Dark Reading is part of the Informa Tech Division of Informa PLC


Infrastructure Security

7/31/2017
01:40 PM
Curtis Franklin

Five Words for Black Hat

The Black Hat 2017 conference could be summed up in five words: Should there be more?

Black Hat 2017 has come and gone, and attendees have scattered to the winds, going home to count their new t-shirts, run exhaustive anti-malware passes on their devices and take stock of everything they learned at the conference.

Looking back at the meetings and conversations I had at Black Hat, five words stand out. It's not that these were the only things discussed, by any means, but there were five words that cropped up in many conversations -- and were sub-text in many others. In total, these five words sum up a host of nightmare scenarios -- and potential solutions -- for security professionals.

The interest and impact, though, go far beyond the world of security. There's no question that the general awareness of security issues has grown exponentially in the last decade. That awareness hasn't been accompanied by a rise in overall security, but hope truly springs eternal. So in the hopeful spirit of Black Hat's aftermath, five words to ponder as we gaze into security's future.

Visibility -- If there's one thing that just about everyone at Black Hat agreed upon, it was that CIOs and their management teams have no real clue what their networks look like or what's happening on them. That ignorance gives a huge advantage to criminals who take the time to explore the network as it currently exists and take advantage of the weaknesses and vulnerabilities they find.

In most cases, the experts said, company executives know what the network looked like on the day it was installed or at the time of the most recent major update. What companies need, everyone agreed, is the willingness and budget to know what their network looks like today, from the devices making up the network to those that use it, to the software running on all those devices. It's a daunting task, but absolutely the foundation of any real hope of security.

Diversity -- In the keynote address, Facebook CSO Alex Stamos talked about the need for greater diversity in people, background and thinking if security professionals are going to meet the challenges posed by next-generation criminals.

Criminal hackers will try approaches no one on the legitimate side has considered, and that's where the diversity comes into play. Greater diversity means more avenues of thought and imagination that can be applied to research and security approaches in the search for protection, prevention and remediation -- the three goals for pretty much everyone in security.

Expansion -- What do we mean when we use the word "security"? One of the things people were talking about was the possibility -- and ramifications -- of expanding the definition to include more human behavior topics, from social engineering to social media abuse. In many ways, it makes sense: If you define a security issue as something that causes harm to individuals or the organization, then it makes sense for security professionals to consider it part of their portfolio. On the other hand, actions traditionally labelled "abuse" tend to fall into HR's laps more than security. Should that change? What would it mean if it did? Those are the sort of questions the community will be wrestling with over the coming months.


Track the heartbeat of the virtualization movement with Light Reading at the NFV & Carrier SDN event in Denver. There's still time to register for this exclusive opportunity to learn from and network with industry experts -- communications service providers get in free!

Critical -- As in "critical infrastructure." We've known that water systems, the power grid, energy production sites and other facilities with huge impact footprints have long been targets for attackers. In conversations with researchers at Black Hat, many expressed concern that the attackers are getting better and, as critical infrastructure gets "smarter," attack surfaces multiply. Attacks in the Ukraine have shown that successful breaches of critical infrastructure systems are possible; the question is whether security professionals around the world have done enough to harden the systems under their care. Betting seems to be that the answer is "no."

War -- That computers and networks are now both the targets and instruments of war surprises no one. The worry is that the scope of warfare is rapidly increasing and "collateral damage" will be spreading. In addition, as economic warfare increases, more and more organizations will find themselves targets -- even organizations that have always considered themselves too small, or too inconspicuous, to find themselves on a nation-state target list.

Military operations use military-grade weapons, and the cyber world is no exception. The professionals are girding themselves for response when the wheels of war turn in their direction: When truly massive strikes begin, it's liable to get ugly for a lot of organizations, for a long time.

Those are the five key words I heard: What did you hear from Black Hat that would make your list? Let us know in the comments -- Black Hat is big enough to ensure that any individual is going to miss at least one thing of importance!

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.
