Security Industry Best Practices: Black Hat 2010
Following an industry conference, I find it a good practice to reflect on what I learned and observed and see how I can apply it to my current work. At the conference there is so much to learn and take in, so I find it helps to let it all marinate for a while; then I can start to uncover the new learning once I’m back at my desk and away from the conference buzz. It’s now been nearly two weeks since BlackHat wrapped up, and these are the topics and observations from the conference that have been swirling around in my head. I hope to explore these thoughts further with my industry colleagues and find my own way to contribute to improving security industry best practices.
Cyber security professionals need an education
Education remains an area of concern for cyber security professionals. The perception is that universities are graduating computer scientists and other degreed professionals inadequately prepared to create secure software products. One comment seemed to resonate with many BlackHat attendees: “If it’s fair to expect a journalism graduate to write with appropriate grammar, why can’t we expect computer science graduates to write secure code?” This problem arises from a number of challenges, particularly the need to adjust curricula to meet the ever-changing technology landscape. Security is also an “eat your vegetables” topic that most computer science students rank low on their hierarchy of interests. The onus falls to employers and groups like SAFECode to inform universities of the need for graduates who are well trained in how to produce secure software products.
Should we break the Web?
It seems an odd question to ask during the BlackHat conference, yet it arose in several sessions. Tim Berners-Lee conceived the Web as a mechanism for easily sharing documents. His original vision did not include it becoming the foundation of global e-commerce, real-time video delivery, and the fundamental infrastructure of our connected society. Much of the functionality the Web now needs has been bolted on, often at the application layer. For instance, because HTTP itself is stateless, almost all Web 2.0 sites implement some form of session management in the application layer, typically a random identifier handed to the browser in a cookie and tied to state kept on the server. This is a functional solution, though not an ideal one: every site reinvents it, and every site gets to reinvent its mistakes (guessable identifiers, cookies sent over plain HTTP, sessions that never expire). Up until now the Web has evolved to meet the needs of its users, but are we approaching a time when evolution is insufficient and a revolution is necessary? Maintaining backward compatibility for the Web while moving the technology forward is a desirable goal, though, according to many BlackHat speakers and attendees, it may not be attainable.
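To make the "session management bolted onto a stateless protocol" point concrete, here is an added example (my own illustration, not code from the original post or from any site discussed at the conference) of what a minimal application-layer session store has to get right: an unguessable identifier from a CSPRNG, server-side state keyed by that identifier, idle and absolute timeouts, identifier rotation at login so a pre-authentication ID can never become the authenticated one (session fixation), and a cookie carrying only the opaque ID with the `Secure`, `HttpOnly` and `SameSite` attributes. The cookie name `sid`, the timeout values and the `demo()` walkthrough are assumptions chosen for the example; the clock is injectable so the timeouts can be exercised without waiting.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on lifetime regardless of activity
COOKIE_NAME = "sid"           # assumed cookie name for the example


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session state; only an opaque random ID ever reaches the browser."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so timeouts are testable offline
        self._sessions: dict[str, Session] = {}

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG (256 bits): not guessable, not sequential.
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str | None) -> Session | None:
        """Return the live session for an ID, enforcing both timeouts; None if invalid."""
        if not sid:
            return None
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]    # expired: drop it so the ID can never be revived
            return None
        sess.last_seen = now
        return sess

    def rotate(self, sid: str, user: str | None = None) -> str | None:
        """Issue a fresh ID for an existing session. Call this at login or any
        privilege change, so an ID the client held before authenticating (possibly
        planted by an attacker) is never the one that carries the authenticated state."""
        sess = self.lookup(sid)
        if sess is None:
            return None
        del self._sessions[sid]
        if user is not None:
            sess.user = user
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header for a session ID.
    Secure: never sent over plain HTTP.  HttpOnly: not readable by script (limits theft
    via XSS).  SameSite=Strict: not attached to cross-site requests (limits CSRF).  No
    Max-Age/Expires: the browser drops it on close; the server-side timeouts are
    authoritative regardless of what the browser does."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_cookie_header(value: str) -> str | None:
    """Pull our session ID out of a Cookie header value such as 'sid=abc; theme=dark'."""
    for part in value.removeprefix("Cookie:").split(";"):
        name, _, val = part.strip().partition("=")
        if name == COOKIE_NAME:
            return val or None
    return None


def demo() -> dict:
    """Walk through a session lifecycle on a fake clock; returns the checks as a dict."""
    now = [1_000_000.0]                      # constructed clock value for the demo
    store = SessionStore(clock=lambda: now[0])
    anon = store.create("anonymous")         # pre-login session (e.g. a shopping cart)
    sid = store.rotate(anon, user="alice")   # login: fresh ID, old one invalidated
    results = {
        "old_id_rejected": store.lookup(anon) is None,
        "new_id_user": store.lookup(sid).user,
        "cookie_flags_ok": all(flag in set_cookie_header(sid)
                               for flag in ("Secure", "HttpOnly", "SameSite=Strict")),
        "parsed_matches": parse_cookie_header(f"Cookie: {COOKIE_NAME}={sid}; theme=dark") == sid,
        "garbage_rejected": store.lookup("not-a-real-id") is None,
    }
    now[0] += IDLE_TIMEOUT + 1               # client goes quiet past the idle limit
    results["idle_expired"] = store.lookup(sid) is None

    sid2 = store.create("bob")               # an active client still hits the hard cap
    start = now[0]
    alive = True
    while alive and now[0] - start <= ABSOLUTE_TIMEOUT + IDLE_TIMEOUT:
        now[0] += IDLE_TIMEOUT - 1           # keep touching it just before idle expiry
        alive = store.lookup(sid2) is not None
    results["absolute_expired"] = not alive
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is the list of things the application has to do itself because the protocol gives it nothing: none of this is hard, but every site implements it independently, which is exactly the "functional but not ideal" situation the sessions were describing.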
Are wireless networks more secure than wired networks?
The surprising consensus from a panel discussion at BlackHat was “yes.” After an initial gasp from the audience, many of those in attendance agreed that a number of factors contribute to wireless networks achieving greater security than many of their wired brethren. First, security technologies such as cryptography and access control are commonplace on wireless access points, while their wired equivalents (port-based authentication such as 802.1X, link-layer encryption) exist but are rarely deployed. Second, many network administrators rely too heavily on physical security to provide access control, and as we have seen in several recent incursions, a thumb drive left within reach of malicious hands near a personnel entrance is often the easiest route inside a firewall-protected network. Finally, the availability of cheap and efficient switches makes unmanaged expansion of wired networks highly likely: any live port is an open door. All agreed that this does not mean we should begin pulling the plugs on our wired networks and deploying wireless access points everywhere. However, we should remove the blinders and be vigilant, always aware that a locked door does not assure that your wired networks are safe. The same principles and technologies making our wireless networks safer, authenticating the device before it gets network access and encrypting the link, should be applied to wired networks.
Vulnerability disclosure discussions at BlackHat
The software industry has been abuzz recently, with several companies announcing changes to their policies for the disclosure of vulnerabilities, and BlackHat became host to this ongoing debate. One researcher commented that software vendors should “stop hiding behind responsible disclosure policy,” signalling his disdain for the use of the word “responsible” in naming such policies. Others defended these policies, noting that vendors cannot be placed in the position of undermining their customers and partners until both are in a position to deploy a fix. The one fact that seemed elusive in the debate is the disparate nature of the software business. For instance, products with smaller customer bases can be expected to release patches and updates at a much faster rate than products with larger installed bases. Similarly, a SaaS vendor can often create, test, and deploy a fix within a few hours, whereas a traditional “shrink wrap” software vendor may require several weeks to perform a release, and its customers weeks more to roll it out. Expectations for vulnerability disclosure must be tailored to the reality of the specific product, because it is not presently a level playing field for all software vendors.
Bounties for bugs
Similar to the recent buzz around disclosure, there have been a few recent announcements regarding bounties for bugs. Some well-known vendors have upped the ante and are now offering as much as several thousand dollars to researchers reporting bugs in that vendor’s products. Now the pressure is increasing for other companies to offer bounties, or to increase them. This may be one of those religious debates, like asking which is the better path to security: openness or obscurity? By offering bounties, vendors are openly encouraging researchers to find defects in their code, while keeping discussion of the defect limited to the researcher and the vendor until a fix ships. Alternatively, many vendors offer public recognition (and in some cases employment) to researchers who find defects, though no direct financial reward for their efforts. So, which is better? The debate continues.
And finally, a warning to all the guys—a panel of former federal employees at BlackHat confirmed that the best source of tips leading to arrests and convictions of cybercriminals is (drum roll please!) ex-wives. So, gentlemen, you have been advised: do not commit cyber crime and be good to your ladies!