IANS Faculty were front and center providing key insights at this year’s Black Hat Conference in Las Vegas. Black Hat and its edgier sibling, DEF CON, bring together thought leaders and security pros from all facets of the infosec world – from corporate and government sectors to academic and even underground researchers.
IANS Faculty members Allison Miller and Jake Williams hosted the Fireside Chat at the IANS Security Summer Camp - just two of our many expert security practitioners featured during the week. Jake and Allison shared feedback from their week in Las Vegas.
Key Takeaways with IANS Faculty Jake and Allison from Black Hat 2023
What were the topics that resonated with you at Black Hat this year?
Generative AI Offerings: Are Promised Capabilities Real?
AI product offerings were one of the dominant themes of the week for Jake, particularly the number of vendors that emphasized generative AI as a potential capability.
“I was amazed by the number of vendors with various AI offerings. It was rare to hit a vendor booth that wasn't talking about how they were using AI or intended to use AI,” said Jake. “Maybe 10% could explain how AI in these products actually helped clients. I think one of the big takeaways is that AI is overhyped currently. If a vendor can't explain how generative AI is going to help you create better outcomes – consider this a buyer beware moment.”
The Changing Role of the CISO
The shifting role and responsibility of the CISO, from technical expert to all-around business risk expert, generated numerous discussions during the week.
Allison pointed out, “Even as the CISO role is maturing in terms of how we're thinking about it, getting more specific on responsibilities - it is also expanding as business is changing. A good example is how we’re seeing the CISO role becoming a bridge over to governing AI. How did that become the CISO’s responsibility? Just because it's new and sort of dangerous?”
“As business and the world come up to speed on AI, we always think about the security concerns. Along those lines, we also discussed CISOs knowing and being integrated into the business versus a few years ago. CISOs will undoubtedly face changes in liability that will redefine future CISO contract negotiations,” Jake added.
“With all of the winds of change, the upside is that we finally are seeing CISOs and cybersecurity not just as ‘data security’. Not just securing corporate systems from external attackers, but also functioning as the technology risk officer of the business. The downside is that we still don't have great language for communicating risk to the rest of the business and we are often seen as an expense category, not a strategic capability. We're still not past those misconceptions when we’re interacting with the different units of the business,” said Allison.
SEC Cyber Rules and CISO Liability
There was much talk around the new SEC cyber disclosure regulations and their long-range implications for CISOs’ own personal liability.
“This is interesting because there were a lot of people watching the development of the regulations. The CISO community was hoping that there would be strong direction - something to give both CISOs and boards some guidance. Maybe more of a message that would resonate with the board and with their fellow executives. We don't quite have that yet,” said Allison. “We have regulations and ideas that are going to require a lot of interpretation and negotiation with our partners in legal, and not much upside to try something new. It’s testing the boundaries of what works around personal liability.”
CISO Liability Insurance
“We even discussed D&O insurance during the Summer Camp Fireside Chat and these new areas that weren't previously covered on D&O insurance policies. If I were the CISO for a Fortune 500 company today, I would consider personal umbrella insurance, D&O and maybe even E&O - stacking additional insurance coverage,” Jake noted. “We may also want clauses giving us the option to retain independent counsel, too - it's going to be a lot. Those are hard items to negotiate when you're trying to close on a potential role.”
“If you’re the fantastic candidate and the hiring team receives these requirements and special conditions that other executives don't have - it's just going to make it a little more difficult. It creates more friction for candidates who really want this liability coverage to be part of their comp package,” added Allison.
User Enumeration Vulnerabilities and Attacks
Jake’s big technical takeaway came from an attendee at DEF CON who demonstrated user enumeration that not only confirms a given user account is valid but also maps that user’s pattern of life.
“When are they in meetings? When are they not? If I want somebody to interact with a phishing e-mail for instance, I want it to deliver right when they're at their e-mail box and paying attention to their e-mail box,” he said. “Because it’s executed through Teams and other online presence apps, Microsoft initially did not feel it created a vulnerability, but obviously it’s useful to attackers and that's significant. Just because a vendor doesn’t consider something a vulnerability doesn’t mean it can’t expose or create additional exposure to an attack.”
E-Mail Provider Phishing Vulnerabilities and Attacks
Jake highlighted another vulnerability, this one in MailChannels, one of the large e-mail providers that serves as a marketing remailer. The service could potentially be used to send e-mail on your behalf that gets past phishing filters because it appears to come from a legitimate source; rather than setting up their own mail server, threat actors could use a high-reputation mailing service for the attack. “Once again, it was reported to the provider who did not acknowledge a vulnerability. After visibility at DEF CON, the provider began to lock it down,” he said.
About the IANS Faculty
Our Faculty comprises more than 120 renowned security practitioners with deep, domain-based knowledge who understand - firsthand - the challenges faced by CISOs and their teams.
IANS connects clients with Faculty to help them make better decisions, grow professionally, save time and stay compliant.