By James R. Lint
Faculty Member, School of Business, American Military University
Overview: On August 2nd and 3rd, BSides Las Vegas held its eighth annual information security conference at the Tuscany Suites in Las Vegas. BSides is a community event organized and run by volunteers. The following is a survey of some of the many strategies, insights and experts that enriched the entire two-day experience for cybersecurity professionals.
BSides Keynote Speaker Dr. Lorrie Cranor Discusses Misconceptions in Password Security
The conference kicked off with an outstanding keynote speaker, Dr. Lorrie Cranor, Chief Technologist of the U.S. Federal Trade Commission. Having written over 150 research papers, she’s also a professor in the School of Computer Science and the Engineering and Public Policy Department at Carnegie Mellon University, and Director of the Carnegie Mellon Usable Privacy and Security Laboratory.
A thought leader in the information security industry, Dr. Cranor puts forth revolutionary ideas—especially in changing conventional security practices such as the mandatory password changes conducted in many organizations. Her research data shows that changing passwords is not as effective as one might think. Keylogger software programs detect password changes and can instantly compromise the new password.
She discussed a report by the University of North Carolina that studied 10,000 defunct accounts. The study found that people apply changes in predictable ways, making it easier for UNC to determine future passwords using an algorithm.
The UNC study discovered that users who are annoyed when they must frequently change passwords were statistically shown to create weaker passwords. Consequently, the weaker security choices of some users endangered cybersecurity for all users in an organization.
Dr. Cranor addressed misconceptions on password strength, noting that using keyboard patterns on any mobile device, including diagonal patterns, does not provide security for users. She discredited the infamous belief that an exclamation point at the end of a password offers greater security. To increase information security for passwords, Dr. Cranor recommended that users avoid common words or names and add digits and symbols to increase a password’s strength.
Dr. Cranor also presented an interesting bit of research that asked people to decide which password was more secure: “ILoveYou88” or “IEatKale88”? The password “IEatKale88” is 4 trillion times more secure than “ILoveYou88”. It’s interesting to note how “super” common “ILoveYou” is as a password.
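The UNC finding above, that users modify an old password in predictable ways, is the kind of thing a password-change policy can check for on the defender's side. The following is an added example, not code from the talk or from any of the speakers, of a change validator that rejects a new password when it is a trivial transform of the old one (case change, bumped digits, appended or stripped suffix, leet substitutions) or is built on a common base word. The common-word list, the 12-character minimum and the symbol set are constructed assumptions for the example, not policy values stated in the talk.

```python
import re
from typing import List

# Constructed sample list of common base words a policy might reject.
# A real deployment would use a large breached-password list instead.
COMMON_BASES = {"iloveyou", "password", "welcome", "qwerty", "letmein", "summer"}

_LEADING = re.compile(r"^[0-9!@#$%^&*]+")
_TRAILING = re.compile(r"[0-9!@#$%^&*]+$")


def stem(pw: str) -> str:
    """Strip leading/trailing digits and common symbols and case-fold,
    so 'Summer2016!' and 'summer2017' share the stem 'summer'."""
    s = _LEADING.sub("", pw)
    s = _TRAILING.sub("", s)
    return s.lower()


def leet_fold(s: str) -> str:
    """Undo the most common character substitutions (0->o, 1->l, 3->e, 4->a, @->a, $->s)."""
    return s.translate(str.maketrans("0134@$", "oleaas"))


def is_predictable_change(old: str, new: str) -> bool:
    """True when `new` is a predictable edit of `old` rather than a fresh secret."""
    o, n = old.lower(), new.lower()
    if o == n:                                  # unchanged or case-only change
        return True
    if stem(old) and stem(old) == stem(new):    # same core, only prefix/suffix changed
        return True
    if leet_fold(o) == leet_fold(n):            # only leet substitutions changed
        return True
    if o in n or n in o:                        # appended or truncated
        return True
    return False


def uses_common_base(pw: str) -> bool:
    """True when the password reduces to a common word after stripping decoration."""
    return leet_fold(stem(pw)) in COMMON_BASES


def evaluate_change(old: str, new: str) -> List[str]:
    """Return the list of policy problems with a proposed change (empty = accepted)."""
    problems = []
    if len(new) < 12:                           # assumed minimum length for this example
        problems.append("too short")
    if is_predictable_change(old, new):
        problems.append("predictable transform of previous password")
    if uses_common_base(new):
        problems.append("built on a common word")
    if not re.search(r"[0-9]", new) or not re.search(r"[^A-Za-z0-9]", new):
        problems.append("needs both digits and symbols")
    return problems


if __name__ == "__main__":
    for old, new in [("Summer2016!", "Summer2017!"),
                     ("ILoveYou88", "IEatKale88"),
                     ("P@ssw0rd", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new) or 'accepted'}")
```

The stem-and-fold approach deliberately ignores the decoration at either end of the password, which is where the study found users concentrate their edits; a new password that differs from the old one only there is rejected even though a naive equality check would accept it.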
Expert Haydn Johnson Talks about Organizational Confusion with Information Security
Network penetration tester and vulnerability assessment expert Haydn Johnson of KPMG Canada spoke about his concerns over commonly used information security terms, such as penetration testing, vulnerability assessments and red teams. Managers who contract security testing and assessment services often confuse these terms and have unrealistic expectations about system and network security, he noted.
Johnson described concerns about how to modify scanning tools to keep up with new security vulnerabilities. He advised that information security companies should differentiate themselves from their competition in the future by providing much-needed education to customers about business risks and the impact of security vulnerabilities.
Cybersecurity Research Expert Keren Elazari Calls for Better Computer Software Content Identification
Another thought-provoking speaker was Keren Elazari, a senior cybersecurity researcher and computer security expert from the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University in Israel. Elazari facilitates hacker/security researcher conferences in Israel and spoke during I Am The Cavalry’s track at the BSides conference.
Elazari discussed why security research matters for the coming decades and emphasized that third-party computer software needs to be better identified to determine potential vulnerabilities. She drew a startling comparison—while candy bar labels are required to list all of their ingredients, software has no labels that explain elements of the software code.
There’s danger in buying unfamiliar software. Large, multimillion-dollar companies may purchase smaller software companies, yet not have intimate knowledge of their acquisitions’ third-party software, which could contain harmful viruses.
Other noteworthy topics by Elazari included how “Hacker Heroes” wield their skills for the greater good. They have the knowledge to report on vulnerabilities and assist in the software patch to repair the problem.
BSides Conference Showcases Information Security Nonprofits
One of the interesting tables on display at BSides was The Open Web Application Security Project (OWASP), a nonprofit focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations are able to make informed decisions.
OWASP is in a unique position to provide impartial, practical information about application security to individuals, corporations, universities, government agencies and other worldwide organizations. Operating as a worldwide community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
OWASP will hold a conference in Washington, DC in October 2016, and another conference in Belfast, Ireland, in 2017. Additionally, OWASP has programs to attract women into the application security career field. They also have projects working with military veterans to boost awareness of the critical need for the application security career field.
Similarly, I Am The Cavalry is a grassroots organization that is focused on issues where computer security intersects with public safety and human lives. I Am The Cavalry’s primary concerns are medical devices, automobiles, home electronics and public infrastructure.
During the conference, I Am The Cavalry offered a choice of speakers, including Keren Elazari, for the “I Am The Cavalry” track of discussion sessions. The entire track was excellently managed and facilitated by Joshua Corman and Beau Woods.
With such a diverse choice of speakers and presentations at BSides, it’s hard to see everything. However, this conference offers something for everyone and is well worth attending.
About the Author
James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded the 40th scholarship for national security students and professionals. He has 38 years of experience in military intelligence within the U.S. Marine Corps, U.S. Army, contractor and civil service.
James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has served in the DHS Office of Intelligence and Analysis and at the Department of Energy’s S&S Security Office. James had an active military career in the Marine Corps for seven years and also served 14 years in the Army. His military assignments include South Korea, Germany and Cuba in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” and a new book in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea.”