Humans are funny creatures who don’t always react in their own best interests, even when faced with good, contrarian data they agree with. For example, most people are far more afraid of flying than of the car ride to the airport, even though the car ride is tens of thousands of times riskier. More people are afraid of getting bitten by a shark at the beach than by their own dog at home, even though being bitten by their dog is hundreds of thousands of times more likely. We just aren’t all that good at reacting appropriately to risks even when we know and believe in the relative likelihood of one versus the other happening.
The same applies to IT security.
Computer defenders often spend time, money, and other resources on computer defenses that don’t stop the biggest threats to their environment. For example, when faced with the fact that a single unpatched program needed to be updated to stop most successful threats, most companies do everything other than patch that program. Or if faced with the fact that many successful threats occurred because of social engineering that better end-user training could have stopped, the companies instead spent millions on everything but better training.
I could give you dozens of other examples, but the fact that most companies can easily be hacked into at will is testament enough to the crisis. Companies simply aren’t doing the simple things they should be doing, even when confronted with the data.
The problem bothered me enough that I wrote a whitepaper, slide deck, and book on the subject. Without having to read all of that, the answer for why so many defenders don’t let the data dictate their defenses is mostly about a lack of focus. A lot of priorities compete for computer defenders' attention, so much so that the things they could be doing to significantly improve their defense aren’t being done, even when cheaper, faster, and easier to do.
What is causing this lack of focus in putting the right defenses in the right places in the right amounts against the right threats? A bunch of things, including these:
1. The sheer number of security threats is overwhelming
There are 5,000 to 7,000 brand new threats a year, or about 15 a day. That’s 15 brand new problems on top of yesterday’s 15 brand new problems, day after day after day. It’s been this way for decades, for as long as the statistic has been tracked. Computer defenders could be likened to 911 call center dispatchers who are getting more emergency calls each day than any single ambulance crew can adequately respond to, and so they have to triage and prioritize.
2. Threat hype can distract from more serious threats
It doesn’t help that some computer defense vendors are doing their best to make every rescue call a heart attack victim. Today’s announced threats and vulnerabilities often come with as much focus on the hype and intent to spread fear as the actual threat. They come with scary-sounding names and even media-ready, free-licensed cartoon figures.
I don’t put all the blame on computer defense vendors. It’s their job to sell their software or service, and it’s easier to sell batteries during a hurricane. It’s up to the consumer to decide what is and isn’t deserving of their attention, and it’s exceedingly hard to do when you’ve got 15 new threats a day coming in.
Even when the threat and risk are huge, the overhyping of every threat makes it hard to pay attention to the right ones. For example, Meltdown and Spectre are among the biggest threats we’ve faced as a computerized society. They impact nearly every popular microprocessor, allow attackers to invisibly exploit computers, often require multiple software and firmware patches for protection, and when solved may significantly slow down your computer. In many instances, the only good solution is to buy a new computer. Meltdown and Spectre are, rightly, big deals! In my opinion you can’t hype them enough.
Yet, outside of computer security circles and a few mainstream media articles for a day or two, the world’s collective reaction is a global “meh.” Normally when something big happens in computer security, my friends and family ask me what they should do. With Meltdown and Spectre, I didn’t get a single inquiry. To warn my social circle, I sent out helpful information. Usually I get a few questions back. Nothing this time. Not a single post in my social circle of hundreds of people. It’s like a hungry great white shark has been spotted at the beach and no one is trying to get out of the water.
Because Meltdown and Spectre often require firmware patches, which almost no consumer has done or will do, you can bet we will have hundreds of millions of vulnerable machines for many years to come. Why? Hype fatigue. Every threat is so over-hyped that when a real, global threat comes out that everyone needs to pay attention to, they just shrug their shoulders and assume their OS or device vendor will patch it in due time. Frankly, I’m scared about the weaponization opportunities these two new threats offer. They are probably going to cause more microprocessor bugs to be found and exploited.
3. Bad threat intelligence skews focus
Part of the reason is that most companies’ own threat intelligence does a poor job of telling their company which threats they need to be worried about. Threat intelligence (TI) should be looking at the thousands of threats and telling their employers which ones are most likely to be used against them. Instead, they usually act as megaphones replaying the global hype.
Want to see how ineffective most threat intelligence departments are? Ask them what the number one way their company gets broken into is, and which way causes the most damage. Is it malware, social engineering, password attacks, misconfiguration, intentional attacks, lack of encryption, etc.? I’ve never met the TI team that could tell me that with a straight face, with data to back up the conclusion. How can a company most efficiently fight the right threats if it can’t even determine the biggest threats?
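The question above has a data-driven answer only if incident records are aggregated by root cause. The following is an added example, not from the original column: it takes a constructed incident log (the root-cause names and dollar figures are made up) and ranks root causes both by how often they let attackers in and by total damage, since the two rankings need not agree.

```python
from collections import defaultdict

# Constructed incident log (not real data): one record per confirmed breach,
# with the root cause that let the attacker in and the estimated damage.
INCIDENTS = [
    {"id": "INC-01", "root_cause": "social_engineering", "damage_usd": 40_000},
    {"id": "INC-02", "root_cause": "unpatched_software", "damage_usd": 900_000},
    {"id": "INC-03", "root_cause": "social_engineering", "damage_usd": 25_000},
    {"id": "INC-04", "root_cause": "password_attack", "damage_usd": 10_000},
    {"id": "INC-05", "root_cause": "social_engineering", "damage_usd": 60_000},
    {"id": "INC-06", "root_cause": "misconfiguration", "damage_usd": 15_000},
    {"id": "INC-07", "root_cause": "unpatched_software", "damage_usd": 300_000},
]


def summarize_root_causes(incidents):
    """Aggregate incidents by root cause: how many times each one was the
    way in, and how much damage those incidents caused in total."""
    stats = defaultdict(lambda: {"count": 0, "damage_usd": 0})
    for inc in incidents:
        entry = stats[inc["root_cause"]]
        entry["count"] += 1
        entry["damage_usd"] += inc["damage_usd"]
    return dict(stats)


def top_root_cause(incidents, by="count"):
    """The answer a TI team should be able to give with a straight face:
    the root cause ranked first by frequency ('count') or by total damage
    ('damage_usd')."""
    stats = summarize_root_causes(incidents)
    return max(stats, key=lambda cause: stats[cause][by])


def focus_report(incidents):
    """Both rankings side by side. When they disagree, both causes belong at
    the top of the defensive to-do list, not whichever vendor shouted loudest."""
    most_frequent = top_root_cause(incidents, "count")
    most_costly = top_root_cause(incidents, "damage_usd")
    return {
        "most_frequent": most_frequent,
        "most_costly": most_costly,
        "agree": most_frequent == most_costly,
    }


if __name__ == "__main__":
    print(focus_report(INCIDENTS))
```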
4. Compliance concerns don't always align with security best practices
If you want to get something done quickly in computer security, claim it’s needed for regulatory compliance. Nothing opens the purse strings quicker. Senior management is required to pay attention to compliance concerns. In many cases, they can be held personally liable for actively ignoring a compliance deficiency. It begs for their attention.
Unfortunately, compliance and security don’t always agree. For example, today’s best password recommendations, announced over a year ago, go against pretty much every legal and regulatory requirement concerning passwords. It turns out that much of what we thought was true about password security, like requiring complexity, wasn’t the best advice, or the threats changed over time. The creators and maintainers of most legal and regulatory recommendations don’t seem to be paying attention, even though following the old password advice often makes a company more likely to be exploited.
One of my personal pet peeves on this subject is how many websites won’t let me create a password longer than 16 characters (which would be very strong regardless of its complexity), but force me to use “special” symbols that they think in theory will make hackers' lives more difficult, when the data and research show this is clearly not the case in practice.
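To make the 16-character complaint concrete, here is an added example (not from the column, and the page names no specific standard): a policy of the kind the author objects to (hard 16-character cap, mandatory symbols) beside a length-first policy with no composition rules and a breached-password check, plus a crude brute-force search-space estimate that shows why the cap hurts more than the symbol rule helps. The breach list is a constructed stand-in for a real corpus.

```python
import math
import string

SYMBOLS = set(string.punctuation)  # the 32 printable ASCII "special" symbols

# Constructed stand-in for a breached-password corpus (lower-cased for lookup).
BREACHED = {"password1", "p@ssw0rd1!", "qwerty123!"}


def legacy_policy(pw):
    """Policy the author complains about: a hard 16-character cap and a
    mandatory symbol. Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 16:
        return False, "longer than 16 characters"
    if not any(c in SYMBOLS for c in pw):
        return False, "no special symbol"
    return True, "ok"


def length_first_policy(pw, breached=BREACHED):
    """Length-first policy: long passphrases allowed, no composition rules,
    but anything found in the breach corpus is refused."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 64:
        return False, "longer than 64 characters"
    if pw.lower() in breached:
        return False, "appears in breach corpus"
    return True, "ok"


def brute_force_bits(pw):
    """Crude upper bound on the brute-force search space, log2(charset^len),
    using only the character classes present (spaces are not counted, which
    keeps the bound conservative). It ignores dictionary structure, so it is
    for comparing the two policies, not for rating a real password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return len(pw) * math.log2(size) if size else 0.0
```

A 33-character lowercase passphrase is refused by the legacy policy for being too long, while a breached 10-character "complex" password passes it, even though the passphrase's search space is roughly twice as many bits.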
5. Too many projects spread resources thin
Every company I’ve consulted with has had dozens of ongoing projects, each designed to secure the company’s computers and devices. In every case, one or two of those projects, if finished to completion, would provide most of the security benefits the company needs to significantly minimize security risk. Splitting dozens of projects among a finite set of limited resources, however, guarantees that most projects will be delayed and inefficiently implemented even if run to completion. The IT security world is full of expensive software sitting on the shelf and promised projects with no one to properly oversee their continued operations.
6. Pet projects usually aren't the most important ones
Worse yet, most companies have one or two pet projects being pushed by a senior executive as their flavor of the month. They read a book, heard a story on the radio, or went golfing with a friend who told them what they needed to do to fix their company. So, without consulting their own company’s data to see what the biggest threats are, they pull the best and the brightest team members from other projects to get theirs done first, if they can get a project done before becoming excited and enamored with their next pet project.
I could give more examples of why computer defenders aren’t focusing on the right things, but it starts with an avalanche of daily threats and is worsened by many other factors along the project chain. The first step in fixing a problem is admitting you have a problem. If you see your company’s ineffective computer defenses represented above, now is the time to help everyone on your team understand the problem and help them to get better focus.