The Sadness of the Wise IT Security Pro

Observations from Black Hat Security Conference

By Eric Chabrow, August 7, 2014. Follow Eric @GovInfoSecurity
The hacker community can be a cynical crowd, or perhaps a realistic one, that tries to make the best of the threats confronting society.

Take, for instance, Dan Geer, an influential chief information security officer, who this week delivered the keynote address at the Black Hat security conference in Las Vegas.

Geer, CISO at In-Q-Tel, a not-for-profit investment firm that invests in technology to support the U.S. intelligence community, says he prefers to hire security folks who are, more than anything else, sadder but wiser.

"They, and only they, know that most of what commercially succeeds, succeeds only so long as attackers do not give it their attention, while what commercially fails, fails not because it didn't work but because it wasn't cheap or easy or sexy enough to try," Geer says.

"Their glasses are not rose-colored; they are spattered with realpolitik," he says. "Sadder but wiser hires, however, come only from people who have experienced private tragedies, not global ones. There are no people sadder but wiser about the scale and scope of the attack surface you get when you connect everything to everything and give up your prior ability to do without. Until such people are available, I will busy myself with reducing my dependence on, and thus my risk exposure to, the digital world even though that will be mistaken for curmudgeonly nostalgia. Call that misrepresentation, if you like."

The Password Issue

News that more than 1 billion passwords have been amassed by Russian hackers was greeted with a shrug of the shoulders by many Black Hat attendees (see Experts Analyze Impact of CyberVor). "We don't know which organizations the information has been stolen from [so] there is no point in being worried about anything unless you have recycled your password," says Mikko Hypponen, chief research officer at F-Secure.

But, of course, finding ways to get rid of passwords was a hot topic at the security conference.

One of the more fascinating sessions featured security researcher Markus Jakobsson, a senior director at wireless telecommunications chip and products maker Qualcomm, who explained the technology behind a bracelet or smart watch that could be used to authenticate online users.

The fact that individuals' passwords are constantly being breached won't necessarily get users to adopt new technologies - but getting tired of resetting their passwords could. "The increasing number of passwords we have is a frustrating thing," Jakobsson told me in an interview after his presentation. "And the fact that our brains work in the way they do, unfortunately, that leads to resets. That's something that is stressful for people. I feel really frustrated every time I go through one of these. Of course, I'm not alone. If I bought a watch or other device that freed me from that, I'd be very pleased. Once people realize that, and there is enough of a marketplace presence of devices that support this, I think it's going to happen."

Fooling the Enemy

It's not surprising that many cybersecurity specialists are military veterans, and one of the presentations at Black Hat focused on translating battlefield tactics and strategy to cyberspace.

Among the tactics that work in the kinetic world that could translate to the virtual world are denial and deception. Denial keeps the adversary from learning the truth; deception gets the enemy to reach the wrong assumption.

Arguably the most effective deception in military history was Operation Bodyguard, which fooled the German high command into believing the Allied invasion of France would occur near Calais weeks after troops stormed Normandy beaches on June 6, 1944.

How could that work in cyberspace? Army Col. Greg Conti, director of the Army Cyber Institute at West Point, provides one example: posting information online that would lure hackers into using a specific port on a computer, which would then spew incorrect information about the system. But Conti says deception in cyberspace must be carefully planned to avoid collateral damage.

"You have to be very careful; your users still have to use the network," he says. "It can't be so deceptive that they're not able to use it."
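An added illustration of Conti's decoy-port idea, written for this page and not taken from the article or from the Army Cyber Institute: a small Python listener on an otherwise unused port that answers with a constructed, misleading banner and records who connected, so legitimate users are never touched while defenders learn who took the bait. The banner text, the port choice (the OS picks a free one here) and the probe payload are assumptions.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed, deliberately misleading banner: the decoy port "spews incorrect
# information" about the host, as in Conti's example. Not a real product name.
DECOY_BANNER = b"220 legacy-ftpd 1.0 ready\r\n"

class DecoyPort:
    """Listen on a port real users never need, answer with the decoy banner,
    and record every connection so defenders can see who took the bait."""
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))          # port 0: OS picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []                      # (utc time, peer, first bytes sent)
        self._cv = threading.Condition()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                   # listener closed, stop serving
                return
            with conn:
                conn.settimeout(2.0)
                conn.sendall(DECOY_BANNER)
                try:
                    probe = conn.recv(256)    # whatever the visitor sends next
                except OSError:               # timeout or reset: still an event
                    probe = b""
            with self._cv:
                self.events.append((datetime.now(timezone.utc), peer, probe))
                self._cv.notify_all()

    def wait_for_events(self, n, timeout=2.0):
        """Return recorded events once at least n exist (or the timeout passes)."""
        with self._cv:
            self._cv.wait_for(lambda: len(self.events) >= n, timeout)
            return list(self.events)

def probe_decoy(port, payload=b"USER anonymous\r\n"):
    """Connect once, as a scanner would, and return the banner received."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner
```

Each recorded event carries the peer address and the first bytes the visitor sent, which is what a defender would forward to monitoring; nothing on this port is reachable by ordinary users, so it cannot make the network unusable for them.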

Schemes that work in the physical world can only serve as a guide; they can't be carried over wholesale into the virtual world. But it's a start.
