Black Hat Organizer Touts Value of Publicizing Cyber-Security Research

As the threat landscape evolves, researchers discussing their latest research and exposing vulnerabilities help organizations become more aware, a Black Hat organizer said.

LAS VEGAS - The threat landscape is increasingly sophisticated, complex and volatile, but there are some promising trends on how organizations are meeting the threat, a Black Hat organizer said as he kicked off the annual security conference.

Organizations and international governments are now more aware of the necessity of cyber-security and are exerting a more concerted effort to protect core Internet infrastructure, Black Hat founder and director Jeff Moss said as he welcomed attendees to the conference in Las Vegas Aug. 3. This change could be attributed partially to researchers who publicize their security findings, Moss said.

"The researchers are always talking publicly about this, they are some of the few people who are actually talking out loud about what's going on," he said.

Historically, Black Hat was a good "proxy for a crystal ball" that revealed the "interesting things that will happen in the future," according to Moss. Organizations would say, "If that's what they're doing now, I probably should be doing something about that," Moss said.

The topics covered at Black Hat often are an accurate indicator of the kinds of exploits and threats that may be coming down the road, he said.

"Stories and talks that happen at Black Hat affected the world later," Moss said, adding, "We have this great mirror" into the types of security trends that people are paying attention to.

The increased awareness also meant security was being discussed by senior executives much earlier in the decision-making process, Moss said. It was easier for security professionals to make the case for security to the executive level since CIOs and CEOs were aware of and nervous about what could happen.

"You've got more than enough stories now to explain to your management how (security) can be a business enabler," Moss said, referring to the recent string of data breaches.

Organizations talking about security sooner in the process have more control over how it's implemented. "If you involve us in the decision-making process we can help you. If you only call us when the house is on fire, you have much fewer options," Moss said.

The U.S. government was also increasing international collaboration on cyber-security issues, which would help make the Internet safer for everyone, Moss said. If other international governments followed suit and published a policy document similar to the Department of Defense's Cyber-Security Strategy, then they could all start working together on "commonalities," according to Moss.

For example, if governments agree on definitions and tactics, they can work together to stop organized crime, phishing and money laundering, Moss said.

Vendors were also reacting deliberately and "intelligently" when a security vulnerability was discovered in one of their products, Moss said, noting that was a sign the software industry was maturing. "They don't have that knee-jerk reaction so much when someone points out a flaw in one of their products," Moss said.

Organizations are also taking steps to protect core infrastructure by adding security features such as DNSSEC to secure online traffic. The eventual IPv6 upgrade will also bolster overall security, Moss said.

Launched as a vendor-neutral alternative to industry security conferences 15 years ago, Black Hat attracted more than 8,000 researchers and security professionals, according to organizers. The more technical and edgy DEFCon follows a week of Black Hat training sessions and briefings. DEFCon begins Aug. 5.