5 Black Hat Security Lessons For CIOs - InformationWeek
IT Leadership // IT Strategy
12:52 PM
Eric  Lundquist
Eric Lundquist
Connect Directly
Building Security for the IoT
Nov 09, 2017
In this webcast, experts discuss the most effective approaches to securing Internet-enabled system ...Read More>>

5 Black Hat Security Lessons For CIOs

Beyond the bearded coders and men in black suits was a trove of security best practices for enterprise IT.

The Black Hat conference convenes in Las Vegas each year to discuss the latest hacks, cracks, and IT security fissures. The crowd ranges from bearded coders wearing T-shirts emblazoned with arcane programming references to straight-backed, men-in-black CIA types lurking on the periphery. CIOs, even if the subject matter is among their least favorite, must pay attention to security.

Here are five takeaways from Black Hat.

1. Understand what you're protecting. The conventional IT security concepts of "behind the firewall" and "securing the perimeter" are outdated in a world of mobile devices and social networks. CIOs must take a hard look at what information they must make widely available versus the information they must restrict.

A compartment approach to security was one of the themes raised at Black Hat by former FBI executive assistant director (and now CrowdStrike president) Shawn Henry. Henry, whose keynote address was short on tactics and overly long on warnings about impending cyberwarfare, was right on the concept of protecting some data by not putting it into the generally available corporate data pool. For instance, should you make all of your company's customer data available for statistical analysis, or only the customer activity data (without identifying information) for the last year?

2. Read the fine print on cloud contracts. Remember those past controversies about software vendors' liabilities (or lack thereof) for the defects in their products? If you actually read those license documents, you would often find that the vendor's liability didn't extend beyond the cost of the software. So even if your company's intellectual property documentation suddenly went kaput because of a word processing glitch, the software vendor (if it was at all responsible) was only on the hook for the amount your company paid for the program.

[ Another Black Hat lesson: How to Find Sensitive Data In Cloud Before Criminals Do. ]

As you move to include cloud services in your IT infrastructure, you must understand the vendor's security responsibilities and liabilities if someone hacks into your data. Licensing agreements may not be your idea of fun reading, but someone on your team must do this due diligence. There's some evidence that the move to cloud computing has slowed as executives investigate the technology, business, and legal ramifications.

3. When it comes to mobile security, think backward. Smartphones were designed for an always-on, mobile world connected via myriad carrier networks and Wi-Fi hotspots. So smartphone vendors had to design security into the device from the start. Common on enterprise smartphones are application sandboxing, separation of the operating system from the user data, built-in encryption, and remote data wipe--technologies that often aren't on enterprise desktops and laptops.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.
CIOs are wise to look at the mobile security model as the goal for all of the organization's user devices, rather than hold off on deploying mobile devices out of security fears. This year's Black Hat included the first presentation by Apple on security aspects of the iPhone iOS software.

4. Developers and security professionals don't need to party together, but they sure do need to work together. Software development too often takes place in its own realm of user interfaces and rapid deployment, with security an afterthought. Security pros are consumed with patching past errors rather than spending time at the early stages of application design. "Developers are in charge," security researcher Dan Kaminsky said at Black Hat.

5. Data and physical security will come together--finally.The "Internet of Things" and machine-to-machine communications mean that not only is your data infrastructure at risk of being hacked, but also your heating, electrical, and numerous other physical systems. A hack of the familiar hotel keycard systems was one of the highlights at Black Hat.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/2/2012 | 5:37:14 PM
re: 5 Black Hat Security Lessons For CIOs
Andy, the intrinsic value of stolen usernames, passwords and email addresses from an online gaming site like Gamingo may not be apparent at first blush. However, as you point out, since many people reuse the same passwords on multiple sites including sensitive banking and financial applications G㢠the fallout from this and other apparently innocuous data breaches is being underestimated. Any company that gathers and stores customer information needs to make sure the data is unusable if it is stolen.

User Rank: Apprentice
7/31/2012 | 7:50:20 PM
re: 5 Black Hat Security Lessons For CIOs
You make several salient points here. Considering the mountains of data on enterprise networks today it is crucial to understand the value of data and the necessary safeguards required to protect your critical assets.

Generating internal buy-in and agreement on priorities and acceptable risk are key in securing assets and funding for protecting them.

A little forethought and planning goes a long way in security!

User Rank: Apprentice
7/31/2012 | 7:24:30 PM
re: 5 Black Hat Security Lessons For CIOs
Eric, what role does TRANSPARENCY play? All to often, we may have a predisposition to "hide" what's going on. Is this what you mean by, "... Developers and security professionals don't need to party together, but they sure do need to work together". --Paul Calento http://bit.ly/paul_calento
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
7/28/2012 | 8:02:42 PM
re: 5 Black Hat Security Lessons For CIOs
If the end of point 2 is accurate, and I really hope it is, that's a great thing.

While I really like the idea of cloud computing, organizations absolutely MUST sit down and look at the risks associated with adopting this technology in it's currentl state. The push to make data and applications available to anyone authorized from any authorized device has the fallout of only being a secure as the authorization methods used.

Weak password here, lack of proper encryption there, a little social engineering and you'll see your confidential business data on the e-reader screen of your neighbor on the train tomorrow (if it's not in the headlines of the newspaper already).

Andrew Hornback
InformationWeek Contributor
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll