There are breaches happening left and right on the news, yet the IT security industry is expected to boom to $120 billion this year. You would think that with all that money getting thrown around we would see fewer breaches. But they only seem to be increasing, and those are just the public ones.
In our experience, a breach can go from initial entry to full compromise in just a half hour. “Full compromise” means that you cannot get the hackers out without taking extreme measures like taking your system offline or wiping everything. From there, a hacker can exfiltrate data undetected within one to three hours.
None of the security solutions offered by vendors these days will magically protect you from being hacked. As of this writing, we have always found a way to penetrate systems even if they have the strongest firewalls, antivirus and anti-malware solutions. They simply cannot withstand a targeted attack from a dedicated attacker.
Is the security industry being deceitful to itself, its clients and the public about the effectiveness of their security solutions? I believe the answer is yes. Here’s why.
Most vendors offering security solutions do have their hearts in the right place. They do want to protect the customer. But even if their hearts are in the right place, their strategic brains aren’t thinking the way that a hacker thinks.
IT security isn’t like home security. A few locks and lights aren’t going to cut it. It’s a full-on war out there, and security companies are much like generals directing troops (security tools) to do battle. Yet it is a military adage that a general is always fighting the last war, not the one they are in now. And thanks to a combination of factors, some regulatory, some legal and some cultural, the security industry is completely flat-footed against a competent attacker.
But if their products are only protecting against the most basic of attacks, why is the industry booming?
Deceiving Their Clients
There are only a few industries where penetration testing is a requirement, notably the financial industry. The actual rules that define what a penetration test is and what level of protection is needed are horribly vague. Every company wants to present the illusion of security to its clients. I call this political security.
Some clients just want the cheapest security solution possible so they can check off the box. Fine. Enjoy getting breached. But there are many companies that do want strong security and are being fooled by the industry. Few companies have someone with a true hacker mentality on staff who can call out security product salespeople on their claims. Buzzwords and fear tactics sway businesses into buying products that are not as effective as advertised or that can be bypassed in other ways. These products make businesses feel safe and let them put up a positive front to customers and clients.
However, it is false security to a competent attacker. To be honest, a breach will eventually happen. Always. A true security solution will do at least three things:
- Make it as difficult as possible to be breached, in order to ward off the undedicated attackers.
- Detect when a breach occurs and how it happened as soon as possible.
- Shut it down as soon as possible upon detection.
What manual penetration testers do is act like a dedicated hacker that wants your information and will do everything they can to get it. As we said, it’s a constant war and should be treated as such. The cost of a breach is always higher than what it would cost to get an annual manual penetration test.
The desire of companies to have political security and the eagerness of IT security companies to get companies to fork over money for it erodes public trust in the internet. Why does political security work in the first place? The public is just as uneducated about computer security as the companies. But they are rapidly catching on.
Ashley Madison, the infamous adultery site, was providing just such an illusion of political security. They made all sorts of claims that your personal data and payment information would be safe and people believed them. Then look what happened.
Sony, Verizon, Yahoo and many other big name companies have been compromised and lost personal information. There’s even a site, https://haveibeenpwned.com/, that can check email addresses and user names to see if you’ve been involved in a breach. And these are just the big ones.
The biggest targets of cybercriminals are actually mid-sized businesses that have enough information to be valuable but lack pockets deep enough to spend millions discovering the hacker's identity. These breaches often go unreported because disclosure would destroy the business, if they are even detected at all. With each breach, the public's trust in the internet decreases. This problem is only going to get worse (see the Internet of Things) until everyone admits that political security will not work and true security solutions must be pursued.
Security companies must admit their products don’t work as advertised and create better security solutions based on how hackers operate. Their clients must be willing to get penetration tested by competent hackers regularly to find and seal breaches in their security. The public also has to get educated on cybersecurity and start to push for regulations that have some teeth to keep their personal data safe.
Until this happens, the net is a cybercriminal’s playground and your data is the easy prize.