[BreachExchange] Terrified about cyber ninjas? You may be missing the real threat

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 20 19:09:45 EDT 2017


http://www.zdnet.com/article/terrified-about-cyber-ninjas-you-may-be-missing-the-real-threat/

Companies are far more likely to be attacked by low-level cybercriminals
than sophisticated nation-state backed hackers. That means that it's
possible to stop the crooks doing significant damage to your systems -- if
you're following the right advice and working with the right cybersecurity
mindset, that is.

One of the steps towards that is admitting that a significant amount of
technology -- be it computers, smartphones or Internet of Things devices --
is built with vulnerabilities that hackers will be able to exploit.

However, instead of aiming for the impossible ideal of entirely bulletproof
security, IT security professionals should be working towards ensuring that
exploiting these vulnerabilities does the least harm possible.

"The reality is the stuff we buy, the stuff we build is going to have
vulnerabilities -- get over it. We should be building systems to manage
harm, not vulnerability," says Ian Levy, technical director at the National
Cyber Security Centre, the GCHQ unit dedicated to protecting the UK from
cyberattacks.

Part of the problem, he said while speaking at the CRESTCon & IISP Congress
security conference in London, is how many cybersecurity companies drum up
fear about nation-state attacks -- while these do occur, most companies are
unlikely to face one.

If you listen to a lot of security companies, "most of the attacks we see
are performed by ninja cyber monkeys", he said, "who can compromise my
laptop in my bag just by thinking about it. That's not true".

That sort of approach only leads individuals and enterprises into trying to
solve a problem that doesn't necessarily exist for them -- and in
attempting to prevent nation-state attacks, it's entirely possible that the
real threat posed by lower-level hackers could be missed.

"We're throwing things at a problem when we don't understand what to do.
[We need to] understand the value proposition or the threat we're trying to
fix," says Levy, who says honesty is needed about the identity of the
attackers that pose a threat -- low-level hackers rather than so-called
'advanced persistent threat' groups backed by governments.

"They're adequate, they do the minimum necessary to achieve their aims; and
a lot of the time that is trivial. Adequate Pernicious Toerags is what we're
really, really up against most of the time. Of course there are some
very-high end actors using some very high-end techniques, but let's use
them as the exception; the majority of the stuff we see is this," he says.

So why are organisations potentially ignoring this threat? Simple: "The
reality is a lot of the guidance we give is terrible," Levy said, referring
to the cybersecurity industry as a whole, citing recommendations of using
long, complex, regularly-changed passwords and how some organisations --
particularly in finance -- don't allow customers to use password managers
to help with security.

"It's dumb advice -- let's stop giving dumb advice," he said. He urged
security firms to "take the mystery out of cybersecurity" with the aid of
evidence and useful advice to help people make better decisions that
"protect the majority of people from the majority of attacks the majority
of the time".

When it comes to nation-state backed cyberattacks, Levy is blunt about the
prospects of being a target -- "there's not a lot you can do about it" --
so he urged organisations and individuals to concentrate on ensuring that
low-level cyberattacks do the least harm.

"The majority of people in this country don't need to worry about
nation-states, the majority of people get harmed by cybercrime, they get
harmed by ransomware, they get harmed by script-kiddies," he said.

"Let's take away the crap so that skilled network defenders can work on the
hard stuff. Target investment in the right way so people can understand
what they're defending against," he added.