The security industry has been urged to do more to help protect individuals from low-level attacks.
Ignore the hooded hacker stereotype -- low-level attackers should be more of a security priority for most companies. Image: iStock
Companies are far more likely to be attacked by low-level cybercriminals than sophisticated nation-state backed hackers. That means that it's possible to stop the crooks doing significant damage to your systems -- if you're following the right advice and working with the right cybersecurity mindset, that is.
One of the steps towards that is admitting that a significant amount of technology -- be it computers, smartphones or Internet of Things devices -- are built with vulnerabilities that hackers will be able to exploit.
However, instead of aiming for impossible ideal of entirely bulletproof security, IT security professionals should be working towards ensuring that exploiting these vulnerabilities does the least harm possible.
"The reality is the stuff we buy, the stuff we build is going to have vulnerabilities -- get over it. We should be building systems to manage harm, not vulnerability," says Ian Levy, technical director at the National Cyber Security Centre, the GCHQ unit dedicated to protecting the UK from cyberattacks.
Part of the problem, he said while speaking at CRESTCon & IISP Congress security conference in London, is how many cybersecurity companies drum up fear about nation-state attacks -- while these do occur, most companies are unlikely to face one.
If you listen to a lot of security companies, "most of the attacks we see are performed by ninja cyber monkeys", he said, "who can compromise my laptop in my bag just by thinking about it. That's not true".
That sort of approach only leads individuals and enterprises into trying to solve a problem that doesn't necessarily exist for them -- and in attempting to prevent nation-state attacks, it's entirely possible that the real threat posed by lower-level hackers could be missed.
"We're throwing things at a problem when we don't understand what to do. [We need to] understand the value proposition or the threat we're trying to fix," says Levy, who says honesty is needed about the identity of the attackers that pose a threat -- low-level hackers rather than so-called 'advanced persistent threat' groups backed by governments.
"They're adequate, they do the minimum necessary to achieve their aims; and a lot the time that is trivial. Adequate Pernicious Toerags is what we're really, really up against most of the time. Of course there are some very-high end actors using some very high-end techniques, but let's use them as the exception; the majority of the stuff we see is this," he says.
So why are organizations potentially ignoring this threat? Simple: "The reality is a lot of the guidance we give is terrible," Levy said, referring to the cybersecurity industry as a whole, citing recommendations of using long, complex, regularly-changed passwords and how some organisations -- particularly in finance -- don't allow customers to use password managers help with security.
"It's dumb advice -- let's stop giving dumb advice," he said. He urged security firms to "take the mystery out of cybersecurity" with the aid of evidence and useful advice to help people make better decisions that "protect the majority of people from the majority of attacks the majority of the time".
When it comes to nation-state back cyberattacks, Levy is blunt about the prospects of being a target -- "there's not a lot you can do about it" -- so urged organisations and individuals to concentrate on ensuring that low-level cyberattacks do the least harm.
"The majority of people in this country don't need to worry about nation-states, the majority of people get harmed by cybercrime, they get harmed by ransomware, they get harmed by script-kiddies," he said.
"Let's take away the crap so that skilled network defenders can work on the hard stuff. Target investment in the right way so people can understand what they're defending against," he added.