Expert Roundup: Why Can’t Cybersecurity Be Simpler?

Time and time again, people ask:

Why can’t cybersecurity be simpler?

This question is not asked just by regular users confused by the “techno-babble” or enraged by information leaks.

It’s also increasingly asked by business owners, analysts, journalists and even the people involved in securing information, whether sysadmins for small companies or even high-level executives in multinational organizations.

This is why we thought to go straight to the source to find the best responses. Last time, we asked specialists to say whether they think that Internet security is a losing battle or not and their responses were memorable. Today, we asked highly accomplished cybersecurity experts from various infosec fields another tricky question and they were gracious enough to provide their insights.

If you’re a regular user angry at your data being exposed to various leaks and cyber attacks, you will get a behind-the-scenes look at the reasons why these incidents happen. If you’re someone involved in handling customers’ data, these perspectives will prove to be just as illuminating.

We wanted to provide you valuable, often hard to find perspectives. We managed to make a great start to answer a simple-looking, but an actually difficult and ramified question.

Why can’t cybersecurity be simpler?

Use the links below to quickly navigate the experts’ replies.

• Brent White (BITKILL3R)– Senior Security Consultant at NTT Security and the founder of the Nashville DEF CON group
• Ian Thornton-Trump – Cyber Vulnerability & Threat Hunting Lead at Ladbrokes Coral Group and CTO of Octopi Managed Services Inc
• Isaac Kohen – Founder and CEO of Teramind, an employee monitoring and insider threat prevention platform
• Joe Ward – Senior Security Analyst at Bishop Fox
• Peter Buttler – Cyber security journalist, consultant at PrivacyEnd
• Albert Ahdoot – Business Development Director at Colocation America
• Harsh Agrawal – Founder and CEO of ShoutMeLoud.com

 

Brent White

Brent is a Senior Security Consultant at NTT Security and the founder of the Nashville DEF CON group. He can be found at We Hack People, a website dedicated to red team and social engineering assessments.

 

Security isn’t a convenience because it requires being careful and demands that users be diligent to take extra steps to follow rules.

I focus on social engineering and physical security and see this come in to play on a regular basis when a company hires me to break into their buildings.

For example, tailgating (piggybacking) is one of the most common ways that I gain unauthorized access to a business.

This could be mitigated if employees followed their security awareness training and made sure that everyone who entered was scanning their badge, and that the badge being scanned was valid.

However, this takes time and requires people who are already focused on their own paths and agendas to slow down and be more aware of their surroundings.

Asking them to change their thought process and to “validate” each person coming in the door isn’t something that’s going to happen overnight.

You also have the human kindness factor that is innate in most of us, where we naturally want to help out someone in need.

This is easily exploited by a social engineer in many ways, whether it’s pretending to need help opening the door because their arms are full, or the social engineer can simply tailgate in, be in an “argument” on the phone (making the situation uncomfortable on purpose).

People will want to avoid a potential confrontation with someone who already appears to be upset about something.

Once an attacker has physical access to data, it’s pretty much “game over”.

Companies need to go beyond the required annual “security awareness” training PowerPoints if they want to get serious about addressing these issues.

Regular drills such as internal phishing campaigns, testing unauthorized entry, and even full red team assessments are a good way to consistently check the level of awareness and response within an organization.

Employees should be incentivized to find and report something, and have a clear path of how and who to report incidents to in a way that is easy and convenient for them. 

It’s very difficult to incorporate a security mindset 100% into the culture of a company. But, when it’s done correctly, it can be a very effective countermeasure against potential threats.

Ian Thornton-Trump

Ian is the Cyber Vulnerability & Threat Hunting Lead at Ladbrokes Coral Group and CTO of Octopi Managed Services Inc.He can be reached on Twitter here.

 

Security can be simple, but it won’t ever be because business is not simple. And humans are not simple. And security today is in some malevolent Venn diagram right in the damn center of what can only be described for 80% (ish) of the GNP of a country as the small-medium business/enterprise (SMB/SME in the EU UK) security nightmare.

It’s not easy being profitable and everyone from the governments to the regulators (hackers in suits) to the cyber criminals (hackers in hoodies) is out to attack the hard work of organizations which strive to make an honest living.

I’m a cybersecurity Captain Willard.

“I was going to the worst cyber security situation in the world and I didn’t even know it yet. Weeks away and hundreds of dollars/pounds/euros spent on a security project that snaked through the compliance regulations like a main circuit cable plugged straight into the businesses cybersecurity posture. It was no accident that I got to be the caretaker of a business’s cybersecurity any more than being back in some SANS certification course was an accident. There is no way to tell the businesses’ cybersecurity story without telling my own. And if that business story is really a confession, then this may be my own as well.”

That’s where we are today. Most businesses are scared of an existential threat from criminal hackers (or regulatory authorities) and are turning to security vendors and consultants to solve their security problem.

The reality is: the problem is cultural and societal.

We reward efficiency over good decision making, we sacrifice security for convenience and we consistently place profit in front of pragmatism.

Cybersecurity is complicated because life is complicated and there is no perfection. We can’t be a hundred percent secure – so the rhetoric and fear monger of vendors and security professionals has given in to a feeling of helplessness and disparity among the 80%.

If this short essay strikes you as incoherent, it only matches the vast majority of SMB/SME firms approaches to cybersecurity: cybersecurity perfection is not attainable.

