Billions of dollars are spent every year on cyber security products, and yet those products continually fail to protect businesses. Thousands of reports analyze breaches and provide reams of data on what happened, but still the picture worsens. A new study takes a different approach: instead of trying to prevent hacking based on what hacking has achieved, it asks real hackers how they do it.
The hackers in question are the legal pentesters who attended last summer's DEF CON conference. Seventy were asked what they do, how they do it, and why they do it -- and the responses are sobering. The resulting report, The Black Report by Nuix, is a fascinating read. It includes sections on the psycho-social origins of cybercrime and a view from law enforcement, but nothing is as valuable as the views from the hackers themselves. These views directly threaten many of the sacred cows of cyber security, and they are worth considering: "The only difference between me and a terrorist is a piece of paper [a statement of work] making what I do legal. The attacks, the tools, the methodology; it's all the same."
What they do is surprisingly easy and frighteningly successful. Take sacred cow #1: the average organization takes 250-300 days to detect a breach, and the earlier a breach is detected, the less damage is done. Both halves are true, but the window is far shorter than the first figure suggests. Eighty-eight percent of the pentesters claim that it takes less than 12 hours to compromise a target, and 80% say it then takes less than another 12 hours to find and steal the data. Even though they are employed by the target, and therefore expected, a third claim their presence is not detected by the security teams they attack. "Data breaches take an average of 250-300 days to detect -- if they're detected at all -- but most attackers tell us they can break in and steal the target data within 24 hours," said Chris Pogue, Nuix CISO and a co-author of the Nuix Black Report. "Organizations need to get much better at detecting and remediating breaches using a combination of people and technology."
Sacred cow #2 bears on the cyber security skills gap. A recent ISACA survey shows that 70% of employers require a security certification before hiring new staff. The people those staff are defending against, however, place little value on certifications. "Over 75% did not believe technical certifications were an accurate indicator of ability," notes the report. While 4% of the pentesters hoard certifications like bitcoins, holding more than 10, 66% have three or fewer. Demonstrable ability clearly matters more than paper qualifications; aptitude testing rather than certificate counting might just close that skills gap.
Sacred cow #3 is that anti-virus plus a firewall equals security. Only 10% of the pentesters admitted to being troubled by firewalls, and a mere 2% by anti-virus. Modern endpoint security, by contrast, is the biggest problem for hackers (that is, the best defense against them), with 36% naming it an effective countermeasure.
The same result shows that sacred cow #4, defense in depth, deserves its status. "For security decision-makers," says the report, "this result clearly demonstrates the importance of defense in depth rather than relying on any single control. Any individual security control can be defeated by an attacker with enough time and motivation. However, when an organization uses a combination of controls along with security training, education, and processes, the failure of any single control does not automatically lead to data compromise."
It's worth adding, however, that nearly a quarter of the hackers boasted "that no security countermeasures could stop them and that a full compromise was only a matter of time."
When asked what companies should buy to improve their security posture, 37% suggested intrusion detection/prevention systems; only 6% suggested perimeter defenses. When asked the opposite question (that is, which spend is least effective), 42% named data hygiene/information governance, making it a worse spend in their eyes than perimeter defenses at 21%. Somewhat anomalously, penetration testing is seen as the second most effective spend at 25% and simultaneously the least effective at 4%.
One of the biggest surprises of the survey is that while companies may go to the expense of a penetration test, they will not necessarily act upon the results. "Only 10% of respondents indicated that they saw full remediation of all identified vulnerabilities, and subsequent retesting," notes the report. Indeed, 5% of the respondents saw no remediation whatsoever from their clients -- those clients were just checking boxes. Seventy-five percent indicated that there was some remediation, but usually focused only on high and critical vulnerabilities.
"While 'fix the biggest problems' appears to be a logical approach to remediation, it misrepresents the true nature of vulnerabilities and provides a false sense of security for decision makers," warns the report. "If you only address specific vulnerabilities that you have chosen arbitrarily and devoid of context, it's the cybersecurity equivalent of taking an aspirin for a brain tumor; you are addressing a symptom as opposed to the root cause."
This failure to fully remediate may well be a side-effect of compliance. Elsewhere in the survey, 30% of the pentesters felt they were employed for compliance purposes only: "We have to deal with security for compliance reasons, nothing more." This resonates with the observation that the companies that did zero remediation were just ticking boxes, and it is the hidden danger within the growing number of compliance regimes that mandate penetration testing: the test gets bought, but the findings never get fixed.
The real value of this survey is that it can make security decision makers question what security vendors tell them. The purpose of security software is first and foremost to be sold, and only then to do what it says on the box. By looking at how professional hackers actually work, security teams are in a better position to plug the gaps effectively rather than simply buying the latest technicolor product.