
State of Cybersecurity 2020-21, II
Current trends in prevention

By Felipe Ruiz | November 20, 2020 | Category: Opinions
In the previous part, we focused our attention mainly on some current trends among cybercriminals. Now we intend to make room for the preventive and defensive sectors in cybersecurity, estimating some important tendencies in 2020. These trends are related, in different degrees, to the approaches, methodologies, and activities that we carry out at Fluid Attacks, a red team focused on detecting vulnerabilities in IT systems. That’s why we’ll also speak here from our experience.
Cybersecurity as a necessity and responsibility
Cybersecurity has gained particular relevance as a necessity. This is partly due to the sudden changes in structure and ways of working that many companies and organizations around the world experienced not long ago. Of course, it is also related to the growing activity of IT criminals. However, many businesses and public entities have not adequately addressed this need, and some of them have been victims of cyberattacks, often of disastrous scale. That’s why many of them are advised to rethink their cybersecurity strategies. For some, it’s even advisable to reevaluate their attitude towards cybersecurity and their knowledge of the subject.
That’s something that applies in the case of cybersecurity compliance requirements. Some firms are ignoring the purpose of those requirements. Many of them focus only on avoiding sanctions under some standard while leaving aside the incorporation of solid cybersecurity plans. At Fluid Attacks, we maintain a set of requirements that is under continuous construction and evaluation. It gathers information from more than ten international standards. The companies that work with us find it useful for going beyond mere security compliance.
Technology advances yet best practices remain
It’s no secret to anyone: malicious hackers have kept up with technological and methodological advances. The same applies to the prevention and defense sectors. However, as Schwartz puts it, "security experts say the basic best practices that an organization should pursue to protect itself largely remain constant." It’s now typical for us to hear, and at the same time recommend, for instance, the careful management of passwords, multi-factor authentication, and the proper administration of privileges (limiting access). We also advise the constant updating of components and dependencies (including software employed as defense, e.g., secure email gateways, antiviruses, firewalls) and the continued application of the latest patches for known vulnerabilities.
As a curious fact, it is said that currently only 1% of the attack vectors used by cybercriminals correspond to methods that are new to cybersecurity professionals. In other words, we have plenty of knowledge to identify and repair almost all the existing vulnerabilities that criminals take advantage of. Conflict arises when the necessary tools and trained personnel are not available, or through simple carelessness.
Talent in cybersecurity is still lacking
At this point, it is worth remembering what Arango shared with us in April this year regarding current trends in cybersecurity. Today, something has become a common denominator for many firms with cybersecurity issues: the shortage of skilled and prepared talent. Arango referred to Cybersecurity Ventures, which estimated that more than 3 million cybersecurity jobs would be unfilled this year. An alarming number indeed! He commented that, at this time, some people believe academia is not able to keep up with the industry’s pace in cybersecurity matters. Some even consider that automated tools can take over the operations usually assigned to security professionals in order to counter this shortage. Nevertheless, this can also represent a crisis.
Automation is not a substitute for IT professionals
Process automation is undoubtedly something that almost all humans benefit from in a variety of environments. In the field of information technology, the amounts of data to be controlled are growing every day. Moreover, in different industries, fast and efficient solutions to an assortment of problems are often requested. It’s in such cases that automation has taken some prominence. In cybersecurity, specifically, as Kaushik tells us, automation is useful for identifying, investigating, triaging, prioritizing, and remediating vulnerabilities and threats.
Still, the trouble lies in assuming that the work of machines, at least in these times, can replace all human activity in a field like this. On countless occasions, Fluid Attacks has reported on the high rates of false positives (lies) and false negatives (omissions) that can appear in cybersecurity assessments performed by automated tools. Apart from the fact that someone is typically needed to keep an eye on these tools' operations, their constant errors and limitations mean that complementary human work is still required. Moreover, judging by the results of these automatic processes (sometimes instruments identify just 2.5 of 10 vulnerabilities present in a system), the tools should be seen only as a supplement to human work.
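As an added illustration (not the original post's or Fluid Attacks' code), the script below reconciles a constructed automated-scanner report with the set of findings that analysts verified, and computes the false-positive ("lies") and false-negative ("omissions") counts discussed above; the sample data is built so that the tool reaches the 2.5-of-10 recall mentioned. The `Finding` schema and file paths are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    """One reported weakness, keyed by location and type (constructed schema)."""
    path: str
    line: int
    weakness: str


def reconcile(tool: Iterable[Finding], verified: Iterable[Finding]) -> Dict[str, object]:
    """Compare tool output with the analyst-verified set and score it."""
    tool_set, true_set = set(tool), set(verified)
    tp = tool_set & true_set  # the tool was right
    fp = tool_set - true_set  # "lies": reported but not real
    fn = true_set - tool_set  # "omissions": real but missed by the tool
    precision = len(tp) / len(tool_set) if tool_set else 0.0
    recall = len(tp) / len(true_set) if true_set else 0.0
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn),
        "precision": precision, "recall": recall,
        "missed": sorted(f.path for f in fn),  # what humans still have to cover
    }


def _vuln(i: int) -> Finding:
    return Finding(f"src/handler{i}.py", 10 * i, "sql-injection")


# Constructed sample data: 20 verified vulnerabilities; the tool reports 8,
# of which 5 are real and 3 are noise in files that were never vulnerable.
VERIFIED: List[Finding] = [_vuln(i) for i in range(1, 21)]
TOOL_REPORT: List[Finding] = [_vuln(i) for i in (2, 4, 6, 8, 10)] + [
    Finding("src/util.py", 7, "xss"),
    Finding("src/config.py", 3, "hardcoded-secret"),
    Finding("src/views.py", 99, "sql-injection"),
]


def scan_quality() -> Dict[str, object]:
    """Score the constructed tool report; recall comes out at 5/20 = 0.25."""
    return reconcile(TOOL_REPORT, VERIFIED)


if __name__ == "__main__":
    result = scan_quality()
    print(f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
    print("analysts must still cover:", len(result["missed"]), "files")
```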
ML and AI represent benefits
Cybercriminals have indeed taken advantage of advances in Machine Learning (ML) and Artificial Intelligence (AI), as we mentioned in the first part. But it is also true that cybersecurity companies have leveraged these same advances and developed new strategies to respond to threats. This has been a tendency in recent years, and new tools have emerged from these technological approaches. We have experienced this at Fluid Attacks, e.g., with Sorts.
Sorts is a recent command-line interface that we use to extract metrics from the code repository. A previously trained neural network-based ML model evaluates these metrics and returns the probabilities of finding vulnerabilities in specific files. As Oscar Prado remarked one year ago, tools like this "can help our analysts to decide where to look first, what portions of code may have vulnerabilities and require further attention, or which inputs may not have been properly sanitized."
The human-tool combination becomes ideal
Additionally, Oscar emphasized the point of view that we continue to hold: "We see machine learning emerging technologies more as tools rather than the holy grail of cybersecurity that will replace human hackers." At Fluid Attacks, we preserve the idea of combining humans and tools. The latter provide high-speed but low-accuracy reports. The former take longer but, using their astuteness and creativity, are more accurate and reach deeper and more complex issues.
The activity of our tools, searching for superficial vulnerabilities that are already known, facilitates and speeds up the work of our ethical hackers, work that remains indispensable (using techniques such as pentesting) for comprehensive evaluations of our clients' IT systems. Organizations should no longer fall into the trap of relying only on automated systems that generally check just the attack perimeter and deliver weak and limited reports.
Cybersecurity implemented from the beginning
Ideally, today we include security in the DevOps methodology, and we should do it from the beginning! And, of course, always with the intention that all people involved in business projects understand it and apply it. Firms that build and manage software should indeed keep at least one Security Champion on their staff. From there, they could start training other potential talents to strengthen their means of prevention and defense (even if they are not the ones in charge of looking for vulnerabilities). Besides, many organizations should also start educating their other employees about behaviors that can pose cybersecurity risks. As we once said, it is imperative that everyone working for an organization be responsible for cybersecurity within this new culture of DevSecOps.
See you in the third part of this series of posts!