Don’t let the security hype get you down

On a quiet Thanksgiving day, I decided to catch up on my writing.  I was out in the woods, where I do my best thinking, looking for something in the information security/risk management world to be thankful for.  Given what we have faced this year in the industry, from International incidents like WannaCry, to the loss of most of our personal data at the hands of Equifax, this was an uphill battle.

While hiking, I was listening to Down the Security Rabbit Hole, one of my favorite information security podcasts.  Now, an information security podcasts is not normally a source for optimism, but on this day, I found a ray of hope, albeit small, but quite welcome.

The guest, Robert M. Lee, an expert in Industrial Internet of Things (IIoT), a subject even less likely to generate encouragement, was discussing concerns about the security of the power grid.  In the process, he used the term “defender bias” to describe the tendency of those of us in the business of defending against security attacks to assume we have lost the battle even before it began.  That was just the perspective I needed to see light at the end of the tunnel.

In fact, we in the industry are bombarded daily with news about the latest vulnerability, hack, or data breach.  Of late, this bad news has gotten the attention of the mainstream media, who are now eagerly reporting the latest bad security news.  With all this bad news, it would be easy for us to show up at work, do the minimum we need to make the auditors happy, and watch funny cat videos for the rest of the day.

If we take the time to do an objective look at the bad news, it often does not look nearly as bad as it originally did.  As an example, take the power grid vulnerabilities discussed on the podcast.  A recent article in Wired described a group, known as Dragonfly 2.0, that had reportedly gained access to the networks of over 20 electric utilities.  The article even used some rather hyperbolic language, quoting Eric Chien, a Symantec security analyst, as saying “We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”

After letting us spend the next month contemplating life without power, Wired let us off the hook with another article, titled How Power Grid Hacks Work, and When You Should Panic.  In it, the author describes the three steps that would be required to successfully impact the US power grid.  The author confesses that the language used to describe grid hacks, is often hyperbolic, “What’s publicly referred to as a “breach” of an energy utility could range from something barely more sophisticated than a typical malware infection to a nation-state-funded moonshot months or years in the making.”

Another recent example of a hyped vulnerability came as a result of Intel’s latest fail, a vulnerability resulting from them exposing a debugging interface which could allow an attacker to take control of a system virtually undetected.  If you drill into the reports, however, it can only be exploited by inserting a specially-crafted USB drive into a system.  In fact, there is no evidence that any such USB has been created.  Further, it would require the attacker to have physical access to a system to insert such a USB.  I would point out that, if an attacker has physical access to a system, there are many ways they could exploit it, even without this vulnerability.  This is yet another example of an exposure that sounds serious when first discussed, but, given the complex requirements, may never be exploited.

Many such vulnerability announcements come at the hands of security researchers, who spend all of their time trying to find and report on undiscovered technology issues.  While these researchers play an important role in improving the quality of our security controls, many of their discoveries are strictly theoretical, and may never again make the news.

Adding to the problem of over-hype of vulnerabilities and attacks are the security product vendors, who are quick to email every prospect they know about how their product would have helped prevent the latest crisis making the news.  While possibly well-intentioned, this barrage of emails tends to inflate the challenges we face.

If we in the industry are to successfully do our jobs keeping our businesses and organizations safe from attack, it is imperative that we see the information security war as winnable.  Since we can count on the mainstream media and trade press to continue aggressive reporting on hacks, breaches, and vulnerabilities, we must learn how to see past the inflated headlines to the details, and understand what the reality of the danger is.

In some cases, the risk is real, and we need to act with appropriate haste.  The Wannacry ransomware work is a good example of such an instance.  As one healthcare industry consultant correctly said to me early in the crisis, “be prepared to lose anything you don’t patch.”

In other cases, like the power company hacks or Intel vulnerability described above, while the exposure is real, the actual danger is low.

Bottom line – We can’t let hype about the latest concern disrupt our focus on our day-to-day responsibilities to protect our organizations from risk.  In most cases most businesses and organizations are far more likely to succumb to stolen credentials resulting from a phishing attack, than to the new vulnerability that made headlines yesterday.  Don’t take your eyes off the ball.