Survey & Infographic from Black Hat 2015 – Hot Security Topics, Overused Buzzwords and more

The second biggest security conference of the year – Black Hat 2015 – may be critiqued as becoming more and more corporate (compared with its professional counterpart RSA), but the research and hacks remain just as impressive as ever. From cyber espionage, to IoT, to car hacking – a landmark moment forever changing the public’s perception of security – this year’s show was anything but dull. Highwire Security was on the ground surveying attendees, and here’s what we found:

Top Trends in Security

In line with conversations with reporters, clients and security experts, the survey found that IoT (40 percent) remains the hottest trend in security this year. And the research at the show holds true – hacking rifles, satellites and even a skateboard. Tied for a close second were application security (30 percent) and board-level security awareness (30 percent) – regardless of the intense frequency of hacks and breaches, there is still a major disconnect between the developer and the board.

While IoT dominated conversation this year, we’re expecting to see a few new topics on the list at Black Hat 2016. For example, the intersection of healthcare and security was a hotly discussed item at this year’s show, with the FDA recently making one of their first comments ever on cybersecurity. Long considered to be a laggard when it comes to security, the healthcare industry is finally starting to acknowledge there is work to be done.

In addition to healthcare, we expect to see cyber legislation shoot up the charts next year. For months, the security research community has been very outspoken about the controversial Wassenaar Arrangement, and with a few other security-focused bills on the floor of Congress, the trend is only expected to go up.

What are Security Pros Scared of?

People! Twenty-eight percent are most concerned about careless employees and user error – insider threats remain a top cause of many high-profile breaches (ahem, Target). Close behind were the 25 percent concerned about cyber espionage (Sony) and the 23 percent concerned about mobile malware (Stagefright). Interestingly enough, only 6 percent are concerned about PoS attacks, when in reality 40 percent of data breaches were PoS breaches according to Trustwave’s 2015 Global Security Report.

OPM OMG

The recent hack on the Office of Personnel Management has dominated headlines for months, with the number of leaked records increasing in almost every update to the story. Many whispers at Black Hat speculated about what would happen next: “Who has this data?” “Somebody’s just sitting on it – are government profiles being built?” “What’s the next targeted agency?”

The ongoing saga of nation-state attacks has struck a nerve with the security community – and everybody has an opinion. Many politicians have recently called for increased collaboration between the private and public sectors to thwart these breaches, and 73 percent of Black Hat attendees agree that the two should increase information sharing with one another.

Excuse My French

So what’s the worst of the worst in security? Cut these words from your vocabulary and save yourself a few eye rolls. The top buzzwords security pros are sick of hearing are next generation (64 percent), advanced persistent threats (54 percent), thought leader (52 percent) and game changer (52 percent). Oh, and while you’re at it, let’s get rid of disruptive (40 percent), hacktivism (40 percent) and BYOD (36 percent) too.

See our full results below, and we’ll see you at Black Hat 2016!

[Infographic: Black Hat 2015 survey results]

Written by Christine McKeown, Bill Bode, Nicole Plati and Megan Grasty, members of Highwire PR’s security practice

Highwire PR at Black Hat USA 2015

Leave your smartphones, tablets, drones, rifles and cars at home (yeah, I said rifles). This year’s 18th annual Black Hat USA is boasting some seriously cool sessions, from hacking sniper rifles to remotely killing a Jeep on the highway to cloning payment devices. Highwire PR’s security practice will be there front and center alongside corporate information security professionals, government infosec pros – oh, and hackers.

To say security is a major concern to all is an understatement – just in the past few months we’ve seen the largest government breach to date when the Office of Personnel Management was hacked, leaving more than 20 million vulnerable, a vulnerability called Stagefright that can affect millions with just one text message, and, to round that out, data breaches paving the way for a significant jump in cybersecurity funding. This year’s Black Hat attendees are getting ready to learn, network and attend a solid lineup of must-see presentations.

So what sessions are Highwire’s security pros looking forward to most?

Bill Bode, account director
I’m sort of a space nerd (ask me about my idea for my space-themed dive bar, “Space Bar.”) This, combined with my interest in security, makes my most anticipated talk a no-brainer: Colby Moore from Synack will be taking Black Hat attendees step by step through how to hack a satellite, with real-world attack vulnerabilities, in his talk, Spread Spectrum Satcom Hacking: Attacking the GlobalStar Simplex Data Service. I wouldn’t miss it for the world (get it?).

Pete Johnson, account manager
The one I’m most excited about is “Remote Exploitation of an Unaltered Passenger Vehicle” by Charlie Miller & Chris Valasek. Andy Greenberg at Wired published a really crazy piece about Miller & Valasek’s research last week—with arguably the best lede in an article I’ve read all year. Given the rapid shift toward connected cars and the industry’s race to usher in a driverless future, these kinds of exploits raise a lot of questions (if you were a fan of Michael Hastings’ work for Rolling Stone, you’ll probably find yourself fighting some gnawing questions).

