Thoughts from Black Hat Europe 2017

December 12, 2017

For those of us operating in the cyber security space, the recent Black Hat Europe event in London was informative and interesting, providing us all with some pertinent issues to consider and act upon as we move into 2018.

As a new cyber security apprentice at Nominet, this was my first visit to the event with the team. I was encouraged to consider what my top four ‘take-aways’ would be:

Government Policy and Policing: ‘cyber diplomacy’

  • Cyber security is no longer just as a technical challenge; it is political, with multiple parties (high level executives and governments) and policies involved and subsequently at risk. Ensuring advice from security professionals can bleed into the cyber norms of the general population is key, with collaboration between policy makers and the technical community being crucial.
  • A question was raised on the future of security and, ultimately, who should be held accountable, as attribution is difficult in this space. Making vendors more accountable is one solution but others are standards, regulation and helping the consumers to assess risk in their suppliers. The security market has vastly expanded over the years but security risks have continued to increase – should we be doing something differently?
  • With GDPR on the horizon (May 2018), the repercussions of a breach may have a huge impact on the organisation. This will hopefully bring a clear line in accountability and repercussions for poor security practices.
  • Patching regulation is also an important topic in terms of the future of security governance. With the lifetime of a device increasing every year, we need to ensure patching is adhered to across the lifecycle of the device and that updates are done whenever available.

Security through distrusting

Joanna Rutkowska, Chief Executive of Invisible Things Lab, broached the idea of ‘security through distrusting’. Basically, this remodels the way we feel about all hardware components, software and networks, starting from a place of distrust.

From the conventional approach of trying to make systems secure and trustworthy such as removing backdoors and regularly deploying patches, it moves to a mentality of treating every component as compromised, employing practices such as compartmentalisation.

While interesting, this approach encourages people to be distrusting in order to be secure. It also transfers additional costs and risks to the consumer rather than demanding the vendor be more accountable.  In another setting or format, however, could this approach be used to help maintain security?

IoT is still at risk – as if you didn’t know

It is well-established that IoT devices suffer from vulnerabilities, but Black Hat cemented this through demonstrations of how easily different devices can be hacked. The ones that stuck in my mind included the BlueBorne exploit demonstration, which created a small botnet of two Alexa devices and a Samsung Gear watch onstage. There was also a session that identified vulnerabilities in the Bluetooth protocol and one that showed how to exploit connected medical devices such as a patient monitoring equipment (e.g. insulin pumps), allowing the hacker to steal highly valuable patient data and potentially adjust medicine levels. It was a sharp reminder that more needs to be done to keep IoT secure.

Machine Learning & AI

A definite trend in the vendor space was a push for AI and machine learning, using the former to perform intelligent behaviours and the latter to then ensure these machines are evolving and are truly ‘intelligent’. When these tools are in the hands of the right people (your security team) they can be powerful and effective, but they must be handled and implemented correctly to unlock the benefits.