Research

The Myth of Absolute Safety

Security is a complex discipline. It is not just about buying the right hardware, software, and policies, as important as these might be. Maintaining an organisation's security requires vigilance, continuous monitoring... and an acceptance that your security is not guaranteed.

First Published 15th August 2017

The Myth of Absolute Safety

You have been visited by Saftey Doggo. Your systems will be 100% secure for the next 24 hours.

4 min read  |  Reflare Research Team

In this briefing, we will take a look at common misconceptions and how security may be practically improved. Recurring breaches of banks, media giants, and crypto markets in the past weeks exemplify a major problem in information security: Nothing is absolutely safe.

Unfortunately, many organizations of all sizes fall into the trap of thinking that a specific policy or purchase has made them invulnerable to cyber-attacks. Oftentimes it is precisely this misplaced belief that leads to the subsequent breach.

Snake-Oil and Easy Answers

Information security is still a relatively young field of IT. However, over the past years, it has drastically increased in importance for most organizations. This leads to a lack of experts and skyrocketing costs as the new demand can not be adequately met by the available workforce. Unfortunately, this scenario is an ideal breeding ground for shady companies willing to over-promise on their products.

The first wave of such snake oil products took place in the early 2010s when dozens of vendors started offering web application firewalls to corporate customers promising that these would make them invulnerable to hacking attacks against web applications. The pitch was enticing. “For a fixed price the quality of your developers and overall security of your infrastructure becomes irrelevant.” Some vendors even went as far as promising monetary payouts in case their firewalls were breached.

Of course, these promises could not be kept. Leaving aside the glaring problem that attacks against web applications are merely a fragment of cyber attacks, even the most sophisticated web application firewalls can only act to slow down a dedicated attacker. The traditional and reasonable role of web application firewalls is to detect cyber attacks early and thus give security teams more time to react to the emerging threat.

As expensively bought but shoddily written and heavily marketed web application firewalls started failing, customers quickly discovered that the fine print of their sales contracts either relieved the vendor of any responsibility (which is the case for almost any serious information security product) or that the company promising monetary compensation had long since been disbanded or lead into insolvency.

Similar patterns keep repeating every year. Whether it is web application firewalls, “fully automated” security scanners, identity theft protection, “bulletproof” security standards or “hacking teams” promising to protect companies from the outside, scammers and snake oil peddlers continuously push simplistic, inadequate, and often expensive technical answers to the incredibly complex issue of good information security onto uninformed buyers.

Cost and Value

To judge the security of any given system, it is important to compare the value of hacking it to the cost of doing so. Cyber attacks have a cost in time, talent, opportunity, risk and actual money if information or exploits have to be acquired.

If a private food blog and multinational bank both have a cost-to-hack of USD 1m, the blog is secure but the bank is vulnerable simply because the value of hacking the bank easily exceeds the cost. To increase information security, it is thus critical to increase the cost of attacks. While products such as web application firewalls can play an important part in doing so, the rational combination of different tools will always be more effective in the long run.

For example, web application firewalls combined with well-trained incident response and monitoring teams present a very real hurdle to an attacker. Staff-wide training to raise awareness about the multitude of attacks targeting employees and end users is another example of measures that while initially expensive, reap tremendous increases in overall security in the long run.

Summary

In information security, as in almost all complex areas of the world, there are no silver bullets. Anyone telling you they have a definite solution is trying to scam you out of money. Organizations are advised to spend the time and money to understand the complex process of preventing cyber-attacks and building appropriate defence mechanisms.

Subscribe by email