InfoSec Cons and the Future (Part 1: The Present)

(An Interview with Jayson E. Street – find Part II HERE)

 

SK: I’d like to start off by having you talk a bit about your experience with conferences in general – what are some general thoughts?

I have gone to conferences all over the world to speak (with no shame); I have spoken to every kind of crowd, from three to two thousand and everything in between. I’ve spoken to government officials and business people, from people who were just getting into the industry, to people who are not in InfoSec at all, and may have shown up to the conference because they were interested in it. I’ve spoken to people with every kind of opinion with every kind of person, because I love hearing from people with strong views.

I have seen a lot of different conferences, and I think there’s one unifying thing that people forget to observe when they think about conference culture. One observation that they forget about. The one simple truth that ties every conference I’ve seen together.

Someone is going there to learn.

Someone is going there because they need to know something; someone will find an answer when they go. They’re looking for help, they’re looking for knowledge, they’re looking for someone to help them with the issues that they face. That’s why they exist, why they’re needed, and why people go. That is why I gladly ignore the crazy number of cons. In my opinion, there aren’t too many cons as long as there’s someone there that wants to hear somebody speak.

 

SK: What about specialized talks within conferences?

I think some conferences are figuring out how to give people the talks they really want (which are often very specialized), and I do like conferences that are starting to have straight offensive tracks or straight defensive tracks. It’s a great way for people to hear someone speak on a topic they’re definitely interested in.

 

SK: While these conferences may be great places for veterans of the security industry to meet, talk, and learn, the industry is growing very quickly and there are lots of people who are now showing up but not industry veterans. Are these cons a place for beginners?

One of the things I like seeing (for example, at Bsides London and 44con) is a newbie track. Not just newer talks, or newer questions, but people who have never spoken before. Shmoocon does a great job of trying to get first-time speakers, and careers have been spawned there. DEF CON has DEF CON 101, which is specifically designed for this. DEF CON is great because it makes those talks approachable. Granted, I think every one of my talks is a 101 talk – but there’s a place for lots more of them!

 

SK: So while lots of cons are going out of their way to be a place for both experienced pros and beginners, we still hear those “con horror stories.” Do you think conference culture can be toxic?

I try not to talk about the conferences I don’t like, only about the conference culture I love. That being said, I do have a list of conferences I will never attend again. For example, I went to a conference this year that was one of the most inclusive, clique-ish, boutique conferences I have ever witnessed. I had a wow moment there: people talk about some of the bigger cons – DEF CON, or ShmooCon, or DerbyCon – and how they don’t feel included. My response to that now is that, having been on the outside of the “cool crowd” at a con – is “oh, no, trust me, you have not seen anything.” Some of the larger cons can seem exclusive at times, because they are so big and overwhelming, but there are conferences that actually pride themselves on excluding the “plebes”. I’ve never been looked so down on just because I’m not “one of the cool kids.”

 

SK: So then what do we do about the conferences that aren’t trying to be exclusive, but can end up seeming exclusive because of their overwhelming size?

I know it’s very hard for a lot of people in this industry: it’s very hard to talk to someone. The great thing about conference culture is that at most of the conferences I’ve attended – no matter how big or small – there was somebody you could meet and talk to. Go into a talk? The person sitting next to you is interested in that topic, just like you. That is your conversation starter. You share that interest – you are there for that interest.

I particularly like the cons that have embraced that kind of community bonding. For DEF CON, l0ST has created several badges that force you to socialize. One of the best badges that’s been out there was from DEF CON 19 or 20, with Egyptian symbols and a microcomputer. It was great because you had to socialize. You had to interact, you had to talk to other people. You had to go up to people to make sure you had to talk to people outside of your group to try and spark conversations.

 

SK: Do you think this can necessarily be applied by people besides you? You’re so incredibly social.

Conferences have tried to make it more social, but I’ve gotta say – at some point it’s still on the person. Stated without judgement and without condemnation, but it’s a fact. I wish people were as sociable as me, but not everyone is… which is probably a good thing.

