Top 10 themes from RSA Security Conference

It's been a highly productive show for many it seems. Certainly a fair amount of business has been done and the tutorial sessions were highly useful.

The show was certainly smaller than last year but this is no bad thing in a way. There was more serious work done, with fewer freeloaders gumming up the works. There were fewer press as well, which was nice for us.

So here we have our view about the most noticeable themes of the show. If you were there let us know what you thought.

Honourable mention: Heat

Iain Thomson: San Francisco suffered (and I use the word advisedly) a "heatwave" for the first two days of the show. As the temperature climbed towards the 90s (around 32 Celsius) some delegates were visibly wilting in the heat.

To explain, San Francisco enjoys a microclimate that usually never gets over 80 or below 40, due to being surrounded on sea by three sides. This does have downsides, notably the summer fog, but otherwise makes it perfect for Europeans like myself who think that only lizards like every day to be hot and sunny.

On the plus side the heatwave did give everyone a topic of conversation that wasn't about security. A full week of 8am to 7pm security can be dulling after a while and it was nice to have something else to talk about.

Shaun Nichols: Hot, stuffy, crowded... RSA this year was a lot like CES, minus the Blue Man Group. To those of us who have grown accustomed to Bay Area weather, a heatwave like the one that struck the first days of the show can be downright miserable. Heck, I had to open the windows in my flat AND turn on the ceiling fan.

I'm sure those who flew out to the show from places like Finland and Moscow didn't mind it much, but for those of us who are used to the local weather, it only added to what was already a pretty tiring experience.

Add to that the fact that computer security professionals aren't always the type of people you want to be around when s it'hot and sweaty, and one can begin to imagine why most of us are hoping that next year's RSA comes with a generous fog bank to keep everything cool.

Honourable Mention: Fewer freebies

Shaun Nichols: Recessions lead to belt-tightening. When money is short, budgets get cut and things like booth freebies dry up a bit. This year, those expecting to score some cool RSA swag came away with less than they did in previous years.

That's not to say there weren't enough freebies to go around, but companies that were hounding out t-shirts and thumb drives in years past were giving away key chains and brochures instead.

I don't think too many people are complaining though, when the choice is between booth goodies and jobs, it is no contest. Besides, would you REALLY want to use a thumb drive you got at RSA?

Iain Thomson: I think the lack of disappointment over freebies was more of a case of fewer freeloaders being here due to tighter budgets.

In the past I've seen the crowds roar forth like the Visigoth hoards at the start of the expo, intent on pillaging everything possible and carrying it home in triumph to dispense to friends and family. This year the people who came to RSA largely did so because they needed to be there and fripperies were less of an issue.

Ultimately I think it's a good thing that booth babes and their male equivalents weren't thrusting cheap pens and squeeze balls at us all the time. Such things break or get tossed soon enough and it's better for the environment if they don't get made.

10. Conficker

Shaun Nichols: As if the hysteria in late March wasn't enough, nearly a month later we get to RSA and Conficker is once again a hot topic.

However, much of the Conficker talk at RSA was of a very different tone. Few people spoke of it as the potential catastrophe it was portrayed as in years past. Rather, many people thought Conficker was actually helpful to the security industry.

The reason is that so many eyes were opened by the Conficker panic that even though there was no major attack, many companies were awakened to the need to tighten up their security practices.

Iain Thomson: If the Conficker worm did anything it alerted managers to the state of their patching regimes. If your network is at risk from a vulnerability that could have been patched in October 2008 then there are some more serious issues to be addressed on the patching front.

There was also a certain amount of appreciation, if that's the word, for the skill of the malware writer. Conficker avoided a lot of the mistakes malware writers often make that light up the board of intrusion detection systems.

I'd have to say the Conficker worm also had another effect; it made security professionals feel misunderstood by the media. No matter how many times people in the industry said that there was nothing to worry about sections of the media refused to listen.

9. Job security

Iain Thomson: The elephant in the room for many of the security professionals at the conference was the lingering concern that they might be out of a job tomorrow.

With seemingly healthy companies imploding left, right and centre everyone was obviously worried. This manifested itself in various ways. Some people were genuinely pleased to see colleagues, having feared that they were facing the chop. In the sessions people were working hard at making the trip pay and there were more people working later than at previous RSA conferences.

Some people did tell us that security was one of the better places to be in a downturn. That said, IBM's Brian Truskowski rather overegged the pudding by claiming that “security is recession-proof”. I only hope he doesn't have cause to regret those words.