Denise Schenasi, senior account executive
I’m interested in the session “Back Doors and Front Doors Breaking the Unbreakable System”. Given the recent U.S. Government hack and the increasingly rampant cyber and insider threats on government institutions and their employees, it’ll be interesting to see what this session adds to the industry debate – and the speakers’ thoughts on whether the government should – or shouldn’t – have backdoor access to encrypted data.

Isaac Steinmetz, account executive
This presentation on “Android Security State of the Union” should be especially interesting given the recent attention that Stagefright garnered. The presentation will draw on data derived from “hundreds of millions” of devices in order to highlight some of the most pressing Android security issues. The scale of this research alone is impressive. Furthermore, it’s extremely timely, as we’re faced with a vulnerability that could affect close to 1 billion Android devices.

Mariah Robertson, account associate
“Pen Testing a City” sounds like it’s going to be a really interesting talk. As our world becomes increasingly connected, and the idea of hacking airplanes and critical infrastructure becomes a bit more real (and terrifying), it will be interesting to hear about what could happen if hackers were to take down an entire city! Is your city prepared for this kind of attack?

Laura Pezzini, account associate
“Bringing a Cannon to a Knife Fight” should be really interesting — considering how deeply governments worldwide are now involved in trying to boost security efforts, it’s fascinating that the Chinese Communist Party literally has a weapon called the “Great Cannon” to suppress any sites they deem against their agenda with a casual DDoS attack.

Alexi Foster, account associate
Whenever we are hit with a major breach, there seems to be a lot of skepticism around human error, activity, and response. It will be interesting to learn from the talk on “Automated Human Vulnerability Scanning with AVA” if/how we can test human response to security incidents, and what the behavior analysis finds.

Devon Swanson, account associate
The talk on “Exploiting IT Analytics to Create a Human Layer Security Initiative” is one I have my eye on because Dtex examines the “people-centric” aspect of security that leads to insider threats. This workshop actually sounds super interesting by examining user analytics for the human layer of security threats.

Interested in meeting with Highwire PR at Black Hat this year? Email us at Hi@HighwirePR.com

Post-RSA 2015: The Evolving Security Landscape

“Let’s do things differently; let’s think differently; let’s act differently. Because what the security industry has been doing has not worked.” – RSA President Amit Yoran

The overall consensus and call to action at this year’s conference is that the security industry needs to change – as threats become increasingly sophisticated, we’re racing to evolve faster than the hackers, and we are continuing to fall behind in the arms race.

Last year saw a 25 percent increase in high-profile, over-hyped data breaches, but who’s held accountable? Conversations at RSA this year centered around the increased need for board-level discussions and how CISOs can adopt a business mindset; the scary potential of vulnerable connected devices; debates about how threat intelligence should be free; the government’s increased involvement and the Department of Homeland Security setting up shop in Silicon Valley; and more.

Highwire’s Security Practice was on site this year taking it all in, supporting clients, attending sessions, networking and throwing a killer happy hour. See the team’s highlights here:

Christine McKeown Elswick, vice president
The overarching message in Amit Yoran’s keynote was a significant moment for the industry. He said, “We are losing this contest. The adversaries are out-maneuvering the industry, out-gunning the industry, and winning by every measure.” This was echoed by the New York Times’ Nicole Perlroth in a private panel session on Wednesday, who said that we can’t build walls high enough to keep out the hackers, and with traditional AV software not working, something must be done to close the gaps that hackers continue to exploit. It will be fascinating to watch as the arms race continues. Startups like Cylance, a next-generation AV company, are making huge strides in this race against threat actors. They recently blocked 99 percent of all threats in live demonstrations across the United States using real malware to test its new technology against old school AV software.

Bill Bode, account director
RSA is changing. For the first time I can remember, some of the most intriguing security startups in the space – Synack, Tanium, vArmour – opted not to have a booth, instead relying on throwing amazing parties, packing customer/prospect schedules to the brim and holding networking events featuring prominent journalists to get the most out of their week in San Francisco. If you look at most of the keynotes from this year, you’ll see a laundry list of outdated legacy players talking about old world problems, but one talk did stand out in particular to me, from RSA President Amit Yoran (referenced above). Above all else, his call for vendor accountability is one that could turn the security world on its head. It’ll be a long road ahead to get to a point of true accountability, but it begs the question – once it’s here, will the constant noise die down? Will we get industry-wide agreement on the “best vendors” when we know which solutions just aren’t making the cut?