But people should keep in mind that there’s a lot of incentive to be sociable. From starting at DEF CON 12, to Derby Con 1, to going to so many of these conferences when I was first starting out, I benefited from being social. When I was just a network security administrator at a financial organization in the midwest, never did I feel that I didn’t have an opportunity to meet someone, or bother someone, or interact with someone – even the important someones. DEF CON 12 was when I first met HD Moore, and so many other “big names”. They were accessible and willing to talk; they showed what this community was about. They were the examples that people should follow. Everything I do now is from the example that I learned from those people.

 

SK: Do you think that as the industry grows – and it’s clearly growing quickly – that this kind of camaraderie and accessibility will change?

There’s been a lot of talk about how big these conferences have gotten. I’ll be the first one to say that this past DEF CON I was upset afterwards by looking at Facebook posts – of friends of mine! – and realizing that there were people I knew at DEF CON and I never saw them. The biggest misconception of DEF CON now is that people still consider it a single conference. It is no longer just a conference. It’s not like a Derby, or a ShmooCon, or one of the many B-Sides. It’s really almost like a hacker burning man, with villages (they’re called villages!) catering to the various interests you may have.

There’s something so cool about the fact that you can spend your whole entire con at a “whole conference” dedicated to what you specialize in – the Hardware Village, Wireless Hacking, etc. When you do that, it’s a very small con for you. All the people you want to see, things you want to learn about, are there. But because of your one badge, you still have the opportunity to go to the others. An entire conference dedicated to every kind of specialty is at your fingertips.

Derby Con is currently dealing with the growing pains of getting bigger. From its very creation, it has always been an accessible “family vibe”. I’ve never seen an instance of a speaker not talking to a first timer. You see regulars just hanging out at the bar, buying drinks, or getting drinks, or just drinking and available to talk to (and for those who don’t drink, just hanging out and being available to talk to).

The front driveway is sometimes totally crowded with people just having great conversations. The lobby is full, and it is an equal opportunity place for everybody to mingle. That is not a size issue, not a clique issue… it is a fact that is part of Derby Con. It’s just an accessible place to meet people. Dave always tries to make it feel like the family. Some people take that the wrong way, by thinking as though it’s “only” for the family, but no – he’s trying to suggest that there’s no exclusion to that family.

 

(Continued Here)

Social Engineering Attacks: What You Need to Know

Attacks on US enterprise systems and infrastructure continue to increase in severity and quantity. Some target specific organizations themselves, seeking their “crown jewels” such as intellectual property. Other attacks are carried out solely for financial gain, and target both consumers and the organizations that hold consumers’ personally identifiable information. While some high-profile attacks make splashy headlines – nation state espionage and high-profile data leaks – countless others remain undisclosed and, too often, unrecognized by victim organizations until after crippling damage has been done.

Social engineering represents a major and ever-increasing threat to businesses. Attackers know that a company’s weakest link is its employees, and they will continue to find new, innovative ways to exploit this via sophisticated phishing attacks and other methods. Here’s a look at some of the most common social engineering attacks today:

 

  • Spearphishing: Contrary to popular belief, today’s spearphishing attacks are highly calculated and carefully crafted to be relevant and un-alarming to the user. It’s not as easy as most people think to spot a spoof, so employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://www.virustotal.com/.
  • The rogue technician: Under the guise of technicians or delivery people, stealthy social engineers walk right into organizations and can physically compromise the network. Employees should heed basic “stranger danger” trainings and ensure anyone who enters the building has an appointment or pre-established purpose.
  • Malicious websites: Often, malicious websites are disguised as corporate or partner sites, and will prompt visitors to update Java/Adobe or install a specific plug-in. Users should always close the browser and open a new one to directly update Java or Adobe from their official sites. If users are prompted for a specific program or missing plug-in, they should close the browser and send an email to the website asking about the specific configuration issue.
  • Device attacks: The rampant adoption of personal, connected technologies by workers and their reliance upon them for day-to-day business communications has provided exponentially more pathways for bad actors and social engineers – and they cannot be secured. Organizations need new ways to detect employee-owned and rogue devices in and around their workplaces to gain the full visibility needed to prioritize security response, reduce alert fatigue and provide situational intelligence to implement real-time remediation.

 

Since so many employees today use their personal devices at home and on the job, enhanced awareness and employee training on the dangers of social engineering is more critical than ever before. This starts with focusing on the devices they’re carrying, where they are being used, and what they are connecting to.

Here are four best practices for employees to follow to reduce their own personal attack surface, as well as that of your organization:

 

  • Don’t connect to open wifi: Anybody can connect to them, and there could be traps set up to trick you (sneakily labeled hotel wifi, free wifi, airport wifi, etc.).
  • Configure your phone so it does not automatically search for and connect to wifi: Always require your phone to “ask to connect” instead of connecting automatically.
  • If you don’t need your wifi and Bluetooth, turn them off while you’re out and about: Period.
  • Password-protect your phone: Don’t let your device fall into the wrong hands without a password in place – particularly if you use your personal phone for business use. Also set up the “wipe phone” feature after several incorrect password attempts.

 

Stay safe out there!

Security is a Think Globally, Act Locally Proposition

Before RSA expanded to take up the entire Moscone, before Blackhat grew to amazing proportions, before even Defcon became a big time event, there were local meetups to talk about security. Often looked at as a gathering of misfit ‘hacker’ types, these gatherings many moons ago were all about sharing knowledge about vulnerabilities, techniques, new tech, and more. And as often as the group met in person, there were the listserv groups that allowed them to all keep in touch and continue to grow a community. Security, no matter how much marketing buzz is created, is still all about the community.

It’s simple when you break it down into psychology. People create communities based on two primary factors:

  1. A common location or regional area;
  2. A common interest;

In the case of infosec it was often both of these elements working in congruence to generate a strong community base. This is how events like DerbyCon get their shape (it’s top of mind since it just happened last week). A cool group of people in Louisville get together to talk about security and help each other, some sponsors help to keep the lights on, and a few years later it’s still an awesome gathering of people more akin to a family reunion than a conference. Watching the live DerbyCon feed via YouTube it was obvious how much learning and sharing was happening amongst the people, and it is exactly this concept of community building, or acting locally, that will help us to then transition into thinking globally.

 

Building Security Communities in Your Own Backyard

Community matters in security, and it is what will help us continue to fight the battles being waged online, but it always starts at home. One example really struck me recently when the Pwnie dev team, many of whom reside in the great state of Vermont, signed back up to sponsor two upcoming Vermont security cons: vtTA (Vermont Technology Alliance) and HackVT, a 24-hour hackathon. Both are great orgs that are focused on continuously building this burgeoning community in their backyards.

When we talk about security companies we often get blinded by enormous funding announcements and valuations, marketing-fed FUD clouding up the environment, or the creation of the rockstar hacker grabbing yet another keynote. But the work, the real work, is being done at the local level, where practice becomes code. Without this mentality there are no big security companies, because most of them started locally, often in a garage (or basement as the Pwnie team did), and often surrounded by friends who weren’t getting together because of dreams of riches years down the road.
Instead, they dreamt of creating a group of people who would create some cool stuff that could help people be more secure throughout the globe. Act locally, think globally.

US Government Workplaces must “see all the things” and Detect the Threats Posed by BYOD/IoT

Every day, tens of thousands of undetected – and often unauthorized – devices move through government worksites and military bases throughout the world. These devices run the gamut from seemingly innocuous employee-owned smartphones to potentially malicious planted devices, or even a wifi-enabled drone. Sure, government agencies have strict policies in place to ‘regulate’ BYOD because security pros know these devices can be gateways for threats to get inside the network, but it is becoming increasingly clear that policies cannot be enforced when these devices cannot even be detected in the first place. This was underscored by a recent industry study of 1,000 Federal government employees that revealed that:

  • 50% of government employees use their personal devices to access email.
  • 49% use personal devices to download work documents.
  • Of employees at agencies with rules against the use of personal devices, 40% said the restrictions “have little to no impact on their behavior” – and as a result, they are unknowingly providing open pathways into critical government infrastructure.

Government agencies, with hundreds of thousands of people flowing through sites each day, recognize this problem is something that must be addressed – and quickly.

 

Pwn Pulse on GSA Schedule

Today, we’re proud to announce that Pwn Pulse is now available via the US GSA schedule, as well as our new strategic partner gvTechSolutions. Pwn Pulse is used by government agencies at the local, state and federal level to continuously detect and fingerprint the billions of devices in and around their workplaces. Much like surveillance cameras brought much-needed visibility for physical workplace security, the Pwn Pulse platform continuously detects the devices that are open pathways for attackers. The assessment and analysis of any BYOD or rogue device gives government agencies the full visibility needed to prioritize security response, reduce alert fatigue and provide situational intelligence to implement real-time remediation.

You can read full details about our new partnership here – but here’s what our CEO Paul Paget had to say about the news:

“Adversaries know that organizations, both in the private and public sector, spend most of their security budgets on physical and network security. These organizations have limited, if not zero-capability, to monitor the presence and behavior of wireless devices from the ubiquitous smartphone to the world of other smart devices now being deployed. With this explosion of devices, coupled with ever-present wireless access points, the devices in and around your network are open pathways to your most sensitive data. Pwn Pulse is a unique platform purpose-built to deploy in minutes and provide security teams the ability to remotely, securely, and effectively monitor and assess their security risk against all of these previously undetectable devices.”

To learn more about how Pwnie Express is uniquely positioned to help federal, state and local government departments achieve their critical security mission, please visit: http://store.pwnieexpress.com/pulse-overview/.

Submarine Thinking Will Save Your Network

Even our terminology reflects what we think about security. Case in point; the very name of what we call the first line of perimeter defense – a firewall – shows our antiquated thinking regarding the defensive postures of the network. Somehow, we are still in the realm of thinking about moats and castle walls while we have people paratrooping from a jet.

In a similar analogy, the way I like to design networks is to take out the aspect of it being a “building” and start thinking about it as a submarine. Submarines are designed to take a hit and withstand a certain amount of attack damage even in the deep sea, and their design takes into account the high possibility of being breached. A sub may be breached by uncharted depths, or by being torpedoed or attacked, but it is designed to ensure that not everything will fail in case of a breach.

Submarines are designed to acknowledge the fact that a breach may happen, and operate on the idea that the breach must be contained. A submarine crew understands, “this part of our environment is compromised. We have to sacrifice this part so that the submarine stays functional, so that it survives. We need to quarantine the area until we can make it habitable again.”

So why don’t we acknowledge that in InfoSec? For example, wouldn’t it make sense to have the accounting department compartmentalized from the rest of the company? Why not have certain channels with chokepoints? This is a practice savvy security folks have accomplished, but looking at it from the submarine perspective allows you to design a network with the same mentality.

Stop using firewalls as the external perimeter that “can’t be breached,” and start using airlock doors which can be sealed off within a submarine.

 

Implementing the Submarine Mentality

We have to start evolving – and understanding. I think people have really shied away from treating their networks as untrusted or potentially untrusted because human nature tells you to believe that bad things aren’t gonna happen to you. But we need to start looking within and thinking: what would happen if this part of the network was compromised or contaminated? How would I be able to stop them from getting the keys to the kingdom?

I’m not saying that I don’t trust my defenses – I just recognize that defenses get breached. Every network I’ve designed in the last decade is not just: how do I find the breach? It’s: how do I contain it?

There’s something great about this being on the Pwnie Express blog, because it’s absolutely vital to look at indicator warnings. A device detection technology like Pwn Pulse will help you detect when a breach is imminent, when something is off or might be faulty. Using your Intrusion Detection Systems or looking at the loads on your system can help with detection as well. You have to look not just at what is on your network or is coming onto your network – take more time to inspect what’s leaving your network. If you don’t know your submarine is leaking, how do you contain it? How do you stop it before you’ve sunk?

In addition, there are a lot of technologies out there (though I won’t get vendor specific), but I think most application-level firewalls have Domain User Role Access. Otherwise, based on how you’ve logged in to the network and logged in to the domain you have lots more access.
Granted, this is not a cheap solution, but it is a secured solution. It’s one of those things I recommend you use internally first for your biggest assets. In security, it’s vital to think to yourself: what do you need to protect the most? Once you’ve figured that out, you protect it not only from the outside world, but from your internal network as well.

