Top 10 things I learned at Black Hat:
- Hackers don’t look like they do in the movies. Well, some do, but not the majority of them. Hacking is less emo than you think.
- It’s also more boring than it looks in the movies. It’s really a long process of finding vulnerabilities in an environment and matching them to exploits. It’s more like data analysis than playing some kind of video game.
- Manage your vulnerabilities. Risk equals vulnerabilities multiplied by assets multiplied by threats (R = V x A x T). You can’t do anything about threats. Not much use trying to explain to your organization that they have too many assets. Vulnerabilities are the one factor you actually control.
- It’s really just the plain old vulnerabilities that already have patches available that you need to be interested in. 99.9% of successful attacks exploited known and patchable vulnerabilities.
- Everything has vulnerabilities. Hardware, software, applications.
- Obsessive patching seems like a good idea to me. If the manufacturer has taken the time to write and release a patch, we should get it deployed.
- 6 days is too long to spend in Las Vegas. 1 or 2 is too short. 3 or 4 is good. Anything past that, the place gets on my nerves.
- Have a cyber-crisis plan and drill it like you drill your DR plan. The “Bad Day” is inevitable.
- We need to train more people in basic hacking skills. Even if you’re not penetration testing for a living, it’s hard to defend if you don’t know what an attacker’s perspective is.
- At the craps table, always back up your bet on the pass line. It’s the best bet on the table. (Thanks to JRM)