There were a number of very good presentations this year and the after-hours parties were great, but from a security industry standpoint, Black Hat 2011 seemed like it had less energy this year. Some of that might have been because it got so much airplay on commercial media and NPR before and during the event, but even with many, many more people, there just wasn’t as much excitement as in the past.
It’s long been clear that the US Government is interested in the space and is spending massive amounts of money on information security and new security technology. It’s also apparent that many organizations are waking up to the fact that they need to develop effective information security programs. Recent discussions with clients are generally about how much more budget they will have in 2012 than this year. These are good things and you’d think they’d lead to significant private investment and more innovation that might show up at Black Hat.
However, while Black Hat (and DEF CON for that matter) is supposed to be vendor neutral, you would expect organizations to emerge as industry leaders or at a minimum to show overall industry thought leadership. Other than the US Government and its speakers (in particular Mudge), there wasn’t much commentary on the state of the industry and bigger picture issues. I realize that some of the lack of corporate thought leadership (and momentum) is intentional – Jeff Moss referenced getting back to vendor neutrality in one of the keynote intros and I do understand that Black Hat is more about security research and technology. Nevertheless, in past years, there was at least some industry excitement surrounding new concepts and industry related acquisitions such as IBM buying Ounce and AppScan, or HP buying WebInspect and Fortify. Even the spinoff (and eventual Dell acquisition) of SecureWorks created buzz at Black Hat in the past. There was really no “buzz” and no real unifying industry vision at this year’s event – which ultimately is important as we mature as a vertical.
As has happened before with the security industry, roll-ups and investment seem to be bungled. Like the first major round of roll-ups (where Symantec, McAfee, and VeriSign were the acquirers), the latest generation of security rollups appear to be flailing. IBM has struggled to consume ISS and its other recently acquired security product lines. HP appears to be in a similar boat. RSA looked like it might be starting something, but, well they won a pwnie this year…
Don’t get me wrong, I enjoyed many of the presentations – Moxie Marlinspike was great, Nelson Elhage’s preso on breaking KVM was interesting, and I always enjoy the Securosis crew. Additionally, the overall focus on mobile security, IOS and Android was good. And the open discussion about advanced persistent threat (APT) and what actually is going on with foreign governments (like China) was refreshing – Alex Stamos gave a good 10 minute overview of APT within his presentation comparing Windows and Apple security.
However, you know the industry is having issues when one of the main industry related discussions is about Trustwave trying to go public (which we’ve been hearing for 18 months) and the biggest booth at the show is occupied by a pwnie award winner, RSA (one of the reasons for increased budgets next year). I’m not sure that this will change soon, and, in fact, not having large major players benefits boutique firms like NetSPI, however, with all of the government money and the increased information security budgets, it’s inevitable that we’ll see more investment, new ideas, and new leaders emerge – maybe next year.
For the past five years it seems like almost everything in information security has focused on application security and, for the NetSPI consulting practices, our application security business (app pen testing, code review, etc.) has significantly increased. In that time, we have seen areas like network and systems vulnerability assessments change due to the commoditization of those services. Qualys, nCircle, and Rapid7 have all created a less expensive way to do a fairly simple scan of networks and systems that provide some level of comfort that networks and systems are secure.
Today it’s pretty common to hear people say “we’ve got the network covered; now we’re really interested in pursuing our application security.” In 2006 I remember Charlie Johnson, head of the consulting practice at Symantec, talking about apps being the only thing that mattered and that he was thinking of committing the Symantec consulting team to secure application development. He may have just been thinking out loud, but securing applications has become the focus of many IT security groups almost to the exclusion of focusing on risk to the organization.
Don’t get me wrong, application security is a huge problem and it will remain a problem for many years. However, there are many other areas of risk (perhaps greater risk) that cannot be ignored. At the technical level, system security for off-the-shelf software is a persistent problem. Organizations still struggle to patch quickly and there are often systems with exceptions to the patching process that weaken an organization’s domain and system security. While patching is still an issue, the biggest vulnerabilities are found within network and system configurations. In most (90-95%) of our pen tests we find weak configurations that lead to the complete compromise of an environment. In addition, in many organizations, database groups are silo’d off and don’t get the security attention that they need. Because of this, we find an excessive level of insecure configurations, embedded passwords, and inappropriate trust relationships that can lead to compromise.
With all of these technical vulnerabilities, it’s amazing that an even wider security hole can be found within the physical operations, business process, and personnel at organizations. This is still usually the easiest way to break into an organization. Often it’s combined with technical exploits, but social engineering provides an almost failsafe way to get information and access within technology environments.
I don’t think we should reduce our focus on application security – there’s a lot to do there and it will take many years to secure this aspect of IT within organizations. However, I think it’s incredibly important not to lose sight of what constitutes risk. If you really want to understand and reduce IT related risk, you’ve got to look comprehensively at risk within all aspects of your IT environment – process, physical, network, systems, database, and applications. Because while you may not be looking at these things, it’s certain that at some point, someone looking for the easiest way in will be looking at exploiting these weaknesses.
We celebrated NetSPI’s 10 year anniversary last month. It’s amazing that it has been that long. The anniversary has led me to reflect on NetSPI’s history and on the security industry’s history (at least since I’ve been involved – so, from around 1995).
Being on the forensics team at Ontrack in the mid 1990′s, we saw a significant number of criminal and security related incidents. It truly was the Wild West, with companies moving to Windows 95/NT3.51 before they had a clue about stabilizing them, let alone securing them. Many people didn’t understand that email lived beyond what you saw on your screen (let alone that files lived on forever on various hard drives). At that time, very few people in corporate America (including those in IT) had any idea about what was going on within their IT environments. In many organizations, the CFO ran IT and no one else at the C-level wanted anything to do with it. Security wasn’t even a joke for most companies – it was a non-issue, and at Ontrack we got to see that first hand.
