Computer security companies have been accused of “massively” exaggerating the abilities of malicious hackers. Dr Ian Levy, technical director of the UK’s National Cyber Security Centre, made the accusation in a speech this week reported by The Register.
The NCSC was set up in October 2016 to help protect the UK from cyber attacks. Dr Ian Levy made the accusation in a keynote speech in which he said the firms played up hackers’ abilities to help them sell security hardware and services.
He accused computer security companies of “massively” exaggerating the abilities of malicious hackers, saying the firms played up hackers’ abilities. Overplaying hackers’ skills let the firms claim that only they could defeat attackers, a practice he reportedly likened to “medieval witchcraft”.
Speaking at the Usenix Enigma security conference, Dr Levy said it was dangerous to listen only to firms that made a living from cyber security. He is reported to have said, “We are allowing massively incentivised companies to define the public perception of the problem.”
Dr Levy cited an attack in 2016 on an unnamed UK telecoms company that used a technique older than the teenager believed to have engineered the attack.
Security firms fight back
Commenting on this, Mike Ahmadi, global director – systems security at Synopsys said, “While Dr. Levy may indeed feel that security firms being creative in their marketing approach is tantamount to witchcraft, presenting that as some sort of supporting argument that hacker capabilities are overstated is not only nonsense, but is completely contradicted through empirical evidence one can gather through a simple web search.
“Hackers stopping a car while it is being driven, as Miller and Valasek demonstrated in 2015, or the Mirai BotNet infecting millions of devices, or the US OPM breach exposing millions of records, Yahoo having 1.5 billion records hacked, are all things that happened well outside of the world of witchcraft and were not overstated. The list goes on and on,” says Ahmadi, “and the fact that hackers are exploiting old and known vulnerabilities is not an indicator of (their) capability level by any measure I am aware of. His assertion is both misguided and pedantic.”
Brian Laing, vice president at Lastline, also commented on Dr. Levy’s assertions saying, “This is a very dangerous road to go down. While I don’t doubt some vendors overstate a multitude of different things in their sales and marketing, you only need to look at the number of breaches happening to clearly see that the attackers have a clear advantage. Almost every day a new breach is disclosed. Those breaches are happening in different market verticals, most of which have a layered security approach and yet are still breached.
“The fact is,” says Laing, “attackers have an unfair advantage which is not necessarily driven by their hacker skills.”
The networks they are targeting are complex systems which are difficult to fully understand and defend. Additionally, Laing believes, the system often works against itself through its users. Attackers need only get a malicious yet legitimate file through the email system to an unsuspecting user. Once that happens the attacker is in the network and can now spread to other machines. We don’t need to promote the level of their skill and you can certainly debate how many attackers out there have more skills than the defenders, but you cannot debate the fact that attackers have at least the minimum skills needed to breach networks.”
Gavin Millard, EMEA technical director of Tenable Network Security argues, “It doesn’t take long walking around the floor of any cyber security show to spot the embellishment of both the threat and a vendor’s capabilities to address them. With market opportunity, cyber security has become an industry where great technology can be trumped by a slick marketing message.”
“Whilst it’s true that some attacks that occur are incredibly advanced, using techniques only known by nation sponsored threat actors,” says Millard, “the majority of breaches that affect most organisations are far more mundane in nature. Luckily security professionals see through the marketing bluster of hackers in hoodies, dropping zero days all day to breach everybody, everywhere, and know that following independent best practices for security rather than buzz words is far more effective at reducing the probability of data loss.”
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow