Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Mieng Lim
Mieng Lim
Connect Directly
E-Mail vvv

It's Time to Ditch Celebrity Cybersecurity

High-profile attacks and solutions are shiny objects that can distract from the defenses that afford the greatest protection.

As a cybersecurity professional, I relate to those old movie scenes where a character is starting to lose it, someone delivers a firm face slap, and the first character pulls it together, saying, "Thanks, I needed that." 

Corporate and government leaders around the world got a stinging wake-up slap from cyber adversaries in 2020, a year that set records for data breaches, compromised records, and ransomware attacks. The pandemic-accelerated digital transformation (including the swift switch to remote work and cloud-based databases) created the broadest security vulnerabilities in history, and attackers were ready. 

Related Content:

How to Attack Yourself Better in 2021

Special Report: Tech Insights: Detecting and Preventing Insider Data Leaks

New From The Edge: Cybersecurity and the Way to a Balanced Life

The year culminated with the Sunburst cybersecurity hack, in which intruders sponsored by a hostile regime penetrated US government and corporate networks for reasons and with consequences yet unknown. 

How will the world's cybersecurity experts respond to the annus horribilis of 2020? Like the slapped movie character, cybersecurity experts must pull it together and stop being distracted by trendy cybersecurity solutions that address only the best-publicized vulnerabilities. Celebrity vulnerabilities get all the attention and create distractions while the company's technical foundation crumbles. 

Celebrity Cybercrimes Draw Glittering Solutions
The worse cybercrime gets, and the more publicity certain vulnerabilities attract, the more money companies budget to combat well-publicized threats. Predictions for cybersecurity spending in 2021 vary wildly — I found estimates ranging from $60 billion to $180 billion among credible analysts — but it is universally acknowledged that cybersecurity is among the fastest-growing parts of the IT industry, with a CAGR modestly estimated at 10% or more. 

Credit: Michael Traitov via Adobe Stock
Credit: Michael Traitov via Adobe Stock

All this financial opportunity attracts the brightest, most innovative minds. One glittering solution after another enters the arena, aimed at famous vulnerabilities, complete with celebrity-worthy PR stylists and evangelists. Stakeholders are putting growing pressure on chief information security officers (CISOs) and chief information officers (CIOs) to invest in these bright and shiny objects instead of less sexy security fundamentals. 

I've spent more than two decades doing post-mortems for companies penetrated by cyberattacks. The vast majority of hacks, intrusions, and cybersecurity failures were caused either by bumbling insiders clicking on phishing emails or by plain-vanilla mistakes that could have been avoided by basic cybersecurity best practices and hygiene. 

The most important cybersecurity investment for CISOs, CIOs, and chief financial officers (CFOs) isn't some glamorous new cybersecurity solution for a high-profile problem; it's the time and resources to do fundamental blocking and tackling. Organizations must go back to basics to assure their cybersecurity foundations are rock solid, even against no-name threats. Incidentally, cybersecurity solidity works great against celebrity threats, too. 

Celebrity cybersecurity challenges get the lion's share of attention because their names appear in the cybersecurity and even mainstream media, and everyone rushes to defend against them because that's where the money is. Meanwhile, yawning holes in cybersecurity sit for years without getting fixed because 1) they aren't (in)famous, and 2) they're not a fast and easy fix, if we're honest. 

One example: Conficker, a vulnerability in Windows 2000 and Windows XP from 2008 that's old, boring, and still doing a lot of damage. No shiny new solutions are hitting the runway promising to protect networks from Conficker (stifle that yawn!). It continues to spread among, for example, hundreds of thousands of older medical machines still running outdated Windows versions and whose hospital and clinic owners never applied the Microsoft patches, likely because of resource and time constraints. Hospitals are among the most popular ransomware targets. Coincidence? Probably not. 

But the Front Door Lock Is Still Broken
Imagine your front door lock is broken. You don't fix it because you know it will take time and money, and frankly, the work is boring. So, you put spiked bars on the windows and advanced laser security on all rear entrances. Your front door is even impenetrable reinforced steel. Very impressive, but your front door lock is still broken. Anyone can easily bypass your flashier security measures to get inside. 

That's the situation for most businesses in the real world today. Fundamental cybersecurity problems are not addressed for many reasons. There may be legacy elements to a system for which no patch exists. Fixing it may be slow, costly, and require specialized expertise. A business may be unable to afford the downtime required to replace an entire operational system. 

So, vendors develop the cybersecurity equivalents of window bars and laser beams when the front door lock is still broken. When I talk to CISOs and CIOs about cybersecurity, I implore them to forget about the in-vogue threats and the shiny solutions and instead do the "boring" detailed work: Run regular deep scans and find, fix, or protect those fundamental network vulnerabilities to the greatest extent possible. 

Taking the time to seek and harden fundamental vulnerabilities can move the security needle more than addressing threats that get celebrity press. Admittedly it's low-glamor work, but essential for the best results. After the face-slap of 2020, it's time to get back to reality.

Mieng Lim, vice president, product management has served as a security expert for Digital Defense, a HelpSystems company, since 2001. Mieng takes a consultative approach to security, having held prior roles in operations, quality assurance, and sales engineering. Mieng ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file