(Pictured above: Square’s Dino Dai Zovi on stage at Black Hat USA 2019 in Las Vegas, Aug. 7.)

BLACK HAT USA — Organizations will be better prepared to defend themselves against cybercriminals if security teams include software developers and others in the fight.

That was the message conveyed Wednesday by keynoter Dino Dai Zovi, Square’s mobile security lead, at this week’s Black Hat USA 2019 conference in Las Vegas. In its 23rd year, the conference has drawn a record 19,000-plus attendees.

Jeff Moss, Black Hat founder and director, told attendees 112 countries are represented at this year’s conference.

“Infosec really does span the globe,” he said.

A main theme at Black Hat has been communication, how security experts communicate and what they talk about, Moss said.

“A lot of past talks were about how it’s our time now,” he said. “We wanted the attention of management, political leaders, and we’ve finally got it. Now that we’ve got the attention, what do we do with it, how we communicate determines outcomes.”

Moss said he thought the internet worked one way until he spoke with someone in China, and one conversation “flipped me upside down.”

“That’s why I’m a big believer [that] most of our problems are communication,” he said. “These are totally fixable communication problems. We can fix communications problems … and will have completely different outcomes.”

Dai Zovi said it’s important for development teams and security teams to work together and share the responsibility for security. There shouldn’t be a separation between the two, he said.

“Instead of saying no, say yes, and here’s how we can help,” he said. “Why don’t all security teams start with yes? They’re afraid. But fear misguides us because it’s irrational. We might focus completely on zero-day attacks and miss another way.”

Jon Oberheide, Duo Security‘s co-founder and CTO, said Dai Zovi’s message “speaks directly to some of the stuff we’re doing.” Cisco acquired Duo last year.

“A lot of practices that we’ve learned through application development, DevOps and agile in general can be applied to our security engineering practices as well,” he said. “So that is something that is top of mind for us and our customers, how do I secure my workloads and applications as they move to a new model of application development, delivery, visibility, performance monitoring and security operations.” 

Another recurring them at Black Hat is the continuing reluctance of organizations to embrace multifactor authentication (MFA), and therefore leaving themselves more vulnerable to cyberattacks. During a briefing focused on attacking and defending Microsoft Cloud (Office 365 and Azure AD), Mark Morowczynski, Microsoft’s principal program manager, brought up a startling statistic: 92 percent of Azure AD admins don’t use MFA.

“Nearly 100 percent of password spray attacks are using legacy authentication,” he said. “This is still a very active attack.”

Sean Metcalf, Trimarc’s CTO, also took part in the briefing and said what the cloud is useful for and where the data is are what attackers are going after.

“The cloud is a new paradigm that requires special attention and resources,” he said. “Cloud isn’t inherently secure. Security responsibilities are shared between …

… provider and customer. There are many security features and controls that are available.”

Chet Wisniewski, principal research scientist at Sophos, said if there’s one takeaway from Black Hat, it’s that authentication is at the core of a lot of the problems right now, and the “best way we have of securing that authentication today is MFA.” At Black Hat, Sophos released a new research report on Baldr, an up-and-coming password stealer with at least four major revisions over the past seven months.

“For channel partners, it’s so important,” he said. “We provide a cloud service and administrators control all of their security within their organization from that portal, no different than Azure Active Directory (AD), and we have a hard time getting our partners to use MFA and criminals are trying to steal our partners’ passwords, log in and turn the security off. Of course they are. What better way to bypass the security than to log in as the security person and say turn it off. We warn all of our partners every time they log in, if they don’t have it turned on, please enable MFA. But like every other business, we’re afraid to force everyone to do it because we don’t want someone to not want to work with our software because they don’t want the inconvenience, so it’s kind of this Catch-22 situation.”

Monzy Merza, Splunk‘s vice president and head of research, said he agreed with a lot of the messages being conveyed at Black Hat.

“I think there’s a better appreciation of all the different facets of security, whether it’s mobile, whether it’s hardware or applications or services to cloud, or what people would traditionally call firewall protection and email attacks,” he said. “It just shows the diversity of what’s happening. For us, our message is fairly consistent … which is that data is really the engine that drives a lot of things. So you have to have the ability to collect the data or to enrich from other sources, and then be able to analyze that data and then be able to act on that data.”