Black Hat, DEF CON Founder Offers Insight Into Security Shows, Trends
Q: What are one or two of the most common security issues you are asked to help solve?

A: There's sort of two modes of consulting: One is management consulting, when I'm asked: 'Here's what we're doing; do you think we're doing the right thing? What should we be doing? How should we think of risk? How should we think of cyber insurance? How much emphasis do we put on training versus buying products?' The normal business-reality check. Or it's more of a crisis mode, after the fact. 'We've had an incident; help us with hacks; help us find the things that were stolen; help us get the right incident-response team; help us put out the fires,' essentially. It's either much more calm and serene, or much more immediate and on fire.

Q: I have to ask you this question: Will we, as enterprises, individuals, organizations and security vendors, ever get to the point where we can stop the hackers cold and protect our data completely?

A: No. I don't think so, but I don't think that's the measure we should be using; 100 percent security is not achievable, so you don't want to be telling people that's a valid goal, because otherwise you're setting yourself up for failure. My dad was a doctor, and he didn't go into medicine thinking he was going to cure cancer. If he told himself that, he'd go crazy. As security people, we should not be saying we should solve security, because we're not. But what we should do is constantly work towards making things better. You know what? I would take 80 percent security, because that means we can focus our attention on that 20 percent. I don't want to take really smart people and focus on 100 percent, because we're diluting ourselves. We're sort of at the beginning of a stage here, with machine learning, more automated processes, certain things we have centralized in a SaaS or cloud environment, where you can start getting economies of scale, where you can start learning from other sensors. I think in the next four or five years we'll be flushing out the bulk of the crap (security), and that will leave us with the more challenging, interesting stuff. At least that's what I hope. I hate having to focus on the same mundane stuff year after year after year -- let's move the needle a bit -- and I think we're starting to see that with machine learning.

Q: Do you still interact with hackers a lot?

A: Depends on what you mean by "hackers." If you mean computer criminals, no, I don't hang out with a lot of computer criminals. If you mean old-school hackers, then yeah, all the time.

Q: What's your experience interacting with a nation-state or organized crime syndicate?

A: Normally, if it's a nation-state, you don't know it's a nation-state. They'll always pretend they're somebody that they're not. They work for a company, a different government than the one they're really with. They often ask general questions, essentially like a reporter -- like they're trying to get advice on where you see things going. They also sniff around and see if you're available to do work. Organized crime used to reach out years ago, but organized crime now has their own budgets, their own training, their own infrastructure -- they haven't had to come to the security community or hacking community to get talent for a long time. In the early days, it was interesting; they (the crime syndicates) would throw parties and try to recruit you, and then you'd stop and think, 'Wait a minute, who's paying for this, what's going on?' But then again, you really don't know -- for all you know, it was an FBI sting.

Q: One last question: Tell me something I don't know about Internet security that I probably should know.

A: Okay. If someone takes a picture of your keys, they can make a copy of your keys.

Q: Good to know.

A: Indeed.