How does a security program dwindle from a powerful method of stopping hacks to a cargo cult of pointless rituals? Just because we use powerful and expressive terms for our “best practices,” it doesn’t guarantee they’ll be useful or effective in keeping our systems afloat. In this series we’ll explore key security processes in both name and in reality, by deconstructing four major gaps we’ve observed between reported cyber-security activity and the tangible results of that activity.
In part one, we will re-examine three key gaps previously discussed by F5 Labs research in the past year. In part two, we’ll explore a new, previously unreported mismatch in cyber security practices. Because—given human nature and the relative immaturity of the cyber security industry—it is likely that other gaps and misconceptions lurk in our programs and in our mindsets, part three will discuss possible causes of these mental blind spots, and offer actionable and practical solutions to prevent them.
Risk is our business
Everything we do in cyber security relates to risk, whether we are conscious of it or not. Some lead cybersecurity efforts by generic “best practices” or defined control frameworks, but these are simply pre-computed risk-control tradeoff measures. It is in our best interest to customize our risk management for our particular organization, industry, and threat profile. This means measuring the risk to our assets, allocating resources to reduce the risk; accepting or transferring the remaining risk; and ensuring that the risks are properly mitigated to an acceptable level.
The risk concept is fundamental to every cyber security training curriculum, such as the CISSP Common Body of Knowledge: Security and Risk Management. It is the axis that cyber security frameworks orbit around, such as NIST Special Publication 800-53, the Risk Management Framework. It’s baked into every major compliance framework, such as COBIT—alignment of IT value creation and IT risk, and ISO 27001, the application a risk management process as part of an information security management system.
Ask a security professional and they will agree. In 2017, F5 partnered with Ponemon to survey senior level IT security professionals from 184 organizations in seven countries. The most popular answer to the question “What is your role?” was “Assessing IT Security risk” (60% of respondents). A year later, we surveyed security professionals again as part of the 2018 Application Protection Report. 64% of respondents reported that “Risk assessment” was in their top 5 controls deployed. There is no doubt that risk is a vital element of cyber security. But how many use a consequential, effective risk management process, and how many just go through the motions—resulting in a superficial, and possibly misleading, risk management process?
We can start to answer that by determining what we mean by risk management. Many of the previously-mentioned frameworks and codes of practice define it as the control of adverse events to an acceptable level of loss exposure. Another way to describe risk is how threats exploit vulnerabilities for harmful impact. At the heart of these definitions is the concept of damage. Whether it’s called “loss” or “impact,” risk means the assets and resources we value are being stolen, misused, or rendered inoperative. Or in even more simple terms: the bad guys mess with our important stuff. This means that to do risk management, we need to know the form and location of all our important stuff.
Gap: Incomplete risk management
The same surveys that show a majority of security professionals performing risk assessment also reported shockingly low adoption of asset management practices. The 2017 CISO survey revealed that only 16% of respondents consider asset inventory as a security process, ranking it as the least important control. It’s no wonder that our 2018 Application Protection Report survey reported that 62% respondents have low confidence in their inventory. If you don’t know what you have, how can you protect it? Granted, complete and effective asset inventory is tedious and exacting activity. Still, without this basic foundational knowledge, risk management will be incomplete and unproductive. For more on this gap, check out To Protect Your Network, You Must First Know Your Network.
Gap: Biased risk appraisal
Like all humans, security professionals can be misled by chilling headlines that magnify the threat and prevalence of some risks. In the 2017 CISO survey, we asked security professionals to rank their “top threats” and the number one risk was “Advanced persistent threats (APTs).” Sure, APTs are dangerous foes, often capable of overcoming most traditional cyber defenses and wreaking immense damage. But how many organizations are actually targeted by APTs? In both of our detailed breach analysis reports, Lessons Learned from a Decade of Data Breaches and the 2018 Application Protection Report, F5 Labs reported that the most profound risks for organizations are common web application attacks and credential theft. The exploitation of known vulnerabilities and phishing are hardly the exotic and difficult-to-stop attacks of an APT (although a savvy APT would probably attack first in this way in order to preserve valuable zero day exploits).1 These common, but nonetheless effective, attacks were ranked third- and fourth-level threats in that same survey. We explored this more in our article Risk vs. Reality: Don’t Solve the Wrong Problem.
Gap: Misaligned risk mitigation
So if we know what our risks are, we should be able to select appropriate defenses. But once again, some cyber security professionals’ processes do not align with what is really going on. In that same CISO survey, we asked about the most important technical controls. The top two answers were traditional firewalls (88%) and anti-virus (83%). Yes, these controls are table stakes for the cyber defense game. But are they effective against web application attacks? In our 2018 Web Application Security Survey, we found that 74% of organizations were still using usernames/passwords unique to the application, which we know are easily stolen and misused. Furthermore, the CISO survey noted that DDoS was the number 2 threat (behind APTs) yet the App Security survey found that only 7% of organizations had deployed anti-DDoS defenses. Our top chosen defenses are not designed to mitigate these top risks. We discussed this in depth in our article 86 Your Cyber Attackers! Avoid Data Breaches by Protecting Your Most Likely Attack Targets.
We’ve touched three of the four gaps in perceptions of cyber security practices and their real-world effectiveness. In our next installment we’ll discuss a new gap, and finally in part three we’ll get into causes and solutions.