Black Hat Handed CIOs Plenty to Think About
The Black Hat hacker conference saw nearly 8,000 digital security pros talking, hacking and holding press briefings on the latest security holes in the corporate armor.
Smartphones were hacked and demonstrated to act as secret recorders relaying your conference room discussions to outside listeners. Sensors running in manufacturing plants and on oil pipelines were remotely hacked and ordered to shut down. WiFi networks were compromised and had all their traffic redirected as users' browsing habits and passwords were stolen.
These were just demonstrations on a stage, but the message was clear: The new era of smartphones and the Internet of Things can be a dangerous place to do business. It is enough to make a CIO long for the days when the biggest security threats were passwords written on sticky notes attached to computer monitors or the “Stoned” virus that made PC screens images jiggle.
While the new threats are real—although at times overblown as the white hat hacker economy depends on a questionable relation between hackers wanting to turn their digital cracking prowess into a business and vendors who want to keep bad publicity to a minimum—CIOs and corporate technology execs need to focus on the big security picture rather than sink into a morass of fixing every new vulnerability. Here are some lessons learned from attending this year’s Black Hat conference.
The expanding digital world means expanding digital danger. Smartphones, sensor-based networks and new computing devices create new, mobile business opportunities but also new vulnerabilities. Vendors tend to talk up the opportunities more than the risks. But CIOs need to perform a risk assessment for each new round of devices joining the corporate network. The central security role belongs with the CIO and is a good reason why new technologies should require a centralized approval process.
Creating a security process is more important than buying the latest security product. The discovery of security holes and vendors offering fixes is a continuous loop. Creating a process where security is part of the daily, weekly and annual technology evaluation and investment is difficult when you are rushing about trying to patch the latest leak, but it is the only way to get out of the race.
Cloud computing is a permanent piece of the enterprise infrastructure. Customers are evaluating whether or not to build their own cloud, mixing private clouds with outside public clouds or moving entirely to the public cloud. Every customer has to find their own solution.
While much of the cloud discussion centers on costs, that is the wrong tack. Customers also need to include cloud security in their deliberations. The range of cloud security offerings is as wide as the assortment of cloud infrastructure offerings, and should be evaluated and tested.
Taking some time to make sure you and your users are applying the privacy and security settings already included in products is a good place to start. While advanced digital criminal organizations are indeed a real and growing problem, a lot of corporate leaks still take place because users (even IT administrators) employ easily guessed passwords, don’t use mobile security dual authentication procedures, or don’t change passwords and security settings regularly. This all falls into the category of making sure you lock down your stuff with the current tools available.
The year’s Black Hat and DEF CON represented a community in turmoil. The careful ballet between hackers and government officials was upset by the National Security Agency surveillance leaks. Vendors are more frequently bypassing the public leak revelation process and providing bounties for hackers to find weaknesses in their products.
Meanwhile, hackers also have to keep up with the new products and services out there. Knowing a lot about hacking personal computers is not much in demand when that market has gone mobile. How this turmoil will play out is still in process, but customers and CIOs need to look at those trends and consider how their companies should react.
Eric Lundquist is a technology analyst at Ziff Brothers Investments, a private investment firm. Lundquist, who was editor-in-chief at eWEEK (previously PC WEEK) from 1996-2008, authored this article for eWEEK to share his thoughts on technology, products and services. No investment advice is offered in this article. All duties are disclaimed. Lundquist works separately for a private investment firm, which may at any time invest in companies whose products are discussed in this article and no disclosure of securities transactions will be made.