Why is nothing working in cyber security? Cyber Security's Book of Revelations.
I spend a fair amount of time in my current role thinking about future cyber-attacks. Some folks may call this "threat modeling" or even "cyber threat intelligence." I recently had several revelations about cyber security which, although nowhere near as spectacular as, say, the Book of Revelation written by Saint John of Patmos, are worth recording and talking about.
Revelation 1: “I’m from the government and I am here to help.”
It appears to me that most western governments are hypocritical when it comes to cyber security. On one hand, a lot of government organizations and funded projects seek to strengthen cyber security defenses. On the other hand, those very same governments are calling for encryption backdoors and, within the intelligence and law enforcement communities, are hell-bent on eroding an enshrined right to privacy. This duplicity is understandable.
Nation-state motivations regarding cyber-crime are questionable at best and a conspiracy at worst. The Ouroboros (or uroborus) is an ancient symbol depicting a serpent or dragon eating its own tail, and it describes the essence of the problem.
Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five years from 2017 to 2021. No nation-state has the desire nor the motivation to put a 1-trillion-dollar industry, built on cybercrime activity, at risk. The conclusion is that we can expect very little in the way of impactful action against cybercrime, and organizations small and large will continue to face cybercriminal threats that drive a 1-trillion-dollar global cyber security industry.
Revelation 2: “You need product X to protect from attack Y”
A widely accepted cyber security truth, substantiated by multiple vendor reports and think tanks like SANS, is that the vast majority of impactful cyber-attacks occur as a result of a phishing email. Despite the best efforts of email service providers and email filters, we still receive dangerous email containing malicious links or malicious attachments.
Of course, this does not invalidate the entire cyber security industry's products and services that have nothing to do with email; but if email defenses are not part of your security strategy, that decision is not supported by any factual analysis of the most common attack vector used by malicious threat actors.
Ongoing user training is, according to research, the lowest-cost yet highest-impact security control a business can establish. Rather than promoting it, many businesses pay lip service to user training delivered once a year through a dated PowerPoint.
According to the FBI (PDF), the fastest growing trend in cybercrime is the business email compromise (BEC). BEC is a social engineering attack which seeks to create a sense of urgency around a request to wire transfer funds or change banking information.
It is almost impossible to prevent a BEC attack on your organization through technological means alone. Only "BEC aware, security trained staff" and an out-of-band authentication process (verifying the request over a channel other than the email that carried it) have any hope of stopping this type of attack.
It should be noted as well that the GDPR, PCI DSS, and HIPAA all have user training requirements due to staff members' potential exposure to sensitive data or cardholder/banking details. Again, if your user security training program is not a priority, there is a substantial chance you will be victimized by ever-evolving cyber-attacks that use social engineering as a foundational technique.
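To make the two BEC controls named above concrete, here is an added example (not code from the original post) that does two things: a triage heuristic that scores an incoming message on the hallmarks described here (a display name borrowed from an executive, a redirected Reply-To, urgency language, a request to move money or change bank details) and holds it for human review when several stack up, and an out-of-band gate that approves a bank-detail change only after a call-back on the number already on file for the vendor. The sample messages, the executive directory, the vendor record, the keyword lists and the threshold are all constructed assumptions.

```python
"""BEC triage heuristics plus an out-of-band verification gate.

Added example; not code from the original post. The sample messages,
the executive directory, the vendor record, the keyword lists and the
threshold are all constructed assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the people most often impersonated, keyed by lower-cased display name.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Assumed keyword lists for the two BEC hallmarks the post names:
# manufactured urgency, and a request to move money or change bank details.
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|right away|before (?:noon|eod|close of business))\b", re.I)
PAYMENT = re.compile(
    r"\b(wire transfer|wire|bank(?:ing)? details|account (?:number|details)|routing number|invoice)\b", re.I)


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    reasons = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # Display name of a known executive, but not sent from that executive's mailbox.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("display name matches an executive but the address does not")

    # Replies silently redirected to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        reasons.append("Reply-To domain differs from From domain")

    body = msg.get_payload()  # samples are single-part, so this is the text body
    if URGENCY.search(body):
        reasons.append("urgency language in body")
    if PAYMENT.search(body):
        reasons.append("asks to move money or change banking details")
    return reasons


def classify(raw_message, threshold=2):
    """Route a message: hold it for human verification when enough indicators stack up."""
    reasons = bec_indicators(raw_message)
    action = "hold-for-verification" if len(reasons) >= threshold else "deliver"
    return action, reasons


# Assumed vendor master record: the call-back number was captured at onboarding,
# never taken from the e-mail that requests the change.
VENDOR_DIRECTORY = {"acme supplies": {"callback_phone": "+1-555-0100"}}


def approve_bank_change(vendor, callback_number, callback_confirmed):
    """Out-of-band gate: a bank-detail change is approved only after a completed
    call-back on the number already on file for that vendor."""
    record = VENDOR_DIRECTORY.get(vendor.strip().lower())
    if record is None:
        return False, "unknown vendor"
    if not callback_confirmed:
        return False, "no call-back completed"
    if callback_number != record["callback_phone"]:
        return False, "call-back used a number not on file"
    return True, "approved after out-of-band confirmation"


# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: Jane Doe <jd@mail-example.net>
To: accounts@example.com
Subject: Wire transfer

Please process an urgent wire transfer to the new supplier account before noon today.
"""

SAMPLE_VENDOR = """From: Acme Supplies <billing@acme-supplies.example>
To: accounts@example.com
Subject: Invoice 1042

Attached is invoice 1042 for last month's order, payable in 30 days.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("vendor", SAMPLE_VENDOR)):
        print(label, classify(sample))
    print(approve_bank_change("Acme Supplies", "+1-555-0100", True))
```

The triage step is deliberately a hold, not a block: a routine supplier invoice trips one indicator and is delivered, while a message that stacks several is parked for a trained person to check. The gate encodes the process the post calls out-of-band authentication: nothing in the requesting email (including any phone number it offers) can satisfy it.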
Revelation 3: “Your business is the cyber security problem and the cyber security solution”
This is perhaps the largest and most radical idea I've ever considered proposing, but it's based on the idea that the current cyber security challenge has little to do with cyber security controls or their effectiveness. As I see it, the arch-nemesis of cyber security is complexity and technological debt.
Physical network topology in the small and medium enterprise (SME) space is fairly simple: Internet, firewall, internal network, and that's it. The larger enterprise may be more complex, adding a DMZ and perhaps links to other offices or business partners. This relatively simple physical model has not changed very much since the very beginning of connectivity. Logical complexity, on the other hand, has exploded: mobility, hosted services (SaaS) and hosted infrastructure and platforms (IaaS, PaaS) have all conspired to eliminate any semblance of a security perimeter.
Technological debt is amplified by logical complexity. The vast majority of organizations are a hodgepodge of new technology and old legacy systems. Sure, some folks will claim that they are "so out of date they are un-hackable." That may be the case, but I would say to those folks, "What is your disaster recovery capability if your legacy hardware finally packs it in?" Usually, that question drains the color from their faces.
As IT professionals we know that not all versions of Windows, macOS, and UNIX can run all software apps. We also know that on the client side there are many dependencies on 3rd-party apps like Adobe and Java to support those old systems. A quantum leap in security is achieved by supporting technological roadmaps which target legacy systems that are difficult, if not impossible, to secure.
If, for instance, your organization has an old, vulnerable Citrix system, then working with the business to move to something more modern (such as Remote Desktop Services) and decommissioning the Citrix system is going to do more for your security than buying a new security control. Moving your XP, Vista, Windows 7, 2003 and 2008 machines to 2012 and Windows 10 will do more for your organizational security than deploying an expensive anti-malware solution.
The key takeaway here is that a technological road map combined with a coherent digital transformation strategy may actually be more impactful to cyber security than the purchase of more cyber security controls for your organization. The added bonus of this approach is a reduction in complexity, which yields greater predictability in the environment. If complexity is reduced and predictability is increased, the deployment of security tools becomes far more effective at detecting and preventing cyber-attacks.
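The roadmap argument above is easier to act on once the legacy estate is ranked rather than listed. The following is an added example (not code from the original post) that turns a small asset inventory into a decommissioning order: each host gets a score for running one of the platforms named above, for being internet-facing, for serving as a remote-access gateway (the Citrix case), and for carrying old client-side runtimes such as Java, and the hosts that are already on a supported target drop out. The inventory rows, the end-of-support list, the role names and the scoring weights are constructed assumptions; in practice the platform list would come from the vendors' lifecycle data.

```python
"""Legacy-asset triage for a technology roadmap.

Added example; not code from the original post. The inventory rows,
the end-of-support list, the role names and the scoring weights are
constructed assumptions chosen to reflect the platforms the post names.
"""
import csv
import io

# Assumption: platforms the post lists as retirement candidates. A real
# roadmap would take this from the vendors' published lifecycle data.
END_OF_SUPPORT = {
    "windows xp", "windows vista", "windows 7",
    "windows server 2003", "windows server 2008",
}
# Assumed legacy client-side runtimes (the post's "Adobe & Java" dependencies).
LEGACY_RUNTIMES = {"java 6", "java 7", "flash", "adobe reader 9"}
# Assumed roles that act as remote-access gateways, like the post's Citrix example.
REMOTE_ACCESS_ROLES = {"citrix", "rds", "vpn"}
# Assumed weights: unsupported OS first, exposure and gateway role raise priority.
WEIGHTS = {"end_of_support": 5, "internet_facing": 3, "remote_access": 2, "legacy_runtime": 1}


def parse_inventory(csv_text):
    """Parse an asset inventory in CSV form into a list of normalised dicts."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        assets.append({
            "hostname": row["hostname"].strip(),
            "os": row["os"].strip().lower(),
            "role": row["role"].strip().lower(),
            "internet_facing": row["internet_facing"].strip().lower() == "yes",
            "runtimes": {r.strip().lower() for r in row["runtimes"].split(";") if r.strip()},
        })
    return assets


def suggested_target(os_name):
    """Map a legacy platform to the modern target the post names (2012 for servers, 10 for clients)."""
    return "windows server 2012" if "server" in os_name else "windows 10"


def score_asset(asset):
    """Return (score, reasons); a higher score means earlier on the roadmap."""
    score, reasons = 0, []
    if asset["os"] in END_OF_SUPPORT:
        score += WEIGHTS["end_of_support"]
        reasons.append(f"{asset['os']} is out of support; target {suggested_target(asset['os'])}")
    if asset["internet_facing"]:
        score += WEIGHTS["internet_facing"]
        reasons.append("internet-facing")
    if asset["role"] in REMOTE_ACCESS_ROLES:
        score += WEIGHTS["remote_access"]
        reasons.append(f"remote-access gateway ({asset['role']})")
    legacy = asset["runtimes"] & LEGACY_RUNTIMES
    if legacy:
        score += WEIGHTS["legacy_runtime"] * len(legacy)
        reasons.append("legacy runtimes: " + ", ".join(sorted(legacy)))
    return score, reasons


def build_roadmap(csv_text):
    """Rank only the assets that carry technical debt (unsupported OS or legacy runtime);
    exposure and gateway role decide the order among them, hostname breaks ties."""
    ranked = []
    for asset in parse_inventory(csv_text):
        has_debt = asset["os"] in END_OF_SUPPORT or bool(asset["runtimes"] & LEGACY_RUNTIMES)
        if not has_debt:
            continue
        score, reasons = score_asset(asset)
        ranked.append((score, asset["hostname"], reasons))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked


# Constructed inventory, not a real environment.
INVENTORY_CSV = """hostname,os,role,internet_facing,runtimes
ctx01,Windows Server 2008,citrix,yes,java 6
fs01,Windows Server 2003,file server,no,
ws-042,Windows XP,workstation,no,java 6;adobe reader 9
ws-117,Windows 10,workstation,no,
app02,Windows Server 2012,web server,yes,
"""

if __name__ == "__main__":
    for score, host, reasons in build_roadmap(INVENTORY_CSV):
        print(f"{score:>3}  {host:<8} {'; '.join(reasons)}")
```

On the constructed inventory the internet-facing Citrix host on Server 2008 comes first, the XP workstation with two legacy runtimes second, and the internal 2003 file server last; the Windows 10 and Server 2012 hosts are left off the roadmap even though one of them is internet-facing, because the exercise is about retiring debt, not about listing every exposed system.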