and there's a talk later today on media sanitization,
and this potentially plays into that.
So being able to reuse, stop filling landfill, you know, kinds of issues. Product security
certifications. The EU is currently
making noise that they may require certifications
of products in the future.
All products. I mean, they're
doing some work right now to sort of make it a little easier to deal with the certification.
Some of you already may be familiar with FIPS 140 for crypto in the United States.
Are you familiar with Common Criteria?
Maybe?
Well, what's important to recognize here, FIPS 140-3 came into effect April of this year. So we've got a new flavor of FIPS 140.
And Common Criteria, which is known as ISO 15408, was just published, the next edition,
as in like the last month. And it went from three-part to a five-part standard. And so lots
of the labs are basically going through and getting ready to actually accept product certifications
under the new criteria.
So if you knew what you were doing with these in the past,
what I'm telling you is that maybe a new game may take longer
to basically get the products through.
And some of this is being looked at from an international perspective
of, yeah, we want more of this. And we're seeing other organizations talking about doing their own
kinds of certifications and conformance testing. It's all under the heading of trust but verify,
and there's not so much trust, so everybody's trying to verify. And that's kind of going on.
We do see zero trust showing up. It's primarily a U.S. thing, definitely being driven by the U.S.
government, but there is a likelihood that some of this is going to show up in the international
community because there's a lot of crosstalk happening. NIST is talking with its international
partners. And we're seeing continued work in cloud and edge computing, and how does IoT and cloud and smart cities, how does all this stuff play together, and the security implications of all this are quite wicked.
How connected is Evo and the whole question of software, why change in 2015, software-related? So the question is, am I aware of any SNIA software supply chain security kinds of things?
Not directly.
It's definitely a topic of interest, I think, for the vendors that operate within SNIA,
but there are other quarters that are working on it.
Examples, Trusted Computing Group has got a supply chain security activity.
And if you look at what OCP is doing, again, they're very much worried about sourcing kinds of issues.
So there are other players that are looking at it.
Okay, so why should you care?
Well, first of all, you should be thinking secure by design, secure by default.
Hopefully this is not a phrase that's new to you.
It's pretty much an expectation today. So if your products go out and they're by default wide open, unpatched, and somebody's got to spend a whole bunch of time bolting it down, you're likely to get a rejection.
Vulnerability management.
Do you have a program? to deal with problems in a way where you can quickly respond to customer requirements
or third parties that are basically identifying this.
And as a developer, you need to be thinking about how would I deal with something?
I wrote this. It's introduced this problem.
How can the problem get back to me so I can get it fixed? Does your organization have
a way of dealing with this fairly complicated sequence of events? So you've got things like
disclosure and if you fail to deal with this in a reasonable fashion, you could find yourself,
there are certain law firms that are specializing in going after vendors because it actually helps augment the funding of their security teams.
So it's almost a predatory kind of behavior, and you should be aware that this stuff is going on.
And they're on the hunt, especially if you've got deep pockets.
Poor cyber hygiene.
So if your development processes
really are not up to snuff, so to speak,
they don't pass the security giggle test,
there are legal implications
if you're selling products.
The FTC is very fond of using unfair and deceptive practices.
So you make certain claims, don't follow through with them, or you just basically ignore security.
You could find, depending on where you're operating, very, very nasty fines associated with this stuff. If you're fond of your source code and your design specifications, they are under constant attack.
And in fact, if you are in some form of litigation, I'm here to tell you that the law firms are under attack.
Because in some cases, their e-discovery mechanisms may have made it actually easier for the attackers to go get yours and the other side of the
problem, if you've got like patent disputes and things of that nature. Ransomware, you could
get hit with it as part of your organization. What happens if your systems never come back?
Does that mean your project's dead? Does it mean you've lost all your code?
What do you need to be doing to make sure that you protect you, your team, your company?
And as developers, you may actually have the most insight in terms of how to go about doing that.
Another piece of this is maybe they don't want to keep you from getting the code. Maybe they
want to help your development out.
Maybe they want to substitute a particular module so that when you distribute your code, you're helping them with a distribution problem.
So you distribute it to 10,000 customers, and they got 10,000 distributions from day one.
This has definitely been going on for a while. And when you're talking organized crime, they're perfectly happy to pay somebody
a premium amount of money.
You pay your developers, your low-end developers,
no money.
They're in your development teams.
