Risk
5/14/2014
12:00 PM

Dispelling The Myths Of Cyber Security

Perfect security that focuses on eliminating threats is too expensive and impossible to achieve. Better to think about consequence management.

Most of us in the security profession don't have James Bond's 007 license (or even a smartwatch) to eliminate threats. Instead, we focus on strategies to reduce risk through formulas such as cyberrisk = threats X vulnerabilities X consequences. That practice assumes we can create near-perfect security by reducing one of these factors to zero.

In the real world, it’s hard to imagine any CISO worth his or her salt telling the CEO that vulnerabilities have been reduced to zero. A more effective approach might be to focus on consequence management. But to do that, we first need to dispel a few cyber security myths:

MYTH 1: Prevention, detection, and information-sharing are adequate for protecting systems. The CISO truth is twofold: Intrusions are inevitable, no matter what preventive approaches you use, and your public-facing hosts are constantly under attack. There are 86,000 new pieces of malware reported each day. Industry stats show that within a few minutes of going online, hosts are under attack.

MYTH 2: Once a server comes online, we leave it alone until we need to perform maintenance or patching. We have been using this work/time element of security strategy for 15 years. But the CISO truth is that while keeping systems static is a low-work, low-cost strategy, it also creates an opportunity for the criminal. We know that once criminals get into the system they do damage for days, weeks, months, or even years. Target (more than two weeks), New York Times (four months), and Nortel (10 years) are all examples of persistent compromises.

MYTH 3: All security threats need attention. The CISO truth is that there are ankle biters that are unlikely to cause significant damage, and serious persistent threats to which we must pay attention. The ankle biter causes numerous alarms that overwhelm the security department. The serious persistent threat probably causes one alarm, which can be easily missed in the "cacophony of alarms." Turn the alarm "screwdriver" too far to the right and the security team is overloaded. Turn it too far to the left and important alarms are missed. The challenge is to find the alarm level that surfaces the persistent threats, the ones where serious consequences occur.
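The alarm "screwdriver" trade-off above can be made concrete with a small model. This is an added example, not code from the article or its author: it assumes each alert carries a 0-100 severity score and a label for whether it came from a persistent threat, sweeps the cutoff, and reports analyst load against missed serious alarms at each setting. The alert data is constructed for illustration.

```python
"""Worked model of the Myth 3 alarm-threshold trade-off (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    score: int        # assumed severity score from the detection stack (0-100)
    persistent: bool  # True if the alarm came from a serious persistent threat


# Constructed sample: many noisy "ankle biter" alarms and two serious ones.
# The quieter persistent threat fires once, at 62, in the middle of the noise.
SAMPLE_ALERTS = (
    [Alert(s, False) for s in (10, 15, 20, 22, 25, 30, 35, 40, 45, 55, 58, 70, 75)]
    + [Alert(62, True), Alert(81, True)]
)


def evaluate(alerts, threshold):
    """Return (alarms shown to analysts, persistent threats missed) at a cutoff."""
    shown = [a for a in alerts if a.score >= threshold]
    missed = [a for a in alerts if a.persistent and a.score < threshold]
    return len(shown), len(missed)


def sweep(alerts, step=5):
    """Map every candidate threshold to its (load, missed) pair."""
    return {t: evaluate(alerts, t) for t in range(0, 101, step)}


def choose_threshold(alerts, max_load, step=5):
    """Lowest cutoff that fits the analyst budget and misses no persistent threat.

    Returns None when no setting satisfies both: turning the screwdriver far
    enough right to fit the budget already drops a serious alarm.
    """
    for t, (load, missed) in sorted(sweep(alerts, step).items()):
        if load <= max_load and missed == 0:
            return t
    return None


if __name__ == "__main__":
    for t, (load, missed) in sorted(sweep(SAMPLE_ALERTS).items()):
        print(f"threshold {t:3d}: {load:2d} alarms shown, {missed} persistent missed")
    print("budget 5 ->", choose_threshold(SAMPLE_ALERTS, 5))
    print("budget 3 ->", choose_threshold(SAMPLE_ALERTS, 3))
```

With a budget of five alarms a cutoff of 60 works; with a budget of three there is no cutoff that keeps both persistent threats, which is exactly the bind the paragraph describes.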

MYTH 4: It’s possible to get rid of all vulnerabilities. The CISO truth is that the common vulnerabilities and exposures (CVE) list has more than 50,000 recorded vulnerabilities -- with more added hourly. How are you going to ensure your network (firewalls, IDS, hosts, etc.) can deal with 50,000+ vulnerabilities every day?

MYTH 5: You can win the cyber security lottery with "predictive systems" that will find the next attack. The CISO truth is that it’s probably easier to predict your spouse’s mood after many years of marriage than the next attack launched by a criminal you have never met. You know nothing of the person's skills. He or she intentionally uses deceptive techniques and could be 10,000 miles away.

CISOs need to develop strategies that are independent of the attacker, require no prior knowledge to succeed, are easy to implement, and keep our servers as secure as they were before they went online. Perfect security is too expensive and impossible to achieve.

We need to tolerate intrusions by limiting the resulting consequences. Computer cycles are cheap and getting cheaper. We should explore solutions that trade CPU cycles against enhancing security.

CISOs are always reflecting and reexamining security myths, and identifying the products and services that make the organization more secure. The uncertainty in the environment has led to general acceptance of defense in depth, with a variety of solutions being included in the mix. To mitigate cyberrisk, CISOs must include consequence management strategies, principally intrusion tolerance, in the solution mix.

Mark Goldstein, Principal, SafeSecurePrivate. Mark is a cybersecurity, privacy, and IT pro. He looks at securing across the ecosystem, not as a security problem, nor a privacy problem, nor a technology problem. It's about changing the DNA of the organization. During his 11 ...
Comments
WeedWhackerDood
User Rank: Apprentice
5/15/2014 | 11:43:52 AM
#5 and Cyber Kill Chain success
Tracking and mitigating attacks and APT adversaries IS possible using historical data, as proven by the Cyber Kill Chain from Hutchinson, Cloppert and Dr. Amin from Lockheed Martin. Having a qualified team that partners with key industry experts such as these individuals would help any CIO mitigate many threats that they face on their network. With the proper training, supported by company management, and with the proper tool set, the Cyber Kill Chain methodology can be implemented and be a highly effective solution to mitigating the threat. Your article brings good points to light but should have contained more useful and factual data for your last point.
Kelly Jackson Higgins
User Rank: Strategist
5/15/2014 | 11:19:42 AM
Re: Dispelling The Myths Of Cyber Security
Myth #5 made me LOL, but the point was well-taken: "it's probably easier to predict your spouse's mood after many years of marriage than the next attack launched by a criminal you have never met. You know nothing of the person's skills. He or she intentionally uses deceptive techniques and could be 10,000 miles away."
Randy Naramore
User Rank: Ninja
5/14/2014 | 4:01:51 PM
Dispelling The Myths Of Cyber Security
Interesting but true article, this points out the true but often overlooked security measures. If you have never worked as an analyst you probably think some of the topics are true. Some of them now are laughable.