The adage about what happens when people make assumptions is one that many in security would be wise to recall. Worse than making a donkey of themselves, security practitioners who make assumptions put the enterprise at risk.
Andrey Pozhogin, cybersecurity expert at Kaspersky Lab, said thinking they’re protected from DDoS attacks is one of the most dangerous assumptions businesses make.
A recent Kaspersky Lab survey found that 40 percent of organizations fail to put preventative measures in place because they think their Internet service provider will protect them.
Beyond those that assume their ISPs are protecting them, the survey found that a further one in three (30 percent) think their data center or infrastructure partners will protect them.
Pozhogin said, "While these organizations mostly protect businesses from large-scale or standard attacks, they will not suffice to protect against ‘smart’ attacks, like those using encryption or replicating user behavior."
On the surface, many of the assumptions people make don't seem too dangerous, but they can lead to a breach. The survey found that a third of organizations fail to take any preventative action because they think they won’t be affected by these attacks.
In reality, Pozhogin said, "Any company can be targeted by a DDoS attack at any time, especially since these attacks are easy for cybercriminals to launch. It’s not a matter of if it will happen, but when it will happen."
Assumptions are made across the production lifecycle of a company, said SafeBreach CTO and co-founder Itzik Kotler. Companies make them about everything from password policies to their security architecture.
Depending on how explicitly a company states the rules of its password policy, it could be handing out clues to hackers. "They assume that password complexity keeps them safer, but if they state that every password must begin with a digit and have five letters, they’re giving the hackers a hint about what should be the first key of a password," Kotler said.
In the broader picture, many businesses make dangerous assumptions in the way they think about architecting their security. "There is this assumption that they must do this or that to be secure. For example, they assume that if everything is done over SSL that they are protected," Kotler said.
What is most dangerous about that assumption is that they are not thinking about whether there are other ways around it, said Kotler. "What are all the other ways a hacker can try? They believe they are designing the best ways and those assumptions become poison."
They assume their connection is secure, but in reality that’s not always going to be the case. "The idea that users are behind a firewall, so they are safe, makes a company believe they are not at risk, but hackers will work around it," Kotler said.
In addition to believing that their security solutions will protect them, many companies make the dangerous assumption that if they are compliant, they are secure, said Chris Camacho, Flashpoint's chief strategy officer.
"They think because they've invested in security, brought in a top consultant, and checked boxes, that they are secure, but they have done nothing to secure the operational network and overall security operations," Camacho said.
Often, when these companies suffer an incident, they then ask why they didn’t detect it, get an alert, or have any details. "Usually an organization was prepared to meet regulatory compliance, not security," he said.
So what do enterprises need to do in order to avoid the potential harm that can come from making these assumptions?
"Start by hiring the right people," said Camacho. "Yes, they need security, policy, governance, and risk people, but they also need SOC managers, network admins, people for anything that was 'operations' in the past. It's about having the right team."
A return to the basics will also allow them to see where they need to invest in their core network infrastructure. "Do they have a network firewall that hasn’t been updated? These need constant updates. Roles need to be updated. It’s so basic and trivial no one thinks of it until they have an incident," said Camacho.
One assumption that larger enterprises often make is that if they invest in a lot of technology, they are going to be secure. "They forgot the basics," Camacho said. If they are not scanning the network to see what holes exist, they won't have any awareness of what is happening on it.
What might be one of the most dangerous assumptions that companies make is believing that the digital world is analogous to the physical world. It's not, said John Kindervag, vice president and principal analyst at Forrester Research.
"The idea that they are too small, and no one will ever want to hack them or they don’t have anything that anybody wants. These are some of the ideas that people don’t understand about the digital world," said Kindervag.
A big assumption now is that geography actually matters in the world of data security, an idea Kindervag said probably persists in part because it helps drive employment. "They can build data centers and hire people so that the data will never leave Germany. That’s not the way an internet router works. It doesn’t respect geographical borders."
To best defend themselves against attacks, companies need to both understand the digital world and eliminate trust. "The idea that people can be trusted is a dangerous assumption. As soon as you add trust to the mix, that actually creates a lot of problems," Kindervag said.
Trust, in both people and solutions, doesn’t actually exist in the digital world. "We can have confidence in a system—allow a system to work in a different way, but we don’t want to be complacent. The big thing that we do is anthropomorphize the digital world," said Kindervag.
Trying to liken the digital world to the analog world leads to misunderstanding. The desire to identify the perpetrator of an attack is one example. The sense that knowing who did it matters is misguided, said Kindervag. "If it's a digital crime, they have choices. Investigate to figure out what happened or get back to work and get the systems up and running."
After they get back up and running, there’s a lot of information that has already been lost. "To go back six months later and do forensics and hunting, that’s not ultimately helpful. If they find one attacker, they don’t find them all. If they find one threat, they don't find them all," said Kindervag.
Protection, then, has to move closer to the assets being protected and away from trying to identify who committed the crime. Kindervag likened cybersecurity to the Secret Service: "Come in really close and protect what needs to be protected. What data do we have, where is it, who has access to it at any given time?"
Despite the potential for damage and loss that comes with making these assumptions, Kindervag said, "I’m always amazed at how well things work. Having watched it from its infancy, I’m amazed. Even the problems we have with cyber crime are pretty minimal and manageable problems."