In the film Red Dawn,the United States was invaded by Communists, forcing ordinary citizens and soldiers alike to take up arms and fight for their freedom. Although fictional, it was an epic tale of cooperation against a common foe, not unlike the situation that corporations and governments find themselves in today, fighting shoulder-to-shoulder with users to fend off the Internet-based attacks of determined adversaries. According to the most recent reports from uscollegeresearch.org, as of June 2011, about 73 percent of U.S. and 65 percent of global Internet users had been victimized by cyber criminals, mainly via social engineering.
The theme of this year’s BlueHat was, fittingly, “We fight for the user.” Whether that user is within our own corporate infrastructure, or is a customer, it is more important than ever for us to stay focused on security by regularly improving our Security Development Lifecycle (SDL), honing our security response, and helping each user avoid social engineering attacks, a leading cause of computer compromise.
BlueHat v11 focused on bringing real-world security threats and issues to light by taking us on a journey that began with discussions about real attacks and adversaries, as witnessed by Context Security. Context Security has performed penetration testing simulating targeted attacks, as well as responded to many victims of industrial Internet espionage and crime. The picture it painted of the adversaries and the targets reinforced the overarching themes and lessons learned at the conference around appropriate risk management and secure product development. The approach must go beyond tools and code review, and into more advanced threat modeling that takes the entire ecosystem into account.
BlueHat, as always, was filled with many memorable talks, which focused on risks that leverage weakness at the seams of deployment, at the interfaces between components, between applications and infrastructure, and amid the relationships of the “trifecta” (the platform, the apps, and the app store), as described in Matias Brutti’s talk. While we as platform providers make our products more secure, we realize that they are not always deployed in ideal scenarios or configurations, and that we must work closely with intermediary vendors like OEMs who are in a position to make changes to specific devices that may decrease the effectiveness of some of our security measures. Andrew Cushman reminded us in his keynote address that in an age of transition toward “The Internet of Things,” where IP-enabled devices (e.g., cars, appliances, medical devices) begin to far outnumber traditional computers and mobile devices, we need to work with the ecosystem to help provide end-to-end security assurance.
Adam Shostack’s talk about the statistics of how malware actually gets onto Windows machines demonstrated that social engineering accounts for 45 percent of compromised systems, versus 0-day exploits, which represents less than one percent of all attacks. Fittingly, Adam works on a team within Microsoft that is dedicated to helping us improve both Microsoft and third party user interfaces. With the work of Adam’s team, we can help users make smart security choices when faced with decisions like “should I proceed to this webpage even though there is an error in its certificate?” when they might not know what a certificate is or begin to guess what it does. Further, the user might not know whether or not the certificate’s issuing certificate authority (CA) was compromised, resulting in fraudulent certificates used in attacks, as was the case with DigiNotar this year and Comodo prior to that.
Moxie Marlinspike wrapped up the conference with a thought-provoking presentation highlighting the journey through the compromise of certificate authority, Comodo, and subsequent consequences (or lack thereof). The fact that the CA system of trust is rigid and does not recover well in cases where CAs are compromised is an issue that we as an influential participant in the ecosystem must consider, even though we did not create the CA system itself. Moxie challenged the audience to envision a new model where trust is agile and the decision of who to trust is made (and can be revoked) by the user.
No matter the threat, whether attacks are random or targeted, whether the attacker is unskilled or sophisticated, we must attempt to protect our systems, data and users. When attacks do occur, we must hone our ability to detect, contain and recover from them quickly. Working with our partners and customers is the best strategy for dealing with and adapting to these threats.
Many thanks go to all the speakers, attendees, organizers, and volunteers for a memorable and enlightening BlueHat v11. We will continue to work together, shoulder to shoulder, defending our Internet neighborhoods from invasion, as we fight for the user in a Blue Dawn.
Strategist Lead, MSRC Security Ecosystem Strategy Team
Katie on Twitter at https://twitter.com/k8em0