Original Post from Rapid7
Author: Tod Beardsley
As Hacker Summer Camp comes to a close, we sat down with a few friends in the security space to discuss the major highlights from Black Hat, DEF CON, and BSides, and the industry trends that emerged over the past week.
I was joined by Fahmida Rashid, the senior managing editor at Decipher.sc, and award-winning journalist and security researcher Steve Ragan at the end of Black Hat for this discussion. Here are our takeaways:
Hacking for social good
One of our favorite talks at Black Hat this year was Bruce Schneier’s “Hacking for Social Good” talk. The topic stood out as not your typical Black Hat discussion, since these talks tend to revolve around zero-day attacks, using ATMs to steal money, and the like. According to Schneier, we can use the same methods hackers use to do evil to actually do good in the world and make it a better place.
In fact, many presenters, researchers, and leaders at Black Hat this year were determined to shift the mindset of Black Hat to one of defending, helping, and making things better in the world—not just hacking to hack or to be malicious. We also saw this trend at DEF CON and, as expected, in many BSides events.
This is a much-needed and underutilized approach to security because most individuals are vulnerable to attacks and they don’t even know it (let alone what to do when they’ve actually been attacked). This is one of our biggest opportunities as a security community to do good and reach outside of our echo chamber to help the vulnerable population learn how to protect themselves.
Bob Lord’s talk at BSides took a similar stance: he said we need to get off the sidelines and realize more people need our help. It’s easy to get caught up in the work we have on our plate, and we need a reminder that attacks aren’t obvious to everyone. All it takes is five minutes of your day to help one person, which creates a ripple effect of helping many over time.
The false perception of imposter syndrome
Many security pros admit they suffer from “imposter syndrome,” which often stops them from reaching their full potential in their career. All of us on the panel unabashedly said we experience this feeling often, and many people we spoke to at Black Hat agreed. The saying goes that you don’t know what you don’t know, but if you focus on what you do know, it’s actually quite a bit.
Feeling like an imposter can stop many security pros from feeling capable of doing good in their community and in the world. Many people we talk to say that only when they reach a certain level of expertise will they be able to confidently help others outside their industry. The truth is, you don’t need to be dubbed an “expert” to help the majority of people who don’t know anything about security.
Not everything is an APT or sophisticated attack
As we walked the exhibit hall of Black Hat, it became clear that advanced persistent threats (APTs) and sophisticated attacks were the theme of the conference. But the truth is, the majority of attacks that hit companies are not that sophisticated. For example, if there is open access to your S3 bucket, it’s not an APT when an attacker gets in and dumps your data to the internet. Or, if you have poor password policies and someone guesses that your WiFi password is “password1243”, it’s not a sophisticated attack at all.
However, there was an interesting dichotomy between the messages we observed on the tradeshow floor and those found in the talks. Most presenters spoke to the fact that you first need to get good at security fundamentals before you should move on to worrying about or dealing with advanced threats. Defenses like two-factor authentication, password management, and patching will address an overwhelming majority of your issues, but there still needs to be a greater discussion about what the fundamentals are and how they apply to your particular company.
Unfortunately, most educators aren’t taking the time to explain how a company can assess whether it’s covered by just addressing the fundamentals or whether it needs to go further. Additionally, security education is much bigger than just learning one thing, such as phishing or ransomware. Many vendors say that if you do this one thing, you’ll be covered, but that’s not how it works in real life. For example, a hot topic now is detecting and stopping ransomware, but the importance of backups gets lost in that conversation. While there are some variants of ransomware that can be detected and stopped by endpoint solutions, the easiest (and most ethical) way to deal with ransomware is to revert to the known-good image or restore it from a backup. Treat ransomware like the disaster recovery scenario that it is.
A boost in technical talks at exhibitor booths
We also noticed a marked increase in Black Hat vendors giving technical talks at their booths, not just doing product demos or handing out swag. We also saw this at BSides, where employees of well-known companies sat in small, informal circles to discuss issues, answer questions, and offer advice. These mini-discussions enabled a level of information-sharing we haven’t seen at conferences like this before.
Spend time at conferences outside your bubble
Just as important (if not more so) than going to security conferences is going to ones outside your industry, such as developer conferences. It’s easy to get stuck in the habit of attending just security conferences, since there’s one going on every week, but considering how tightly security ties into development, we can’t not be a part of these events and discussions.
We need to talk about how to create secure solutions that won’t get in the way of developing a product. Developers are the first line when it comes to security, and if we can’t help them make their products more secure, we’ve lost the game. BSides welcomes all industries and is a prime example of encouraging cross-industry collaboration. In fact, BSides founder Jack Daniel is famous for saying, “BSides changes the world,” and it’s obvious this is true when you experience how integrative these events are. All it takes is sending one person from your team to a developer conference to walk around and chat with developers to share information and create collaborations that will benefit the greater security good.
That’s a wrap for Hacker Summer Camp! Let us know what your biggest takeaways were from the events and what you hope to see emerge in 2020 in the comments below.