I'm Off To Black Hat USA and BSidesLV - Why Aren’t There Eight of Me???

By Ariel Robinson, Host and Editor of The Tech Effect

It’ll be my first time attending both Black Hat USA or BSides Las Vegas (BSLV) and as I’m going through the 2017 schedules I’m finding myself in want of Hermione Granger’s Time Turner.

Here’s what I’m excited about. If you’re going, let me know! Maybe we can divide and conquer.


The Commoditization of Security Solutions: Will You Be Replaced by a Small Script?’ – BSLV

Speaker: Nathan Sweaney

Ah, the question of our age: how soon will your special skillset be replaced by a machine? And is there anything you can do about it?

From the Abstract: “Security technologies and solutions change constantly. Today's new hotness will be tomorrow's old news and distinguishing features will be defaults in the next version. The insane pace of the digital arms race makes it difficult to keep up with the latest trends and skills. In this talk I'll explore this phenomenon & look at examples over the last 30 years to demonstrate a consistent pattern in the technology lifecycle. Then I'll outline proactive steps to prepare yourself to maintain a career in this field. By the end of this talk, you'll walk away with practical guidance on preparing for the future, avoiding burnout, and building your skill-set in a way that will prevent you from being replaced by a small shell script or the next security appliance.”
 

 

 

The Human Factor: Why are we so bad at security and risk assessment?’ – BSLV

Speaker: John Nye

From the Abstract: “How does the science of human perception and decision making influence the security sector? How can we use information about how people make decisions to create more successful security professionals?”

As I’ve explained time and again in my own talks, security won’t work until it works for everyone. That means we need to think more about how humans work in order to make tools and systems that work better for them. Fellow cognitive scientist John Nye will be applying what we’ve learned from the science of decision making to information security in what will undoubtedly be an incredibly valuable talk.
 

 

 

Infecting the Enterprise: Abusing Office365+Powershell For Covert C2’ – Black Hat

Speaker: Craig Dods

From the Abstract: “As Enterprises rush to adopt Office365 for increased business agility and cost reduction, too few are taking time to truly evaluate the risk associated with this decision. This briefing will attempt to shine a light on the potential hazards of Microsoft's SaaS offerings while also demonstrating a practical example of what a malicious actor can do when Office365 is allowed into the Enterprise.”

I just hope he gives some examples of how enterprises and individual users can protect themselves.
 

 

 

Regulatory Nets vs. The Fishing Hook of Litigation’ – BSLV

Speaker: Wendy Knox Everette

From the Abstract: “What sort of legal and policy choices would lead to more secure and safer software and computing-enabled devices? The patchwork of existing legal regimes in the US is based on regulations imposed on a few verticals (finance, healthcare, and education in particular)… the policy choices we preference now may have long reaching effects. This talk will explore the implications of relying on software liability or other ex-post options vs. regulations or similar ex-ante choices.”

In other words, failing to plan ahead can be a pretty poor strategic move. Stay tuned for a write up of Wendy Knox Everett’s talk.
 

 

 

Why Most Cyber Security Training Fails and What We Can Do About It’ – Black Hat

Speaker: Arun Vishwanath

From the Abstract: “To date, the only pro-active, user-focused solution against spear phishing has been cyber security awareness training. However, multiple lines of evidence—from continuing news stories of bigger and bolder breaches to objective academic assessments of training effects—point to its limited effectiveness.” University at Buffalo associate professor Arun Vishwanath has developed a new approach to user training, one that takes individuals’ differences into account.

I’ll be looking out for his thoughts on how we communicate about cyber security, and whether or not he thinks.

 

NOTE: Arun Vishwanath will be participating in the discussion around human factors in Debra Farber's expert panel – Power To The People - Knowledge Is Power – being streamed live during Black Hat USA 2017.

 

 

Magical Thinking … and how to thwart it.’ – BSLV

Speaker: Mara Tam

From the Abstract: “For all the progress we’ve made – as a community, as an industry, as a discipline – describing the brittleness of our IT infrastructure and 'the shape of the beast’ (what is this hacking stuff anyway?), we’re not seeing much in the way of obvious returns in two key areas: procurement and policy.

We know what's broken; we even mostly know how to fix it. We fight the good fight from the C-suite to Capitol Hill. Yet often we lose. Why?”

If only Mara Tam’s talk was not at the exact same time as mine! Understanding how we’ve gotten to where we are, with major cybersecurity incidents despite billions of dollars spent, will be critical if we want to avoid making the same mistakes.