What is the Biggest Problem in Cybersecurity Today?

Themes from the show floor of RSA 2018

Viability. Quite simply, the operating environments of organizations have gotten too complex for cybersecurity defenders.

The problem goes beyond not being able to see what is happening in organizational systems to not even understanding the full extent of those systems. Keeping up with the assets under their control and keeping them secure is a new challenge for the modern enterprise.

Asset Explosion

As organizations move to the cloud, their data moves to systems they don’t own. Employees frequently log into corporate accounts from personal devices. Add the growing number of IoT devices connected to corporate networks and the number of ways for organizations to lose control of their data spirals out of control.

This is not to say that responding to and stopping threats is unimportant, but before organizations can even begin to think about remediation, they have to know what is under attack. Theresa Payton, CEO and President of Fortalice Solutions and former White House CIO, noted in a panel that the first step to securing an organization is understanding what assets are under its protection.

What You Don’t See

Two of the top five attacks from “The Five Most Dangerous New Attack Techniques” keynote presented by SANS researchers result from abuse of poor visibility. The first is data leaks from repositories and cloud storage, a growing issue that resulted in several breach disclosures over the last year. It is easy to forget that cloud storage buckets and GitHub repositories are part of an organization’s assets, and that oversight is what leads to poor configurations.

The other is the rise of cryptojacking. Malware that appropriates processing power to mine cryptocurrency for hackers can remain undetected for months by flying under the radar of systems administrators. Spotting rogue cryptomining activity may be trivial in data centers an organization owns, but when workloads are outsourced to cloud providers, organizations need to actively search for this activity.

Asset discovery cannot be a static activity, though. Data and devices shift so rapidly that organizations need a constant stream of information about the state of their assets so they can adjust their practices accordingly. Dan Schiappa of Sophos said in a talk that asset management, and the policies it informs, need to take on an almost evolutionary character as they adapt to the changing operational landscape.

It’s Not About the Machines: Cybersecurity is a Human Problem

Themes from the show floor of RSA 2018

The annual Cryptographers’ Panel spent the first 10 minutes of their discussion at the opening keynote yesterday deriding blockchain, the trendiest technology of the year. Quantum computing and machine learning are also banner bearers for technical innovation in cybersecurity.

At the same time, however, experts around RSA have shunned the idea that technology is the answer to cybersecurity. The theme of the show, “Now Matters,” calls for the defender community to take action to prepare themselves for a better and more secure tomorrow. RSA president Rohit Ghai called “the death of the silver bullet fantasy” a major win for cybersecurity. Meanwhile, McAfee CEO Christopher Young called for a culture shift across organizations to realize that cybersecurity is everyone’s responsibility.

This theme has echoed across the rest of the conference as well.

Technology Does Not Make Security

Panelists have addressed blockchain in nearly every session, either bringing it up themselves or responding to questions from the audience.

In a panel about building trust in an insecure world, Adam Ross, a manager at GmbH, noted that blockchain does not build trust. It is merely a means to store data, and does little to guarantee that the information it stores can be trusted.

In the same vein, machine learning technology is a valuable supplement to human cybersecurity teams, which are understaffed with skilled workers. But machine learning processes are highly corruptible if not properly secured.

Even encryption, by now an almost automatic part of privacy and security processes, only works if there is a deliberate decision to rely on it.

“It’s easier to say I can’t than I won’t,” said Moxie Marlinspike, founder of Signal.

Organizations that have taken custody of our data are under constant pressure to divulge that information to governments. If they care to protect our data, they need to build their systems in a way that no one can access it, not even themselves.

The Importance of a Sound Strategy

While technical solutions are an important part of security, it is how they are used that makes security. In the past, there has been a culture of treating security as an afterthought. Now, how to use that technology has been the subject of many panels across the show.

While the answer is far from simple, two essential parts of it are building a sound business case for cybersecurity and focusing on outcomes. This up-levels the conversation around cybersecurity issues so that executives don’t feel lost in the technical quagmire of day-to-day operations. It also opens the door to understanding what is important in this task.

