Don’t let the security hype get you down

Nov 27, 2017
Cybercrime, Data and Information Security, Data Breach

How to maintain optimism and objectivity in information security.


On a quiet Thanksgiving day, I decided to catch up on my writing. I was out in the woods, where I do my best thinking, looking for something in the information security/risk management world to be thankful for. Given what we have faced this year in the industry, from international incidents like WannaCry to the loss of most of our personal data at the hands of Equifax, this was an uphill battle.

While hiking, I was listening to Down the Security Rabbit Hole, one of my favorite information security podcasts. Now, an information security podcast is not normally a source of optimism, but on this day I found a small but quite welcome ray of hope.

The guest, Robert M. Lee, an expert in the Industrial Internet of Things (IIoT), a subject even less likely to generate encouragement, was discussing concerns about the security of the power grid. In the process, he used the term “defender bias” to describe the tendency of those of us in the business of defending against security attacks to assume we have lost the battle before it has even begun. That was just the perspective I needed to see light at the end of the tunnel.

In fact, we in the industry are bombarded daily with news about the latest vulnerability, hack, or data breach. Of late, this bad news has gotten the attention of the mainstream media, who are now eagerly reporting every new security incident. With all this bad news, it would be easy for us to show up at work, do the minimum needed to keep the auditors happy, and watch funny cat videos for the rest of the day.

If we take the time to take an objective look at the bad news, it often does not look nearly as bad as it did at first. As an example, take the power grid vulnerabilities discussed on the podcast. A recent article in Wired described a group, known as Dragonfly 2.0, that had reportedly gained access to the networks of over 20 electric utilities. The article even used some rather hyperbolic language, quoting Eric Chien, a Symantec security analyst, as saying “We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”

After letting us spend the next month contemplating life without power, Wired let us off the hook with another article, titled How Power Grid Hacks Work, and When You Should Panic. In it, the author describes the three steps that would be required to successfully impact the US power grid. The author concedes that the language used to describe grid hacks is often hyperbolic: “What’s publicly referred to as a ‘breach’ of an energy utility could range from something barely more sophisticated than a typical malware infection to a nation-state-funded moonshot months or years in the making.”

Another recent example of a hyped vulnerability came as a result of Intel’s latest fail, a vulnerability resulting from an exposed debugging interface that could allow an attacker to take control of a system virtually undetected. If you drill into the reports, however, it can only be exploited by inserting a specially crafted USB drive into a system. In fact, there is no evidence that any such USB drive has been created. Further, the attacker would need physical access to the system to insert it. I would point out that, if an attacker has physical access to a system, there are many ways they could compromise it even without this vulnerability. This is yet another example of an exposure that sounds serious when first discussed but, given the complex requirements, may never be exploited.

Many such vulnerability announcements come from security researchers, who spend all of their time trying to find and report previously undiscovered technology issues. While these researchers play an important role in improving the quality of our security controls, many of their discoveries are strictly theoretical and may never make the news again.

Adding to the over-hyping of vulnerabilities and attacks are the security product vendors, who are quick to email every prospect they know about how their product would have helped prevent the latest crisis in the news. While possibly well-intentioned, this barrage of emails tends to inflate the challenges we face.

If we in the industry are to do our jobs of keeping our businesses and organizations safe from attack, it is imperative that we see the information security war as winnable. Since we can count on the mainstream media and trade press to continue their aggressive reporting on hacks, breaches, and vulnerabilities, we must learn to see past the inflated headlines to the details and understand what the real danger is.

In some cases, the risk is real, and we need to act with appropriate haste. The WannaCry ransomware worm is a good example of such an instance. As one healthcare industry consultant correctly said to me early in the crisis, “be prepared to lose anything you don’t patch.”

In other cases, like the power company hacks or the Intel vulnerability described above, the exposure is real but the actual danger is low.

Bottom line – We can’t let hype about the latest concern disrupt our focus on our day-to-day responsibility to protect our organizations from risk. Most businesses and organizations are far more likely to succumb to stolen credentials resulting from a phishing attack than to the new vulnerability that made headlines yesterday. Don’t take your eyes off the ball.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
