Strategic CIO // IT Strategy
Commentary
7/27/2012
12:52 PM
Eric  Lundquist
Eric Lundquist
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

5 Black Hat Security Lessons For CIOs

Beyond the bearded coders and men in black suits was a trove of security best practices for enterprise IT.

The Black Hat conference convenes in Las Vegas each year to discuss the latest hacks, cracks, and IT security fissures. The crowd ranges from bearded coders wearing T-shirts emblazoned with arcane programming references to straight-backed, men-in-black CIA types lurking on the periphery. CIOs, even if the subject matter is among their least favorite, must pay attention to security.

Here are five takeaways from Black Hat.

1. Understand what you're protecting. The conventional IT security concepts of "behind the firewall" and "securing the perimeter" are outdated in a world of mobile devices and social networks. CIOs must take a hard look at what information they must make widely available versus the information they must restrict.

A compartment approach to security was one of the themes raised at Black Hat by former FBI executive assistant director (and now CrowdStrike president) Shawn Henry. Henry, whose keynote address was short on tactics and overly long on warnings about impending cyberwarfare, was right on the concept of protecting some data by not putting it into the generally available corporate data pool. For instance, should you make all of your company's customer data available for statistical analysis, or only the customer activity data (without identifying information) for the last year?

2. Read the fine print on cloud contracts. Remember those past controversies about software vendors' liabilities (or lack thereof) for the defects in their products? If you actually read those license documents, you would often find that the vendor's liability didn't extend beyond the cost of the software. So even if your company's intellectual property documentation suddenly went kaput because of a word processing glitch, the software vendor (if it was at all responsible) was only on the hook for the amount your company paid for the program.

[ Another Black Hat lesson: How to Find Sensitive Data In Cloud Before Criminals Do. ]

As you move to include cloud services in your IT infrastructure, you must understand the vendor's security responsibilities and liabilities if someone hacks into your data. Licensing agreements may not be your idea of fun reading, but someone on your team must do this due diligence. There's some evidence that the move to cloud computing has slowed as executives investigate the technology, business, and legal ramifications.

3. When it comes to mobile security, think backward. Smartphones were designed for an always-on, mobile world connected via myriad carrier networks and Wi-Fi hotspots. So smartphone vendors had to design security into the device from the start. Common on enterprise smartphones are application sandboxing, separation of the operating system from the user data, built-in encryption, and remote data wipe--technologies that often aren't on enterprise desktops and laptops.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.
CIOs are wise to look at the mobile security model as the goal for all of the organization's user devices, rather than hold off on deploying mobile devices out of security fears. This year's Black Hat included the first presentation by Apple on security aspects of the iPhone iOS software.

4. Developers and security professionals don't need to party together, but they sure do need to work together. Software development too often takes place in its own realm of user interfaces and rapid deployment, with security an afterthought. Security pros are consumed with patching past errors rather than spending time at the early stages of application design. "Developers are in charge," security researcher Dan Kaminsky said at Black Hat.

5. Data and physical security will come together--finally.The "Internet of Things" and machine-to-machine communications mean that not only is your data infrastructure at risk of being hacked, but also your heating, electrical, and numerous other physical systems. A hack of the familiar hotel keycard systems was one of the highlights at Black Hat.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
7/28/2012 | 8:02:42 PM
re: 5 Black Hat Security Lessons For CIOs
If the end of point 2 is accurate, and I really hope it is, that's a great thing.

While I really like the idea of cloud computing, organizations absolutely MUST sit down and look at the risks associated with adopting this technology in it's currentl state. The push to make data and applications available to anyone authorized from any authorized device has the fallout of only being a secure as the authorization methods used.

Weak password here, lack of proper encryption there, a little social engineering and you'll see your confidential business data on the e-reader screen of your neighbor on the train tomorrow (if it's not in the headlines of the newspaper already).

Andrew Hornback
InformationWeek Contributor
pcalento011
50%
50%
pcalento011,
User Rank: Apprentice
7/31/2012 | 7:24:30 PM
re: 5 Black Hat Security Lessons For CIOs
Eric, what role does TRANSPARENCY play? All to often, we may have a predisposition to "hide" what's going on. Is this what you mean by, "... Developers and security professionals don't need to party together, but they sure do need to work together". --Paul Calento http://bit.ly/paul_calento
jrandels342
50%
50%
jrandels342,
User Rank: Apprentice
7/31/2012 | 7:50:20 PM
re: 5 Black Hat Security Lessons For CIOs
You make several salient points here. Considering the mountains of data on enterprise networks today it is crucial to understand the value of data and the necessary safeguards required to protect your critical assets.

Generating internal buy-in and agreement on priorities and acceptable risk are key in securing assets and funding for protecting them.

A little forethought and planning goes a long way in security!

Joy Randels, CISM,CIPP,CWSP
RichardGorman
50%
50%
RichardGorman,
User Rank: Apprentice
8/2/2012 | 5:37:14 PM
re: 5 Black Hat Security Lessons For CIOs
Andy, the intrinsic value of stolen usernames, passwords and email addresses from an online gaming site like Gamingo may not be apparent at first blush. However, as you point out, since many people reuse the same passwords on multiple sites including sensitive banking and financial applications G㢠the fallout from this and other apparently innocuous data breaches is being underestimated. Any company that gathers and stores customer information needs to make sure the data is unusable if it is stolen.

@a_greenberg
@Forbes
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.