LAS VEGAS -- During the last 15 years, software makers have improved their security practices while enterprises have deployed better security defenses, but the improvements have pushed cybercriminals to target vulnerable humans rather than vulnerable code.
That was a key theme that emerged Wednesday at the
Social engineering techniques are now the basis of most successful enterprise attacks, with many cybercriminals stealing account credentials to penetrate enterprises, snatch intellectual property or snoop on government agencies. Defenses, in turn, will likely be less focused on technology and more on legal and policy tactics, said Bruce Schneier, CTO of BT Counterpane, and one of several prominent experts participating in the panel discussion.
Schneier said contractual arrangements could begin to drive security and privacy between people and the companies with which they do business.
"We are terrible as an industry in dealing with this targeted attack," Schneier said. "We're good at stuff that randomly goes after things, but we aren't good at defending against that targeted attack."
In addition to Schneier, the panel included security luminaries Jeff Moss, Black Hat's founder; Adam Shostack, senior program manager in Microsoft's Trustworthy Computing Group; Marcus Ranum, chief of security for Tenable Security Inc., as well as cybersecurity legal and policy expert Jennifer Granick, general counsel of Worldstar LLC. The panelists were chosen to participate by Black Hat conference planners because they all took part in the first Black Hat conference held in 1997.
More from Black Hat 2012
For more news, analysis, commentary and video interviews from Las Vegas, visit SearchSecurity.com's 2012 Black Hat special coverage page.
The panelists agreed that the changes in the information security industry during the past 15 years have been dramatic. A lack of trust and transparency -- driven primarily by the use of outsourcing and cloud-based services -- has fueled an erosion in the amount of control people and businesses have over the security and privacy of their data.
The panelists urged enterprises to make investments in people by bolstering forensics and malware analysts, and adding well-staffed incident response teams. From a technology perspective, the experts advocated a stronger focus on configuration and change-management activities to mitigate the problem of runaway privileges and misconfigured systems that open up pathways for cybercriminals to gain access to sensitive resources.
"You are going to want employees who are generalists," Ranum said. "[In the cloud] you've got extremely specific services that solve a specific problem like payroll. For your workforce, you need people to understand payroll systems at large, rather than at the specific level."
There has been a movement in the security industry to create technologies that can detect and isolate an attack before it becomes a serious problem, rather than trying to block every one of the constant attacks at the perimeter. Schneier said those technologies are aimed at making it faster to recover from a breach when it inevitably happens.
"As an industry we've been telling people, 'Buy our stuff, you'll be magically safe,'" Schneier said. "I'm glad we're finally saying, 'God, you're screwed; buy our stuff when you are breached.'"
U.S. legislation considered in Congress during the past year aims to foster information sharing to improve information security, but the panelists said the bills lack incentives to share threat data and could overstep their bounds. Moss, who serves as CSO of ICANN, said he was discouraged by the government's role in fostering information sharing, saying that when the government gets involved with good intentions, it often causes liability issues and other problems that entangle most threat information-sharing groups.
When sharing becomes prescribed and formalized, Moss said, often the "intention is good, but in the end, I'm worried about the outcome."
Moss said the government excels at spending money in places where the private sector isn't. It has the ability to jump-start technology research, drive adoption of technology within agencies and departments, and in turn push the security market to create new products.