Phishing, exploits, malware, ransomware – it seems that every time we turn around there's another threat, technique, APT, or “super-bug” that we need to gear up and fight yet again. To conduct and prevail in that fight, companies implement the latest security solutions to detect and eliminate threats.
Given that most attacks leverage bugs in software applications, the patches that software vendors issue should close those bugs. It would follow that if you install the patch, you are protected against whatever is plaguing users of that application. Problem solved.
Actually, no. There are two reasons for this:
First, any sizeable application contains thousands of bugs. With millions of lines of code, mistakes are inevitable. The vendors themselves don't know about many of them, which is exactly what the much feared “zero-day” attack exploits: a vulnerability the vendor is unaware of, for which no patch yet exists. So even after a vendor patches its application, it still contains bugs nobody has found yet, and a sophisticated attacker can find and use them first.
Second, even when vendors issue patches, companies are often slow to apply them. According to Veracode’s State of Software Security (SOSS) report, up to 70% of known vulnerabilities remain unpatched four weeks after disclosure, and a year later 25% of companies still have not applied some of the patches.
What is going on here? Why would staff ignore, or at least delay, installing important patches, leaving their computers and servers open to attack? One reason could be cyber fatigue – a creeping feeling that no matter what defenses we implement, hackers will always find a way around them, so why bother?
A study by Cisco shows that this feeling is widespread. In a survey of CISOs, the company found that 30% of respondents reported cyber fatigue (defined as “having virtually given up trying to stay ahead of malicious threats and bad actors”) in 2019 – high, but significantly better than the 46% who felt that way in 2018. Despite that improvement, the fact that nearly a third of CISOs feel essentially helpless against attackers, and see little point in defending themselves, is strong testimony to how deep cyber fatigue runs.
In a sense, you can't really blame CISOs and security staff for feeling this way. Keeping up with the latest attacks, with new ones appearing nearly daily, and the need to keep updating operating systems and applications, all of which have their own patches and updates to administer, is a Sisyphean task. Today's update fixes the problem that appeared yesterday, but you're already behind the times. Hackers have already moved on and deployed a new attack that will have to be remediated tomorrow. Where does it end?
The key is to break the “cycle” that hackers have comfortably slipped into - dragging us along with them. Remediating a security risk via a patch or update only deals with “trees,” but for real cyber-safety, we need to deal with the “forest” of threats by keeping them our number one priority. Prevention is possible, if it’s done right.
To accomplish that, companies need security systems that examine threats and anomalies holistically across channels, catching malware before it has a chance to act, regardless of its source or form. For example, if email is a prime channel for compromise (according to studies, spear phishing accounts for 91% of all cyberattacks), then all email needs to be examined for threats and anomalies. Ditto for all files, content and elements entering a network or system from any source. While there are many methods, tricks and techniques hackers can use to spread their poison – whether via email, EC&C systems, file sharing, and more – the exploits those techniques carry behave in similar ways once they reach the target system.
A good security system detects those exploits and blocks them, regardless of how they are deployed and whatever vector delivers them. Once an exploit is identified, the security system neutralizes it, exposing its behavior and keeping it out, whatever form it takes. Thus the “treadmill” cycle of attack>remediation>attack is broken. Instead of applying patches or updates to deal with each newest attack, an advanced security system addresses the underlying problem by looking more deeply at the malware itself and applying what it knows about threats and anomalies to anything and everything – providing an overall security solution.
Note that even when patches and updates are applied, security issues aren't necessarily resolved. For example, version 8 of a program may have been patched to fix a security problem, but if a user still runs version 4, the problem remains unremediated and still poses a threat. Examining files for anomalies and threats designed to take advantage of known issues across the different versions of software – which an overall security system does, without depending on the version number installed – would prevent an attack that cyber fatigue made possible, where someone forgot to update the organization's software. Note that such detection stops the delivery of the exploit; the underlying bug is still present until the patch is applied, so the two controls complement each other.
The key here is to lift the ”drudge work” of administering updates off security teams, which so often leads to cyber fatigue, and to take a different approach, one that covers a company and prevents attacks even when a patch or update has not been applied. By doing that, companies can ensure their safety, while preserving the sanity of their CISOs and security staff.
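The two patch-gap points above (the SOSS figures on how long vulnerabilities stay unpatched, and the version 4 vs. version 8 example) are the kind of thing a team should be able to measure from its own inventory. The script below is an added example, not code from the original article or from any product it describes. It uses a constructed inventory and a hypothetical advisory (product name, fixed version, disclosure date are all made up), reports which hosts still run a vulnerable version and how long the gap has been open, and shows the classic mistake of comparing version strings lexically, which would wrongly mark version 10 as older than version 8.

```python
"""Patch-gap report over a constructed asset inventory (added example)."""
import re
from datetime import date

# Constructed advisory: the flaw is fixed from version 8.0 onward.
ADVISORY = {
    "product": "ExampleApp",      # hypothetical product
    "fixed_in": "8.0",
    "disclosed": date(2020, 1, 6),
}

# Constructed inventory: (hostname, installed version of ExampleApp).
INVENTORY = [
    ("web-01", "8.1"),
    ("web-02", "4.2"),
    ("db-01", "10.0"),
    ("legacy-01", "4.0"),
    ("build-01", "8"),
]


def parse_version(v: str) -> tuple:
    """Turn '8.1' or '8.1-beta' into a tuple of ints, stopping at the first
    non-numeric component so suffixes do not break the comparison."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison: is version a older than b?
    Shorter tuples are zero-padded so '8' compares equal to '8.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Installed version is affected if it predates the fixed version."""
    return version_lt(installed, fixed_in)


def naive_is_vulnerable(installed: str, fixed_in: str) -> bool:
    """The bug to avoid: comparing version strings lexically.
    '10.0' < '8.0' is True as strings, so version 10 is reported as vulnerable."""
    return installed < fixed_in


def exposure_bucket(days: int) -> str:
    """Bucket the gap the way the SOSS figures are quoted in the article."""
    if days > 365:
        return "over a year"
    if days > 28:
        return "over four weeks"
    return "within four weeks"


def patch_gap_report(inventory, advisory, today: date):
    """Return (host, version, days since disclosure, bucket) for every
    host still running a version older than the fix."""
    days = (today - advisory["disclosed"]).days
    return [
        (host, installed, days, exposure_bucket(days))
        for host, installed in inventory
        if is_vulnerable(installed, advisory["fixed_in"])
    ]


if __name__ == "__main__":
    for row in patch_gap_report(INVENTORY, ADVISORY, date(2021, 2, 1)):
        print("{:<10} v{:<5} exposed {} days ({})".format(*row))
```

Run against the constructed data, the report lists only web-02 and legacy-01; db-01 (version 10) is correctly left out, while `naive_is_vulnerable` would have flagged it. Feeding the same function a real inventory export and the fixed version from a vendor advisory gives the per-host "how long has this been open" number that the SOSS statistics describe in aggregate.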