Blackhat 2020 went all virtual this year, like every other conference under the sun. In its 23rd year, folks who normally descend on Vegas didn’t seem to miss Vegas…at all. They missed each other, the camaraderie, the fun, but in more than one session, speakers started with “we wish we were all together” then quickly pivoted to what that speaker despised most about Vegas – the heat, the taxi lines, casino-stench, expensive drinks.
What Informa did well was put community and connection, the engagement and the opportunities to connect, be it with speakers during sessions or with each other in between sessions, front and center. While the “content” of each session was pre-taped, there was always live Q&A and the back and forth that is harder, but not impossible, in a virtual session. It wasn’t the same…but it wasn’t terrible and while attendees knew what they were missing, they didn’t regret investing the time to attend the virtual soiree.
Aside from the event and engagement itself, here are some of my takeaways and thoughts:
The Election is a Big Cyber Deal
A HUGE part of Blackhat was dedicated to Election security, kicking off with a keynote from Matt Blaze, legendary security researcher, McDevitt Chair of Computer Science and Law at Georgetown University, Chairman of the Tor Project, and co-creator of the Voting Village at DEFCON (the hacking conference) who issued a broad call to action for the security community to come to the aid of election security. One CTA that had the chat room buzzing was the suggestion that the best way to secure the election was to have security pros volunteer at polling centers…LITERALLY asking people to be in the room where it happens.
It was telling that Blaze, who has arguably seen a LOT, shared that security of the 2020 United States federal election presented an issue that was “orders-of-magnitude more difficult and complex” than anything he had seen before. Both Blaze and Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA) discussed the problem that was also the solution to fraud and security: Paper.
That’s right…you heard me loud and clear. That thing that was supposedly dead because the internet killed it…paper…is the channel that could save us all. But getting that paper into the hands of voters is what is keeping some researchers up at night, thanks to a complex voting system run by individual states but demanding security and uniformity at the federal level. While the question of how we get paper into the hands of the electorate – and then returned to the right secure destination – is the nightmare du jour, having an auditable record on paper, according to Krebs, is the path to a more secure election. Now if we could just convince people to stop clicking on all those memes and misinformation links!
Letting Your Contractors Go to Prison...Not Cool
Anyone who has ever worked in a services- or consulting-based business has horror stories to share about nightmare clients. The social engineering and physical pen-testers at Coalfire officially set the bar at “our nightmare client let us get arrested, spend the night in prison and be charged with a felony.” They had been hired by the state of Iowa’s Judicial Branch and, let’s just say, it didn’t go well for anyone. If you want the whole story behind it, check out this great summary from DarkReading.
Long and the short of it…the job was to test security. They did…found a bunch of flaws…set off alarms and then literally waited around to see the response. The testers were arrested, spent the night in jail, were charged with felonies, had bail set at an astronomical level, had the business threatened with every type of legal action, and lived through an extended trial drama that ended in total exoneration, with charges dropped, all over an internal power struggle over jurisdiction and who had the power to authorize the testing.
The soap opera turned pen test horror story was less about the actions and testing motions executed by Coalfire and red-team experts Gary De Mercurio and Justin Wynn and far more about the fragility of egos, the peril of turf wars and a stark reminder to have ironclad contracts. Their story has all the makings of a made-for-Netflix movie. The chat stream was filled with bets on who should play De Mercurio, with most voting for Dave Bautista. But in the end, security wasn’t in question…people were.
The Human Toll of Cyber
From the sessions on the election to the tales of pen-testers in prison, and all the medical device, diversity in security and pandemic-related attack dissections in between, the common theme was that security is testing limits…and the human toll is beginning to show. More than enough research was presented across the two days of conference sessions telling the tale of frustrated, stressed-out, overworked and burnt-out security teams being forced to do much more day in and day out with barely a shred of respect.
Security today is a tale of over-tooled and under-resourced teams now having to spend time unravelling the mass of competing data just to get a handle on what is and isn’t a threat. Then there is the reality that internal threats, from espionage to lazy keystrokes that bring down the internet, are growing and making bold headlines.
Nothing discussed at Blackhat 2020 felt like it had an easy fix. The complexity being described in the seemingly simple need to get paper ballots into the hands of voters turned into a massive workflow across competing systems rife with vulnerabilities and little oversight. Hiring pen testers became a human drama of epic proportions. Just onboarding new tools and techniques revealed the pressure teams face as chat streams started to fill with laments over “I wish our leadership team got it,” and shared misery as security teams are being asked to justify spend and deliver tangible returns outside of “we didn’t get attacked this week!”
The frustration in security is real – and we can’t afford to ignore it or assume that new tooling will help. In fact, over-tooling is as much to blame as is a general lack of awareness and education beyond the security community about the threats and issues teams are really facing.
If there is anything I walked away from Blackhat 2020 with it is this: Security needs champions. It has amazing leaders who are more than capable of turning security posture into a strategic advantage for our businesses, our countries and our lives. It has ridiculously talented people wearing white, red and purple team hats and hoodies. What it doesn’t have is help.