Cybersecurity Pros: Fresh Challenges Face 'Next Generation'Experts Urge Them to Collaborate, Demand More From Vendors, Guide the Government
"Are we in the business of solving security, or are we just here for the ride?"
So asked veteran security researcher Daniel Cuthbert in a keynote speech at Black Hat Europe 2022 in London on Wednesday.
Questions about whether the cybersecurity profession will be the collective master of its own destiny, and how this should be achieved, have been major themes dominating the Black Hat Europe 2022 conference.
In her Thursday keynote speech "Cybersecurity: The Next Generation," cybersecurity veteran Jen Ellis said either the profession gets ahead of Cuthbert's question on its own or outside actors will force the question. That's because the explosion in mobility and internet of things devices has opened users to new types of harm: that are not just virtual but physical.
"This changes the stakes and changes how we think about the impacts of cyber risk. In fact, it's so important that governments have responded," said Ellis, who regularly advises governments through her various roles, including as a co-chair of the Ransomware Task Force and adviser to the CyberPeace Institute and Global Cyber Alliance, among others.
The U.K. government's Department for Culture, Media and Sport in 2018 published a code of practice for IoT that contains 13 basic secure by design principles it urged manufacturers to adopt. Lawmakers have been considering making them a legal requirement.
DCMS has also been exploring whether certifications for cybersecurity professionals should become mandatory. For now, the U.K. government has not opted to make certification a requirement. Keeping it that way will require engagement from the audience and other cybersecurity practitioners, Ellis said adding that it's in their best interests to help the government get things right.
Can the industry collectively guide its own future? "We're an industry based on pointing out problems. We are professionally cynical. We have to be; there's nothing wrong with that. It's actually a great quality," Ellis said. "What we're not so good at though is working together to find solutions and to find alignment. … What that means in the context of this conversation is that if people decide that we should have mandatory certification, it will be handed to us rather than us having developed it for ourselves."
To put that another way: As the societal risk posed by cybersecurity increases, don't expect old approaches, solutions or attitudes to continue to apply - in part because everything continues to change so quickly, and many more stakeholders are now involved.
Echoing opening conference remarks Wednesday from Jeff Moss, the founder of Black Hat and Def Con, Ellis identified the never-ending increase in complexity as a significant challenge to better security (see: As Complexity Challenges Security, Is Time the Solution?).
Hacking group L0pht testified before Congress in 1998 that it could take down the internet in 30 minutes or less. Twenty years later, the group testified again, minus the 30-minute claim. "But they did say that a lot of the same issues they had talked about 20 years earlier were still present," she said. "They talked about how the complexity is only increasing … the attack surface is increasing. So the fact that we're still seeing the same issues is a real problem."
In the meantime, it's up to the next generation to begin taking over from the likes of L0pht. "They're now in a position where they actually are business leaders," Ellis said. "Some of them work in the government. Some of them are retiring with the hard-earned money that they have earned through a career in security."
Ellis said she wasn't necessarily urging attendees to add to their existing workloads by joining advisory boards to help the government design better guidelines or regulations, which can sometimes drive needed change. But she said one essential step for cybersecurity professionals today is to help consumers - including their own business - understand that they can effect change, for example, by demanding things such as a software bill of materials, or SBOM, which details what components are in a software or hardware product.
"The whole point of SBOM is to say to large-scale buyers, big companies: You have buying authority. You can demand better from your vendors. The manufacturers you work with should not be exposing you to risk intentionally," Ellis said. Of course, vulnerabilities will creep into software development; it's a complex process. But when vendors choose to not proactively deal with this problem, "that's not OK," she said, and that is when the consumers of such technology need to push back and say: "No, it's not acceptable. It's not good enough."
Holding vendors to account doesn't just involve SBOMs, but also demanding that vendors do more to make their products more secure, by modeling threats, understanding their own supply chains and pushing SaaS versions of their software, says Cuthbert, who's a veteran bug hunter and member of the U.K. government's new cyber advisory board.
The industry arguably has a long way to go, thanks in part to a pervading, engineering-driven mindset that too often seeks new tools to fix the old tools. Cuthbert recalled from early in his career the introduction of firewalls to protect online services. But needing port 80 to be kept open made it easy for attackers to bypass firewalls, which led to the introduction of web application firewalls, only for them too to be "bypassed at an alarming rate" by researchers as well as criminals, he said.
"That was a big part of how a lot of security tools around you grew up - knee-jerk reactions to the fact that a product that you wanted to rely on was not built securely, so we had to then go get another product … and hope to God that that product did the job. And then the offensive community came out and tore apart that product," Cuthbert said. "Here we are in 2022, and that problem still exists today."
Litmus Test: Phishing Attack Success
Even problems that in theory should be easy to stop, such as phishing attacks, remain pervasive. "For me, phishing is a systematic problem of where we are as an industry, in that you should be able to click on something and not have it push a reverse shell out to somebody else," he said, adding that more training isn't the solution that is required.
What doesn't help, he added, are manufacturers failing to take responsibility for doing more - such as Microsoft failing to block macros in Office by default until just earlier this year, despite it being a top attack vector.
At a code level, Cuthbert recommends a rigorous focus not just on eliminating bugs but on reducing the size of a code base - which will leave room for fewer bugs - as well as eliminating any code that isn't trusted. The theory of how to do this is well known. Now, he said, the challenge remains adoption.