Cyber attack hysterics miss the point
The cyber security industry may have a penchant for hyperbole, but just how big a minefield is the internet for businesses big and small? Whether we like it or not, the web is no place for a novice, and April has been a busy month in the information security space.
The latest flash point came in the form of a group of hackers who managed to send Wall Street into a tailspin, albeit briefly, last Wednesday. As it happens, this exploit was quickly superseded by news of the Australian Federal Police managing to nab the alleged kingpin of the hacking collective LulzSec.
The two events provide a fitting footnote to a month that has had its fair share of cyberattacks and threat perception reports.
The spat between Spamhaus and CyberBunker hogged the limelight over Easter, with claims of a denial-of-service attack large enough to slow down the internet. Then came the hysteria around Remote Administration Tools and finally the threat report from US outfit FireEye, which said that organisations were experiencing a malware infection up to once every three minutes, with tech companies copping one every minute.
With danger lurking around every corner, it’s almost enough to make you quit the internet for good.
That’s not to say that the threats aren’t real. Denial-of-service attacks are only getting better and malware is becoming more prevalent and sophisticated. But is the alarmist tone of some vendors and the media actually counterproductive? After all, this is the new normal for us denizens of the net.
Big headlines do generate awareness, but there is also a risk that the whirligig of threat perception reports could become a distraction for organisations as they adopt new technologies.
As the IT Security Manager for Echo Entertainment Group, Hank Opdam does his fair share of dealing with security vendors and his fair share of separating the hype from the reality.
“I hear a lot of scary stories designed to agitate a response from me, but I tend to spend my time looking at the demonstrable losses of an organisation and start to think about what that’s worth,” Opdam says.
New threats emerge over the horizon all the time; there's nothing new there. What's changing is how businesses are adapting to trends like the cloud and mobility, and exposing themselves in the process.
“We need to be more aware of what that means, I think we are looking at the wrong end of the stick, we need to highlight the demonstrable losses emanating from a breach and the risk of security becoming a deterrent to adoption,” Opdam says.
There is always a risk in adopting new technology and, according to Opdam, the biggest risk for businesses is to adopt new technology in a half-hearted way.
Motivations and remedies
When it comes to motivation, the basic imperative hasn't changed. It's all about making money and exploiting the vulnerabilities of an unsuspecting user. Unsurprisingly, the basic remedy to the situation hasn't changed that much either. Sure, the playing field is a little more complicated, but as Verizon's latest Data Breach Investigations Report points out, the single biggest source of breaches still involves weak passwords and stolen credentials. Hang on, haven't the vendors banged the drums ad nauseam about weak passwords? Surely the message would have sunk in by now?
Apparently not, and it does make one wonder whether the vendors have been going about their business in the wrong way.
According to Palo Alto Networks' Matt Keil, there is a lot of hype and discussion, which unfortunately tends to scare people more than it needs to.
“Organisations are aware of the threats and are taking the necessary steps, many of them understand that they might be a higher-value target than their peers,” Keil says.
The security industry has always been a reactive industry, and Keil says that there are ways to improve the diagnostic processes. There are command and control traffic markers that can be utilised to check network vulnerabilities; another mechanism is to analyse .exe and .dll files in a sandbox environment and isolate any potential threats before they start causing havoc on the network.
Security vendor Bitdefender's senior analyst Bogdan Botezatu says that some vendors make the mistake of coasting on their past successes.
“You need to re-evaluate and rethink performances, just because you coined the term anti-virus 15 years ago doesn’t make you the best, unless you are staying on top of the landscape,” Botezatu says.
Botezatu's tongue-in-cheek comments may seem self-serving, but he does have a point. In an evolving battlefield, the threats and defences are in a constant state of flux. Cybersecurity is a multi-faceted problem with no single solution. This again is the new normal of life on the internet.
As we adopt new capabilities, security needs to become an embedded solution rather than a bolt-on afterthought. Building an effective defence relies on understanding the enemy. The emphasis on the adversary is important, but perhaps it's time for security vendors to start rethinking their message. There is a temptation to spruik every new threat and every solution as a game changer. A little perspective can go a long way here and, as Echo Entertainment's Opdam and Palo Alto's Keil point out, organisations are more informed than the vendors would like to imagine.
The trick is to make companies realise that there is no silver bullet. Solutions that protect physical servers are not going to do the job if you are keen to dabble with virtualisation. Different ecosystems bring different challenges and the conversation needs to be about illustrating the subtleties of the cyber landscape, rather than scaremongering.