Although this year’s edition of Black Hat and DEF CON USA was a while ago, the topic of IT security remains as important as ever with new challenges appearing every day. This is why we have invited Michal Olawski and Adrian Korczynski – cybersecurity team managers at Comarch – to chat with us. We asked them about what they had learned at the US conferences (the most important events of that kind worldwide) as well as their current challenges.
Are Black Hat and DEF CON really worth participating in? It is such a long transatlantic trip after all.
Michał: Both Black Hat and DEF CON are among the biggest international conferences on cybersecurity in IT. Taking part in them is a great opportunity to increase one’s knowledge of the topic and a chance to meet and talk to the greatest experts in this field.
What were some of the most important topics of this year’s conference?
Adrian: Both conferences dealt at great length with cyberattacks on critical infrastructure (i.e., airports, gas stations, energy suppliers). This kind of infrastructure is currently at great risk given its strategic importance and the unstable geopolitical situation.
There were also many talks on mobile app security. Considering the amount of sensitive information those applications collect, the potential for a security breach is huge.
Were there any presentations you took a particular interest in?
Michał: Both conferences offered a wide selection of presentations on many parallel tracks. I personally chose mainly those lectures that dealt with application security, network security and defense against attacks, preferably with practical examples of exploiting vulnerabilities. These lectures were closest to my interests as well as to the area of security I deal with.
One of the many interesting lectures was a presentation by Jacob Baines from Rapid7 on Cisco ASA Firewalls. This is one of the key infrastructure elements when conducting network security tests and thus quite an obvious target for an attack. During the lecture, Jacob showed in practice how to exploit new vulnerabilities using Metasploit.
Adrian: The most interesting presentations are always the ones that include the so-called “technological meat” – a specific description of how easy it can be (or has been) to break a certain system. On many occasions the reason is a trivial and seemingly unimportant bug in implementation or specification. There were quite a lot of presentations like that at Black Hat and DEF CON.
Another very useful and interesting presentation was the one about the concept of incomplete patches. The speakers – Brian Gorenc and Dustin Childs – showed statistics on how low the quality of improvements/patches delivered by software producers is and how big of a problem it can be.
An “incomplete patch” refers to a situation when a manufacturer releases a patch that is not 100% effective. Along with the patch, information about the existing vulnerability is released as well. In the case of 0-days for popular products, this often encourages the hacker community to start digging deeper. If the patch doesn’t provide 100% security, the resulting situation might turn out to be even worse than before releasing the incomplete patch and before revealing its vulnerability. This shows how significant it is to thoroughly verify all released patches and how important it is to effectively patch the managed environments.
Another interesting thing at the conferences was to listen to the organizers themselves describe their own experience. At the “Annual Black Hat USA NOC Report” lecture, the IBM Security X-Force engineers spoke about how they had secured the technical infrastructure of the conference. Considering the number of participants and their profile (cybersecurity), it truly was an immense task. Among the participants there were people who even sent/received their mail via the Wi-Fi network available at the conference venue without so much as turning on SMTP/IMAP encryption.
The COVID-19 pandemic has greatly sped up the process of digital transformation. Has it brought about any new challenges for cybersecurity specialists?
Michał: The IT infrastructure is getting more and more complex and the informatization of all areas is advancing dynamically. For us it means the necessity to guarantee system security on multiple levels, including integrations with other suppliers.
What we focus on when creating new software is to make sure it follows the SSDLC rule (Secure Software Development Life Cycle). This can be achieved by automating as many tasks as possible.