Information Security Disconnect: RSA, USB, Antivirus, and reality

The world's largest information security event, the annual RSA Conference, is over for another year. Most of the more than 18,000 people who attended the 2012 gathering are probably back home now, getting ready to go into the office. What will be top of mind for them, apart from "How did I manage to survive 5 days of non-stop security-speak?"

This was the twenty-first year the event was held and, if the last 20 years are anything to go by, one thing that most conference attendees are not thinking about right now is the enormous gap between security discourse at the show and security reality down at street level. To illustrate my point I will contrast one unhelpful platitude I heard last week with something that happened to a friend of mine on the last day of the show, something that directly links data security to life and death.

First, the platitude: "You don't need antivirus any more." This piece of nonsense was suggested to me in several conversations I had with attendees on the floor of the RSA exhibition hall. It has also been discussed in the Wired article "Is Antivirus Software a Waste of Money?"

If you read between the lines you get the picture: Some security experts figure they are safe enough without AV. But listen closely and I doubt you will hear anyone willing to stake their career on advising companies, in a professional capacity, to abandon AV protection. (You also have to wonder exactly what AV software those experts were using that let them down so badly they want to abandon this basic layer of information protection.)

Now to my friend's street-level information security experience. She was walking her dog near the courthouse in a city of considerable size (that will remain nameless to protect the innocent, the guilty, and the accused). On the sidewalk she sees a USB stick and picks it up. Seeing nobody around, and thus unable to determine ownership of the device or any data that it might contain, she takes it home and plugs it into her forensic computer (at which point I need to stress that you should not try this at home–my friend is a computer security expert and the computer she used for this task is not an ordinary one, although it is equipped, as all computers should be, with AV software that automatically scans USB devices when you insert them–she's not one of those "you don't need AV" security experts).

There were no viruses on the device, but there were dozens of documents, mainly Microsoft Word .doc and Adobe .pdf files. Judging by the file names she figured they contained some serious legal content. So next comes the moral dilemma: Do I try to open a file or two to determine ownership, thereby risking accusations of "snooping" from the owner when I get their drive back to them? And what is the alternative? It's hard to imagine a classified ad or flyer stapled to the neighborhood telephone poles that says "Found: One USB drive containing over 200Kb of legal documents, please call me if you think it belongs to you."

My friend did not reveal what was in the two documents she opened, and from which she was able to determine who owned the drive (which has now been reunited with its owner). All she said was: "It was serious stuff, scary life and death stuff that's likely to be in the news soon and frankly I was very uncomfortable that it was in my possession."

So, as thousands of security experts continue to absorb all they heard at RSA last week about the cutting edge technologies that will take information security to the next level, I'm scratching my head and asking myself: Why were the files on that USB device not encrypted? After all, they were created with two applications that are capable of file encryption: Microsoft Word and Adobe Acrobat.

Ignore the chorus of crypto experts who pipe up saying "those encryption schemes have been hacked." That is surely not the point. The point is that twenty-one years after the first RSA Conference, big-name criminal attorneys and the paralegals they employ don't yet understand enough about information security to take cheap, basic, and practically effective defensive measures. Makes you wonder just how much of an impact the information security industry has really had.

Perhaps security experts should take a break from grabbing media attention with contrarian views on basic data protection like antivirus software and spend some time talking security to mere mortals at street level. Indeed, maybe it's a good moment for us all to think about the reality of what information security means to most people today. Here's one thing it shouldn't mean: an unencrypted USB key holding someone's life or death, lying on the sidewalk.
