Hooyah! The Challenge of BYOD Policy Enforcement in the Navy and In Your Organization

I have been off the boat (former submariner) for a few years now, but every now and again I find myself browsing the U.S. Navy’s public website to see who got promoted and to check out the new policies heading to the fleet. Last week, I saw a NAVADMIN (a formal Navy Administration Memo, for those not in the service) with the subject USE OF UNCLASSIFIED NAVY AND MARINE CORPS INTRANET LAPTOPS WITH EMBEDDED WIRELESS (NAVADMIN 290/15). The message goes on to present a new formal policy for a problem facing many organizations – protecting critical data and systems from the ever-growing swarms of wireless devices.

With a tradition of tech heroes like Grace Hopper and Hyman Rickover, the U.S. Navy has a proud history of being an innovator and early adopter of technology (Hooyah!). From the early days of software, through nuclear propulsion reactors and advanced weapons systems and satellites, the Navy has tackled the most challenging of technical problems. This history makes it particularly interesting to see how such a large and structured organization is tackling the proliferation of web-enabled devices.

In short, the policy states that devices issued for use on UNCLASSIFIED systems, when used in areas with sensitive networks and operations, must have the WiFi turned off by the operator. The onus is on the device owner to remember that they must disable wireless capabilities prior to entering these areas (of which the Navy has many), and re-enable when they are in an appropriate area.

But here’s the thing: relying on humans to remember to turn off WiFi will be challenging. It’s a significant challenge even when you have well-trained and loyal sailors legally bound to follow your orders. So the question must be asked: how do you enforce this type of policy? The memo goes on to tease some additional measures for “detection/jamming” on the horizon so that the policy can be properly enforced, though specifics aren’t offered at this time.

Sound familiar? It should, because this is not just a problem for the military. Every organization has sensitive data and critical infrastructure that needs to be protected – and your “sailors” are not legally bound to follow orders. You might even have something similar in your enterprise, where you have a BYOD or IoT policy that states WiFi should be disabled, or that certain devices are not allowed onto the WiFi network. Two stats are telling: while 74% of organizations permit or plan to permit BYOD, 30% of those with a BYOD policy in place have no way to enforce it or simply rely on the honor system.
Now, ask yourself: how will your organization develop and enforce policies to mitigate risk and protect your important assets in 2016? Let us know below.

Pwn Pulse Now Available In Europe: EU Workplaces Gain Full Visibility Into the Connected Devices Posing Threats To Their Networks For the First Time

With the rise in connected devices around the world, organizations globally need to better understand the threat of connected devices in and around their workplaces. In fact, according to the ISACA European 2015 IT Risk/Reward Barometer, 70 percent of European business and IT professionals consider it a medium to high likelihood that a company will be hacked through an internet-connected device. As bring your own device (BYOD) and Internet of Things (IoT) devices continue to proliferate in workplaces across the EU, 51 percent believe their IT department is not aware of all of the connected devices within the organization, and one in three do not have a policy in place to address BYOD at all – let alone discover and analyze the multitude of devices in and around their networks. These devices can be inherently malicious or can be used as gateways into the networks of these organizations, including critical networks used by utilities, financial institutions, government organizations, and others.

Our Pwn Pulse SaaS platform continues to gain recognition for its unique ability to detect and fingerprint rogue, misconfigured, and unauthorized devices on and around workplace networks – driving increased global demand. Today, we are proud to announce the availability of our device detection platform in Europe, to help EU organizations protect their critical business infrastructure while preserving data privacy. With Pulse, European organizations can now detect all of the things – from phones and printers to malicious access points – across wired and wireless spectrums. This gives security teams full visibility of all devices, and enables real-time analysis and auditing of each device to determine which are rogue, misconfigured, or unauthorized. This helps them to prioritize security response, reduce alert fatigue, and provide situational intelligence to implement real-time remediation.

As part of this new offering, and as a committed, trusted security partner, we have deployed an on-continent instance of Pwn Pulse to meet newly heightened customer data policies as dictated by the EU. 


You can read full details of today’s announcement HERE.

Are you a European company interested in learning more about Pwn Pulse? Contact us at sales@pwnieexpress.com

Our 2016 Security Predictions…Because You Have to Write One of These!

As the year draws to a close, it’s time to face the facts: You are being deluged with 2016 predictions while you scroll through your news feed on your mobile device. And right here, right in the palm of your hands…that’s our very first prediction. Your security team has a device visibility problem.

Whether it is called BYOD, BYOx, IoT, or some other acronym, the fact is every workplace of every size needs to see the phones, laptops, access points, printers, and more in and around their network. 2015 was the year this hit home, and now, as Hello Kitty gets hacked, we can see that we are susceptible via any connected device. But it’s not just childhood playthings. Now, if we all agree this is a major trend, and you’re done reading all the other 2016 predictions, let’s look at specific device security trends (ahem, predictions) you’ll see come true in 2016.

So, as we continue to work hard to close out the year with a bang, we took some time to sit down together at Pwnie headquarters to sip some eggnog and discuss our predictions for the year ahead. Here are a few we came up with:


2016 will truly be the “year of mobile” – because a company will be breached via an approved mobile device, but not in the way you’d expect.

To date, no one has publicly acknowledged that a misconfigured device led to a crippling breach – or worse, the demise of an enterprise. But in 2016, this will change: we’ll learn (and see proof) of the first major, publicly disclosed breach linked to a connected device. And as these device threats take the spotlight, organizations will increasingly seek out ways to achieve better visibility of the devices in and around their networks – for without this critical situational awareness, they cannot hope to effectively enforce even existing BYOD policies.


2016 is the year physical and cybersecurity truly intersects

Not long ago, a group of researchers demonstrated how to use a drone to intercept wireless printer transmissions from outside an office building, among other nefarious uses for drones. These use cases, as well as the integrated data we can now see via personal devices, are increasingly common and highlight the close link between physical and cyber security. In 2016, we’ll see more reports of seemingly innocuous, connected devices – like drones, health monitors, printers or even vacuum cleaners – being used to penetrate the network of an enterprise, each brought past physical security quite easily.


The perimeter is dead. Now it will be time to start acting like it.

While historically the defense industry has focused on building walls and “digging moats” to keep attackers out, the billions of devices in and around an organization act as countless new points of entry – ways for attackers to parachute in, often undetected. The perimeter is dead (and has been for some time). Companies will begin to shift the lion’s share of their time and resources away from fortifying their defenses and instead start placing more emphasis on effectively detecting and responding to current threats and even in-progress attacks. Many of these involve devices lurking in and around the workplace and also the “human factor” – internal employees wreaking havoc, often unintentionally, but sometimes maliciously.


The insider threat is real. In 2016 we get real about it.

While the industry has been aware of insider threats for a long time, we are just starting to fully grasp the notion that knowing is half the battle. As more agile detection and remediation technologies are introduced, companies are realizing just how large of a threat insiders pose, and that attacks from within often create the most damage. A recent SANS Institute study showed that almost three-quarters (74%) of IT security professionals are most concerned about negligent or malicious employees who might be insider threats. The FBI and Department of Homeland Security agree that insider threats have increased and that such threats pose a serious risk. The biggest inhibitor of progress on this front has been cost – if the price tag is too high, CIOs tend to find it cheaper to simply ignore the threat. Yet they cannot continue to bury their heads in the sand when it comes to insider threats. The stakes are too high, and in 2016 we’ll see companies begin to take this far more seriously and stories will focus around people losing their jobs and perhaps even being charged with corporate espionage.


Taking digital forensics to the next level in 2016.

Device intelligence will be utilized in new and innovative ways to aid local law enforcement in catching known criminals – a capability once reserved for top intelligence officials and the FBI. Additionally, advancements in device detection, fingerprinting and intelligence gathering will help organizations and government agencies assess hard-to-secure locations and people, such as SWAT or delivery vehicles, bases of military operations, and high risk targets such as politicians, celebrities or executives.


The in-security of political campaigns will become clear.

As the 2016 presidential primary season heats up, the field narrows and the stakes for each remaining campaign grow higher. A candidate’s most valuable assets – data and voter information, along with policy and political secrets – are now prime targets for cyber theft, fraud and even political hacktivism. Yet according to the Online Trust Alliance (OTA), most presidential campaign sites have received failing grades on privacy, security and consumer protections. We expect to see more reports of frequent and increasingly sophisticated targeted attacks on these largely insecure campaigns. Politicians and their campaign leads need to wake up and realize they simply cannot afford NOT to have cyber security at the top of their priority list. Read all about how campaigns can secure themselves in our blog post on the subject.

What do you think 2016 will bring? If you have thoughts on device security please also consider taking our 5-minute annual survey. For your five minute effort you’ll get the report AND be entered into a chance to win a 12-month subscription to Pwn Pulse and a Pwn Plug R3.

5 Ways Campaigns Can Secure Themselves

As a former government major, the first question I get asked is usually some variation of “who’s going to win in 2016?!” The second question: “How’d you end up in cybersecurity? What does cybersecurity even have to do with government?”

The answer, increasingly, is “everything.” After the recent data breach kerfuffle between the Sanders and Clinton campaigns, the connection has become clearer. It’s not just about policy now – it’s about practice. A candidate’s most valuable assets – data and voter information, along with policy and political secrets – are now prime targets for cyber theft, fraud, and even political hacktivism. A recent study by Wakefield Research that examined American perceptions of the threat of political hacking showed that 64% of registered US voters believe it is likely that a 2016 presidential campaign will be hacked.

Calling the breach a “software glitch” or “data issue,” the media sought to make it a story of political intrigue and election drama. They’re not wrong: in today’s world, losing access to data, or data in the wrong hands, could spell defeat. But when “a vulnerability in the software was exploited,” it sounds a lot more like a data breach. While the fault for this particular breach lies with the company that the Democratic National Committee had hired for its database, campaigns have access to all kinds of sensitive information and face many potential threats.

So how well are campaigns protecting themselves? According to the Online Trust Alliance (OTA), the answer is….not well. The organization recently reported that 17 of 23 presidential campaign sites received failing grades on privacy, security, and consumer protections. While websites are just the “posters on the wall,” campaigns whose websites can be easily defaced, used to mislead potential supporters, or used as a pivot into the organization are most likely not paying much attention to data security. And with the level of personal data now collected by these campaigns – from contact and financial information to personal views on abortion, gun reform and other sensitive topics – securing data is more important than ever.

But here at Pwnie, we don’t just point out the problem: we want to give you solutions, like Kyle’s post on passphrases NOT passwords earlier this week. Yes, it’s difficult, if not impossible, to fully secure yourself, but a few simple steps will go a long way. Consider this a holiday gift for the campaigns themselves.


5 Ways the Presidential Campaigns Can Secure Themselves

1. Admin Rights and Rules.

Who has access to your data? To your computers? For that matter, to your candidate? A quick audit of the administrator privileges for all of your services (data, website, social media, etc.) every couple of weeks shouldn’t take more than an hour and will help to reveal superfluous users and unnecessary access to potentially sensitive data.

If possible, whittle it down to the minimum number of people. I know that access is necessary for speed and flexibility, but a little creative thinking can go a long way. Have a higher-up who wants to post directly to social media? Great – but does she need the creds to every platform, or is she only ever going to post to Twitter? A newsletter that is written by two people but needs to be reviewed by twenty? Post an editable version somewhere outside of the email service and copy it over to where it needs to be. It’s all about risk management and reduction (you’ll never get rid of risk entirely), but make sure you know what risk you’re accepting.

2. Train personnel on how to avoid becoming a conduit for attack.

This is a major undertaking that many very secure organizations haven’t been able to accomplish, and I can only give you a limited list in a summary post like this one. Luckily, you (campaigns) already have one major advantage: your personnel actually care. They wouldn’t be there working for you if they didn’t care about the campaign, so it’s vital that you remind them that they, personally, could be the end of the campaign if they don’t pay attention to their cyber hygiene.

      • In this category, the top reminder is “passwords, passwords, passwords.” When the European Space Agency is using three-character combinations as passwords, it’s clear that we haven’t gotten to a point where everyone knows to use good passwords.
      • Give them someone to talk to if they suspect something is up. Do your personnel know who to talk to if they’ve seen anything suspicious? Do they have someone to tell when they receive a suspicious email? Create a system of reporting so that helpful employees can be helpful.
      • Public WiFi is dangerous! If cellular dongles or hotspots are not an option, remind them to be careful with what is sent (or logged into) via public WiFi.
      • Install AntiVirus. Though many have claimed “the end of AntiVirus,” there’s no excuse to not protect yourself when there are excellent free options available.
      • Remind them, too, that even their personal cyber safety can affect the campaign. A few simple steps might save them – and your campaign – a world of worry.

3. Be aware of the hardware.

We’ve said it, and we’ll say it again: hardware is another way into your organization. With the rise in the number of devices – both given out by the organization and brought in by employees and volunteers – the number of potential beachheads has skyrocketed. Without getting into the threats posed by the Internet of Things, start by asking yourself a question: what happens to any hardware provided by the campaign after an individual leaves, or the campaign is over? Is it wiped? Do you know what your volunteers are using on the campaign trail, and do you know if they’re leaking data?

4. Vet any third party providers.

NGP VAN’s claim on their blog that they “played no part in the October data issue that has been mentioned” is true in the sense that they did not help any campaign to download or export any data, but as with any third party data breach, their vulnerability led to the release of sensitive information. What other third party providers are you using? Do they value data protection? For most services, you have options: data security should rank right up there with price as an important deciding factor.

5. Use virtual private networks (VPNs).

While this might be a little more advanced than the previous suggestions, it isn’t as difficult as many might think. With many inexpensive VPN options available today, there’s no reason not to protect your sensitive communications by putting them on a private network.

This is only a preliminary (and cursory) overview, but as two more campaign staffers were just let go in light of the recent scandal and the race becomes even more contentious, these little things make a big difference.

Creating A Secure PassPHRASE and Ditching PassWORDS

In a nearly two-decade career in technology, mainly in security, I can count on my two hands the number of times that I’ve changed my personal behavior because of something I’ve heard in a meeting. Typically it would happen as I was sitting in the audience watching a presentation at some con, and a sudden realization came over me that if I tweaked my behavior just a bit I could better secure myself. At the same time I’ve been really lucky to sit next to super smart security people, literally, at work each day and listen in as they detailed why what I was doing was WRONG (or dumb, or idiotic…). Unfortunately, it isn’t always done with grace. There’s nothing I hate more than a smug reminder of how insecure I am with no suggestion of how to make it better.

Last week in a cramped conference room in Boston it happened again, but this time it was done with such ease and simplicity that I not only wanted to change my behavior, I wanted to punch myself in the face for not having realized it sooner. The conveyor of this great idea – though not the first person to say it – was Jayson Street, well known throughout the community and of course on this blog for saying what he means, telling it like it is, and always trying to help all of us in need. The advice might be old hat for some, but it hit me like a ton of bricks.

The one thing you can do to better secure yourself in 2016 is to ditch your passwords and start using passphrases.

Yes, I know, many of you have been talking about and doing this for years. Even Edward Snowden got on the bandwagon earlier this year. Simply because it’s been talked about doesn’t mean people are actually adhering to the advice, and that means we have to keep talking about this one as much as possible, since our biggest threat remains the uneducated consumer. AND, yes, the strongest password is the one you can’t remember…but people outside of a very few in security simply laugh at the absurdity of that statement.

Now, with that all behind us, let’s talk about how to implement this into your connected lifestyle.

5 Ways To Create a Secure Passphrase…and Ditch Passwords

Think of a passphrase as a complex sentence, versus a password that is simply, well, a word that maybe has some digits or a few symbols (yes, you are SO tricky using ‘$$’ as ‘ss’). But there are a few tips you should follow (or share with your employees) to create the strongest passphrase.

1. Use The Space Bar

Most online accounts now support blank spaces in your passphrase. This lets you create the sentence we talked about above, and it also makes the passphrase harder to figure out, by both humans and sniffers.

2. Go Long…15 or More Characters

Most password crackers will slow down when the passphrase hits 15 or more characters, and that’s when they get past the NTLM hashes and have to actually work at it! Can they still figure it out? Sure, but the longer it takes them to get your passphrase, the better the chance that they give up.

3. Use a Passphrase That is Personal, but Unique

The beauty of a passphrase is that it should be something you can remember a bit more easily, but it can’t be something that people would easily guess. Say, for example, you are a huge Star Wars fan (I hear there is a new one that came out recently), so you decide to create a passphrase of “May the force be with you!”. Look at you: it’s more than 10 characters, it uses the space bar, and even that pesky exclamation point. Nice work, but it’s not stronger than your old “w00ki3” password.

Most likely you have already liked Star Wars on Facebook, and everyone knows you were at the midnight showing dressed as Jango Fett. While that passphrase was personal, it wasn’t unique. Think of something you’d tell someone close to you, but not your coworkers. Unforgettable? Slightly embarrassing? Perfect. You may have, instead, chosen something that was both personal and unique, maybe:

“I actually like Episode one. Don’t tell anyone!”

4. Keep Being a Character

No, not you personally, your passphrase. Still use those exclamation points, hyphens, ampersands…they are even more effective in a passphrase. Building on our example:

“I @ctually like Episode 1. Don’t tell anyone!”

5. Variety is the Spice of Life…and Passphrases

Here is where I’m still going to tell you that you need different passphrases for different accounts. Now, is it realistic that you’ll have a different passphrase for every single site, app, and account? Probably not. That doesn’t mean we can’t try. One suggestion here is to create a variety of passphrases that also help you remember where each one belongs. Example:

“I @ctually like Episode 1. Don’t tell anyone at the bank!”
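As an added example (not code from the original post), here is a small Python checker that encodes the five tips above and runs the post’s own passphrases through them. The deny-list of famous phrases and the symbol-substitution table are constructed stand-ins; a real check would use a much larger list of quotes and leaked passphrases.

```python
"""Passphrase policy checker for the five tips above (added example, not from the original post)."""
import string
from typing import Dict, List, Optional

MIN_LENGTH = 15  # tip 2: go long, 15 or more characters

# Constructed deny-list standing in for a real list of famous quotes and leaked
# passphrases (tip 3: personal but unique). Entries are stored in normalized form.
WELL_KNOWN_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "i have a bad feeling about this",
}

# Undo the usual symbol-for-letter swaps ("@" for "a", "$$" for "ss", "0" for "o")
# so that a famous quote dressed up with symbols is still recognised as famous.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "4": "a", "7": "t"})


def normalize(phrase: str) -> str:
    """Lowercase, undo leetspeak, drop punctuation and collapse whitespace.

    Used only for comparisons (deny-list, reuse); the passphrase itself is unchanged.
    """
    text = phrase.lower().translate(LEET_MAP)
    text = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return " ".join(text.split())


def check_passphrase(phrase: str, account: str = "",
                     in_use: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the tips a candidate passphrase violates; an empty list means it passes.

    ``account`` names the account the passphrase is for and ``in_use`` maps other
    account names to the passphrases already chosen for them (tip 5: variety).
    """
    problems: List[str] = []
    if " " not in phrase.strip():
        problems.append("tip 1: use the space bar (no spaces, so this is a word, not a phrase)")
    if len(phrase) < MIN_LENGTH:
        problems.append(f"tip 2: go long (only {len(phrase)} characters, need {MIN_LENGTH})")
    if normalize(phrase) in WELL_KNOWN_PHRASES:
        problems.append("tip 3: personal but unique (this is a well-known phrase)")
    if not any(ch in string.punctuation for ch in phrase):
        problems.append("tip 4: keep being a character (no punctuation or symbols)")
    for other_account, other_phrase in (in_use or {}).items():
        if other_account != account and normalize(other_phrase) == normalize(phrase):
            problems.append(f"tip 5: variety (already used for {other_account})")
            break
    return problems


def violated_tips(phrase: str, account: str = "",
                  in_use: Optional[Dict[str, str]] = None) -> List[str]:
    """Just the tip numbers, e.g. ['tip 1', 'tip 2'], for compact reporting."""
    return [p.split(":")[0] for p in check_passphrase(phrase, account, in_use)]


if __name__ == "__main__":
    # The post's own examples, plus one famous quote dressed up with symbol swaps.
    already_chosen = {"email": "I @ctually like Episode 1. Don't tell anyone!"}
    candidates = [
        "w00ki3",
        "May the force be with you!",
        "M@y the f0rce be with you!",
        "I @ctually like Episode 1. Don't tell anyone!",
        "I @ctually like Episode 1. Don't tell anyone at the bank!",
    ]
    for candidate in candidates:
        result = check_passphrase(candidate, account="bank", in_use=already_chosen)
        verdict = "OK" if not result else "; ".join(result)
        print(f"{candidate!r}: {verdict}")
```

The symbol-swapped quote fails tip 3 exactly like the plain one, which is the point of normalizing before the deny-list lookup.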

Feel better? Feel more secure? Good! Now, make it your 2016 resolution to replace passwords with a secure passphrase.

Annual Innovation List Provides Clues to Security’s Future

The end of a year always brings about both retrospective and predictive posts. It is important, especially in our security community, both to recognize where we’ve been, to learn from the past, and to look forward to what might happen, in order to be prepared. That is why SC Magazine’s annual “Security Innovator” awards have been a great barometer of both sides of this coin. During my career in security I’ve always used this list to look back at the accomplishments from the past year, but also to get a feel for where the market is going. One example hit me as I read this year’s list of innovators, which included a “Hall of Fame” designation for FireEye, who originally grabbed an innovator award back in 2010. Five years, and we’ve seen our industry shape and reshape itself over and over again.

And now we do it all again.

Pwnie Express Named 2015 Security Innovator by SC Magazine

When an article starts out “This is one of our personal favorites” you just can’t help but continue reading on, and that is exactly how the article about Pwnie Express being named an SC Magazine 2015 Security Innovator begins. This annual list of the very coolest up-and-comers in the security industry is broken into ten categories. Pwnie was one of only two innovators selected in the “Security Infrastructure” category, which the magazine described as a “tough one”.

Obviously when you get this type of recognition you immediately think about the engineering talent and vision that went into creating our Pwn Pulse solution, launched at RSA 2015. Then, to our amazing users who have deployed Pwn Pulse around the world to detect, fingerprint, and analyze the rogue, misconfigured, and unauthorized wireless and wired devices threatening their workplaces.

Innovation In Action

The best way to recognize true innovation in security is to actually use the products in real-world scenarios, and this is what SC Magazine did. Peter Stephenson, technology editor for the magazine, wrote about his use of Pwn Pulse in the December issue:

“We tested the Pwn Plug in the depths of Levi’s Stadium, home of the San Francisco 49ers and the most high tech football stadium in the world with more than 12,000 Wi-Fi access points. We ran a single Pwn Plug during the World Cup soccer match last spring with about 75,000 fans in the stadium. The single device followed several thousand Wi-Fi users and many of the access points. Obviously, we were impressed.”

Stephenson continued, “When this Innovator took the management and visibility of the devices to the cloud – their Pwn Pulse offering – the company’s business exploded.” He continued, “These folks have one of the best crystal balls in the business – they really know how to predict an important emerging niche – and exploit it.”

And there it is…the future, and this is what is truly exciting for us all here at Pwnie and throughout our industry. We continue to push forward in the face of sometimes insurmountable challenges.

See For Yourself

For those not familiar with Pwn Pulse, it is a solution that continuously detects all of the devices putting your office(s) at risk. The SaaS platform detects devices connected to or even around a network, helping to replace legacy, expensive, on-site, manual point-in-time assessments. Pwn Pulse finds unidentified, open attack paths including mobile phones, Wi-Fi printers, access points, smart devices, and more, while working to amplify an organization’s existing IT and security tools, people, and workflow.

If you have time, register for our demo so we can hear directly from you about your challenges in this area and whether Pwn Pulse can help.

FYI: SC Magazine is a trademark of Haymarket Media.

Thanksgiving Pwnies

Thanksgiving is a time for giving thanks and taking a moment to reflect a bit on what has been happening in each of our lives. It is pretty remarkable that we are already nearing the end of 2015 because this has been a truly defining year for the entire security industry, and certainly for all of us at Pwnie Express. Was it not just yesterday that we were all together at RSA (and now we are already planning for the 2016 edition!)?

So, what do I give thanks for, at least professionally? It’s a big list:

  • You: Our readers, customers, loyal supporters, partners…it’s so obvious of course but it’s always important to remind you all how thankful we are that you are with us on this amazing journey. And in 2015 you also helped us with your data points for the industry’s first-ever “Internet of Evil Things” report.
  • Our world-class engineering team: Because of them not only did we launch Pwn Pulse to the entire world, they keep adding amazing new features and capabilities–and wait until you hear what we will be announcing over the next few months!
  • New Pwnies: Nearly every week in 2015 there was a new face in our offices. Growth is so exciting, especially when you are doing something like we are here at Pwnie.
  • Market recognition: Now we don’t do this for the awards, but it does feel so good when we win awards.

Honestly, the list could go on and on. But let me just say thank you once more and we’ll be back next week!


Happy Thanksgiving!

The Stove is Hot: and Other Life Lessons We Had to Learn the Hard Way

There have been a lot of stories in the news about transportation hacks, from planes to automobiles (and I’m waiting on the train). Security threats in transportation have become more frequent, more threatening and – as increasingly more of our transportation becomes “hackable” – more important. Recently, very high-risk vulnerabilities were discovered in these various methods of transportation, and this time they were presented loudly and in the public eye.

My thoughts on this are simple: 1.4 million cars are recalled, but not because there was a security vulnerability that was discovered and reported to the car manufacturer. The recall happened because the general public was made aware of this flaw through the media, and it was something that they could actually see and experience.

We can be told that the stove is hot.

We can be shown that the stove is hot.

But unfortunately, it sometimes takes a more memorable incident for us to remember that – wait for it – the stove is hot.

Would I say that this more “memorable incident” should be irresponsible reporting, or irresponsible disclosure? Am I advocating a “yell first, think later” stance? No, but I would like organizations, industries, and governments to take security more seriously, not just because it has become painfully clear that human lives are at risk, and not just because the direct result of inaction is a company going under, but because a security researcher has done responsible disclosure and has tried to help, without the need for a blatantly public example or demonstration.

We are quickly approaching a state in this society where security research and the actual discovery of these vulnerabilities is thought of as and treated as an actual crime. This brings up the question – are we trying to kill dissent, hide the truth? Or are we really trying to discover these vulnerabilities? By keeping quiet and not reacting to security researchers, we’re not helping the public. Hiding the danger from people does not keep them protected. We’re just making the stove look like it’s off – which might make it even more dangerous when they find out the hard way that it’s not.

The Insecure Internet of Things: 10 Stats

ISACA recently put out its 2015 IT Risk/Reward Barometer report, which highlights the major challenges organizations face in combating today’s Internet of Things (IoT) security issues. Here are ten stats that caught our attention from the global study of 7,016 security professionals located across 140 countries:


  • In the workplace, IoT devices can be a great boon for businesses. 77 percent of IT professionals say that the IoT has benefited their company, bringing things like greater accessibility to information (44 percent), greater efficiency (35 percent), improved services (34 percent) and increased productivity (25 percent). However…
  • 73 percent of IT professionals consider it a medium to high likelihood that a company will be hacked through an internet-connected device (whether it be a laptop or a Fitbit)
  • 1 in 2 believe the IT department is not aware of all the organization’s connected devices
  • 47 percent expect a cyber attack on their organization within a year’s time.
  • 1 in 3 believe their organization is unprepared for a sophisticated cyber attack
  • 72 percent don’t believe that manufacturers are implementing sufficient security measures in IoT devices
  • The #1 IoT security concern for enterprises is data leakage
  • 45 percent say the best way to keep IoT data secure is simply to not store any sensitive or classified data on devices at all
  • 63 percent believe that the IoT will result in decreased employee privacy
  • And 63 percent are not confident that they can control who has access to their information collected by IoT devices at home


As ISACA CEO Matt Loeb explained in a Wall Street Journal article, “Workplaces are becoming more difficult to secure as connected devices like fitness bands and smartwatches spread in popularity and make their way to the office on the wrists and in the pockets of employees. If these seemingly harmless devices connect to your company’s networks or servers and share and store information, they create more entry points where such information can be compromised. Cybercriminals realize this. Many of your employees probably don’t.”

No matter what policies you’ve put in place to regulate BYOD and minimize the risk of IoT threats, you face a losing proposition. Wireless and wired devices will continue to proliferate inside and around your organization, and if you haven’t made device detection and fingerprinting a top priority, this new study should serve as a wake-up call.

Learn how Pwnie Express can arm your security team to win the BYOD battle and see all the things you’ve been missing by visiting here.  

InfoSec Cons – What is the future? (Part 2: The Future)

(Continued from Part I: The Present)


SK: OK, so now we’ve done a lot of talking about the great improvements in some of the cons, and what you’ve seen a lot of improvement in this year. What do you think didn’t work this year? What is concerning to you?

I think this year one of the things I saw – and I think I may be a part of the problem – is the cosplay factor. I didn’t think about it until Russ Rogers brought it up, but I think a lot of people are going to “play hacker” instead of going to learn to be a hacker. It particularly came across at a couple of cons this year; it seemed that people weren’t really there to learn, they were there to be seen. They’re not really there to network, they’re there to play. I feel entitled to say that because I was one of the fakest and cosplay-iest attendees ever when I started attending ten years ago. I’m going to address it in my talk next year – I went to DEF CON 12 thinking about how a hacker was supposed to act, without actually learning… and it made me look like an idiot.

DEF CON, Derby Con, Shmoocon should never be equated with Comic Con.


SK: What about the beginners? The ones who don’t know any other way?

When I first went, I was already on the technical side. I had my CISSP in 2001, but didn’t go to my first con until 2004. I’ve been in InfoSec since 2000. I was four years in the industry before I got to go to a DEF CON. By then – seeing the stereotypes on the news, seeing them on the Internet – I got that romanticized version of “this is what it’s about”. I don’t want to say I was wrong, because people in those places aren’t necessarily wrong. I was simply ignorant, and there’s nothing wrong with being ignorant. I have a problem with being stupid. Being ignorant changes because you can learn. I showed up to DEF CON being very ignorant, but I learned. I get the sense that some people at these conferences are willfully ignorant. I don’t think they truly want to be a part of the community. They just wanna party (without giving anything back).

I can’t particularly talk about giving back anything from a technical standpoint; I’d like to think that I’ve helped the community in other ways. Communities are about contributions, not just “happy feelings” and cosplay.

SK: What are a few new conferences you’re excited about?

Conferences that I’m excited about – to hear about – are obviously skewed towards ones that I’m going to be a part of (which should be interesting). There’s going to be a BSides Tanzania; Jack Daniels has been reopening some BSides. There’s a conference I’m going to in the Maldives. Think about that – the Maldives is concerned about InfoSec!

What I’m really excited about is that it is now a topic of conversation and something for people to meet and discuss all over the world. It is not an American problem, it is not a first-world problem… it is a global issue. And the world is responding to it by getting together and forming conferences to discuss this. There are people waking up all over the world and realizing that their information has to be secured.


SK: So you would say that it’s important for the American security community to start paying attention to Global cons?

I think it all came to a head for me last year when I did my talk “Around the World in 80 Cons.” One of the reasons I’m working with DEF CON Groups is to make it a global action. Because of the way that we are connected and communicate today we can no longer have the audacity to think that any one country or group can solve these issues by themselves. We are all in this together and these are global problems that require global solutions and global action. It doesn’t take a tsunami or an earthquake or a hurricane to show that what happens in one region impacts the entirety of the world. I consider myself a citizen of the world, not just a citizen of the US. I love my country, but I love my planet just as much.


SK: Here’s a hard question, then: what do you think “The State of the Con” is today?

The state of most conferences today is – whether they realize it or not – uncertain. I think our community and industry as a whole is at a crossroads. Where is it going to go from here?

The conferences themselves are at a crossroads: as they grow, they eventually become the victim of their success. In some sense it’s a product of the way that society is evolving and becoming more tolerant of hackers, with TV shows, etc. demystifying what a hacker is and what InfoSec is. Learning about (though we hate the word cyber) cybersecurity, people are starting to understand how it’s used and why it’s used that way and what it actually means.

Because of this, I think we are becoming a better force for good to educate the general populace. The cons, though, are at a crossroads – there’s a chance that they may devolve into a place where people go because they saw it on TV and think it’s cool (they just want to “play” at the community). I think we’re at a point where things might also take a bad turn: people will be more afraid of “hacking”, and these conferences will become less acceptable, and it may reflect poorly on them or even be illegal to go to these conferences.


SK: Is there any way to answer or begin to solve these huge issues?

Of course I always like to make grandiose statements, but I generally also like to give a solution, or at least something positive to say. In this case I can admit: I’m not smart enough to have that answer. I don’t know. The people running these conferences are smarter than me, and have more experience than me, and I can’t presume to give them advice on these things. A lot of the people who criticize these conferences also don’t know. They don’t have any solutions. They just criticize.

I’ll just say that I don’t know what the solution is, but I have faith that the people working on it have a better grasp on it all.