When The Meat Scale Betrays You

Remember in December 2013 when news started filtering out about the Target data breach? Ultimately this attack would take 40M customer debit/credit card numbers, along with untold and still fully unaccountable costs for the company themselves. For months after the announcement the news was full of stories around the attack, centering on an HVAC company in Pennsylvania, contracting with Target, who had suffered their own breach via email-delivered malware. Slowly the news focused on other attacks, because that is the nature of our business, while every single vendor at RSA 2014 had some “Target-breach demo” set up in their booth to show how their tech would have stopped the attack.

As we all focused our eyes elsewhere (looking at you Sony) Target was still cleaning up after this breach, and preparing themselves for possible lawsuits from banks hurt by the breach. The intersection between banking, insurance, and data breaches is getting very much intertwined, and that is forcing organizations like Target to take a much deeper incident response dive than in previous breaches. In fact, organizations are doing a lot of pre-IR work currently to ensure they are covered from both an insurance-level and future litigation-level when a breach occurs. But this necessitates understanding, and seeing, every possible threat to your network…and I’m not talking malware here.

Let’s play some acronym bingo: BYOD, IOT, BYOT, BYOE…the list seemingly goes on and on. Yet nobody is seemingly marketing to the “BYOMS (Bring Your Own Meat Scale)” set, and according to reports it might be that connected piece of equipment that finally tipped the scale in the Target breach (sorry, had to use the pun). Although fun to talk about connected meat scales being an entry point, the larger picture here is that you can throw all the acronyms you want into a data sheet or product video, but the fact is that workplaces know they have billions of devices floating around, at least one of which might be the open pathway for an attack.

 

If You Think Meat Scales Are Scary, What About Drones?

Meat scales are one thing, and certainly being able to simply see they are connected or even around your network is critical, but there are so many other devices to consider. The printer someone installed that is also transmitting wifi. The drones, equipped with wifi, flying above your building. The Roku someone put in the far conference room so they could watch a World Cup match…last summer. The Amazon Echo in the corner office so the boss can control the glare on those fancy lights.

Are these BYOD or IOT? WHO CARES. The fact is they are there, either on or near your network, and you just need to see them and then make a call. Too often we get bogged down into the ‘what and why’, when we should be focused purely on the ‘how’. As we come full circle and approach the 2-year anniversary — Cotton is the gift, FYI — of the Target breach we continue to see more and more devices on or around our network. The question isn’t what to call those, the question is what are you doing to see them now.
Oh, and in case you were wondering, you can NOT buy a meat scale on Target.com.

Saddle Up for Derby?

That’s right – once again we’ll be hanging out at DerbyCon (as a gold sponsor, no less!)

We were going to put together another Louisville guide, but after last year we realized that the city is simply too cool – and too popular – for the likes of us to try and outdo a real guide. However, just a quick reminder (according to the DerbyCon official website) of a few of the things around the area:

  • 4th Street Live (seriously, you should check it out)
  • Muhammad Ali Center
  • Louisville Slugger Museum
  • Frazier History Museum
  • Louisville Waterfront Park
  • Kentucky Center for the Performing Arts

 

Obviously, plenty going on at the con itself – of particular interest is the Hackers screening… we’re (more than) a little obsessed with the movie here at Pwnie. Remember to check out the Schedule of talks and events – we’ve got a few favorites, but for the sake of fairness we’ll let you figure out which ones those are.

As usual, swag will be present and plentiful, and for the first time ever we have PWNIE PATCHES!


Most importantly, remember that we’ll have THREE different drawings, all for a year-long subscription of Pwn Pulse (including an R3 Pwn Plug!) This year we’re running things a little differently; instead of having a card dropbox, we’ll have three separate live drawings:

 

  • Friday at 6pm
  • Saturday at 6pm
  • Sunday at 2pm

Can’t wait to see y’all there!