Theresa Payton, CEO and President of Fortalice Solutions and former White House CIO, noted in a panel the importance of prioritization. Limited resources mean that no organization can protect all of its data equally well. Deciding what is important and starting a conversation about what a cybersecurity program should do leads to the beginning of a plan.

We will always need innovation in cybersecurity to keep ahead of the hackers that threaten our digital landscape. Tools, platforms and techniques that make it easier to identify and stop hacker activity will always help, but many of the innovations we need are in the processes we use to make our organizations secure. Remember that people are part of this too.

A Time for Optimism: Cybersecurity is Stronger than Ever

Highlights from the Opening Keynotes of RSA 2018

It’s easy to call 2017 a cybersecurity failure. WannaCry alone rocked the digital world to the core. But it was only made worse when we realized that the attack was perpetrated by governments, not individuals or criminal organizations.

But across the board, the speakers of the opening keynotes at RSA 2018 called for optimism. While there is still a lot of work to do and the job of cyber defenders is by no means done, these keynotes highlighted that the work they do every day is making a difference.

The Little Things Count

It may not look like it, but the cybersecurity progress that has been made over the last 30 years of RSA conferences is making the world safer.

“Joe, your brilliant deployment of multifactor authentication to stop a massive breach will never make the New York Times,” said RSA president Rohit Ghai.

That is the danger of cybersecurity. The only news is bad news. The best state of affairs is when there is nothing to report. The end of the keynote by McAfee CEO Christopher Young was a video whose mantra was “Nothing important happened today…except everything.”

“We need to shift our focus from becoming perfectly unhackable one day to being a little more secure every day,” said Ghai.

All the little things do add up. Every activity that makes us a little more secure is time well spent, because security is an ongoing battle. There is no silver bullet for security, and while the daily grind may feel like a thankless task, that is how we win.

Adapting to Change

Microsoft president Brad Smith spent much of his talk calling for governments to do more to defend us now that the battlefield has shifted to the cyber realm. We need to view attacks on machines as attacks on people.

“We need a new digital Geneva convention,” said Smith.

WannaCry, which exploited a vulnerability in Microsoft operating systems, had a global impact by shutting down key elements of our society that have come to depend on machines. In the U.K. 19,000 hospital appointments were cancelled because of WannaCry.

But cyber defenders have advantages over the hackers. When hackers find a creative way to breach companies, we can force them to be creative again by closing that vulnerability. Young pointed to how the air travel industry became more secure over time by adding security measures whenever would-be attackers tried new techniques.

By working together and sharing information, we can make the increasingly connected world more secure. Ghai praised organizations like the Cyber Threat Alliance, and Smith pointed to a new coalition of security companies that have promised to prioritize security.

Turning Awareness into Action

If there is a good side to the “breach a day” cadence of stories coming out about cybersecurity, it is that awareness of cybersecurity issues is reaching board members and executives.

Ghai pointed to a statistic that 89 percent of boards have cybersecurity on the agenda at some point. It’s a step in the right direction, but there is more to do.

“The awareness is there, but there is a failure to turn that awareness to action,” said Young.

There needs to be a cultural shift in the approach to cybersecurity. In addition to the incremental progress of small gains, everyone needs to take responsibility for cybersecurity. There are signs of progress on that front across the industry with the adoption of DevSecOps, which pushes cybersecurity to the beginning of the development process.

The gains from baking in cybersecurity from the start cannot be matched by the “bolted-on” approach we’ve taken in the past.

Incremental success is a hard story to tell. It’s a lot easier to focus on the disasters of cybersecurity like WannaCry, but the truth is that there is a reason for optimism. For every attack that we hear about, there are hundreds or thousands that defenders stop dead in their tracks.

The hard work of cyber defenders may be a thankless task, but it’s working and it’s making a difference.


Check back tomorrow for the next blog in this series live from RSA where we’ll have insights from our panel of industry experts.

A Week at RSA 2017: Insights from Highwire’s CyberSquad

Nation-State Activity, AI and Market Consolidation All Top-of-Mind for Security

February stands out for African-American History Month, Valentine’s Day and Presidents’ Day, but we cannot forget about the annual RSA Conference that takes place in San Francisco.

