A leading British cybersecurity expert has hit out at over-hyped vendor “fear uncertainty and doubt” (FUD) as distorting the public perception of online risks.
Ian Levy, technical director of the newly formed National Cyber Security Centre (NCSC), told the Usenix Enigma conference in California last week that security firms are particularly bad at overstating the impact of advanced persistent threats (APTs).
“If you call it an advanced persistent threat, you end up with a narrative that basically says ‘you lot are too stupid to understand this and only I can possibly help you – buy my magic amulet and you’ll be fine’,” he said, according to The Register.
“It’s medieval witchcraft, it’s genuinely medieval witchcraft.”
In reality, hackers with limited technical prowess – referred to as “adequate pernicious toe-rags” – are more likely to pose a risk to the average organization, he’s reported as saying.
TalkTalk, for example, was reportedly breached by a teenage hacker exploiting an SQL injection flaw – one of the most common vulnerability classes around, and one of the easiest to mitigate.
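To make the point concrete, here is an added example (not code from the article, and not TalkTalk's system; the `customers` and `staff` tables, rows and payloads are all constructed for illustration). It shows the textbook SQL injection pattern – untrusted input concatenated into query text – beside the parameterized query that closes the hole, run against an in-memory SQLite database:

```python
import sqlite3

# Constructed sample data for the demo; nothing here comes from a real breach.
CUSTOMER_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]
STAFF_ROWS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),   # placeholder hash values
    ("ops", "e10adc3949ba59abbe56e057f20f883e"),
]


def make_db():
    """Build a throwaway in-memory database with two tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, email TEXT)")
    conn.execute("CREATE TABLE staff (login TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMER_ROWS)
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: user input is pasted straight into the SQL string, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is bound to a placeholder. The driver sends it as
    data, so quotes, OR clauses and UNIONs in the input never become SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the three cases and return the result sets for inspection."""
    conn = make_db()
    # 1. Honest lookup behaves identically in both versions.
    honest = lookup_vulnerable(conn, "alice")
    # 2. A tautology payload turns "WHERE username = 'x' OR '1'='1'" into
    #    "match every row", dumping the whole customers table.
    tautology = lookup_vulnerable(conn, "x' OR '1'='1")
    # 3. A UNION payload pulls rows out of an unrelated table; the trailing
    #    "--" comments out the closing quote the code appends.
    union = lookup_vulnerable(conn, "x' UNION SELECT login, pw_hash FROM staff--")
    # 4. The same payloads against the parameterized query match nothing,
    #    because the whole string is compared as a username.
    safe_tautology = lookup_parameterized(conn, "x' OR '1'='1")
    safe_union = lookup_parameterized(conn, "x' UNION SELECT login, pw_hash FROM staff--")
    return {
        "honest": honest,
        "tautology": tautology,
        "union": union,
        "safe_tautology": safe_tautology,
        "safe_union": safe_union,
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Parameterization is the whole fix; the vulnerable and safe functions differ by one line. Escaping or "sanitising" the input by hand is the usual wrong answer, because it has to anticipate every quoting rule of the database in use. Running the application against the database as a low-privilege account that cannot read `staff` at all is the sensible second layer, so that a query the code never meant to run still cannot reach data it never needed.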
The NCSC will play a key role going forward in developing security strategies and systems to help protect the UK’s critical infrastructure and private businesses.
Gavin Millard, EMEA technical director at Tenable Network Security, agreed with Levy that the majority of threats facing organizations are far from advanced in nature.
“Luckily security professionals see through the marketing bluster of hackers in hoodies, dropping zero days all day to breach everybody, everywhere, and know that following independent best practices for security rather than buzz words is far more effective at reducing the probability of data loss,” he argued.
However, Alex Mathews, lead security evangelist at Positive Technologies, claimed that both advanced and more commodity type threats pose a risk to organizations.
“Our research shows that a lot of people, even system administrators, still use simple passwords like ‘123456.’ If this is the case, then even advanced security can be defenseless from someone with a very low level of skill,” he added.
“However, with the breakneck pace of cyber-attacks, there will always be skilled threat actors using ever more inventive ways to breach companies. Going in low and quiet in this way, means they can stay hidden on networks for longer. This gives them a serious advantage that shouldn’t be overlooked.”