Topics that are top of mind for the week ending Aug. 12 (Black Hat Special Edition) | The Black Hat USA conference returned to Las Vegas this week to celebrate its 25th anniversary, as thousands of security pros gathered in the desert to get wiser about critical challenges, including cloud security, software supply chain risks, ransomware and the rampant burnout and stress among their ranks. Here’s what caught our attention at the event.

A look back and a look ahead

In the opening keynote, “Black Hat at 25: Where Do We Go from Here?,” Chris Krebs addressed thorny questions facing the cybersecurity industry and community: Why are things so bad right now? Will it get worse? What can be done about it?

Here’s a sampling of points made by Krebs, founding partner at the Krebs Stamos Group and former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA):

Tech products are insecure by design because security considerations take a back seat to features and capabilities, and security is seen as “friction” that slows down development and innovation.
Unsafe products, distributed computing and myriad connected devices make managing risk extremely complicated, as evidenced by the difficulty in securing the cloud.
Businesses often prioritize efficiency over security when choosing what technology products to adopt, because many CEOs still don’t equate cyber risk with business risk.
Businesses also must do long-term planning, looking ahead not two quarters but rather years into potential threats, including geopolitical conflicts that could impact their IT environments.
While security vendors try to address existing and emerging threats, it’s a challenge for them to keep up the necessary pace as the attack surface expands.
The U.S. government must do better on various fronts:

Issue smarter – not more – cybersecurity regulations that focus on attaining desired outcomes.
Manage its systems better as a user and buyer of technology.
Rethink how it’s structured to deal with digital risk management – moving CISA out of DHS could be a step – because right now the government moves too slowly and is too difficult to work with.

This overall scenario plays into the hands of cybercriminals, allowing them to jump on a growing number of diverse opportunities to do damage. However, Krebs has hope that things can get better if all the parties involved do their part to address the critical obstacles hampering cybersecurity efforts. He specifically called on Black Hat attendees to step up to the challenge.

“Ultimately, it’s going to come down to the people in this room,” he said. “It’s going to take us as leaders to make the changes that we want to see.”

Supply chain, cloud security among infosec pros’ biggest concerns

Black Hat surveyed 180 current and past conference attendees earlier this year about what worries them the most, and supply chain risk and cloud security were among the top current and future concerns, along with phishing and direct sophisticated attacks.

Regarding the supply chain threat, which has gained steam in the past two years with the SolarWinds breach and the massive Log4j flaw, respondents are most concerned about vulnerabilities affecting:

Cloud or network services supplied by third-party providers
Systems, apps or networks maintained by contractors, suppliers, and customers
Off-the-shelf software or systems purchased from third parties
Commercial software or cloud services using insecure open source components
The internet or network connections that link their systems to customers and suppliers

With regard to the cloud, the report notes a disparity between respondents’ high level of concern and their relatively low adoption of cloud security technologies, including:

Cloud permissions management – implemented by 35% of respondents
Cloud security posture management – 31%
Cloud-native application protection platform – 20%
Cloud workload protection platform – 16%

Why is this? The report ventures that it may be less about rejecting the technology “and more about the fact that security professionals are not interested in standalone tools” and would be more inclined to adopt new security features if they’re part of a broader security platform.

To dig into all the details, check out the report, which also includes interesting findings on ransomware, burnout, disinformation attacks, budget and staffing issues, and critical infrastructure security.

Behind the scenes: The CSRB’s Log4j report

Black Hat attendees got an insider’s view of the process to create the Cyber Safety Review Board’s (CSRB) much-discussed “post mortem” report about the Log4j vulnerability’s discovery.

Two board members revealed, among many other things, that they were pleasantly surprised at the level of cooperation they found when they reached out to private businesses, governments, open source software foundations and vendors.

“Overall it was really good to see 80 different stakeholders being willing to come to the table with us, speak with us, get data – that was remarkable,” said Robert Silvers, Chair of the CSRB and Undersecretary for Policy at the U.S. Department of Homeland Security.

For example, it was surprising that the Chinese government answered the board’s call and shared its findings and insights into Log4j.

“It’s a testament to the appetite people have to get the facts out there and to pull this kind of information together in a way where everybody can trust the facts – or at least trust they have been deeply looked at,” said Heather Adkins, Deputy CSRB Chair and VP of security engineering at Google.

Other interesting issues that came up:

The board determined that after Alibaba discovered the vulnerability, it followed the established, correct process for notifying The Apache Foundation. However, the existence of the flaw probably became public prematurely because Apache, as is common in the open source community, began fixing it in a public repository, albeit quietly, and the work apparently was noticed. A question on the table is how to prevent this scenario from repeating itself.

The board fully supports the concept of the software bill of materials (SBOM), but recognizes these products need to be further developed to truly realize their promise of providing granular, precise visibility into all the components of a piece of software.

There should be incentives and resources aimed at boosting the security knowledge and capabilities of open source developers, so that the code they write becomes safer.

A compassionate approach to employee security awareness

It’s a constant source of concern and frustration among security teams: Despite frequent security awareness training, employees continue to act dangerously, clicking on shady email links, re-using passwords, downloading suspicious apps and the like.

What to do? Change your approach, says Kyle Tobener, head of security at DevOps startup Copado. He shared an alternative way based on harm reduction and compassion, instead of on rigid rules and scare tactics.

“My goal is very simple: To help you give better security guidance,” he said during his presentation.

Instead of seeking to reduce risky behavior by forbidding certain actions, Tobener suggests focusing on the outcome of the unwanted behavior and engaging employees in ways to shrink its negative consequences.

Risky behavior can’t be fully eradicated because it has strong incentives attached to it, such as the convenience of password reuse or the fun of downloading and using a gaming app.

Harm reduction has worked successfully in healthcare for decades – an example being needle exchange programs that helped curb the spread of HIV among intravenous drug users, while tactics like stigmatization and shaming fell short.

Tobener’s three maxims:

Accept that risk-taking behaviors aren’t going away.
Prioritize reduction of negative consequences.
Embrace compassion while providing guidance.

Tenable at Black Hat

As always, Tenable had a strong presence at Black Hat, starting with its position as a Sustaining Partner of the event and dazzling everyone on the show floor with the coolest booth, complete with snowfalls, a vodka luge, mountain-climbing bots, goofy yetis and much more.

Speakers

Tenable’s Chief Product Officer Nico Popp explained how continuous threat exposure management helps security teams prevent attacks via a better understanding of their attack surface exposure. Benefits include anticipating the consequences of a cyber attack, accurately assessing how secure you are, and prioritizing efforts to reduce your risk.

Meanwhile, Tenable’s Senior Director of Product Management Shantanu Gattani spoke about the proper way to do vulnerability management (VM) in the cloud, saying that security teams must assess both their cloud configurations and what’s running in the cloud – a unification of cloud security posture management and VM.

Product announcement

Tenable chose Black Hat to announce the latest enhancements to the Tenable.cs cloud security product, unifying cloud security posture and VM in a single, 100% agentless solution from build to runtime. More details in this blog post.

Black Hat quick takes

Here’s a roundup of articles and blogs about Black Hat, to give you a broader perspective on the conference. Happy reading!

Looking Back at 25 Years of Black Hat (Dark Reading)
Black Hat USA 2022 video walkthrough (Help Net Security)
Google’s Android Red Team Had a Full Pixel 6 Pwn Before Launch (Wired)
One of 5G’s Biggest Features Is a Security Minefield (Wired)
Researcher Hacks Starlink Terminal to Warn SpaceX of Dangerous Flaws (Gizmodo)