Automatic updates have greatest value proposition vs. attackers, says researcher
Jason Healey presents at Black Hat.
Of all the security technologies and initiatives introduced to deter and defend against cyberattacks, automatic updates have the best value proposition – creating the most positive and widespread impact at the least cost to practitioners, according to Columbia University researchers.
Senior research scholar Jason Healey, who serves on the New York Cyber Task Force at Columbia's School of International and Public Affairs (SIPA), detailed his team's findings at Black Hat today in an effort to convey which cybersecurity measures deliver the most bang for their buck.
Healey noted that since the dawn of the Internet, attackers have always had the economic advantage over those trying to stop them. But Healey's ongoing research project seeks to flip this script.
If the infosec community spends “x” dollars and time developing a new cybersecurity technology or policy, it has to cost the hackers trying to overcome these initiatives “ten x, a thousand x, even a million [x]. I'm not kidding,” said Healey, who is also a nonresident senior fellow for the Cyber Statecraft Initiative of the Atlantic Council. As it turns out, automated updates are right at the top of the list.
“To me this is the classic example of a one million x,” said Healey. “Think of the amazing payout that we've gotten. I bet it's at least a million x that we've gotten from that initial investment… to make sure that systems are easily patched.”
According to Healey, other security advances with high value propositions that have helped white hats gain back ground on the black hats include: cloud-based architecture, encryption, secure default configurations, mass vulnerability scanning and the Kerberos network authentication protocol.
Conversely, cybersecurity compliance efforts and the Wassenaar Arrangement – the multilateral export-control regime for conventional arms and dual-use goods, whose scope was extended to cover intrusion software – both have had terrible value propositions: they cost defenders far more than they cost attackers, who can carry out their attacks much as before, Healey noted.