Last summer, after being inundated with false claims from fellow security vendors, I let loose in a “cybersecurity rant” blog. As we approach RSA, the FUD dial is being turned up again and instead of just throwing up my hands and yelling “GREAT SCOTT!” I thought it would be healthier to air my frustrations with the goal of us focusing on what’s really important.
If you read a lot of what comes out in the news or from the cybersecurity vendor community, there is an overwhelming focus on the sophistication of threats. Having been in this space for 10+ years I’ve been guilty of playing into this FUD as well. Certainly some of this does exist, but as my colleague Adam Meyer recently wrote in a SecurityWeek article if we look at what the intel is telling us, many of the cyber threats we face are, in fact, not sophisticated at all.
Ransomware, extortion, exploit kits, data breaches, DDoS attacks and more. These are some of the hot threat trends from the past year and moving into 2017. But when looking at these threats and how many of them are actually carried out, the intel points to security basics running amok. Patching software, enforcing better credentials management, backing up important data on a regular basis, segmenting your networks so that attackers don’t have freedom of movement once they break in, etc. This is all stuff that has been talked about for years. It’s not new. And yet, the same things keep happening over and over again.
Let’s use passwords as an example. It’s always a balance of security vs. usability when it comes to passwords, but more often than not usability wins out at the risk of poor security. Many big breaches from the last year were driven by used previously stolen credentials. So if my password is Sam123 and I’ve used it across my business email, personal banking, etc. and my credentials are compromised in one place, they’re compromised in the other place as well (unless I change ’em up). Pretty basic right?
It’s human nature to look for that shiny new whiz-bang toy that does something cool as opposed to the basic toy that isn’t fancy, but just works. I’m not saying we shouldn’t worry about the more sophisticated and targeted threats, but before tackling these challenges, why do we as an industry keep overlooking fundamental basics.
Working for a company that delivers cyber threat intelligence, I’m quite fortunate because I have access to a wealth of intel and an experienced analyst team. I’m constantly learning not only about threats, but the path those threats take in order to wreak havoc. It’s what we refer to here as the adversary’s “avenue of approach.”
There are always variances in how a threat works its way into/through an organization, but the common denominator is that it always exploits the organization’s level of presence — whether through an employee who’s active on social media, poor credentials, poor patch management, a supplier with weak security practices who has access into your network, etc. etc. etc.
At the end of the day I’m just a marketer with some industry awareness and expertise, not a cyber expert. I can’t code. So while some of this to me is still complex, overall we’re not talking about sophisticated security practices … we’re talking about the fundamentals.
As a sports junkie, I’ll wrap this up with a baseball analogy …
In baseball, to win the game you must score more runs than the other team. Trying to hit home runs is one way, but the more guys you get on base, the more runs you can score. Keeping it simple and making good contact results in a greater likelihood that you will get a base hit. Do that consistently, and you’ll score plenty of runs. My point here is instead of swinging for the fences, if we focus on what’s in front of us, we’ll be in pretty good shape and change outcomes for the better.