Every year, security experts descend on Black Hat USA 2014 conference to gather, compare notes and share information on the latest security hacks, vulnerabilities and data breaches. The event this year was no less thought-provoking than previous years, with eye opening revelations on how vulnerable we really are to cyber attacks.
While we walked away with a number of key findings that remind us of the importance of always having cybersecurity software in place to provide fool-proof protection to the network, the following three trends stood out as prevalent themes at this year’s event
- Latest target for hackers – the humble USB stick
USB devices have become a ubiquitous part of everyday computer use, but that has led to complacency about how secure they are. At Black Hat USA 2014, there was much discussion about how USB devices are now used to imitate other types of devices in order to spy, steal data or take complete control of a victim’s computer.
These latest findings illustrate how threats often hide in plain sight, using common applications as their infiltration vector, exhibiting application-like evasion tactics, and acting as, or using common network applications for communications and data exfiltration. Most of these applications are unmonitored, or worse, assumed to be completely safe, as in the case of the humble USB stick.
Rather than doing away with USB devices altogether, it is recommended that enterprises deploy a safe enablement policy for common sharing applications by determining which applications are in use and by whom. They can then establish security policies that enable the required applications while blocking others. Key to the success of this recommendation is documentation of the policies, educating users, and periodically reviewing and updating the policy.
- Hackers infiltrating home devices
The growth in net-connected home devices, otherwise known as the Internet of Things (IoT), has brought with it a new set of cybersecurity vulnerabilities, which were a point for discussion at this year’s conference.
Experts agreed that IoTis a ticking time bomb, and called for closer scrutiny of potential vulnerabilities in this space.Central to this problem is the common home router, in which home devices access the internet, providing a potential entry-point for hackers to inflict serious damage right under our noses.
The most logical solution against these attacks is to secure these devices at a network level rather than an endpoint level, overcoming the limitations present in endpoint security functions. In addition, by using the Zero Trust principles of least privilege access with granular segmentation, end-users can secure IoT data and application access with peace of mind.
- Aircraft hacking
Another theme that was prominent at this years’ event was cybercrime targeting aircraft. Recent airline catastrophes around the world have raised the question of whether it is possible for hackers to remotely take over an aircraft’s systems and run it aground.
It just so happens that researchers have figured out how to hack the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems. While they acknowledge that much of their findings were conducted in controlled environments and is extremely difficult to replicate in the real world, this is a grim reminder that when it comes to cybersecurity, hackers will continue pushing the boundaries of what is possible.
With more of the critical infrastructures we rely on now connected, it’s imperative for governments, organizations and enterprises alike to collaborate and share information as quickly as possible in order to actively protect the infrastructure and information systems that sustain our economy.
Even though security vendors continue to develop new types of visibility and techniques to reveal advanced threats, coordination across security disciplines and products has become critical to recognize complex, multi-faceted attacks, and in the case of an aircraft hacking, can potentially save lives as well as sensitive data.