Security pros at hacker conference: Be more boring
LAS VEGAS – Cyber threats have never been more complicated, but professionals at the most prominent research events on the hacker calendar argued that it has never been a better time to be boring about security.
“Especially in recent months NotPetya and WannaCry have emphasized how important the boring parts of security are,” said Ryan Kazanciyan, chief security architect at Tanium and a consultant for the television show “Mr. Robot.”
Kazanciyan and other experts spoke to The Hill during B-Sides, Black Hat and DEF CON – three back-to-back cybersecurity conferences in Las Vegas sometimes collectively referred to as “hacker summer camp.”
The fundamental flaw exploited in WannaCry – ransomware that infected hundreds of thousands of machines in under a week in May – had already been patched by Microsoft two months before the attack, as part of the March 2017 fix known as MS17-010. Machines were infected because they had not applied that patch, in some cases because they ran versions of Windows that were no longer receiving updates. NotPetya, which spread about six weeks later, used the same flaw among its methods of spreading.
Most high-profile research focuses on novel attacks, previously unseen flaws in software and large, sometimes state-sponsored, political actors. But most real-world attacks rely on well-worn techniques: phishing and other forms of fraud, and vulnerabilities that have long since been patched.
“Just because security folks don’t get excited about something doesn’t mean it’s not important,” said Tod Beardsley, director of research at the firm Rapid7.
Beardsley noted that even before the WannaCry vulnerability was patched, Microsoft had deprecated the feature that contained it, the SMBv1 file-sharing protocol, in newer versions of Windows. Years earlier it had even told security professionals the feature was obsolete and should be turned off wherever possible.
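The "boring" controls that WannaCry and NotPetya punished come down to two checks an administrator can script: is SMBv1 still reachable on this host, and has the host taken any Windows update recently. The PowerShell below is an added example, not code from the article, from Rapid7 or from Microsoft. The cmdlets and registry paths are the ones Microsoft documents for auditing and disabling SMBv1; the function names and the 45-day staleness threshold are this example's own choices, and it assumes Windows 8.1 / Server 2012 R2 or later for the SMB and optional-feature cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or any vendor quoted in it).
# Audits whether this host still speaks SMBv1, the protocol whose flaw MS17-010 fixed
# in March 2017, and whether it has installed any update recently. Run elevated.

function Get-Smb1Posture {
    $lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $posture = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Server side: will the file server accept an SMB1 negotiate from a client?
    $posture.ServerSmb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # Explicit registry override; absent means "default", which on older releases is on.
    $posture.ServerSmb1Registry = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    # Client side: mrxsmb10 is the SMB1 redirector driver. Start type 4 = disabled.
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue).Start
    $posture.ClientSmb1Disabled = ($start -eq 4)

    # Is the SMB1 component installed at all? Older OSes lack this cmdlet; report Unknown.
    try {
        $posture.FeatureState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch {
        $posture.FeatureState = 'Unknown'
    }
    [pscustomobject]$posture
}

function Get-PatchStaleness {
    param([int]$MaxAgeDays = 45)   # threshold chosen for this example
    # The newest InstalledOn date tells you whether the host is on the update train at all.
    # Do not grep for the March 2017 KB numbers: later cumulative updates supersede them
    # and they will not appear in Get-HotFix output on a host that is actually current.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($latest) { (Get-Date) - $latest.InstalledOn } else { $null }
    [pscustomobject]@{
        LastUpdate  = if ($latest) { $latest.HotFixID } else { 'none' }
        InstalledOn = if ($latest) { $latest.InstalledOn } else { $null }
        Stale       = (-not $latest) -or ($age.TotalDays -gt $MaxAgeDays)
    }
}

function Disable-Smb1 {
    # Server: stop answering SMB1 and pin that via the documented registry value.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
    # Client: drop the SMB1 redirector from the workstation service's dependencies and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Remove the component where the OS supports it; a reboot finishes the removal.
    try { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop | Out-Null } catch {}
}

$smb   = Get-Smb1Posture
$patch = Get-PatchStaleness
$smb   | Format-List
$patch | Format-List

if ($smb.ServerSmb1Enabled -or -not $smb.ClientSmb1Disabled -or $smb.FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is still reachable on this host; run Disable-Smb1 and reboot.'
}
if ($patch.Stale) {
    Write-Warning "No update installed in the last 45 days (last: $($patch.LastUpdate))."
}
```

Run it on one host to see the report; to turn the audit into the inventory-driven sweep the rest of the article argues for, feed the host list from your asset inventory to Invoke-Command and collect the two objects per machine. Disabling SMBv1 will break any remaining clients or appliances that can only speak SMB1, which is exactly the list of systems you most need to find.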
And the recent ransomware outbreaks were far from the only case in the past year where a well-known, frequently warned-about weakness caused massive damage.
“We’ve been saying for 20 years that internet connected devices needed to be as secure as any computer system,” Beardsley said. “It took something like Mirai to get people to notice.”
Mirai is software that automatically took over vast arrays of internet-connected security cameras and similar devices, typically by logging in with their factory-default passwords, and used them to flood web servers with so much traffic that they crashed – an attack known as a distributed denial of service (DDoS). It received public attention in October 2016 when it took down Dyn, a major DNS provider and critical junction point on the internet, briefly shuttering Twitter, Netflix, The New York Times and Etsy.
The problem stems from the excitement surrounding new technologies, security experts argued. Threats with interesting motives or the potential for chaos catch media attention more easily, and it is easier for cybersecurity companies to sell defenses against the newest threat than against older ones.
“A lot of companies now start their security by emphasizing which attackers they think will be attacking them,” said Veracode chief technology officer Chris Wysopal. “That’s crazy.”
Wysopal gave a presentation to chief information security officers as part of the Las Vegas festivities, saying that there were multiple layers of security to emphasize before getting to blocking specific bad guys.
“Start with the basics: Know what hardware and software you have and what’s most important for you to defend.”
Before fighting a war against a specific attacker, first shore up your most important assets against every attacker, he said.
Cataloging what systems fall under an IT department's purview may sound like a basic task, but it is one many departments get wrong. When Congress decided to consolidate federal data centers to save money and bolster security, it first asked agencies how many data centers were in use. The estimate was off by a factor of 10.
After a year of high-profile attacks that took advantage of security flaws most researchers no longer find exciting, many are urging security professionals and policy makers to return to basics – even if it is less glamorous.
“There is a lot of hype in cybersecurity,” said Mischel Kwon, the former head of the United States Computer Emergency Readiness Team (US-CERT) and former chief information security officer and director of the Justice Security Operations Center at the Department of Justice. She currently heads the firm MKA-Cyber.
“There’s a lot of B.S.,” she said. “The easy things aren’t sexy. We keep talking about the same problems, and we know what we have to do to solve them. Why don’t we?”