Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 2-5, 2019
London UK
8/2/2019
10:00 AM
John B. Dickson
John B. Dickson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Black Hat: A Summer Break from the Mundane and Controllable

Enjoy the respite from the security tasks that await you back at home. Then prepare yourself for the uphill battles to come. Here's how.

Next week, security practitioners from across the globe will make their summer pilgrimage to Las Vegas for Black Hat, DEF CON, and other security gatherings. As in years past, there will be no shortage of surprises:

  • Attendees, press, vendors, and analysts will clamor for insight on a tactic or technique that will break what was once thought unbreakable.
  • A geopolitical event will cast a shadow over the week like the Edward Snowden and DIRNSA keynote did in 2014.
  • A vendor will have the most over-the-top party (my bet, Rapid7).
  • The funniest T-shirt will capture the spirit of this year's get-together.
  • Attendees will be mesmerized by the latest hacking demo or "drop the mic" vulnerability announcement.

What's more — and most important — attendees for one week can forget the less exciting, mundane, and more challenging tasks that await them back at home. Tasks such as patch management, identity management, and other basics that most affect the security health of an organization and about which security leaders have the most influence.

Why is focusing on the external and sensational far more compelling than the internal and controllable? The answer is what I describe as "breach fixation." Here are four examples:

In Search of the EZ Button
The EZ button is what I call a popular trend in the corporate world in which executives attempt to solve a business problem in one fell swoop by implementing a technology solution or outsourcing the entire problem to a third-party provider. Instead of trying to make substantial progress on your own, you chuck the whole thing over to someone else and make it their problem. On the corporate side, think of business process outsourcing as where you take a huge problem (IT and billing) and expect … "voilà!" — problem solved. Perhaps this reflects a relentless pursuit of the instant gratification derived from US fast food. Perhaps …

Internal Resistance
Security might be your job, but it's just one more additional thing for laypeople in your organization to worry about. Aside from clear mandates on the topic, compliance-driven requirements, or a recent "near-death" experience, most organizations are still balancing security needs with day-to-day pressing needs in order to win more customers and increase revenue. This is a good thing. Security is asking other people to improve the organization above and beyond what individual workers are held accountable for on a daily basis. It's important to understanding that this is the natural order and that security leaders are likely to encounter pushback on additional security controls.

Bias for Products over Processes
I get it. Product equals scalability. To make substantial progress on a security problem in a large 20,000-seat corporate environment you need technology. However, when the underlying risk decisions, business processes, and operations have not been addressed in a meaningful way, products only solve part of the problem and give security leaders a false sense of security. One example I come across in the application security world involves web application firewalls (WAFs). When the PCI DSS first mandated the implementation of WAFs to protect web applications, organizations went out and bought WAFs, implemented them, and in large numbers did not implement any semblance of blocking. WAFs without blocking are really glorified Layer 7 logging devices. Worse, they provide a false sense of security.

Fixing Processes Is Hard
Let's face it: Reengineering existing business processes to improve security is hard. Doing so requires a deep understanding of existing security processes, an understanding that most organizations don't have outside of the security team itself. The expanding consulting ecosystem focused on providing clients feedback on NIST security processes reflects that. The different levels of the Capability Maturity Model Integration (CMMI) Scale show just how challenging process improvement can be:

  • Level 1, Initial: Processes are unpredictable, poorly controlled and reactive.
  • Level 2, Managed: Processes are characterized for projects and is often reactive.
  • Level 3, Defined: Processes are characterized for the organizations and is proactive.
  • Level 4, Quantitatively Managed: Processes are managed and controlled.

As security practitioners privately know, most organizations are fortunate to achieve Level 2 and rarely are their security processes quantitatively managed and controlled. That's because improving security processes is an uphill battle, though well worth the effort, especially after a welcome respite at Black Hat.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Wings2i
50%
50%
Wings2i,
User Rank: Apprentice
9/10/2019 | 1:27:12 AM
Information and Data Security
Insightful read on having better information and data security in place...
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...