Risk
5/14/2014
12:00 PM
Dispelling The Myths Of Cyber Security

Perfect security that focuses on eliminating threats is too expensive and impossible to achieve. Better to think about consequence management.

Most of us in the security profession don't have James Bond's 007 license (or even a smartwatch) to eliminate threats. Instead, we focus on strategies to reduce risk through formulas such as cyberrisk = threats X vulnerabilities X consequences. That practice assumes we can create near-perfect security by reducing one of these factors to zero.

In the real world, it’s hard to imagine any CISO worth his or her salt telling the CEO that vulnerabilities have been reduced to zero. A more effective approach might be to focus on consequence management. But to do that, we first need to dispel a few cyber security myths:

MYTH 1: Prevention, detection, and information-sharing are adequate for protecting systems. The CISO truth is twofold: Intrusions are inevitable, no matter what preventive approaches you use, and your public-facing hosts are constantly under attack. There are 86,000 new pieces of malware reported each day. Industry stats show that within a few minutes of going online, hosts are under attack.

MYTH 2: Once a server comes online, we leave it alone until we need to perform maintenance or patching. We have been using this work/time element of security strategy for 15 years. But the CISO truth is that while keeping systems static is a low-work, low-cost strategy, it also creates an opportunity for the criminal. We know that once criminals get into the system they do damage for days, weeks, months, or even years. Target (more than two weeks), New York Times (four months), and Nortel (10 years) are all examples of persistent compromises.

MYTH 3: All security threats need attention. The CISO truth is that there are ankle biters that are unlikely to cause significant damage, and serious persistent threats to which we must pay attention. The ankle biter causes numerous alarms which overwhelm the security department. The serious persistent threat probably causes one alarm which can be easily missed in the "cacophony of alarms." Turn the alarm “screwdriver” too far to the right and the security team is overloaded. Turn it too far to the left and important alarms are missed. The challenge is to find the alarm level that leads to the persistent threats where serious consequences occur.
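As an added illustration of the alarm-level problem above, not code from the article or its author: the script below scores a constructed day of alerts with the article's own cyberrisk = threats X vulnerabilities X consequences formula, so the one quiet alert from a critical host outranks 200 noisy "ankle biter" alerts, and then sweeps the threshold to find the settings that neither overload a team of a given capacity nor drop the persistent-threat alert. Host names, signature names and all scores are invented sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    source: str          # originating host (constructed sample values)
    signature: str       # detection rule that fired (constructed)
    threat: float        # likelihood the activity is hostile, 0..1
    vulnerability: float # likelihood the target is actually exposed, 0..1
    consequence: float   # damage if it succeeds, 0..1 (asset criticality)


def risk(a):
    """The article's formula: cyberrisk = threats X vulnerabilities X consequences."""
    return a.threat * a.vulnerability * a.consequence


def triage(alerts, threshold):
    """Alerts the team actually looks at: risk >= threshold, worst first."""
    return sorted((a for a in alerts if risk(a) >= threshold), key=risk, reverse=True)


def workable_thresholds(alerts, capacity, must_catch, steps=100):
    """Thresholds (0..1 in `steps` increments) at which the queue fits the
    team's capacity AND `must_catch` is still in it: neither overloaded nor blind."""
    ok = []
    for i in range(steps + 1):
        t = i / steps
        queue = triage(alerts, t)
        if len(queue) <= capacity and must_catch in queue:
            ok.append(t)
    return ok


# Constructed sample day: 200 ankle biters (scanner noise against a patched,
# low-value public web host; clearly hostile but near-zero consequence) and one
# ambiguous-looking alert from the domain controller (moderate threat score, but
# the host is exposed and the consequence is maximal).
ANKLE_BITERS = [Alert(f"198.51.100.{i % 250}", "WEB-SCAN-PHPMYADMIN", 0.9, 0.05, 0.1)
                for i in range(200)]
PERSISTENT = Alert("dc01.corp.example", "UNUSUAL-OUTBOUND-BEACON", 0.5, 0.5, 1.0)
DAY = ANKLE_BITERS + [PERSISTENT]

if __name__ == "__main__":
    for t in (0.0, 0.01, 0.3):
        q = triage(DAY, t)
        print(f"threshold {t:.2f}: {len(q)} alerts in queue, persistent caught: {PERSISTENT in q}")
    # Screwdriver too far left (0.0): 201 alerts; too far right (0.3): the beacon is lost.
    print("workable thresholds for a 20-alert team:", workable_thresholds(DAY, 20, PERSISTENT))
```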

MYTH 4: It’s possible to get rid of all vulnerabilities. The CISO truth is that the common vulnerabilities and exposures (CVE) list has more than 50,000 recorded vulnerabilities -- with more added hourly. How are you going to ensure your network (firewalls, IDS, hosts, etc.) can deal with 50,000+ vulnerabilities every day?

MYTH 5: You can win the cyber security lottery with "predictive systems" that will find the next attack. The CISO truth is that it’s probably easier to predict your spouse’s mood after many years of marriage than the next attack launched by a criminal you have never met. You know nothing of the person's skills. He or she intentionally uses deceptive techniques and could be 10,000 miles away.

CISOs need to develop strategies that are independent of the attacker, require no prior knowledge to succeed, are easy to implement, and keep our servers as secure as they were before they went online. Perfect security is too expensive and impossible to achieve.

We need to tolerate intrusions by limiting the resulting consequences. Computer cycles are cheap and getting cheaper. We should explore solutions that trade CPU cycles against enhancing security.

CISOs are always reflecting and reexamining security myths, and identifying the products and services that make the organization more secure. The uncertainty in the environment has led to general acceptance of defense in depth, with a variety of solutions being included in the mix. To mitigate cyberrisk, CISOs must include consequence management strategies, principally intrusion tolerance, in the solution mix.

Mark Goldstein, Principal, SafeSecurePrivate. Mark is a cybersecurity, privacy, and IT pro. He looks at securing across the ecosystem, not as a security problem, nor a privacy problem, nor a technology problem. It's about changing the DNA of the organization. During his 11 ...
Comments
WeedWhackerDood, User Rank: Apprentice
5/15/2014 | 11:43:52 AM
#5 and Cyber Kill Chain success
Tracking and mitigating attacks and APT adversaries IS possible using historical data, as proven by the Cyber Kill Chain from Hutchinson, Cloppert and Dr. Amin from Lockheed Martin. Having a qualified team that partners with key industry experts such as these individuals would help any CIO mitigate many threats that they face on their network. With the proper training, supported by company management, and with the proper tool set, the Cyber Kill Chain methodology can be implemented and be a highly effective solution to mitigating the threat. Your article brings good points to light but should have contained more useful and factual data for your last point.
Kelly Jackson Higgins, User Rank: Strategist
5/15/2014 | 11:19:42 AM
Re: Dispelling The Myths Of Cyber Security
Myth #5 made me LOL, but the point was well-taken: "it's probably easier to predict your spouse's mood after many years of marriage than the next attack launched by a criminal you have never met. You know nothing of the person's skills. He or she intentionally uses deceptive techniques and could be 10,000 miles away."
Randy Naramore, User Rank: Ninja
5/14/2014 | 4:01:51 PM
Dispelling The Myths Of Cyber Security
Interesting but true article; this points out the true but often overlooked security measures. If you have never worked as an analyst you probably think some of the topics are true. Some of them now are laughable.