5 Black Hat Security Lessons For CIOs

The Black Hat conference convenes in Las Vegas each year to discuss the latest hacks, cracks, and IT security fissures. The crowd ranges from bearded coders wearing T-shirts emblazoned with arcane programming references to straight-backed, men-in-black CIA types lurking on the periphery. CIOs, even if the subject matter is among their least favorite, must pay attention to security.

Here are five takeaways from Black Hat.

1. Understand what you're protecting. The conventional IT security concepts of "behind the firewall" and "securing the perimeter" are outdated in a world of mobile devices and social networks. CIOs must take a hard look at what information they must make widely available versus the information they must restrict.

A compartment approach to security was one of the themes raised at Black Hat by former FBI executive assistant director (and now CrowdStrike president) Shawn Henry. Henry, whose keynote address was short on tactics and overly long on warnings about impending cyberwarfare, was right on the concept of protecting some data by not putting it into the generally available corporate data pool. For instance, should you make all of your company's customer data available for statistical analysis, or only the customer activity data (without identifying information) for the last year?

2. Read the fine print on cloud contracts. Remember those past controversies about software vendors' liabilities (or lack thereof) for the defects in their products? If you actually read those license documents, you would often find that the vendor's liability didn't extend beyond the cost of the software. So even if your company's intellectual property documentation suddenly went kaput because of a word processing glitch, the software vendor (if it was at all responsible) was only on the hook for the amount your company paid for the program.

[ Another Black Hat lesson: How to Find Sensitive Data In Cloud Before Criminals Do. ]

As you move to include cloud services in your IT infrastructure, you must understand the vendor's security responsibilities and liabilities if someone hacks into your data. Licensing agreements may not be your idea of fun reading, but someone on your team must do this due diligence. There's some evidence that the move to cloud computing has slowed as executives investigate the technology, business, and legal ramifications.

3. When it comes to mobile security, think backward. Smartphones were designed for an always-on, mobile world connected via myriad carrier networks and Wi-Fi hotspots. So smartphone vendors had to design security into the device from the start. Common on enterprise smartphones are application sandboxing, separation of the operating system from the user data, built-in encryption, and remote data wipe--technologies that often aren't on enterprise desktops and laptops.

CIOs are wise to look at the mobile security model as the goal for all of the organization's user devices, rather than hold off on deploying mobile devices out of security fears. This year's Black Hat included the first presentation by Apple on security aspects of the iPhone iOS software.

4. Developers and security professionals don't need to party together, but they sure do need to work together. Software development too often takes place in its own realm of user interfaces and rapid deployment, with security an afterthought. Security pros are consumed with patching past errors rather than spending time at the early stages of application design. "Developers are in charge," security researcher Dan Kaminsky said at Black Hat.

5. Data and physical security will come together--finally.The "Internet of Things" and machine-to-machine communications mean that not only is your data infrastructure at risk of being hacked, but also your heating, electrical, and numerous other physical systems. A hack of the familiar hotel keycard systems was one of the highlights at Black Hat.