Seeking the Root Causes of Cyber Insecurity, Part I

First in a series of articles about the underlying factors that affect security posture

Can the elephant ever be so big we’re not even aware it’s in the room? In cybersecurity today, it feels like the elephant is the room. Consider the following: The world spends $134 billion a year on cybersecurity (a figure projected to grow to near a quarter of a trillion dollars in five years) and employs thousands of brilliant minds—only to suffer devastating breaches on a nearly constant basis. How could this be happening? How is it that the bad guys are always a few steps ahead of us, despite this immense investment of money and brainpower?

After asking these questions to hundreds of industry veterans, a persistent theme emerged: The technologies we are trying to protect were built with innate security flaws. This is almost always by accident, though sometimes laziness and greed are also to blame. The end result is the same, however. It’s extremely difficult to defend a digital asset that was built without security in mind.


The Cyber Insecurity Root Cause Survey

To test this hypothesis, I conducted a small survey of industry experts. I asked three questions that seek to identify the root causes of poor security posture. My panel consisted of 46 experts. This is not a statistically significant sample. However, in my view, it’s large enough to reveal the general direction of industry thinking on these matters. The following is a summary of the answers.

Question 1: “What factors are inhibiting industry solutions from providing the best protection for users?” The survey respondents were asked to rate the impact of four factors: User experience level and training, security budget constraints, security policy deficiencies, and inherent security problems in the technology being protected, e.g. operating system vulnerabilities, poorly-designed system architecture or network anonymity. For each factor, respondents assigned a rating that ranged from “no impact at all on security” to “an extremely serious factor affecting security.”

As the chart shows, the biggest proportion (50%) of experts chose inherent security problems as being an extremely serious factor affecting security. Eighty-two percent of respondents ranked inherent security problems as either a major or extremely serious factor affecting security. This was the highest percentage, followed by user experience level and training, which 80% of respondents ranked as a major or extremely serious factor.


Question 2: On a scale of 1 to 5, where 1 means “I completely disagree” and 5 means “I totally agree,” to what extent do you agree with the following statement: “Security vulnerabilities are inadvertently designed into digital technology, making it difficult to protect.”


The experts surveyed tended to agree with the idea that security vulnerabilities are accidentally designed into the technologies they are charged with protecting. Almost 37% totally agreed. Forty-three percent rated the issue a 4 on a scale of 1-5, in terms of agreement. Only four percent completely disagreed.


Question 3: Please rank, in order of impact, the following factors that affect security posture: Cyber threats, cyber defenses, built-in security flaws in the digital assets being defended.


The highest proportion of survey respondents, over 47%, ranked built-in security flaws as the number-one factor affecting security posture. Twenty-eight percent ranked cyber defenses number one. Twenty-two percent assigned the top ranking to cyber threats. As the chart reveals, all three are important. Threats and defenses are also serious factors in security posture. However, the ranking shows how significant industry experts feel built-in security flaws can be in affecting security.


Expert Insights into the Root Causes of Poor Security Posture

The survey respondents shared their insights into the root causes of cyber insecurity. Rene Kolga of Nyotron felt the “asymmetry of the approach” was to blame. He said, “Attackers are creating attacks. Defenders are studying those attacks. Defenders build up defenses… then repeat the process. With this approach defenders are and will always be behind.”


The design of the Internet itself stood out to Jason Kent of Cequence Security, who remarked, “I’ve heard it said that most of the Internet is someone’s abandoned master’s degree project.” The half-baked architecture of the Internet allows for unauthenticated connections and unverified input to exposed endpoints, according to Yael Citro of Odo Security. “It could lead to logical flow vulnerabilities or memory corruptions in applications,” she said. Richard Blech of Secure Channels similarly voiced a concern that the Internet was “allowing far too much access to data from unnecessary apps or services.”


Passwords, VPNs and Cryptography

“The most frustrating kinds of vulnerabilities are self-inflicted wounds,” explained Mike Jordan of The Santa Fe Group. For him, “Password authentication, especially with dumbed-down requirements, are designed into software because we have not yet evolved the culture past it.” Craig Lurey of Keeper Security felt recent flaws in VPN hardware and software make it very difficult for companies to defend themselves. “They rely on these core technologies,” he said. Keyfactor’s Mark Thompson framed the issue in terms of cryptography. He said, “Management of cryptographic keys, and the lack thereof, is the largest contributor to cyber security issues by far.”

Deficiencies in testing

Other experts surveyed pointed to testing as a root cause of cybersecurity troubles. Craig Lurey shared that the “lack of adequate and large-scale security vulnerability testing by third-party and internal teams is the primary cause, in my opinion.” Tom Garrubba of Shared Assessments expressed the view that security would only come from “performing consistent and constant penetration tests against network, systems, application, and database code.”

APIs as a root cause of insecurity

The structure of modern software applications themselves comprises a built-in vulnerability, according to survey respondents who are well-versed in the risks of Application Programming Interfaces (APIs). “Companies need to become aware of the new attack surfaces and threat models that emerged from modern application architectures,” said Dmitry Sotnikov of 42Crunch. He added, “Security can no longer be treated as an afterthought. Instead, security should be ‘shifted left’ and become an inherent part of systems design and evolution: through education, tooling, policies, and DevSecOps automation.”

Isabelle Dumont of Cowbell Cyber echoed this sentiment, commenting that “APIs with no proper authentication and forced encryption” were a root cause of security weakness. Sotnikov further noted, “The fundamental issue that companies need to realize today is that there is no longer a clear-cut boundary between safe internal environment and unsafe external one. Systems became massively disaggregated. Instead of a relatively small number of relatively monolithic applications, we are building applications in which all components are microservices, that are hosted in various clouds, that invoke 3rd-party services, and that have rich web- and mobile clients and devices. This has fundamentally changed the nature of the web.” He cited Gartner, which predicts that APIs will become the number-one attack vector by 2022.


Subsequent articles in this series will share further expert insights into the root causes of cyber insecurity. Stay tuned for discussions of innate security weaknesses arising from authentication, IT department management and organization, people issues, product design flaws and software development practices.