Every year, cybersecurity experts, aficionados, journalists, and Highwire’s very own #CyberSquad congregate in San Francisco for one of the premiere cybersecurity events of the year. This year’s show, the largest in the books, did not disappoint.

The conference was abuzz with talks on new offerings, partnerships and industry sentiment. The keynotes, ranging from Microsoft’s President to renowned astrophysicist Neil deGrasse Tyson, were also especially enlightening. Additionally, Highwire was on the show floor interviewing attendees to get the pulse of show and industry trends. Thanks to all who participated, especially those who are typically doing the interviewing; I’m talking to my reporter friends out there. Special shoutout to Bradley Barth of SC Magazine, Fahmida Rashid of InfoWorld, Paul Roberts of The Security Ledger and Katherine Teitler of MIS Training Institute for taking time out of your busy schedules to help with our man-on-the-street videos.

At a high level, the buzz from the conference floor and attendees alike focused on nation-state cybersecurity concerns, the hype around AI, the issue of false positives, visibility and the blurred perimeter. Also of note was the sentiment around market consolidation.

We also heard from seven of our own clients in a live podcast series conducted from our annual Highwire RSA happy hour. Special thank you to Sean Sposito and our friends at CSM Passcode for partnering with us on this great event. See here to learn more about the “Rise of the Chief Digital Transformation Officer and Six Other Key Takeaways” from industry experts.


Here’s more from our in-house security pro, Erik Martinez, on what Highwire’s CyberSquad learned at the 2017 RSA Conference:

Nation-State Cybersecurity

Many at the conference discussed the ostensibly growing involvement of nation-states in cybersecurity, both as attackers and targets. The recent nefarious activity and attacks in Europe and the U.S. thought to be instigated by Russian hackers were a catalyst for this train of thought. As a result, industry leaders are prepared to expect more espionage; information and influence operations; and the destruction or disabling of data and systems. Interestingly, the common belief is that these activities will increasingly happen in the shadows after the recent wave of public discussion on the matter. This can be expected to happen through hired non-state actors like organized criminal groups.

AI: The Belle of the Ball

As in most technology-focused industries, cybersecurity is in love with AI and machine learning. The possibilities it offers the cybersecurity space are mouthwatering, and nearly everyone is touting some version of it in their solutions. But perception around AI is still mixed. Many RSA-goers equated the buzz around AI to that which big data stirred up when it first came onto the scene: a tad premature.

This is not to say that AI technology is not helpful (it is), but it will require human judgment for the foreseeable future. AI technology can execute tasks faster and with fewer errors than humans, but training is still necessary and intuition is lacking.

Market Consolidation

There is a coming disruption in the market in the form of market consolidation, and whoever remains will likely have no other option but to play nice. In terms of disjointed solutions, Palo Alto Networks CEO Mark McLaughlin predicts that “the measure of [the industry’s] success will be, instead of people saying, ‘I have twenty, thirty, forty vendors, and I have to figure out how to handle that,’ they’ll say, ‘I have four hundred vendors and I’m good with it.’” He argued that this happy state would come about as vendors developed “better ways of consuming their value proposition.” In other words, all the products will work effectively and with increased cooperation as the market consolidates.

This should not be cause for alarm, as the trend could provide exits via mergers and acquisitions. Not to mention that good outcomes are likely to result from general industry cooperation. Why work against each other, when working together can be much more beneficial?

If you were in attendance, share your story in the comments; we’d love to hear about your experience!

Also, we’re hiring! If you are a security or enterprise tech PR pro interested in joining our rapidly growing team, we’d love to hear from you. Please contact Nida Ilahi at nida@highwirepr.com.

The post was written by Christine Elswick who leads Highwire’s burgeoning security practice and Erik Martinez, our in-house security expert.

Client Experts on the Future of Security

IoT, AI, Offense and (Cyber)Insurance

We are in the midst of a thrilling time in which many of our technological aspirations, from autonomous cars to highly advanced computing devices that fit comfortably in our pockets, are a practical reality. But along with the enhanced capabilities offered to businesses and individuals, comes increased risk.

