Cyber Security News / Trends Column

Black Hat Conference Evolves as Cyber Risk Soars

ATMs hacked to spit out $20s on stage, overriding pacemakers and insulin pumps via laptops – these are just a few of the demonstrations by enterprising hackers at Black Hat, but these presentations often help enterprises more than they hurt.

Black Hat, by its name, seems ominous. What was once a conclave of hackers in 1997 has become a fast-growing global conference series focused on the business of cyber security and includes technical presentations on vulnerabilities and solutions. Black Hat and its attendees have grown up, representing and protecting enterprises from cyber risk and threats. Past demonstrations have included hacked ATM’s spitting out $20s on the stage, using a laptop to override a pacemaker and cause a fatality (not an actual, live demo- thankfully) and later, similar fates via insulin pump.

But these threats and vulnerabilities were first shared with and mitigated by the at-risk enterprises before being presented. The value connection to business risk has led to a strong expo sponsored by major organizations including Cisco, Microsoft and Deloitte. Indeed, two groups that would never acknowledge each other in high school have come together. One in suits, the other in cargo shorts are now conversing and doing business. 

From training to briefings to interactive discussions, Black Hat delineates the maturity and growth of the cyber security market to the big businesses of ethical hacking and cyber risk management. The significant boom in dollars being applied against cyber crime documents the recognition that this is a business issue that requires strategic attention at the C-level vs. post-event patches by network and desktop IT administrators. 

And to put an exclamation point on the reality that cyber crime as a business issue, General Keith Alexander, Director of the National Security Agency keynoted the recent conference, saying at the start of his speech:

“This is the technical foundation for our world’s communications, you folks right here, and the issue that stands before us today is one of what do we do next, how do we start this discussion on defending our nation and protecting our civil liberties and privacy.
“The reason I’m here is because you may have some ideas of how we can do it better. We need to hear those ideas.
“But equally important, from my perspective, is that you get the facts. And so what I’m going to do today is try to lay out those facts.…there are good reasons why some of this is classified and why some of it is stuff that we just don’t put out there. And the big reason, from my perspective, is because terrorists use our communications. They live among us. How do we come up with a program to stop terrorism and to protect our civil liberties and privacy? This is perhaps one of the biggest issues facing our country today.”

Indeed, the very solutions to America’s most pressing threats will come from those who are, perhaps, most skilled at threatening it. The economic incentives and legal disincentives to work on the solution to cyber risk are winning the day as enterprises are investing and paying a premium to white-hat hacker organizations to protect their businesses. 

Unfortunately, the first of my 2013 Trends predictions to be realized was that a cyber attack would put a business out of business. As I wrote in January 2013:
Prediction 1. An organization will declare bankruptcy after a cyber-attack.

While some organizations are shoring up against cybercrime, many are not taking even basic or intermediate steps to remove vulnerabilities. As the level of attempts increase, the odds of a catastrophic event resulting in an organization failing also increases. The U.S. Cyber Consequences Unit (US-CCU) an independent, non-profit (501c3) research institute has found that a cyber-attack that could hijack systems, at a corporate level “have the potential to create liabilities and losses large enough to bankrupt most companies.” 

Krebs on Security recently reported that “A $1.5 million cyber heist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm’s remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim’s bank to recover the stolen funds.”

Fraudulent money wires to banks in Moscow and China led to the insolvency and closure of Efficient Services Escrow Group by the California Department of Corporations. 

General Alexander noted that “the offense is winning right now. Where is the defense?” We have learned, recently, that the defense (the NSA) has violated its own restrictions thousands of times due to human error, technical glitches and lax oversight. Indeed, the NSA and Black Hat were wise to meet and discuss the current situation. Any enterprise leadership believing cyber is a technical IT and not a serious business risk and security issue is delusional. Enterprise security must become just that, “enterprise-wide.” And the solutions will most certainly come from the Black Hatters that are motivated and compensated to play defense.


REGISTER TODAY  for the Security 500 Conference on November 5th in New York City at www.sec500.com. The conference is free is to qualified security practitioners.
 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+