Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Most Cyber-Security Reports Only Focus On the Cool Threats (zdnet.com) 27

The vast majority of reports published by the cyber-security industry focus on high-end economic espionage and state-sponsored hacking topics, ignoring threats to civil society and creating a distorted view of the actual cyber threat landscape that later influences policy-makers and academic work. From a report: In an article published in the Journal of Information Technology & Politics, a team of academics made up of some of today's biggest names in cyber-security and internet research fields analyzed 700 cyber-security reports published over the last decade, between 2009 and 2019. "The reports we collected were derived from two types of sources: first, commercial threat intelligence vendors (629 reports), and second, independent research centers (71 reports)," academics said. In addition, the team also examined helpline data from AccessNow, a digital rights advocacy group, in order to understand the true digital threats, as reported by the end-users themselves.
This discussion has been archived. No new comments can be posted.

Most Cyber-Security Reports Only Focus On the Cool Threats

Comments Filter:
  • by burtosis ( 1124179 ) on Monday September 07, 2020 @06:29PM (#60483226)
    So if the squeaky wheel gets the oil, the sexy security flaw gets the patch?
    • by raymorris ( 2726007 ) on Monday September 07, 2020 @09:49PM (#60483478) Journal

      Quoting the article:
      "most of the reports produced by independent research centers were focused on the threats to civil society".

      The researchers found that when commercial vendors selling security-related products send information to their customers (businesses), most of those updates focused on the threat to the business. That is, it discussed the information in the context of how it affects the reader. That's thr half that the headline is based on.

      Also, the researchers looked at updates coming from vendor-nuetral sources, sources used industry-wide, and found that most of those talked about threats to broader societal issues.

    • by phantomfive ( 622387 ) on Monday September 07, 2020 @11:12PM (#60483572) Journal
      tbh they don't even care if it gets the patch. Most security companies doing this kind of thing are doing it for the free advertising that comes with getting a high profile exploit. That is why sometimes you see an exploit with its own logo. They often don't care if it's a real exploit, as long as it gets attention, so that's why we have the phrase POC||GTFO.
  • by Lije Baley ( 88936 ) on Monday September 07, 2020 @06:41PM (#60483254)

    The way they stick to misusing the term "Cyber" pretty much says it all. There is little other purpose for calling computer security "Cyber Security". And of course they employ all sorts of other cool-sounding terms and procedures. That, along with their "cop talk", tends to make their "posing" kind of obvious. "We detected this individual individuating on the premises." "Roger that, Cyber Squad S1A deploying!"

    • by raymorris ( 2726007 ) on Monday September 07, 2020 @09:59PM (#60483492) Journal

      Fyi, it's actually the federal government that chose the term "cybersecurity". The feds dole out a lot of money for cybersecurity and have a lot of requirements for cybersecurity, from the Cybersecurity and Infrastructure Security Agency (CISA) and others. The feds set cybersecurity requirements and pay for cybersecurity programs , so it's called cybersecurity - and it doesn't matter if you or I like that term. We have to comply with "cybersecurity" requirements from CISA (the Cybersecurity agency), even if we wish they were called the Computers and Stuff Agency.

      As to the rest of the words, if you find the words "threat" or "espionage" hard to understand, I don't know what to tell you.

      I guess I can tell you that words matter when you're doing this professionally, because a threat is a very different thing than a risk, which is different from a vulnerability. They mean different things, and confusing them will get you all screwed up and make communication difficult. Kinda like some non-nerd in your office might use the word "memory" to mean "hard drive" and the word "CPU" to refer to the main enclosure and everything in it, but the distinction matters when you're ordering more memory and benchmarking CPUs.

