
Risk

5/14/2014
12:00 PM
Dispelling The Myths Of Cyber Security

Perfect security that focuses on eliminating threats is too expensive and impossible to achieve. Better to think about consequence management.

Most of us in the security profession don't have James Bond's 007 license (or even a smartwatch) to eliminate threats. Instead, we focus on strategies to reduce risk through formulas such as cyber risk = threats × vulnerabilities × consequences. That practice assumes we can create near-perfect security by reducing one of these factors to zero.

In the real world, it’s hard to imagine any CISO worth his or her salt telling the CEO that vulnerabilities have been reduced to zero. A more effective approach might be to focus on consequence management. But to do that, we first need to dispel a few cyber security myths:

MYTH 1: Prevention, detection, and information-sharing are adequate for protecting systems. The CISO truth is twofold: Intrusions are inevitable, no matter what preventive approaches you use, and your public-facing hosts are constantly under attack. There are 86,000 new pieces of malware reported each day. Industry stats show that within a few minutes of going online, hosts are under attack.

MYTH 2: Once a server comes online, we leave it alone until we need to perform maintenance or patching. We have been using this work/time element of security strategy for 15 years. But the CISO truth is that while keeping systems static is a low-work, low-cost strategy, it also creates an opportunity for the criminal. We know that once criminals get into the system they do damage for days, weeks, months, or even years. Target (more than two weeks), New York Times (four months), and Nortel (10 years) are all examples of persistent compromises.

MYTH 3: All security threats need attention. The CISO truth is that there are ankle biters that are unlikely to cause significant damage, and serious persistent threats to which we must pay attention. The ankle biter causes numerous alarms that overwhelm the security department. The serious persistent threat probably causes one alarm, which can easily be missed in the "cacophony of alarms." Turn the alarm "screwdriver" too far to the right and the security team is overloaded. Turn it too far to the left and important alarms are missed. The challenge is to find the alarm level that leads to the persistent threats where serious consequences occur.
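One way to make the "screwdriver" less blunt is to stop ranking by alarm count and rank by consequence instead: collapse repeated hits from the same source into one incident, then score each incident by severity times the consequence rating of the asset it touches. The example below is added here to illustrate that idea and is not code from the article or its author; the alert tuples and asset ratings are constructed sample data.

```python
from collections import defaultdict

# Constructed consequence ratings per asset (1 = disposable, 5 = crown jewels).
ASSET_CONSEQUENCE = {"web-dmz": 2, "db01": 5, "workstation-17": 3}

# Constructed sample alerts: (source_ip, asset, signature, severity 1-5).
# The "ankle biter" at 203.0.113.7 fires 250 low-severity alarms against a
# low-value DMZ host; the persistent threat fires exactly once, against db01.
SAMPLE_ALERTS = (
    [("203.0.113.7", "web-dmz", "Nmap SYN scan", 1)] * 200
    + [("203.0.113.7", "web-dmz", "SSH login failure", 2)] * 50
    + [("198.51.100.5", "db01", "Outbound beacon to unseen domain", 4)]
)


def group_alerts(alerts):
    """Collapse repeated (source, asset, signature) hits into one incident with a count."""
    groups = defaultdict(lambda: {"count": 0, "severity": 0})
    for src, asset, sig, sev in alerts:
        g = groups[(src, asset, sig)]
        g["count"] += 1
        g["severity"] = max(g["severity"], sev)
    return groups


def triage(alerts, asset_consequence=ASSET_CONSEQUENCE):
    """Rank incidents by severity x asset consequence; raw alarm volume only breaks ties."""
    ranked = []
    for (src, asset, sig), g in group_alerts(alerts).items():
        score = g["severity"] * asset_consequence.get(asset, 1)
        ranked.append({"source": src, "asset": asset, "signature": sig,
                       "count": g["count"], "score": score})
    ranked.sort(key=lambda r: (-r["score"], -r["count"]))
    return ranked


def queue_stats(alerts):
    """Raw alarms an analyst would have faced vs. incidents left after grouping."""
    return {"raw": len(alerts), "incidents": len(group_alerts(alerts))}


if __name__ == "__main__":
    print(queue_stats(SAMPLE_ALERTS))
    for row in triage(SAMPLE_ALERTS):
        print(f'{row["score"]:>3} score  {row["count"]:>4}x  {row["asset"]:<10} {row["signature"]}')
```

With the sample data, 251 alarms become three incidents, and the single beacon from the database host lands at the top of the queue while the 200 scan hits drop to the bottom.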

MYTH 4: It’s possible to get rid of all vulnerabilities. The CISO truth is that the common vulnerabilities and exposures (CVE) list has more than 50,000 recorded vulnerabilities -- with more added hourly. How are you going to ensure your network (firewalls, IDS, hosts, etc.) can deal with 50,000+ vulnerabilities every day?

MYTH 5: You can win the cyber security lottery with "predictive systems" that will find the next attack. The CISO truth is that it’s probably easier to predict your spouse’s mood after many years of marriage than the next attack launched by a criminal you have never met. You know nothing of the person's skills. He or she intentionally uses deceptive techniques and could be 10,000 miles away.

CISOs need to develop strategies that are independent of the attacker, require no prior knowledge to succeed, are easy to implement, and keep our servers as secure as they were before they went online. Perfect security is too expensive and impossible to achieve.

We need to tolerate intrusions by limiting the resulting consequences. Computer cycles are cheap and getting cheaper. We should explore solutions that trade CPU cycles against enhancing security.

CISOs are always reflecting and reexamining security myths, and identifying the products and services that make the organization more secure. The uncertainty in the environment has led to general acceptance of defense in depth, with a variety of solutions being included in the mix. To mitigate cyberrisk, CISOs must include consequence management strategies, principally intrusion tolerance, in the solution mix.

Mark Goldstein, Principal, SafeSecurePrivate. Mark is a cybersecurity, privacy, and IT pro. He looks at securing across the ecosystem, not as a security problem, nor a privacy problem, nor a technology problem. It's about changing the DNA of the organization. During his 11 ...
Comments
WeedWhackerDood, User Rank: Apprentice
5/15/2014 | 11:43:52 AM
#5 and Cyber Kill Chain success
Tracking and mitigating attacks and APT adversaries IS possible using historical data, as proven by the Cyber Kill Chain from Hutchins, Cloppert and Dr. Amin from Lockheed Martin. Having a qualified team that partners with key industry experts such as these individuals would help any CIO mitigate many threats that they face on their network. With the proper training, supported by company management, and with the proper tool set, the Cyber Kill Chain methodology can be implemented and be a highly effective solution to mitigating the threat. Your article brings good points to light but should have contained more useful and factual data for your last point.
Kelly Jackson Higgins, User Rank: Strategist
5/15/2014 | 11:19:42 AM
Re: Dispelling The Myths Of Cyber Security
Myth #5 made me LOL, but the point was well-taken: "it's probably easier to predict your spouse's mood after many years of marriage than the next attack launched by a criminal you have never met. You know nothing of the person's skills. He or she intentionally uses deceptive techniques and could be 10,000 miles away."
Randy Naramore, User Rank: Ninja
5/14/2014 | 4:01:51 PM
Dispelling The Myths Of Cyber Security
Interesting but true article; this points out the true but often overlooked security measures. If you have never worked as an analyst you probably think some of the topics are true. Some of them now are laughable.