At DEFCON 2016 in Las Vegas last year, Chris Pogue, CISO of Nuix, managed to gather a room full of hackers together and handed them a paper survey.
The intent? To help CISOs, CSOs and enterprise security teams understand which security countermeasures really do have an impact and which do not.
The results were surprising. The survey found that some countermeasures that enterprises believe will stop an attacker aren’t even slowing them down. Other countermeasures that are seen as little more than fluff can prove to be the greatest hindrance to a hacker. In fact, more than two-thirds of hackers can break through cybersecurity defenses within 12 hours, and 81 percent say they can identify and take valuable data within 12 hours as well.
The report includes insight and commentary from industry experts such as:
- Terry L. Sult—Chief of Police, Hampton, Virginia on A Police Chief’s Perspective on Cybersecurity
- Claire Ferguson—Lecturer, School of Justice, Queensland University of Technology on Why Hackers Hack
- Melissa K. Ventrone and Aleksandra Vold of Thompson Coburn LLP on Navigating the Legal Minefield of Post Incident Response
Key findings include:
- What security countermeasure presents the greatest challenge to you during a penetration test?
- Where do you think is the most/least effective place to spend security budget?
- How long on average do you estimate it takes for you to find and exfiltrate targeted data after your initial breach?
- What tools do hackers rely on the most?
- How often is social engineering used to obtain information about a target?
- Favorite type of attack to execute
- Average estimated time to compromise a target environment?
- Once compromised, how often does the security team identify your presence?
- How often do you encounter systems you can’t break into?
- How often do you change your attack methodologies?
- What is the most common reason you change your attack methodologies?
- Where are security dollars best spent, and how likely are security programs to succeed?
TechDecisions also spoke with Chris Pogue to dig a bit deeper into his reaction to the survey:
TD: Why is it so important to get a hacker’s perspective on cyber security?
CP: Well, this is not a new concept.
The legendary Chinese General Sun Tzu served King Helu of Wu somewhere between the 5th and 6th centuries BCE – so what…roughly 2,500 years ago. In his book, The Art of War, he writes, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
So what’s the takeaway here? Know your enemy and know yourself and you need not fear.
Plenty of security solutions providers claim to help organizations know themselves, but that’s only part of the equation. If you don’t know the enemy as well, you will suffer a defeat for each victory you gain.
This is clearly true of the modern threat landscape as the headlines the world over are riddled with one breach after another in just about every business vertical that stores, processes, or transmits data.
Clearly, this approach is not working and something needs to change; and from the looks of it, General Sun Tzu had it figured out a very long time ago – we simply need to apply the same logic to the modern cyber battlefield.
TD: What was the most surprising thing you learned from conducting this study?
CP: Hands down the speed at which attackers can compromise a target, find critical value data, and exfiltrate it. Under 24 hours.
With most organizations struggling to detect an attack in eight to ten months, the attackers are in, out, and gone long before most organizations ever realize they were even there.
In the wake of some of the largest breaches in history (such as OPM, Yahoo, and Ashley Madison) this simply cannot persist. Organizations need to assume their perimeter defenses are going to fail, and they need to get better at detection – fast.
TD: What is the biggest thing that IT in corporations should take away from this study?
CP: Defenders are up against a dynamic enemy whose technical capabilities and tools have far outpaced their own. In their efforts to make a better widget, many security vendors have relied on customer feedback to guide development.
While this may seem like a good idea from a business perspective, it’s lacking from a security perspective.
As Steve Jobs said, “But in the end, for something this complicated, it’s really hard to design products by focus groups. A lot of times, people don’t know what they want until you show it to them.”
The takeaway? It’s incumbent upon security vendors to understand the threat landscape in such a way that they are telling their clients what they need, and not necessarily what they want. The only way to do this in any meaningful way is to understand the nuances of the threats in such a way that your tools provide advanced protection or detection capabilities that your clients may not even be aware that they need.