Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/11/2021
01:00 PM
Etay Maor
Etay Maor
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Cybersecurity Myths to Bust

Deeply rooted cybersecurity misconceptions are poisoning our ability to understand and defend against attacks.

"Every lie is a poison; there are no harmless lies." Leo Tolstoy said this over 100 years ago, and who am I to argue with the great author? His observation holds as true today as ever — in many aspects in life, including cybersecurity.

I attend many cybersecurity presentations in my work, and one thing that has bothered me the past several years is the (over)use of clichés, myths, and misconceptions. There are many cybersecurity myths out there, but the three that are the most deeply rooted in the cybersecurity world (and therefore are the most "poisonous," as Tolstoy would say,) relate to People, Process, and Technology.

Related Content:

MITRE Adds MacOS, More Data Types to ATT&CK Framework

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Name That Edge Toon: Magical May

Myth #1: Sophisticated Threat Actors Use Sophisticated Tools
One misconception I run into a lot is the notion that sophisticated nation-state actors always use sophisticated cyberweapons when they breach organizations. While threat actors may indeed use zero-day exploits and advanced techniques to breach systems and access networks, in almost all cases, the initial vector is a (relatively) simple attack against humans. Why? Several reasons: a) it works, b) it's very cost-effective, and c) it's much harder to attribute. When attackers use an advanced capability like a zero-day exploit, they have a higher risk of being attributed to the attack. After all, there are only so many organizations that can develop or purchase zero days.

On the other hand, a relatively simple attack against a person, using a combination of social engineering techniques and open source intelligence (OSINT) can yield devastating results. Some of the most notorious breaches started just like that: the RSA hack, the Sony hack, the Associated Press hack, the Target hack, the DNC hack … and the list goes on.

In 2018, Verizon estimated that 33% of all breaches start with a social engineering attack. This is a very conservative estimate. Some researchers estimate the number to be closer to 90%. While security vendors push for more products, we must remember that not all cybersecurity gaps are technological. Most are related to people.

Myth #2: Attackers Need to Be Right Only Once; Defenders Must Be Right All the Time
I probably hear this process-related misconception the most. Claiming that an attacker needs to be right only once oversimplifies an attack life cycle from the point-solution vendor's point of view. In actuality, the attacker has to be right many times, and the defender has many opportunities to detect, mitigate, or prevent the attack.

To illustrate this, I suggest looking at the MITRE ATT&CK framework. For virtually any threat actor or attack type, the ATT&CK Navigator shows multiple techniques that can be used as part of the 14 tactics. Pick, for example, REvil ransomware. Notice how many different actions the attacker takes from Initial Access to Impact. The attackers don't have to be right once; they have to be right many times. The defenders will remain unaware of the attack if they miss all these opportunities to detect it.

True, the attackers likely will not give up if one technique fails or is stopped, and sophisticated threat actors are nearly impossible to stop. However, there is a lot to be said about early detection, attack mitigation, and incident response time. Saying that the attacker needs to be right only once is an easy out. We can do better than that if we break the siloed view.

Myth #3: You Need More Security Products to Stop All the New Threats
In terms of technology, we are learning the hard way that less is more. (Why not use a cliché to refute a cliché?) The average organization has 50 to 80 security products, yet most of them don't communicate with each other, some are partially integrated, and together they create huge management and monitoring burdens on security teams. Analysts and researchers suffer from alert and monitor fatigue, and there are good reasons practitioners in all disciplines are looking for easy-to-use, converged systems.

Vendor overload is directly related to the People and Process myths above. More chief information security officers (CISOs) are looking to cut back on the number of solutions they have while maintaining their security capabilities and operational readiness. This can be backtracked to the layered-security approach: The notion is true; you do need multiple layers for defense. Yet this does NOT mean you need more and more disparate systems to achieve it! The number of systems that analysts need to work with has become a burden. We don't need more tech — we need smarter, easier-to-use tech. We need to develop muscle, not fat.

It's Time to Bust These Myths for Good
To sum things up, we have to acknowledge these misconceptions about cybersecurity. If you read reports from almost 20 years ago, you will see the same problems and issues. Now is a great time to turn things around and bust these myths forever.

The adoption of cloud architectures gives us an opportunity to change the way we think and approach cybersecurity challenges. We can take these myths and put them behind us. As another great thinker, Albert Einstein, said"The measure of intelligence is the ability to change."

Etay Maor is the Sr. Director Security Strategy at Cato Networks and an industry-recognized cybersecurity researcher and keynote speaker. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24368
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.