Black Hat convention hype hurts the enterprise risk management process

By Andrew Plato, CISSP, CISM, QSA
President / Principal Consultant
Anitian Enterprise Security

reprinted from Search Security.com.

For a few weeks in 1982, I was convinced that space aliens were outside my house. I had irrefutable evidence: strange lights, odd noises, and the like. Of course, the lights were the neighbor's pool, and the noises were the wind. I was just a child, caught up in the hysteria of having just watched the movie Alien on cable a few nights before. I eventually grew up and accepted the reality that aliens were not going to eat me.

Sometimes when I look at the security industry, I see a lot of children, quivering in their beds, sure that malicious hackers are going to eat them. The story is similar: Some "133t" hacker at Black Hat or Defcon demonstrates the latest vulnerability and the audience "oohs" and "ahhs." In the flash of a blog post, media fire up the hysteria engines and the hyperbole begins. "ATM machines are no longer secure!" "Is your money safe?" "Will terrorists take down the power grid?"

This is nothing more than hysteria and it undermines sound enterprise information security practices. The security community must stop this hysterical response to vulnerability research. Security professionals must embrace more measured, logical and reasoned responses to new threats. This unjustified hysteria encourages companies to waste millions (perhaps billions) to defend against phantom threats that will never pose any real threat to them.

The Black Hat problem
Consider the recent demonstration at Black Hat 2010 regarding flaws in ATM machines. Vulnerability researcher Barnaby Jack spent two years working on ATM machines. He purchased some used units and tore them apart in his living room. At Black Hat in Las Vegas, Jack showed off the results of his research. In a spectacular display, he made the machines spit out money. The story was splashed across the Net. IT people worldwide hungrily devoured the story. A Google search shows hundreds of stories with reactionary quotes like: "This is a game-over vulnerability right here," and "Our money is no longer safe."

Jack's demonstration was fascinating. It is obvious that the ATM manufacturers have some work to do on improving their machines. But frankly, the vulnerabilities Jack demonstrated do not mean the entire ATM market is at risk. Our money is safe. This is not a "game-over" vulnerability. ATMs worldwide are not going to suddenly start spitting out cash. They will continue to function as they should and the global economy will continue as normal.

Jack's presentation, like many other such demonstrations, is an example of how vulnerability research is at best misperceived and at worst twisted into a sensationalist sideshow that exaggerates the significance of new security vulnerabilities.

Security is about risk. And risk has two fundamental components: impact and probability. The coverage of the ATM hack has been exclusively about impact. That "Oh my God!" moment where people see that their money can be stolen. Media coverage of this story has not sufficiently addressed the probability of such an attack actually happening on any scale and the damage such an attack could really cause. That's because the probability of a hacker successfully carrying out the ATM hack against a real-world machine is quite low. There are just too many mitigating factors and safeguards that make such an attack difficult to execute.

Even if such safeguards didn't exist, then the entire demonstration is really just underscoring the need for such defenses. It is unlikely every ATM provider can or even would patch every system immediately upon learning of a new vulnerability. This is why technologies such as access controls, intrusion prevention and log monitoring are so important. They provide valuable "gap protection" from the time when a vulnerability is publicized, to when the manufacturer issues a patch and the company can responsibly apply that patch.

Impact and measured response
The more troubling problem with these sensational hacks is how they alter the conversation and focus of security practitioners. Rather than build a sound, effective electronic defense, practitioners are manipulated into reacting to these threats with unnecessary technologies and outlandish practices. Technology vendors and consultants alike seize the moment to aggressively market products to address high-profile vulnerabilities rather than handle the broader spectrum that is an effective enterprise risk management process.

Good security starts with good fundamentals, such as stable and reliable operations, change management, intrusion monitoring, antivirus, Web content filtering, least-privilege access rights, diligent account auditing, and other seemingly dull and boring practices. Sound operational security is what makes organizations safe and prevents attacks. While a strong case can be made that most, if not all, enterprises should ignore these sensational proof-of-concept hacks, a business struggling with the basics of risk management certainly shouldn't consider them as anything more than entertainment.

This is not to say that such hacking demonstrations are not useful. Vendors benefit from skilled researchers testing their equipment and locating vulnerabilities. There is a need for such analysis, but the focus of that analysis should be to improve products, not to influence practical, day-to-day risk management activities in a typical enterprise.

Security practitioners have a duty to derail hysteria before it takes hold. Too much of what we see at Black Hat and other events is simply theatre; it cheapens security practices and exaggerates nonexistent problems. Security people have long spoke of FUD (fear, uncertainty and doubt) as a destructive element of information security. These sensationalist hacking demonstrations are just that: FUD. Security practitioners need to put them into perspective. Any company spending resources to defend against sensational hacks should immediately cease such efforts and consider the broader picture of their information security. These sensational hacks are not the way to build a secure organization or IT infrastructure.

Conclusion
Do not mistake research for reality. There are many successful simulations that happen in a laboratory that never make it to the real world. Real-world hacking is a lot harder than it looks on stage at the Black Hat convention.

Don't fall victim to the hysteria. Don't be a child, quivering in bed at the phantoms in the backyard. It's OK to enjoy the security theater, but don't mistake the exploits that happen on stage for the ones that truly pose risk to your enterprise.

 

For more information, please call 888.ANITIAN, or email Anitian Enterprise Security.