Dan Geer, CISO for In-Q-Tel, delivers his keynote on “Cybersecurity as Realpolitik” to Black Hat USA 2014 attendees. This year’s conference drew more than 9,000 attendees and 180 speakers. Photo courtesy of Black Hat USA
With the nature of security quickly evolving to encompass both physical and cybersecurity at its very core, software manufacturers and security experts are finding themselves in a precarious situation – balancing between what is required and what is needed.
“Convergence is an inevitable consequence of the very power of cyberspace in and of itself…. The power that is growing in the Net, per se, will soon surpass the ability of our existing institutions to modify it in any meaningful way,” says Dan Geer, CISO for In-Q-Tel, a not-for-profit investment firm that looks to invest in technology supporting the missions of the CIA and the U.S. intelligence community, during his keynote presentation at the Black Hat USA Convention 2014.
Just as everyday uses of converged cyber and physical devices continue to grow (just look at your smartphone), so do the uses of converged cyber and physical security technology. And so do the risks. One of the major debates at the cybersecurity conference this year was over vulnerability and breach reporting.
“I claim that policy matters are now the most important matters, that once a topic area, like cybersecurity, becomes interlaced with nearly every aspect of life for nearly everybody, the outcome differential between good policies and bad policies broadens, and the ease of finding answers falls,” Geer says, quoting H.L. Mencken: “For every complex problem there is a solution that is clear, simple, and wrong.”
For example, if a company is required to notify all stakeholders, customers and competitors about discovered vulnerabilities in their systems, it could help others become more prepared, or it could also alert malicious actors to the vulnerability. In terms of breaches, Geer’s recommendation is mandatory reporting, but with a severity threshold – if your breach affects X many people or contains Y information, you must publicly report it. But therein lies the problem with the current cybersecurity landscape – “mandatory.”
While the NIST Cybersecurity Framework, among other organizations’ best practices and guidance, gives many good suggestions for enterprises to develop cybersecurity policies, they’re just that – suggestions.
As Geer told reporters later, “People are willing to do it (mandatory reporting), so long as everybody else has to too.” That sort of universal cooperation would require legislation, which has been slow in coming.
Until then, panelists and experts offered some advice:
On Choosing Technology
Even when (or especially when) you have the might of the U.S. Government behind you, procurement can be a process littered with potential pitfalls. In a presentation on “Pulling Back the Curtain on Airport Security: Can a Weapon Get Past TSA?” Billy Rios, Director of Threat Intelligence for Qualys, revealed several security vulnerabilities within TSA equipment, which, by DHS regulations must meet identical, very specific requirements at every airport in the U.S.
However, regulations do not necessarily make technology secure – service passwords were still accessible on technology, and researchers were able to modify scanner images. According to Rios, “Trust, but verify the engineering.”
This was echoed in a seminar on penetration-testing Bring Your Own Device (BYOD) platforms, with the added advice of “Don’t deploy a solution unless you have a good business reason for it.”
What is Black Hat?
Now in its 17th year, Black Hat USA is part of a global information security event series, focusing on information security research, development and trends. The conferences include vendor-neutral briefings from security researchers, roundtable discussions, technical training courses and networking sessions. Black Hat USA 2015 is scheduled to run August 1-6, 2015 in Las Vegas.
On High-Profile Data Breaches
The Black Hat conference convened right after news broke of a Russian crime ring stealing 1.2 billion username and password combinations and more than 500 million email addresses.
“The attack surface is probably growing faster than we can cope with,” says Geer. So the top goal, and what enterprise security executives should aim for in security engineering, is “no silent failure.”
“Unless you have perfect knowledge, the absence of evidence is not the evidence of absence,” he adds.
On Radical Simplicity
Another of the problems discussed at the conference was the “fog of more.” As software, apps and analytics produce more and more data, with more and more options, and more and more capabilities, they inevitably produce more risk. According to Tony Sager, Chief Technologist and a founding member of the Council on CyberSecurity, “There are far too many, a near-infinite number, of claims and options… We’re drowning in this.”
He recommends using a threat model that is driven by data and translatable to action as part of a larger risk process, one that is reputable, dynamic, open and demonstrable.
Black Hat Founder and Director Jeff Moss recommends falling back to a system of “radical simplicity” – focusing all cybersecurity efforts around the key systems that are truly critical to the enterprise, making those systems as simple and secure as possible, stripping away all unnecessary functionalities to better protect the core processes. Everything outside of that core can remain as complex as it can be, in terms of function and depth, but users must also assume that it is not secured. “It’s a matter of acceptance. We just have to accept that everything is going to be compromised, and plan for that,” he says.
In a quest for convenience, complexity and technological advancement, “we have removed physical impediments to integrity,” he says.
And on the future of cybersecurity: “Freedom, Security, Convenience: Choose two,” says Geer.