Black Hat 2019: Communication, culture, and controversy
Over 20,000 security executives, analysts, hackers, academics, and government staffers from 112 countries filled the Mandalay Bay Hotel for Black Hat USA 2019. Now in its 22nd year, the conference was jam-packed with the latest cybersecurity research, threats, trends, and technologies.
Recurring themes included communication and culture, along with a healthy dose of controversy!
Black Hat founder Jeff Moss kicked off the conference in sparkly shoes, joking, “If the lasers hit me just right, I may be able to blind one or two of you.” Focusing on the relationship between communication and outcomes, he warned attendees that while security is now firmly in the spotlight, we’re not communicating effectively about it.
“Most of our problems are communication problems, and they’re totally fixable.”
— Jeff Moss, Founder, Black Hat and DEF CON
While cyber (or information) is considered the Fifth Domain of Warfare after land, sea, air, and space, it is fundamentally different, and requires its own language. Moss called on the industry to reorder the way we think about security in order to achieve better results. He pointed out that if you communicate well, you may find yourself with more budget. And if you communicate poorly, you could find yourself fired.
Dino Dai Zovi, Mobile Security Lead at Square, reiterated the importance of interactive communication. He pointed to three lessons that promote a generative culture focused on shared goals and risks, rather than blame or fear:
- Work backward from the job. Security teams need to evaluate the job to be done. Talk to internal teams about their struggles and what they’re looking to accomplish. By listening to them and understanding their “hiring” and “firing” criteria for a security solution, you can avoid friction and better address needs.
- Seek and apply leverage. Focus on having a big impact despite limited resources. You can work smarter — not just harder — through better software and better automation.
- Culture is king. Culture is greater than strategy and tactics. Without a cultural shift toward embracing security throughout the organization, technical aspects will fail despite the best-laid plans.
Numerous security offerings were introduced during the conference. Two announcements in particular highlight a move toward increased collaboration and communication between companies and researchers:
- Apple announced an expansion of its existing bug bounty program to include macOS, tvOS, watchOS, and iCloud. It’s been opened up to all researchers and includes rewards of up to $1 million for a zero-click, full chain kernel code execution attack. Previously, the program was open only to those on the company’s invitation list and the reward was $200,000.
- Microsoft announced the Azure Security Lab — a sandbox-like environment for security researchers to test its cloud security — and encouraged applicants to sign up for a 30-day trial period. The company also announced new scenario-based challenges with additional bounty awards of up to $300,000.
4 notable sessions
More than 100 sessions, or “briefings,” spanning 20 tracks took place during the main conference. Here are a few that caught my attention:
1. In “Attacking and Defending the Microsoft Cloud (Azure AD & Office 365),” Sean Metcalf and Mark Morowczynski highlighted six common attacks — including consent abuse, breach replay, phishing, password spraying, and compromising ADFS or Azure — and how to defend against them. They made it clear that cloud security threats require improved IT collaboration, and recommended implementing multi-factor authentication (MFA) for all users and cloud admin accounts. Additionally, the Center for Internet Security (CIS) controls, which outline specific things that can be done to thwart attacks, has removed all references to passwords in an effort to get organizations to move toward MFA.
2. In “DevSecOps: What, Why and How,” Anant Shrivastava stressed that successfully injecting “Sec” into “DevOps” requires automation and cultural change. We need to avoid the blame game, he said, and provide development, security, and operations teams with cross-skilling opportunities.
A recent GitLab Inc. survey revealed 68% of security professionals think it’s a developer’s job to write secure code, but less than half of developers can spot security holes. At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help.
3. In “Arm IDA and Cross Check: Reversing the Boeing 787’s Core Network,” IOActive penetration tester and self-proclaimed fearful flyer Ruben Santamarta presented what he says are vulnerabilities in the Boeing 787 Dreamliner that could be used for several different attacks. Boeing disputed the findings, maintaining that its network defenses would thwart the attacks, and called the presentation “irresponsible and misleading.”
4. A presentation titled, “The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean For Encryption?” caused an uproar. The session was sponsored by Crown Sterling, an emerging company that claims to provide the world’s first dynamic non-factor based quantum AI encryption software.
Trail of Bits CEO Dan Guido stood up and challenged presenter Robert E. Grant during the session, accusing him of potentially putting people in danger by pitching an unproven technology. Black Hat speaker and cryptography expert Jean-Philippe Aumasson remarked that Grant took credit for a discovery first attributed to Greek polymath Eratosthenes. He later told PCMag that Crown Sterling’s website has “all the signs of snake-oil crypto: extravagant claims, total lack of experience in the domain, no technical documentation, no testable software, no references.”
Attendees ridiculed the session on social media, and it has since been scrubbed from the Black Hat website. Despite all of the criticism, Crown Sterling stands by its claims. A press release issued the day after the conference called the company’s challengers “resistant to change.”
Cybersecurity culture is a collective effort
There are more Black Hat highlights than I can mention on a variety of other interesting topics, including IoT hacks, bypassing Apple’s FaceID, social media phishing, container escapes and more, not to mention the winners of the annual Pwnie Awards.
While some attendees noted — with disappointment — that Black Hat has become more commercial, it continues to provide valuable insight into the security community’s maturity and challenges.
This year’s themes of communication and culture provided actionable ideas we can draw from to strengthen our organizations’ overall commitment to cybersecurity. We have the attention of management and executive teams, and it’s time to use it. As Dino Dai Zovi put it, we need to stop saying no. If we start more conversations with “yes, and here is how we can help,” we can communicate more effectively and achieve better outcomes.
David O’Leary contributed to this post.