Top 5 RSA Conference Resources: Week 4

We are back with another round of RSA Conference resources, which may prove useful for much more than pandemic survival. In reality, the education offered by speakers at Conference transcends time and any singular crisis or incident. Though some presenters may have made slight tweaks to their sessions if they were to deliver them today, most would make no changes. We know because we asked them, “What would you do differently?” Here’s what this week’s Top 5 RSA Conference Resources speakers had to say:

1. Authentication on the Move: Challenges for Mobile Web Applications

“With more and more employees working from home, many of them will use their mobile devices to access corporate web applications. They will be authenticating to corporate web applications for which they possess elevated privileges, and using these applications they will be dealing with confidential and personal information. Strong authentication is a must for these accounts. Traditional 2FA authentication requires the use of hardware tokens. Purchasing these tokens will be tricky right now, and they may not arrive in time. But recently, browsers started implementing modern authentication methods like WebAuthn that can leverage the biometric sensor built into mobile devices for authentication. WebAuthn can also provide a better user experience compared to traditional 2FA,” said Johannes Ullrich, Dean of Research at SANS Technology Institute.

2. XDR: Improving EDR Effectiveness by Adding Email/Network Visibility

Eric Skinner, VP of Market Strategy at Trend Micro, said, “Since the XDR approach is about getting better telemetry, COVID-19 means reviewing what telemetry can be incorporated from work-from-home environments. Is the corporate laptop EDR enough? Can more be done on the endpoint or at the network layer? And what privacy implications need to be considered?”

3. Digital Channel Fraud Mitigation: Balancing Risk and Reward

“As the COVID pandemic hit, most of the banks I’ve interviewed saw their call center volumes spike by 40%, inundating staff and causing SLAs to be exceeded. A handful of firms analyzed call volumes to identify the most common reasons for inbound calls, and quickly adjusted their digital channel and IVR messaging and capabilities to facilitate self-service,” said Julie Conroy, Research Director at Aite Group. “The fraudsters are hitting first with application fraud. Most of the banks I’ve spoken with thus far are seeing ATO attacks relatively flat (although none expect this happy state to continue). Fraudsters seem to be immediately focusing on application fraud attacks, using both stolen and synthetic identities. Mule recruitment is also on the rise. Many FIs are seeing a rise of mule-related activity in their online account openings.”

4. Challenges in Android Supply Chain Analysis

“The understanding of the complexity of supply chains is crucial in finding vulnerable weak links. However, it’s also necessary that this complexity isn’t misinterpreted and doesn’t lead to inaccurate and dangerous claims. It may be even more important now to reiterate the main message from my talk: we need more high-quality research into the Android supply chain, but we also need to be mindful that there are some pitfalls when considering such complex systems,” said Łukasz Siewierski, Reverse Engineer at Google.

5. Magecart Attacks Require Rethinking Your Credit Card Security

Raja Patel, Vice President of Security Product Management at Akamai said, “The base truth remains: web protectors need to monitor all scripts’ behaviors. Yours, third parties, trusted parties, all scripts—any can be a vector for attack. Over the last two months, we have seen the cat-and-mouse game evolve. Adversaries have used scripts to not just skim the web forms but also create new forms that a web protector would not have known to monitor for. To detect these types of attacks, we believe web protectors must have detections examining script execution behavior in all permutations of real-user sessions, rather than static policies based on known site construction.”