The Cycle Continues: Black Hat USA 2022 — Day 2 Recap
Black Hat USA 2022 has officially wrapped, and the attendees will soon leave the heat of Las Vegas behind to go back to their organizations with some fresh perspectives on fighting the good fight. The day 1 theme of community was prevalent from the get-go again today, starting with the keynote address.
Once again, Jeff Moss kicked things off, addressing the evolving relationship the Black Hat community has with the media. Moss pointed out that Black Hat has always been about bringing new voices to the infosec community and that includes the press. Unfortunately, the press hasn’t always been so kind to the group, resulting in a love/hate relationship. Like any organization, Moss pointed out, a good media interview can result in showcasing the community’s great work and educating the public about cybersecurity topics, while a bad interview can cast its work in a negative light or perpetuate the “criminal” hacker stereotype. Thankfully, as cybersecurity issues have become more mainstream, the community’s relationship with the press has evolved in a positive way.
Moss then welcomed to the stage, Kim Zetter, an author and investigative journalist with an impressive résumé that includes cybersecurity writing roles at WIRED, the New York Times Magazine, the Washington Post, Yahoo! News, Vice Magazine, and more. One would be hard-pressed to find a more appropriate journalist to address the Black Hat crowd.
Zetter explained that in the beginning of her career, cybersecurity reporters almost exclusively worked for tech press. The mainstream media would assign a general reporter to the story only when a major incident occurred. Over the last 10 years or so, the major news outlets woke up and realized the importance of hiring reporters to translate security to the general public.
Zetter’s presentation, titled “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed,” examined decades of cybersecurity developments, including the lead-up to the Stuxnet discovery in 2010. That discovery opened the eyes of the security community to a sector it previously ignored: the operational networks and industrial control systems that manage critical infrastructure. This was when cybersecurity became linked to national security.
Since Stuxnet, the cybersecurity industry has made tremendous strides. Security technology is far more advanced than in 2010, and despite all their work, organizations still suffer from incidents that have major consequences—-and that were totally predictable (we might even say preventable).
Zetter explained that organizations will always experience incidents that no one saw coming, but they could foreshadow more incidents before they occur. So while it’s important that we look back at the history of watershed cybersecurity events, we must also watch for the signs of what’s to come—and take the proper precautions to prepare now.
This sentiment was present—albeit to a lesser degree—in the session by Nathan Hamiel titled, “From Hackathon to Hacked!: Web3’s Security Journey.” This presentation examined the security maturity of Web3 projects, built on blockchain technology. While the tech community recognizes the term “Web3,” it’s still an emerging technology with some kinks to work out. When combined with the fact that small teams, with no security systems or safeguards in place, run many of the Web3 projects, these projects become juicy targets for cyber criminals.
Even though Web3 is still such a nascent space, it faces a lot of the same challenges as the nation’s critical infrastructure. There are basic security best practices that both areas still don’t follow. And this is true across the business landscape. At Expel, we often see companies not applying patches, or lacking simple email filters to reduce phishing attempts, or misconfiguring their cloud settings.
So what should we as an industry do? It comes back to community. We should heed the advice of Kim Zetter, and pay close attention to the warnings of impending vulnerabilities and ransomware attacks to sense what’s coming, and take the appropriate steps to prepare. Security challenges are only increasing in sophistication and frequency, and we can’t wait for major incidents to happen before dealing with them.
While this all sounds very dire, if Black Hat USA 2022 showed anything, it’s that this community is able to meet these challenges head on, and usher in a new age of security.