It was the mid-90s — the halcyon days of what was then known as computer security — and almost every briefing, presentation, discussion and overview began with a hacker “war story.” Some were true, but most were fables and technology legends.
After the hacker anecdote, it was pro forma to make the case that the plural of this anecdote becomes a statistical likelihood for your audience. This opening act was a constant — whether the purpose of the presentation was to educate, explain or sell. Eventually, audiences learned to recognize this hackneyed approach, and the anecdotal FUD (fear, uncertainty and doubt, for you n00bs) factor became a largely discredited approach by the turn of the century.
In retrospect, the old FUD anecdotes made sense. Computer security was a relatively new profession, and there weren’t any relevant large-scale studies or statistical analyses to aid organizational leaders in making informed risk decisions. Anecdotes were all we had at the time, so we focused on finding and identifying malicious threats that could be encoded and updated in security software, which would in turn detect and eliminate the culprit code. However, you could only do that after the malicious code had been discovered, a signature had been programmed, and that signature had been pushed out to the security applications for enforcement. It was (and is) a clumsy and inefficient system.
The other large data-gathering effort was collecting and organizing lengthy lists of all possible technical vulnerabilities within operating systems, utilities, applications, protocols and software/firmware of all types. These lists were then used by IT managers to remediate the vulnerabilities as best they could, or as much as they could afford. It is a thankless, never-ending litany of problems to be resolved or, at worst, ignored.
The threat landscape has changed dramatically over the last several years, and the hacking stories have been reinvented as “big news.” Silicon Valley start-ups and venture capitalists are again in a committed relationship, as companies spring up to hire these next-generation hackers to seek out and identify the new, more stealthy threats that easily circumvent traditional preventive security technologies.
Some package their findings as services, while others use this intelligence to populate a variety of security products. It is something of a white-hat hacker rebirth.
The problem is that ultimately, no one wants to waste time tracking every possible human threat. There is little or nothing organizations can do to mitigate and prosecute them all — especially those originating in foreign countries.
Watch for technology to quickly move to automate this remediation, and the cycle will repeat.
John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. E-mail him at [email protected].