For instance, IoT technology has helped create devices reminiscent of HAL 9000, but, much like the film character, they can be subject to major flaws. Fortunately, direct physical harm hasn’t been caused yet, but 2017 will surely be the year that cybersecurity stops being a news novelty and becomes a well-understood norm for all. The year to come is the year “cybersecurity” becomes just “security,” even for those outside the industry.

Taking from our all-star security client lineup, here’s what our experts are expecting in the year to come.


Affecting Trust

The savviest attackers are moving away from mere data theft to targeting data integrity. Longer-standing reputational damage is becoming more common, especially in cases where the involvement of a nation-state is suspected. We’ve already seen these kinds of attacks in M&A scenarios with the Yahoo breaches and during the presidential election.

This kind of attack will continue to gain traction, especially within industries that rely on public confidence like medical facilities and financial institutions. Governments may also fall victim to attacks to spur on distrust in national institutions and processes (e.g. alleged Russian involvement in the presidential election).

Cyber Insurance Matures

Amid the slew of unmanageable threats, organizations will likely continue to take greater advantage of cybersecurity insurance. As the underwriting market responds, we can expect the due diligence requirements for underwriting to drive greater spending on security controls. As such, we can expect security product purchasing decisions to be driven by cyber-insurance companies.

Expect cyber-insurance organizations to develop short lists of vendors and products that must be deployed to be compliant for insurance. CSO/CISOs will be asked by CFOs for these products and purchases may be directed top down if they’re lacking. We can also expect more vendors to offer guarantees and/or their own insurance offerings.


Finally Sifting Through Troves of Data

Machine learning and AI have recently come to the forefront across industries for good reason. Humans cannot parse and make sense of all the data being generated today. Humans simply can’t scale, work as long or be as detail-oriented as a well-crafted and intelligent program, so expect further investments in neural networks and smart technology.

A caveat is that machine learning and AI will also be used for nefarious purposes. Hackers often mimic the same models as their targets for unlawful tools and distribution, often protected by the anonymity of the dark web. Just as machine learning algorithms sift through threat alerts, criminals will start using them to parse the troves of data they steal. Moreover, smart strains of malware (e.g. polymorphic and metamorphic) have already entered the scene, capable of intelligently evading detection and even changing their composition to do so.

What do you think we have in store for the year to come?

If you’d like to hear more from our experts, join us at Highwire’s third annual RSA Happy Hour, this time in conjunction with the Christian Science Monitor’s security vertical, Passcode, which will be conducting live podcast interviews with some of our experts.


Highwire Talks Security with Black Hat Communications Director

One of the biggest security events in the world, Black Hat has been providing attendees with the latest in research for over 18 years. Participants can learn from information security luminaries about various developments and trends in the industry. As you think about how to present new or interesting perspectives this year, take a look at our survey findings from last year’s Black Hat, particularly the part about overused buzzwords, as you may want to eliminate some of the most commonly used jargon from your content.

With the event fast approaching on July 30, Highwire took the opportunity to speak with Meredith Corley, director of PR & communications for UBM, the company that puts on Black Hat every year, to gain some insider knowledge that will prove useful for PR professionals and security companies.

Q: What is the number one strategy you can offer companies as they prepare to pitch media at Black Hat?

A: Remember that these members of the media and analyst community are the crème de la crème of the InfoSec reporting world—so do your research! And I don’t just mean on their specific beat, that’s a given. My research advice is the following:

1) Pitch the Goods: With so much dynamic content on stage, running alongside big research report releases and innovative product launches from the show floor (all vying for their attention & time slots), now is not the time to do a generic email blast. Before you work to set up that briefing or meetup, ask yourself: How does this news break the mold, challenge the status quo or take our industry in a new direction? With a product launch, how specifically will your new product or service solve an existing problem or void? Any cool demos to share? Alternatively how will your perspective help dig into an existing industry hot button issue or theme with a fresh (or challenging) perspective? Are you offering up special access to key thought leaders or research? Is there a new finding that will change the course of the current dialogue?

If you can’t answer these with an elevator pitch before pressing ‘send’ on that email, hold off. Media get a ton of email leading up to the show, so make it count.

