-
Discussion Boards
- Welcome to the Community
- 1 categories, 6 boards
- Desktops and Workstations
- 1 categories, 12 boards
- Mobile
- 7 boards
- Networking
- 6 categories, 20 boards
- Operating Systems
- 7 categories, 76 boards
- Printing and Digital Imaging
- 1 categories, 17 boards
- Partner Solutions
- 2 categories, 5 boards
- HP ExpertONE
- 4 boards
- Solutions
- 1 boards
-
BlogsEnglish
- Community Home
- >
- Software
- >
- Enterprise Security
- >
- Following the White Rabbit - Security & Risk through a new looking glass
- >
- Lessons from Black Hat & Defcon 19 - It's Easier t...
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Email to a Friend
- Printer Friendly Page
- Report Inappropriate Content
Lessons from Black Hat & Defcon 19 - It's Easier to be the Bad Guy
I read a good interview with Charlie Miller on the TomsHardware.com, and it reminded me of that quote from the IRA that I had forgotten. I'm quoting the author here -
After the Brighton Bombing in ’84, the IRA released a statement that included the line "...remember we only have to be lucky once. You have to be lucky always."
Lesson #1: As the defender, your job is at least an order of magnitude harder than the hacker.
That's absolutely correct. As the attacker, you typically have the luxury of time and resources. You can avoid the well-fortified front gate and go around back and jiggle the handles on the doors no one thinks to lock. This is real-life attacking. Attackers have time on their side, and know that it is human nature to over-protect the things we value, but to forget to protect those things that we feel are not-so-important ...even though they are often connected to those super-critical things.
Lesson #2: You have to understand how things are connected together to understand risks, form a defensive strategy.
This year's Black Hat conference, and Defcon 19 reminded me of this quite well. There was no shortage of hacking things such as insulin pumps, automobile remote start/open systems over SMS, and other random stuff that proves that breaking in, is harder than keeping the bad guys out.
Then, a friend sent me this: http://twitpic.com/61jqgu which is basically someone asking "do I get points for getting the diagnostic screen on a poker machine?? :-) " ...proving that amongst the many things compromised at the Rio Hotel & Casino - the PA system, elevators, light/sound, registration system, ATMs, poker machines and pretty much every other thing that was electronic - there was no shortage of breaking... and the defenders clearly lost, big.
What sort of advice can I offer, then? If being a defender is so much harder, what's the strategy? I really would really like to see a lot of the breakers turn into defenders, or at least try it. I'm not saying hacking is easy - but let's face it, after attending Black Hat, Defcon, and BSides LV ...you start to lose hope just a little.
-
-
Follow Us on Facebook
-
Follow Us on Twitter
-
Follow Us on LinkedIn
-
Follow Us on Flickr
-
Follow Us on Youtube
-
Follow Us on SlideShare
-
Follow Us on Google+
- The [Hidden] Cost of Software Security Fixes in En...
- HP ShadowLabs deepens the talent pool
- Melville's "Bartleby the Scrivener" and what it te...
- Let's talk business agility (Survey analysis)
- Root Cause Analysis (RCA) - a critical skill
-
Logging: Opening Pandora's Box - Part 4 (Awareness
... -
Logging: Opening Pandora's Box - Part 3 (Paralysis
... - Why does software security keep falling off your b...
- Keeping Security Relevant - From Control to Govern...
- Logging: Opening Pandora's Box - Part 2 (Elation)
- John Kozlowski(anon) on: Let's talk business agility (Survey analysis)
- todd mahnom(anon) on: Root Cause Analysis (RCA) - a critical skill
- DeeLima2(anon) on: Why does software security keep falling off your b...
- Olivier Saudan(anon) on: Keeping Security Relevant - From Control to Govern...
- Clerkendweller on: Logging: Opening Pandora's Box - Part 2 (Elation)
- reswob10(anon) on: Logging: Opening Pandora's Box - Part 1 (Anxiety)
-
Neira Jones(anon)
on:
NoOps and the Evolving Role of Informatio
n Securit... -
cpfoutz(anon)
on:
Missing Opportunit
ies - Making things worse by ask... - Sidragon(anon) on: Cyber Weapons - Bits instead of bullets but damage...