#TBT To That Time We All Had a BlackBerry

I remember quite distinctly being asked a few years ago to “defend the BlackBerry.” While the devices are really quite good, the task is harder than it sounds in the era of iPhones and Androids. After grasping for an answer I finally stumbled upon “it’s professional! Do you ever see a businessman in the movies carry an iPhone?” While that may not have been the case a few years ago, today it is completely standard – and professional – to have whatever phone you’d like. BlackBerries are falling out of favor at faster rates than ever – according to The Guardian, BlackBerry users have fallen from 80 million to 50 million and the number is still dropping.

BlackBerry did hold a position of some importance in business technology for a long time, and it relied heavily on its reputation as secure, controlled, and uniform. The company even wrote on its blog about the challenges of cybersecurity in the enterprise and why a BlackBerry device is a good choice for cybersecurity. Their answer was really very simple: BlackBerries are easily controlled by IT, and if your employees can’t make choices about technology, then they can’t make bad choices about technology.

Neither this post nor this webinar will be about BlackBerries in particular, but about much larger issues – the reality of BYOD (Bring Your Own Device) in financial institutions, the problem of cybersecurity in financial institutions, and the fact that one is contributing to the other.

 

BYOD Is The New BlackBerry

While many people think of financial cybercrime as being the work of foreign criminals on a computer, those criminals are often aided by an unexpected (and unwitting) ally in your office – any one of the many employees walking around with a personal device that happens to be connected to your network, email server, or other sensitive information. More employees than ever are walking around with these kinds of devices. BYOD (Bring Your Own Device) isn’t going anywhere – IDC predicts that by 2016 there will be 480 million smartphones sold, 65% of which will be heading into a BYOD environment. According to a recent Cisco study, 69% of decision makers in the US feel that BYOD is a good thing for their organization.

Unfortunately, we haven’t shifted our mentality to reflect these changes. Though according to SecureEdge a whopping 80% of all BYOD is completely unmanaged, the security thought process is the same – lock everything down. A SANS Institute Research Survey found that “more than 50% of organizations rely on their users to protect personally owned devices.” Well what could be done? It’s actually not as complicated (or costly) as one may think.

Our September 1 webinar on Wireless devices discussed the various ways that organizations are trying to lock down their security with hardened outer defenses while ignoring internal threats. While these statistics are disheartening, they are also for industry in general. The outlook in the financial industry is not quite as bleak – with security budgets for the financial industry topping $9.5 billion in 2015, one would hope so. But what does it look like on the ground?

We will continue this exact conversation with the Security Weekly crew on Wednesday, September 30 to hear a panel of experts discuss what it’s actually like to implement a secure, effective BYOD policy.

REGISTER HERE for the webinar

True Disruption: What It Will Really Take

In between Black Hat meetings, demos, briefings and networking events, I headed down the streets of Las Vegas to AGC Partners’ Distrupt!on 2015 to participate in some hard-hitting conversations about the current state of the cyber security industry – and where we’re going.

It’s no secret that cyber threats are proliferating at terrifying speeds and increasingly making their way into the mainstream. AGC co-founder Maria Lewis Kussmaul’s opening remarks pointed to one of the major challenges that we, as an industry, face in getting ahead of these threats: the security ecosystem trichotomy, comprised of three distinct groups of technology providers:

  • The “old guard” technology companies – from Symantec to McAfee to HP – who have fallen behind and gotten lost in this new threat landscape
  • The “undecided” companies, i.e. Cisco and IBM, who have dipped their toes in the water but haven’t moved their offerings beyond table stakes
  • The hungry, early-stage companies, such as Palo Alto Networks, that are working hard to crack the code and emerge as the next-generation security leader, but face challenges in innovating and scaling rapidly enough to make it happen

One particular area where this segmentation is palpable is threat intelligence. A hot industry buzzword for years, threat intelligence products and services are finally delivering real value and profit to customers and investors. But despite the slew of new data and analytics available, organizations are still struggling to harness this information and preemptively get in front of threats to shut them down before real harm is done. A panel of experts, led by Wendy Nather of the Retail Cyber Intelligence Sharing Center, discussed how, despite the surge in threat intelligence offerings, Fortune 100 companies are still unprepared to handle the advanced threats looming on the horizon. One only has to pick up a newspaper to realize the severity of the problem: the string of headlines announcing crippling cyber attacks on major corporations seems never-ending.

