
In an article on www.cnbc.com Aneri Pattani appears to be saying that the cyber security industry has failed. Aneri refers to breach-after-breach and points to the fact that simple, old-school expoits & attack methods continue to work against newly deployed software. While the facts are true, I believe that Aneri has missed the point completely. I suggest that the failure is not in the industry as much as in the people who choose not to take the advice of security professionals. There are two components here. First, Cyber Security professionals may need to improve how they educate people on the subject of risk. Second, those in control of businesses must take ownership when things fail if the failure happened after they elected not to enact recommended security measures. Blaming the Security industry for breaches is inaccurate and distracts from the real cause of security issues.
Regarding educating people on risk, let’s take one example. Aneria says “The best way to fight this cyberwar is to get back to basics, like knowing how many computers a company has and gaining control over them in seconds.” This is true. The industry has been saying this for years. Take, for example, the SANS Top 20 Critical Security Controls, now the CIS security controls. Number one on the list. “CSC 1: Inventory of Authorized and Unauthorized Devices” That would correspond to “knowing how many computers a company has”. This simple step is the number one thing that companies can do, and yet many, many companies don’t do so. (There’s a poster too, which I recommend.)
Regarding how companies encourage bad behavior while ignoring the security industry’s recommendations, let’s consider the very web page accusing the industry of failure. The industry has said for years that running lots of scripts on a web page increases risk. Each time a user opens up their browser to run more scripts they have exposed themselves to more code from unknown sources. For this reason many people, like myself, use script blockers as part of keeping our browsers secure from attack. When I tried to read the comments on the cnbc.com article I specifically allowed scripts to run for the current page. I did this three times. Each time allowing more and more scripts to run. In the end I was still not able to view the comments, and the page still wanted to run more scripts. (Yes. I know that MEI Security’s web page asks for some scripts to run, but it does function with scripting disabled.)
In conclusion, the article proclaiming that the security industry has failed shows by it’s very nature that businesses continue to ignore the advice of the security industry, and they push for users to bring more risk into their own environments. If you refuse to secure yourself then you’ve decided to take that risk. When you are breached don’t blame the folks who told you not to take the risk in the first place.