Shaun Nichols: These days, job security is a concern for everyone from the mail room to the corner office. And as much as many at RSA like to claim otherwise, it is an issue in the IT security space as well. With budgets shrinking, spending is going down in just about every IT department, and one of the first things to get cut is often security spending.

That doesn't mean security won't fair better than other industries. With all the attention afforded to data leaks and information losses these days, a major breach can be fatal to a company, and many firms are now beginning to realise this and invest money into security even with the recession.

That's not going to mean that the industry won't see the same hardships that the rest of us are, and boasting about security being "recession proof" won't do much good when you're the person out of a job.

8. Social engineering

Shaun Nichols: Sometimes the biggest threats are ones that use no computer code at all. A successful cybercriminal is often much more a con man than computer whiz, convincing victims to hand over sensitive data rather than use covert software tools.

The security experts at RSA are very aware of that, and the dangers of social engineering were a popular topic at this year's show. Many show-goers were discussing ways to help users spot scams and stay safe.

There was also talk of how to use social engineering against the bad guys. An FBI agent spent three years running a social engineering scam on hackers to infiltrate and take down the Dark Market credit card trading site.

Iain Thomson: There are very few people who have the skill and inclination to make a career hacking systems when there are easier ways to do it. There's no need to storm the gates of the citadel when someone's left the back gate open.

Social engineering is still depressingly successful. A lot of security companies publish bogus studies where people will give up their passwords for a pen or a chocolate bar. They never check if the passwords are actually correct.

Nevertheless it's easy enough to socially engineer useful information out of people, and until people learn to be more security minded then hackers will carry on getting away with it.

7. Mac security

Iain Thomson: Without a doubt the most commented piece I wrote all week was on Mac security. Apple fanboys and girls are a sensitive bunch and don't like it when you point out that things may not be always rosy in the land of Jobs. I even got someone sending me a thankfully non-stalkery message on Facebook, which I will reply to once the show is over.

But there was serious concern among the assembled security experts about the state of Mac security. It's not that Apple make a more insecure operating system - it doesn't - but it's the attitude of Apple users to security. Years of being untouched by malware has given many Mac users a false sense of security and led them to take no precautions at all.

Now the amount of malware targeting the Mac is still relatively small, albeit on the rise. But the fears expressed in seminars and conversations was that Mac malware could be much more damaging because of the lack of security software. Once an infection is made, the possibilities for it to be removed are much less. This is even worse from a corporate networking standpoint since it could allow malware to spread much more easily.

It's too early to tell but the view from many delegates, not just those trying to sell security software, is that a big Mac attack is coming and when it does a lot of people are going to get stung.

Shaun Nichols: I elaborated on this subject further in the Mac Inspector blog, but the arrogance and ignorance displayed by the Mac community regarding security these days is really disappointing.

As a Mac owner myself, it's a bit worrying to see Mac malware shrugged off because the attacks are not self-replicating worms (almost no malware is anymore) or because there aren't as many Mac malware samples as there are for Windows. Those excuses will mean nothing when your machine gets infected.

There's also the strange notion that security researchers and vendors want to see Mac malware emerge. You will see as many Macbooks at RSA as any conference, and some of the most respected researchers in the business use Macs. Though the ranks of Mac anti-malware products have expanded in recent months, few vendors are selling products, and nearly all of those that do make an almost insignificant share of their revenues from Mac product sales.

If Mac users want to stop being referred to as smug and ignorant regarding security matters, we need to wise up and lose the attitude when it comes to dealing with what have become real security threats for MacOS X.

6. PCI

Shaun Nichols: Now more than ever we are reliant on bank and credit cards to pay for everything from the gas bill to groceries. This in turn makes securing those systems more important than ever.

Earlier we mentioned the Dark Market bust, an important example of just how easy and lucrative the 'carding' operation has become. The ability to steal and trade credit card information has become one of the top cybercrime practices.

In response to this, RSA was teeming with PCI security vendors who specialise in training and systems to help merchants secure credit card data and prevent card fraud both online and on site.

Iain Thomson: Swarming they were, but I still wasn't convinced.

There still seems to be a lag between the technology for protecting payment cards and the will of suppliers to actually use it. I saw a lot of innovative technology and some really good security systems but then left the hall and went to buy a new shirt and the only security check was a signature that the salesman didn't even glance at.

Until retailers and banks stop living with the losses from crime and actually do something about it then PCI will remain a dead zone.

Read on to page two for the next five!