[BreachExchange] 6 reasons you’re failing to focus on your biggest IT security threats

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 17 10:55:07 EST 2018


Humans are funny creatures who don’t always react in their own best
interests, even when faced with good, contrarian data they agree with. For
example, most people are far more afraid of flying than of the car ride to
the airport, even though the car ride is tens of thousands of times
riskier. More people are afraid of getting bitten by a shark at the beach
than by their own dog at home, even though being bitten by their dog is
hundreds of thousands of times more likely. We just aren’t all that good at
reacting appropriately to risks even when we know and believe in the
relative likelihood of one versus the other happening.

The same applies to IT security.

Computer defenders often spend time, money, and other resources on computer
defenses that don’t stop the biggest threats to their environment. For
example, when faced with the fact that a single unpatched program needed to
be updated to stop most successful threats, most companies do everything
other than patch that program. Or if faced with the fact that many
successful threats occurred because of social engineering that better
end-user training could have stopped, the companies instead spent millions
on everything but better training.

I could give you dozens of other examples, but the fact that most companies
can easily be hacked into at will is testament enough to the crisis.
Companies simply aren’t doing the simple things they should be doing, even
when confronted with the data.

The problem bothered me enough that I wrote a whitepaper, slide deck, and
book on the subject. Without having to read all of that, the answer for why
so many defenders don’t let the data dictate their defenses is mostly about
a lack of focus. A lot of priorities compete for computer defenders'
attention, so much so that the things they could be doing to significantly
improve their defense aren’t being done, even when cheaper, faster, and
easier to do.

What is causing this lack of focus in putting the right defenses in the
right places in the right amounts against the right threats? A bunch of
things, including these:

1. The sheer number of security threats is overwhelming

There are 5,000 to 7,000 brand new threats a year, or about 15 a day.
That’s 15 brand new problems on top of yesterday’s 15 brand new problems,
day after day after day. It’s been this way for decades, for as long as
they have been tracking the stat. Computer defenders could be likened to
911 call center dispatchers who are getting more emergency calls each day
than any single ambulance crew can adequately respond to, and so they have
to triage and prioritize.

2. Threat hype can distract from more serious threats

It doesn’t help that some computer defense vendors are doing their best to
make every rescue call a heart attack victim. Today’s announced threats and
vulnerabilities often come with as much focus on the hype and intent to
spread fear as the actual threat. They come with scary-sounding names and
even media-ready, free-licensed cartoon figures.

I don’t put all the blame on computer defense vendors. It’s their job to
sell their software or service, and it’s easier to sell batteries during a
hurricane. It’s up to the consumer to decide what is and isn’t deserving of
their attention, and it’s exceedingly hard to do when you’ve got 15 new
threats a day coming in.

Even when the threat and risk are huge, the overhyping of every threat makes
it hard to pay attention to the right ones. For example, Meltdown and
Spectre are actually one of the biggest threats we’ve faced as a
computerized society. They impact nearly every popular microprocessor,
allow attackers to invisibly exploit computers, often require multiple
software and firmware patches for protection, and when solved may
significantly slow down your computer. In many instances, the only good
solution is to buy a new computer. Meltdown and Spectre are, rightly, big
deals! In my opinion you can’t hype them enough.

Yet, outside of computer security circles and a few mainstream media
articles for a day or two, the world’s collective reaction is a global
“meh.” Normally when something big happens in computer security, my friends
and family ask me what they should do. With Meltdown and Spectre, I didn’t
get a single inquiry. To warn my social circle, I sent out helpful
information. Usually I get a few questions back. Nothing this time. Not a
single post in my social circle of hundreds of people. It’s like a hungry
great white shark has been spotted at the beach and no one is trying to get
out of the water.

Because Meltdown and Spectre often require firmware patches, which almost
no consumer has done or will do, you can bet we will have hundreds of
millions of vulnerable machines for many years to come. Why? Hype fatigue.
Every threat is so over-hyped that when a real, global threat comes out
that everyone needs to pay attention to, they just shrug their shoulders
and assume their OS or device vendor will patch it in due time. Frankly,
I’m scared about the weaponization opportunities these two new threats
offer. They are probably going to cause more microprocessor bugs to be
found and exploited.

3. Bad threat intelligence skews focus

Part of the reason is that most companies’ own threat intelligence does a
poor job of telling their company which threats they need to be worried
about. Threat intelligence (TI) should be looking at the thousands of
threats and telling their employers which ones are most likely to be used
against them. Instead, they usually act as megaphones replaying the global

Want to see how ineffective most threat intelligence departments are? Ask
them what’s the number one way that their company is broken into, causing
the most damage. Is it malware, social engineering, password attacks,
misconfiguration, intentional attacks, lack of encryption, etc.? I’ve never
met the TI team that could tell me that with a straight face, with data to
back up the conclusion. How can a company most efficiently fight the right
threats if they can’t even determine the biggest threats?

4. Compliance concerns don't always align with security best practices

If you want to get something done quickly in computer security, claim it’s
needed for regulatory compliance. Nothing opens the purse strings quicker.
Senior management is required to pay attention to compliance concerns. In
many cases, they can be held personally liable for actively ignoring a
compliance deficiency. It begs for their attention.

Unfortunately, compliance and security don’t always agree. For example,
today’s best password recommendations, announced over a year ago, pretty
much go against every legal and regulatory requirement concerning
passwords. Turns out that much of what we thought was true about password
security, like requiring complexity, wasn’t the best advice, or the threats
changed over time. The creators and maintainers of most legal and
regulatory recommendations don’t seem to be paying attention, even though
following the old password advice often makes a company more likely to be

One of my personal pet peeves on this subject is how many websites won’t
let me create a password longer than 16 characters (which would be very
strong regardless of its complexity), but force me to use “special”
symbols that they think in theory will make hackers' lives more difficult,
when the data and research shows this is clearly not the case in practice.
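As an added illustration (not part of the article or of this list post), the two rule sets side by side: a legacy web policy of the kind described above, with a hard 16-character cap and mandatory symbol classes, next to a policy shaped by the NIST SP 800-63B guidance (minimum length, a generous maximum, no composition rules, screening against known-weak passwords). The weak-password list and the sample inputs are constructed for the example; a real deployment would screen against a large breached-password corpus.

```python
"""Legacy composition-rule policy vs. a length-and-blocklist policy (illustrative)."""

import unicodedata
from typing import Tuple

# Constructed sample of known-weak / previously breached passwords.
# A production system would consult a large breached-password corpus instead.
KNOWN_WEAK = {"password", "123456", "qwerty", "letmein", "p@ssw0rd!", "welcome1"}

SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def legacy_policy(pw: str) -> Tuple[bool, str]:
    """Rule set the article complains about: composition requirements plus a short
    maximum length. A long passphrase is rejected before its strength is considered."""
    if len(pw) < 8:
        return False, "too short (min 8)"
    if len(pw) > 16:
        return False, "too long (max 16)"
    if not any(c.isupper() for c in pw):
        return False, "needs an uppercase letter"
    if not any(c.isdigit() for c in pw):
        return False, "needs a digit"
    if not any(c in SPECIAL for c in pw):
        return False, "needs a special symbol"
    return True, "ok"


def modern_policy(pw: str, weak_list=KNOWN_WEAK) -> Tuple[bool, str]:
    """Policy following NIST SP 800-63B (2017): at least 8 characters, allow at least
    64, accept any printable character, no composition rules, and reject values found
    in a list of known weak or breached passwords (compared case-insensitively here)."""
    pw = unicodedata.normalize("NFKC", pw)  # normalise Unicode before comparing
    if len(pw) < 8:
        return False, "too short (min 8)"
    if len(pw) > 64:
        return False, "too long (max 64)"
    if pw.lower() in weak_list:
        return False, "found in known-weak list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a long passphrase and a "complex" but breached password.
    for candidate in ("correct horse battery staple", "P@ssw0rd!"):
        print(f"{candidate!r:35} legacy={legacy_policy(candidate)} modern={modern_policy(candidate)}")
```

The passphrase fails the legacy policy purely on length, while `P@ssw0rd!` satisfies every composition rule and passes, even though it appears on the weak list; the blocklist-based policy gives the opposite, and more useful, verdicts.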

5. Too many projects spread resources thin

Every company I’ve consulted with has had dozens of ongoing projects, each
designed to secure the company’s computers and devices. In every case, one
or two of those projects, if finished to completion, would provide most of
the security benefits the company needs to significantly minimize security
risk. Splitting dozens of projects among a finite set of limited resources,
however, guarantees that most projects will be delayed and inefficiently
implemented even if run to completion. The IT security world is full of
expensive software sitting on the shelf and promised projects with no one
to properly oversee their continued operations.

6. Pet projects usually aren't the most important ones

Worse yet, most companies have one or two pet projects being pushed by a
senior executive as their flavor of the month. They read a book, heard a
story on the radio, or went golfing with a friend who told them what they
needed to do to fix their company. So, without consulting their own
company’s data to see what the biggest threats are, they pull the best and
the brightest team members from other projects to get theirs done first--if
they can get a project done before becoming excited and enamored with their
next pet project.

I could give more examples of why computer defenders aren’t focusing on the
right things, but it starts with an avalanche of daily threats and is
worsened by many other factors along the project chain. The first step in
fixing a problem is admitting you have a problem. If you see your company’s
ineffective computer defenses represented above, now is the time to help
everyone on your team understand the problem and help them to get better