(Editors note: This is the second of two blogs. Check out my other blog for a more pessimistic view on our current cybersecurity challenges.)
Yesterday, I posted a blog detailing ten reasons to be pessimistic about the state of cybersecurity. In summary, the world is not coming to an end, but as security professionals we do have some serious problems and need real world solutions to solve them. While some will continue to argue the glass is half empty versus half full, the rest of us are trying to solve the problems versus embracing them as unsurmountable hurdles and complaining.
To that end, here is the rebuttal to the previous blog and ten reasons to be optimistic about the state of cybersecurity. And yes, they are the same topics with a positive perspective.
1) Threat actors are one step ahead.
The optimist’s view is that we are only one step behind. While that is not always true, the truth is that the attacks we are facing today are not so sophisticated that no one can figure them out. Yes, threat actors are smart, but security professionals are just as smart. Many defenses we develop protect against variants from occurring and require threat actors to be overly creative to find the next successful exploit. Simple techniques like removing administrator rights, application control, and even patch management can stop a variety of attack vectors. If you do not believe this, consider this: If you applied Microsoft MS17-010 within 90 days of release, you would not have been susceptible to WannaCry. If your rebuttal was regarding patches for Windows XP and 2003, please review #6. End of life is no excuse for proper protection. Many basic defenses counter the one step ahead theory.
2) Modern solutions are not keeping up to evolving threats.
I disagree with this argument. In fact, there are so many new technologies that protect against a single use attack vector that it is difficult to keep up. The solution is to choose vendors wisely. Embrace ones with a vision and roadmap that adapts to modern threats and provides updates as a part of their maintenance versus suckering more money out of you for a new layer of protection. If you need proof, remember all the add-ons for spyware and adware that anti-virus vendors tried to charge for in addition to their base services. Layers of features, advanced functionality, and new tools show be included in a platform versus going back to the well each time. This is how you keep your solutions up to date and allow natural evolution of your implementations to keep up with the threats.
3) Cybersecurity solutions are always defensive, never offensive.
Yes, they are. If your cybersecurity technology could be used offensively imagine what would happen if it was compromised and used against you! One of the biggest risks to consolidation solutions like centralized logging, vulnerability management, and directory services is a single point of failure for a plethora of sensitive information and command and control capabilities. All it takes is a leakage of vulnerability data to help an attacker gain a persistent presence. Now imagine if a threat actor or insider used the technology offensively without proper permission, rational, automation, or even due to a hack. In this security professional’ s opinion, the risks are just too high to consider and cybersecurity should remain defensive in nature and leave offensive capabilities in the hands of cybersecurity professionals in the government using them for warfare.
4) Not enough cybersecurity professionals.
I cannot disagree with this one, but we are making progress. Higher education has begun offering classes in cybersecurity, and even Bachelor’s degrees to prepare the next generation of workers with careers to fill the need. Some of these programs pack years of experience and knowledge in a four-year degree, including CISSP certifications such that students can hit the ground running as soon as they graduate.
5) Regulatory compliance initiatives are not sufficient.
I would argue that this is the difference between theoretical physics and applied physics. Regulatory compliance initiatives are the guidelines we should (must in many cases) follow and the actual implementation requires experience and expertise. This is why we hire security partners, pay for professional services, or embrace system integrators. Their experience and knowledge closes the gap and takes the documentation we must follow and makes it into reality for our business and our processes. The regulatory compliance initiatives are actually sufficient. We just need to learn from other professionals on how to actually get them implemented. The pessimist will stop at stating we can never get this implemented. The optimist will ask who can help us make this work.
6) No provisions for end of life.
That’s not the vendor’s fault but rather yours and your business’ fault. Many vendors offer technology that is considered extended life, or a support program (that costs money) to maintain solutions even past their end of life dates. Make no mistake, these can be very expensive but it is up to us to understand the life cycle for a solution we choose versus blaming the vendor. In addition, there are many layers of technology and security best practices – from segmentation to lateral movement prevention and detection – that can protect these devices well past their end of life date. In the end, don’t blame the vendor. We need to make smarter choices or demand extended support from the technology we pick to run our businesses.
7) Rapid growth in Internet of Things (IoT).
Consider this a teaching moment and method to share cybersecurity best practices and education with vendors that have never worked with connected technology before. These vendors are neophytes. They are building technology to make our lives easier, and communications is a key part of the process. They just need to be taught and held accountable for poor designs and implementations such that the next generation of their solutions will be better and more secure. And yes, there is a right way to handle public disclosure of a discovered vulnerability and a wrong way. I challenge all security researchers to do the right thing and remain patient for fixes while these vendors learn how to develop better IoT products. As an optimist, take the high road here.
8) Poor basic security hygiene within organizations.
I think we all recognize which cybersecurity practices in our business are under performing. The only time the pessimist will win this argument is if no one is doing anything about it or your business is actually devolving. It can happen when key personnel are lost or in a declining market. Take this opportunity to help fix cybersecurity basics – from vulnerability management to the removal of administrator rights. If you can master the basics, including patch management, your foundation will help you remain optimistic for any future threats.
9) Desensitized to breaches.
We all can become numb to the same story over and over again. The truth is, the news reports almost all security breaches the same way. “N” of people have had their personal information stolen or company “X” was hacked and operations were disrupted. The key to not becoming desensitized is to look beneath the story and into why it happened. If every breach said that the hack occurred due to default credentials, we would not care and nothing could be fixed. The optimist’s view is to investigate the story (low level) and learn from someone else’s mistakes such that it does not happen to you or your business. Each breach in the news should hopefully be different so we can learn. If they are the same attack vector, the pessimist has one and no one cares anymore. We are sensitized.
10) Potential cybersecurity issues with the removal of net neutrality.
I believe in the good in human nature and that companies will do the right thing to protect the Internet and our businesses from cybersecurity attacks. When we misbehave, governments and laws tend to step in to regulate and change behavior with penalties. If net neutrality is truly at an end, the optimist in me says providers will do the right thing and not throttle or block critical security updates or information. If the pessimist wins, we will have laws prohibiting them from doing so. Government will be forced to step in and no one wants that. Let’s take the high road again and do the right thing – keep security information open and unrestricted on the web.
Cybersecurity requires us to embrace change and become optimistic about the challenges we face. If we view the dilemmas with a pessimistic attitude, we will never be successful in protecting our organizations. While we all fall victim from time to time to the no-win state, I can positively affirm after 20 years in information technology and security, things are getting much better versus much worse or staying the same. However, we must always look at both sides of an argument in order to build our own opinions and in the case of cybersecurity, understand how a threat actor thinks and why they behave the way they do in order to prevent the next breach.
At BeyondTrust, we have solutions to help solve many of these attack vectors – from privileged access management to vulnerability management. If you would like to learn more about how to be optimistic about cybersecurity, contact us today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.