Two years ago I wrote about seven cybersecurity myths that create business risks and cause well-meaning security teams to focus on the wrong things.
At the time we were in the beginning of a global pandemic, and both our real-world and digital lives were rapidly changing, in some ways permanently. Since then, the world has been shocked economically, politically, and technologically. Technology advancement has shifted into overdrive from its already dizzying pace. Nation states engaging in cyber warfare have hit ordinary citizens right in the wallet. Surely after two years those myths would be totally different, right?
Wrong. As the saying “plus ça change” reminds us, the more things change, the more they stay the same. All seven of the original myths are still highly relevant, but I offer seven additional cybersecurity myths that spring from the immutability of the human condition.
A lot of enterprises know they have bots, but the reality is social media companies often don't know and don’t want to know how many bots they really have.
We did a proof of concept with a social networking site years ago that showed 98% of their logins were automated bots. This company was very proud of their rapid growth and excited for the future, but it turns out they only had a tenth of the subscribers they thought they had.
Why this knowledge matters has been playing out in a very public way with the acquisition of Twitter. The value of the company is largely based on the number of users. Elon Musk’s challenge to the company to demonstrate that spam bots and fake accounts make up less than 5% of its accounts is a fair expectation for any investor, advertiser, potential business partner, and even its users.
I predict Twitter’s bot number is closer to 50% or more. (Note: Based on subsequent research, I've revised this estimate in a more recent blog post.) Companies should be required to validate that users are human and effectively manage and mitigate their bot traffic.
Simply stated, the success of malicious bots indicates a security failure. Bot prevention is critical not only to the integrity of the information flowing through these sites, but also to the accuracy of the data that companies, and the parties doing business with them, rely on for important decisions.
We've seen good companies with big budgets and brilliant technical staff doing battle with bots for years. Yet when we analyze the bot traffic in these organizations, expecting to see sophisticated bots that have evolved to overcome their defenses, that is not what we find.
Companies have been fighting bots by blocking IP addresses, regions, and autonomous systems, and that is where malicious bot traffic has evolved: attacks now come from hundreds of thousands, even millions, of IP addresses, so no single address ever looks suspicious on its own. Network-layer defenses only take you so far.
My mantra is that client-side signals are king. You must have behavioral biometrics. You must interrogate the browser and interrogate the device. Taken in the aggregate, those signals are how you identify not just bots but malicious humans as well.
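The signal-aggregation approach described above, as an added example rather than code from the original post or from F5: a small Node.js scoring routine that combines browser-interrogation fields (values a page's own script would read from `navigator` and `screen` and post to the server) with a behavioral check on the pointer trace that preceded the form submit. The field names, weights and thresholds are assumptions made for illustration, and the two sessions are constructed, not captured traffic.

```javascript
// Added example (not from the original post): scoring a login session from
// client-side signals rather than from the source IP. Field names, weights and
// thresholds are assumptions for illustration only.

// Behavioral check over a pointer trace of {x, y, t} points (t in ms), as
// collected by page script before the form was submitted.
function analyzePointerTrace(events) {
  if (events.length < 3) return { linearity: 1, timingCv: 0, tooShort: true };
  const a = events[0], b = events[events.length - 1];
  const dx = b.x - a.x, dy = b.y - a.y;
  const len = Math.hypot(dx, dy) || 1;
  // Largest perpendicular distance of any point from the start-to-end chord,
  // relative to chord length: linearity 1.0 means a perfectly straight path.
  let maxDev = 0;
  for (const p of events) {
    const dev = Math.abs(dy * (p.x - a.x) - dx * (p.y - a.y)) / len;
    if (dev > maxDev) maxDev = dev;
  }
  const linearity = 1 - Math.min(maxDev / len, 1);
  // Coefficient of variation of inter-event intervals: humans jitter, scripted
  // moves are usually emitted on a fixed timer.
  const gaps = [];
  for (let i = 1; i < events.length; i++) gaps.push(events[i].t - events[i - 1].t);
  const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
  const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
  const timingCv = mean > 0 ? Math.sqrt(variance) / mean : 0;
  return { linearity, timingCv, tooShort: false };
}

// Browser/device interrogation plus behavior, combined into one score.
function scoreSession(session) {
  const env = session.browser;
  const reasons = [];
  let score = 0;
  const add = (points, why) => { score += points; reasons.push(why); };
  if (env.webdriver === true) add(40, 'navigator.webdriver is true');
  if (!Array.isArray(env.languages) || env.languages.length === 0) add(15, 'navigator.languages is empty');
  if (!(env.screenWidth > 0 && env.screenHeight > 0)) add(15, 'screen reports zero size');
  if (env.pluginCount === 0 && /Chrome\//.test(env.userAgent)) add(10, 'Chrome UA with no plugins (weak signal)');
  const trace = analyzePointerTrace(session.pointerEvents || []);
  if (trace.tooShort) add(30, 'no pointer movement before submit');
  else {
    if (trace.linearity > 0.98) add(20, 'pointer path is a straight line');
    if (trace.timingCv < 0.05) add(20, 'pointer events are evenly spaced');
  }
  return { score, verdict: score >= 50 ? 'automated' : 'likely human', reasons, trace };
}

// Constructed sessions (not captured data). Both present the same Chrome UA,
// and their IP addresses would tell you nothing; the signals below separate them.
const CHROME_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36';

const HUMAN_SESSION = {
  browser: { userAgent: CHROME_UA, webdriver: false, languages: ['en-US', 'en'],
             screenWidth: 1440, screenHeight: 900, pluginCount: 5 },
  // A gently curved path with uneven timing between events.
  pointerEvents: Array.from({ length: 21 }, (_, i) =>
    ({ x: 100 + 10 * i, y: 300 - 6 * i + 0.4 * i * (20 - i), t: 16 * i + 7 * (i % 3) })),
};

const BOT_SESSION = {
  browser: { userAgent: CHROME_UA, webdriver: true, languages: [],
             screenWidth: 1440, screenHeight: 900, pluginCount: 0 },
  // Scripted move: straight line between the same endpoints, one event every 16 ms.
  pointerEvents: Array.from({ length: 21 }, (_, i) =>
    ({ x: 100 + 10 * i, y: 300 - 6 * i, t: 16 * i })),
};

for (const [name, s] of [['human', HUMAN_SESSION], ['bot', BOT_SESSION]]) {
  const r = scoreSession(s);
  console.log(name, r.verdict, r.score, r.reasons);
}
```

No single field decides the verdict: the scripted session is caught by the combination of an automation flag, an implausible environment and a pointer path no hand produces, which is the point of aggregating signals rather than keying on any one of them or on the address the request came from.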
Companies also think they can hire their way out of this situation, but there is no way to hire enough IT people to fix a problem this vast. The only way to really fight automation is with automation.
Those of us in security, the tech press, and corporate PR share a common fear of those threat actors who are constantly innovating and staying ahead of us. But in many ways, attacks are still the same with only slight tweaks along the way.
Most of the bots we see today show the same level of sophistication that we saw five years ago. They just come from different places. Credential stuffing still works in spite of two-factor authentication and CAPTCHA: a login that is stopped only at the second factor has already confirmed to the attacker that the password is valid. Attackers won’t innovate new attack vectors as long as the original vector remains successful. All they need to do is find a way around each new defense.
Companies do need to consider emerging threats and try to prepare for them, but the industry also needs to continue to mitigate last year's threats.
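The two observations above, that attacks arrive from enormous numbers of addresses and that credential stuffing keeps working despite two-factor authentication, combined in one added example (not code from the original post or from F5). The Node.js script below runs a per-IP check and an aggregate check over a constructed login log; the log format, result codes, the `fp` client-fingerprint field and all thresholds are assumptions made for illustration.

```javascript
// Added example (not from the original post): why per-IP limits miss a
// distributed credential-stuffing run, and why MFA does not stop the attacker
// from learning which passwords are valid. Log format, result codes and
// thresholds are assumptions for illustration only.

// Outcomes in which the submitted password was correct. 'mfa_required' and
// 'mfa_failed' mean the second factor blocked the login, but the attacker has
// still learned that the username/password pair is valid.
const PASSWORD_ACCEPTED = new Set(['ok', 'mfa_required', 'mfa_failed']);

function parseLine(line) {
  const rec = {};
  for (const kv of line.trim().split(/\s+/)) {
    const i = kv.indexOf('=');
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Constructed log (not real data). Every attacking IP is used only twice, so a
// per-IP rate limit never fires, yet the run as a whole is unmistakable.
function buildConstructedLog() {
  const lines = [];
  const legit = [
    ['alice', '198.51.100.10', 'ok', 'f9a1'], ['bob', '198.51.100.11', 'ok', '3c77'],
    ['alice', '198.51.100.10', 'ok', 'f9a1'], ['carol', '198.51.100.12', 'bad_password', '0be2'],
    ['carol', '198.51.100.12', 'ok', '0be2'], ['dave', '198.51.100.13', 'mfa_required', 'd410'],
  ];
  legit.forEach(([u, ip, r, fp], i) =>
    lines.push(`ts=2024-05-01T10:${String(i).padStart(2, '0')}:00Z ip=${ip} user=${u} result=${r} fp=${fp}`));
  // Stuffing run: 60 distinct usernames, 30 IPs used twice each, and one shared
  // client fingerprint because the same automation stack sits behind every IP.
  for (let i = 0; i < 60; i++) {
    const ip = `203.0.113.${(i % 30) + 1}`;
    const result = i % 12 === 0 ? 'mfa_required' : 'bad_password'; // 5 of 60 pairs are valid
    lines.push(`ts=2024-05-01T10:${String(i % 60).padStart(2, '0')}:30Z ip=${ip} user=user${i} result=${result} fp=7c3e`);
  }
  return lines;
}

// The network-layer view: the busiest single address in the window.
function maxAttemptsPerIp(records) {
  const counts = new Map();
  for (const r of records) counts.set(r.ip, (counts.get(r.ip) || 0) + 1);
  return Math.max(...counts.values());
}

// The aggregate view: spread of usernames, failure rate, and whether one
// client fingerprint accounts for most of the traffic across many IPs.
function summarize(records) {
  const attempts = records.length;
  const distinctIps = new Set(records.map(r => r.ip)).size;
  const distinctUsers = new Set(records.map(r => r.user)).size;
  const badPassword = records.filter(r => r.result === 'bad_password').length;
  const fpCounts = new Map();
  for (const r of records) fpCounts.set(r.fp, (fpCounts.get(r.fp) || 0) + 1);
  let topFp = null, topFpCount = 0;
  for (const [fp, n] of fpCounts) if (n > topFpCount) { topFp = fp; topFpCount = n; }
  return { attempts, distinctIps, distinctUsers, passwordFailRate: badPassword / attempts,
           topFp, topFpShare: topFpCount / attempts };
}

function detectStuffing(records, opts = {}) {
  const { minAttempts = 30, minUserSpread = 0.7, minFailRate = 0.6, minFpShare = 0.5 } = opts;
  const s = summarize(records);
  const reasons = [];
  if (s.attempts >= minAttempts && s.distinctUsers / s.attempts >= minUserSpread)
    reasons.push(`${s.distinctUsers} distinct usernames across ${s.attempts} attempts`);
  if (s.attempts >= minAttempts && s.passwordFailRate >= minFailRate)
    reasons.push(`${Math.round(s.passwordFailRate * 100)}% wrong-password rate`);
  if (s.topFpShare >= minFpShare && s.distinctIps > 10)
    reasons.push(`fingerprint ${s.topFp} behind ${Math.round(s.topFpShare * 100)}% of attempts from ${s.distinctIps} IPs`);
  const flagged = reasons.length >= 2;
  // Accounts whose password the attacker has now confirmed, MFA or not. These
  // need a forced reset, not just a blocked session.
  const validated = records
    .filter(r => r.fp === s.topFp && PASSWORD_ACCEPTED.has(r.result))
    .map(r => r.user);
  return { flagged, reasons, validated, maxPerIp: maxAttemptsPerIp(records), summary: s };
}

const verdict = detectStuffing(buildConstructedLog().map(parseLine));
console.log('busiest single IP:', verdict.maxPerIp, 'attempts');
console.log('flagged:', verdict.flagged, verdict.reasons);
console.log('credentials validated despite MFA:', verdict.validated);
```

Run it and the busiest address in the window made two attempts, which no sane per-IP threshold would block, while the aggregate view flags 64 usernames across 66 attempts, an 85% wrong-password rate, and one fingerprint behind 34 addresses. The five `mfa_required` results are the part MFA alone does not fix: those users' passwords are now known to the attacker.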
The multiple cloud world is a reality that many, if not most, companies are living in today. Whether it’s because of an acquisition, integration with a partner, or just capturing best-of-breed features, multi-cloud is here to stay.
Yet when I ask companies if they’re in multiple clouds, one answer I hear repeatedly is some version of “yes, unfortunately.” Companies that operate across multiple clouds sometimes do so begrudgingly and don't embrace the opportunity to get the best of all worlds.
Today there’s no reason that managing and securing your IT estate across multiple clouds should be arduous. Cloud vendors have built interoperability into their strategies, and there are many other providers whose solutions are designed to remove the burden of integration, abstract their functionality across clouds, and deliver it through a simple, unified interface.
Security teams are focused on the enterprise's infrastructure, their servers, their computers, their desktops—everything inside the organization. What they largely are not focused on is the home networks of all the organization’s employees.
An attacker might want to target the CEO to access mergers and acquisitions insights or other strategic information, but monetizing that isn’t as easy as targeting an accounts payable clerk or an IT administrator. At a time when working from home is more common than ever, home networks are an emerging weak point for bad actors to exploit.
Insider threats have an enormous advantage simply because it’s human nature to assume the best of those around us. But the fact is you can’t hire 50 or 100 employees without the very real risk of introducing a bad apple or two to the barrel.
Disgruntled employees don’t just leave bad reviews on Glassdoor. They can throw sensitive files onto a thumb drive and walk right out the door. There's even a growing concern that they might leave malicious software in the system.
I’ve long had a theory that insiders are probably behind a lot of ransomware attacks also. An IT administrator can easily create a persona on the dark web, give that persona access to the system to install malware, and then issue a demand for ransom—and in turn advocate that the company just pay the ransom. It’s important to note that I’ve not yet seen evidence of this, but the incentive is certainly there.
When the Colonial Pipeline was attacked a year ago, causing long lines at gas stations that inconvenienced consumers on the East Coast, it was major international news.
Yet there is little to no conversation about the millions of Americans who are defrauded every year online, many of whom are elderly and living on their retirement savings. This is a tremendous threat to our social safety net that can have devastating effects on people and their families, far more so than having to wait in line and pay more for gas.
I spent years in law enforcement investigating cybercrime, more often than not with frustrating results, and this issue is a passion of mine. Attacks on our infrastructure are important and very real, but when you listen to the stories of these victims it’s clear that widespread cyber fraud should be getting more attention than it is.
If you are interested in learning more about managing and defending against bots, identifying and mitigating threats, or implementing zero trust within your organization, here are a few supplemental reading suggestions:
By Dan Woods, Global Head of Intelligence, F5