Cybersecurity professionals are battling the same old problems as systems get more complex, further complicating security, a group of executives said last week on a concluding panel at Black Hat USA in Las Vegas.
Deep-rooted problems show no signs of letting up and it’s hard to imagine levels of complexity reaching a peak, said Chris Eng, chief research officer at Veracode.
This widely held view that things are going to get worse before they get better, if at all, pops up frequently, backed by recent experiences and hard data.
Phishing attacks recently targeted employees at Cisco, Cloudflare and Twilio, the latter of which spread fallout to at least 125 downstream customers. And the unrelenting pace of vulnerability discoveries and patches has become a chronic dilemma for cybersecurity professionals.
Software vulnerabilities accounted for nearly half of all cases of initial access used by threat actors to deploy ransomware during the last year, according to Palo Alto Networks’ Unit 42.
While changes in front-end frameworks or programming languages can reduce the frequency of common mistakes, the development of new languages and frameworks is creating entirely new ecosystems and additional complexity as a result, Eng said.
Some of these challenges are manifesting in different ways as they apply to new technology, but the cybersecurity community needs to be quicker at adapting the lessons it has already learned collectively, he said.
“We already know about basic secure coding issues. We know what things to do in large part, and they’re just not getting done,” Eng said. “So, good job security.”
That discouragement met bits of sarcasm as he and other panelists held court with beers in hand to mark the event’s conclusion.
Misguided focus among cybersecurity professionals is partly to blame, the experts said.
The industry is so focused on endpoints that it’s missing actual problems and neglecting the need to address the motivations of attackers, according to Matt Suiche, director of memory and incident response research and development at Magnet Forensics.
Despite all of these problems, and there are many, Natalie Silvanovich, security researcher at Google, remains optimistic.
Much of the complexity in systems is unnecessary, and she’s confident people will eventually acknowledge the impact this has on security and make proper adjustments.
Silvanovich said she’s inspired and emphasized the need for a positive perspective. “I think everyone should keep at it,” she said. “I think one day we are going to solve these problems or at least make a lot of headway.”