Newsletter

07.27.2021 | 8 min read

On apathy in cybersecurity

by Ryan Naraine


This newsletter is sponsored by Startup Secure, the go-to source on cybersecurity for start-up entrepreneurs, leaders, and individual contributors who need to select the right frameworks and standards at every phase of the entrepreneurial journey.  Buy the book.


The success of this independent journalism project relies on your feedback and suggestions, so drop me a line at any time. You don’t need a reason to reach out and say hello 🙂 Twitter DMs are open.

The most clicked link from last week’s issue was The rise and fall of NSO Group, one of the many sidebar stories accompanying the big NSO Group/Pegasus iPhone spyware saga.

Personal notes.

  • My thanks to Uptycs and Armorblox for generously supporting the Chris Castaldo Startup Secure book-signing event in Las Vegas on August 4, 2021. Sign up here to secure an invitation.
  • I’ll be attending and participating in SecurityWeek’s ICS Cybersecurity Conference (CFP is open) in Atlanta on October 26-28.  This is a long-running confab on securing ICS/SCADA and industrial networks. Register here and hopefully I’ll see some of you in the ATL.
  • Last week, I hosted two sessions at the Cloud Security Summit, including a Q&A with Forgepoint Capital managing director Will Lin. We talked about the surge in VC cybersecurity investments, the true size of the market, and the hype/trends worth watching carefully.  Catch it on-demand here.

Monday blues.

On these pages a few weeks ago, my exasperated tone touched a nerve with readers:

After years and years of spending billions on cybersecurity, here we are, on a zero-day patching treadmill while ransomware infections soar and vendors boast of successful IPOs and expanding revenue streams. So much is wrong.

While some folks shared my blunt assessment, I caught some flak for being overly pessimistic and dismissive of a lot of hard work to secure every layer of computing. I was reminded that we have biometric e-commerce on phones (“Don’t forget you can simply look at your iPhone and make a secure payment in a supermarket!”); we have solid foundational tech/processes in place (“the zero-trust security model works!”); and we have tools like password managers and multi-factor authentication apps to avoid ID-theft or phishing attacks.

True, we’ve seen decades of innovation that have truly raised the cost for attackers. Spam as a daily annoyance is mostly solved and modern web browsers do all the heavy security lifting to keep hackers at bay.

Yet, I can’t shake the disconnect between all that spending and innovation and the reality on the ground, where silent supply chain compromises wreak havoc, ransomware infections affect gas distribution in a major U.S. city, mercenary hacking groups sell zero-days to mysterious customers, and we still can’t click on links or open attachments with confidence.

As far as we’ve come, it feels like we’re chasing a tail that’s disappearing in the distance.  Attack surfaces are expanding faster than we can react to securing them and there’s still too much friction with adopting the best available security tools.  Twitter offers a wide range of MFA tools but barely 2.3 percent of users have enabled one form of password-verification and, even then, most choose the weaker, already-broken SMS method.

Beyond low-end ransomware infections (it’s really bad and getting worse!), zero-day attacks are surging against the most modern, hardened computing devices. Just this week, Apple responded to the 13th instance of actively exploited zero-days in iOS and macOS devices. At Google, the 2021 zero-day count stands at eight, while products from Microsoft, SolarWinds and Kaseya remain easy targets.

Meanwhile, let’s not ignore how the money and hype cycle adds to the confusion and apathy. This New York Times story on venture capital investments may make you cringe.  Here’s a snippet:

“On a Friday evening in October, Mr. Chandna, the Greylock venture capitalist, introduced the chief executive of an email security company he had invested in, Abnormal Security, to another investor, he said. That investor, Venky Ganesan of Menlo Ventures, who had been pursuing a meeting with the chief executive, Evan Reiser, for months, immediately emailed Mr. Reiser to invite him to dinner that night.

Mr. Reiser drove, he said, from San Francisco to Mr. Ganesan’s home in Atherton, Calif., about 30 miles away. By the end of the weekend, Abnormal had signed a deal to raise $50 million at a $600 million valuation, putting its total funding at $74 million. Menlo’s $40 million check was the firm’s largest investment ever.

“As shotgun weddings go, it’s as shotgun as you can get,” Mr. Ganesan said.”

Even as data shows that users are rejecting multi-factor authentication tools, 1Password has a massive new funding round that values the company at $2 billion.  🤷‍♂️

It all makes my head spin. Hang in there and have a productive week.

_ryan


A word from our sponsor (Startup Secure)

Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure by CISO Chris Castaldo breaks down the essentials so you can determine what is right for your start-up and your customers. You’ll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Buy the book.  If you’re in Las Vegas for Black Hat, come to our book signing hangout.


The NSO and the mobile ‘surveillance list’

The explosive story on Israeli surveillance vendor NSO Group and the Pegasus malware has expanded in multiple directions since last week:

Tool of the week.

Important stories that may have gotten lost.

Some eyebrow-raising stories of cyber-attacks with real-world human consequences keep getting lost amidst all the noise:

Readables.

Leftovers.

* My thanks to Uptycs and Armorblox for generously supporting the Chris Castaldo Startup Secure book-signing event in Las Vegas on August 4, 2021. Sign up here to secure an invitation.

* Full Security Conversations podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
