An insightful “hacker’s view” of cybersecurity.
RSA Conference program chair Hugh Thompson, Ph.D., recently introduced “Hackernomics,” a social science involving the description and analysis of attacker motivations, economics, and business risk, characterized by “five fundamental immutable laws.”
At a recent RSA Conference, Dr. Hugh Thompson presented a “hacker’s view” summary of the dynamics of cybersecurity. Dubbed “five fundamental immutable laws,” he surveyed the root causes of security breaches and the methods used to exploit weaknesses. These laws—while they may not necessarily be immutable—do have one very compelling feature in common: they all address the human endpoint. Here they are—with a little illumination:
1. Most attackers aren’t evil or insane, they just want something. In the fulfilment of those wants, cybercriminals seek out the weakest, easiest targets. And guess what? They’re not the targets you’ve spent untold thousands of dollars to protect. Not when you may be the path of least resistance attackers are looking for.
2. Security isn’t about security. It’s about mitigating risk at some cost.
Privacy pioneer Richard Purcell agrees, explaining, “When people talk about security they’re really talking about managing risk, whether applied to physical assets, financial assets, or anything else that is subject to theft or fraud.” Thompson, though, points out a potential danger in this view, as security professionals can tend to focus on risks that “are either familiar or recent.” In other words, the danger is putting all the effort into the technology aspects of risk and ignoring the people factor.
3. Most costly breaches come from simple failures, not from attacker ingenuity.
“Insider risk”—even the non-malicious variety—is a terrific source of trouble. It turns out a little ignorance goes a long way: Dr. Larry Ponemon found that uninformed employee or contractor negligence is the leading cause of non-malicious breach incidents. Notwithstanding such insider “help,” Thompson adds, “The bad guys can still be VERY creative when properly incentivized.”
4. In the absence of security education or experience, we naturally make poor security decisions with technology. What’s more, bad training can be as bad—or worse—than no training at all. But who can blame you? This is really more of a failure of the executive team to recognize the crucial importance of instilling security competence in every single employee. After all, your vital information assets are in their hands.
5. Attackers usually don’t get in by cracking some impenetrable security control; they look for weak points like trusting employees. That pretty much sums it up. When you shore up those weak points, everything else will work so much better. A security-aware workforce creates the kind of culture cybercriminals will skip for easier, happier hunting grounds.