2) Expand Your International Contacts: Does your company have international roots or hope to take its products and services global? Don’t forget to research the many international members of the media that join us onsite every year. We have massive news agencies, trade journals and analysts join us from as far as Australia, many parts of Asia, Europe, S. America and everywhere in between. Now is your chance to build those valuable relationships with key international stakeholders for your brand all in one place. Don’t miss out.

Q: How do you select which companies get their own mini press conferences in the Black Hat press room?

A: We work closely with the Black Hat Review Board and journalist community to get a sense of what is really going to be “hot” onsite—big themes, impactful vulnerability disclosures, big name speakers or government officials, and controversial topics discussed by distinguished resources.

Press conferences are highly selective and are typically reserved for Black Hat speakers that will be presenting during the show. Sometimes we will group them by theme (e.g. “mobile vulnerabilities”) while other times it will be a solo session (e.g. keynote presentation or completely unique topic that stands apart from the rest).

If your company or client is speaking at Black Hat this year and you think the topic fits the bill, drop us a note: BlackHatPR@ubm.com.

Q: What do you think the top trends will be at this year’s show based on what you’re seeing across the top sessions and/or media requests?

A: Aside from the headline-making and completely unique vulnerabilities and research (à la car hacks, new ways to take over ATMs, and medical device weaknesses and defense), I would say that one of the top trends this year is what we collectively call “Platform Security.” We also saw more submissions than ever around vulnerabilities (and defenses) in top operating systems and virtual machines.

Unsurprisingly, Internet of Things (IoT) is also a big theme again this year as everything we know becomes increasingly “smart.”

Also, talks this year really run the gamut—and they should, since we received more submissions this year than any year prior. The Review Board really had their work cut out for them to pick the best of the best. There are quite a few great enterprise system-related briefings, some really smart research across all things mobile, and even a whole track of talks in the “human factors” category, which covers everything from phishing to the actual success rates of malicious actors dropping USBs in parking lots to name a few.

Q: Anything new or different taking place at the show this year that we should know about?

A: Glad you asked—Yes!

New to Black Hat? If you, your team members or your client(s) are newbies to Black Hat, we’ve got you covered. ALL pass types are invited to join us for Black Hat Day Zero —a first-timer’s guide to making the most of Black Hat. Here, new attendees can come a day early (Tuesday, Aug. 2) to learn what to expect on site, how to make the most of their time and even how to keep their devices safe on the show network. (Don’t forget your tinfoil hat…) There will be a welcome reception for some good mingling after the sessions.

Closing the Gap: Despite more attention to the issue, the needle just hasn’t moved all that much on the dramatic underrepresentation of women and minorities in the security industry, even as the talent gap deepens. I would encourage you and your colleagues to check out this fantastic panel, “Removing Roadblocks to Diversity,” on Thursday, Aug. 4, with a pretty stellar lineup. It includes moderator Kelly Jackson Higgins, executive editor of Dark Reading, with Jamesha Fisher, security operations engineer at GitHub; Elena Kvochko, head of global cyber security strategy and implementation at Barclays; Angie Leifson, security operations center (SOC) analyst at Insight Enterprises; and Chenxi Wang, chief strategy officer of Twistlock.

Tip: this is first-come, first-served, so get there a little early to reserve a seat.

Other neat new and exciting things on site include a hands-on Kali Linux Lab for ALL pass types on Thursday, Aug. 4. And I’d highly recommend checking out the Black Hat Arsenal if you’re looking for real-time demos—this year marks the largest tool lineup yet with 80 to be presented on site.

Meredith Corley is the director, PR and communications, at UBM Americas. Find her on Twitter @MeredithCorley or LinkedIn.

RSA Preview: In 2016, Security Policy is Front & Center

Next week, much of the security industry will again converge in Highwire PR’s hometown of San Francisco for the 2016 RSA Conference. With our security practice constantly adding new clients and welcoming new faces, RSA is an exciting time for all of us.

Last year, security entered national consciousness on a new level. This year, it has entered the stratosphere, with debates such as the need for consumer privacy versus national security reaching a fever pitch due to the role encryption has played in high profile cases like the attacks in Paris and San Bernardino. The convergence among the worlds of lawmaking, politics and cybersecurity is reflected in two of the biggest names on this year’s agenda, keynote speakers Attorney General Loretta Lynch and White House Cybersecurity Coordinator Michael Daniel.

