Ten Reasons to be Pessimistic About Cybersecurity

Morey Haber, Chief Technology Officer
February 27th, 2018

(Ed. note: This is the first of two blogs. Tomorrow, check back here for a “optimistic” spin on our current cybersecurity challenges.)

Is the glass half empty or half full? Do you watch CNN or Fox News? Are you an optimist or pessimist? One thing we can agree on is that the state of cybersecurity has continued to be the cornerstone of conversations from the CIO to the boardroom. While it is rare we can ever firmly get ahead of modern threats, there are many pessimistic views that have become the backbone of our fears. Unfortunately, as we battle the next breach, critical vulnerability, privileged attack, ransomware, or social engineering threat, we find ourselves battling fatigue and the sense that we can never win this battle. In fact, the best we could ever achieve is a stalemate because threat actors, hackers, and attackers will always try to undermine our governments and businesses, and attempt to profit for their own financial gains.

As far as recorded history goes, there have always been thieves, and to date there has never been a society (outside of science fiction) that has ever solved this problem. For some, this has made us very pessimistic about the state of cybersecurity. For others, very optimistic due to the challenge and opportunity to improve the status quo.

For the negative Monday blues everyone experiences from time to time, here are the top ten reasons to be pessimistic about the state of cybersecurity:

1) Threat actors are one step ahead.

It goes without saying that modern cybersecurity is reactive to the threats we face today. Once we develop a strategy and technology to combat a threat, threat actors evolve their tactics to circumvent defenses or develop new attack vectors to create an incident. While old school attacks are always possible, and occur all the time, the evolution of threats always places the threat actor one step ahead. After all, you cannot develop a defense when you do not know what the potential offense is of a threat actor. And, while you can dream up new attack vectors, no matter how good you are, you will always miss something the criminal mind has developed. This always places them one step ahead.

2) Modern solutions are not keeping up with evolving threats.

While threat actors are one step ahead, it takes time to design, develop, mature, deploy, and test new security solutions. This makes them potentially behind – or worst, obsolete – by the time the threat evolves. This unfortunately alludes to cybersecurity defenses not evolving fast enough as threat actors change their tactics and attack vectors. If you have trouble relating to this problem, consider how many virus signatures are in a modern end point protection solution.

3) Cybersecurity solutions are always defensive, never offensive.

This is one of the most highly debated topics for white hat security professionals. Of all of the tools in our arsenals, they are all defensive in nature. Cybersecurity ethics prohibits us from hacking back and becoming offensive. While there are huge legal and moral ramifications in hacking back, we will always be defensive unless things change. This unfortunately justifies the first two pessimistic views since we can never get ahead of them.

4) There aren’t enough cybersecurity professionals.

Does this one really need a justification? We are all aware of the deficit of cybersecurity professionals and the impact to businesses and government. Luckily, this is one of the few pessimistic bullets that actually has a silver lining, as universities and private organizations step up the training on cybersecurity.

5) Regulatory compliance initiatives are not sufficient.

While we suffer from shock due to all the regulations we are governed by, they have truly proven to be insufficient in today’s organizations. They provide guidance for everything from application control to log management but falter in explaining on how to actually get it done. It is one thing to state that you need a vulnerability management program and must patch all critical vulnerabilities, and a completely separate problem to actually get it working. Don’t get me wrong. The guidance in regulatory compliance initiatives and frameworks is stellar. They share common traits between each of them but in a modern organization making them work efficiently and cost effectively is another. It would be ideal if these regulations evolved to include best practices for implementation versus just stating, “get it done”.

6) No provisions for end of life.

Modern operating systems last approximately twelve years. While some may argue that is plenty of time, I contend it is far too short. If these implementations are working well, based on proven technology, and become a part of our critical infrastructure for operations, just because they are end of life does not mean we must replace them. Actually, most regulations do require we do replace them but outdated systems are currently used for power generation and missile defense. They are just too costly and problematic to replace.

This means that when granted exception status, we can no longer maintain them with security patches or other modern defensive technology. This means the provisions we have to protect them are limited and increase in time as we surpass the end of life date. Businesses have relied on file cabinets and paper for much longer than ten years. Just look at your local library. As we evolve in the next generation economy, even libraries will need to cycle their storage and systems in far less than one human generation. I contend that we have pure provisions for end of life and technology of this nature should last at least one generation (25 years).

7) Rapid growth in Internet of Things (IoT).

There is no doubt this field of technology is explosive in growth. The problem is many of the products lack basic cybersecurity hygiene and may even be hard wired into our homes or cars. Consider if you purchased a door bell or thermostat that is IoT based. How long will it receive security updates and what is its end of life? By modern accords, five years is typical. Does this mean you are going to hard wire a new door bell, thermostat, or even cameras every three to five years (depending on where in the life cycle you purchased it)? I highly doubt it. This leaves older versions susceptible to potential hacks and supports all of the previous pessimistic statements.

8) Poor basic security hygiene within organizations.

Even after 20 years since the dot com bubble, we still have not mastered basic cybersecurity hygiene. We still cannot master vulnerability management, patch management, privilege management, log management, etc. These basics are the foundation for any cybersecurity defense and are absolutely required by any modern defensive security strategies. Therefore, without a well working foundation, the evolution of attacks will evade organizations and make it harder to detect and protect against threats.

9) Desensitized to breaches.

Every week we hear about another breach in the news. We have become numb. The size, dollar value, and even leakage of sensitive personally identifiable information has made us emotionless to the information. We all know our personal information is out there and there is no way to truly stay off the grid in this next generation economy. Considering the severity of the breaches in 2017 and what has already occurred in 2018, there is not much more room to shock us and inflect pain. We are truly desensitized to the next announcement and loss of information.

10) Potential cybersecurity issues with the removal of net neutrality.

One of the most controversial technology changes of the current United States administration is the end of net neutrality. While this may get held up in the courts for years, the potential security impact has theoretical implications beyond streaming movies and illegal downloading of bit torrents. If you consider that all security solutions require updates and signatures, the throttling of this information by a provider could potentially stymie an organization’s ability to receive security information needed to defend against an attack. While I acknowledge there is no proof a provider could throttle anti-virus signature updates or security patches for an operating system, without net neutrality there is no reason they couldn’t nor any legislation that states they must prioritize this data. In addition, while it does give a provider the ability to throttle or block a real-world attack, the discretion of what to throttle or block is not defined either. This leaves the removal of net neutrality as the final pessimistic statement we should consider having real world ramifications in the future of cybersecurity.

Now it is time to reflect on these issues. It is also time to find strength in what we are doing wrong and spin the negative energy into a productive cause. We need to find solutions for these issues – some may be policy, process, attitude, or even product, but in the end if we succumb to our negative opinions, we will fail. If you are looking for ways to change the culture of pessimism in your environment, embrace any one of these topics and create a challenge. Having differences in opinion is a strength, being pessimistic is not. Empower teams to fix or improve on the issue and reward them when the goal is insight. We will never permanently solve these ten problems but accepting they are reality and that we can combat our natural instincts will only strengthen our defenses in the end.

We’re here to help, contact us today for a personalized cybersecurity planning session.

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelors of Science in Electrical Engineering from the State University of New York at Stony Brook.