Black Hat: Everyone Has a Part to Play in Cybersecurity
(Pictured above: Square’s Dino Dai Zovi on stage at Black Hat USA 2019 in Las Vegas, Aug. 7.)
BLACK HAT USA — Organizations will be better prepared to defend themselves against cybercriminals if security teams include software developers and others in the fight.
That was the message conveyed Wednesday by keynoter Dino Dai Zovi, Square’s mobile security lead, at this week’s Black Hat USA 2019 conference in Las Vegas. In its 23rd year, the conference has drawn a record 19,000-plus attendees.
Jeff Moss, Black Hat founder and director, told attendees 112 countries are represented at this year’s conference.
“Infosec really does span the globe,” he said.
A main theme at Black Hat has been communication, how security experts communicate and what they talk about, Moss said.
“A lot of past talks were about how it’s our time now,” he said. “We wanted the attention of management, political leaders, and we’ve finally got it. Now that we’ve got the attention, what do we do with it, how we communicate determines outcomes.”
Moss said he thought the internet worked one way until he spoke with someone in China, and one conversation “flipped me upside down.”
“That’s why I’m a big believer [that] most of our problems are communication,” he said. “These are totally fixable communication problems. We can fix communications problems … and will have completely different outcomes.”
Dai Zovi said it’s important for development teams and security teams to work together and share the responsibility for security. There shouldn’t be a separation between the two, he said.
“Instead of saying no, say yes, and here’s how we can help,” he said. “Why don’t all security teams start with yes? They’re afraid. But fear misguides us because it’s irrational. We might focus completely on zero-day attacks and miss another way.”
“A lot of practices that we’ve learned through application development, DevOps and agile in general can be applied to our security engineering practices as well,” he said. “So that is something that is top of mind for us and our customers, how do I secure my workloads and applications as they move to a new model of application development, delivery, visibility, performance monitoring and security operations.”
Another recurring theme at Black Hat is the continuing reluctance of organizations to embrace multifactor authentication (MFA), which leaves them more vulnerable to cyberattacks. During a briefing focused on attacking and defending Microsoft Cloud (Office 365 and Azure AD), Mark Morowczynski, Microsoft’s principal program manager, brought up a startling statistic: 92 percent of Azure AD admins don’t use MFA.
“Nearly 100 percent of password spray attacks are using legacy authentication,” he said. “This is still a very active attack.”
Sean Metcalf, Trimarc’s CTO, also took part in the briefing and said that attackers go after what the cloud is used for and where the data resides.
“The cloud is a new paradigm that requires special attention and resources,” he said. “Cloud isn’t inherently secure. Security responsibilities are shared between …