With five full days of programming, here’s a sample of key themes, important sessions and other things to anticipate at this year’s conference, courtesy of a few folks in our security practice:

  • Bill Bode, Account Director, San Francisco: The talk I am looking forward to most is the keynote from United States Attorney General Loretta Lynch. Why? In the wake of Apple’s move to publicly defy the FBI by refusing to allow backdoor entry into a cell phone involved in a major investigation, US cyber policy will be at the forefront of conversation, a topic Lynch will surely address. The Attorney General’s talk should stimulate a thoughtful (and possibly heated) discussion highlighting the differing opinions between what the government and Silicon Valley think could be the future of fighting cyber crime, or a dangerous new precedent.
  • Lindsay Bubbico Ciulla, Account Director, New York: I’m looking forward to seeing what comes out of a panel discussion on “Roles of Industry and Government in Cyber-Incident Responses.” Given the election year and the increasing role of security in our everyday lives, I think it’ll be especially interesting to hear from the panel on the role of government and industry during a major security event.
  • Megan Grasty, Senior Account Executive, San Francisco: I’m amazed at the continued implications surrounding our connected world. Also at the lack of understanding around the need for security in everything that is connected to the Internet, from smart toys to planes to cars. I’m looking forward to attending “Our Brave New Connected World: Is it Already Too Late?” to hear experts discuss the security challenges associated with the connected world.

And, of course, we’re excited to see the epic parties and stunts that punctuate the show!

Beyond our Natoma Cabana party on Tuesday night, we wouldn’t miss vArmour’s Monday night punk rock throwdown, ForeScout’s Wednesday night bash featuring one of the world’s Top 5 DJs, Trusona’s VIP launch party at Mourad or Veracode’s annual gathering at Ruby Skye. What are you most excited to see? Share your hot topics and party tips in the comments below. See you there!

AppSec USA: The Place to Be for Web Application Security

It’s no secret that cybersecurity is a top concern for enterprises, government and consumers. And what do hackers target to steal sensitive information? The application layer. According to Verizon’s 2015 Data Breach Investigations Report, 61 percent of attacks happen at the application level. From mobile application flaws, such as Stagefright on Android, to Web application vulnerabilities, such as the WhatsApp hack, now more than ever it’s time to educate yourself on application security.

So where can you meet the best application security experts? AppSec USA.

Hosted by Highwire client Open Web Application Security Project (OWASP), AppSec USA is a four-day conference where developers, security experts and technologists meet to discuss cutting-edge approaches to securing Web applications. This year’s conference is in San Francisco September 22-25, 2015.

Highwire PR will be at AppSec USA and is thrilled for this year’s keynotes from Facebook CSO Alex Stamos, Microsoft MVP Troy Hunt and Department of Homeland Security’s Chief Cybersecurity Official Dr. Phyllis Schneck. Not to mention Fireside Chats with Uber, Twitter, Netflix and Salesforce.

To get the most out of this year’s AppSec USA, here are the top three must-do’s from OWASP global board member Michael Coates:

1. Hands-on Training

There is a massive shortfall in the industry of quality security engineers. If you’re technically inclined, learn application security fundamentals from the best of the best to secure your organization through hands-on training opportunities.

As cyber threats become pervasive, everyone from developers to incident responders needs to stay up to date on the latest threats, best practices and tools needed to keep sensitive systems safe.

The trainings range from application vulnerability evaluation to a malware crash course that includes hands-on malware dissection, software debugging, malware analysis and more.

2. Listen, Learn, Discuss

Learn, listen and discuss pertinent, cutting-edge security topics, such as how to address cloud security for your Web applications, how to handle security at scale, and real-time event detection and response. Experts from security companies like WhiteHat, iSec Partners and Denim Group; technology providers such as Docker and Akamai; and enterprise security teams like Netflix, Salesforce and LinkedIn will all cover a variety of security topics and enable discussions that address security experts’ burning questions. Additionally, learn about the state of security, its most pressing issues and what it will take to address them from keynote speakers Facebook CISO Alex Stamos, Microsoft MVP Troy Hunt, Chief Cybersecurity Official of DHS Dr. Phyllis Schneck and more.