Though the true promise of threat intelligence technology has yet to be realized, advancements are certainly being made. Yet as an industry, we could be moving so much faster, and be so much more effective, if it weren’t for the complacency of the “old guard” and the hesitation of the non-committal “undecided.” Imagine if these players – with their massive resources, huge R&D teams, scalable infrastructure and global partnership networks – would just go all in and make cyber security a core focus and top priority. Imagine the possibilities of banding together – leveraging the strengths of the established players and the agility and creativity of the next generation, who have already made cyber security their mission.

What’s happening in our industry today reminds me of the legendary gladiator fights of ancient Rome. The modern-day gladiators – the emerging companies, the innovative minds that work for them and the investors who believe in them – are taking extraordinary risks and putting everything they’ve got on the line. Meanwhile, the old guard sits back and simply spectates. But the fact is, time is on no one’s side in this cyber security game. While the big guys watch the little ones fight for survival, the whole city is being stealthily surrounded by a host of formidable, motivated adversaries who will inevitably find ways to break in and take down the entire empire.

Walking back from the conference to Black Hat headquarters, I couldn’t help but sigh when I saw an old-school limo roll by me, plastered in a Symantec ad that read “Advancing Security.” If only that were true.

Kicking Off Black Hat 2015: Detecting the Signs That Give Attackers Away

The Pwnies have officially landed in Las Vegas! As we kick off what is sure to be an exciting week at Black Hat/DEF CON, we’ve been struck by how mainstream (and sobering) this year’s research and vulnerability disclosures are – for security pros and consumers alike. Theoretical conversations about hackers’ abilities to cause destruction – even death – in the future have become today’s reality. We’ve truly entered an era in which virtually anything can be turned into a weapon to cause harm.

For example, in late July, the world was shocked to learn that two security researchers had successfully pulled off a remote takeover of a Jeep – while it was traveling down a public highway at 60+ miles per hour. A WIRED piece this week highlighted a new experiment in which security researchers found a way to seize control of electric skateboards and toss riders. And at Black Hat, security researchers Runa Sandvik and Michael Auger will reveal how to hack a $13,000 sniper rifle via its Wi-Fi connection and exploit vulnerabilities in its software to alter targeting and affect how the ammunition is fired.

Scary stuff.

But there is a silver lining. Just think of a movie scene – when a sniper takes aim at a target, there’s always a quick flash of the gun in the sunlight, or the telltale red point of the laser from the weapon’s scope. There’s always something – albeit subtle – that gives away the shooter’s position. And the same is true of cyber attackers. There are always signs. You just need to know how to spot them.

As in our personal lives, it’s time to accept that the devices we use every day to do our jobs are inherently insecure. We can no longer rely on anything to be truly safe (read more in our Internet of Evil Things study). That’s why an enterprise-wide device detection and protection strategy is so critical to regaining control from malicious attackers or, more often, employees who unintentionally wreak havoc. This includes:

  1. Discovery of all Internet-enabled devices (wired, wireless, Bluetooth, cellular, etc.)
  2. Real-time threat alerts for high-risk devices: unauthorized, known-bad, vulnerable, misconfigured, suspicious
  3. Identification, fingerprinting, and historical logging for all detected devices
  4. Continuous discovery of changes in device attributes and device behavior
  5. Effective rapid threat response capabilities including device “track & disable” & SIEM/WIPS integration
  6. Auditing and validation of existing security controls, including enterprise wireless infrastructure and device management technologies
  7. Secure, centralized management with enterprise-class reporting, trending, peer benchmarking, & cross-sensor correlation

Interested in learning more? Stop by the Pwnie Express Black Hat Booth #IC1 for a demo of Pwn Pulse, the industry’s first full visibility and threat detection platform for the enterprise. And while you’re there, head across the hall to our meeting room MBR 217 to meet with internationally renowned security expert, author and Pwnie Express Infosecurity Ranger Jayson E. Street and grab a signed copy of his soon-to-be-released book Dissecting the Hack: The V3rb0t3n Network.