Given the media hype around the Conficker worm (and now Gumblar), and the constant barrage of alarming disclosure announcements, I thought it would be a good time to take a calmer look at some of the security myths, misconceptions and mistruths that plague the industry.
Many of these cyber security myths have been around for close to a decade. They have driven marketing campaigns and have sold a lot of traditional newspapers. But for the most part these threats have proven much less dangerous than ballyhooed. Worse, they distract us from addressing the routine problems whose fixes would lead to a more secure global IT environment. Until we can address everyday vulnerabilities and threats, how can we justify focusing on exotic edge cases?
5. China is the Leading Exporter of Cybercrime
China has become the favorite security bad-guy country. If you believe the media hype, half of Beijing is dotted with malware manufacturing sweat shops turning out some of the most devilishly clever digital pathogens since the Black Death.
There is no doubt that the Chinese military is experimenting with Cyberwarfare techniques and there have been several highly publicized security incidents involving Chinese citizens. But in terms of organized Cybercrime, China is not nearly as involved as the pundits say. By contrast, China has been quite cooperative in working with the international community to address security incidents. In fact, they were instrumental in identifying and shutting down the command and control servers for the Conficker worm. China has also implemented tough Cybercrime litigation and has worked with international law enforcement to apprehend and prosecute cybercriminals.
4. Insider Threats Trump Outside Attacks
Most recognize that the main impetus for cybercrime has shifted from hobby-based cyber-vandalism to financially motivated theft of data and services. This shift has caused many to question the loyalty of internal employees. But as scary as the image of the bent accountant absconding with millions of confidential records, or the misguided IT consultant destroying decades of intellectual property, may be, the reality remains that external parties commit the majority of security incidents.
Should organizations implement controls to properly manage user access to sensitive information? Yes. Should IT continue to define usage policies and monitor activity for violations? Absolutely. But let’s not allow our attention to drift from those outsiders that initiate the majority of security incidents.
3. Advanced Hacking Techniques Render Conventional Security Pointless
90 percent of all external attacks take advantage of poorly administered, misconfigured, or inadequately managed systems that any moderately competent hacker can exploit. Sure, there are some real artists out there, but when you can take candy from a baby 90 percent of the time, you rarely need expert safecrackers.
It still stands that the majority of external attacks exploit most organizations’ astonishing inability to implement the most basic security controls. Why would criminals go through the trouble of creating elegant methods to bypass advanced controls when they can easily find poorly administered servers in the DMZ running vulnerable versions of BIND, or Windows servers configured behind firewalls running “full-monty”, i.e. all ports and protocols open?
2. Mobile Malware Equals Apocalypse Now
There is nothing that would make the anti-virus companies happier than mobile malware to bring their performance degrading, signature-based shakedown business to a smart phone near you. The boardroom would be abuzz with talk of record growth and skyrocketing profits. But alas, the onslaught of mobile malware has yet to become the epidemic anti-virus company shareholders so hope for.
Mobile malware will become a reality one day, but that day has not yet come. For the time being, it’s better to focus on improving assets that are actively under threat, such as endpoints, servers, and databases.
1. The End of the Internet is Nigh
The “Warhol” worm is defined as an extremely rapidly propagating computer worm that spreads as fast as physically possible, infecting all vulnerable machines on the entire Internet in 15 minutes or less. This concept emerged shortly after the Y2K hysteria subsided, and has captured headlines ever since. The reality is that the Internet is far more resilient than we give it credit for, and short of a world-war-level effort the Internet will remain just that—a net that may suffer its share of tears and gaps, but will remain functionally intact because people want it that way.
Finally, we must realize that myths often have a grain of truth in them that motivated parties can exaggerate into imminent threats to civilization. This is not to say that some of them are not real or shouldn’t be taken seriously.
China (like a number of nations) does have a thriving cybercrime underground. Insider threats can be devastating to a business. Some ingenious hackers have developed extremely advanced methods to infiltrate networks. The Internet may supernova, and someone, somewhere, is probably developing an iPhone worm. But as the old saying goes, let’s change the things we can, endure (but watch carefully) the ones we can’t, and have the wisdom to know the difference.