DBIR Myopia: If You Think the Big Problem is Hacktivism, You’re Wrong

The latest Verizon DBIR (.pdf) has arrived and my old reporter colleagues have all filed their stories touting the most high-profile finding contained therein, the rise of so-called hacktivism.

Based on all the disruptive and newsworthy campaigns carried out by groups such as LulzSec and Anonymous in 2011, that’s understandable enough; it’s an interesting trend. Those guys had their way and made headlines. It’s a dynamic new cyber-social phenomenon.

But everyone who looks at the DBIR and thinks that the big issue here is hacktivism is actually missing the point. No offense, but, truthfully, if your job is related to IT security and your assessment after reading the results is that we need to focus more efforts on stopping these electronic protests/attacks, not only are you incorrect, you absolutely do not get it. Can’t see the forest for the trees; looking in the wrong direction.

The news isn’t that Anonymous or LulzSec is the new threat to be concerned about, because the fact is, just as APT, botnets, insider attacks or malware toolkits were the highlights of previous years’ research, guess what… there’s always going to be a new form of threat. Tomorrow the sun may come out or it might rain. Electronic attacks are not going away. Ever. This is not news; this is fact.

The real news here is, the most fundamental answer to these problems is right in front of our eyes, and has been for years, and no one has figured out how to address it. No one even talks about it much anymore, aside from a quick mention when the DBIR comes out and reports this same news EVERY SINGLE YEAR.

The most shocking and noteworthy trend in the DBIR is that we spend an increasing amount of time and effort, and millions of dollars, trying to stop all of these types of attacks every year and we’re not improving our ability to do so.

Even worse, as an industry we IT security people wait like kids on Christmas for the DBIR to arrive and help lead our thinking for the next 12 months, and then we completely ignore the most important finding, perhaps because it seems boring and unquestionably because no one has had an answer.

Save RedSeal and a few other providers like us, no one else seems to fixate on this issue, and that’s why we harp on this fact in every single presentation, media interview and analyst briefing that we give year round. Often, in fact, when we cite it as one of our primary drivers these experts wave it off and say “Yes, we all know this already.” Well, then why hasn’t anyone done anything about it?

So here it is. Here’s what never changes year to year. This is what everyone is too blind to see right under their news-of-the-moment, emerging-threat, it-leads-if-it-bleeds, Twitter-addled noses.

Simple Problems, No Improvements

According to Verizon’s 2012 Data Breach Investigations Report, 96 percent of the successful attacks they tracked were “not highly difficult, meaning they did not require advanced skills or extensive resources.” Additionally, the report finds that “97 percent of the attacks were avoidable, without the need for organizations to resort to difficult or expensive countermeasures.”

In previous years’ reports this has also been expressed as the compromise of “simple” security controls. For the 2010 report it was 96 percent; in 2009, 89 percent. And it’s always been in this high range. Way, way up there.

Conclusion: The issue isn’t hacktivism or malware or even cybercrime. The issue is, most people are failing in upkeep of their most basic IT security defenses. And the bigger your network is, the greater the likelihood that this is true in your environment.

Want to know why LulzSec is truly lulzing at us? Because we’ll make a big deal of their work of the last year and won’t likely invoke the most obvious opportunity that we have to do anything to stop it.

People on Capitol Hill want to strike down this new breed of protester who has so frequently made them look bad? How about making sure that your information is protected using the systems you already have in place, instead of marshaling armed officials to go hunt for them from basement to basement.

Afraid that foreign nation states are all up in our federal government’s most sensitive data? How about taking a closer look at the layered defenses we’ve installed, rather than attempting drastic means to remotely shut down the networks from which we have seen the traffic coming.

The majority of attacks exploit the ineffectiveness of firewalls or vulnerability patching initiatives that we already have in place but simply screw up.

The reality is, worrying about threat intelligence or aggressive forms of advanced attack defense or toughening up anti-hacking laws to prosecute law breakers is all well and good, but if you can’t stop the simple stuff, you’re wasting your time and money on the above.

Focusing on hacktivism is interesting… but almost entirely pointless from a practical security management standpoint!

Fundamentally Flawed

Organizations spend millions of dollars on cyber-security but have no idea if it works, because its components are too numerous, too complex and too constantly changing (as they must be, to support the goals we need to stay in business) for most organizations to understand where they’re making mistakes or have blind spots.

As Verizon itself recommends, security teams needn’t study up on Anonymous or whatever form of attack is bound to arrive next on their doorsteps, they need to “establish essential security controls… to ensure fundamental and common sense security countermeasures are in place and that they are functioning correctly… to monitor security controls regularly.”

At RedSeal we contend they need automation to do this. Self-serving? Yes. Valid? Yours to judge, but we think we’ve got some pretty good evidence that network security infrastructure has become too complex and changes too fast to attempt to do so without it.

As Dan Geer, the longtime security guru and CTO of RedSeal investor In-Q-Tel has recently remarked, and our CTO Dr. Mike Lloyd often quotes: “[IT] Security is too wide to master, too deep to know, and too fast to photograph.”

As usual Dan is right, but as I’m sure he’d agree, this does not mean that we cannot make progress.

Just as we can’t point surveillance cameras into every corner of the world to watch where crimes may be committed (and don’t want to, independent of the fact that we’d never be able to watch them all), we can put them up at strategic locations covering our most high-security sectors, like airports and banks. Is that a new idea?

In the same way, we can take pictures of our security infrastructure, in particular of our individual networks, to see where the weak points may be exploited, where our most basic security controls are failing to work as intended. We better hope that cloud providers are doing so as we hand them an increasingly large share of our data, computing muscle and applications.

We argue, at RedSeal, that using our solution, you can take a virtual image of your network security whenever you want to see how it’s changing and where unwanted access, and exposure of known vulnerabilities, is present.

This is a great way to understand how to fix it. Even if you don’t believe in our product’s ability to do so, we think it’s hard to debate the underlying logic and the DBIR ALWAYS VALIDATES THIS POINT.
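As an added illustration of the snapshot-and-compare idea (example code written for this post, not RedSeal’s product or code; the rule format, the sample rule sets and the sensitive-port list are all constructed), this compares a current firewall rule set against the last approved snapshot and flags drift that newly exposes sensitive services:

```python
"""Added example: diff a firewall rule snapshot against an approved baseline
and flag new rules that expose sensitive services to any source.
Rule format, sample rules and the sensitive-port policy are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR, or "any"
    port: int     # destination port; 0 means any port


# Constructed sample: the approved baseline and a later snapshot of the same device.
BASELINE = {
    Rule("allow", "10.0.0.0/8", "10.1.1.10/32", 443),
    Rule("allow", "10.0.0.0/8", "10.1.1.20/32", 22),
    Rule("deny", "any", "any", 0),
}
LATEST = {
    Rule("allow", "10.0.0.0/8", "10.1.1.10/32", 443),
    Rule("allow", "any", "10.1.1.20/32", 22),     # SSH source widened from 10/8 to any
    Rule("allow", "any", "10.1.1.30/32", 3389),   # RDP newly reachable from any source
    Rule("deny", "any", "any", 0),
}
# Constructed policy: services that must never be reachable from "any".
SENSITIVE_PORTS = {22, 23, 445, 1433, 3306, 3389}


def diff_rules(baseline, current):
    """Return (added, removed): the drift since the approved snapshot."""
    return current - baseline, baseline - current


def exposed_rules(rules):
    """Allow rules whose source is 'any' and whose port is sensitive (or any port)."""
    return {r for r in rules
            if r.action == "allow" and r.src == "any"
            and (r.port == 0 or r.port in SENSITIVE_PORTS)}


def review(baseline, current):
    """Summarise drift and the exposures it introduced, for a control-check report."""
    added, removed = diff_rules(baseline, current)
    return {"added": len(added), "removed": len(removed),
            "exposed": sorted((r.dst, r.port) for r in exposed_rules(added))}


if __name__ == "__main__":
    print(review(BASELINE, LATEST))
```

Run on a schedule against each device’s exported rules, a non-empty `exposed` list is the “simple control failing” the DBIR numbers keep describing, caught before the report does.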

If you keep talking about hacktivism as the big problem, and fail to address the inability of organizations to maintain these simple controls “consistently” as Verizon themselves spin it…

You’ll never get anywhere in improving IT security.

Whatever comes after hacktivism will own you. Sure, some of these characters are capable of incredibly complex attacks, and of social engineering vehicles through which to deliver them, that we will remain challenged to stop for a long time, if not forever. People still rob banks. 9/11 really happened.

But as long as we focus on the nifty trend of who is attacking us, and not why they’re being successful, we’re destined to keep reading the DBIR every year and fail to noticeably move the needle.

Here’s hoping some others seeing this point decide to do something about it.

The numbers reported in the DBIR every year, illustrating that this hasn’t happened yet, remain downright depressing.