Black Hat 2018: Everything You Know About Infosec Is Wrong
Yeah, well, you know, that's just like, uh, your opinion, man. - The Big Lebowski
The lively Duo-sponsored debate broke through the FUD, with opinionated security professionals bantering and buzzing on current issues in the information security industry. The panel included:
- Wendy Nather, Director of Advisory CISO, Duo Security (also moderator)
- Dave Lewis, Advisory CISO, Duo Security
- Steve Manzuik, Director of Security Research, Duo Security
- Katie Moussouris, Founder & CEO of Luta Security
- Ian Amit, Chief Security Officer, Cimpress
- Mike Rothman, President, DisruptOPS and Securosis
- Rachel Tobac, CEO, SocialProof Security
- Jayson E. Street, VP of InfoSec at SphereNY, DCG Global Ambassador
Defense vs. Offense
When it came to the defense vs. offense theme of Black Hat 2018, the question was how to sell defense - how to make protecting corporate data appealing, since breaking code and systems is more fun.
To Wendy’s point, if you’re not sitting in a conference room across from an auditor, you’re not doing real defense. Ian agrees that any consultant that hasn’t practiced defense is worthless.
The panelists also tackled the question of the evolution of the infosec industry - Jayson claimed it’s not the fault of technology; it’s more the practitioners who are looking for the newest blinking box instead of tackling what our real issues are.
As security people, we need to talk to business people to help them better understand security, build relationships and bake security capabilities into the core stacks that other IT groups, like DevOps, are building.
In a discussion about bug bounties (which nearly all panelists agreed are overhyped), Katie stated that organizations are moving away from baking security in to using pentesting (an offensive tactic) to manage risk. As Jayson put it, “You’re asking me to rob your house, and you didn’t build the walls yet,” regarding a company with no segmentation in place that asked him to conduct a pentest.
Wendy noted that so much of the industry is offense, with the attitude that we can fix issues individually, while really it’s a communal problem we need to solve. Fixing problems at scale requires influencing an entire organization to make that fix, and we must work nicely with other teams to ensure that happens.
The conversation shifted to the security marketing theater of producing logos, websites and PR campaigns for the latest vulnerabilities - are they hurting or helping the infosec cause?
The general consensus was that vulnerability logos, while useful for getting attention, aren’t a replacement for severity scoring with the overlay of your actual threat model, as Katie said. With 40 new Common Vulnerabilities and Exposures (CVEs) released daily, this can contribute to bug fatigue. Likewise, Steve agreed that the logos and attention garnered for vulnerabilities can mistakenly translate to the severity of the bug, which isn’t always the case.
“Everyone needs to chill the f--- out about patching,” said Wendy. Less than two percent of CVEs had ever been exploited in the wild - which raises the question of what portion of CVEs are actually worth patching.
It’s important to demonstrate how the threat affects or is relevant to your company or product with the use of a proper red team, according to Ian. Katie stated that executives don’t actually think it’s a threat, even when pentesters prove it is, and that random patching is better than having a patch strategy.
Plus, from an attacker perspective, they’re not likely to burn through exploits of CVEs if they can just use a phishing attack to gain access to your company, said Steve. Rachel agreed it’s important to understand the realistic threats associated with the vulnerabilities, beyond the logos.
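The prioritization the panel is describing (severity scored against your own threat model, with evidence of exploitation in the wild counting for more than logo attention) can be sketched as a small scorer. This is an added illustration, not code from the panel, Duo or any of the panelists' companies; the CVE identifiers, CVSS values, exposure categories, weights and tier thresholds are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve_id: str              # placeholder identifiers, not real CVEs
    cvss: float              # base severity, 0.0-10.0
    exploited_in_wild: bool  # evidence the bug is actually being used
    asset_exposure: str      # "internet", "internal" or "isolated", from the threat model
    has_logo: bool           # marketing attention; deliberately ignored by the score

# Hypothetical weights: how reachable the affected asset is in our environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.2}

# Hypothetical boost for confirmed exploitation: a moderate bug that is being
# exploited should outrank a critical one nobody is using.
EXPLOITED_BOOST = 4.0

def priority_score(f: Finding) -> float:
    """Overlay the base severity with threat-model context."""
    score = f.cvss * EXPOSURE_WEIGHT[f.asset_exposure]
    if f.exploited_in_wild:
        score += EXPLOITED_BOOST
    return round(min(score, 14.0), 2)

def tier(f: Finding) -> str:
    """Map the score to an action; thresholds are constructed, tune to your own risk appetite."""
    s = priority_score(f)
    if s >= 9.0:
        return "patch now"
    if s >= 5.0:
        return "next cycle"
    return "track"

def rank(findings: list[Finding]) -> list[Finding]:
    """Highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample: a "logo" critical bug on an isolated box, a less severe
# but actively exploited bug on an internet-facing host, and some filler.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-CVE-1", 9.8, False, "isolated", True),
    Finding("EXAMPLE-CVE-2", 7.5, True, "internet", False),
    Finding("EXAMPLE-CVE-3", 9.8, False, "internet", False),
    Finding("EXAMPLE-CVE-4", 5.3, False, "internal", False),
    Finding("EXAMPLE-CVE-5", 6.5, True, "internal", False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.cve_id:14} score={priority_score(f):5}  {tier(f)}  logo={f.has_logo}")
```

Run on the sample, the exploited, internet-facing EXAMPLE-CVE-2 lands first and the logo'd critical on an isolated host drops to the bottom, which is the point Katie and Steve were making: the attention a bug gets says nothing about where it sits in your queue.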
Users = Humans
When asked what problem was the most overhyped or one they were sick of hearing about, Rachel responded, “Humans are the weakest link.” In fact, they’re your first line of defense.
If you treat users like a liability, they will be a liability. There’s a problem with how infosec approaches, treats and trains employees. If we don’t tell them what the possible repercussions are, users won’t respect or take security responsibilities seriously, said Jayson.
But Katie and Wendy argue that the infosec industry is putting too much of the burden on users to make up for bad security systems. Users of a system don’t need to care about how it works; infosec people need to make infrastructure and systems seamless enough for non-tech-savvy people to still be secure.
Mike took the middle ground, claiming that the answer is both - we don’t need to choose between educating users and being secure enough without human intervention.
Jayson and Rachel also advocated for teaching users personal infosec that affects their own lives, which can translate to being more security conscious at work. Another tactic is putting people in the shoes of an attacker, allowing them to craft phishing emails or find ways to hack their own team.
Watch the entirety of the debate below (and be forewarned, some strong language is indeed used by some members of the panel ;P):