
The downside of cybersecurity overconfidence

Photo caption: First Assistant U.S. Attorney Tracy Wilkison announces charges against a North Korean national in a range of cyberattacks on September 6, 2018 in Los Angeles. The complaint included the cyberattack against Sony Pictures in 2014, the WannaCry 2.0 ransomware attack and the 2016 cybertheft from the central bank of Bangladesh. Today’s columnist, Corey ...

A recent IDG survey found that many IT managers believe their existing network security equals or surpasses their competitors’, with 48% rating their overall network security as “ahead of the curve.”

Not everyone can be ahead of the curve, so the data indicates that security teams are often overconfident in their security posture. That overconfidence exposes them to threats they have not planned for: gaps in visibility, misconfigurations, and blind spots. Add the risks of today’s shifting landscape, including remote offices, a distributed workforce and more connected endpoints than ever before, and this overconfidence can truly harm an organization.

So what causes this overconfidence? Many organizations, especially SMBs, presume they aren’t targets, thinking: “I only run a small business. I don’t have much intellectual property. Who would target me?” They don’t realize that even the smallest business has monetizable information, including customer PII or computing resources, both of which could serve as potential jumping-off points for larger attacks.

Companies also suffer from a lack of awareness and training. It’s the “you don’t know what you don’t know” scenario seen in many companies, particularly SMBs, which often lack the resources and expertise to secure a system effectively. When a business leaves cybersecurity to its single IT person, there’s often a huge gap in knowledge and training that the team isn’t even aware exists.

Additionally, this cybersecurity overconfidence can arise from thinking that firewalls and traditional AV are enough to protect a company’s assets. They’re not. Every firewall still has to let web and email traffic into the network, because the business runs on it, so companies need additional network security services that scan and defend that web and email traffic. Likewise, signature-based AV only stops known malware, and today’s malware is repackaged continuously to evade signatures. The business needs more proactive endpoint security controls, such as behavior-based detection and endpoint detection and response (EDR) solutions, that monitor for malicious software already running on the company’s computers.

But with this clear need for endpoint security controls, another issue arises with companies that rely solely on endpoint security. That also isn’t enough. Good network defense can help protect a business before threats even reach the endpoint. More importantly, many attackers and malware families such as WannaCry and Petya rely on lateral movement to infect a whole organization or to reach the real target system on a network. If the team designs a flat network without internal segmentation, attackers and malware can move around freely, wreaking havoc on any device in the organization. Instead, use modern firewalls or unified threat management appliances to segment the internal network physically or virtually (VLANs) according to trust: for instance, give each department its own network, and keep the most sensitive and important servers on a different network from ordinary user computers.

Beyond security controls, configurations also matter. Gartner has predicted that through 2023, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws. Modern IT infrastructure is easy to configure and harden, but that same ease means teams can accidentally make network services overly permissive. Many past breaches resulted from management portals that an administrator left open to anyone on the internet, creating unnecessary risk. Only allow access to these portals through secure mechanisms such as a VPN or a minimal source IP address control list. Again, the lack of cybersecurity expertise leads to poor practices and overconfidence.
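The two configuration mistakes discussed above, a flat internal network and a management interface exposed to the internet, are both mechanical enough to check for. The following audit is an added example written for this column, not a WatchGuard or Gartner tool; the rule format, zone names, addresses and port lists are a simplified hypothetical policy rather than any vendor’s syntax. It flags internet-reachable admin ports, any-port rules between internal zones, and workstation-to-workstation lateral-movement ports, then shows the same policy expressed with least privilege.

```python
"""Audit a zone-based firewall policy for a flat internal network and for
management interfaces reachable from the internet.

Added example; the rule format, zone layout and port lists below are a
hypothetical simplified policy, not any vendor's syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

# Constructed zone layout: one subnet per trust level (user VLAN, servers,
# a management network, and the VPN address pool).
ZONES = {
    "internet": ANY,
    "users": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "mgmt": ip_network("10.99.0.0/24"),
    "vpn": ip_network("10.200.0.0/24"),
}
# Hypothetical port lists: admin services that should never face the internet,
# and the RPC/SMB/RDP/WinRM ports worms and attackers use to move laterally.
MGMT_PORTS = {22, 23, 3389, 5900, 8443, 10000}
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any port
    action: str            # "allow" or "deny"


def zone_of(net: IPv4Network) -> str:
    """Return the most specific configured zone containing net."""
    best = "internet"
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and zone.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


def audit(rules):
    """Return (rule_index, finding_code, message) for each risky allow rule."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == "internet":
            # Anything into the management zone, or an admin port anywhere,
            # must not be reachable from arbitrary internet sources.
            if d == "mgmt" or r.dport is None or r.dport in MGMT_PORTS:
                findings.append((i, "MGMT_EXPOSED",
                                 f"{r.dst} port {r.dport or 'any'} reachable from the "
                                 f"internet; restrict to the vpn zone or a short allowlist"))
        elif d != "internet":
            if r.dport is None:
                findings.append((i, "FLAT_NETWORK",
                                 f"{s} -> {d} allows every port; list the needed services"))
            elif s == d == "users" and r.dport in LATERAL_PORTS:
                findings.append((i, "LATERAL_PATH",
                                 f"workstation-to-workstation port {r.dport} allowed in "
                                 f"{s}; clients have no reason to serve each other"))
    return findings


# Constructed policy with the mistakes the column warns about.
WEAK_POLICY = [
    Rule(ANY, ip_network("10.20.0.10/32"), 443, "allow"),    # public web server: fine
    Rule(ANY, ip_network("10.99.0.1/32"), 443, "allow"),     # firewall admin UI open to all
    Rule(ANY, ip_network("10.20.0.10/32"), 22, "allow"),     # SSH on the web server from anywhere
    Rule(ZONES["users"], ZONES["servers"], None, "allow"),   # users reach servers on every port
    Rule(ZONES["users"], ZONES["users"], 445, "allow"),      # workstation-to-workstation SMB
    Rule(ANY, ANY, None, "deny"),
]

# The same intent with least privilege: admin access only over the VPN,
# named services between zones, no client-to-client SMB.
HARDENED_POLICY = [
    Rule(ANY, ip_network("10.20.0.10/32"), 443, "allow"),
    Rule(ZONES["vpn"], ip_network("10.99.0.1/32"), 443, "allow"),
    Rule(ZONES["vpn"], ip_network("10.20.0.10/32"), 22, "allow"),
    Rule(ZONES["users"], ip_network("10.20.0.20/32"), 445, "allow"),  # the file server only
    Rule(ZONES["users"], ZONES["servers"], 443, "allow"),
    Rule(ANY, ANY, None, "deny"),
]

if __name__ == "__main__":
    for idx, code, msg in audit(WEAK_POLICY):
        print(f"rule {idx}: {code}: {msg}")
    print("hardened policy findings:", audit(HARDENED_POLICY))
```

The point of keeping the hardened policy next to the weak one is that the audit is only as good as its port lists and zone map; a real deployment would populate those from the firewall’s own object definitions rather than the hypothetical constants used here.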

Additionally, many IT teams adopt disparate point solutions, “piecemealing” their security infrastructure. Unaware of the benefits of an integrated, multilayer approach, they may not realize that a mix of products from multiple vendors that don’t share data leaves huge gaps in visibility and leaves doors wide open to attack.

To address this false sense of security, examine the company’s complete security posture and decide how well the solutions are working together. Suppose the IT-security team constantly shifts from one interface to another, constantly being trained on new vendors and products and wasting time dealing with a disparate mix of security solutions. In that case, consider a unified approach. This will offer more visibility and clarity, helping to close the gaps in security postures based on disparate solutions. A good, unified platform will not only aggregate logs and management of all these security controls, it will also correlate data between different layers to help find and remediate potential threats a single control may not have discovered.
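What cross-layer correlation buys you is easiest to see on logs. The block below is an added example written for this column, not the logic of any product; both log formats and every host, address, and process name in it are constructed. A firewall sees one workstation denied on TCP/445 (the SMB port WannaCry spread over) to a handful of neighbours, and an EDR agent sees a behavioral alert on the same machine a minute earlier. In separate consoles each is a low-priority event; joined by host and time they describe an attempt at lateral movement.

```python
"""Correlate firewall and EDR events that each look minor on their own into
one lateral-movement incident.

Added example, not a product's logic. The log formats, hosts, addresses and
alert names are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: one workstation probing neighbours on TCP/445 and
# being denied by the segmentation policy, plus one unrelated deny.
FIREWALL_LOG = """\
2021-03-01T09:12:01Z fw01 action=deny src=10.10.5.23 dst=10.10.5.40 dport=445
2021-03-01T09:12:01Z fw01 action=deny src=10.10.5.23 dst=10.10.5.41 dport=445
2021-03-01T09:12:02Z fw01 action=deny src=10.10.5.23 dst=10.10.5.42 dport=445
2021-03-01T09:12:02Z fw01 action=deny src=10.10.5.23 dst=10.10.5.43 dport=445
2021-03-01T09:12:03Z fw01 action=deny src=10.10.5.23 dst=10.10.5.44 dport=445
2021-03-01T09:30:10Z fw01 action=deny src=10.10.7.8 dst=203.0.113.5 dport=25
"""

# Constructed EDR log: a behavioral alert on the same workstation a minute
# earlier, and an unrelated alert on another host hours later.
EDR_LOG = """\
2021-03-01T09:11:40Z edr host=WS-0523 ip=10.10.5.23 alert=office_spawned_unsigned_binary
2021-03-01T15:02:00Z edr host=WS-0708 ip=10.10.7.8 alert=office_spawned_unsigned_binary
"""

FANOUT_THRESHOLD = 5                      # distinct SMB targets within FANOUT_WINDOW
FANOUT_WINDOW = timedelta(minutes=1)
CORRELATION_WINDOW = timedelta(minutes=15)  # how close two layers' signals must be


def parse(log, source):
    """Turn 'timestamp sensor k=v k=v ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, _sensor, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["source"] = source
        events.append(ev)
    return events


def smb_fanout_signals(fw_events):
    """Network-layer signal: one source denied to many distinct 445 targets."""
    by_src = defaultdict(list)
    for ev in fw_events:
        if ev["action"] == "deny" and ev["dport"] == "445":
            by_src[ev["src"]].append(ev)
    signals = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= FANOUT_WINDOW]
            targets = {e["dst"] for e in window}
            if len(targets) >= FANOUT_THRESHOLD:
                signals.append({"ip": src, "ts": first["ts"], "layer": "network",
                                "detail": f"denied SMB to {len(targets)} hosts"})
                break
    return signals


def edr_signals(edr_events):
    """Endpoint-layer signal: every behavioral alert, keyed by the host's IP."""
    return [{"ip": e["ip"], "ts": e["ts"], "layer": "endpoint", "detail": e["alert"]}
            for e in edr_events]


def correlate(signals):
    """Raise an incident when signals from two different layers hit the same
    IP within CORRELATION_WINDOW of each other."""
    by_ip = defaultdict(list)
    for s in signals:
        by_ip[s["ip"]].append(s)
    incidents = []
    for ip, sigs in by_ip.items():
        sigs.sort(key=lambda s: s["ts"])
        for i, a in enumerate(sigs):
            near = [b for b in sigs[i:] if b["ts"] - a["ts"] <= CORRELATION_WINDOW]
            if len({b["layer"] for b in near}) >= 2:
                incidents.append({"ip": ip, "layers": {b["layer"] for b in near},
                                  "start": a["ts"], "evidence": [b["detail"] for b in near]})
                break
    return incidents


def run():
    fw = parse(FIREWALL_LOG, "firewall")
    edr = parse(EDR_LOG, "edr")
    return correlate(smb_fanout_signals(fw) + edr_signals(edr))


if __name__ == "__main__":
    for inc in run():
        print(inc["ip"], sorted(inc["layers"]), inc["evidence"])
```

The host at 10.10.7.8 produces an EDR alert but no network signal, so it stays a single-layer event for an analyst to triage, while 10.10.5.23 is escalated. The join key here is the IP address; in a real environment the platform has to reconcile IPs against DHCP or agent inventory, which is exactly the kind of work disparate consoles leave to the analyst.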

Security pros are typically skeptics, so adopt that mindset and think like an attacker. Stay suspicious of unusual emails, communications, and files, and of anything that appears out of the norm. This skepticism will help the team recognize certain threats before they do damage. Most important, remain skeptical of the company’s own defenses. Have they been tested empirically? If not, what justifies the confidence? A small dose of skepticism lets the team actually prove that the defenses put in place work. That earns a little confidence, but keep the skeptical mindset.

Taking these tips into account and focusing on training users can do wonders to avoid falling into the traps set by overconfidence in the company’s cybersecurity posture.

Corey Nachreiner, chief security officer, WatchGuard Technologies
