Black Hat: Security Needs a Change

Wednesday, July 26, 2017 @ 05:07 PM gHale

By Gregory Hale
Security is doing a fine job of maintaining and keeping organizations up and running against a constant threat of attack, but like all jobs, companies and industries, it is time to change.

“In the security world, we still focus on the sexy areas,” said Alex Stamos, chief security officer at Facebook during his keynote address Wednesday at Black Hat USA 2017 in Las Vegas, NV. “There is very little time spent on how to handle the main types of attacks that go on more frequently.”


He pointed out three areas the industry needs to address:
• We focus on complexity, not harm
• Our field punishes imperfect solutions in an imperfect world
• We don’t engage the world effectively

In terms of focusing on complexity, Stamos said while Zero Day issues are important there needs to be more conversations about standard security issues.

“The vast use of human harm is around the area of abuse, but they are not using the technology incorrectly.” They are just using it for nefarious purposes, ranging from smaller things like spam all the way up to harming children and adults.

To his second point, which also plays into his third point, the industry can be very brutal with solutions that fail.

“Our field punishes imperfect solutions in an imperfect environment,” he said.

Think about it for a moment, how can a solution ever be perfect? It is all about being smart and having the right tools and people in place, but as everyone knows if a hacker or a team of hackers want to get in, they will get in.

By punishing those that create an imperfect solution, “this allows us to shift the responsibility on to other people. We have to put ourselves in the shoes of others.”

Without that empathy, Stamos said it is very easy to fall into what he calls security nihilism, which is where people think most threats are from advanced hackers and nation-state adversaries and nothing is safe.

That thought process leads to the third point Stamos was trying to make, which is that the security industry is not effective at engaging the world.

‘Engage the World’
“We are no more smarter than the people whose systems we break. We are good at what we do, but that does not mean we denigrate those that we have issues with. We don’t bug smash those people.”

That means those working in the security world need to open up to other sectors of the business and develop an understanding and acceptance of where people are coming from.

“Just because people don’t agree with me, that doesn’t mean they are stupid or evil,” he said. “It is hard for us to have empathy to those that don’t agree with you. The security community needs more diverse people, backgrounds and thought to live up to our potential.”

All that being said, it is easy to be negative and think things are not going well, with attacks growing, sophistication levels increasing, and a lack of qualified security workers, to name a few. The reality is, though, that positive wins out.

That is where, he said, defense and diversity can come to the rescue.

A strong defense makes a solid offense possible, Stamos said. Each one feeds into the other.

“We need to broaden what we consider our issues,” he said. The industry can’t stop and say it is not my job; instead, it has to be willing to tackle bigger issues and step out of comfort zones.

“There needs to be a diversity of people and backgrounds and thoughts,” he said. “It is much easier to do that as a team and we lack that in our industry.”

That means there need to be people from different backgrounds who can help solve problems and issues, because looking at things from a different perspective can help — and those people don’t have to be technical.

“Things are not getting better, they are getting worse,” he said. “We have the world’s attention so what are we going to do with it?”
