CyberGuide - Information Security and Cyber Risk Management



Cybersecurity Has Failed: We Need a New Paradigm

By Jack B. Blount and Bob Barker, Intrusion

The common vulnerabilities and exploits (CVE) database lists more than 11,000 exploitable vulnerabilities in commonly used systems and software—and as of mid-2019, 34 percent had no patches available. – Josh Fruhlinger, CSO, March 9, 2020

How Cybersecurity is Failing

The threat of cyberattacks to businesses worldwide has become immense and continues to grow. While significant measures have been taken to address this acceleration of cyber aggression, the figures remain mind-numbing.

CSO magazine recently listed these statistics:

9 Key Cybersecurity Statistics at-a-Glance

  • 94 percent of malware is delivered via email.
  • Phishing attacks account for more than 80 percent of reported security incidents.
  • $17,700 is lost every minute due to phishing attacks.
  • 60 percent of breaches involved vulnerabilities for which a patch was available but not applied.
  • 63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach.
  • Attacks on IoT devices tripled in the first half of 2019.
  • Fileless attacks grew by 256 percent over the first half of 2019.
  • Data breaches cost enterprises an average of $3.92 million.
  • 40 percent of IT leaders say cybersecurity jobs are the most difficult to fill.


Most of the time when we consider our cyber vulnerabilities, software exposures come to mind. While software threats are extensive, a Dell survey revealed that 63% of companies identified a hardware-level or silicon-level security breach as the reason their data was compromised within the last twelve months, and further found that “only 28 percent of companies were happy with their vendors’ hardware security management.”(1)

In combatting this growing threat, the cybersecurity market has grown dramatically. According to Cybersecurity Ventures, “The cybersecurity market grew by roughly 35x over 13 years entering our most recent prediction cycle. Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021.”(2)

Despite massive spending, it is challenging to see progress, and certainly no one is claiming victory. While most new technologies addressing a specific type of threat work as advertised, the number of breaches continues to grow.

To put it bluntly, the cybersecurity industry as a whole is failing to protect our economy. Instead of continuing to invest blindly as new classes of threats emerge, it’s time to find a new paradigm that is based on an enhanced architecture.

Changing the Paradigm

While businesses of all sizes are impacted by breaches, the nature and impact differ.

Large Enterprises and Government

A common assumption among CISOs is “you haven’t been breached if you don’t know it,” and that is simply untrue. Sony, Home Depot, JP Morgan Chase, and millions of other breached businesses will tell you they did not know of their breaches until it was too late. Almost every business – no matter how large or small – has been breached. Agents are living on your network, examining what data you have, and searching for what’s most valuable to them. One of the authors of this paper found that software agents had been living undetected on the networks of his consulting client for almost two years. In cybercrime and cyber warfare, this seems to be the new normal.

CISOs of large companies must adopt a new mindset and make different assumptions than most currently have. They can’t assume they are safe now, let alone that they will be safe in the future. They have to be constantly diligent and seek out evidence of bad actors already inside, not resting until those actors are found. They must accept that they can’t keep bad actors out of their networks: given enough time, a capable adversary will find a way in. CISOs of companies of all sizes must accept these facts and fight complacency.

Small and Medium Enterprises

According to the SBA, more than 30 million small businesses exist in the U.S., employing almost half the private workforce.(3) Cyberattacks are an even greater danger to small and medium businesses because according to the FBI, 60 percent of businesses that experience a ransomware breach fail soon thereafter.

The Vistage CEO organization, with more than 24,000 members, joined Cisco and National Center for the Middle Market to survey small businesses. They found that 62 percent of the 1,377 respondents did not have an active cybersecurity strategy, and “that’s a major problem, given that the cost of a cyberattack can be high enough to put a company out of business; according to the National Cyber Security Alliance 60 percent of small and midsized businesses that are hacked go out of business within six months.”(4)

Smaller businesses can’t adequately prepare for cybercrime, much less cyber warfare. With only about 3,000 certified CISOs in the U.S., few of the 30 million organizations have a CISO. While they realize the threat, they don’t know where to get the education they need to take appropriate measures within their available budget.

Myths and Fallacies

Many companies rely on information that is half true at best, or totally inaccurate at worst. We have to retrain them to face today’s realities.

1. “If firewalls stay updated, the network stays protected.”

Even large companies like Equifax have problems keeping up with updates;(5) Equifax’s 2017 breach came through an Apache Struts vulnerability for which a patch had been available for months. More importantly, of all the millions of breaches that have occurred at businesses, they all had one thing in common: the business had a firewall. A firewall alone does not stop breaches.

2. “Software and hardware from trusted vendors are secure when delivered.”

Vendors acquire systems and components from the lowest-cost source with adequate quality. They don’t consider it cost-effective to evaluate every item before shipping. Furthermore, in most cases they would not know how to identify malware already hidden in firmware (ROM) further up the supply chain by a component manufacturer, so a vendor’s brand is no guarantee that what arrives on the loading dock is clean.

3. “An intrusion prevention system or DNS tool will spot the bad guys and keep the network safe.”

Most companies that use block lists have perhaps 50,000 entries, and some approach one million IP addresses. IPv4 alone has about 4.3 billion addresses, and IPv6 vastly more, so even a large block list only scratches the surface, and attackers move to fresh addresses faster than lists are updated.

4. “The right number of people with the right talent will keep the network safe.”

According to Gartner’s Cybersecurity Report, there is a severe shortage of talent in the global security workforce. By 2022, the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions. The depth and breadth of the problem companies face can’t wait for that gap to be filled.

Elements of a New Paradigm

To replace the current, unrealistically positive view of cyber resilience with a new, realistic paradigm means starting from a very different perspective. Here are the key components of such a paradigm that CISOs and other IT professionals must adopt if they are to have a fighting chance of protecting their company’s valuable data:

  1. Accept that you can’t keep the bad actors out of your network. Large company and small company CISOs need to be aware of this fact and not be complacent. Reframing the problem in this way allows you to address it at its root. How do I face those with malicious intent head-on? Otherwise the focus remains only on fixing an endless cycle of symptoms.
  2. Similarly to the acceptance that bad actors will enter your network, you must operate on the belief that everything in your network has already been compromised. The part of your plan based on this assumption would address existing breaches, which are most certainly present, while the assumption above will cover future breaches.
  3. Once you’ve adjusted your mindset, the focus should shift to finding ways to neutralize threats while they’re on your network. This means relying less on endpoint solutions and more on solutions that detect adversaries where they stand, on the network, and immediately disable them.
  4. Look for and employ solutions that eliminate the unrealistic volume of false positives, making it more practical for your personnel to address the real threats. Too often technology available today creates more work for already overburdened staff. A truly advantageous solution should eliminate noise, enabling your security staff by doing the bulk of the work for them.
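As an added, illustrative example of what “seeking out evidence of bad actors already on your network” looks like in practice, the Python below hunts for beaconing: an implant that calls home to the same destination at near-constant intervals, which is the most common footprint of the “agents living on your network” described above. This is not code from the article or from Intrusion, Inc.; the log format (`timestamp src_ip dst_ip dst_port`), the sample log, the allowlist, and the thresholds are all assumptions made for the example. The minimum-event count, jitter tolerance and allowlist exist specifically to keep false positives down, in the spirit of the fourth element above.

```python
"""Beacon (periodic call-home) detector over connection logs.

Added example, not code from the article or from Intrusion, Inc.
Assumes a constructed log format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumption: one outbound connection per line).
# 10.0.0.5 -> 203.0.113.7:443 is a planted beacon at ~60 s with a few seconds
# of jitter; 10.0.0.8 is a user browsing; 10.0.0.5 -> 10.0.0.1:53 is DNS.
SAMPLE_LOG = """\
2020-03-09T09:00:00 10.0.0.5 203.0.113.7 443
2020-03-09T09:00:03 10.0.0.5 10.0.0.1 53
2020-03-09T09:00:04 10.0.0.5 10.0.0.1 53
2020-03-09T09:00:05 10.0.0.8 198.51.100.20 443
2020-03-09T09:00:09 10.0.0.8 198.51.100.20 443
2020-03-09T09:00:10 10.0.0.8 198.51.100.20 443
2020-03-09T09:00:30 10.0.0.5 10.0.0.1 53
2020-03-09T09:01:01 10.0.0.5 203.0.113.7 443
2020-03-09T09:01:59 10.0.0.5 203.0.113.7 443
2020-03-09T09:02:10 10.0.0.5 10.0.0.1 53
2020-03-09T09:02:11 10.0.0.5 10.0.0.1 53
2020-03-09T09:03:02 10.0.0.5 203.0.113.7 443
2020-03-09T09:03:40 10.0.0.8 198.51.100.20 443
2020-03-09T09:04:00 10.0.0.5 203.0.113.7 443
2020-03-09T09:04:58 10.0.0.5 203.0.113.7 443
2020-03-09T09:06:01 10.0.0.5 203.0.113.7 443
2020-03-09T09:07:00 10.0.0.5 203.0.113.7 443
2020-03-09T09:08:02 10.0.0.5 203.0.113.7 443
2020-03-09T09:08:59 10.0.0.5 203.0.113.7 443
2020-03-09T09:12:15 10.0.0.8 198.51.100.20 443
2020-03-09T09:12:16 10.0.0.8 198.51.100.20 443
2020-03-09T09:12:50 10.0.0.8 198.51.100.20 443
2020-03-09T09:31:00 10.0.0.8 198.51.100.20 443
"""

# Destinations that legitimately see regular traffic (assumption: the site's resolver).
KNOWN_GOOD = {"10.0.0.1"}


def parse_log(text):
    """Group connection timestamps by (src, dst, port) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation) for a flow.

    A low coefficient of variation means the gaps between connections are
    nearly identical, which is what a timer-driven implant produces.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0), float("inf")
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(text, min_events=6, max_cv=0.15, allowlist=KNOWN_GOOD):
    """Flag flows that contact the same destination at near-constant intervals.

    min_events keeps one-off connections out of the results, max_cv is how much
    jitter the adversary's timer may have before the flow stops looking periodic,
    and allowlist suppresses expected regular traffic. All three exist to keep
    the false-positive volume down, not to catch everything.
    """
    findings = []
    for (src, dst, port), stamps in parse_log(text).items():
        if dst in allowlist or len(stamps) < min_events:
            continue
        mean, cv = beacon_score(stamps)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "events": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Run against real data, the log would come from a firewall, proxy or NetFlow export rather than the embedded sample, and the thresholds would be tuned per environment: a long-lived implant with heavy jitter needs a looser `max_cv` and a longer observation window, while a busy egress point needs a tighter one to keep the alert volume workable.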

About the authors: Jack B. Blount is president and CEO of Intrusion, Inc. and Bob Barker is founder and CEO of The Partnering Network. Intrusion is a cybersecurity innovator that has reframed the problem of failed network security to successfully address the depth and breadth of cyberattacks experienced every three seconds in the United States alone. Learn more by visiting intrusion.com.

1. Josh Fruhlinger, CSO, March 9, 2020.
2. Steve Morgan, Cybersecurity Ventures, June 10, 2019.
3. “Small Businesses Drive Job Growth,” U.S. Small Business Administration website, April 25, 2018.
4. Joe Galvin, Inc., May 7, 2018.
5. Bob Barker, “Equifax 2.0: Massive Aftershocks Result from Breach,” Advisen, March 30, 2018.