Black Hat 2018: Michael Howard talks IoT technology risks

August 21, 20184 minute read

Select article text below to share directly to Twitter!


On August 8, Black Hat 2018 catapulted into full swing at the Mandalay Bay Convention Center in Las Vegas, Nevada. As the largest annual hacker conference, Black Hat isn’t your average tech trade show—it’s a hacker’s paradise of cutting-edge security briefings, tech demos, and high-energy parties.

Last year’s conference brought 17,500 security professionals to the Mandalay Bay. While 2018 attendance stats haven’t been released yet, I can personally testify there have been a lot of nerds in cargo shorts walking around Vegas. There’s no way to see it all, but I prioritized a highly anticipated IoT technology session by HP’s Head of Security Practice Michael Howard and Senior Security Advisor Jason O’Keeffe: Securing Endpoints Using Analytics and a Proven Framework.

When I last spoke to Michael Howard, he was coy about what this session would cover aside from analytics, but let me tell you: These two genuinely funny and friendly security pros delivered on analytics, stats, real-world examples, and a whole lot more.

Understand the state of IoT technology security risks

Gartner forecasts that 20.4 billion connected things will be in use worldwide by 2020, all of which will need securing. Meanwhile, the Identity Theft Resource Center tracked a 44.7 percent increase in security breaches from 2016 to 2017.

Clearly, the stakes are high, but Howard identified the perfect area to start with on your journey to secure every endpoint on your network: security hygiene. To achieve a solid state of security hygiene, you simply need to tackle the basics of endpoint protection. However, doing so is easier said than done. For example, Howard recalled, “I once worked with a client who had 10,000 devices on their network, which were invisible to the security team.”

That’s a lot of open vulnerabilities. And leaving that many endpoints unidentified, including printers, is far from the best cybersecurity hygiene practice. There are also risks that can’t be mitigated easily, including the biggest piece of malware on a company network—humans. To protect against human error and other risks difficult to lock down, the best tactic is to adopt smarter endpoint protection, including IoT technology with embedded security.

As Howard stated, “You must make sure all devices touching the network are cyber-resilient.”

Recognize your unsecured IoT technology

Jason O’Keeffe also shared some real-world examples of IoT threats and exploits, which were equal parts scary and thrilling. For hackers, finding unsecured printers can be as easy as using a basic search engine for internet-connected devices. O’Keeffe said, “I once worked with a client who had 200 printers, each of which was worth $18,000. None of these printers had basic protection.”

That’s an incredible amount of IoT technology to leave wide-open, especially considering one real-world cybersecurity incident O’Keeffe encountered. A hacker gained access to a network and some mission-critical corporate data by pulling key info from an unprotected printer. The hacker didn’t have to work too hard, considering the printer lacked any administrative passwords.

Listen to your IoT devices

“The key is to go back and listen to your devices,” according to O’Keeffe. Once you’re listening to IoT technology analytics, security teams then need to digest this information.

If your printers and other IoT devices have embedded security and analytical capabilities, you’ve got an advantage when it comes to stopping cybersecurity threats from turning into real cybersecurity incidents. If your printers and other IoT devices aren’t protected, it’s time to push vendors to embed security and analytics into them. As customers, speaking up to demand stronger endpoint protection can make a big difference.

Develop a framework for endpoint protection

Do you know your IoT risk profile? Many organizations don’t even know what’s on their network, let alone whether they’ve performed basic security hygiene activities, such as password-protected printers. To create a strategic framework, you’ll need analytics and data from:

  • Security incident and event investigation
  • Security assessments
  • Security data analytics

Turn intelligence into solutions

If there was an unofficial theme to Black Hat, it would be turning data into action. The past few years in cybersecurity, there’s been a focus on identifying risks through bug finding and threat hunting. However, just identifying a threat doesn’t improve security. You need to act on this data to close gaps and improve your organization’s protection.

Intelligence without action is useless—at least when it comes to the threat vector. In Black Hat’s opening keynote, Google’s Head of Engineering Parisa Tabriz asked the bug fixers in the audience to stand up. Thousands of attendees gave a round of applause for the cybersecurity pros making a real difference.

BHUSA 2018 Opening Keynote by Google's Parisa Tabriz

Knowing about IoT endpoint threats and gathering data on them is the first step, but you need to apply that knowledge by taking that data and turning it into specific security policies.

The security climate is scary, and few nerds on the ground would dispute the fact 2017 was the hardest year yet. There’s not much you can do about the growth of cybersecurity threats, but when it comes to blocking out the majority of risks, Howard recommends these three tips:

  1. Adopt smarter endpoint devices with analytical capabilities
  2. Listen to your IoT devices to understand what you’re up against
  3. Apply first-hand intelligence to create a strategic security framework

Curious to read more security insights from Michael Howard and Jason O’Keeffe? Check out, “How vulnerable are you through print security?” and “Black Hat 2017: Michael Howard talks sheep, hackers, and urgency.”

Stay tuned for more coverage of Black Hat 2018 on Tektonika by clicking “subscribe” at the top of the page, and come back in the next few days to read more from Jasmine. In the meantime, check out last year’s conference highlights here: “Black Hat 2017: How I survived a 17,500-hacker conference.”

  • Recommended for you
  • Recommended for You