Attempting to apply the binary model of security and compliance to the “grayness” of business, life and society only ends in disappointment.

If this is dystopian view makes you angry or causes you discomfort – good, do something about it – change the security culture, change the business world.

It may never be simple, but you may be able to keep the doors open.

Isaac Kohen

Isaac is the founder and CEO of Teramind, an employee monitoring, and insider threat prevention platform that detects, records, and prevents malicious user behavior. He can be reached at ikohen@teramind.co.

 

As much as we wish life to be straightforward and simple, reality seems to tell us a different story.

The reality around security is it feels complicated, dynamic and perpetually a ‘catch up’ game in keeping company data secure.

With new technologies advances like the internet of things (IoT), the security landscape becomes more intertangled, and companies find themselves with new vulnerabilities and ‘patching’ new security holes in their IT infrastructure.

With many moving parts, it’s not a surprise that the traditional approach to a security plan doesn’t seem possible.

In my opinion, the best way to prepare for the future is to move from a protection to a prevention security mindset.

This progressive strategy looks at data security in ‘real time’ meaning security isn’t viewed as an afterthought, rather it’s using data, monitoring, and analytics to anticipate security breaches and adapt quickly to changing security landscapes.

Joe Ward

Joe is a Senior Security Analyst at Bishop Fox. His thoughts on infosec can be found here.

First, there is an accelerating rate of change and complexity in systems.

Driven by market forces to deliver more features and derive more value, new technologies are invented every day, and old technologies are being leveraged in new and interesting ways.

Second, there has been historically strong pressure to maintain backward compatibility to the point that the foundation of newer technologies is built on legacy systems riddled with security defects that can never be fixed.

Ultimately I think the increasing pace of “what CAN we do” has overshadowed the fundamental question of “what SHOULD we do”, leaving the question of “what can we do SAFELY” unasked.

Peter Buttler

Peter Buttler is a cybersecurity journalist and a tech reporter. He is the security consultant at PrivacyEnd. You can follow him on Twitter.

 

Security isn’t an accommodation since it requires being cautious and demands clients to be persistent about finding a way to look after weaknesses.
Cyber-security is complex in light of the fact that our life is never 100% perfect.

We can’t be a hundred percent secure – so the talk of security experts has yielded to a sentiment weakness among the 70%.
With new innovations like IoT, the security scene turns out to be more complicated, and organizations end up with new vulnerabilities and ‘fixing’ new security flaws in their IT foundation.

Driven by advertising powers to convey more highlights and determine more esteem, new technologies are designed each day, and old technologies are being utilized in new and fascinating ways.

From re-establishing indicates and organizing monitor firewalls and malware filtering, every coordination in cybersecurity protects your business and most importantly your clients.

 

Albert Ahdoot

Albert is the Business Development Director at Colocation America. He can be reached on Twitter.

Security isn’t an accommodation since it requires being cautious and demands clients to be persistent about finding a way to look after weaknesses.
Let’s state the obvious: the Internet is always changing. Everyday new technology is created while our current technology systems continue to evolve. The cyberworld, in itself, is a complex system; technology companies are creating new systems and features faster than ever before.

However, this “need for speed” approach is not always benefiting the client and/or business at hand. With the ever-changing landscape of the Internet, cyber attacks are becoming more frequent. Hackers are exploiting the cyber-security shortcuts taken by businesses needing to be the “first to adapt.”

By the time the business implements cybersecurity measures, the cyber attack has already happened, and the hackers have moved on. Cybersecurity is like a massive game of Cat & Mouse meets Whac-A-Mole—once you fix one issue, another pops up. No matter how secure your system is one minute, the next, it can be under attack.

To top it all off, there is a shortage of cybersecurity professionals. As we look to the future of the Internet, we must consider the players involved. While we encourage innovation in the fields of software development, we need to do the same in the realm of cybersecurity. After all, we, as individuals, are relying on technology more than ever to keep us safe – but who is going to keep us safe from our technology?

Thankfully, some businesses understand cybersecurity and its complexity. Let’s all hope businesses, small and large, are utilizing them (for all our sakes).

Harsh Agrawal

Harsh is the founder and CEO of an award-winning blog known as “ShoutMeLoud”. He`s an engineer by education and a blogger by profession. You can reach him on Twitter.

 

Some guys think that cybersecurity is as simple as affiliate marketing or blogging. After all, it’s just about providing safe methods for internet users to complete their online activities, right?

Well, not quite.

With more and more hackers trying to get hold of sensitive information and finding new, advanced ways to do it, you can never be at ease. It is crucial that people understand no one is safe, especially if they handle their personal information carelessly.

But even if users and companies do take care of the data, unfortunately, a breach occasionally happens.

I mean, do you really think that Equifax, Target, and so many other companies wouldn’t do anything to prevent the scandals that have happened in the past years?

It has to be complicated because the world wide web is such a complicated realm, nothing like people have ever known before.

So, it all boils down to being constantly on guard and finding new and innovative ways to be one step ahead of hackers and frauds.

Conclusion

We would like to thank all the people who participated in this expert roundup for taking the time to answer this question and provide the community with some necessary insights into the fascinating world of cybersecurity.

Do you have another perspective on why security is too complicated? Are you from a different background or feel the need to add to the topic?
We plan to keep this column updated, so if you want to contribute, drop us a line and let’s talk!