Security Roundup: Black Hat Edition
HackerOne was on hand for five days of live hacking events.
Last week’s Black Hat USA 2018 conference in Las Vegas was the place to be for all things cybersecurity.
Among the topics explored were the need for more collaboration among cybersecurity providers and more information sharing in the industry to battle the ever-increasing volume of cyberthreats. Other individual topics included securing IoT and stopping election hacking.
HackerOne was on hand for five days of live hacking events. Marten Mickos, HackerOne’s CEO, tells us the event is a good way to get people interested in “white hat” hacking.
“We have 100 hackers that we’ve flown in at our expense; they come here and it’s like an athletic tournament for them,” he said. “They compete against each other, but they also have this enormous professional respect for each other, so they share all of the information. But the customers sign up and say ‘We want to be the next one, we want to be hacked,’ because they see so much value in one day. It’s a fantastic offering for our customers.”
HackerOne paid anywhere from $100,000 to $450,000 in bounties in a single day during the event.
“There’s enormous growth, every kid wants to be a white hat hacker,” Mickos said. “But it is tough. Think about sports. Every kid will do sports after school and not all of them will become professionals or even strong amateurs. It’s the same here. Everybody wants to do it, not everyone will make it all the way, but it is fun even on the most beginner-amateur level. Even when you start, it’s exciting. Even if you don’t find anything, it’s exciting and you learn. So it is rewarding to them even before they find something.”
And hacking builds their professional skills and strengths, and gives them a competitive edge when job hunting, he said. There’s no better way to land a security job with a company than saying “I found all these valid vulnerability reports for all these companies, here’s my track record,” he said.
HackerOne also tries to steer hackers away from becoming black hats, which can be more of a challenge when they’re younger and don’t necessarily have a “moral compass” yet, Mickos said.
“We give them a very positive experience with that,” he said. “We show them that when they file a bug report, they get the bounty, the credit and the appreciation for it, they get the respect of the others and they say ‘Wow, I like this.’ It’s not that they ever were on a path to becoming black hats, but it very clearly shows them the path to a white hat and how fulfilling it is for a young person who is unsure about what their life will bring them, whether they will be useful to society, whether anybody will respect them. Here we give them the path to become respectable, contributing citizens.”
There is a “very elaborate system” in place to ensure hackers don’t go too far and end up committing crimes, Mickos said.
“But in the actual moment, there can be nuances and questions as to how far you should go,” he said. “In order to demonstrate that they were in, they have to find something and they have to be careful that they don’t steal anything. But once you learn, it’s not rocket science, it’s common sense. You say ‘I found this file, I think it contains sensitive information, I’ve not copied it, I’ve not taken the file, but there it is and I know it’s there, I know the name of the file’ … and then the company will know you truly found a way in.”
Targeting political candidate websites
During the Def Con hacking conference immediately after Black Hat, a group of researchers reported the websites of nearly one-third of U.S. House candidates, both Democrats and Republicans, are vulnerable to attacks, according to a report by Reuters.
Jessica Ortega, security researcher at website security provider SiteLock, was at Def Con and has been following the research regarding hackers targeting political candidates’ websites. She tells us it comes down to a “larger, almost propaganda machine” and that candidate websites tend to be low-hanging fruit.
“They’re much easier to attack, they’re much more likely to be vulnerable than your average voting machine or voter registration database, and it’s easier to make a large impact,” she said. “For example, if you hack into a political candidate’s website, you can make very subtle changes, say changing one word on their platform from I’m pro-something to I’m anti-something, and you’ve now sown distrust, there’s misinformation out now and you may lose a whole demographic of voters based on that one simple platform change.”
Website attackers are looking to “create chaos” and attacking a number of websites is an easier, cheaper and more subtle way to achieve their goals, Ortega said.
“Luckily, when you talk about website security, most of the solutions that you need to have in place are basically five-minute setups, one-click installs,” she said. “It can be done immediately, and set up and running usually within a couple of hours at most. And what they want to look for in particular is firewalls that can block attacks and block bad traffic, and then malware scanners that scan not only malicious content, but also tainted content.”
