Why Are Hackers Winning The Security Game?


A lot of people and companies get complacent and don’t believe the hackers are winning, but trust me they are. So we have to ask, why are hackers winning the security game? What’s putting them ahead of the security teams and CISOs inside organizations.

Why Are Hackers Winning The Security Game?

It’s an old story anyway, the Hackers always win in some way or another as they have less to lose (unless they get arrested, which is rare) they have more angles to attack, they can use more methods/tools/vectors and have no limits on how far they can go to get what they want (especially for high value targets).

Comfortable illusions about how security is working are crippling the ability of government and industry to fight the threat, a former member of the FBI’s netsec team has told the BSides San Francisco 2017 security conference.

Society is operating under the illusion that governments and corporations are taking rational choices about computer security, but the fact of the matter is that we’re drowning under a sea of false positive, bad management, and a false belief in the power of technology to save us.

“The government is very reactive,” said Jason Truppi, director of endpoint detection and response at security firm Tanium and a former FBI investigator. “Over time we’ve learned it wasn’t working – just being reactive, not proactive.”

Truppi said we need to puncture the belief that government and industry are working together to solve online threats. In reality, he says, the commercial sector and government are working to very different agendas and the result is a hopeless mishmash of confusing loyalties.

On threat intelligence sharing, for example, the government encourages business to share news of vulnerabilities. But the subsequent investigations can be wide-ranging and lead to business’ people being charged for unrelated matters. A result companies are increasingly unwilling to share data if it exposes them to wider risks.


The trap most government bodies and corporations fall into is being reactive rather than proactive about their security, which sadly in most part is human nature.

We tend to do something about abstract threats only after they have proven themselves to be tangible, which is why selling security services in unreglated industries is so hard – very few people are interested.

The fact of the matter is that companies don’t get their own infosec problems and don’t care that much. Truppi, who has now moved to the commercial sector, said that companies are still trying to hire good network security people, but bog them down in useless false alerts and management panics.

The biggest illusion in computer security is that firms, and government, know what they are doing, Truppi said.

Five years ago everyone assumed that big finance houses knew what they were doing to lock down bank accounts. Now they are playing catchup.

But at least banks are better than most, Truppi opined. Far too many companies think that if they have a disaster recovery plan in place then they’re sorted. But it doesn’t work that way.

We’re only at the start of the distributed denial of service attack stage, he said. We’re going to see major internet outages thanks to botnets of things taking down sections of the internet. How we deal with that will be a deciding factor.

I’d agree banks are better than most, but only because that industry is heavily regulated and security controls are mandated (like PCI DSS, ISO27001 etc) plus 3rd party pen-tests on a regular basis and so on.

In other industries? There’s no real reason for companies to invest heavily into security other than from a place of fear of loss/exposure and some very rudimentary understanding of what kind of threats are out there.

Not a good place to be. That’s the reality though and it’s exactly why the hackers will KEEP winning.

Source: The Register

Posted in: Countermeasures, Hacking News

,


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc


Comments are closed.