The Sky Isn't Falling in IT Security, as Some Might Suggest

NEWS ANALYSIS: The long-held saying that "if it bleeds, it leads" holds true for information security reporting, but it really shouldn't. By Sean Michael Kerner Reporting on cyber-security can be a somewhat depressing endeavor—given the seemingly endless onslaught of exploits, breaches and statistics that preach doom and gloom on

NEWS ANALYSIS: The long-held saying that "if it bleeds, it leads" holds true for information security reporting, but it really shouldn't.

By Sean Michael Kerner

Reporting on cyber-security can be a somewhat depressing endeavor—given the seemingly endless onslaught of exploits, breaches and statistics that preach doom and gloom on a daily basis. The truth, however, is that modern cyber-security is not all darkness.

Many have long heard the adage in journalism that "if it bleeds, it leads," and all you have to do is watch the nightly news to see that's true in 2015. In information security, the same is true; the big breaches, the zero-day exploits, the large statistics that claim high levels of security weakness often crest at the top of the major news aggregators and social media, as well.

My own inbox is assaulted on a regular basis with all manner of security claims, each one more outlandish than the next. Often, those claims are based on statistically insignificant surveys or vulnerabilities that, quite simply, are not exploitable.

Related: How Cloud is Getting Security Right

That doesn't mean that there aren't vulnerabilities that are hyped and are actually exploitable. Case in point is the 2014 Heartbleed vulnerability, which eWEEK first covered before it was branded as Heartbleed and known as an OpenSSL Heartbeat flaw. In that case, an attacker was able to quickly make use of the flaw in Canada and was also promptly arrested.

Although there are certainly challenges in technology security today, the reality is that 2015 is much more secure than, say 1999. Back then, when the Melissa virus hit, many IT system administrators (myself included) were clueless and just didn't know what to do. In my own case, I pulled the Ethernet plug from the main Internet router in the server closet, as I had no other tools to stop the flood.

Today, it's a very different world. While information security is far from being a solved problem, there are, however, solutions in place for many problems. Operating system vendors have improved technologies, and security vendors have made billions from selling products that aim to protect organizations and their users. Perhaps more importantly, though, is that in 2015, there is a really solid understanding in the security research community of how exploits work and how to prevent them.

A few new classes of vulnerabilities in software have been reported in recent years, but what seems to be the case is that there are a number of persistent types of vulnerabilities that continue to reoccur. One such class of vulnerability is SQL injection, which enables a criminal to attack a database and potentially breach an organization's information. In the case of SQL injection, there are known defenses and best practices, which often boil down to making sure that all inputs are validated.
In the case of use-after-free (UAF) memory errors, which seem to continue to be common in Web browsers and in Web plug-in software like Adobe Flash, there is also a light at the end of the tunnel. Hewlett-Packard has done a lot of research to help prevent UAF errors, and that will improve security.

Related: Challenges to Stay Secure in the Era of Digital Business

There are many other areas for security optimism, where once-pervasive threats have become non-issues. One such example is Oracle's Java, which in 2014 was the scourge of information security, representing 91 percent of attacks. In 2015, Java's story is very different, with almost no zero-day exploits and a much stronger security posture.

If security technologies are improving, why then are organizations still being exploited?

The answer to that has much to do with patching and configuration. While zero-day exploits do occur, exploit kits typically only target known exploits and are effective against unpatched systems. There is reason for optimism on that front, too.

There are an increasing number of technologies with auto-updating and patching built in, including the popular WordPress content management system, which has been providing users with automatic updates since late 2013.

Many high-profile attacks also tend to involve some form of password theft and/or privilege escalation, both of which are attack types that are now also well-understood. With passwords, many modern Web applications and systems now support two-factor authentication systems, which provide an additional layer of protection. When it comes to privilege escalation attacks, user-behavior-based platforms and technologies are now entering the market, including Microsoft's Advanced Threat Analytics.
Often, many security statistics reports will lead with claims that some number of users or organizations are at risk from something, and that can sometimes be news.

Related: Security in the Age of Digital Transformation

However, what isn't news is when organizations aren't hacked and exploited. That's the theme of a really thoughtful new IBM security video that attempts to make light of the fact that not being hacked can be news, too.

For the first time, there are now also the beginnings of guarantees in security, which is something that hasn't existed before, either. WhiteHat Security, for example, now offers its customers a refund if they are hacked. WhiteHat founder Jeremiah Grossman wouldn't be doing that unless he was confident that he wouldn't have to give refunds to refund customers, as he knows that security can, in fact, be done properly and effectively.

Organizations in 2015 are being breached, and vulnerabilities in software exist and continue to be found. Chicken Little's proverbial "sky," however, is not falling, and technology can, in fact, be used securely. While often technology seems to be stuck in a dark tunnel of insecurity, there is a light at the other end.

comments powered by Disqus

What's New