Detecting and Protecting: Why Security Incidents Keep Surprising Us

Why are we so bad at detecting and protecting against security incidents?

Attackers need only find a single flaw that will allow them to gain entry to a system. Those who defend that system, on the other hand, have to think of every possible avenue an attacker might use. Logic dictates that this is simply not possible.

In fact, only 45% of the healthcare organizations sampled for our annual report were considered to have any level of maturity by NIST CSF standards. If we were better at detecting security incidents, we would also be better at preventing them. So why do we struggle so much with something that seems so simple? One need not look too far to see other examples of how security is difficult to measure and monitor.

Looking Back

Before we dive into the problems we are struggling with currently, we should really take a brief look into the past. Our mishaps are not something new and are often more closely tied to human nature than poor performance. History is full of failed efforts to secure a site or piece of data (even if on paper), and attackers are still able to find a way to infiltrate protective measures despite herculean efforts and virtually limitless resources.

Since as far back as recorded history goes there have been criminals who are more than willing to take advantage of human nature. Therefore, until we have developed “Minority Report” style pre-crime detecting technology, we will have to settle for vigilance and relying on a combination of human efforts and technology to find the bad guys before they can do too much damage.

Can We Do Better?

When I first started working in IT, most workers had a desktop with Windows XP connected to the local intranet and the internet, which was more than many of them had at home. At this time, most mobile phones were still “dumb” phones that took terrible pictures and lacked the plethora of apps and functionalities available today. However, we still struggled to keep tabs on the comparatively limited number of connected systems. Inventories have always been a major sticking point for enterprises, and the exponential growth in size and scope of the modern enterprise network is making it that much harder.

Today the landscape of an enterprise’s intranet is significantly different. For starters, there are many times more systems connected, many of which are portable. Each user has at least a laptop and a mobile phone that is more powerful than the desktops that were issued a decade ago. Many users have other devices assigned to them that are also endpoints: printers, VoIP phones, tablets, medical devices and a plethora of other IoT devices.

Not only are there exponentially more systems to track and manage, but speeds, processing power, and storage have also grown exponentially – meaning there is significantly more data to manage. Many large enterprises have begun to keep all data that is of any importance to their business forever. When memory was expensive, backups had a lifecycle that led to them eventually going away. Now, every bit of data can be saved in massive cloud-based storage systems.

Accept Reality

All of these things are absolute signs of growth and improvement. However, this rapid growth has led to many of the issues discussed above. Fortunately, we have a lot of great minds working on these problems, and the people in charge (i.e. the ones with the money) are taking notice of the need to get our arms around this.

The modern attacker is capable of attacking the variety of different types of endpoints in many different ways. There are new vulnerabilities and methods of attack being developed every day. Because of this, even the most confident forensic security specialist would be hard-pressed to say for certain that a system is or is not compromised. There are so many variables that it is impossible to say with certainty that no one has attacked and/or compromised the system(s) in question.

We need to accept that we cannot stop all the attacks and threats, while also working hard to secure what we can. Some of the most important steps that an organization can take are:

  • Keeping thorough inventories
  • Patching systems
  • Segmenting less trustworthy systems onto separate virtual networks
  • Educating your users, admins, and patients

Even though history has shown us that security is hard, it also shows it is possible to better secure our systems and data. This is only possible when we are willing to accept reality and spend the time and money preparing for attacks instead of only trying to prevent them.

May 31st, 2018

About the Author:

John Nye
John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).