To Patch or Not to Patch and to Patch with What? - That Is a Question
“Patching with technology”, to date, represents the most widespread way of dealing with cybersecurity threats. A cybersecurity “patch” refers to a set or series of technological measures, changes or alterations of programming code, supporting data, underlying algorithms, or programming system logic aimed at improving the system’s security, fixing existing bugs, addressing vulnerabilities, and updating defense mechanisms. The technology-driven approach can be split into two main subcategories: Reactive and Active. Reactive approaches deal with the problem of how to react to a particular threat and how to prevent threats from happening by designing robust systems which are difficult to infiltrate, whereas Active approaches address the design of mechanisms which allow an organization to anticipate cybersecurity risk, effectively detect attacks, and mislead and catch adversaries.

Reactive technological tools currently represent the main frontier of cyberdefense. Since most businesses outsource their cybersecurity to a range of large digital giants or smaller, specialized cybersecurity companies, any discovered gap in the system (i.e., a vulnerability), whether exploited or unexploited, is usually fixed by applying a technical “patch”. For example, such “patches” are applied by Microsoft when companies spot loopholes in Microsoft Office or email systems. While technological patches are very effective, the main issue is that they cannot be applied before the vulnerability is discovered. Therefore, in many cases, patches are applied after the harm has already
1. Firewalls: physical and virtual
The firewall is another popular security measure. In contemporary network security, firewalls usually represent the first line of defense, as they separate networks with restricted access and valuable information or data from publicly accessible cyberspace. While in the past it was rather obvious where firewalls were located in a cybersecurity architecture, contemporary systems allow the use of firewalls which are not connected to Internet-facing networks (i.e., “invisible” on the Internet). This creates an illusion that such firewalls are “unbreakable” or impossible to attack. It is certainly true that measures such as taking firewalls off the Internet make it more difficult to spot and compromise systems. Yet it is important to remember that even the most sophisticated firewall, even if it is invisible on the Internet, offers only temporary protection. In other words, while a firewall can definitely slow down a motivated adversary, if you have something very valuable to steal, it will not stop that adversary.
We have recently been called to consult for a company which suffered an unprecedented breach of a “physical” firewall. While, for confidentiality reasons, we cannot describe the particulars of this company’s cybersecurity architecture, we will nevertheless explain the principle behind this firewall. Imagine that you have a highly secure building with two floors. Each floor operates a separate intranet (not connected to the outside world), and there is a “physical firewall” in the sense that the two floors are physically separated from each other and operate independent (unconnected) networks. Therefore, in order to infiltrate the two networks, one has to physically go to a particular floor and “plug” into the network. The building has very sophisticated entry requirements, and both floors are filmed 24/7. What if we told you that, despite all these precautions, it was possible for adversaries (who are not malicious insiders) to infiltrate such a system? This is what we mean when we say that a firewall is only a temporary measure, capable of slowing down but not stopping the adversary.
2. Antivirus tech
Antivirus is also a popular measure which many companies, as well as individuals, believe protects them from malware. Yet, again, considering the level of sophistication with which attacks are currently executed, it is highly unlikely that antivirus will offer you adequate protection. For example, whereas previously viruses were delivered to personal computers via email attachments, today your computer can be infected simply by accepting a malicious calendar invite sent to you as part of a spear-phishing
3. Multi-factor tech
Multi-factor authentication has recently become the new norm. When logging into your email from a new device for the first time, you are usually asked to verify your identity by typing in a code which is sent to you as a text message on your mobile phone. However, considering that mobile phones can also be infiltrated, or that your mobile device can simply be stolen or hijacked, multi-factor authentication does not really offer a reliable defense. That said, it is hard to disagree that adopting multi-factor authentication does offer an additional layer of protection.
4. Back-ups
Back-ups are generally a good idea. However, it is important to remember that cloud back-ups can easily be accessed from a compromised device. Therefore, it is important to keep several copies of your data files on an external drive or a CD not connected to the Internet. It is also a good idea to encrypt those offline files.
5. Zero trust solutions
Zero trust refers to a security model where any attempt to access an organizational system is treated as not trustworthy. Zero trust systems have recently gained momentum due to their “never trust, always verify” principle, which implies multiple checks at access and movement points. Yet even such systems can be abused, and loopholes for infiltration can be found. Finally, device solutions are also not the best way of dealing with cybersecurity problems. Speaking at a Cybersecurity Debate at the Alan Turing Institute in September 2018, Cal Leeming, formerly the youngest hacker prosecuted for cybersecurity crimes in the UK at the age of 12 and currently a cybersecurity consultant, maintained that Chromebooks were relatively secure compared to other devices. It is true that Chromebooks are not very easy to compromise. However, by moving all your files to a Chromebook, (i) you are placing all your security into the hands of Google, and (ii) we have recently seen a live demonstration from a white-hat hacker who appeared to infiltrate and extract valuable data from a Chromebook in a matter of minutes.
Active Cyber Defense solutions
Active Cyber Defense (ACD) technological solutions, unlike Reactive measures, are usually designed to proactively lure cybercriminals and mislead them in order to collect forensic data on them and find out who they are. This is an exciting new direction in cybersecurity. Yet, as the cybersecurity expert Pete Cooper puts it, “ACD is not about hacking back”. It is about a systematic approach to understanding the criminal mind.
Currently the most widespread methodology used for active cyber defense is the creation of a sophisticated net of so-called “smart honeypots”, or traps, on the network, which are intended to attract cybercriminals. The honeypots are usually machines on the network which look very attractive to an adversary but do not contain any valuable or interesting information and, most importantly, do not act as a gateway to anything important. By hitting these pre-set targets, cybercriminals waste their time and expose their forensic data, allowing the cybersecurity team to track them and, with luck, even identify them.

There are, however, several issues with this approach. First of all, engaging in active cyber defense is not a route for all businesses. This path requires a great deal of “maturity” (i.e., understanding of the issue at a strategic level), resources, and technical capability from the organization. Second, recent advances in AI offer cybercriminals a variety of ways to detect honeypots on the system, thereby defeating the whole purpose of setting up honeypots in the first place. Obviously, AI technology is available to both sides, and several savvy businesses respond by using AI to set up the smart honeypot nets. However, like any technological solution, it is only a matter of time before a motivated set of adversaries finds a way to detect and avoid smart honeypots if the way in which they are set up is determined purely by algorithmic logic. The reason is that, if there is a purely mathematical logic behind setting up such systems, there is always a mathematical counter-logic which can be found to infiltrate them.
Takeaways: from Patching with Tech to Patching with People
As we can see, technological solutions on their own are unlikely to solve the cybersecurity problems of businesses, as they primarily focus on the Robustness goal, and it is next to impossible to make a system fully robust. It is highly likely that, despite all the technology available to an organization, sooner or later highly motivated adversaries will find their way in. Under these circumstances, it is important to shift the cybersecurity paradigm from “patching with technology” to “patching with people”.