Black Hat 2018 is over. Its post-conference survey of the world’s leading cybersecurity experts is telling.
You can read the 30-page report here. GadgetGuy has extracted the ‘best bits’ below.
It’s no longer a battle of the good geeks and bad geeks
In the good old days (read, until recently) tech-savvy, ethical professionals developed new ways of defending critical data, and tech-savvy cybercriminals found new ways to break those defences.
It has become a battle to protect the integrity of the internet.
How can humans safely communicate electronically and still maintain their privacy? Is it possible to conduct a democratic election without interference from hackers or rival countries? How can businesses safely and universally exchange money or data? These are just a few of the challenges that today’s IT security leaders are confronting.
The Black Hat 2018 attendee survey – key outcomes
Following recent news of the misuse of Facebook user data
55% of security professionals are advising internal users and customers to rethink the data they share on Facebook
65% are limiting their own use of Facebook or avoiding it entirely because of security concerns. Breaking that down:
44% will keep the account but strictly limit usage
25% will continue to use it with appropriate privacy settings
7% are deleting their account
10% have not used it
Following the compliance deadline for the European Union’s new privacy regulation (GDPR, the General Data Protection Regulation)
30% say they don’t know whether their organisation is in compliance, or that it hasn’t started GDPR initiatives, and they are concerned about it
25% have spent some funds on compliance and don’t believe they are at risk
19% believe they are not in compliance
26% have not started GDPR work or don’t know whether they comply
What IT security pros believe
52% believe Russian cyber initiatives made a substantial impact on the 2016 U.S. elections
71% believe cyber activity from Russia, China and North Korea is making U.S. data less secure
69% believe a successful cyberattack on U.S. critical infrastructure will occur in the next two years
Only 15% believe government and private industry are prepared to respond
Only 13% believe Congress and the White House understand the cyber threat, and only 16% approve of President Trump’s performance on it so far
Security of their own organisation
59% believe they will have to respond to a major security breach in their own organisation in the coming year
Most do not believe they have the staffing, skills or budget to defend adequately against current and emerging threats.
Prime attack vectors (what respondents are most concerned about)
47% fear a sophisticated attack targeted directly at their organisation by an attacker with intimate knowledge of it
40% fear phishing, social network exploits or other forms of social engineering
22% fear accidental data leaks by end users who fail to follow security policy
22% fear compromise of a cloud services provider their organisation relies on
16% fear attacks or exploits on cloud services, applications or storage systems their organisation uses
16% fear data theft or sabotage by malicious insiders in the organisation
There are dozens more, including newer cryptocurrency-related issues.
End users remain the biggest issue
38% worry about end users who violate security policy and are too easily fooled by social engineering attacks
18% say there is a lack of comprehensive security architecture and planning that goes beyond “fire-fighting”
Many of the other issues cited relate to BYOD and mobile devices.
But the ‘biggie’ is who is behind the attacks, and why they succeed
40% believe the attacker will have intimate knowledge of the organisation (how did they get it?)
17% believe cybercriminals have strong backing from organised crime or nation states
17% commented on the increased sophistication of attacks (the bad guys have better tools)
14% fear zero-day vulnerabilities, because once one is disclosed they cannot test and deploy patches fast enough
Cybersecurity is no longer a geeks’ game
Over half of respondents were information security department managers, directors or staff
31% earned $99,999 or less
39% earned $100,000 to $149,999
19% earned $150,000 to $199,999
11% earned over $200,000 (some a lot more)
GadgetGuy’s take – cybersecurity is for pros. Thank goodness for Black Hat 2018
I came into the world of computing in 1979. One of the first ‘viruses’ was a practical joke that made an IBM PC produce a gurgling-water-down-the-plughole sound.
Over the years we saw more viruses emerge, and pioneers like Peter Norton and John McAfee gave their names to what would become large cybersecurity companies. At worst we had to worry about an infected floppy disk infecting PCs via sneakernet.
Fast forward to the 90s when the internet began to take hold, and email nearly put Australia Post out of business.