Those were three common themes that emerged during last week's Black Hat Europe conference in Amsterdam. Of course, the annual gathering also featured plenty of hardware hacking, details of new bugs in everything from SAP to Cisco VoIP systems, all-day technical training sessions, and loving tear-downs of Apple iOS and Google Android mobile operating systems.
But throughout many of the sessions these three themes--along with corresponding admonishments and warnings--were consistently voiced:
1. Forget Perfectionism. Cryptographer Whitfield Diffie, in his keynote speech opening the conference, highlighted a persistent challenge faced by information security practitioners: they get no credit for all of the attacks they successfully repel. "Even when defense has done its job well, it is blamed for doing anything other than doing it perfectly," he said. But who has the time--or money--for perfection? Instead, businesses must emphasize getting something in place that's good enough to do the job.
One case in point involves Bradley Manning, who allegedly leaked confidential government memos to WikiLeaks. "In one sense, very clearly, for the [Department of Defense] it is a security failure," he said. But what really happened? Foreign adversaries didn't break the Pentagon's high-grade cryptography, crypto equipment, or key management setup. Instead, the attack hinged on a single insider who already had access to the materials in question.
"A variety of people who designed the system should say, we did a pretty good job of that. We had an awful thing happen, but it's something that the opponents can't mass produce," Diffie said. In other words, almost any security can be defeated. But just how gracefully does it fail, and how difficult or expensive would it be for an attacker or attackers to successfully repeat the effort?
2. Keep Cloud Security In Perspective. Avoid the cloud? Hardly. As long as it offers lower costs and better ease of use than traditional on-premises systems, that's never going to happen. From a security standpoint, however, cloud architecture isn't always ideal, and thus it demands strong doses of security skepticism for anyone who's called on to secure business data that's stored there.
"What I find interesting is that Web security bugs are existing with companies that we're pretty sure know what they're doing," said Felix "FX" Lindner, head of Recurity Labs in Berlin, in an interview at Black Hat. "Even Google has issues doing that," he said.
In other words, it's tough to get security right in the cloud, not least because clouds aren't static. Developers keep pushing new code, as do business partners, plug-in providers, and everyone else who's tied into the cloud ecosystem. "The inherent problem with cloud is it's a moving target," he said. Furthermore, a single coding error anywhere in that code base might be exploited by an attacker to gain access to a cloud-based target.
That constantly evolving code base may also not be protected with extra layers of security. In fact, the opposite is most often true. "We worked on privilege separation in the operating systems for years and years--don't work as root, and stuff like that," said Lindner. "But the cloud does it, and sometimes there's just one account, or password." In such scenarios, attackers may need to compromise only one credential to gain the keys to a business's cloud kingdom.
Some cloud providers, however, are better than others. "Ridiculous as it might sound, I think Microsoft is doing it right with Live.com--'We're using the secure development lifecycle, and we don't do anything without SSL,'" said Lindner. "I don't understand why any Google functionality is available via HTTP; it's not like they don't have the computer power to do it all in HTTPS." Indeed, if the cloud remains hard to secure, why aren't cloud providers offering as much out-of-the-box security, by default, as possible?
3. Beware Free Lunches. Whether it pertains to cloud security, the challenge of hardening mobile devices, or the speed with which vendors patch, Black Hat presenters urged skepticism: trust nothing, verify as much as possible, and above all, get working security in place quickly.
For a profession that tends to reward paranoia, however, many conference attendees appeared to arrive without their skepticism intact. The well-known first rule of Black Hat, notably, is to never trust the conference's wireless network, since it's more than likely that someone will be sniffing your packets or attempting to own your mobile device. Accordingly, deactivate Bluetooth, and beware Wi-Fi--especially hotspots with names such as "LEGITFREEWIFI."
Otherwise, you may end up on the wireless router with that SSID, which happens to be owned by Steve Lord, a director at information security consultancy Mandalorian. Lord brought an extra router with him to Black Hat Europe, then used dsniff to log the credentials that flew across the router. "Weaponizing hotspots is fun," he said in his Black Hat Europe presentation.
Any "should have known better" free hotspot takers? He had more than a few, including one apparent conference attendee who used the hotspot to telnet into his Cisco router--username: "Cisco," password: "Cisco." "But I've no way of knowing if someone was just messing with me or they really logged on, as dsniff didn't log the full session, just what was sent," said Lord in an interview.
Thankfully, Lord also said he would name no names and had deleted all of the collected data, noting that it was lucky he wasn't running an "evil mobile coffee hotspot."
Of course, it was alarming to see information security professionals fall for what should have been an obvious trick. The moral: "If something at a security conference looks too good to be true ... don't connect to it," Lord said. Those are words to live by--and not just at security conferences.