- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
Technology X Will Make You Secure
There is a well-known meme attributed to Internet pioneer Vint Cerf. It is a simple flowchart that starts with the decision point “Do I need a blockchain?” and points to a single endpoint: “No.” Blockchain is not the answer to every problem (it might not be the answer to any significant problem), and it certainly is not the perfect answer to cybersecurity.
Cloud. Quantum computing. Open source intelligence. Blockchains. Artificial intelligence and machine learning. Even encryption! Innovation and technological evolution continue to drive progress in cybersecurity by lowering risk, and these technologies can be powerful enablers. Technology plays a prominent and important role in cyber defense—however, it is a myth that any technology alone will eliminate cyber risk. Beware the hype.
Jackie Fenn coined the term hype cycle at Gartner in 1995. She observed a predictable path of over-enthusiasm and disillusionment for new technologies before they eventually provide predictable value. The graphical representation covers five phases:
- Technology Trigger
- Peak of Inflated Expectations
- Trough of Disillusionment
- Slope of Enlightenment
- Plateau of Productivity
The hype cycle acknowledges the value of technology but never claims that any single technology will solve all problems.
The history of cybersecurity is full of examples of defenses we once thought were perfect. Address space layout randomization (ASLR) was created to prevent the exploitation of memory corruption vulnerabilities. So was Data Execution Prevention (DEP). They did have a positive impact and helped to cripple some malware. But ASLR and DEP did not stop attacks across the board. These technologies could not prevent phishing and other social engineering from affecting computers. Furthermore, attackers adapted and learned to bypass DEP and ASLR using Return-Oriented Programming (ROP).
This myth goes hand in hand with the myth that a single product will protect us. Nothing applies to all threats and all situations. Add to that the fact that these technologies and solutions often have their own vulnerabilities. Nothing is perfect in the cybersecurity world.
The key to avoiding the myth that any technology will solve cybersecurity is honesty about what it cannot do. Do not let that stop you from being excited about new technology. Evaluate, experiment, and deploy with open eyes, while acknowledging that it alone cannot save us. Also, be alert to any new vulnerabilities or exposures that might result from it!