- Phil Cox(anon) on: Patch Management in the Cloud - It's About Consist...
-
0day
(2) -
2009 prediction
(1) -
30_in_30
(30) -
academia
(1) -
academic hack
(1) -
administrivia
(1) -
adware
(1) -
Agile
(1) -
Agility
(1) -
AJAX
(1) -
AJAX security
(1) -
alerting
(1) -
ALM
(1) -
announcement
(2) -
announcements
(2) -
anonymity
(1) -
application development
(3) -
application security
(12) -
application security case study
(1) -
application security program
(1) -
application security program challenges
(3) -
application security testing
(2) -
application security workshop
(1) -
assessments
(1) -
attribution
(1) -
audience
(1) -
authentication
(1) -
automated testing
(2) -
automated tools
(1) -
automation
(3) -
Black Hat SEO
(1) -
black-box testing
(1) -
blackbox
(1) -
blacklist
(1) -
breach
(3) -
breach impact
(2) -
browser
(1) -
browser database
(1) -
bsides
(1) -
budget
(3) -
business case
(1) -
business intelligence
(1) -
business logic defect
(2) -
business value
(1) -
businessweek attack
(1) -
businessweek hack
(1) -
byod
(1) -
change control
(1) -
change management
(1) -
CIO
(1) -
CISO
(5) -
Cloud
(4) -
cloud computing
(20) -
cloud security
(11) -
cloudpocalypse
(1) -
ColdFusion
(1) -
Commentary
(1) -
complexity
(1) -
compliance
(6) -
compromise
(4) -
Computer Security Institute
(1) -
conference
(2) -
conferences
(7) -
Converged Cloud
(1) -
crisis management
(1) -
critical infrastructure
(1) -
Cross-Site Scripting
(2) -
CSI Conference
(1) -
cyber security
(2) -
cyber war
(1) -
cybercrime
(1) -
data breach
(15) -
data breach notification
(1) -
data compromise
(1) -
data loss prevention
(8) -
data sanitization
(1) -
data-flow analysis
(1) -
defects
(2) -
defense
(1) -
defense in depth
(1) -
development
(4) -
development psychology
(1) -
DevOps
(2) -
dynamic analysis
(4) -
educating developers
(2) -
education
(1) -
EFD
(1) -
ehealth
(2) -
encryption
(2) -
enterprise application security
(1) -
Enterprise security
(49) -
Enterprise Security Intelligence
(2) -
enterprise security management
(1) -
enterprise security services
(1) -
enterprise web application security program
(2) -
ethics
(1) -
evolution
(1) -
Execution Flow Based Testing
(1) -
Failed
(1) -
failure
(1) -
federated identity management
(1) -
file upload
(1) -
firesheep
(1) -
functional specification
(2) -
future of web application security
(1) -
guest blog
(2) -
hack
(2) -
hacked
(3) -
hacking
(15) -
hacking demonstration
(3) -
hacking file upload hacking
(1) -
hacking incident
(2) -
hacking web application logic
(1) -
hacking workshop
(1) -
Hacktivism
(6) -
haktivism
(1) -
healthcare
(2) -
HITECH
(1) -
holistic security
(1) -
HTML 5
(1) -
HTML5
(1) -
HttpOnly
(1) -
https
(2) -
Hybrid Analysis
(1) -
hybrid delivery
(1) -
ICANN
(1) -
identity theft
(1) -
IE
(1) -
iis security
(1) -
incident
(5) -
incident handling
(1) -
incident response
(9) -
incidents
(1) -
industry commentary
(1) -
Information Management
(1) -
information security
(16) -
InfoSec World 2009
(2) -
Innovation
(1) -
input validation
(2) -
Instant-ON Enterprise
(2) -
interview
(1) -
IPv6
(1) -
ISSA
(1) -
IT Performance
(4) -
KPI
(3) -
KPIs
(5) -
legacy applications
(2) -
liabiilty
(1) -
live hacking workshop
(1) -
live web application hacking
(1) -
logging
(4) -
logic defects
(1) -
logic flaws
(1) -
Malware
(1) -
malware distribution
(1) -
marketing
(1) -
Metrics
(4) -
misconceptions
(1) -
