This post has been brewing for some time. I decided for sure to write it after digesting the press fallout from the most recent series of vulnerability research trade shows, colloquially known as hacker summer camp. With RSA behind us and CFP season beginning, I think this topic is ready for some discussion.
Can We Please Just Stop the Cyber Threat Hype Cycle Already?
A couple of the cyber threats that were announced at these events—with much fanfare—seemed to be more about self-promotion on the part of the researchers than any legitimate threat. The issue I have with this trend is that over-hyping contrived or improbable vulnerabilities is causing the security industry to lose focus, and thus potentially hampering our forward progress.
For example, one widely reported hack from DEF CON was the first-ever ransomware for a smart thermostat. I agree that it’s worthwhile to raise awareness among users and manufacturers about Internet of Things (IoT) device vulnerabilities. But this particular hack requires someone with physical access to the device to actually put malware on it. And then what? It’s a thermostat. If you don’t want to pay the ransom, just disconnect it and go grab another one at the nearest hardware store.
What I call the “cyber hype cycle” is going over the top lately—and I know I’m not alone in this view. Take Bruce Schneier’s cyber threat Movie-Plot Contest, which diffuses the hype by poking fun at it.
The problem is that if we’re focused on sexy-but-implausible hype-hacks, we’re probably spending less time discovering and addressing vulnerabilities that present actual, real-world risks in our environments right now.
A case in point is the recent massive Internet outage, in which droves of IoT devices like CCTV video cameras and digital video recorders were enlisted. Many of these devices were hacked with ease by automated malware because they had hard-coded default passwords. Compare the magnitude of that cyber threat with widely publicized but unexploited vulnerabilities pertaining to a smart thermostat model that has sold something like 50 units in the US.
I’m not trying to belittle the vital importance of security research in helping expose flaws so that we can all make better decisions about what products to buy and how to deploy them. Not to mention alerting manufacturers to vulnerabilities in their devices and helping put market pressure on them to build security in from the start.
But hyping some of these titillating hacks as “the next big thing” in cybercrime does us all a disservice. Basic security hygiene—things like patching, network segregation and access control—aren’t very sexy. But they’re effective in thwarting cyber attacks.
Until basic security issues no longer exist in your environment, this is where you need to put your focus. I don’t have to be a nation state assailant to own your network when there’s an eight-year-old vulnerability like MS08-067 on it.
To start a conversation with industry experts on how to get your InfoSec house in order (and yes, that includes cyber threats posed by IoT devices), contact Pivot Point Security.