By Felipe Ruiz | November 20, 2020
In the previous part,
we focused our attention mainly on some current trends of cybercriminals.
Now we intend to make room
for the preventive and defensive sectors of cybersecurity,
outlining some important trends in 2020.
These trends are related, in different degrees,
to the approaches, methodologies, and activities
that we carry out at
Fluid Attacks as a red team
concentrated on detecting vulnerabilities in information systems.
That’s why we will also speak here from our experience.
Given the sudden changes in structure and ways of working that many companies and organizations worldwide have recently experienced, in parallel with the growing activity of IT criminals, cybersecurity has gained particular relevance as a necessity. However, many businesses and public entities have not adequately addressed this need and have fallen victim to cyberattacks, often of disastrous magnitude. That’s why many of them are advised to rethink their cybersecurity strategies. For some, it is also advisable to reevaluate their attitude towards cybersecurity as well as their knowledge of the subject.
That’s something that applies
in the case of cybersecurity compliance requirements.
Some companies are ignoring the function of those requirements.
Many of them focus only on avoiding a sanction or penalty under some standard,
while leaving aside the incorporation of solid cybersecurity strategies.
At Fluid Attacks, we have been building and evaluating
a set of requirements called Rules,
which gathers information from more than ten international standards.
The companies that work with us
find it useful to go beyond mere security compliance.
It is no secret that malicious hackers or attackers have kept up with technological and methodological advances. The same applies to the prevention and defense sectors. However, as Mathew Schwartz puts it, "security experts say the basic best practices that an organization should pursue to protect itself largely remain constant." It is now typical for us to hear, and at the same time to recommend, for instance, the careful management of passwords, multi-factor authentication, and the proper administration of privileges (limiting access). We also advise the constant updating of components and dependencies (including software employed as defense, e.g., secure email gateways, antivirus, firewalls) and the continued application of the latest patches for known vulnerabilities.
As a curious fact, it is said that currently only 1% of the attack vectors used by cybercriminals correspond to methods that are new to cybersecurity professionals. In other words, we already have the knowledge to identify and repair almost all the existing vulnerabilities that criminals take advantage of. Problems arise when the necessary tools and trained personnel are not available, or simply through carelessness.
At this point, it is worth remembering what Julian Arango shared with us in April this year regarding current trends in cybersecurity. Nowadays, one thing has become a common denominator for many companies with cybersecurity issues: the shortage of skilled and prepared talent. Julian referred to Cybersecurity Ventures’ estimate that more than 3 million cybersecurity jobs would be unfilled this year. An alarming number indeed! He commented that, at this time, some people believe academia is not able to keep up with the industry’s pace in cybersecurity matters. Some even consider that automated tools can perform the tasks usually assigned to security professionals in order to counter this shortage. Nevertheless, this can also represent a severe difficulty.
Process automation is undoubtedly something that almost all humans benefit from in a variety of environments. In the field of information technology, the amounts of data to be controlled are growing every day. Moreover, in different industries, fast and efficient solutions to an assortment of problems are often requested. It is in such cases that automation has taken some prominence. In cybersecurity, specifically, as Khushhal Kaushik tells us, automation is useful for identifying, investigating, triaging, prioritizing, and remediating vulnerabilities and threats.
Still, the trouble lies in assuming that machines' work,
at least in these times, can replace all human activity
in a field like cybersecurity.
On countless occasions,
Fluid Attacks has informed
about the high rates of false positives (lies) and false negatives (omissions)
that can appear in cybersecurity assessments performed by automated tools.
Apart from the fact that typically someone is needed
to keep an eye on these tools' operations,
their constant errors and limitations
make complementary human work still required.
Moreover, given the results of these automated processes
(sometimes tools identify just 2.5 of 10 vulnerabilities
present in a system), in cybersecurity the tools should be seen
as a supplement to human work, and not the other way around.
Cybercriminals have indeed taken advantage of advances
in Machine Learning (ML) and Artificial Intelligence (AI),
as we mentioned in the first part.
But it is also true that cybersecurity companies
have leveraged these same advances
and developed new strategies to respond to threats.
This has represented a tendency in the last years.
New tools have emerged within these technological approaches,
and we have experienced this at
Fluid Attacks, for example, with Sorts.
Sorts is a recent command-line interface that we use for extracting metrics from the code repository. A previously trained, neural network-based ML model is used to evaluate these metrics, which then returns the probabilities of finding vulnerabilities in specific files. As Oscar Prado remarked one year ago, tools like this "can help our analysts to decide where to look first, what portions of code may have vulnerabilities and require further attention, or which inputs may not have been properly sanitized."
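To make the pipeline described above concrete, here is an added example that is not Fluid Attacks' Sorts code: it parses constructed `git log --numstat` output into per-file metrics (commits, distinct authors, churn) and ranks files for manual review. The trained neural network Sorts uses is replaced by a hand-weighted score, which is an assumption made only to show the flow end to end.

```python
"""Rank repository files for manual review from git history metrics.

Added illustration, not Fluid Attacks' Sorts code. Sorts extracts repository
metrics and scores them with a trained neural network; here a hand-weighted
score (an assumption) stands in for the model so the pipeline is visible.
"""
from collections import defaultdict

# Constructed sample of `git log --numstat --format='commit %H %an'` output.
SAMPLE_LOG = """\
commit a1 alice
10\t2\tsrc/auth/login.py
3\t0\tREADME.md
commit b2 bob
40\t15\tsrc/auth/login.py
5\t5\tsrc/util/strings.py
commit c3 alice
2\t1\tsrc/util/strings.py
commit d4 carol
25\t30\tsrc/auth/login.py
"""


def file_metrics(log_text):
    """Per-file commit count, distinct authors and churn (added + deleted lines)."""
    raw = defaultdict(lambda: {"commits": 0, "authors": set(), "churn": 0})
    author = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            author = line.split(maxsplit=2)[2]  # hash is field 1, author name is field 2
            continue
        if not line.strip():
            continue  # git separates commits with blank lines
        added, deleted, path = line.split("\t")
        entry = raw[path]
        entry["commits"] += 1
        entry["authors"].add(author)
        entry["churn"] += int(added) + int(deleted)
    return {path: {"commits": v["commits"], "authors": len(v["authors"]), "churn": v["churn"]}
            for path, v in raw.items()}


def review_priority(metrics):
    """Map metrics to a 0..1 score (stand-in for the trained model), highest first."""
    max_churn = max(m["churn"] for m in metrics.values()) or 1
    ranked = []
    for path, m in metrics.items():
        score = (0.4 * min(m["commits"], 5) / 5
                 + 0.3 * min(m["authors"], 5) / 5
                 + 0.3 * m["churn"] / max_churn)
        ranked.append((path, round(score, 3)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)
```

Run on a real repository by piping `git log --numstat --format='commit %H %an'` into `file_metrics`; the top of the ranking is where an analyst would look first.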
Additionally, Oscar emphasized the viewpoint that we continue to hold:
"We see machine learning emerging technologies more as tools
rather than the holy grail of cybersecurity that will replace human hackers."
At Fluid Attacks, we hold to the idea of combining humans and tools.
The latter provide high-speed but low-accuracy reports.
The former take longer, but by using their astuteness and creativity
they are more accurate and reach deeper and more complex issues.
The activity of tools such as Asserts, for example, searching for superficial vulnerabilities that are already known, facilitates and speeds up our ethical hackers' work, which is still indispensable (using techniques such as pentesting) for comprehensive evaluations of our clients' IT systems. Organizations should no longer fall into the trap of relying only on these automated systems that generally check the perimeter of attack and deliver weak and limited reports.
Ideally, today we should include security in the DevOps methodology from the very beginning, so that everyone involved in business projects understands and applies it. Companies that build and manage software should indeed keep at least one Security Champion on their staff. From there, they can start training other potential talent to strengthen their means of prevention and defense (even if those people are not in charge of looking for vulnerabilities). Besides, many organizations should also start educating their other employees about behaviors that can pose cybersecurity risks. As we once said, it is imperative that everyone working for an organization be responsible for cybersecurity within this new culture of DevSecOps.
“The expansion of knowledge and expertise in cybersecurity is crucial to improve preparedness and resilience.” ENISA
This series of articles on the State of Cybersecurity 2020-21 will end with a third part looking ahead to next year. See you soon!