We have been following the same cybersecurity approach, more or less, for over a decade. Yet almost everyone agrees that the problem continues to grow worse. Perhaps we are not on the right course. Maybe we are operating on false assumptions. The following list (to be continued in next month’s column) is meant to promote a dialogue about what, in my view, are widely held cybersecurity myths.
10. The Patch Myth. It is beyond debate that systems administrators should patch their systems and, with few exceptions, should upgrade to current versions of operating systems, firmware and applications. The Patch Myth lies in overestimating the value of this basic tenet. On countless occasions, I have heard very smart people suggest that there is a one-to-one relationship between patching vulnerabilities and stopping the attackers who take advantage of those vulnerabilities. The real dynamic is far more complicated. Hackers take advantage of the easiest paths first but, when denied, routinely escalate and innovate. Especially when it comes to targeted attacks, hackers do not simply move on to the next guy when they see a fully patched system. Just because X% of intrusions may take advantage of known vulnerabilities, it does not follow, as a matter of logic or of industry experience, that anywhere close to X% of those intrusions would have been eliminated had those vulnerabilities been patched. Hackers evolve.