Paranoia Reigns Among Security Pros
Technology, machines, software, UFOs, spontaneous combustion, and crop circles don’t scare me. I’m an engineer, a code writer, a builder, a closeted mathematician and part-Vulcan some might say. I’m also someone who’s worked in hi-tech for almost 30 years. My pedigree, my lineage, and my persona are the elemental datum of a sandwich sign hung around my neck that essentially says, “John works with computers…maybe he can fix it?” And that’s the way I usually feel. Bring it on. I can get the Wi-Fi working, I can get the car started, I can figure out why the shower water is cold, and I know what every button in my car does.
Yet, in recent months, the idea of getting back to basics, ditching my computer, cutting my Internet connection, and disconnecting from technology altogether has begun to seem more appealing. What spawned these ideations, these half-hermit, half-anarchist “air-gap” fantasies? Well, much as I enjoyed the show, I’m pretty sure the turning point for me was this year’s RSA Security Conference in San Francisco.
Of course, my anti-technology thoughts faded as quickly as they had surfaced. Total electronic isolation is simply not a practical aspiration. I no longer remember even the dearest friend’s phone number or how to get to work without Waze or how to tie a bowtie. Technology and communication networks are the repositories and enablers of knowledge and learnings. Knowledge and learnings are a good thing. But the impressions that RSA left were much more indelible, and I will not soon forget them.
A stunning 700 vendors assembled for four days at great expense. They held a thinly-clad profit motive for sure but were also possessed by a benevolent imperative to help in every way imaginable in the raging cybersecurity battle that’s underway. The war is truly a fight between good and evil; between companies that want to leverage technology to improve the condition of humankind and the bad actors, cybercriminals, nation-states, hackers, phishers, social engineers, phreakers, and black hats who want to make a little cash, gain a little notoriety, or potentially destabilize a western democracy.
I’m in the business and don’t think that all this buzz is just hype. I’m actually more worried than ever about the threats we face. Nowadays, the attackers are able to evade detection, disappear without a trace, automate their attacks, never leave the same set of fingerprints, and fool even the savviest among us with spear phishing and social engineering schemes. What’s more, on the off chance someone is actually caught, they never seem to be in the same country where their crime was committed, or they don’t hatch their caper completely enough to bear the full brunt of the law.
This helplessness was reinforced by a survey that Lastline completed at that very same 2019 RSA conference that I mentioned above. We surveyed 136 random security professionals and the term that best comes to mind when reviewing the results is “paranoid.”
These are smart people who understand what they’re fighting against, and they’re distrustful, worried, and yes, paranoid.
The survey results speak for themselves:
- In a nearly unanimous response, 92 percent of respondents feel that cybersecurity is a bigger threat to the U.S. than border security. And yet government and media attention seems far more focused on the latter.
- Reflecting the impact that poor security practices have on overall trust, when asked which of the tech giants they trust the least with their data, not surprisingly 76 percent named Facebook. No other company even came close, while Amazon (25 percent), Apple (24 percent), Google (20 percent) and Microsoft (27 percent) all scored relatively evenly when asked who they trust most, essentially splitting the vote for most trustworthy.
- There’s a significant lack of trust in public Wi-Fi networks, likely driven by the audience’s deep understanding of the challenge of securing such networks and the risks introduced. To illustrate this, nearly half (45 percent) said they’d rather walk barefoot in a public restroom than connect to an unsecured public Wi-Fi network. This should be particularly alarming given the number of employees they are charged with protecting who use the Wi-Fi at coffee shops, airports, conferences, and numerous other public locations. As a side note, even the Wi-Fi at the RSA Conference was suspect. During the event, our own security team advised all Lastline employees to avoid the free Wi-Fi without a VPN connection, and only use the Internet access we had set up in our booth.
- Additional results further highlight the lengths to which security professionals go to protect their devices, their organization’s data, and themselves. As an example, while it’s been demonstrated that criminals can take over control of a laptop’s camera, the incidents are quite infrequent. Regardless, 69 percent of respondents cover their laptop webcam. And demonstrating a best practice that they likely encourage all employees to adopt, nearly half (44 percent) implement 2-factor authentication on all of their devices.
What’s the clinical definition of this behavior? Ummm, paranoia? Yes! They cover their webcams with tape, use 2FA everywhere, and prefer barefoot strolls in public restrooms vs. using public Wi-Fi. Sorry folks, that’s paranoia.
Lastline’s threat detection tools are making a difference and our multi-variant machine learning algorithms are no doubt part of the solution. In fact, many other vendors and governments are helping too – and that’s a good thing! The work is far from done and the technophile in me is as paranoid as everyone else, but perhaps my paranoia is salted with a hint of emerging optimism. As I type these words, my thoughts only rarely drift to who may be recording my keystrokes or shoulder surfing my screen.
The Lastline RSA survey confirmed many of the fears that we all suspected were out there. If the security professionals at RSA are this concerned, it’s a wake-up call that, as an industry, our work is just getting started. Personally, I am ready to take the plunge and dive back into the techno-sphere with renewed energy. There may be more cyber losses in 2019 than there were in 2018, but it’s not going to impact any of Lastline’s customers. I say, bring it on!