Are we drowning in a sea of negative security press?

It would seem from news accounts that the increase in the number of new vulnerabilities and security issues in devices, software and systems is escalating out of control. Consider the significant vulnerabilities and security issues reported in just the past two weeks: 

• DDoS attach on Dyn, impacting Twitter, Amazon and much of the internet
• Dirty COW, privilege escalation vulnerability impacting almost all UNIX kernels
• Flash vulnerability allowing attackers to gain system control 

Some weeks ago, Steve Gibson, speaking on the Security Now program, mentioned a “sublime” vulnerability he called Flip Feng Shui, a somewhat obscure exploit of a known weakness in DRAM memory, and not one that most people, probably Gibson included, would worry much about. This week, the same vulnerability has been discovered in a variety of Android devices, and is apparently being exploited.

It is undeniable that the time from the discovery of a security weakness to its exploitation by bad actors is getting shorter. As such, the problem is a real one. 

In the past, vulnerabilities and security issues were reported mostly in trade publications, known primarily to information security professionals. Today, such news is covered by all of the major consumer news sources. 

The volume of new vulnerabilities, exploits and exposures seems to be increasingly impacting those inside and outside of the security world. For the consumer and nontechnical business person, the overwhelming volume of bad security news is causing “security fatigue,” as identified by the National Institute of Standards and Technology (NIST) in a recent study. The study shows that people become so overwhelmed with news about vulnerabilities and security issues, they in many cases surrender and accept a less secure existence. 

For those of us in the information security industry, the effect is somewhat different. We tend to wake up in the morning feeling like we are fighting a losing battle. We tend to be busy remediating a vulnerability discovered weeks ago, even as five new ones are reported. I fear that the present shortage of security employees is going to get worse, not just because of growth in demand, but increasingly due to the loss of people who just can’t handle another day of a losing battle. 

While the situation is bad, I think the recent interest by the “mainstream” media in all things security has blown it a bit out of proportion. The fact that we in the industry must read various trade sources daily to keep abreast of the latest issues and then go home to get blasted by consumer media on the same topic, has many of us down. 

There is probably not one set of rules and practices for staying sane, encouraged and secure in this time of unprecedented security upheaval. I can share with you, however, what works for me: 

Keep calm and carry on. I recognize at this point that the popular media loves reporting about breaches and vulnerabilities. Once the political news dies down, it will likely get worse. I don’t let all of this news discourage me. Rather, I use it to strengthen my resolve. 

Be convinced that we will win. I get up every morning with renewed determination that we will ultimately win this battle. It may seem like a lost cause many days, but I truly believe that we can ultimately achieve safe and secure computing environments. Perhaps history will show that I am wrong on this point, but if I give in to that feeling, I have no incentive to keep going. 

Sort out the important news. Author Stephen Covey, in his well-known book “The 7 Habits of Highly Effective People,” refers to a category of items he calls “urgent but not important,” often noted as “time-sensitive distractions.” I would suggest that much of the security “crises” mentioned by the media belong in this category. I have learned to automatically filter security news as I hear it. 

Seek reliable sources of information. I find it important to have sources of information I can turn to quickly to understand what is truly urgent in the security world. When I get wind of a major security issue, i check those sources first to get an idea about what is really going on. 

Track the important stuff. Trying to keep a list of critical issues and vulnerabilities in my head has become impossible, and attempting to do so just increases my stress level. Instead, I always use some form of tracking system for the concerns I feel need to be addressed. I no longer have the stress of trying to remember and prioritize them, and I always have a record of the items in need of attention. 

Bottom line: If we succumb to the overwhelming number of negative stories, vulnerability reports and bad news, we will lose the cybersecurity battle before we even begin to fight. I urge you to renew your resolve to win, and hit the ground running tomorrow morning.