Earlier this month I attended DEF CON, one of the world’s largest security conferences. Each year, the event brings together computer security professionals, hackers, security researchers, federal government employees, lawyers, and journalists. One of my biggest takeaways from this event is that the security enthusiast community is very much growing and evolving. The creativity of attendees is always humbling and their passion for learning and sharing that knowledge is difficult to not get swept up in.
Here are eight key takeaways from the conference:
- Administering Microsoft Active Directory (AD) security is complex — New tools and techniques are constantly surfacing to attack Microsoft AD, Outlook Web Access, Exchange Web Services, and general Windows Challenge/Response (NTLM) hash relaying. Limiting the number of administrators and tightening access controls are the most effective ways to mitigate the risk of these attacks.
- The ability to identify programmers from the source code and binaries they produce is an active area of research and surprisingly accurate — Researchers have shown that they can identify the author of a given piece of malware by comparing the source code against legitimate test samples. Researchers have gone as far as parsing Github (the development platform where developers can host code and network with other developers) for test cases to identify the authors of malicious malware found in the wild. The results have yielded an 80% success rate for code that has not been obfuscated. The same researchers plan to move forward with this research by acquiring additional sample data to increase the accuracy rate.
- Social engineering is effective — DEF CON attendees showcased their social engineering abilities by calling legitimate organizations and manipulating the recipients to navigate their browsers to a fake website. The success rate for the recipients trusting the caller and navigating to the webpage was nearly 100%.
- Analysis of older processor types has led to vulnerability disclosures and has made auditing legacy hardware an even more important consideration — Updating legacy hardware or implementing additional layers of protection has become a necessity to prevent an attacker from compromising a network.
- IoT device manufacturers are starting to take security considerations seriously — Many IoT vendors have enrolled in bug bounty programs that allow hackers and security researchers to test the product and submit vulnerabilities for a cash reward. Vendors have also started to implement additional security enhancements such as multi-factor and biometrics authentication to help secure devices.
- Medical devices are gaining attention for becoming more complex, but are not thoroughly vetted from a security perspective — Many medical devices (e.g., defibrillators, heart monitors, and EKG machines) use wireless signals to operate. It has become apparent that many of these devices are configured with default passwords. Security specialists have started to raise awareness to medical facilities to help secure their devices and protect patients.
- New techniques are emerging to attack Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) networks — As a result, the need for stronger keys and policies has grown.
- Industrial control systems (ICS) is a burgeoning topic — ICS is a term that describes the integration of different control systems and software with network connectivity to automate processes and support critical infrastructure. It’s used in practically every industrial sector, including manufacturing, energy, and transportation.
For highlights, presentations, and more information from DEF CON, read more here: https://www.defcon.org/html/links/dc-archives/dc-26-archive.html
About the Author
Justin Karpenski is a consultant at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to joining ACA Aponix, he spent two years as a member of PwC's cybersecurity, privacy, and risk practice where he specialized in the banking and financial services sectors. Earlier in his career, he served as a member of a boutique consultancy firm focused on providing information security services to small businesses and developed software for the retail and manufacturing industries.
Justin earned his MS in Information Technology from Rensselaer Polytechnic Institute and his BS in Computer Science from Massachusetts College of Liberal Arts. He also holds several technical credentials including the Certified Information Systems Security Professional (CISSP) certification.