Cybersecurity Pros: Fresh Challenges Face 'Next Generation'

“Are we in the business of solving security, or are we just here for the ride?”
So asked veteran security researcher Daniel Cuthbert in a keynote speech at Black Hat Europe 2022 in London on Wednesday.
Questions about whether the cybersecurity profession will be the collective master of its own destiny, and how this should be achieved, have been major themes dominating the Black Hat Europe 2022 conference.
In her Thursday keynote speech “Cybersecurity: The Next Generation,” cybersecurity veteran Jen Ellis said either the profession gets ahead of Cuthbert’s question on its own or outside actors will force the question. That’s because the explosion in mobility and internet of things devices has exposed users to new types of harm that are not just virtual but physical.
“This changes the stakes and changes how we think about the impacts of cyber risk. In fact, it’s so important that governments have responded,” said Ellis, who regularly advises governments through her various roles, including as a co-chair of the Ransomware Task Force and adviser to the CyberPeace Institute and Global Cyber Alliance, among others.
The U.K. government’s Department for Culture, Media and Sport in 2018 published a code of practice for IoT that contains 13 basic secure by design principles it urged manufacturers to adopt. Lawmakers have been considering making them a legal requirement.
DCMS has also been exploring whether certifications for cybersecurity professionals should become mandatory. For now, the U.K. government has not opted to make certification a requirement. Keeping it that way will require engagement from the audience and other cybersecurity practitioners, Ellis said, adding that it’s in their best interests to help the government get things right.
Can the industry collectively guide its own future? “We’re an industry based on pointing out problems. We are professionally cynical. We have to be; there’s nothing wrong with that. It’s actually a great quality,” Ellis said. “What we’re not so good at though is working together to find solutions and to find alignment. … What that means in the context of this conversation is that if people decide that we should have mandatory certification, it will be handed to us rather than us having developed it for ourselves.”
To put that another way: As the societal risk posed by cybersecurity increases, don’t expect old approaches, solutions or attitudes to continue to apply – in part because everything continues to change so quickly, and many more stakeholders are now involved.
Echoing opening conference remarks Wednesday from Jeff Moss, the founder of Black Hat and Def Con, Ellis identified the never-ending increase in complexity as a significant challenge to better security (see: As Complexity Challenges Security, Is Time the Solution?).
Hacking group L0pht testified before Congress in 1998 that it could take down the internet in 30 minutes or less. Twenty years later, the group testified again, minus the 30-minute claim. “But they did say that a lot of the same issues they had talked about 20 years earlier were still present,” she said. “They talked about how the complexity is only increasing … the attack surface is increasing. So the fact that we’re still seeing the same issues is a real problem.”
In the meantime, it’s up to the next generation to begin taking over from the likes of L0pht. “They’re now in a position where they actually are business leaders,” Ellis said. “Some of them work in the government. Some of them are retiring with the hard-earned money that they have earned through a career in security.”
Ellis said she wasn’t necessarily urging attendees to add to their existing workloads by joining advisory boards to help the government design better guidelines or regulations, which can sometimes drive needed change. But she said one essential step for cybersecurity professionals today is to help consumers – including their own business – understand that they can effect change, for example, by demanding things such as a software bill of materials, or SBOM, which details what components are in a software or hardware product.
“The whole point of SBOM is to say to large-scale buyers, big companies: You have buying authority. You can demand better from your vendors. The manufacturers you work with should not be exposing you to risk intentionally,” Ellis said. Of course, vulnerabilities will creep into software development; it’s a complex process. But when vendors choose to not proactively deal with this problem, “that’s not OK,” she said, and that is when the consumers of such technology need to push back and say: “No, it’s not acceptable. It’s not good enough.”
Holding vendors to account doesn’t just involve SBOMs, but also demanding that vendors do more to make their products more secure, by modeling threats, understanding their own supply chains and pushing SaaS versions of their software, said Cuthbert, who’s a veteran bug hunter and member of the U.K. government’s new cyber advisory board.
The industry arguably has a long way to go, thanks in part to a pervading, engineering-driven mindset that too often seeks new tools to fix the old tools. Cuthbert recalled from early in his career the introduction of firewalls to protect online services. But needing port 80 to be kept open made it easy for attackers to bypass firewalls, which led to the introduction of web application firewalls, only for them too to be “bypassed at an alarming rate” by researchers as well as criminals, he said.
“That was a big part of how a lot of security tools around you grew up – knee-jerk reactions to the fact that a product that you wanted to rely on was not built securely, so we had to then go get another product … and hope to God that that product did the job. And then the offensive community came out and tore apart that product,” Cuthbert said. “Here we are in 2022, and that problem still exists today.”
Even problems that in theory should be easy to stop, such as phishing attacks, remain pervasive. “For me, phishing is a systematic problem of where we are as an industry, in that you should be able to click on something and not have it push a reverse shell out to somebody else,” he said, adding that more training isn’t the solution that is required.
What doesn’t help, he added, are manufacturers failing to take responsibility for doing more – such as Microsoft failing to block macros in Office by default until just earlier this year, despite it being a top attack vector.
At a code level, Cuthbert recommends a rigorous focus not just on eliminating bugs but on reducing the size of a code base – which will leave room for fewer bugs – as well as eliminating any code that isn’t trusted. The theory of how to do this is well known. Now, he said, the challenge remains adoption.
Executive Editor, DataBreachToday & Europe, ISMG
Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.