The channel can play a role in helping candidate websites remain secure, Ortega said. Web-hosting providers and MSPs can act as educators, and partner with security firms to offer security suites for individual websites, she said.
“We hammer on the message over and over again that the web host, the channel guys aren’t responsible for individual website security, the individual website owners are, but there’s still a massive misconception with the majority of website owners thinking that their hosting provider is the end-all, be-all of security,” she said. “So I think this presents a unique opportunity for those teams to go out and educate people and let them know what their role in securing their websites really is and offering solutions for that.”
The biggest adversary in the website security space is doing nothing, Ortega said. It’s people who don’t realize that they’re responsible for their own website security and maintenance, and are not taking proactive steps to monitor for malicious activity, she said.
“If you’re a hosting provider, letting people know where your role ends and their role begins goes a long way toward fighting this type of cybercriminal activity,” she said.
Nation-states targeting IoT
During Black Hat, Armis surveyed more than 130 IT security professionals regarding their thoughts about the future of IoT security, and the results were unsettling to say the least.
Key takeaways from the survey include:
93 percent of respondents predict nation-states will target or exploit connected devices in the next year.
23 percent of respondents said the energy and utility industries are the most vulnerable to IoT attacks, followed by 17 percent citing health care and 15 percent citing financial services.
Gartner predicts that by 2020, more than 25 percent of identified attacks on enterprises will involve IoT. However, 59 percent of respondents said they believe that figure is too low.
Regarding methods for securing unmanaged devices in their workplace, 25 percent of respondents named network segmentation as their top protection approach (followed by network access control at 21 percent).
38 percent of respondents said vulnerabilities in the OS or applications are the biggest IoT device security problem (followed by 36 percent who named the inability to easily patch connected devices).
Yevgeny Dibrov, Armis’ CEO and co-founder, tells us he wasn’t surprised by the final results of the survey as IoT devices permeate businesses and are becoming ingrained in the workplace.
“The majority of these connected devices are insecure by nature,” he said. “You can’t put an agent on them, and firewalls and network access control (NAC) won’t protect against this new attack landscape. If Mirai (malware) and BlueBorne weren’t a wakeup call, the findings of the survey should do just that. The folks we spoke with at Black Hat believe nation-states will soon begin to harness IoT to find new ways into businesses.”
These are motivated and well-resourced adversaries finding the easiest route to companies’ most valuable information, Dibrov said.
“It is paramount that every business have unmanaged and IoT device security, which is why there’s a massive opportunity for the channel to bake IoT security into their offerings,” he said.
Black Hat provides opportunities for cybersecurity newcomers
This was King & Union’s first time at Black Hat. The company was started in April 2016 and its Avalon software platform allows cybersecurity analysts to optimize their efforts through workflow automation and real-time collaboration.
Brent Wrisley, King & Union’s co-founder, told us his company is testing the market, getting good feedback on its SaaS model “and validating our idea, so we’re super excited about that.”
“We’re still sort of in the early growth stage, but everybody in the company comes from an operational background, so the problems that we’re approaching and solving are the problems that we had when we actually did the work before we got into product,” he said.
As a small company, King & Union recognizes that the channel is going to be instrumental in getting out to market, Wrisley said.
“CenturyLink was our first reseller as a telecommunications provider, and we have a couple of partners that are in the government space so we’re going to use their schedules for selling into the government,” he said. “CenturyLink … has commercial customers so they’re going to help us start breaking into that market. Data providers, we already have those customers who can use our platform, so that’s our strategy right now. We’re opportunistic, if it makes sense and it plugs in nicely, let’s go do that and figure out how to partner.”
Black Hat was a networking opportunity for King & Union, Wrisley said.
“We know that there are several large firms that do sort of managed security services and we feel our platform works really well in that construct,” he said. “And that was one of the reasons we went to CenturyLink, because they do a very large managed security offering and it just made natural sense. They’re already selling a service and we don’t do that service, but we can enhance what they’re doing. So the managed security market is definitely a target.”