Black Hats – Function or Fashion?
If you’re like many people, you’ve either been in Vegas this week, or you’ve been getting a few extra newsletters describing the heavily publicized antics that went on at this year’s Black Hat conference.
Unfortunately, I fell into the latter category.
Like years past, Black Hat delivered as advertised. Although the Secret Service didn’t halt any sessions for purposes of national security, there were some great pieces.
Black Hat (and DEF CON) always provide security professionals with plenty of new things to think about. I suppose that’s why they’ve become the most popular security conferences in the world.
But let’s be honest, they’re a lot like fashion shows.
I find fashion shows hilarious. A bunch of high-brow, Paris-types, with more time than other things convene and parade utterly garish clothing that’s entertaining and thought-provoking, but not in the least bit wearable. The ornaments, trappings and meatpuppets draped over wafer-thin models will never see a department store rack, let alone the closet in your home.
Kinda like Black Hat.
Please don’t take this the wrong way – I love Black Hat, DEF CON and the spirit behind these events. It’s just that they tend to be a distraction from what’s going on in the real world.
For example, one presentation suggested that businesses add offensive tactics to their arsenals. The presentation went on to purport that attacking, or “bringing pain to” your attackers has simply become necessary and other security tactics have become obsolete.
Another presentation, titled “Catching Insider Data Theft with Stochastic Forensics” gave attendees a look at how to predict unpredictable things in a precise way.
Yet other research focused on compromising iris recognition systems.
I feel like I need to repeat that these researchers are doing a great service, and their findings are truly revered.
However, most businesses can’t even manage to use decent passwords. They don’t patch. They don’t train their employees. Forget about introducing stochastic forensic analysis, most companies don’t have a shredder.
There was some really great research presented this year on circumventing web application firewalls, trust models and the latest findings on malware in the wild. You could say that some of these fit like an old pair of jeans.
The rest will probably stay in the closet until next year.