We have been following the same cybersecurity approach, more or less, for over a decade. Yet, most everyone agrees that the problem continues to grow worse. Perhaps we are not on the right course. Maybe we are operating on false assumptions. The following list (to be continued in next month’s column) is meant to promote a dialogue about what, in my view, are widely held cybersecurity myths.
10. The Patch Myth. It is beyond debate that systems administrators should patch their systems and, with few exceptions, should upgrade to current versions of operating systems, firmware and applications. The Patch Myth comes into play in overestimating the value of this basic tenet. On countless occasions, I have heard very smart people suggest that there is a one-to-one relationship between patching vulnerabilities and stopping attackers who take advantage of those vulnerabilities. The real dynamic is far more complicated. Hackers take advantage of the easiest paths first but, when denied, routinely escalate and innovate. Especially when it comes to targeted attacks, hackers do not simply move on to the next guy when they see a fully patched system. Just because X% of intrusions may take advantage of known vulnerabilities, it does not follow as a matter of logic or industry experience that anywhere close to X% of those intrusions would have been eliminated had those vulnerabilities been patched. Hackers evolve.
9. The Invincibility Myth. The Patch Myth is part of a much larger misconception that relates to our having adopted vulnerability mitigation as the central pillar of cyber risk management, with the apparent hope of achieving invincibility. This time-consuming and costly approach, although not without some value when correctly balanced, has come at the expense of properly resourcing threat deterrence and consequence management efforts. It would be nice if security experts could keep all the bad guys out, but it is clear that applying all the secure coding, patching, passwords and spam filters in the world will never result in sufficient security. Rather, the cybersecurity industry has come to realize that early detection aftera breach, followed by rapid containment and mitigation efforts are equally essential. More significant, the world’s cyber insecurity will continue to get worse unless and until individuals and nations are sufficiently deterred from attempting to break into networks in the first place. Successful intrusions almost always occur by hackers who first got away with thousands of unsuccessful intrusion attempts. That dynamic would never be accepted in the physical world, and it has to change for cyber.
8. The Bad Guy Doesn’t Matter Myth. Countless times I have heard companies and government agencies argue that identifying one’s cyber adversaries is of no value. The logic, for those who express this view, is that network administrators must defend themselves against all attack scenarios and do not have the luxury to downselect. The truth is far more nuanced. There are a number of good reasons to integrate cyber threat intelligence into a program. From a practitioner’s perspective the primary advantage is to determine the tactics, techniques and procedures (TTPs) of the hacking groups that have an interest in your data and networks. Doing so allows an organization to develop a more mature risk profile, better focus and prioritize prevention, detection and response measures, and become increasingly predictive rather than reactive.
7. The Information Sharing Myth. Many organizations discuss information sharing as a valuable initiative without first defining their operational objectives. There is no inherent virtue in disseminating as much data as possible between as many companies and government agencies as possible without agreeing upon the end-state. Instead, the starting point for organizations should be to prioritize their most significant cybersecurity challenges, create measures around those that define success, and then determine the leastamount of information and the smallest number of participants required to collaborate and resolve them. Information sharing is not always required, and there typically are opportunity costs, resource challenges, legal impediments, trust hurdles and potential data overload consequences when we direct so much attention to building these platforms.
6. The National Strategy Myth. The Information Sharing Myth is part of the larger National Strategy Myth. Simply put, we really cannot claim to have a unified strategy, which would imply understanding our objectives, developing measures of success with targeted performance goals, and advancing consistent, coordinated policy choices. One example will suffice to demonstrate the National Strategy Myth. The same government that routinely warns all companies that sooner or later they will get hacked, simultaneously enacted a law incentivizing healthcare providers to digitize the personal health records of every man, woman and child in our country. Inconceivable!
To be continued in May 2015.