As the threat landscape evolves, researchers discussing their latest research and exposing vulnerabilities help organizations become more aware, a Black Hat organizer said.
LAS VEGAS - The threat landscape is increasingly sophisticated,
complex and volatile, but there are some promising trends on how
organizations are meeting the threat, a Black Hat organizer said as he
kicked off the annual security conference.
Organizations and international governments are now more aware of the
necessity of cyber-security and are exerting a more concerted effort to
protect core Internet infrastructure, Black Hat founder and director
Jeff Moss said as he welcomed attendees to the conference in Las Vegas
Aug. 3. This change could be attributed partially to researchers who
publicize their security findings, Moss said.
"The researchers are always talking publicly about this, they are some
of the few people who are actually talking out loud about what's going
on," he said.
Historically, Black Hat was a good "proxy for a crystal ball" that
revealed the "interesting things that will happen in the future,"
according to Moss. Organizations would say, "If that's what they're
doing now, I probably should be doing something about that," Moss said.
The topics covered at Black Hat often are an accurate indicator of the
kinds of exploits and threats that may be coming down the road, he said.
"Stories and talks that happen at Black Hat affected the world later,"
Moss said, adding, "We have this great mirror" into the types of
security trends that people are paying attention to.
The increased awareness also meant security was being discussed by
senior executives much earlier in the decision-making process, Moss
said. It was easier for security professionals to make the case for
security to the executive level since CIOs and CEOs were aware of and
nervous about what could happen.
"You've got more than enough stories now to explain to your management
how (security) can be a business enabler," Moss said, referring to the
recent string of data breaches.
Organizations talking about security sooner in the process have more
control over how it's implemented. "If you involve us in the
decision-making process we can help you. If you only call us when the house is
on fire, you have much fewer options," Moss said.
The U.S. government was also increasing international collaboration on
cyber-security issues, which would help make the Internet safer for
everyone, Moss said. If other international governments followed suit
and published a policy document similar to the Department of Defense's
Cyber-Security Strategy, then they can all start working together on
"commonalities," according to Moss.
For example, if governments agree on definitions and tactics, they can
work together to stop organized crime, phishing and money laundering,
Vendors were also reacting deliberately and "intelligently" when a
security vulnerability was discovered in one of their products, Moss
said, noting that was a sign the software industry was maturing. "They
don't have that knee-jerk reaction so much when someone points out a
flaw in one of their products," Moss said.
Organizations are also taking steps to protect core infrastructure by
adding security features such as DNSSEC to secure online traffic. The
eventual IPv6 upgrade will also bolster overall security, Moss said.
Launched as a vendor-neutral alternative to industry security
conferences 15 years ago, Black Hat attracted more than 8,000
researchers and security professionals, according to organizers. The
more technical and edgy DEFCon follows a week of Black Hat training
sessions and briefings. DEFCon begins Aug. 5.