Mariah Robertson, account associate
RSA is such a great forum to discuss problems, showcase ideas and share solutions. My favorite part of RSA was seeing how different companies are addressing the biggest pain points in security. For example, at the Trustwave booth, security researcher Garrett Picchioni showed us the most commonly used and easily crackable passwords and demonstrated how quickly criminals could hack into a company’s system and steal passwords: it’s just a matter of seconds. We learned that longer passwords are always tougher to crack, and that “Thisismypasswordnoreallyitis” is a much better password than even a short random string of numbers or words such as “Spring2015” or even “A2qR!” Knowing that weak passwords are the leading cause of data breaches, I recommend everyone change theirs on a regular basis!

Isaac Steinmetz, account associate
This year was my third RSA, but ended up being the first time I was able to see a client present (those pesky “Explorer Expo” passes lock you out of a lot of sessions!). I got to see Veracode’s co-founder Chris Wysopal address a crowded four-sided box in the middle of the expo floor. Before he started speaking I worried that the session wouldn’t attract much attention since it was barely separated from the sea of booths in the hall, but surely enough the box was packed standing room only and Chris’ presentation moved forward with a full audience. It’s always great to see a client’s expertise and respect from his peers so clearly validated at events like this!

Alexi Foster, account associate
The highlight of RSA for me this year was the closing keynote, an interview with Alec Baldwin and Hugh Thompson, RSA’s program chair. They spoke about the cultural implications of a hack, mentioning the Sony hack in particular. It was interesting to hear Baldwin discuss how the Sony hack hurt the entertainment business through more than just preventing box office sales. Now, Hollywood producers might feel afraid to create controversial movies because they fear that those on the opposing side could use “evil forces” on them out of spite. And this idea stretches beyond the entertainment industry – anyone who knows how to hack has the ability to hinder another individual’s expression and creativity through a few lines of malicious code. It’s a scary thought.

Interested in learning more about Highwire PR’s security practice? Email Hi@HighwirePR.com to learn more! See you at RSA 2016.

Beyond Snowden: A New Era of Security Disruption at RSA 2014


Say what you want about Edward Snowden, but the fact of the matter is that his recent leak of NSA secrets has brought cybersecurity to the forefront of national conversation. This year, conversations regarding privacy were constant at RSA, to no surprise. In 10 years, when we’re commuting to RSA 2024 via hoverboard, we’ll look back and remember RSA 2014 as the year cybersecurity and privacy discussions left the hacker forums and leaped to the front pages of the Wall Street Journal and New York Times.

Despite the controversial buzz surrounding Snowden, whose mystery is only exceeded by his power, the polarizing whistleblower and current Russian resident still played second fiddle to the central themes at RSA 2014: continuous disruption and the recent flock of investors targeting cybersecurity start-ups.

From the industry’s first bot killer to an evolved look at geopolitical nation-state cyber attacks, the innovation and research to emerge from the industry this year signaled a changing of the guard that was hard to ignore at RSA 2014. Several members of the Highwire PR security practice were on site this year to rep our growing security practice and learn more. See their highlights below:


Nicole Plati, Senior Account Executive
At RSA 2014, we were reminded just how dynamic and rapidly accelerating the cybersecurity sector is. You could feel it in the air: this was the biggest RSA ever. One of the messages heard over and over again at RSA was clear: if the industry fails to develop disruptive new technologies and defense mechanisms, out-of-date solutions will become obsolete as soon as they are put into place due to hackers that simply work harder, better, faster (stronger?). At this year’s show, Highwire client Trustwave reminded us that we are officially in an arms race between cyber criminals and IT professionals, and without the latest and greatest technology, IT professionals will constantly be playing catch up.

Megan Grasty, Account Executive
Cybersecurity is by definition a constant war between good and evil. This year, my favorite keynote was from HP’s SVP and General Manager, Enterprise Security Products, Art Gilliland, who taught us that if we want to succeed, we need to “think like a bad guy.” Tying in a Star Wars theme (unfortunately, no lightsabers were broken out), Art reminded us that the bad guys usually have the cooler weapons, but it’s up to all of us to use the force and build our own cool weapons that focus not only on breach prevention, but on the full cycle of an attack.

Natalie Mendes, Account Associate
When I tell friends I represent enterprise security companies, most people’s eyes tend to glaze over. However, if we’ve learned anything from the cyber events of this year, it is that cybersecurity may just have the largest impact on consumers of any sector. From Snowden’s NSA revelations, to Apple OS vulnerabilities, and yes, even the Mt. Gox exchange hack, cybersecurity has never been closer to the everyman. It was with this perspective that I attended RSA, realizing that the greatest vulnerabilities and threats in the cyber world are being rooted out and stopped by the companies in attendance at the conference. In fact, at RSA this year, security companies uncovered threats exposing the confidential information of consumers, such as the iOS key logging flaw discovered by FireEye and the Bitcoin-stealing botnet exposed by Trustwave. If there is one industry that should excite and interest every person, it is security, and RSA is a conference that brought that fact to life.