Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

5/4/2021
10:00 AM
Mieng Lim
Mieng Lim
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

It's Time to Ditch Celebrity Cybersecurity

High-profile attacks and solutions are shiny objects that can distract from the defenses that afford the greatest protection.

As a cybersecurity professional, I relate to those old movie scenes where a character is starting to lose it, someone delivers a firm face slap, and the first character pulls it together, saying, "Thanks, I needed that." 

Corporate and government leaders around the world got a stinging wake-up slap from cyber adversaries in 2020, a year that set records for data breaches, compromised records, and ransomware attacks. The pandemic-accelerated digital transformation (including the swift switch to remote work and cloud-based databases) created the broadest security vulnerabilities in history, and attackers were ready. 

Related Content:

How to Attack Yourself Better in 2021

Special Report: Tech Insights: Detecting and Preventing Insider Data Leaks

New From The Edge: Cybersecurity and the Way to a Balanced Life

The year culminated with the Sunburst cybersecurity hack, in which intruders sponsored by a hostile regime penetrated US government and corporate networks for reasons and with consequences yet unknown. 

How will the world's cybersecurity experts respond to the annus horribilis of 2020? Like the slapped movie character, cybersecurity experts must pull it together and stop being distracted by trendy cybersecurity solutions that address only the best-publicized vulnerabilities. Celebrity vulnerabilities get all the attention and create distractions while the company's technical foundation crumbles. 

Celebrity Cybercrimes Draw Glittering Solutions
The worse cybercrime gets, and the more publicity certain vulnerabilities attract, the more money companies budget to combat well-publicized threats. Predictions for cybersecurity spending in 2021 vary wildly — I found estimates ranging from $60 billion to $180 billion among credible analysts — but it is universally acknowledged that cybersecurity is among the fastest-growing parts of the IT industry, with a CAGR modestly estimated at 10% or more. 

Credit: Michael Traitov via Adobe Stock
Credit: Michael Traitov via Adobe Stock

All this financial opportunity attracts the brightest, most innovative minds. One glittering solution after another enters the arena, aimed at famous vulnerabilities, complete with celebrity-worthy PR stylists and evangelists. Stakeholders are putting growing pressure on chief information security officers (CISOs) and chief information officers (CIOs) to invest in these bright and shiny objects instead of less sexy security fundamentals. 

I've spent more than two decades doing post-mortems for companies penetrated by cyberattacks. The vast majority of hacks, intrusions, and cybersecurity failures were caused either by bumbling insiders clicking on phishing emails or by plain-vanilla mistakes that could have been avoided by basic cybersecurity best practices and hygiene. 

The most important cybersecurity investment for CISOs, CIOs, and chief financial officers (CFOs) isn't some glamorous new cybersecurity solution for a high-profile problem; it's the time and resources to do fundamental blocking and tackling. Organizations must go back to basics to assure their cybersecurity foundations are rock solid, even against no-name threats. Incidentally, cybersecurity solidity works great against celebrity threats, too. 

Celebrity cybersecurity challenges get the lion's share of attention because their names appear in the cybersecurity and even mainstream media, and everyone rushes to defend against them because that's where the money is. Meanwhile, yawning holes in cybersecurity sit for years without getting fixed because 1) they aren't (in)famous, and 2) they're not a fast and easy fix, if we're honest. 

One example: Conficker, a vulnerability in Windows 2000 and Windows XP from 2008 that's old, boring, and still doing a lot of damage. No shiny new solutions are hitting the runway promising to protect networks from Conficker (stifle that yawn!). It continues to spread among, for example, hundreds of thousands of older medical machines still running outdated Windows versions and whose hospital and clinic owners never applied the Microsoft patches, likely because of resource and time constraints. Hospitals are among the most popular ransomware targets. Coincidence? Probably not. 

But the Front Door Lock Is Still Broken
Imagine your front door lock is broken. You don't fix it because you know it will take time and money, and frankly, the work is boring. So, you put spiked bars on the windows and advanced laser security on all rear entrances. Your front door is even impenetrable reinforced steel. Very impressive, but your front door lock is still broken. Anyone can easily bypass your flashier security measures to get inside. 

That's the situation for most businesses in the real world today. Fundamental cybersecurity problems are not addressed for many reasons. There may be legacy elements to a system for which no patch exists. Fixing it may be slow, costly, and require specialized expertise. A business may be unable to afford the downtime required to replace an entire operational system. 

So, vendors develop the cybersecurity equivalents of window bars and laser beams when the front door lock is still broken. When I talk to CISOs and CIOs about cybersecurity, I implore them to forget about the in-vogue threats and the shiny solutions and instead do the "boring" detailed work: Run regular deep scans and find, fix, or protect those fundamental network vulnerabilities to the greatest extent possible. 

Taking the time to seek and harden fundamental vulnerabilities can move the security needle more than addressing threats that get celebrity press. Admittedly it's low-glamor work, but essential for the best results. After the face-slap of 2020, it's time to get back to reality.

Mieng Lim, vice president, product management has served as a security expert for Digital Defense, a HelpSystems company, since 2001. Mieng takes a consultative approach to security, having held prior roles in operations, quality assurance, and sales engineering. Mieng ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16060
PUBLISHED: 2021-10-15
Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
CVE-2018-16061
PUBLISHED: 2021-10-15
Mitsubishi Electric SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
CVE-2021-27561
PUBLISHED: 2021-10-15
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
CVE-2020-4951
PUBLISHED: 2021-10-15
IBM Cognos Analytics 11.1.7 and 11.2.0 contains locally cached browser data, that could allow a local attacker to obtain sensitive information.
CVE-2021-28021
PUBLISHED: 2021-10-15
Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.