This blog written in Amsterdam, one of my favorite cities in all the world for its laid-back attitude, it's brilliant culture, and history beyond books.
The conference has grown again, and I'm having a great time learning, meeting, and presenting - but as always, long after memories of presenters and topics fade I will remember the hallway conversations, the between-talk discussions and new friends being made.
On that thread, thought it would be appropriate to give you a Top 3 list of things I think are key take-aways from this year's Black Hat Conference here in Europe, in case missed it:
Vulnerabilities don't die, they multiply
Nothing exemplified this more than David Litchfield's talk where he basically broke out some 2007-era Oracle vulns and told the audience how they're pretty much all still exploitable. Then there's the issues with VoIP systems that are, still, exploitable (albeit in a slightly new way), and yes we're still failing to solve or even put a big enough dent in the software security space.
On top of the fact that lots of old bugs haven't been sufficiently squashed yet, many new ones pop up every day (especially here at a Black Hat conference!) which means we're adding on to our current threats rather than being able to ever take anything off that radar.
This is an unsustainable model for going forward, as we're absolutely certain to hit some magical tipping point where security's current method of operation unravels horribly and fails. I suspect this is coming faster than any of us would like to admit. We need to re-think how we approach non-security folks to talk to them about security. Urgently.
Corporate security professionals are overwhelmed
Overwhelmed, under-funded, and unprepared is how one of the attendees of my talk put it. Simply working a corporate security job day-to-day without taking the time to poke your head up to see how the threats have changed is a recipe for a grade-A failure. Unfortunately, many of the attendees of a conference like Black Hat have to pay their own way and do it on their time off.
If you're a corporate security CISO and you don't regularly send your people to understand the offensive side of security, the latest threats against you, and just what the security community is saying - you're failing your business.
This should be an automatic line-item on every budget... keeping employees current on today's threats and tomorrow's attacks and thinking should be something that cannot be cut from a budget, for corporate security professionals.
'Security' as a profession has fallen further behind
As I alluded to in point #1 above, this year is another perfect example of the phrase "another year, another step behind". Too many people still talking about implementing practices, procedures and technologies that were the in thing last year and are barely relevant right now.
I'm not saying security teams should be chasing the next hotness in attacks - but you have to keep up lest we drown. Collectively, I think every year we see tons of new technologies from new development frameworks, to IP telephony, to something else the business wants - mobility, cloud, consumerization are fantastic examples - that information security professionals only start to address and understand just as they're starting to go out of style.
I can't think of a better reason to say that we need to re-think how security functions because this way of operating is unsustainable.
Something else that I find interesting, but not necessarily a lesson I want you to take away from this post, is that we seem to like to re-invent wheels here in Information Security.
I don't mean completely re-inventing the wheel, but I'm referring to a scenario where a perfectly good wheel that is starting to gain maturity is scrapped and re-built from scratch because it doesn't fit this tiny edge-case someone found... and rather than contributing to the upgrade of an existing wheel we're starting over because this one will somehow be better because it's a stand-alone niche solution.
I apologize if I sound snarky, but I'm of the belief that we're wasting a lot of time and effort and not really collectively maturing the industry. Whether this is ego-driven, or purely because we simply find existing solutions too unwieldy - I urge you to consider contributing to an existing product (commercial or open-source) rather than starting your own... but that's just me thinking out loud.
I tell you this not as a presenter, but as someone who's learned a few things over this past couple of days - if you're not here spend the cash to get the videos... and get here next year if you can.
This is well worth your budget dollars, and is orders of magnitude than what you'll end up paying in emergency response cash when things you haven't even thought about or knew existed happen to you.
Cross-posted from Following the White Rabbit