Operations

11/12/2015 12:30 PM
Solving Security: If You Want Something New, Stop Doing Something Old

Black Hat Europe keynoter Haroon Meer tells security pros to work smarter, think out of the box, and speak out to the C-suite.

BLACK HAT EUROPE -- Amsterdam -- Black Hat Europe keynote speaker Haroon Meer, founder of Thinkst, took some shots at a few sacred security cows during Thursday's opening session at RAI Amsterdam. His presentation, “What Got You Here Won't Get You There,” exhorted hundreds of cyberdefenders in the audience to focus on what’s important in the many battles they face and, more importantly, to ignore the distractions.

“Every day we seem to pump out more code, connect more machines, and collect more data than ever before," he said. "Malicious actors have been making out like bandits and intelligence agencies have been owning (and pre-owning) the planet while your average large-company Infosec team is still struggling with the problems we knew about in the 90s.”

At the same time, corporate boards are becoming more involved in assuring people that everything is under control. But “the truth is,” Meer said, “they have very few answers; when it comes to the major breaks [in recent years] organizations have spent a lot of money and they just couldn’t stop them.”

Worse, only the largest companies -- the top 100 of the Fortune 500 -- have a “genuine shot” at ever successfully playing the game of cyber defense, he said. “After that, the rest are the ‘toasted 400’ and they don’t even know they’re toast?! Everyone I know understands that every attack going back to 2003 still works the same way.”

Meer, riffing on the popular 2007 self-help book by executive coach Marshall Goldsmith, noted several reasons for the current state of insecurity: the increasing complexity of the IT environment, the widespread availability of hacking tools in the mainstream, and the growing awareness of the value of data. “Even junior staff members know now that access matters,” he said, pointing to Julian Assange of WikiLeaks fame.

Meer was not without solutions. But first, he said, the industry has to throw away a lot of preconceived notions: “What you think helps, doesn’t. And worse, it’s probably harmful." His list of the “wrong ways”:

Penetration testing: The industry performs them routinely, but it doesn’t seem to help, according to Meer. One reason, he said, is that pen testers don’t focus enough on important attack vectors -- for example, web browsers. But he also said the industry is overly dependent on pen tests “because they are easy. It feels like you are doing something and it delivers a result.”

Defining risk: “We have to stop referring to breaches in terms of numbers of records lost,” he said, noting that there is a “big difference between the loss of 80 million records at Anthem and a defense contractor losing the plans to a brand new fighter jet.”

Big Data: “More data won’t fix everything when we still cannot even connect the dots we have now.”

Choosing complexity over simplicity: “People want complexity when simple works,” he said, pointing to proven tools like honeypots and Microsoft's Enhanced Mitigation Experience Toolkit (EMET). “Take the best of what you can find that will do the job you need to do.”

Saying “no” to new ideas: At Etsy, Meer said, management encourages security teams to think out of the box with “crazy ideas” and then enables them. “What we need is to become solutions engineers, to focus on incident response and create, not buy, solutions,” he said.

Finally, Meer strongly advocated that security professionals become more social, visible, and vocal, and stop being the folks “in the corner.”

“Your job is to make management get it," he said. “If you can’t do that, then you should change jobs because either they’ll never get it, or you’ll never break through.”

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...