3. Build Your Network, Find the Right Talent

Networking is a crucial aspect of any conference: connect with the brightest security minds in the world at the most concentrated event for Web application security. Discuss the leading topics with people from all parts of the security process, including software developers, information security professionals, incident responders, computer security researchers and corporate investigators.

Hiring? Job searching? AppSec USA also provides the opportunity to network with a wide range of security professionals and find your next gig or next great hire at the career fair. Some of the hottest companies will be participating, including Netflix, Twitter, Airbnb, Palantir, LinkedIn, NetSuite, MobileIron and Tableau.

OWASP’s AppSecUSA is the largest application security conference in the world. You won’t want to miss out!

Register now for AppSecUSA and win 4 sold out Giants baseball tickets. If you’re already registered you can Retweet this to enter to win!

If you’d like to get in touch with Highwire PR at AppSec USA, please email owasp@highwirepr.com.

*Top Three Things to Know originally published by OWASP Global Board Member Michael Coates.


Survey & Infographic from Black Hat 2015 – Hot Security Topics, Overused Buzzwords and more

The second biggest security conference of the year – Black Hat 2015 – may be critiqued as being more and more corporate (comparing it to its professional counterpart RSA), but the research and hacks remain just as impressive as ever. From cyber espionage, to IoT, to car hacking – a landmark moment forever changing the public’s perception of security – this year’s show was anything but dull. Highwire Security was on the ground surveying attendees and here’s what we found:

Top Trends in Security

In line with conversations with reporters, clients and security experts, the survey found that IoT (40 percent) remains the hottest trend in security this year. And the research at the show holds true – hacking rifles, satellites and even a skateboard. Tied for a close second were application security (30 percent) and board-level security awareness (30 percent) – regardless of the intense frequency of hacks and breaches, there is still a major disconnect between the developer and the board.

While IoT dominated conversation this year, we’re expecting to see a few new topics on the list at Black Hat 2016. For example, the intersection of healthcare and security was a hotly discussed item at this year’s show, with the FDA recently making one of their first comments ever on cybersecurity. Long considered to be a laggard when it comes to security, the healthcare industry is finally starting to acknowledge there is work to be done.

In addition to healthcare, we expect to see cyber legislation shoot up the charts next year. For months, the security research community has been very outspoken about the controversial Wassenaar Arrangement, and with a few other security-focused bills on the floor of Congress, the trend is only expected to go up.

What are Security Pros Scared of?

People! Twenty-eight percent are most concerned about careless employees and user error – insider threats remain a top cause of many high-profile breaches (ahem, Target). That is closely followed by 25 percent concerned about cyber espionage (Sony) and 23 percent concerned about mobile malware (Stagefright). Interestingly enough, only 6 percent are concerned about PoS attacks, when in reality 40 percent of data breaches were PoS breaches according to Trustwave’s 2015 Global Security Report.


The recent hack on the Office of Personnel Management has dominated headlines for months, with the number of leaked records increasing in almost every update to the story. Many whispers at Black Hat speculated about what would happen next: “Who has this data?” “Somebody’s just sitting on it – are government profiles being built?” “What’s the next targeted agency?”

The ongoing saga of nation-state attacks has struck a nerve with the security community – and everybody has an opinion. Many politicians have recently called for increased collaboration between the private and public sectors to thwart these breaches, with 73 percent of Black Hat attendees agreeing that the two should increase information sharing with one another.

Excuse My French

So what’s the worst of the worst in security? Cut these words from your vocabulary and save yourself a few eye rolls. The top buzzwords security pros are sick of hearing are next generation (64 percent), advanced persistent threats (54 percent), thought leader (52 percent) and game changer (52 percent). Oh and while you’re at it, let’s get rid of disruptive (40 percent), hacktivism (40 percent) and BYOD (36 percent) too.

See our full results below, and we’ll see you at Black Hat 2016!

