In its first-ever hybrid conference, Black Hat USA 2021 opened last week on a somber note. Black Hat and DEF CON founder Jeff Moss gave his usual introductory remarks. He first, however, noted the passing of two infosec leaders within the last year: Philippe Courtot, the former CEO of Qualys, and researcher Dan Kaminsky.
Moss, like a lot of us, said he has been thinking about comparisons of COVID with infosec. “If you think about how doctors approach problems, nobody gets up in the morning and says I'm going to cure cancer. Today, you're not going to wake up in the morning and cure memory corruption or off-by-one problems.”
“And so it's probably unhealthy,” Moss continued, “for you to tell yourself you're going to be the person that cures cancer, but it's totally healthy for you to say, I'm going to be part of a team and we're going to research cancer and we're going to minimize the effects of cancer and we're going to help people with cancer, you can probably have a very long career, and make changes in everybody's lives with that kind of an attitude.”
Moss offered up his opinions on the three modes of immunity in the real world and how they could be applied to infosec.
First, Moss said, there’s the mode where no one is immunized. “There’s a disease rampant in the community but nobody's immunized.” This is the cheapest option; there’s literally no cost to doing nothing.
In the second mode of immunity, Moss said, some of the population is immunized. “The contagious disease spreads through some of the population, and some networks, and some systems are not maintained.” This is lower cost than full immunization, and you're only really helping yourself, he said. “It’s pretty selfish, and if we know anything about the internet, our problems are connected.”
The third mode is a lot more optimistic; that's where most of the population is immunized. “Spread of contagious diseases is contained,” Moss said. “That's what we're working towards, 70%, 80% immunization. In the digital world that might be most networks and systems are maintained, malware is noticed most of the time, and it is removed most of the time. Here, actions are taken to protect other systems besides your own system.”
The difference in this third mode, Moss said, is that you are also concerned about the networks that are around you, not just your own stuff. “You're thinking about the others around you.” There is the most cost here, of course, but the benefit is shared across all systems, the entire internet.
There is no fourth mode, Moss said, where all systems are patched. “There is no system where 100% of the people are immunized -- that just doesn't work. That's just not realistic. There's just too many edge cases.”
Moss concluded, “I just want you to think about what are you doing to try to confer an immunity to those around you? Are you sort of part of the problem? Are you a user, you know, you're just getting the benefit of those around you? Or are you contributing? You know, are you route filtering your BGP routes? Are you doing things to help those around us in the community?”
And with those questions hanging in the air, Moss segued to invite the first keynote speaker, Matt Tait, COO of Corellium, on stage.