Author: Morey Haber, CTO, BeyondTrust
(Ed. note: This is the first of two blogs. Check back here for an “optimistic” spin on our current cyber challenges.)
Is the glass half empty or half full? Do you watch the news? Are you an optimist or a pessimist? One thing we can agree on is that the state of cyber security has continued to be the cornerstone of conversations from the CIO to the boardroom. While it is rare that we can ever firmly get ahead of modern threats, there are many pessimistic views that have become the backbone of our fears. Unfortunately, as we battle the next breach, critical vulnerability, privileged attack, ransomware, or social engineering threat, we find ourselves battling fatigue and the sense that we can never win this battle. In fact, the best we could ever achieve is a stalemate, because threat actors, hackers, and attackers will always try to undermine our governments and businesses and attempt to profit for their own financial gain.
As far as recorded history goes, there have always been thieves, and to date there has never been a society (outside of science fiction) that has solved this problem. For some, this has made us very pessimistic about the state of cyber security. For others, it has made us very optimistic, due to the challenge and the opportunity to improve the status quo.
For the negative Monday blues everyone experiences from time to time, here are the top ten reasons to be pessimistic about the state of cyber security:
Threat actors are one step ahead.
It goes without saying that modern cyber security is reactive to the threats we face today. Once we develop a strategy and technology to combat a threat, threat actors evolve their tactics to circumvent defences or develop new attack vectors to create an incident. While old school attacks are always possible, and occur all the time, the evolution of threats always places the threat actor one step ahead. After all, you cannot develop a defence when you do not know what a threat actor's potential offence is. And, while you can dream up new attack vectors, no matter how good you are, you will always miss something the criminal mind has developed. This always places them one step ahead.
Modern solutions are not keeping up with evolving threats.
While threat actors are one step ahead, it takes time to design, develop, mature, deploy, and test new security solutions. This makes them potentially behind – or worse, obsolete – by the time the threat evolves. This unfortunately points to cyber security defences not evolving fast enough as threat actors change their tactics and attack vectors. If you have trouble relating to this problem, consider how many virus signatures are in a modern endpoint protection solution.
Cyber security solutions are always defensive, never offensive.
This is one of the most highly debated topics for white hat security professionals. Of all the tools in our arsenals, they are all defensive in nature. Cyber security ethics prohibits us from hacking back and becoming offensive. While there are huge legal and moral ramifications in hacking back, we will always be defensive unless things change. This unfortunately justifies the first two pessimistic views since we can never get ahead of them.
There aren’t enough cyber security professionals.
Does this one really need a justification? We are all aware of the deficit of cyber security professionals and the impact on businesses and government. Luckily, this is one of the few pessimistic bullets that actually has a silver lining, as universities and private organisations step up their training on cyber security.
Regulatory compliance initiatives are not sufficient.
While we suffer from shock due to all the regulations we are governed by, they have truly proven to be insufficient in today’s organisations. They provide guidance for everything from application control to log management but falter in explaining how to actually get it done. It is one thing to state that you need a vulnerability management program and must patch all critical vulnerabilities, and a completely separate problem to actually get it working. Don’t get me wrong. The guidance in regulatory compliance initiatives and frameworks is stellar. They share common traits between them, but making them work efficiently and cost effectively in a modern organisation is another matter. It would be ideal if these regulations evolved to include best practices for implementation versus just stating, “get it done”.
No provisions for end of life.
Modern operating systems last approximately twelve years. While some may argue that is plenty of time, I contend it is far too short. If these implementations are working well, based on proven technology, and have become a part of our critical infrastructure for operations, just because they are end of life does not mean we must replace them. Actually, most regulations do require that we replace them, but outdated systems are currently used for power generation and missile defence. They are just too costly and problematic to replace. This means that when granted exception status, we can no longer maintain them with security patches or other modern defensive technology. The provisions we have to protect them are therefore limited, and the problem grows over time as we surpass the end of life date. Businesses have relied on file cabinets and paper for much longer than ten years. Just look at your local library. As we evolve in the next generation economy, even libraries will need to cycle their storage and systems in far less than one human generation. I contend that we have poor provisions for end of life, and that technology of this nature should last at least one generation (25 years).
Rapid growth in the Internet of Things.
There is no doubt this field of technology is explosive in growth. The problem is that many of the products lack basic cyber security hygiene and may even be hard-wired into our homes or cars. Consider if you purchased a doorbell or thermostat that is IoT based. How long will it receive security updates, and what is its end of life? By modern standards, five years is typical. Does this mean you are going to hard-wire a new doorbell, thermostat, or even cameras every three to five years (depending on where in the life cycle you purchased it)? I highly doubt it. This leaves older versions susceptible to potential hacks and supports all of the previous pessimistic statements.
Poor basic security hygiene within organisations.
Even 20 years after the dot com bubble, we still have not mastered basic cyber security hygiene. We still cannot master vulnerability management, patch management, privilege management, log management, etc. These basics are the foundation for any cyber security defence and are absolutely required by any modern defensive security strategy. Therefore, without a well working foundation, the evolution of attacks will evade organisations and make it harder to detect and protect against threats.
Desensitised to breaches.
Every week we hear about another breach in the news. We have become numb. The size, dollar value, and even the leakage of sensitive personally identifiable information have made us emotionless to the information. We all know our personal information is out there and there is no way to truly stay off the grid in this next generation economy. Considering the severity of the breaches in 2017 and what has already occurred in 2018, there is not much more room to shock us and inflict pain. We are truly desensitised to the next announcement and loss of information.
Potential cyber security issues with the removal of net neutrality.
One of the most controversial technology changes of the current United States administration is the removal of net neutrality. While this may get held up in the courts for years, the potential security impact has theoretical implications beyond streaming movies and illegal downloading over BitTorrent. If you consider that all security solutions require updates and signatures, the throttling of this information by a provider could potentially stymie an organisation’s ability to receive the security information needed to defend against an attack. While I acknowledge there is no proof a provider would throttle anti-virus signature updates or security patches for an operating system, without net neutrality there is no reason they couldn’t, nor any legislation that states they must prioritise this data. In addition, while it does give a provider the ability to throttle or block a real-world attack, the discretion of what to throttle or block is not defined either. This leaves the removal of net neutrality as the final pessimistic statement we should consider as having real-world ramifications for the future of cyber security.
Now it is time to reflect on these issues. It is also time to find strength in what we are doing wrong and spin the negative energy into a productive cause. We need to find solutions for these issues; some may be policy, process, attitude, or even product, but in the end, if we succumb to our negative opinions, we will fail. If you are looking for ways to change the culture of pessimism in your environment, embrace any one of these topics and create a challenge. Having differences of opinion is a strength; being pessimistic is not. Empower teams to fix or improve on the issue and reward them when the goal is in sight. We will never permanently solve these ten problems, but accepting that they are reality and that we can combat our natural instincts will only strengthen our defences in the end.