mobile application security
(2) -
Mobile Applications
(2) -
mobile security
(2) -
mobility
(1) -
movie theater hacked
(1) -
Mozilla Bug 178993
(1) -
NetOps
(1) -
News
(2) -
noops
(1) -
online shopping
(1) -
ooda
(3) -
ooda loop
(2) -
OOPS
(30) -
open source
(2) -
open-source software security
(1) -
Operations Manager
(1) -
OSS security
(1) -
OWASP
(6) -
Password Security
(2) -
patch management
(1) -
patchwork cloud
(7) -
PCI Compliance
(2) -
PCI DSS
(3) -
penetration testing
(1) -
perform better
(2) -
phishing
(2) -
phpBB
(1) -
phpMyAdmin
(1) -
planted bug
(1) -
plug-in
(2) -
poccast
(1) -
podcast
(3) -
politics
(2) -
ponemon
(1) -
president hacked
(1) -
privilege
(1) -
process improvement
(1) -
program failures
(1) -
program maturity
(1) -
program secrets
(1) -
provisioning
(1) -
psychology
(2) -
QA
(7) -
quality
(4) -
Quality Management
(1) -
Quality testing
(1) -
reality check
(1) -
requirements management
(1) -
Research
(1) -
Rich Internet Applications
(1) -
risk analysis
(1) -
risk management
(8) -
risk mitigation
(1) -
risk rating
(1) -
ROI
(1) -
SaaS
(3) -
sandbox
(1) -
sandboxing
(1) -
SCADA
(1) -
school hack
(1) -
scurity vulnerabilities
(1) -
SDL
(1) -
SDLC
(3) -
Search Engine Optimization
(1) -
SecBiz
(10) -
SecOps
(1) -
secure code development
(1) -
security
(6) -
security architecture
(2) -
security automation
(3) -
security awareness
(2) -
security budget
(1) -
security conference
(3) -
Security Conferences
(5) -
security defects
(1) -
security fail
(21) -
security intelligence
(2) -
security operations
(1) -
security program
(8) -
security relationship
(1) -
security requirements
(1) -
security testing
(7) -
security tools
(1) -
security vulnerability
(1) -
securitycurity program
(2) -
Securityity Bloggers Awards
(1) -
service management
(1) -
services
(1) -
SIRM
(1) -
slides
(1) -
social engineering
(1) -
social media
(1) -
software defects
(1) -
software design
(1) -
software development
(1) -
software quality
(7) -
software security
(7) -
software security assurance
(34) -
sofware security assurance
(2) -
speaking
(2) -
SQL Injection
(3) -
sql injection attack
(1) -
ssa
(12) -
standards
(1) -
StarWest
(1) -
static analysis
(1) -
static code analysis
(2) -
strong authentication
(1) -
student hacker
(1) -
study
(2) -
talk
(3) -
talks
(2) -
technology
(1) -
technology strategy
(1) -
terminology
(1) -
testing
(4) -
testing methodology
(1) -
threat analysis
(1) -
threat assessment
(1) -
threat intelligence
(2) -
threat modeling
(1) -
TLS
(1) -
tools
(2) -
Top x
(1) -
trade shows
(1) -
transparency
(1) -
trends
(1) -
trust
(2) -
Twitter
(1) -
uncommon sense
(1) -
user-agent
(1) -
voting system
(1) -
vulnerabilities
(2) -
Vulnerability
(1) -
vulnerability context
(1) -
WDPRS
(1) -
Web 2.0
(4) -
web application
(2) -
Web application firewall
(1) -
web application hack
(1) -
web application hacking
(1) -
web application hacking live
(1) -
web application security
(23) -
web application security awareness
(3) -
web application security business case
(2) -
web application security case study
(1) -
web application security program
(4) -
web application security workshop
(1) -
web application vulnerability
(2) -
web applications
(4) -
web hack
(2) -
web server error
(1) -
web.config
(1) -
Webinar
(1) -
WebKit bug 10957
(1) -
webmail
(1) -
whitebox
(2) -
whitelist
(1) -
workflow vulnerability
(1)
- « Previous
- Next »
