There’s No Such Thing As a Cool Vulnerability
If you work in vulnerability management, all the vulnerabilities you’ll hear about at Black Hat are irrelevant. Every year at Black Hat and DEF CON, new vulnerabilities get released, explained and demoed. This year, you’ll see everything from remote car hacks, to hotel room takeovers, to virtual desktop attacks to Google Glass hacks. But once you get back home, don’t let the hype get you. It might be months before the code is weaponized, attacks will still go after the old, reliable vulnerabilities, and chances are, you will have enough security debt to keep your head down anyhow. This is not to say that you shouldn’t go see a talk about hardware level vulnerabilities in the NEST thermostat. It’s interesting. I own a NEST. Go see it.
But when you get back, get back to what matters. In reality, attackers seem to care about efficiency just as much as you ought to. The data shows that attackers shift tactics over time…a lot. Below is a gif of a small sample (past 3 months, week by week snapshots) of attacks and breaches we’ve recorded at Risk I/O, grouped by CVE type (attacks are WASC). The x-axis is the amount of breaches during the week, the y-axis is the week-over-week change.
You can take a closer look at the technical details by signing up for a trial of Risk I/O (this feature is currently in beta, but will be released shortly). More important than these details is the fact that breaches shift wildly week over week, both in variety and in volume. In fact, the vast majority of breaches occur on CVEs published 10 years ago. What this means for us is that the newness of a vulnerability—or the hype assigned to it—is irrelevant. Getting a handle on attackers’ behavior is the only way to know which vulnerabilities matter.
So, given this mindset, which talks am I excited for?
1. Building Safe Systems at Scale: Lessons from Six Months at Yahoo! by Alex Stamos
Alex will detail his first six months as the CISO of Yahoo. He’ll review the impact of the government surveillance revelations on how Yahoo designs and builds hundreds of products across dozens of markets. The talk includes discussion of the challenges Yahoo faced in deploying several major security initiatives and useful lessons for both Internet companies and the security industry from his experience.
2. Epidemeology of Software Vulnerabilities by Kymberlee Price and Jake Kouns
This talk will discuss the proliferation of vulnerabilies through third-party libraries. It’ll use vulnerability data to explore the source and spread of these vulnerabilities through products, as well as actions the security research community and enterprise customers can take to address this problem.
The presentation will describe the techniques and feature sets that were developed by Alex in the past year as a part of his ongoing research project on the subject. In particular, he’ll present some interesting results obtained since his last presentation at Black Hat USA 2013, and some ideas that could improve the application of machine learning for use in information security, specially in its use as a helper for security analysts in incident detection and response. The techniques should be applicable to many types of infosec analytics.
Stay tuned for my recap in case you can’t attend or were busy doing other things in Vegas!