Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/12/2015
12:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Solving Security: If You Want Something New, Stop Doing Something Old

Black Hat Europe keynoter Haroon Meer tells security pros to work smarter, think out of the box, and speak out to the C-suite.

BLACK HAT EUROPE -- Amsterdam --  Black Hat Europe keynote speaker Haroon Meer, founder of Thinkst, took some shots at a few sacred security cows Thursday during the opening session at RAI Amsterdam Thursday. His presentation, “What Got You Here Won't Get You There,” exhorted hundreds of cyberdefenders in the audience to focus on what’s important in the many battles they face and, more importantly, ignore the distractions.

“Every day we seem to pump out more code, connect more machines, and collect more data than ever before," he said. "Malicious actors have been making out like bandits and intelligence agencies have been owning (and pre-owning) the planet while your average large-company Infosec team is still struggling with the problems we knew about in the 90s.”

At the same time, corporate boards are becoming more involved in assuring people that everything is under control.  But “the truth is,” Meers said, “they have very few answers; when it comes to the major breaks [in recent years] organizations have spent a lot of money and they just couldn’t stop them.”

Worse, only the largest companies -- the top 100 of the Fortune 500 -- have a “genuine shot” at ever successfully playing the game of cyber defense, he said. “After that, the rest are the "toasted 400” and they don’t even know they’re toast?!  Everyone I know understands that every attack going back to 2003 still works the same way.”

Meer, riffing on the popular 2007 self-help book by executive coach Marshall Goldsmith, noted several reasons for the current state of insecurity: the increasing complexity of the IT environment, the widespread availability of hacking tools in the mainstream, and the growing awareness of the value of data. “Even junior staff members know now that access matters,” he said pointing to Julian Assange of WikiLeaks fame.

Meer was not without solutions. But, first he said the industry has to throw away a lot of pre-conceived notions: “What you think helps, doesn’t. And worse, it’s probably harmful." His list of the “wrong ways”:

Penetration testing: The industry performs them routinely, but it doesn’t seem to help, according to Meer. One reason is because he said pen testers don’t focus enough on important attack vectors -- for example, web browsers. But he also said the industry also is overly dependent on pen tests “because they are easy. It feels like you are doing something and it delivers a result.”

Defining risk: “We have to stop referring to breaches in terms of numbers of records lost,” he said, noting that there is a “big difference between the loss of 80 million records at Anthem and a defense contractor losing the plans to a brand new fighter jet.”

Big Data: “More data won’t fix everything when we still cannot even connect the dots we have now.”

Choosing complexity over simplicity: “People want complexity when simple works,” he said pointing to proven tools like honeypots and The Enhanced Mitigation Experience Toolkit. “Take the best of what you can find that will do the job you need to do.”

Saying “no” to new ideas.  At Etsy, Meer said that management encourages security teams to think out of the box with “crazy ideas” and then to enable them. “What we need is to become solutions engineers, to focus on incident response and create not buy solutions,” he said.

Finally Meers strongly advocated that security professionals become more social, visible, and vocal; to stop being the folks “in the corner.”  

“Your job is to make management get it," he said. “If you can’t do that, then you should change jobs because either they’ll never get it, or you’ll never break through.”

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.