- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
This chapter is from the book
This chapter is from the book
This chapter is from the book
Product X Will Make You Secure
Repeat after me: No single product will make me secure. That’s not the reality of cyber threats, and it’s not how cyber defense works. It’s a lovely dream: find the magic product and ta-da! We are entirely secure; we have nothing to worry about!
People think (or vendors tell them to believe) that buying some product(s) will ultimately solve all of their cybersecurity problems. It does not matter what that product is—this statement will never be true. Cloud storage? No. Extended Detection and Response (XDR) platform? No. Next-Generation Firewall (NGFW)? No. Many individual solutions have value, but none alone is sufficient. This is not only because all products have vulnerabilities but because some problems have not been seen yet or resemble authorized use. Chapter 11, “Vulnerabilities,” will discuss the more prevalent issues of passwords, patches, and configuration errors.
Some organizations buy lots and lots of products, believing more must be safer. Simply throw money and tools at the problem! This is a problem, especially for organizations that equate the amount they spend on security to a measurement of their security posture.37 It leads to other adverse side effects, such as focusing too much on how our organization compares to other companies. Furthermore, piling on more tools might reduce our security.38 Simply because the competition has a fancy new tool does not mean it’s right for us. In Chapter 10, we will examine more myths about tools.
Too often, adding products is a reactive reflex after an incident. A company is attacked, and rather than consider the root cause of the problem, it throws money in an effort to prevent a repeat of that precise issue in the future. To use an old idiom, putting a lock on the barn after the horse has escaped is not a good approach to security. It leads to an overabundance of point solutions rather than broad strategies. Starting by considering the best way to keep the horse in the barn across various scenarios is a much better approach.
It’s also important to consider what we are throwing our money at. If we build a new barn door with all the bells and whistles, yet the barn itself is falling down, we are not getting a good value for our money.
This is not a problem only for businesses and cybersecurity professionals. Ordinary people also think that a single piece of software should provide security. Further, they often accept the default program shipped with their computer and expect it to be free for life. Why is there not an uber security product? One endpoint protection program to rule them all? A modern device—smartphone, laptop, server, automobile—is complex, and the attack surface is enormous. No single cyber defense can ever protect against all the ways that an attacker might try to attack, affect, or extract data from that system—not to mention predict all new attacks that might come.39
Avoiding this myth requires an appreciation for the complexity of technology and the diverse threats to it. No single security product can provide enough controls to lower all the risks present, especially in systems that are not designed well, are overly complex, and are poorly built.