11/12/2015
12:30 PM

Solving Security: If You Want Something New, Stop Doing Something Old

Black Hat Europe keynoter Haroon Meer tells security pros to work smarter, think out of the box, and speak out to the C-suite.

BLACK HAT EUROPE -- Amsterdam -- Black Hat Europe keynote speaker Haroon Meer, founder of Thinkst, took some shots at a few sacred security cows Thursday during the opening session at RAI Amsterdam. His presentation, “What Got You Here Won't Get You There,” exhorted hundreds of cyberdefenders in the audience to focus on what’s important in the many battles they face and, more importantly, ignore the distractions.

“Every day we seem to pump out more code, connect more machines, and collect more data than ever before,” he said. “Malicious actors have been making out like bandits and intelligence agencies have been owning (and pre-owning) the planet while your average large-company Infosec team is still struggling with the problems we knew about in the 90s.”

At the same time, corporate boards are becoming more involved in assuring people that everything is under control. But “the truth is,” Meer said, “they have very few answers; when it comes to the major breaks [in recent years] organizations have spent a lot of money and they just couldn’t stop them.”

Worse, only the largest companies -- the top 100 of the Fortune 500 -- have a “genuine shot” at ever successfully playing the game of cyber defense, he said. “After that, the rest are the ‘toasted 400’ and they don’t even know they’re toast?! Everyone I know understands that every attack going back to 2003 still works the same way.”

Meer, riffing on the popular 2007 self-help book by executive coach Marshall Goldsmith, noted several reasons for the current state of insecurity: the increasing complexity of the IT environment, the widespread availability of hacking tools in the mainstream, and the growing awareness of the value of data. “Even junior staff members know now that access matters,” he said, pointing to Julian Assange of WikiLeaks fame.

Meer was not without solutions. But first, he said, the industry has to throw away a lot of preconceived notions: “What you think helps, doesn’t. And worse, it’s probably harmful.” His list of the “wrong ways”:

Penetration testing: The industry performs them routinely, but it doesn’t seem to help, according to Meer. One reason, he said, is that pen testers don’t focus enough on important attack vectors -- for example, web browsers. But he also said the industry is overly dependent on pen tests “because they are easy. It feels like you are doing something and it delivers a result.”

Defining risk: “We have to stop referring to breaches in terms of numbers of records lost,” he said, noting that there is a “big difference between the loss of 80 million records at Anthem and a defense contractor losing the plans to a brand new fighter jet.”

Big Data: “More data won’t fix everything when we still cannot even connect the dots we have now.”

Choosing complexity over simplicity: “People want complexity when simple works,” he said, pointing to proven tools like honeypots and the Enhanced Mitigation Experience Toolkit. “Take the best of what you can find that will do the job you need to do.”

Saying “no” to new ideas: At Etsy, Meer said, management encourages security teams to think out of the box with “crazy ideas” and then to enable them. “What we need is to become solutions engineers, to focus on incident response and create, not buy, solutions,” he said.

Finally, Meer strongly advocated that security professionals become more social, visible, and vocal, and stop being the folks “in the corner.”

“Your job is to make management get it,” he said. “If you can’t do that, then you should change jobs because either they’ll never get it, or you’ll never break through.”

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