So some of these environments,
if you're high-profile, lots of customers,
you need to be very careful about how you're managing your source code and your builds.
Okay, storage security, Event Horizon.
So we are, so it's not all doom and gloom.
Remember, security, we're a wet blanket because we're always staring at the wrong end of things.
There's a brand new standard,
IEEE 2883,
which is dealing with sanitization.
How do you make data go away
when it's actually on storage?
There's a talk later today
around 4 o'clock. We'll walk
you through what's going on.
This is an area that
will help with the circularity kinds of issues
and will help organizations figure out some alternatives to just destroying,
which in some cases is just the automatic default.
There's a revision underway, almost done, with an ISO standard on storage security.
The previous version, which was published in 2015, was all guidance.
Therefore, it's all optional.
The new standard has shall statements.
So that means auditors will be able to use this to see,
did you basically do the baseline requirements?
So there's now a baseline in this standard.
Even more importantly, and this is a labor of love,
I happen to be the editor for 27040,
so there's a very interesting relationship that's been set up.
The new 27002, which is this one that does all these controls, now defers to 27040 for certain kinds of storage-oriented things, in particular, sanitization of storage backups. And in the case of 27040,
it defers to IEEE 2883
for the actual techniques of sanitization.
So it's taken a long time to put it in place,
but what you're about to see
by the first quarter of next year,
all of these documents will be approved
and published and consumed by the auditor communities.
Next one is computational storage. There's been a lot of sessions here this week on
computational storage. There's a lot of work in security considerations, a
lot more work in need to figure out how you translate a consideration into actual implementations.
Maybe that's probably the best way to describe it.
In the not-too-distant future, we think there's going to be a new capability, Key Per I/O, for NVMe storage. There's a session this afternoon talking about this. It's something that the Trusted Computing Group and NVMe have been working on for a while.
I think it's intriguing, possible capabilities around cloud and virtual environments, containers could very well take advantage of this kind of technology.
But I think you'll hear more about that in a little while.
And those of us that operate in the crypto arena,
there's a lot of buzz around quantum computing
and the implications of what's going to happen there.
From a vendor perspective,
if you think about how long your products are out in the customer environments.
If it's one year or two years, you're probably not going to have a problem.
But in my experience, five to seven years,
we're in the window where we may in fact have to have quantum algorithms
or quantum resilient algorithms shipping in products
in the not-too-distant future, if not now already.
Okay.
So we're seeing many of the security standards that sort of relate to the
storage technology have or are being updated, and they're now requirements.
So it's not optional.
Exploiting these may require changes to your products,
and you may be asked by your customer base to do this.
The trust but verify mantra that the security community
sort of lives and breathes is getting even stronger.
You see hints of that in what's happening with supply chain
kinds of issues.
And as a supplier and a vendor, you're going to have to earn the trust of your customers.
One security breach, one mishandled vulnerability is all it takes to basically take you down from a trust perspective.
So vigilance is absolutely required if you want to maintain that trust.
And you absolutely have to assume that there will be attacks that affect you,
could be your development, definitely will affect your products. It's just the nature of the
business that we're in right now. There are some resources that are available. I find that the NIST
materials, which are available at no cost and have no copyrights in them, are very consumable.
They do represent a bit of a U.S. government sort of perspective, but if you're in need of some useful standards, it's a good starting point.
Obviously, there are ISO documents as well. Payment card industry, if you
touch credit cards, you are contractually obligated to meet PCI DSS. The fines can be in the order of
$100 million, besides shutting you down. So it's a whole different game than what we see with standards, which in the U.S. are voluntary, except for PCI DSS.
And if you're not familiar with the Center for Internet Security,
they have some interesting benchmarks in terms of how to harden systems.
So this is definitely something to take a look at.
They used to be known for the top 20 kind of security issues,
but I find the benchmark materials to be particularly useful.
Because if you're trying to figure out how to configure a Windows operating system or a Linux operating system,
they have some materials that can really help you figure out what you need to do for that kind of thing.
Okay, so that's a sort of a whirlwind tour of what's happening in the storage security space.
To give you an idea, in the international arena for ISO,
because I told you earlier that I track this on behalf of the U.S.,
the ISO committee that deals with InfoSec and cybersecurity and data protection
has currently 325 projects.
That's 325 documents that are either published,
under development, being amended, or
error corrections. And they cover
information security management, cryptography, privacy,
and identity management, and a wide range of other kinds of activities.
