5 Black Hat Security Lessons For CIOs - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Leadership // IT Strategy
12:52 PM
Eric  Lundquist
Eric Lundquist
Connect Directly

5 Black Hat Security Lessons For CIOs

Beyond the bearded coders and men in black suits was a trove of security best practices for enterprise IT.

The Black Hat conference convenes in Las Vegas each year to discuss the latest hacks, cracks, and IT security fissures. The crowd ranges from bearded coders wearing T-shirts emblazoned with arcane programming references to straight-backed, men-in-black CIA types lurking on the periphery. CIOs, even if the subject matter is among their least favorite, must pay attention to security.

Here are five takeaways from Black Hat.

1. Understand what you're protecting. The conventional IT security concepts of "behind the firewall" and "securing the perimeter" are outdated in a world of mobile devices and social networks. CIOs must take a hard look at what information they must make widely available versus the information they must restrict.

A compartment approach to security was one of the themes raised at Black Hat by former FBI executive assistant director (and now CrowdStrike president) Shawn Henry. Henry, whose keynote address was short on tactics and overly long on warnings about impending cyberwarfare, was right on the concept of protecting some data by not putting it into the generally available corporate data pool. For instance, should you make all of your company's customer data available for statistical analysis, or only the customer activity data (without identifying information) for the last year?

2. Read the fine print on cloud contracts. Remember those past controversies about software vendors' liabilities (or lack thereof) for the defects in their products? If you actually read those license documents, you would often find that the vendor's liability didn't extend beyond the cost of the software. So even if your company's intellectual property documentation suddenly went kaput because of a word processing glitch, the software vendor (if it was at all responsible) was only on the hook for the amount your company paid for the program.

[ Another Black Hat lesson: How to Find Sensitive Data In Cloud Before Criminals Do. ]

As you move to include cloud services in your IT infrastructure, you must understand the vendor's security responsibilities and liabilities if someone hacks into your data. Licensing agreements may not be your idea of fun reading, but someone on your team must do this due diligence. There's some evidence that the move to cloud computing has slowed as executives investigate the technology, business, and legal ramifications.

3. When it comes to mobile security, think backward. Smartphones were designed for an always-on, mobile world connected via myriad carrier networks and Wi-Fi hotspots. So smartphone vendors had to design security into the device from the start. Common on enterprise smartphones are application sandboxing, separation of the operating system from the user data, built-in encryption, and remote data wipe--technologies that often aren't on enterprise desktops and laptops.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.
CIOs are wise to look at the mobile security model as the goal for all of the organization's user devices, rather than hold off on deploying mobile devices out of security fears. This year's Black Hat included the first presentation by Apple on security aspects of the iPhone iOS software.

4. Developers and security professionals don't need to party together, but they sure do need to work together. Software development too often takes place in its own realm of user interfaces and rapid deployment, with security an afterthought. Security pros are consumed with patching past errors rather than spending time at the early stages of application design. "Developers are in charge," security researcher Dan Kaminsky said at Black Hat.

5. Data and physical security will come together--finally.The "Internet of Things" and machine-to-machine communications mean that not only is your data infrastructure at risk of being hacked, but also your heating, electrical, and numerous other physical systems. A hack of the familiar hotel keycard systems was one of the highlights at Black Hat.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/2/2012 | 5:37:14 PM
re: 5 Black Hat Security Lessons For CIOs
Andy, the intrinsic value of stolen usernames, passwords and email addresses from an online gaming site like Gamingo may not be apparent at first blush. However, as you point out, since many people reuse the same passwords on multiple sites including sensitive banking and financial applications G the fallout from this and other apparently innocuous data breaches is being underestimated. Any company that gathers and stores customer information needs to make sure the data is unusable if it is stolen.

User Rank: Apprentice
7/31/2012 | 7:50:20 PM
re: 5 Black Hat Security Lessons For CIOs
You make several salient points here. Considering the mountains of data on enterprise networks today it is crucial to understand the value of data and the necessary safeguards required to protect your critical assets.

Generating internal buy-in and agreement on priorities and acceptable risk are key in securing assets and funding for protecting them.

A little forethought and planning goes a long way in security!

User Rank: Apprentice
7/31/2012 | 7:24:30 PM
re: 5 Black Hat Security Lessons For CIOs
Eric, what role does TRANSPARENCY play? All to often, we may have a predisposition to "hide" what's going on. Is this what you mean by, "... Developers and security professionals don't need to party together, but they sure do need to work together". --Paul Calento http://bit.ly/paul_calento
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
7/28/2012 | 8:02:42 PM
re: 5 Black Hat Security Lessons For CIOs
If the end of point 2 is accurate, and I really hope it is, that's a great thing.

While I really like the idea of cloud computing, organizations absolutely MUST sit down and look at the risks associated with adopting this technology in it's currentl state. The push to make data and applications available to anyone authorized from any authorized device has the fallout of only being a secure as the authorization methods used.

Weak password here, lack of proper encryption there, a little social engineering and you'll see your confidential business data on the e-reader screen of your neighbor on the train tomorrow (if it's not in the headlines of the newspaper already).

Andrew Hornback
InformationWeek Contributor
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
Graph-Based AI Enters the Enterprise Mainstream
James Kobielus, Tech Analyst, Consultant and Author,  2/16/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll