High-Stakes Cybersecurity at Black Hat USA 2012
It is entirely possible that the Black Hat Conference was set in Las Vegas simply as an ironic statement about the state of information security today. Everyone is gambling. For hackers, the buy-in cost to attack a massive number of websites through simple Web scripts, spam, and malware is minimal. But with a slightly larger investment of time and resources, hackers can target large organizations for much bigger jackpots. Consequently, enterprise organizations are “all-in” whether they want to be or not. The stakes are high, as hackers conducting targeted attacks are not stopping at personal identification information (PII) and are now going for the “secret sauce” recipes. Security breaches that leak state secrets and intellectual property are difficult to measure in dollars but have major sociopolitical implications that can shape the modern world. Worse still, hackers and cyber criminals have stacked the deck and are able to penetrate network defenses through targeted attacks seemingly at will.
So, All is Lost?
For 2012, the prevailing tone underlying every major industry discussion has been defeatism. In the Keynote address given by Shawn Henry, former FBI-guy extraordinaire, we were told that we are all already breached and to accept this fact. Now, I understand the psychology here: that if we convince ourselves that there are malicious actors already in our system then we will be that much more motivated to go find them. However, a paranoid hunt for a phantasm hacker cannot possibly be an efficient use of very limited resources.
On the other hand, this defeatist mentality has led other security professionals nearly to the point of surrender. This post calls for companies to cease security awareness training for end-users and to focus instead on security technologies. While it is important to prioritize efforts on the security strategies that are most effective, the urge to give up on the human element is short-sighted. Training at all levels is an essential pillar of any security architecture, and I would argue that training requirements should actually increase for end-users higher up the management ladder.
Who Should Take Responsibility
Henry also indicated that the government was not interested in (or capable of) protecting the private sector. The government considers information security to be the responsibility of each individual business. The idea is that businesses must ward off thieves and burglars in the physical world and should do so in the cyber world. In the very next briefing, Marcus Ranum voiced his concern and distaste for this notion, pointing out that the government should try to defend private businesses as well because the most sophisticated attacks are often perpetrated by nation states and foreign criminal organizations. These organizations could not conduct physical attacks against businesses without recourse, but are free to do so online.
(Henry also said that we should take the fight to the enemy as well, which is clearly not viable or even advisable depending on the attacker. But at that point I was certain he was just jumping the shark for entertainment value.)
(Pictured: The Black Hat signal.)
Unfortunately, many businesses do not realize that they are breached until a business partner reports anomalous behavior from the victim’s systems. The FBI and other government organizations will only contact victims once the damage is done. The government is interested in finding and eliminating hacking groups, which is admirable but does little to protect businesses from their attacks in the meantime.
Where Do We Go Now?
The point is: the threat is greater than ever. Businesses must implement the foundational layers of security, including next-generation firewalls, IPS, content filtering, and anti-virus. Leading security vendors such as Check Point and McAfee have been adding new features such as advanced anti-malware, anti-bot technologies, DLP, and threat correlation to better defend customers. Businesses should invest in vulnerability management solutions from innovative vendors such as Qualys and BeyondTrust (which acquired eEye).
SMB companies can receive nearly all of these capabilities from UTM solutions, as UTM vendors including Fortinet and WatchGuard license technologies such as anti-virus and IPS from leading vendors such as Kaspersky. They also maintain a high level of internal product and feature development. Thus, there is no excuse for businesses to lack these essential technologies.
Additionally, new technologies are emerging that will empower businesses to block a large number of threats. Companies such as ClickSecurity and Critical Watch use advanced analytics and security intelligence to identify the most sophisticated and targeted attacks. Considering the massive amounts of log data generated in enterprise organizations and attackers’ skill at remaining undetected, these real-time tools are absolutely necessary to find the most persistent security breaches.
Most importantly, companies must dedicate budget to improve the “human factor” through training, auditing, penetration testing, and analysis. As far as penetration testing goes, everyone should be doing it on a regular basis. Companies that don’t engage in auditing and penetration testing have no insight into their true security posture. Use these guidelines to find reputable and skilled ethical hacker companies. These days, companies such as Trustwave SpiderLabs make it easy to purchase, prioritize, and regularly schedule these engagements with retainer agreements.
The Last Word
The time has come: it is necessary to adapt. But this is not such a bad thing. The best-known attacks, Operation Aurora, Stuxnet, and Flame, were based on techniques and vulnerabilities that have been known in the industry for years. We have known that this day would come, but we don’t need to feel like the sky is falling just because it is here. Instead, businesses must learn, understand, strategize, implement, test, and update their information security architectures.
Businesses are betting the house on a bad hand when they rely on outdated security technologies, ignore the human element, and fail to adapt to new threats. But that’s just me: I never gamble with my money—only with my life.
Double down with Industry Analyst Chris Rodriguez by e-mail.
For additional information on hacking, check out the Frost & Sullivan white paper entitled The Importance of Ethical Hacking: Emerging Threats Emphasise the Need for Holistic Assessments or learn more about Network Security.