In early August I attended my 11th Black Hat USA conference in sunny Las Vegas, Nevada. Black Hat is the somewhat more corporate sibling of the annual DEF CON hacker convention, which follows Black Hat. Since my first visit to both conferences in 2002, I’ve kept tabs on the themes expressed by computer security practitioners. This year I heard a new refrain: “If you can’t protect it, don’t collect it.”
Reducing risk of cyberattack
A deluge of breaches continues to plague corporate, non-profit, educational, and public organizations. In my recent Brookings article “If you can’t keep hackers out, find and remove them faster,” I offered strategic guidance on how to detect and respond to intruders. By catching attackers after they gain unauthorized access, but before they steal, alter, or destroy data, defenders can prevent an intrusion from becoming a breach. A complementary strategy, reflected by several colleagues at Black Hat, involves reducing the amount of information at risk.