Patching with Tech: Why Does It Fail to Fully Secure Business Cyber Systems?

To Patch or Not to Patch and to Patch with What? - That Is a Question

“Patching with technology”, to date, represents the most widespread way of dealing

with cybersecurity threats. A cybersecurity “patch” refers to a set or series of technological measures, changes or alterations of programming code, supporting data,

underlying algorithms, or programming system logic aimed at improving the system’s

security, fixing existing bugs, addressing vulnerabilities, and updating defense mechanisms. Technology-driven approach can be split into two main subcategories:

Reactive and Active. Reactive approaches are dealing with the problem of how to react

to a particular threat and how to prevent threats from happening by designing robust

systems which are difficult to infiltrate; whereas Active approaches address issues around designing mechanisms which allow to anticipate cybersecurity risk, effectively detect attacks, as well as mislead and catch adversaries.

Reactive Tech

Reactive technological tools currently represent the main frontier of cyberdefense. Since

most businesses outsource their cybersecurity issues to a range of large digital giants or

smaller and specialized cybersecurity companies, any discovered gap in the system (i.e.,

vulnerability) whether exploited or unexploited, is usually fixed by applying a technical

“patch”. For example, such “patches” are applied by Microsoft when companies spot

loopholes in the Microsoft Office or email systems. While technological patches are very

effective, the main issue is that they cannot be applied before the vulnerability is

discovered. Therefore, in many cases, patches are applied after the harm has already


1. Firewalls: physical and virtual

Firewall is another popular security measure. In the contemporary network security,

firewalls usually represent the first line of defense as they separate networks with

restricted access and valuable information or data from publicly accessible cyber spaces. While in the past it was rather obvious where firewalls were located in the cybersecurity architectures, contemporary systems allow for usage of firewalls which are not connected to the Internet-powered networks (i.e., “invisible” on the Internet). This creates an illusion that such firewalls are “unbreakable” or impossible to attack. It is certainly true that such measures as taking firewalls off the Internet make it more difficult to spot and compromise systems. Yet, it is important to remember that even the most sophisticated firewall, even if it is invisible on the Internet, offers only a temporary protection. In other words, while a firewall can definitely slow down a motivated adversary, if you have something very valuable to steal, it will not stop this adversary.

We have recently been called to consult a company, which suffered an unprecedented

breach of a “physical” firewall. While, for confidentiality reasons, we cannot describe the

particulars of this company’s cybersecurity architecture, we will, nevertheless explain the principle behind this firewall. Imagine that you have a highly secure building where you have two floors. Each floor operates a separate intranet network (not connected to the outside world) and there is a "physical firewall" in a sense that the two floors are

physically separated from each other and operate independent (unconnected) networks.

Therefore, in order to infiltrate the two networks, one has to physically go to a particular

floor and "plug" into the network. The building has very sophisticated entry requirement

and both floors are filmed 24-7. What if we told you that, despite all these precautions, it

was possible for adversaries (who are not malicious insiders) to infiltrate such a system?

This is what we mean when we say that firewall is only a temporary measure capable of

slowing down but not stopping the adversary.

2. Antivirus tech

Antivirus is also a popular measure which many companies as well as individuals believe

to protect them from malware. Yet, again, considering the level of sophistication with

which attacks are currently executed, it is highly unlikely that antivirus will offer you an

adequate protection. For example, if previously viruses were delivered to personal

computers using email attachments, currently, your computer can be infected by you

simply accepting a malicious calendar invite sent to you as a part of a spear-phishing


3. Multi-factor tech

Multi-factor authentication has recently become a new norm. When logging into your

email from a new device for the first time, you are usually asked to verify your identity

by typing in a code which is sent to you as a text message on your mobile phone. However, considering that mobile phones are also infiltratable, or keeping in mind that your mobile device can simply be stolen or hijacked, multi-factor authentication does not really offer a reliable defense. Although, by any standard, it is hard to disagree with the fact that adopting a multi-factor authentication does offer an additional layer of protection.

4. Back-ups

Back-ups are generally a good idea. However, it is important to remember that cloud back-ups can easily be accessed from a compromised device. Therefore, it is

important to keep several copies of your data files on an external drive or a CD not

connected to the Internet. It is also a good idea to encrypt those offline files. Zero-trust

refers to a security model where any attempt to access an organizational security system is treated as not trustworthy.

5. Zero trust solutions

Zero trust systems have recently gained momentum due to their “never trust, always verify” principle which implies having multiple checks of access and movement points. Yet, even such systems can be abused and loopholes for infiltration could be found. Finally, device solutions are also not the best way of dealing with cybersecurity problems. Speaking at a Cybersecurity Debate at the Alan Turing Institute in September 2018, Cal Leeming, formerly the youngest hacker prosecuted for cybersecurity crimes in the UK at the age of 12 and currently a cybersecurity consultant, maintained that Chromebooks were relatively secure compared to other devices. It is true, that Chromebooks are not very easy to compromise. However, by moving all your files

to Chromebook (i) you are placing all your security into the hands of Google and (ii) we

have recently seen a live demonstration from a White hat hacker who seemed to have

infiltrated and extracted valuable data from a Chromebook in a matter of minutes.

Active Cyber Defense solutions

Active Cyber Defense (ACD) technological solutions, unlike Reactive measures are

usually designed to proactively lure cybercriminals and mislead them to collect forensic

data on them as well as find out who they are. This is an exciting new direction in

cybersecurity. Yet, as Pete Cooper, a cybersecurity expert puts it, “ACD is not about

hacking back”. It is about a systematic approach to understanding the criminal mind.

Currently the most widespread methodology used for active cyber defense is the creation of a sophisticated net of the so-called “smart honeypots”, or traps, on the network which are intended to attract cybercriminals. The honeypots are usually machines on the network which look very attractive to an adversary but do not contain any valuable or interesting information and, most importantly, do not act as a gateway to anything important. By hitting these pre-set targets, cybercriminals waste their time and compromise their forensic data allowing the cybersecurity team to track them and, with luck, even identify them.

There are, however, several issues with this approach. First of all, engaging into active

cyber defense is not a route for all businesses. This path requires a great deal of “maturity” (i.e., understanding of the issue at a strategic level), resources, and technical capability from the organization. Second, recent advances in AI offer cybercriminals a variety of ways to detect honeypots on the system thereby destroying the whole purpose of honeypots being set up in the first place. Obviously, AI technology is available to both sides and several savvy businesses respond by using AI to set up the smart honeypot nets.

However, like any technological solution, it is only a matter of time before a motivated

set of adversaries will find a way to detect and avoid smart honeypots if the way in which they are set up is determined purely based on algorithmic logic. The reason for that is, if there is a purely mathematical logic behind setting up such systems, there is always a mathematical counter-logic which could be found to infiltrate them.

Takeways: from Patching with Tech to Patching with People

As we can see, technological solutions on their own are unlikely to solve cybersecurity

problems of businesses as they primarily focus on the Robustness goal, and it is next to

impossible to make the system robust. It is highly likely that despite all technology

available to an organization, sooner or later, highly motivated adversaries will find their

way in. Under these circumstances, it is important to shift the cybersecurity paradigm

from “patching with technology” to “patching with people” .

#cybersecurity #humanfactor #cyberattack #cyberthreat #cyberrisk #infosec #cybermindset #cyberculture #resilience #robustness


© 2020 by Ganna Pogrebna and Boris Taratine