By Morey Haber, CTO
(Ed. note: This is the second of two blogs. Check out my other blog for a more pessimistic view on our current cyber challenges.)
A month ago, I posted a blog detailing ten reasons to be pessimistic about the state of cyber security. In summary, the world is not coming to an end, but as security professionals we do have some serious problems and need real-world solutions to solve them. While some will continue to argue the glass is half empty versus half full, the rest of us are trying to solve the problems rather than treating them as insurmountable hurdles and complaining.
To that end, here is the rebuttal to the previous blog and ten reasons to be optimistic about the state of cyber security. And yes, they are the same topics with a positive perspective.
Threat actors are one step ahead.
The optimist’s view is that we are only one step behind. While that is not always true, the truth is that the attacks we are facing today are not so sophisticated that no one can figure them out. Yes, threat actors are smart, but security professionals are just as smart. Many of the defences we develop stop variants before they can occur and force threat actors to be overly creative to find the next successful exploit. Simple techniques like removing administrator rights, application control, and even patch management can stop a variety of attack vectors. If you do not believe this, consider this: if you had applied Microsoft MS17-010 within 90 days of release, you would not have been susceptible to WannaCry. If your rebuttal concerns patches for Windows XP and 2003, please review #6. End of life is no excuse for lacking proper protection. Many basic defences counter the one-step-ahead theory.
Modern solutions are not keeping up with evolving threats.
I disagree with this argument. In fact, there are so many new technologies that protect against a single-use attack vector that it is difficult to keep up. The solution is to choose vendors wisely. Embrace ones with a vision and roadmap that adapts to modern threats and provides updates as part of their maintenance, rather than extracting more money from you for each new layer of protection. If you need proof, remember all the add-ons for spyware and adware that anti-virus vendors tried to charge for on top of their base services. Layers of features, advanced functionality, and new tools should be included in a platform rather than requiring you to go back to the well each time. This is how you keep your solutions up to date and allow the natural evolution of your implementations to keep up with the threats.
Cyber security solutions are always defensive, never offensive.
Yes, they are. If your cyber security technology could be used offensively, imagine what would happen if it was compromised and used against you! One of the biggest risks of consolidated solutions like centralised logging, vulnerability management, and directory services is that they become a single point of failure for a plethora of sensitive information and command-and-control capabilities. All it takes is a leak of vulnerability data to help an attacker gain a persistent presence. Now imagine if a threat actor or insider used the technology offensively without proper permission, rationale, or automation, or even as the result of a hack. In this security professional’s opinion, the risks are just too high to consider; cyber security should remain defensive in nature and leave offensive capabilities in the hands of the cyber security professionals in government who use them for warfare.
Not enough cyber security professionals.
I cannot disagree with this one, but we are making progress. Higher education has begun offering classes in cyber security, and even bachelor’s degrees, to prepare the next generation of workers for careers that fill the need. Some of these programs pack years of experience and knowledge into a four-year degree, including CISSP certification, so that students can hit the ground running as soon as they graduate.
Regulatory compliance initiatives are not sufficient.
I would argue that this is the difference between theoretical physics and applied physics. Regulatory compliance initiatives are the guidelines we should (and in many cases must) follow, while the actual implementation requires experience and expertise. This is why we hire security partners, pay for professional services, or embrace system integrators. Their experience and knowledge close the gap: they take the documentation we must follow and make it a reality for our business and our processes. The regulatory compliance initiatives are actually sufficient. We just need to learn from other professionals how to actually get them implemented. The pessimist will stop at stating we can never get this implemented. The optimist will ask who can help us make this work.
No provisions for end of life.
That’s not the vendor’s fault but rather yours and your business’s. Many vendors offer technology that is considered extended life, or a support program (that costs money) to maintain solutions even past their end-of-life dates. Make no mistake, these can be very expensive, but it is up to us to understand the life cycle of a solution we choose rather than blaming the vendor. In addition, there are many layers of technology and security best practices – from segmentation to lateral movement prevention and detection – that can protect these devices well past their end-of-life date. In the end, don’t blame the vendor. We need to make smarter choices or demand extended support for the technology we pick to run our businesses.
Rapid growth in Internet of Things (IoT).
Consider this a teaching moment and a way to share cyber security best practices and education with vendors that have never worked with connected technology before. These vendors are neophytes. They are building technology to make our lives easier, and communication is a key part of the process. They just need to be taught and held accountable for poor designs and implementations, so that the next generation of their solutions will be better and more secure. And yes, there is a right way to handle public disclosure of a discovered vulnerability and a wrong way. I challenge all security researchers to do the right thing and remain patient for fixes while these vendors learn how to develop better IoT products. As an optimist, take the high road here.
Poor basic security hygiene within organisations.
I think we all recognise which cyber security practices in our business are underperforming. The only time the pessimist will win this argument is if no one is doing anything about it or your business is actually devolving. That can happen when key personnel are lost or in a declining market. Take this opportunity to help fix the cyber security basics – from vulnerability management to the removal of administrator rights. If you can master the basics, including patch management, your foundation will help you remain optimistic about any future threats.
Desensitised to breaches.
We all can become numb to the same story over and over again. The truth is, the news reports almost all security breaches the same way: “N” people have had their personal information stolen, or company “X” was hacked and operations were disrupted. The key to not becoming desensitised is to look below the story and into why it happened. If every breach said that the hack occurred due to default credentials, we would not care and nothing could be fixed. The optimist’s view is to investigate the story at a low level and learn from someone else’s mistakes so that it does not happen to you or your business. Each breach in the news should hopefully be different so we can learn. If they are the same attack vector, the pessimist has won and no one cares anymore. We are desensitised.
Potential cyber security issues with the removal of net neutrality.
I believe in the good in human nature and that companies will do the right thing to protect the Internet and our businesses from cyber security attacks. When we misbehave, governments and laws tend to step in to regulate and change behaviour with penalties. If net neutrality is truly at an end, the optimist in me says providers will do the right thing and not throttle or block critical security updates or information. If the pessimist wins, we will have laws prohibiting them from doing so. Government will be forced to step in, and no one wants that. Let’s take the high road again and do the right thing: keep security information open and unrestricted on the web.
Cyber security requires us to embrace change and become optimistic about the challenges we face. If we view the dilemmas with a pessimistic attitude, we will never be successful in protecting our organisations. While we all fall victim from time to time to the no-win state, I can positively affirm after 20 years in information technology and security that things are getting much better rather than much worse or staying the same. However, we must always look at both sides of an argument in order to build our own opinions and, in the case of cyber security, understand how a threat actor thinks and why they behave the way they do in order to prevent the next breach.