Published on the 15/03/2017 | Written by Anthony Caruana
We've all heard the usual security spiel: make life hard for the hackers, layered security, complex passwords, blah, blah, blah…
But layered security is hard to manage as it often requires products from multiple vendors that don’t always play nicely with each other. And anything that makes the life of users hard is met with resistance, or worse, workarounds that bypass corporate systems and processes – the dreaded “shadow IT”.
But rather than focusing attention inwardly, what about concentrating on the bad guys? What pisses hackers off?
Security company Nuix recently published its Black Report, which surveyed professional hackers (they call themselves penetration testers) about their pet peeves at last year’s DEFCON event in Las Vegas.
These white-hat hackers say the thing that most annoys them is coming back to a client to retest and learning that most of the issues previously found have not been addressed. Just one in ten clients fix all the problems which come to light in testing. And 5 percent do sweet blow all after learning of problems.
It’s hardly surprising that this is the case. Verizon’s 2016 Data Breach Investigations Report found over 99 percent of malicious hacks used vulnerabilities that had been reported at least a year previously, and which had patches available to prevent them. The company’s report said “Hackers use what works and what works doesn’t seem to change all that often.”
Each year, infosec vendors try to convince us of how great they are by telling us how many zero-day vulnerabilities they have discovered. But it is quite damning to learn many of the breaches we suffer are our own fault.
We don’t fix what we know to be broken.
Purchasing and weaponising a zero-day vulnerability is expensive. But exploits that use known vulnerabilities are cheap, commodity items on the dark web. And if we ignore the advice of experts, and fail to patch our systems and address issues, then we are making the life of the malicious hacker easy.
And we make white-hat hackers cranky.
Security is not a checkbox exercise. It’s an ongoing program. You’d think that’s obvious, but the data coming from a number of security analysts and vendors suggests otherwise. The trick, perhaps, is to put in place techniques and measures which won’t annoy the good guys, but instead frustrate the bad guys.