Companies face a constant cybersecurity challenge. The risks they face are many and varied, but there is only so much time and money to go around. Choosing which cybersecurity risks to address is a pressing problem, and a new report suggests that they often get it wrong. At the virtual SecTor conference this year, researchers from cybersecurity company GoSecure will argue that long-held biases among defenders cause them to under-invest in key areas.
Working in conjunction with non-profit cybersecurity knowledge network Serene-Risc, the researchers surveyed 120 individuals ranging from CEOs to hands-on cybersecurity professionals. The report, Cybersecurity Perceptions versus Reality, analyzed their perception of cybersecurity risks and compared them to real-world penetration testers’ experiences.
One message came through clearly: those defending their networks against attack often invest too little time and budget in key areas. They emphasize some security threats at the expense of other more common risks, leaving them open to attack.
“Since the early 2000s we have talked about how security equates to patching, antivirus, and firewalls,” explains Laurent Desaulniers, director of penetration testing at GoSecure. “People have really understood that and acted upon this message.”
Those basic security principles remain valid, but there are other cybersecurity risks that companies don’t seem to consider part of a mature cybersecurity approach, warns GoSecure.
The report asked respondents to rate the maturity of their cybersecurity practice on a scale of one to five. It then used a statistical model to correlate seven security measures against the maturity rankings. There were two measures in particular that companies didn’t equate with a mature cybersecurity operation.
The first one was the use of minimum password requirements such as password length and complexity. This is one of the oldest security measures in the book, and with good reason; default or obvious passwords are an easy way for attackers to get into a system with little effort.
According to the survey, 60% of companies believe they have fully implemented an ‘ideal’ password policy, yet weak passwords crop up repeatedly in pen tests. The researchers analyzed 192 vulnerability findings from 65 pen testing reports and ranked the vulnerabilities by how often they occurred. Password issues appeared in 55% of reports.
The disparity could come down to what a policy counts as a secure password. Complexity rules check length and character classes, not predictability, so ‘CompanyName2019’ could technically pass muster as a strong password under some company policies because it mixes letters and numbers and meets the length requirement. Yet any decent pen tester would put it near the top of their list of things to try.
The danger of insecure product features
The second measure that people didn’t associate with a mature cybersecurity practice is assessing the security of product features. The more features a product has switched on, the more potential vulnerabilities it exposes. Some of these features are legacy ones that aren’t needed in many newer systems, such as the NetBIOS and Link-Local Multicast Name Resolution (LLMNR) name resolution protocols. Both fall back to asking the local network segment to resolve a name, so any host on that segment can answer and coax the client into authenticating to it. They still show up as a weakness in 33% of pen test reports.
Nearly two-thirds of respondents said that they investigated the security of their product features, but the report questioned that figure: pen testers successfully exploit vulnerabilities related to product features four times out of five.
The conflict stems from what GoSecure researcher Masarah Paquet-Clouston calls the free rider problem. For some companies, investigation might mean reviewing the product feature architecture or taking the vendor’s word for it. That often isn’t sufficient.
“When you buy a product, you expect it to be secure,” she says. After all, the vendor has presumably security tested the product in its own labs. “So you ‘free ride’ on the investment in that product security. You do not necessarily consider that when you implement it in your organization afterwards.”
The problem is that not all vendors are diligent about security. Even those that are will test in a lab that rarely reflects a customer’s own environment.
The tragedy is that in many cases, fixing these vulnerabilities is relatively straightforward. Strong password policies are well understood and can be implemented through network controls. Admins can even audit passwords with a scripted password hash cracking approach, suggests the report.
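The following is an added example of the scripted audit the report suggests, written for this article rather than taken from GoSecure or the report. It ties together the ‘CompanyName2019’ case above and the hash-cracking audit: a typical complexity policy is checked against a constructed credential dump, and the passwords a pen tester would guess first are recovered from it. Assumptions not in the original: the company name, the year range, the sample accounts, and the use of unsalted SHA-256 as a stand-in for the NTLM hash a real domain dump would carry (NTLM is MD4 over UTF-16LE, which some Python builds no longer expose; the audit logic is identical).

```python
import hashlib
import re
from typing import List, Set, Tuple


def _h(pw: str) -> str:
    # Stand-in for NTLM: unsalted SHA-256 of the password (assumption, see lead-in).
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed credential dump in "username:hash" form (not real data).
SAMPLE_DUMP = "\n".join([
    f"alice:{_h('CompanyName2019')}",
    f"bob:{_h('Summer2019!')}",
    f"carol:{_h('v9$Lq2#pR7wZ!mK4')}",   # not derivable from public facts
    f"dave:{_h('companyname2019')}",
])


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """A typical 'letters plus digits plus minimum length' policy.

    It is deliberately blind to predictability: it cannot tell
    'CompanyName2019' apart from a genuinely strong password.
    """
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def generate_candidates(company: str, years: range) -> Set[str]:
    """The company-name and season guesses a pen tester tries before any wordlist."""
    bases = {company, company.lower(), company.upper(), company.capitalize()}
    bases |= {"Spring", "Summer", "Autumn", "Fall", "Winter", "Password", "Welcome"}
    candidates = set()
    for base in bases:
        candidates.add(base + "123")
        candidates.add(base + "!")
        for year in years:
            candidates.add(f"{base}{year}")
            candidates.add(f"{base}{year}!")
    return candidates


def audit_dump(dump: str, candidates: Set[str]) -> List[Tuple[str, str, bool]]:
    """Return (user, recovered_password, passes_policy) for every hash that
    matches a candidate. Hashing the candidates once and looking up each
    dumped hash is far cheaper than hashing per account."""
    lookup = {_h(c): c for c in candidates}
    results = []
    for line in dump.splitlines():
        user, _, digest = line.partition(":")
        pw = lookup.get(digest)
        if pw is not None:
            results.append((user, pw, meets_complexity_policy(pw)))
    return results


if __name__ == "__main__":
    hits = audit_dump(SAMPLE_DUMP, generate_candidates("CompanyName", range(2015, 2021)))
    for user, pw, ok in hits:
        print(f"{user}: {pw!r} recovered; passes complexity policy: {ok}")
```

Every recovered password in the sample passes the complexity check, which is the point: the policy the respondents rate as ‘ideal’ and the audit a pen tester actually runs measure different things, and only the second one reflects what an attacker sees.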
On the product feature side, it may be possible to turn off basic features like unused protocols and ports. Desaulniers recommends creating a baseline product configuration with features turned on or off by default and auditing against that. The report links to the CIS configuration benchmarks that offer baseline configurations for a variety of systems.
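As an added example of the baseline-and-audit approach Desaulniers describes, applied to the two legacy protocols the report names: the script below parses a constructed excerpt of a Windows registry export and reports every host setting that deviates from a baseline in which LLMNR and NetBIOS over TCP/IP are off. This is not code from GoSecure or the report. The registry paths are the standard Windows locations for these settings, the interface GUIDs and values are constructed, and the baseline itself is an assumption (a real one would be built from the CIS benchmark for the platform).

```python
import re
from typing import Dict, List

# Constructed `reg export`-style excerpt describing a host that still has
# LLMNR enabled and NetBIOS enabled on one of its two interfaces.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}]
"NetbiosOptions"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{66666666-7777-8888-9999-000000000000}]
"NetbiosOptions"=dword:00000000
"""

# Baseline entries: (description, key pattern, value name, expected value).
# EnableMulticast=0 turns LLMNR off; NetbiosOptions=2 disables NetBIOS over
# TCP/IP on an interface. These are the documented Windows settings; treating
# them as the baseline is this example's assumption.
BASELINE = [
    ("LLMNR disabled",
     re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient$"),
     "EnableMulticast", 0),
    ("NetBIOS over TCP/IP disabled on every interface",
     re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters"
                r"\\Interfaces\\Tcpip_\{[0-9A-Fa-f-]+\}$"),
     "NetbiosOptions", 2),
]

_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"=dword:xxxxxxxx or "name"="string" lines."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def audit_against_baseline(reg: Dict[str, Dict[str, object]], baseline=BASELINE) -> List[str]:
    """Return one finding per deviation from the baseline. A key that is
    absent entirely is also a finding, because the Windows default for both
    settings is 'enabled'."""
    findings = []
    for desc, key_re, name, expected in baseline:
        matched = [k for k in reg if key_re.match(k)]
        if not matched:
            findings.append(f"{desc}: no matching key exported (default applies)")
        for k in matched:
            actual = reg[k].get(name)
            if actual != expected:
                findings.append(f"{desc}: {k}\\{name} = {actual!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_against_baseline(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Run against the sample, the audit flags the LLMNR setting and the second interface and stays quiet about the first interface. The same structure extends to any other feature the baseline turns off: add an entry, and the audit reports every host whose exported configuration disagrees with it.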
The challenge is getting defenders to think differently about these measures and overcome their own biases, he warns. “If we don’t change the bias, any IT organization that gets more money would more likely buy more firewalls,” he says. “Through research, we can find common cognitive security blind spots and notify people. We hope that will change how people invest in designing security throughout their organization.”
For a deeper dive into the findings of the report and strategies to overcome defender bias, check out Paquet-Clouston and Desaulniers’ talk at SecTor on October 21 this year.