State of Cybersecurity 2020-21, II

Cybersecurity has gained particular relevance as a necessity. This is partly due to the sudden changes in the structure and ways of working that many companies and organizations have not long ago experienced around the world. Of course, this is also related to the growing activity of IT criminals. However, many businesses and public entities have not adequately addressed this need. And some of them have been victims of cyberattacks, often of disastrous scale. That’s why it’s recommended for many people to rethink their cybersecurity strategies. Even for some of them, it’s advisable to reevaluate their attitude towards cybersecurity and their knowledge on the subject.

That’s something that applies in the case of cybersecurity compliance requirements. Some firms are ignoring the function of those requirements. Many of them focus only on avoiding any sanction from some standard but leaving aside the incorporation of solid cybersecurity plans. At Fluid Attacks, we have maintained a set of requirements under construction and evaluation. It gathers information from more than ten international standards. The companies that work with us find it useful to go beyond mere security compliance.

It’s no secret to anyone: malicious hackers have kept up with technological and methodological advances. The same applies to the prevention and defense sectors. However, as Schwartz puts it, "security experts say the basic best practices that an organization should pursue to protect itself largely remain constant." It’s now typical for us to listen and at the same time recommend, for instance, the careful management of passwords and multi-factor authentication and the proper administration of privileges (limiting access). We also advise the constant updating of components and dependencies (including software employed as defense, e.g., secure email gateway, antiviruses, firewalls) and the continued use of the latest patches for known vulnerabilities.

As a curious fact, it is said that currently, only 1% of the attack vectors used by cybercriminals correspond to new methods for cybersecurity professionals. In other words, we have a lot of knowledge to identify and repair almost all the existing vulnerabilities on which criminals take advantage. Conflict arises when the necessary tools and trained personnel are not available or by simple carelessness.

At this point, it is convenient to remember what Arango shared with us in April this year in regards to current trends in cybersecurity. Today, there’s something that has become a common denominator for many firms with cybersecurity issues: the shortage of skilled and prepared talent. Arango referred to Cybersecurity Ventures, estimating that more than 3 million cybersecurity jobs would be unfilled this year. An alarming number indeed! He commented that, at this time, in cybersecurity matters, some people believe that the academy is not qualified to keep up with the industry’s pace. Some even consider that the automatic tools can do the operations usually destined to security professionals to counter this lack. Nevertheless, this can also represent a crisis.

Process automation is undoubtedly something that almost all humans benefit from in a variety of environments. In the field of information technology, the amounts of data to be controlled are growing every day. Moreover, in different industries, fast and efficient solutions to an assortment of problems are often requested. It’s in such cases that automation has taken some prominence. In cybersecurity, specifically, as Kaushik tells us, automation is useful for identifying, investigating, triaging, prioritizing, and remediating vulnerabilities and threats.

Still, the trouble lies in assuming that machines' work, at least in these times, can replace all human activity in a field like this. On countless occasions, Fluid Attacks has informed about the high rates of false positives (lies) and false negatives (omissions) that can appear in cybersecurity assessments performed by automated tools. Apart from the fact that typically someone is needed to keep an eye on these tools' operations, their constant errors and limitations make complementary human work still required. Moreover, according to the results of these automatic processes —sometimes instruments identifying just 2.5 of 10 vulnerabilities present in a system—, the tools should be seen only as a supplement to human exercise.

Cybercriminals have indeed taken advantage of advances in Machine Learning (ML) and Artificial Intelligence (AI), as we mentioned in the first part. But it is also true that cybersecurity companies have leveraged these same advances and developed new strategies to respond to threats. This has represented a tendency in the last years. New tools have emerged within these technological approaches. We have experienced this at Fluid Attacks, e.g., with Sorts.

Sorts is a recent command-line interface that we use for extracting metrics from the code repository. A previously trained neural network-based ML model is used to evaluate these metrics. Later, it returns the probabilities of finding vulnerabilities in specific files. As Oscar Prado remarked one year ago: tools like this "can help our analysts to decide where to look first, what portions of code may have vulnerabilities and require further attention, or which inputs may not have been properly sanitized."

Additionally, Oscar emphasized the point of view that we continue to hold: "We see machine learning emerging technologies more as tools rather than the holy grail of cybersecurity that will replace human hackers." At Fluid Attacks, we preserve the idea of mixing humans and tools. The latter provide high-speed but low-accuracy reports. The former, in longer times but using their astuteness and creativity, are more accurate and access more profound and complex issues.

The activity of our tools, searching for superficial vulnerabilities that are already known, facilitates and speeds up the work of our ethical hackers. A work that remains indispensable (using techniques such as pentesting) for comprehensive evaluations of our clients' IT systems. Organizations should no longer fall into the trap of relying only on these automated systems that generally check the perimeter of attack and deliver weak and limited reports.

It is ideal that today we include security in the DevOps methodology. We should do it from the beginning! And, of course, always with the intention that all people involved in business projects understand it and apply it. Firms that build and manage software should indeed keep at least one Security Champion on their staff. From there, they could start training other potential talents to strengthen their means of prevention and defense (even if they are not the ones in charge of looking for vulnerabilities). Besides, many organizations should also start educating their other employees about behaviors that can pose cybersecurity risks. As we once said, it is imperative that everyone working for an organization be responsible for cybersecurity within this new culture of DevSecOps.

See you in the third part of this series of posts!