Billions of dollars are spent every year on cyber security products, and yet those products continually fail to protect businesses. Thousands of reports analyze breaches and provide reams of data on what happened, but still the picture worsens. A new study takes a different approach: instead of trying to prevent hacking based on what hacking has achieved, it asks real hackers how they do it.
The hackers in question are the legal pentesters who attended last summer's DEFCON conference. Seventy were asked what they do, how they do it, and why they do it, and the responses are sobering. The resulting report, The Black Report by Nuix, is a fascinating read. It includes sections on the psycho-social origins of cybercrime and a view from law enforcement, but nothing is as valuable as the views of the hackers themselves. Those views directly threaten many of the sacred cows of cyber security, and they are worth considering. Sacred cow #1 is the line between pentester and criminal. In the words of one respondent: "The only difference between me and a terrorist is a piece of paper [a statement of work] making what I do legal. The attacks, the tools, the methodology; it's all the same."
Sacred cow #2 could affect the cyber security skills gap. A recent ISACA survey shows that 70% of employers require a security certification before employing new staff. The people they are defending against, however, place little value on those certifications. "Over 75% did not believe technical certifications were an accurate indicator of ability," notes the report. While 4% of the pentesters hoard certifications like bitcoins, holding more than 10, 66% have three or fewer. Clearly, demonstrable ability matters more than paper qualifications; aptitude testing rather than certificate counting might just close that skills gap.
Sacred cow #3 is that anti-virus plus a firewall equates to security. Only 10% of the pentesters admitted to being troubled by firewalls, and a mere 2% by anti-virus. Modern endpoint security is a different matter: it is the control most often named as an effective countermeasure, by 36% of respondents, which makes it the biggest obstacle hackers reported facing.
The same result shows that sacred cow #4, defense in depth, survives scrutiny. "For security decision-makers," says the report, "this result clearly demonstrates the importance of defense in depth rather than relying on any single control. Any individual security control can be defeated by an attacker with enough time and motivation. However, when an organization uses a combination of controls along with security training, education, and processes, the failure of any single control does not automatically lead to data compromise."
It is worth adding, however, that nearly a quarter of the hackers boasted "that no security countermeasures could stop them and that a full compromise was only a matter of time."
When asked what companies should buy to improve their security posture, 37% suggested intrusion detection/prevention systems; only 6% suggested perimeter defenses. When asked the opposite question (that is, the least effective spend), data hygiene/information governance, at 42%, was seen as less effective than perimeter defenses, at 21%. Penetration testing appears on both lists: it is the second most effective spend, at 25%, and is simultaneously named the least effective by 4%.
One of the biggest surprises of the survey is that while companies may go to the expense of a penetration test, they will not necessarily act upon the results. "Only 10% of respondents indicated that they saw full remediation of all identified vulnerabilities, and subsequent retesting," notes the report. Indeed, 5% of the respondents saw no remediation whatsoever from their clients; those clients were just checking boxes. Seventy-five percent indicated that there was some remediation, but it was usually limited to high and critical vulnerabilities.
“While ‘fix the biggest problems’ appears to be a logical approach to remediation, it misrepresents the true nature of vulnerabilities and provides a false sense of security for decision makers,” warns the report. “If you only address specific vulnerabilities that you have chosen arbitrarily and devoid of context, it’s the cybersecurity equivalent of taking an aspirin for a brain tumor; you are addressing a symptom as opposed to the root cause.”
Of course, this failure to fully remediate may be a side-effect of compliance. Elsewhere in the survey, 30% of the pentesters felt they were employed for compliance purposes only: "We have to deal with security for compliance reasons, nothing more." This resonates with the suggestion that the companies that did zero remediation were just ticking boxes, and it is the hidden danger within the growing number of compliance requirements that mandate penetration testing: the test gets bought, the findings do not get fixed.
The real value of this survey is that it can make security decision makers question what security vendors tell them. The purpose of security software is first and foremost to be sold, and only then to do what it says on the box. By looking at how professional hackers actually work, security teams are in a better position to plug the gaps effectively rather than simply buying the latest technicolor product.