Corporate IT managers comprise an estimated 42 percent of hacker confab attendees
According to a survey conducted by anti-virus giant Symantec, more business users than ever before attended the Black Hat 2007 security conference held this week in Las Vegas.
Based on the study, which surveyed roughly 400 of the show’s 4,000 registered attendees, people who identified themselves as IT managers comprised a far larger cross-section of the Black Hat audience than in years past, making up some 42 percent of the crowd.
The result marks an impressive gain in the number of business workers attending Black Hat compared to 2006, when Symantec’s survey found that only 26 percent of the audience identified themselves as corporate IT pros. Show-goers and presenters repeatedly noted the apparent shift in Black Hat’s demographic makeup on the show floor this year, as business users continue to spend more energy on addressing security issues, pushed to do so by data governance regulations and the ever-increasing sophistication of malware attacks and electronic fraud.
In previous years, Black Hat was recognized as an event that primarily drew security researchers and all forms of hackers — both ethical and nefarious.
Despite a strong presence from those groups at the show — and the likelihood that such individuals may have been less willing to participate in Symantec’s survey — it was clear from the job titles and companies represented among the attendees that this year’s event had become more corporate in flavor.
While a dominant proportion of the 2007 conference sessions were oriented toward identifying software vulnerabilities and building exploits that can be used to defeat the bugs, the consensus among show-goers was that Black Hat’s sister conference, Defcon, being held in Las Vegas from Friday through Sunday, has taken over as the de facto hacker gathering.
Chief security concerns of IT
Among the business users surveyed by Symantec, concerns with vulnerabilities in Microsoft’s dominant operating systems remained high. Security of the software maker’s Windows XP OS was tabbed as the most pressing security concern for 60 percent of the IT managers who responded.
A larger share of the IT managers participating in the study indicated that they were concerned about potential security problems in Microsoft’s newest Windows Vista OS, despite all of the onboard defense technologies that were built into the product. Some 38 percent of the business IT workers said they were worried about security issues in Vista, compared to 31 percent in 2006. Many respondents who identified themselves as security researchers in Symantec’s Black Hat survey expressed a growing interest in examining Vista’s potential weak points. Only 41 percent of the researchers, however, said that Vista is one of their primary areas of focus, compared to 55 percent last year.
Among all show-goers, some 36 percent said that they were at Black Hat to research security issues related to messaging and scripting technologies, along with those connected to networking infrastructure technologies.
Security concerns related to mobile technologies, virtualization, and Web services were other central issues on the minds of Black Hat attendees, according to Symantec.
Issues of security problems in embedded technologies appeared to weigh less on the minds of respondents to the survey than in years past, with only 5 percent of Black Hatters citing the topic as an area of great interest in 2007, compared to 21 percent only one year ago.
Matters of risk
Symantec said that “job function” and “curiosity” were the most frequently cited reasons expressed among respondents for researching the applications and technologies being highlighted at the conference.
Despite the increasing business focus, Black Hat continues to focus significantly on the makeup and machinations of the hacking community, and how it interacts with technology providers. The ongoing tug-of-war between researchers and technology vendors over what price ethical hackers should be paid for isolating security flaws in commercial technologies — and how those problems should be reported to the public — was one of the more controversial issues being debated at the show.
According to the Symantec survey, 59 percent of attendees said that researchers should be paid at least a fair market rate for their discoveries. But 80 percent of the Black Hat attendees who participated in the study said that by simply publishing vulnerabilities publicly without first working with vendors, researchers put both those companies and end-users at serious risk.