That NetSPI started around 9/11 is an unfortunate but good reference point. It was ironic that an event that should’ve heightened corporate America’s focus actually led to decreased attention and reduced budgets for information security. In 2001 almost everyone that I met discussed what a great industry information security must be due to the focus created by 9/11. Nothing could have been further from the truth. Companies were cutting spending dramatically. This wasn’t necessarily the case in the Northeast (because of the proximity of 9/11), but it was around the rest of the country. IT security was an abstraction unrelated to corporate operations.
From 2001 through 2005 or so, there was lots of commiseration surrounding the lack of traction that information security was attaining. The “I’m beating my head against a wall” feeling was pretty strong for those in IT security, at least everywhere but in very large financial institutions. There was always hope that one day people would start to care. In fact, in many conversations there was an underlying sentiment that “the C-level isn’t giving me what I need and some day they’ll pay.” It felt like that someday was probably decades away, but everyone hoped that non-IT and executive management would start to get it.
It’s hard to believe, but I think that day – the upper management getting it day – has come. Just look at Sony. Because they’re a Japanese company there are some cultural issues that have played into holding the person at the top accountable. It is amazing that there has been discussion about his accountability and the future of his job. It didn’t start entirely with Sony, things have been changing for a while. Events like the RSA breach were a wake-up call and because Art Coviello, RSA’s President, responded, I think we’re seeing a sea change in attitudes and accountability with regards to information security. While the responses and/or the programs are not entirely what many in our industry would consider adequate, we’re seeing C-level responses and there appears to be action behind their words.
There was a great quote in a recent Ponemon study sponsored by Cenzic and Barracuda: “Most organizations have been hacked, yet 88 percent still spend more on coffee than on app security.” Combined with the recent revelation that oil companies and components of our national infrastructure have been compromised (see McAfee’s Global Energy Cyberattacks: “Night Dragon” for more information), this should be cause for significant alarm. Aside from funny quips like the one above, there are massive tangible costs associated with the recent breaches. One of the most shocking losses is the cost associated with US fighter jet technology. It’s estimated that China “saved” over $20 billion in the development of its latest stealth fighter. Although not publicly discussed, it’s commonly acknowledged that China’s advances were due in large part to lapses in US information security.
What’s scary are the breaches that we are hearing about are occurring at organizations that spend significantly more than average on information security. While each has its issues, the military spends massive amounts on information security and large oil companies tend to allocate security significant budget dollars. In addition, the breaches at the oil companies were fairly simple: break in through externally available web applications and step through to confidential information and critical processes. Most of the attacks in the McAfee report were based on existing and commonly used tools. If highly profitable companies that spend significant amounts of money on information security are being breached, it shows how massive the problem is that we are facing and how difficult it will be for smaller less profitable organizations to confront.
In the past, when I spoke to what might be considered an ordinary mid-sized business (one that didn’t think it had significant security needs) like manufacturing or healthcare, the response was often “who would want to break into our environment.” Unbelievably, these comments can still be heard within the IT groups of Fortune 500 companies; however, with breaches at organizations like Minneapolis’ Valspar (a Fortune 500 paint manufacturer which had its paint formulas stolen) corporate boards are beginning to understand the risk related to information security within IT and this is one of the keys to addressing the problem.
Corporate boards need to wake up to the massive problem, fund information security, and demand more information about their organization’s posture on a regular basis. Since boards are usually not made up of IT or security experts, it’s the responsibility of Information Risk, Security, Audit, and IT to provide them with tangible information about security and risk posture. While boards could ask for the coffee vs. security budget ratio, there are better ways to look at this and budget for this. However, making the point to a non-IT oriented board takes tangible events and understandable facts. As the recent reports and news articles show, the events are happening. It’s up to boards, executive management, IT and information security to understand the facts and plan / fund appropriately.
I like to watch industries evolve in how they deal with information security. It was interesting to watch retail evolve as PCI got more organized. The PCI Council put together the DSS with dates and penalties for breaches and non-compliance, and that drove significant change. It appears that a similar major change within healthcare is starting to take place. We have begun to see a proactive shift that incorporates compliance with HIPAA, an understanding of risk, and the development of security programs.
As I’ve discussed in the past, the healthcare industry is significantly behind in dealing with IT-related risk. For an industry to change its approach to information security / risk, its culture needs to evolve. In my opinion, risk is the most effective driver of this change. If the risk is great enough, industries develop a mature understanding of risk management (of which security is a subset). The military and banking have tangible risks tied directly to their IT assets; therefore, they understand risk. The problem is that this mature understanding of risk doesn’t exist in most other industries. Without risk driving a security program, industries must rely on other drivers – usually compliance (also a subset of risk).
What we’re seeing within healthcare is that PCI is driving the maturation of risk. For example, one key issue that keeps coming up, especially in hospitals, is the belief that PHI is more important than PCI / credit card information. Yet it is PCI compliance that has forced organizations to think systematically about risk. How do you reconcile the budget for PCI compliance with the lack of budget for PHI-related security?
In addition, PCI has forced multiple groups (including IT, security, audit, and finance) to work together to deal with compliance and, ultimately, information security issues. Many of these same groups are now being asked to deal with HITECH / ARRA / updated HIPAA. With the new interpretations of HIPAA, the new regulations, and with these new sets of eyes, these groups are beginning to understand that they are not compliant with HIPAA, that they have significant risk exposure, and that they need to develop programs to deal with this exposure.
From what we are seeing with many of our healthcare clients, the combination of a more pervasive awareness of PCI and new healthcare-specific regulations are creating a more mature understanding of risk and driving a new focus on developing successful information security programs. Let’s hope this trend continues.
