I’ve been in the cyber security business for most of my career, and while technology and threat vectors have changed, one thing has stayed consistent: FUD.
FUD is short for ‘fear, uncertainty and doubt’, and it is a common tactic used to cause panic and sell cyber security to organisations — many of which, frankly, don’t need what’s being sold and could do without the FUD.
Cyber threats are real, and system compromise can be devastating, but FUD has done little to make companies, individuals or our society more secure in practical terms. Instead, it taps into deep, primal wells of insecurity that cloud our best judgment, making it difficult to separate the signal from the noise.
The result is over-investment in one area, under-investment in another, and general security lopsidedness — a particular concern in the present economy where organisations need to be even more careful about ineffectual spending.
While it’s been great to see the Australian government get even more serious about cyber security, making its largest-ever investment in the space ($1.35 billion over the next decade), one of the keys for the future — at least for most organisations — will be a focus on modest, mature and measured improvements of cyber health, often achieved with simple and consistently applied principles.
The truth is good cyber security is boring.
It’s about the consistent application of basic principles.
It’s about balancing commercial reality with risk in a measured way.
The recent revelations about GoldenSpy malware — found during a threat hunt — demonstrate how significant, even dramatic, cyber challenges are best handled within this mature framework.
On the surface, GoldenSpy, and its twin threat GoldenHelper, could look like a business dealbreaker priming an extreme reaction. Trustwave’s SpiderLabs team of researchers discovered these backdoors hidden in tax software that is mandatory for any foreign business operating in China.
Experts around the world took this discovery seriously, including the FBI, which issued an alert on the vulnerability. There was good reason for this response. These backdoors gave potentially malicious actors wide-open network access with system-level privileges. In other words, whoever installed the backdoor could gain total control over the network to conduct reconnaissance, install additional malware, and extract files and data.
Again, this is serious.
But should we panic? No.
From one angle this looks like a no-win situation for an Australian business doing business in China. The FUD crowd will predictably ring the geopolitical alarm bells, point fingers, and make people ineffectually afraid.
The problem with this approach is that no actor has been identified here, and, frankly, who cares.
Any nation-state actor is more than equipped to breach virtually any system it sets its crosshairs on given enough time. Some nation-states may spy differently than others, but we spy, they spy, everyone spies.
It’s what motivated Dwight Eisenhower at the height of the Cold War to advocate openly allowing Soviet spy planes access to American skies and vice versa.
Transparency isn’t a bad thing — spying is one way that nation-states try to level the transparency playing field so they can make decisions on more accurate data.
Espionage is just another information system.
Again, spying — and even the motives of adversaries — isn’t what matters here. In fact, you should probably be reassured that if you had GoldenSpy, it wasn’t targeted at you.
The point of GoldenSpy and GoldenHelper — just like our experience a few years back in Ukraine, when the update servers for a popular tax software package were hacked in the NotPetya attack — is to respond to this reality in a right-sized way instead of catastrophising.
Closing your doors to a big and vibrant market like China isn’t proportional.
A wrong-sized response looks like this:
- Stop doing business in China (there’s a high cost to closing your doors to such a big and vibrant market);
- Buy millions of dollars worth of excessive cyber kit; and
- Assume a breach in the absence of evidence.
The right-sized response, on the other hand, looks something like this:
- Take China and politics out of the equation and ask what kind of third-party software you are putting onto your network without a review process at any point (and why);
- If you are using this software, don’t panic; engage a security resource to inspect the network for any lingering evidence of a backdoor; and
- If you do business in China, or any country which might have a similar tax software requirement, wall the software off from your network.
You should take these basics even further. Let’s call it minimum viable security.
Getting the most simple things consistently right is much better than doing the bright, shiny, new cyber thing perfectly.
In other words, be concerned that one of your team — unguided by fundamental cyber hygiene — might accidentally email out an Excel doc containing the personally identifiable information of your customers, triggering a massive and reportable privacy breach.
Don’t be concerned that an Estonian black ops team fronting for a shady European fixer might be trying to benefit a Middle Eastern plutocrat by hacking your systems for the personal record of a single customer.
And while we’re at it, with the brouhaha around video conference security, don’t be too concerned that someone is going to target your 9am all-hands meeting for their viewing pleasure. Your meetings are boring too, just like good cyber.
Want to take it even further and improve your cyber for little to no cost?
- Use one of the large cloud-based email platforms rather than running your own email server. They will be better at it.
- Turn on two-factor authentication everywhere you get the chance. It is one of the single most effective controls you can put in place.
- Keep security patches up to date and maintain a regular cadence for patching.
So when someone comes at you with FUD, come right back at them with boring.
Stay calm, weigh your options, and remember that most of the things that matter when it comes to cyber security are within your reach, your budget, and don’t require a drama degree.