So many, many things to watch, and hopefully this gives you a flavor of at least some of the ones that are probably more relevant from a storage perspective.
Yes, in the back. A couple of things, one of which is supposed to be a comment.
One is around proactive security.
Is there anything, you know, on how to attack threats before they become threats,
and before they become threats to the district?
When I'm looking at those,
could you comment on that kind of defense by a good offense?
And then the other question I have is around near misses.
Near misses, like I had a near miss: I could have been compromised, but it was a great learning experience. How do you think about your business and learning experiences,
and a good way to protect them and learn from them?
Because they provide an opportunity that doesn't involve damage.
So let me take the first one, basically proactive security, if you will.
And I absolutely advocate for doing that. For example, the CIS materials may be very helpful in that quarter.
You can use those to help you harden various kinds of systems, but you should be using vulnerability management, penetration testing, those kinds of tools that are out there.
In fact, I would encourage you to engage your customers and ask them what tools they're using.
And you may find that they actually use different tools.
And your tool set should, at a bare minimum, be that full sort of cross-section. I mean, you know you're going to be confronted with that. So being proactive is absolutely going to be necessary.
The other thing it does is, you're not going to catch everything because of the nature of the attacks, but if you end up getting sued as a company because of some exploit, the fact that you're doing this proactively may actually be a bit of a safe harbor.
So you are at least trying to do something. If you don't do anything, I know I would have a lot of fun. I'm a certified auditor as well. I would eat you alive.
As to near misses, it's an interesting idea.
There are a lot of concerns about sharing.
We see, even with the U.S. government trying to set up programs for sharing zero-day attacks or potential zero-day attacks, there's a lot of probably borderline paranoia about disclosing that, because of the implications if that information got out.
So you have the problem, even internally,
what do the InfoSec teams tell the developers?
In many cases, they don't.
My own personal experience is that often you'll want to have a security professional or professionals working closely with your development teams,
separate from your InfoSec team that's protecting the company, because they have different interests, and the nature of the disclosures is different.
You probably don't want cross-pollination happening there.
Does that help?
I mean, I'm giving you my personal opinion on it.
Yes.
Ransomware insurance being common.
So if you don't mind me giving an opinion.
So be very careful with your assumptions about ransomware.
So, for example, most ransomware insurance will have a provision where acts of war are not covered.
Gee, we've got quite a bit of activity in this space right now.
But what I find even more entertaining is,
what is the trigger for when the insurance applies?
And many of them are written up at the time of notification.
That would be after the event.
So anything up to that point might not be covered.
So you have to look very, very carefully
at the terms and conditions for ransomware.
The other trend that we're seeing is
some companies are basically saying,
we don't want to cover ransomware
because it's gotten so expensive.
And if you don't have your security house in order,
in other words, your hygiene is not what it should be,
you may not even be able to apply for it.
So you may actually have to have
some pretty serious upfront activities.
And if you're familiar with the concept of e-discovery, they're not your attorney.
Any information you disclose to them, if you ended up in a lawsuit, could be discovered.
Okay, so you get an impression that I'm not necessarily a big fan of ransomware.
Ransomware insurance is really not a form of protection.
You're trying to share the ultimate cost,
and the insurance companies are quite aware of that,
and they're not going to make it easy for you.
Probably more than you wanted, right?
It's, it's, each one has their own terms and conditions.
But increasingly what we're seeing is that you'd better have your act together.
They may cover you knowing that you don't have your act together, so they've got an immediate get-out-of-jail-free card. You didn't do your basics. You were required to. See, you signed up and said you were doing it.
But some of them won't even engage you if you don't walk in with some sort of audit. Any other questions?
Have you heard of
in the wild?
In the wild? Not through any official channels. The question is,
Rowhammer attacks in the wild.
And I think the hook has been raised.
Well, I appreciate your attention.
Hopefully this was helpful.
It's intended to be an overview.
The slides should be available.
If not, feel free to reach out.
I'm happy to share.
Thank you for your time. Thanks for listening. If you have questions about the material presented
in this podcast, be sure and join our developers mailing list by sending an email to
developers-subscribe at snia.org.
Here you can ask questions and discuss this topic further
with your peers in the storage developer community.
For additional information about the Storage Developer Conference,
visit www.storagedeveloper.org.