
Top Ten Things I Learned at Black Hat

August 19, 2015

I was out at Black Hat last week and I thought I’d sum up some of the things I learned for those of you who couldn’t make it –

Top 10 things I learned at Black Hat:

  • Hackers don’t look like they do in the movies. Well, some do, but not the majority of them. Hacking is less emo than you think.
  • It’s also more boring than it looks in the movies. It’s really a long process of finding vulnerabilities in an environment and matching them to exploits. It’s more like data analysis than playing some kind of video game.
  • Manage your vulnerabilities. Risk equals vulnerabilities multiplied by assets multiplied by threats (R=VxAxT). You can’t do anything about threats. Not much use trying to explain to your organization that they have too many assets.
  • It’s really just the plain old known vulnerabilities that already have patches you need to be interested in. 99.9% of successful attacks exploited known and patchable vulnerabilities.
  • Everything has vulnerabilities. Hardware, software, applications.
  • Obsessive patching seems like a good idea to me. If the manufacturer has taken the time to write and release a patch, we should get it deployed.
  • 6 days is too long to spend in Las Vegas. 1 or 2 is too short. 3 or 4 is good. Anything past that, the place gets on my nerves.
  • Have a cyber-crisis plan and drill it like you drill your DR plan. The “Bad Day” is inevitable.
  • We need to train more people in basic hacking skills. Even if you’re not penetration testing for a living, it’s hard to defend if you don’t know what an attacker’s perspective is.
  • At the craps table, always back up your bet on the pass line. It’s the best bet on the table. (Thanks to JRM)
