Færie Dust Can Make Old Ideas Magically Revolutionary
If the only way we learned about new technology was from vendors, we might have the misconception that one-of-a-kind, revolutionary solutions are appearing every day. Marketing, after all, is about promoting and selling products or services. Humans get pleasure at a biological level from novelty, even if it’s the repackaging of old goods.[53] This is not an anti-vendor myth, although extravagant and intensive publicity or promotion—the definition of hype—is integral to some marketing. Given how few people practicing cybersecurity have ever bothered to study the field’s history, this technique is particularly effective.
The myth here is that renaming, rebranding, or repackaging an existing or slightly evolved technology magically makes it more effective or desirable. There is no magic færie dust that gives existing technology special properties. If someone tries to rebrand and sell you firewall[54] technology as a new category of security products called Digital Sentinels, be skeptical.
Consider two contemporary examples: cloud computing and zero trust.[55] Both of these phrases are used with abandon because we have been convinced that they are novel and magical. In reality, both cloud computing and zero trust are, in their own ways, old technology with a bit of færie dust. Without a doubt, they offer value, but exaggeration has given some people a false sense of hope.
In modern cybersecurity, the momentum of adoption is too often confused with novelty and value. Momentum is not harmful per se, as long as consumers understand a technology’s history. Jumping on the bandwagon because everyone is talking about it is misguided, however. By the time average consumers hear about technology such as cloud computing, it has percolated and evolved, often for years. Pay-as-you-go computing services did not emerge suddenly in the 2000s when Amazon, Google, and others introduced their offerings. Time-sharing systems were commercially available in the 1960s and 1970s. Today’s cloud services evolved from work done in the 1970s and 1980s on distributed computing. But it seems that overnight, everyone was talking about going to the cloud as if it were a revolutionary solution to all our needs!
Cloud computing is a form of resource sharing that lets users draw on-demand resources from a provider. If we store files online, we rent storage from a third party. These days we can hire vendors to do all sorts of online actions, including hosting databases and translating speech to text (think: Siri and Alexa). The self-service nature of commercial services also makes acquisition and adoption nearly seamless. But cloud services are not magic, and there are real disadvantages to consider. For instance, we trade control and flexibility for convenience, and in return we accept vendor lock-in and limits on transparency. There can still be downtime and breaches. Cloud computing might be the right choice in some cases, but think carefully before jumping on any bandwagons.
Zero trust is a modern description of the strategy of eliminating implicit trust, enforcing complete mediation, and compartmentalizing what is trusted rather than relying on a perimeter. Trust exists in many parts of the digital ecosystem, from the hardware of our devices to the networks that connect us to software and online services to other humans. Trust exploitation is the root of many types of cybersecurity compromises. Attackers target domain controllers because a domain controller is a server that member computers trust. Many system owners also assume that if someone logs in with a legitimate username and password, all of that person’s actions can be trusted. When users log in to the GoodLife Bank app, they can deposit and withdraw money because they are trusted. An alternative is to validate every action, including the fact that a legitimate user might be using an untrustworthy device. If a user accesses GoodLife Bank from a new device or foreign country, maybe they should be scrutinized. The best practice is to limit trust, enforce least privilege, authorize all accesses, and compartmentalize that trust.[56]
But least privilege, complete mediation of access, and compartmentalization are old ideas dating back decades! Security professionals have been recommending these practices for many years. Modern implementations allow continuous analysis and adaptation that provide highly granular, real-time, least-privilege access.[57] If you think about it, there is no such thing as fully zero trust because the systems need to trust whatever does the authentication and access control; a system based on truly zero trust would be inert. In the end, there is no færie dust that makes zero trust revolutionary... or a magic solution to security needs.
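The per-action validation described above for the GoodLife Bank app can be sketched as a small policy decision function. This is an added example, not code from the book; the users, roles, device IDs, account numbers, and the `decide` function are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data for the hypothetical GoodLife Bank app.
ROLE_ACTIONS = {                      # least privilege: explicit allow-list per role
    "customer": {"view_balance", "deposit", "withdraw"},
    "auditor": {"view_balance"},
}
ACCOUNT_OWNER = {"acct-100": "alice", "acct-200": "bob"}   # compartments
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    action: str
    account: str
    device_id: str
    country: str
    mfa_fresh: bool = False   # True if the user re-authenticated for this request

def decide(req: Request) -> str:
    """Return 'allow', 'step_up', or 'deny' for one request.

    Called on every action (complete mediation): a valid login alone
    grants nothing. This function is itself the component the system
    must trust, which is why "zero" trust is never literally zero.
    """
    # Default deny: unknown role, or action outside the role's allow-list.
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return "deny"
    # Compartmentalization: a customer may only touch their own account.
    if req.role == "customer" and ACCOUNT_OWNER.get(req.account) != req.user:
        return "deny"
    # Context: a new device or an unusual country is scrutinized, not trusted.
    new_device = req.device_id not in KNOWN_DEVICES.get(req.user, set())
    foreign = req.country != HOME_COUNTRY.get(req.user)
    if (new_device or foreign) and not req.mfa_fresh:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    # Same logged-in user, same credentials, different outcomes per request.
    for r in (Request("alice", "customer", "withdraw", "acct-100", "dev-a1", "US"),
              Request("alice", "customer", "withdraw", "acct-100", "dev-x9", "US"),
              Request("alice", "customer", "withdraw", "acct-200", "dev-a1", "US")):
        print(r.action, r.account, r.device_id, "->", decide(r))
```

The deny checks run before the context checks, so a request outside the user's privileges is refused outright rather than offered a re-authentication prompt.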