Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Cybersecurity News

Cybersecurity

The Hunt for Cybersecurity Solutions at Black Hat 2014

“Freedom, Security, Convenience: Choose Two”

Black Hat logo
October 20, 2014
Dan Geer, CISO for In-Q-Tel, delivers his keynote on "Cybersecurity as Realpolitik" to Black Hat USA 2014 attendees.

Dan Geer, CISO for In-Q-Tel, delivers his keynote on “Cybersecurity as Realpolitik” to Black Hat USA 2014 attendees. This year’s conference drew more than 9,000 attendees and 180 speakers.  Photo courtesy of Black Hat USA

With the nature of security quickly evolving to encompass both physical and cybersecurity at its very core, software manufacturers and security experts are finding themselves in a precarious situation – balancing between what is required and what is needed.

“Convergence is an inevitable consequence of the very power of cyberspace in and of itself…. The power that is growing in the Net, per se, will soon surpass the ability of our existing institutions to modify it in any meaningful way,” says Dan Geer, CISO for In-Q-Tel, a not-for-profit investment firm that looks to invest in technology supporting the missions of the CIA and the U.S. intelligence community, during his keynote presentation at the Black Hat USA Convention 2014.

Just as everyday uses of converged cyber and physical devices continue to grow (just look at your smartphone), so do the uses of converged cyber and physical security technology. And so do the risks. One of the major debates at the cybersecurity conference this year was over vulnerability and breach reporting.

“I claim that policy matters are now the most important matters, that once a topic area, like cybersecurity, becomes interlaced with nearly every aspect of life for nearly everybody, the outcome differential between good policies and bad policies broadens, and the ease of finding answers falls,” Geer says, quoting H.L. Mencken: “For every complex problem there is a solution that is clear, simple, and wrong.”

For example, if a company is required to notify all stakeholders, customers and competitors about discovered vulnerabilities in their systems, it could help others become more prepared, or it could also alert malicious actors to the vulnerability. In terms of breaches, Geer’s recommendation is mandatory reporting, but with a severity threshold – if your breach affects X many people or contains Y information, you must publicly report it. But therein lies the problem with the current cybersecurity landscape – “mandatory.”

While the NIST Cybersecurity Framework, among other organizations’ best practices and guidance, gives many good suggestions for enterprises to develop cybersecurity policies, they’re just that – suggestions.

As Geer told reporters later, “People are willing to do it (mandatory reporting), so long as everybody else has to too.” That sort of universal cooperation would require legislation, which has been slow in coming.

Until then, panelists and experts offered some advice:

On Choosing Technology

Even when (or especially when) you have the might of the U.S. Government behind you, procurement can be a process littered with potential pitfalls. In a presentation on “Pulling Back the Curtain on Airport Security: Can a Weapon Get Past TSA?” Billy Rios, Director of Threat Intelligence for Qualys, revealed several security vulnerabilities within TSA equipment, which, by DHS regulations must meet identical, very specific requirements at every airport in the U.S.

However, regulations do not necessarily make technology secure – service passwords were still accessible on technology, and researchers were able to modify scanner images. According to Rios, “Trust, but verify the engineering.”

This was echoed in a seminar on penetration-testing Bring Your Own Device (BYOD) platforms, with the added advice of “Don’t deploy a solution unless you have a good business reason for it.”

What is Black Hat?

Now in its 17th year, Black Hat USA is part of a global information security event series, focusing on information security research, development and trends. The conferences include vendor-neutral briefings from security researchers, roundtable discussions, technical training courses and networking sessions. Black Hat USA 2015 is scheduled to run August 1-6, 2015 in Las Vegas.

On High-Profile Data Breaches

The Black Hat conference convened right after news broke of a Russian crime ring stealing 1.2  billion username and password combinations and more than 500 million email addresses.

“The attack surface is probably growing faster than we can cope with,” says Geer. So the top goal, and what enterprise security executives should aim for in security engineering, is “no silent failure.”

“Unless you have perfect knowledge, the absence of evidence is not the evidence of absence,” he adds.

On Radical Simplicity

Another of the problems discussed at the conference was the “fog of more.” As software, apps and analytics produce more and more data, with more and more options, and more and more capabilities, they inevitably produce more risk. According to Tony Sager, Chief Technologist and a founding member of the Council on CyberSecurity, “There are far too many, a near-infinite number, of claims and options… We’re drowning in this.”

He recommends using a threat model that is driven by data and translatable to action as part of a larger risk process, one that is reputable, dynamic, open and demonstrable.

Black Hat Founder and Director Jeff Moss recommends falling back to a system of “radical simplicity” – focusing all cybersecurity efforts around the key systems that are truly critical to the enterprise, making those systems as simple and secure as possible, stripping away all unnecessary functionalities to better protect the core processes. Everything outside of that core can remain as complex as it can be, in terms of function and depth, but users must also assume that it is not secured. “It’s a matter of acceptance. We just have to accept that everything is going to be compromised, and plan for that,” he says.

In a quest for convenience, complexity and technological advancement, “we have removed physical impediments to integrity,” he says.

 And on the future of cybersecurity:  “Freedom, Security, Convenience: Choose two,” says Geer.  

KEYWORDS: Black Hat cybersecurity litigation data breach radical simplicity cybersecurity

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Homeland Security Deputy Secretary Jane Holl Lute at the Black Hat Conference: “Commonalities between Cyberspace and Homeland Security”

    See More
  • Black Hat USA

    Black Hat USA Announces Briefings and Programs for 2020 Virtual Event

    See More
  • It’s a Black Hat Day with All the Black News that Goes with It

    See More

Related Products

See More Products
  • 150 things.jpg

    The Handbook for School Safety and Security

  • Physical-Security-and-Safet.gif

    Physical Security and Safety: A Field Guide for the Practitioner

  • databasehacker

    The Database Hacker's Handboo

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing