Marissa Mayer, Yahoo’s CEO, once said: “People are more productive when they’re alone, but they’re more collaborative and innovative when they’re together.” With that, she made an undeniably compelling case for working together—particularly when tackling one of the world’s most persistent and pernicious problems: cyberhacking.
Between Petya, WannaCry, and the Equifax breach that compromised the personal financial information of over 145 million people, 2017 underscored why cybersecurity conferences matter: they get the best minds in one room to collaborate against cybercrime. From RSA to Defcon, Black Hat, Ignite, and InfoSec World, the 2017 cybersecurity conferences broke down the industry's traditionally siloed efforts to identify vulnerabilities and innovate solutions.
For instance, did you know that the real world holds threats scarier and more sophisticated than anything in a sci-fi thriller? This year, we saw how attackers can use acoustic analysis of keystrokes to make fairly accurate predictions about which platform you are using, purely from the sound of your typing. First guesses were 80 percent accurate, and that number rose to 100 percent after five tries. Then, there was the critical security flaw in an Internet-connected car wash that allowed an attacker with a laptop to sabotage cars as they got soaped and shined. And connected devices in health care facilities, such as an IV pump, can also be hacked, which can put patients at tremendous risk.
If you didn’t get a chance to attend the events, here are some of the key takeaways, insights, and lessons in prevention—straight from the experts. You’re welcome.
1. Watch out for threats hiding in plain sight
The 20-year-old Black Hat conference is foremost among the world’s cybersecurity conferences, bringing together the offense (black hat) and the defense (white hat) to win the cybercrime war. Call them paranoid, but these soldiers understand there are threats everywhere, even at an industry event designed to promote best security practices. That’s why one of the top takeaways of the conference season is to protect yourself from some of the more innocuous threats.
Skip the swag, for instance: infected thumb drives have been passed around as easily as sore throats. And forget about charging your phone or laptop at a public charging port, because a port that can exchange data as well as power exposes you to juice jacking.
2. Dispel shadow IT
Speaking at Black Hat, Chris Olson of The Media Trust stated: “The biggest challenge with digital shadow IT is that there typically is no one individual or department in charge of managing it.”
He also observed that websites are the most overlooked aspect of shadow IT, because there are multiple players with access, such as video providers, social media tools, content recommendations, and chat features—not to mention analytics, data management, hosting, and more.
Olson also maintained that identifying everyone isn't enough: you should have designated managers who evaluate that activity, backed by policies aimed at providing the safest, most secure browsing experience.
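The first step Olson describes, knowing who actually has code on your site, can be done mechanically. The script below is an added example (not from the original article or The Media Trust) that parses a page and lists every external origin it loads scripts, frames, images or stylesheets from, splitting them into the origins you have approved and the ones nobody signed off on. The sample page, the site name `example.com`, and the approved-vendor list are constructed for the example; as a small extra check it also flags third-party scripts loaded without a Subresource Integrity hash, since those can change under you without anyone noticing.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute through which a page pulls code or content from another origin.
LOADING_ATTRS = {
    "script": "src", "iframe": "src", "link": "href", "img": "src",
    "embed": "src", "object": "data", "video": "src", "audio": "src",
}


def same_site(host: str, site: str) -> bool:
    """True if `host` is `site` itself or one of its subdomains."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)


class ThirdPartyCollector(HTMLParser):
    """Collects every external origin the page loads something from, grouped by tag."""

    def __init__(self, site: str):
        super().__init__()
        self.site = site
        self.origins: dict[str, set[str]] = {}
        self.scripts_without_integrity: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = LOADING_ATTRS.get(tag)
        url = a.get(attr) if attr else None
        if not url:
            return  # inline script, or a tag that loads nothing
        parsed = urlparse(url.strip())
        if parsed.scheme not in ("", "http", "https") or not parsed.netloc:
            return  # relative path, data: URI, mailto:, etc. stay first-party
        # Strip credentials and port; "" scheme covers protocol-relative "//host/x" URLs.
        host = parsed.netloc.lower().split("@")[-1].split(":")[0]
        if same_site(host, self.site):
            return
        self.origins.setdefault(host, set()).add(tag)
        if tag == "script" and not a.get("integrity"):
            self.scripts_without_integrity.append(url)


def inventory(html: str, site: str, approved: set[str]) -> dict:
    """Return the page's third-party origins, split into approved and unknown."""
    parser = ThirdPartyCollector(site)
    parser.feed(html)
    parser.close()
    unknown = {h: sorted(t) for h, t in parser.origins.items()
               if not any(same_site(h, a) for a in approved)}
    known = {h: sorted(t) for h, t in parser.origins.items() if h not in unknown}
    return {
        "approved": known,
        "unknown": unknown,
        "scripts_without_integrity": parser.scripts_without_integrity,
    }


# Constructed sample page: a first-party app, a CDN subdomain, and a handful of
# third-party tags of the kind Olson lists (video, social, recommendations, analytics, chat).
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.example.com/app.js"></script>
<script src="https://cdn.example.com/vendor.js" integrity="sha384-abc"></script>
<script src="//analytics.example-metrics.net/tag.js"></script>
<script src="https://recs.contentwidgets.io/loader.js"></script>
</head><body>
<iframe src="https://player.videohost.example/embed/123"></iframe>
<img src="https://social.example.org/share-button.png">
<script src="https://chat.helpdeskwidget.example/widget.js" integrity="sha384-xyz"></script>
<a href="https://partner.example.net/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    # Hypothetical approved-vendor list; anything else on the page is shadow IT until reviewed.
    report = inventory(SAMPLE_PAGE, "example.com", {"videohost.example", "example-metrics.net"})
    for bucket in ("approved", "unknown"):
        print(bucket)
        for host, tags in sorted(report[bucket].items()):
            print(f"  {host}: {', '.join(tags)}")
    print("scripts without integrity:", report["scripts_without_integrity"])
```

Run this against a saved copy of each page template on a schedule and diff the "unknown" bucket against the previous run; a new origin appearing is exactly the event that needs an owner assigned.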
3. Protect your data with the big three
The sheer volume of daily security alerts can prove exhausting for an IT pro. In a Black Hat briefing, HP security advisor Dr. Kimberlee Brannock said the proper mix of governance, compliance, and security is the smartest way to protect your organization’s data.
Brannock said that selecting hardware, software, and connected devices with an eye toward built-in security features, like advanced threat detection and self-healing capability, can reduce risk. She also recommended reducing access to only necessary individuals and building out policies and controls with strong password protection to make connectivity to the network as secure as possible. Finally, she suggested that effective governance should cover internal stakeholders, vendors, and tech partners to reduce threats and liability.
4. Secure your endpoints
In his Black Hat briefing, HP's chief security advisor Michael Howard noted that at least 70 percent of today's successful data breaches originate from endpoints, such as routers or printers, that aren't secured and are therefore vulnerable to attackers.
More recent targets of attacks like these include the US Chamber of Commerce and Integra. That's why Howard insists that IT teams need to consider each of the 200-plus functions involved in the printing process, including mobile, storage, BIOS, and more. He recommends taking a proactive stand by incorporating smart, self-healing technology alongside schooling staff on security awareness.
5. Know thine enemy
As Olson said at Black Hat, you also need to know that there are many of them. At RSA, security experts from the SANS Institute discussed the seven most common threats to personal, corporate, and infrastructure technology. Among the most underrecognized are:
- Random-number generators: These aren’t all that random. It’s up to device manufacturers to deal with this issue, but users need to be aware that security isn’t guaranteed.
- Dependence on web services: Developers are tasked with fixing this problem, but everyone should be wary of mobile apps—which might not pose a threat on their own, but the service they connect to may.
- Ransomware: Paying up to retrieve your data isn't always the best course of action, because the data has likely been shredded and is inaccessible, even to the attacker. Best practices include backing up offline or using cloud backups with unique usernames and passwords.
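The random-number point above deserves a worked illustration. The SANS remark is about device manufacturers, but the underlying lesson is general: a statistically good generator is not a secure one. The code below is an added example (not from the article or the SANS talk) that goes beyond the specific case: it clones Python's default Mersenne Twister generator from 624 observed 32-bit outputs by inverting its output "tempering" step, and then predicts the victim's next values exactly. The `victim`/`attacker` objects are constructed for the example; the victim is given a random seed so nothing depends on a fixed value.

```python
import random
import secrets

MASK32 = 0xFFFFFFFF
N = 624  # number of 32-bit words in the MT19937 state


def temper(y: int) -> int:
    """The output transform MT19937 applies to each state word (kept for self-checks)."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xor(y: int, shift: int) -> int:
    # Inverts y ^= y >> shift: the inverse is the xor of all right shifts by multiples of `shift`.
    result = 0
    for i in range(32 // shift + 1):
        result ^= y >> (shift * i)
    return result & MASK32


def _undo_left_xor_mask(y: int, shift: int, mask: int) -> int:
    # Inverts y ^= (y << shift) & mask; each iteration recovers `shift` more low-order bits.
    result = y
    for _ in range(32 // shift + 1):
        result = y ^ ((result << shift) & mask)
    return result & MASK32


def untemper(y: int) -> int:
    """Recover the internal state word from one tempered 32-bit output."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_mt(outputs) -> random.Random:
    """Build a random.Random whose future outputs match the generator that produced
    `outputs`, which must be 624 consecutive getrandbits(32) values. The observed
    window need not line up with the generator's internal twist boundary, because
    the twist is computed in place from any 624 consecutive state words."""
    if len(outputs) != N:
        raise ValueError(f"need exactly {N} consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (N,)  # index N: twist before the next output
    clone = random.Random()
    clone.setstate((3, state, None))  # (version, internal state, gauss_next)
    return clone


def demo(seed=None):
    """Victim draws some numbers, attacker watches 624 of them, then both draw five more."""
    victim = random.Random(secrets.randbits(64) if seed is None else seed)
    for _ in range(10):  # the victim has already consumed some values; alignment does not matter
        victim.getrandbits(32)
    observed = [victim.getrandbits(32) for _ in range(N)]
    attacker = clone_mt(observed)
    predicted = [attacker.getrandbits(32) for _ in range(5)]
    actual = [victim.getrandbits(32) for _ in range(5)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo()
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual)
    # For tokens, keys and nonces use the OS CSPRNG instead, e.g. secrets.token_urlsafe(32).
```

The same 624-output attack applies to every language whose default generator is MT19937; the fix is not a better seed but a different generator, which is why anything security-relevant should come from `secrets` (or `os.urandom`) rather than `random`.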
But perhaps the biggest takeaway of all the 2017 conferences is that you can't be too careful. Make it your personal mission to be proactive: look at your network holistically, reduce the number of people who can access it, and encrypt data from end to end. That's the best way to stay protected into 2018 and beyond.