The Lockdown

Thycotic’s Cyber Security Publication

The Black Hat 2019 Hacker Survey Report and Black Hat / Defcon 27 Recap

Written by Joseph Carson

September 5th, 2019

Brought to you by Thycotic

Black Hat 2019 Conference Las Vegas

Well folks, the Black Hat 2019 conference has come and gone. Around 19,000 information security professionals from around the world came to Las Vegas to learn, share, educate and disclose security research on the latest vulnerabilities, cyber threats, cyber attacks and techniques used to bypass popular cyber security defenses, the same defenses most governments and organizations rely on today.

Among them were many vendors who had come to contribute solutions to help reduce the risks.

The central theme of Black Hat 2019 was communication

In his opening remarks, Jeff Moss, also known as The Dark Tangent, described the challenges security professionals face today. He emphasized that communication can make the difference between achieving your security goals and budget, or getting fired. He also covered the rule of law and explained some major trends, such as decentralization.

Black Hat 2019 Conference

The Keynote from Dino Dai Zovi

In delivering the main keynote, “Every security team is now a software team,” Dino Dai Zovi, head of security at Square, recognized the value of fear in managing cyber security. First you must fear the impact of the threat, he argued, then understand and assess the risks, and ultimately reduce those risks by mitigating them where possible. The best way to overcome fear is to understand the nature of cyber security risks and find automated solutions to help manage them. That way, security teams can scale and become more efficient at dealing with threats.

This keynote got me thinking. I thought it was excellent, though I believe the message should have been inverted: every software team is now a security team. We need to build and develop more secure code and adhere to best practices. But after an online discussion with Dino we agreed that it actually goes beyond that, because in today’s world cyber security is everyone’s responsibility. Within a business, that means cyber security must become part of the organization’s culture.

Dino Dai Zovi

Annual Black Hat Survey compares hacker and security professional opinions

Thycotic conducts a survey every year at Black Hat to gauge what’s on hackers’ minds, especially regarding privileged credential targeting and attack techniques. This year we gave the survey a twist by dividing respondents into hackers and security professionals and then comparing their answers to similar questions.

Both groups strongly agree on why service accounts are prime targets and how best to defend them, yet we found that more than 30% of organizations still rotate service account passwords only after an incident, or never. You can get the details by downloading the free Black Hat 2019 Hacker Survey Report.
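The survey finding above is only useful if you can tell which of your own service accounts fall into the "after an incident, or never" bucket. The following script is an added example, not Thycotic's code or part of the survey; it audits an Active Directory export for service accounts whose passwords are stale, never set, or flagged to never expire. The input is a constructed CSV in the shape of a Get-ADUser export (pwdLastSet as a Windows FILETIME, 100 ns ticks since 1601-01-01 UTC), and the 90-day policy, the frozen reference date and the account names are all assumptions for illustration.

```python
"""Flag service accounts whose passwords are outside rotation policy.

Added example for this post, not Thycotic's or the survey's code. It reads a
constructed CSV in the shape of an Active Directory export (for instance from
Get-ADUser -Filter ... -Properties pwdLastSet,PasswordNeverExpires | Export-Csv):
pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC; 0 means
the password was never set or is flagged "must change"). The 90-day policy,
the reference date and the account names are assumptions for illustration.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed rotation policy

# Frozen "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2019, 9, 5, tzinfo=timezone.utc)

# Constructed sample export (values chosen for illustration only):
#   svc_backup   last set 400 days before NOW, PasswordNeverExpires set
#   svc_sql      last set 30 days before NOW (within policy)
#   svc_legacy   pwdLastSet 0 (never set)
#   svc_monitor  last set 120 days before NOW
SAMPLE_EXPORT = """sAMAccountName,pwdLastSet,PasswordNeverExpires
svc_backup,131775552000000000,True
svc_sql,132095232000000000,False
svc_legacy,0,True
svc_monitor,132017472000000000,False
"""


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def audit_service_accounts(export_csv: str, now: datetime,
                           max_age: timedelta = MAX_PASSWORD_AGE) -> list[dict]:
    """Return one finding per account whose password is stale or never set.

    A finding also notes when PasswordNeverExpires is set, because AD will
    then never force rotation itself and the only fix is operational.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["sAMAccountName"]
        pwd_last_set = int(row["pwdLastSet"])
        never_expires = row["PasswordNeverExpires"].strip().lower() == "true"

        if pwd_last_set == 0:
            # AD stores 0 when the password has never been set or an admin
            # forced "must change at next logon"; either way it was not rotated.
            findings.append({"account": name, "age_days": None,
                             "reason": "password never set in AD"})
            continue

        age = now - filetime_to_datetime(pwd_last_set)
        if age > max_age:
            reason = f"password {age.days} days old, exceeds {max_age.days}-day policy"
            if never_expires:
                reason += "; PasswordNeverExpires is set, so AD will never force rotation"
            findings.append({"account": name, "age_days": age.days, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_service_accounts(SAMPLE_EXPORT, NOW):
        print(f"{finding['account']}: {finding['reason']}")
```

Run against a real export, the accounts it lists are the ones a privileged-access programme should put under automated rotation first; an account that is both over policy and set to never expire will stay stale until someone changes it by hand.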

Black Hat Sessions and Interviews

I also usually take part in several media interviews, with fun panel conversations and deep discussions on cyber threats and upcoming trends. Some of my favorite interviews are featured below. I hope you have a few minutes to catch up on them.

The BrightTALK Panel on The Future of Privacy and Security featured an awesome team that included:

Debra Farber, Independent Privacy & Security Advisor
Nathan Wenzler, Director, Cybersecurity
James Chappell, Co-Founder & Chief Innovation Officer, Digital Shadows

Please be sure to watch the panel discussion, as it covers important topics such as the EU GDPR and CCPA, what privacy really means, and the importance of data security.

Here’s another interview I always enjoy, as it is a direct, lively discussion. If you’re not already following Security Guy TV, you should start now. Watch the video below and you’ll also get the latest updates on Thycotic’s solutions along with some cyber threat trends.

The Key Takeaways

Echoing Jeff Moss’s opening remarks to Black Hat attendees, cyber security is all about communication, and that means going beyond successfully communicating with the executive board. Security pros need to become better communicators, but also engaged listeners. Although security professionals and hackers use different methods and techniques, they are ultimately trying to solve the same problem, albeit from different perspectives.

Just as security professionals must balance security with employee productivity, they must also find common ground and open communication channels with hackers. The media has often portrayed hackers negatively; however, their actions and insights may ultimately contribute significantly to reducing the risk of cyber attacks.

Basic rules of thumb for cyber security pros going forward:

  1. Think business value first
  2. Drive a positive security experience
  3. Make security an integral part of your corporate culture
  4. Be a sincere listener
  5. Work together with hackers to understand threats and risks

The Lessons Learned

A valuable lesson learned from attending the Black Hat Conference over many years is that you must not turn up to Black Hat without a strategy. This was the 22nd year of Black Hat, and it was bigger than ever. Cyber attacks were at the top of everyone’s list of concerns, governments and organizations included, and all eyes were on the cyber security solutions trending at Black Hat this year. But with so much outstanding information available, if you didn’t prioritize your sessions beforehand, you may have missed the messages that would have benefited you most.

If you sign up for our blog—The Lockdown—you’ll receive my recommended sessions for Black Hat 2020 before the event.

DefCon 27

Right after Black Hat, you should attend DefCon to learn more about what is really happening in the field.

Logo - Def Con 27

Of course, DefCon 27 brought its usual entertainment. The highlight at DefCon centered on how easy it is to hack into election voting machines. One of my favorites was the new Aviation Village, which demonstrated how to hack into fighter jets, and a lucky few got to enjoy the flight simulator.

Def Con 27 Aviation Village

The DefCon 27 sessions this year were truly amazing. These stood out to me:

Hacking Congress: The Enemy Of My Enemy Is My Friend

Jane Harman, President, The Wilson Center, former Rep. (D-CA), aka Surfer Jane

Rep. James Langevin (D-RI)

Jen Ellis, Vice President of Community and Public Affairs, Rapid7

Cris Thomas, Director, X-Force Red Team, IBM, aka Space Rogue

Rep. Ted Lieu, (D-CA)

This was a thought-provoking session on hacking Congress from the perspective of Congress. I really enjoyed listening to the different opinions, but my key takeaway was that Congress is not set up to be proactive when cyber attacks strike, and it has yet to ensure that those who respond have exactly what they need.

Change the World, cDc Style: Cow tips from the first 35 years

Joseph Menn, Author, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World (PublicAffairs, June 2019)

Peiter “Mudge” Zatko

Chris “Dildog” Rioux

Deth Veggie

Omega

Def Con 27

This was my favorite session. I got the opportunity to listen to true internet hacking legends. It was a journey through the years, bringing back so many memories. If you have not yet read Cult of the Dead Cow, put it on this year’s reading list.

Cult of the Dead Cow - Joseph Menn

Finally, no Black Hat or DefCon would be the same without catching up with awesome people. It was a pleasure to join Troy Hunt and Scott Helme for a quick chat.

Hopefully next year I’ll see you there too!

Meeting up with other cyber security professionals is always a high point

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.