Akamai Diversity

The Akamai Blog

Black Hat 2013: What's New In Security? Nothing.

I get the question a lot at conferences like Black Hat: What do I see as the next big thing in security? I usually respond with a blank stare. The reason is that I see absolutely nothing new, and haven't for some time.

Some might say that's a cynical, jaded response. I don't think so. Security doesn't need a constant torrent of new trends to be interesting and important.

A decade ago, when I first started writing about the security industry, it seemed as though I was chasing a new trend every year, then every six months. In the beginning the big news always involved worm outbreaks like Sasser and Mytob. First a big vulnerability would be revealed on Patch Tuesday and then someone would exploit it with the malware. Then the trend shifted from covering that to chasing the latest data breach. From early 2005 onward, every time a company announced it had suffered a breach, reporters like me would have to drop everything and chase it. Eventually, breaches were announced so often that it ceased to qualify as breaking news. Then the trend shifted to such things as hacktivism and the rise of cloud insecurity. The one constant along the way has been the challenge of regulatory compliance, from HIPAA to Sarbanes-Oxley and PCI DSS.

But in more recent years, especially the last two or three, I've seen nothing new. It's the same old threats and the same old technological and cultural challenges. 

Gone are the days when I attended security conferences in hopes of catching a new trend. As I see it, we keep coming to these events in hopes of finding some new morsel of information on how to deal a little more effectively with the same old stuff. 

Sometimes fresh insight comes our way. Sometimes we walk away with more questions than we started with.

Will some major shift take place in the next couple of years? Perhaps.

For now, I'm more interested in how we deal with the older problems that continue to vex us.


Marcus Ranum said pretty much the same thing at Blackhat in 98? As usual his choice of words was a little acerbic, kinda pissed people off. But what he said then is still true today. Security in the same, nothing changes. the weakest link is still the user and the second weakest is the password. Sure technology gets updated but we are still chasing the same basic principles.

I know exactly what you mean, Bill. With all the changes that happened in the last couple of years, there are absolutely a lot of things that we currently don't know about Black Hat. I can only wish it gets better for us from here.

"Form follows function" we were told, back in the '60s, when we were learning to convert manual procedures to RPG.

those manual procedures were paper based. mostly what we did was to "analyze" how the paper based system worked -- and then do the same thing "on computer"

but there was one thing on paper that didn't get converted: when the pen turned into the keyboard authentication,-- was dropped.

that didn't matter much when the bank courier came by at 5 o'clock to pick up the tapes.

Today an electronic funds transfer (EFT) can be launched from an ever increasing variety of sources.

the industry goes on an on ad nauseum about encryption, claiming they are protecting data that way. but they prefer not to discuss authentication -- which is where the real trouble lies

not just in EFT, but more particularly in software distribution. e/mail, for example, has been used to distribute malware. This is done by creating e/mails that are either forgeries or just bait. e/mails are generally not authenticated and this tends to facilitate such activities.

progress has been made in software distributiuon. such as authenticode for msft updates and approved libraries for android apps for phones. but hackers are like mice: if there is a way -- they will find it. today they are shifting to include their malware in the software distribution channel so thast it gets incorporated into "legitimate" apps. Zero-defect procedures will be needed to combat this as everyone involved in building software will need to 'vet' the libraries they are using in their builds.

a better general public understanding of electronic authentication will tend to improve general expectations and lead to a better general practice in electronic communication.

I don't think x.509 is the answer. every computing device should have PGP or GnuPG so that owners can identify which sources they will honor -- for software as well as for EFT.