[Infographic: Black Hat 2015 survey results]

Written by Christine McKeown, Bill Bode, Nicole Plati and Megan Grasty, members of Highwire PR’s security practice

Highwire PR at Black Hat USA 2015

Leave your smart phones, tablets, drones, rifles and cars at home (yeah, I said rifles). This year’s 18th annual Black Hat USA is boasting some seriously cool sessions from hacking sniper rifles to remotely killing a Jeep on the highway to cloning payment devices. Highwire PR’s security practice will be there front and center alongside corporate information security professionals, government infosec pros – oh and hackers.

To say security is a major concern to all is an understatement – just in the past few months we’ve seen the largest government breach to date when the Office of Personnel Management was hacked, leaving more than 20 million vulnerable; a vulnerability called Stagefright that can affect millions with just one text message; and, to round that out, data breaches are paving the way for a significant jump in cybersecurity funding. This year’s Black Hat attendees are getting ready to learn, network and attend a solid lineup of must-see presentations.

So what sessions are Highwire’s security pros looking forward to most?

Bill Bode, account director
I’m sort of a space nerd (ask me about my idea for my space-themed dive bar, “Space Bar.”) This, combined with my interest in security, makes my most anticipated talk a no-brainer: Colby Moore from Synack will be taking Black Hat attendees step by step through how to hack a satellite, with real-world attack vulnerabilities, in his talk, Spread Spectrum Satcom Hacking: Attacking the GlobalStar Simplex Data Service. I wouldn’t miss it for the world (get it?)

Pete Johnson, account manager
The one I’m most excited about is “Remote Exploitation of an Unaltered Passenger Vehicle” by Charlie Miller & Chris Valasek. Andy Greenberg at Wired published a really crazy piece about Miller & Valasek’s research last week—with arguably the best lede in an article I’ve read all year. Given the rapid shift toward connected cars and the industry’s race to usher in a driverless future, these kinds of exploits raise a lot of questions (if you were a fan of Michael Hastings’ work for Rolling Stone, you’ll probably find yourself fighting some gnawing questions).

Denise Schenasi, senior account executive
I’m interested in the session on “Back doors and front doors breaking the unbreakable system”. Given the recent U.S. Government hack and the increasingly rampant cyber and insider threats on government institutions and their employees, it’ll be interesting to see what this session adds to the industry debate – and their thoughts on whether the government should – or shouldn’t – have backdoor access to encrypted data.

Isaac Steinmetz, account executive
This presentation on “Android Security State of the Union” should be especially interesting given the recent attention that Stagefright garnered. The presentation will draw on data derived from “hundreds of millions” of devices in order to highlight some of the most pressing Android security issues. The scale of this research alone is impressive. Furthermore, it’s extremely timely, as we’re faced with a vulnerability that could affect close to 1 billion Android devices.

Mariah Robertson, account associate
“Pen Testing a City” sounds like it’s going to be a really interesting talk. As our world becomes increasingly connected, and the idea of hacking airplanes and critical infrastructure becomes a bit more real (and terrifying), it will be interesting to hear about what could happen if hackers were to take down an entire city! Is your city prepared for this kind of attack?

Laura Pezzini, account associate
“Bringing a Cannon to a Knife Fight” should be really interesting — considering how deeply governments worldwide are now involved in trying to boost security efforts, it’s fascinating that the Chinese Communist Party literally has a weapon called the “Great Cannon” to suppress any sites they deem against their agenda with a casual DDoS attack.

Alexi Foster, account associate
Whenever we are hit with a major breach, there seems to be a lot of skepticism around human error, activity, and response. It will be interesting to learn from the talk on “Automated Human Vulnerability Scanning with AVA” if/how we can test human response to security incidents, and what the behavior analysis finds.

Devon Swanson, account associate
The talk on “Exploiting IT Analytics to Create a Human Layer Security Initiative” is one I have my eye on because Dtex examines the “people-centric” aspect of security that leads to insider threats. This workshop actually sounds super interesting, as it examines user analytics for the human layer of security threats.

Interested in meeting with Highwire PR at Black Hat this year? Email us at Hi@HighwirePR.com