
State of Cybersecurity 2020-21, II

In the previous part,
we focused our attention
mainly on some current trends among cybercriminals.
Now we intend to make room
for the preventive and defensive side of cybersecurity,
outlining some important tendencies in 2020.
These trends are related,
to different degrees,
to the approaches, methodologies, and activities
that we carry out at Fluid Attacks,
a red team
focused on detecting vulnerabilities in IT systems.
That's why we'll also speak here
from our own experience.

Cybersecurity as a necessity and responsibility

Cybersecurity has gained particular relevance as a necessity.
This is partly due to the sudden changes
in structure and ways of working
that many companies and organizations around the world
experienced not long ago.
Of course,
it is also related to the growing activity of IT criminals.
However,
many businesses and public entities
have not adequately addressed this need,
and some of them have been victims of cyberattacks,
often of disastrous scale.
That's why many organizations would do well
to rethink their cybersecurity strategies.
Some of them should even reevaluate
their attitude towards cybersecurity
and their knowledge of the subject.

This applies, for example,
to cybersecurity compliance requirements.
Some firms ignore the purpose of those requirements.
Many of them focus only on avoiding sanctions
under some standard,
while leaving aside the adoption of solid cybersecurity plans.
At Fluid Attacks,
we maintain a set of security requirements
that is continuously built and evaluated.
It draws on more than ten international standards.
The companies that work with us find it useful
for going beyond mere security compliance.

Technology advances yet best practices remain

It's no secret to anyone:
malicious hackers have kept up with technological and methodological advances.
The same applies to the prevention and defense sectors.
However,
as Schwartz puts it,
"security experts say
the basic best practices
that an organization should pursue to protect itself
largely remain constant."
It's now routine for us both to hear
and to recommend,
for instance,
careful password management,
multi-factor authentication,
and proper privilege administration
(limiting each account's access to what it actually needs).
We also advise keeping components and dependencies constantly updated
(including software employed as a defense,
e.g., secure email gateways, antivirus products, firewalls)
and promptly applying the latest patches
for known vulnerabilities.

As a curious fact,
it is said that,
currently,
only about 1% of the attack vectors used by cybercriminals
are methods that are new to cybersecurity professionals.
In other words,
we already have the knowledge
to identify and fix almost all the existing vulnerabilities
that criminals take advantage of.
Problems arise
when the necessary tools and trained personnel are not available,
or simply through carelessness.

Talent in cybersecurity is still lacking

At this point,
it's worth recalling what Arango shared with us
in April this year regarding current trends
in cybersecurity.
Today,
there's something that has become a common denominator
for many firms with cybersecurity issues:
the shortage of skilled and prepared talent.
Arango referred to Cybersecurity Ventures,
which estimated that more than 3 million cybersecurity jobs
would be unfilled this year.
An alarming number indeed!
He commented that
some people believe that,
in cybersecurity matters,
academia is not equipped to keep up with the industry's pace.
Some even think that
automated tools can take over the operations
usually assigned to security professionals
to make up for this shortage.
Nevertheless,
that assumption can itself turn into a crisis.


Photo by Jr Korpa
on Unsplash.

Automation is not a substitute for IT professionals

Process automation is undoubtedly something
that almost everyone benefits from
in a variety of environments.
In the field of information technology,
the amount of data to be controlled grows every day.
Moreover,
in different industries,
fast and efficient solutions
to an assortment of problems
are constantly demanded.
It's in such cases
that automation has gained prominence.
In cybersecurity,
specifically,
as Kaushik tells us,
automation is useful
for identifying, investigating, triaging, prioritizing
and remediating vulnerabilities and threats.

Still,
the trouble lies in assuming that
machines' work,
at least in these times,
can replace all human activity
in a field like this.
On countless occasions,
Fluid Attacks has reported on the high rates of false positives (lies)
and false negatives (omissions)
that can appear in cybersecurity assessments
performed by automated tools.
Besides the fact
that someone typically has to supervise these tools' operation,
their frequent errors and limitations
mean that complementary human work is still required.
Moreover,
judging by the results of these automated processes
(sometimes a tool identifies
just 2.5 of every 10 vulnerabilities present in a system),
the tools should be seen only as a supplement
to human work.

ML and AI represent benefits

Cybercriminals have indeed taken advantage of advances
in Machine Learning (ML) and Artificial Intelligence (AI),
as we mentioned in the first part.
But it is also true that
cybersecurity companies have leveraged these same advances
and developed new strategies to respond to threats.
This has been a trend in recent years.
New tools have emerged from these technological approaches.
We have experienced this at Fluid Attacks,
e.g., with Sorts.

Sorts is a recent command-line tool
that we use to extract metrics from a code repository.
A previously trained neural-network-based ML model
evaluates these metrics
and returns, for specific files,
the probability that they contain vulnerabilities.
As Oscar Prado remarked one year ago:
tools like this “can help our analysts
to decide where to look first,
what portions of code may have vulnerabilities
and require further attention,
or which inputs may not have been properly sanitized.”
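To make the idea of "metrics from the repository history, then a model that turns them into a per-file probability" concrete, here is an added example that is not Sorts and not Fluid Attacks' code. It parses a constructed `git log --numstat` sample (embedded inline, not a real repository), builds per-file metrics (commit count, distinct authors, lines added and deleted), and ranks files with a hand-set logistic model. The weights and the choice of metrics are assumptions for illustration; a real tool would learn them from labelled history, and Sorts' actual feature set and model are not described on this page.

```python
"""Rank repository files by an illustrative vulnerability-likelihood score.

Added example: an approximation of the "repo metrics -> model -> per-file
probability" pipeline described above. This is NOT Sorts; the metrics and
WEIGHTS below are assumed for illustration, not trained on real data.
"""
import math
import re
from collections import defaultdict

# Constructed sample in the shape of
#   git log --numstat --format='commit %H%nAuthor: %an'
# (four commits touching three files). Not taken from a real repository.
SAMPLE_LOG = """\
commit a1
Author: alice
12\t3\tsrc/auth/login.py
4\t0\tsrc/util/strings.py
commit b2
Author: bob
30\t11\tsrc/auth/login.py
commit c3
Author: carol
2\t2\tsrc/util/strings.py
commit d4
Author: alice
55\t20\tsrc/auth/login.py
8\t1\tsrc/api/handlers.py
"""

# numstat rows are "<added>\t<deleted>\t<path>"; binary files show "-".
NUMSTAT_RE = re.compile(r"^(\d+|-)\t(\d+|-)\t(.+)$")


def extract_metrics(log_text):
    """Return {path: {"commits", "authors", "added", "deleted"}}."""
    metrics = defaultdict(
        lambda: {"commits": 0, "authors": set(), "added": 0, "deleted": 0}
    )
    author = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            continue  # commit hash: not needed for these metrics
        if line.startswith("Author: "):
            author = line[len("Author: "):].strip()
            continue
        m = NUMSTAT_RE.match(line)
        if not m:
            continue  # blank lines or anything else git prints
        added, deleted, path = m.groups()
        added = 0 if added == "-" else int(added)      # binary file
        deleted = 0 if deleted == "-" else int(deleted)
        entry = metrics[path]
        entry["commits"] += 1
        entry["authors"].add(author)
        entry["added"] += added
        entry["deleted"] += deleted
    # Collapse the author set to a count so the result is plain data.
    return {p: {**v, "authors": len(v["authors"])} for p, v in metrics.items()}


# Assumed logistic-regression weights (illustrative only, not trained).
# The intuition: files touched often, by many people, with a lot of churn
# are more likely to hide defects, so they should be reviewed first.
WEIGHTS = {"bias": -3.0, "commits": 0.6, "authors": 0.4, "churn": 0.02}


def score_file(m):
    """Sigmoid of a weighted sum of the file's metrics -> probability."""
    churn = m["added"] + m["deleted"]
    z = (WEIGHTS["bias"]
         + WEIGHTS["commits"] * m["commits"]
         + WEIGHTS["authors"] * m["authors"]
         + WEIGHTS["churn"] * churn)
    return 1.0 / (1.0 + math.exp(-z))


def rank_files(log_text):
    """Return [(path, probability)] sorted from most to least suspicious."""
    metrics = extract_metrics(log_text)
    ranked = sorted(((score_file(m), p) for p, m in metrics.items()), reverse=True)
    return [(p, round(s, 3)) for s, p in ranked]


if __name__ == "__main__":
    for path, prob in rank_files(SAMPLE_LOG):
        print(f"{prob:.3f}  {path}")
```

On the sample above, `src/auth/login.py` (three commits, two authors, 131 lines of churn) lands at the top of the list, which is exactly the kind of "where to look first" hint the quote describes. To run it against a real checkout, feed it the output of `git log --numstat --format='commit %H%nAuthor: %an'`; the parser ignores the blank separator lines git prints. The output is a triage order, not a finding: a high score means a human should read the file, not that it is vulnerable.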

The human-tool combination becomes ideal

Additionally,
Oscar emphasized the point of view
that we continue to hold:
“We see machine learning emerging technologies more as tools
rather than the holy grail of cybersecurity
that will replace human hackers.”
At Fluid Attacks,
we hold to the idea of combining humans and tools.
The latter provide fast
but low-accuracy reports.
The former take longer,
but with their astuteness and creativity
they are more accurate
and reach deeper and more complex issues.

The work of our tools,
searching for superficial, already-known vulnerabilities,
facilitates and speeds up the work of our ethical hackers,
which remains indispensable
(using techniques such as pentesting)
for comprehensive evaluations of our clients' IT systems.
Organizations should no longer fall into the trap
of relying only on automated systems,
which generally check the attack perimeter
and deliver weak and limited reports.

Cybersecurity implemented from the beginning

Ideally,
security is included in the DevOps methodology
from the very beginning.
And,
of course,
always with the intention
that everyone involved in business projects understands it
and applies it.
Firms that build and manage software
should indeed keep at least one Security Champion
on their staff.
From there,
they can start training other potential talents
to strengthen their means of prevention and defense
(even if those people are not the ones in charge of looking for vulnerabilities).
Besides,
many organizations should also start educating their other employees
about behaviors that can pose cybersecurity risks.
As we once said,
it is imperative that
everyone working for an organization be responsible for cybersecurity
within this new culture of DevSecOps.

See you in the third part
of this series of posts!


*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/cybersecurity-2020-21-ii/