Operations

9/8/2015 11:00 AM
Bruce Cowper
Commentary
Avoiding ‘Magpie Syndrome’ In Cybersecurity

A quick fix usually isn't. Here's why those bright shiny new point solutions and security features can cause more harm than good.

Have you ever been in a situation where your security tools and features simply got in the way? It happened to me recently, when an airline called me in to fix a problem.

The email account of the airline’s chief engineer had been compromised. This was critical, because the engineer was authorized to direct planes to anywhere at any time. The management team wanted to know whether the attack was internal or external.

The firm had a complex array of different point solutions designed to address specific threats. Instead of helping, the threat response technologies spewed out an ocean of data that was almost impossible to correlate. To make matters worse, the person who set up the whole information security infrastructure had left the company, leaving the team entangled in unfathomable security spaghetti. The investigation proved inconclusive and cost a lot of money.

How do security teams get to this sorry point? Both customers and vendors have a part to play.

On the customer side, many of the people in charge of cybersecurity budgets are IT practitioners, for whom cybersecurity is one of many challenges they deal with every day. Their primary objective is to identify and quickly neutralise threats, which they may not have the time to entirely understand.

A vendor’s primary objective is to sell things. To do that, they must make it easy to market. That requires a clearly identifiable problem with fixed, clear boundaries.

This leads them both to the same problem. I call it magpie syndrome – an unhealthy fixation on bright, shiny security product features that each promise to deliver but fail to solve security problems on their own.

Security takes more than product features
Buying an appliance or a new piece of software can provide short-term, empty satisfaction. In reality, there’s no silver bullet, and the complete solution to your security problem rarely has a three-pin plug at the end of it. In many cases, customers may not even understand how to use those features properly, making them detrimental rather than useful.

Shiny product features can sometimes blind people to the need for process. Another firm – a publishing house – contacted me after their FTP server became compromised. This should have been a two-hour fix: unplug the box, rebuild the server, and reload the data from backup.

In reality, it took days. The firm’s security team became mired in politics that stopped it from doing its job. The server contained data from a number of different departments, and each of them had its own idea about how to handle the problem. They spent most of that time fighting over when to take the box offline.

The publishing company should have had an incident response playbook that was tested and used, neutering the politics up front. Like the airline, it should also have focused on basic operations that would have prevented the problems in the first place.

Vendors and customers pursue this feature fetish during every product refresh because it’s easy. Vendors can identify a new threat category – ideally with a sexy acronym – put ‘anti’ on the front of it, stick it into the next product version, and score a quick sale. Harried customers looking for an easy fix can buy it, tick a box, and then blame someone else if their systems are compromised. No one ever has to really think about the problem in depth, but eventually, everyone loses.

A more mature approach
How can we make everyone a winner? There is an opportunity to strengthen security from the ground up, getting the basics right through education and deep, tactical and strategic thinking.

Let’s start with the customers themselves. Instead of blindly ponying up more security budget, they can take a step back and ask whether the latest attack identified by the vendor is a serious threat to their organization or not. If it is, then they could ask whether their existing tools – in conjunction with some smart procedures and awareness training – could achieve the same goal as the latest security gizmo.

Vendors have an opportunity to look beyond the short-term sales opportunity and truly partner with customers and help them understand what’s needed. They can build longer-term relationships including service-based revenue models. Strong partner ecosystems will help drive the systematic change that will help us thwart attackers.

The alternative continues to put vendors and customers alike at a disadvantage in a game of rising stakes. With the frequency and cost of breaches and data losses on the rise, it doesn’t seem to be working well for the industry so far.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), which takes place October 20 and 21. For more information and to sign up for educational sessions about techniques spanning the management and technology aspects of cybersecurity, visit http://www.sector.ca.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for ... View Full Bio
Comments

paulholland
User Rank: Apprentice
9/9/2015 | 4:59:20 AM
RE: Avoiding 'Magpie Syndrome' In Cybersecurity
I agree with this. The technologies are great up to a point, but you need to have your processes in place to support them properly, and also the staff knowledgeable enough to be able to deal with the process and the technology.
mattwilliamsfromseattle
User Rank: Apprentice
9/8/2015 | 8:23:06 PM
Importance of Context Awareness
The issue I see with many of the "anti-fill-in-the-blank" and the shiny new vendor tools is that they are siloed. Vendors make many promises about their tool, but context awareness around their tool is important, as well as being able to integrate each tool into an overarching strategy. I agree with the point that vendors need to act as trusted advisors instead of going for the easy sale. Unfortunately, like the bad actors out there, vendors and security teams both follow the path of least resistance. Meaning, until either vendors or, more likely, security teams work together to discover how a tool can fit into a security strategy, we will continue to see this 'Magpie Syndrome.' On top of that, we have yet to see a tool that manages vendor risk; how difficult is it to know that the best tools and a top-notch strategy can be undone by a third-party vendor with poor security?