Black Hat 2018 – What cybersecurity pros really think (and it is not good)

Black Hat 2018 is over. Its post-conference survey of the world’s leading cybersecurity experts is telling.

You can read the 30-page report here. GadgetGuy has extracted the ‘best bits’ below.

It’s no longer a battle of the good geeks and bad geeks

In the good old days (read, until recently) tech-savvy, ethical professionals developed new ways of defending critical data, and tech-savvy cybercriminals found new ways to break those defences.

It has become a battle to protect the integrity of the internet.

How can humans safely communicate electronically and still maintain their privacy? Is it possible to conduct a democratic election without interference from hackers or rival countries? How can businesses safely and universally exchange money or data? These are just a few of the challenges that today’s IT security leaders are confronting.

Black Hat 2018The Black Hat 2018 attendee Survey – key outcomes

Following recent news of Facebook’s misuse of data

  • 55% of security professionals are advising internal users and customers to rethink the data they are sharing on Facebook
  • 65% are limiting their use of Facebook or avoiding it entirely due to security concerns.
  • 44% will keep the account but strictly limit usage
  • 25% will continue to use it with appropriate privacy settings
  • 7% are deleting their account
  • 10% have not used it

Following the deadline for the European Union’s new privacy regulation (GDPR, the General Data Protection Regulation)

  • 30% say they don’t know if their organisations are in compliance, or they haven’t started GDPR initiatives and are concerned
  • 25% have spent some funds on compliance and didn’t believe they are at risk
  • 19% believe they are not in compliance
  • 26% have not started or don’t know if they comply

Most IT security pros believe

  • 52% Russian cyber initiatives made a substantial impact on the 2016 U.S. elections
  • 71% Cyber activity from Russia, China, and North Korea is making U.S. data less secure
  • 69% A successful cyberattack on U.S critical infrastructure will occur in the next two years;
  • 15% Government and private industry are prepared to respond.
  • 13% Congress and the White House understand the cyber threat; only 16% approve of President Trump’s performance so far.

Security of their own organisation

  • 59% believe they will have to respond to a major security breach in their own organisation in the coming year
  • Most do not believe they have the staffing, skills or budget to defend adequately against current and emerging threats.

Prime attack vectors

  • 47% fear a sophisticated attack targeted directly at their organisation (intimate knowledge)
  • 40% via Phishing, social network exploits, or other forms of social engineering
  • 22% via accidental data leaks by end users who fail to follow security policy
  • 22% via compromise of cloud services providers that my organisation relies on
  • 16% via attacks or exploits on cloud services, applications, or storage systems used by my organisation
  • 16% via Data theft or sabotage by malicious insiders in the organisation

There are dozens more attack vectors including new cryptocurrency issues

End users remain the biggest issue

  • 38% worry about end users who violate security policy and are too easily fooled by social engineering attack
  • 18% say there is a lack of comprehensive security architecture and planning that goes beyond “­fire-fi­ghting”

Many other issues related to BYOD and mobile devices.

But the ‘biggie’ is the source of attacks

  • 40% believe the attacker will have intimate knowledge of the organisation (how did they get it?)
  • 17% believe cybercriminals have strong backing from organised crime or nation states
  • 17% commented on the increased sophistication of attacks (bad guys have better tools)
  • 14% fear zero-day vulnerabilities as they can’t test and patch fast enough

Cybersecurity is no longer a geeks game

  • Over half were Information security department managers, directors or staff
  • 31% earned $99,999 or less
  • 39% earned $100,000 to $149,999
  • 19% earned $150,000 to $199,999
  • 11% earned over $200,000 – some a lot more

GadgetGuy’s take – cybersecurity is for pros. Thank goodness for Black Hat 2018

I came into the world of computing in 1979. One of the first ‘virus’ was a practical joke to make an IBM PC make a gurgling-water-down-the-plughole sound.

Over the years we saw more virus emerge. And pioneers like Peter Norton and John McAfee gave their name to what would become large cybersecurity companies. At worst we had to worry about an infected floppy disk infecting PCs via sneaker-net.

Fast forward to the 90s when the internet began to take hold, and email nearly put Australia Post out of business.

Now cybercrime is a US$1.5 trillion, and that is conservative. Dr Michael McGuire has completed a landmark study of cybercrime business (a compelling read) and estimates

Crime Annual Revenues
Illegal online markets $860 Billion
Trade secret, IP theft $500 Billion
Data Trading $160 Billion
Crime-ware/Crime as a Service $1.6 Billion
Ransomware $1 Billion
Total Cybercrime Revenues $1.5 Trillion

 

Black Hat 2018, Black Hat 2018, Black Hat 2018