The Black Hat USA 2018 conference earlier this month was packed full of hands-on sessions, workshops and training that hammered home two ongoing industry themes:
- The industry has come a long way in its understanding of potential security risks and how to protect against them;
- Threat vectors are emerging every day that challenge everything we think we know about securing networks and data.
This annual gathering—now in its 21st year—is not just for security professionals, but also for network and IT teams from both the public and private sector who are tasked with keeping their organization’s network and data safe. Dozens of sessions focusing on penetration testing, defensive posturing, and other hot topics were led by an excellent team with diverse backgrounds, expertise and specialties as security professionals.
The four days of training gave a keen look into both a criminal’s mindset and the tools they have available to attack an organization. And while security professionals have tools of their own to combat attacks, one look at the breach headlines indicate there’s still much more work to be done. Now more than ever, the industry needs an influx of security professionals to join the fight to combat cybercriminals.
While it’s hard to boil down the conversations and training that took place over the weeklong show, here are three common themes I took away:
- Every person, place, and thing is a potential attack vector, and everyone at an organization has a responsibility to do what they can to prevent successful breaches. The advantage of the red team (attackers) is they only need one point of entry to get in and do damage. Blue teams (defenders) need to shore up every potential weakness. This calls for not only the best technology, but also ongoing education of users so they know how they can be exploited and takes steps to prevent it.
RECAP: Manuel Lobao gives a quick video recap of part of his experience at Black Hat.
One story in particular caught my attention—a company that had done everything right. They had the best protection money can buy and exceptional processes…except one: their BYOD strategy. Hackers found all standard entry points difficult to penetrate, but were able to exploit the app suite through an iPhone and gain access to the corporate network.
- Someone is always knocking on the door. Whether or not we know about it, there is always a threat actor looking to work an angle. IT and security teams are a relatively paranoid bunch, and that paranoia is warranted. There are companies whose business model it is to find footholds and sell them to threat actors who want access to any given organization. If we’re not careful as an organization and community, we will fall victim to one of those business models. Companies must be ever-vigilant. One presenter showed us how “easy” it was for hackers to subvert multi-factor authentication, for example, by using a smartphone and information about a person commonly found on their social media profiles.
- Tools are great, but it’s people, processes, and how we approach security as part of our daily lives that will keep us secure. We can have the best tools, but if we are not totally committed as a group, threat actors will gain a foothold. There was a lot of talk at the show about leveraging technologies, but technology is only one piece of the puzzle; people and processes round out a solid security strategy.
I’m looking forward to bringing all the tools, technologies, and processes back to my colleagues at Carousel and talking with our clients about the best practices they could be following. Together, we can make our organizations “Secure by Design.”