      • Yeah, I'm aware of the government / military obsession with "cyber" and would say that it was caused by the kind of culture I am lamenting, as well as perpetuating it. I have no problem with precise and meaningful words. "Cyber", however, in this context, just means "I'm cool, so give me a blank check, and don't question anything I do with it". And I've heard this is pretty much why it came into use in government circles.
        I would say though, that I would gladly give computer security folk a free "cyber" p

        • The link you posted goes to an empty page. It appears the wiki you chose has never heard of your word. Which is actually kinda funny considering that you're complaining about the words my profession uses. :)

          Anyway, clearly you dislike the term cyber security to distinguish from physical security, economic security, etc. Do you prefer the original term, cybernetics, which means the study of control systems and communications between people and machines? (From the ancient Greek for ship pilot, who controls

          • AC is correct -- though not very nice about it. I ended up with an extra slash on the end of the link. https://rationalwiki.org/wiki/Whacker [rationalwiki.org]

            Yeah, I read a lot of books when I was younger, including something from Norbert Wiener, who coined the term "cybernetics", so I while I was always surprised and dismayed to see the level of abuse of that word that ensued in the 90's and beyond.

            As for a person being called a person, that's just a peeve from my anecdotal experience with sitting over the cube wall from

  • by gavron ( 1300111 ) on Monday September 07, 2020 @07:28PM (#60483302)

    When summarizing an article, include the point, not how researchers went at it.

    In an article published in the Journal of Information Technology & Politics, a team of academics made up of some of today's biggest names in cyber-security and internet research fields analyzed 700 cyber-security reports published over the last decade, between 2009 and 2019. "The reports we collected were derived from two types of sources: first, commercial threat intelligence vendors (629 reports), and second, independent research centers (71 reports)," academics said. In addition, the team also examined helpline data from AccessNow, a digital rights advocacy group, in order to understand the true digital threats, as reported by the end-users themselves.

    That's your lede?

    It says NOTHING. If you can't be bothered to summarize the article, just don't post.

    E

  • by chill ( 34294 ) on Monday September 07, 2020 @09:34PM (#60483456) Journal

    Keep things patched aggressively. Configure systems to a baseline standard, like CIS. Don't use default passwords. Rinse, repeat.

    Patching and configuation are the blocking and tackling of the cyber security world. But telling someone to do that is like telling kids to eat their vegetables. No one wants to hear it. They want silver bullets, magic pills, and Hollywood blockbuster plot lines.

    The Ocean's 11 crew isn't coming for your data, but some kid will definitely be jiggling the knobs to see if you left the doors and windows unlocked.

    • by Tom ( 822 )

      Patching and configuation are the blocking and tackling of the cyber security world. But telling someone to do that is like telling kids to eat their vegetables. No one wants to hear it. They want silver bullets, magic pills, and Hollywood blockbuster plot lines.

      Not true anymore. ISO 27001, IEC 62443 (the new industrial standard) and both COBIT and ITIL put considerable stress on the operations site of cybersecurity. Yes, it's the boring stuff, but it's finally dawned on most people that cybersecurity isn't so much unlike physical security - in the end, you need someone to simply watch the door and walk around the fence every hour to check if things are ok. Also, a better lock beats a fancy alarm system.

      We know that, it's finally arrived in manager heads (thanks IS

    • > Patching and configuation are the blocking and tackling of the cyber security world.

      That's exactly right. Gotta do those.

      Of course if we're going to use a football analogy (blocking and tackling), we can also say that on many teams the kicker is the top-scoring player. For example last year, the Kansas City kicker scored 147 points (mostly field goals). So kicking is important. The receivers each got 42 points. So catching and passing is important.

      So yeah, week 1 - apply all security updates.
      Week 2

  • Things that are "high visibility" get attention over mundane activities. Implementing UI changes and flashy new features get worked on, fixing bugs and adding small/low-level features requests gets pretty much ignored. /me looks like Mozilla bugtracker

  • by CaptnCrud ( 938493 ) on Monday September 07, 2020 @11:50PM (#60483618)

    The .com extension is a convoluted mess of commercial entities, there is no clear separation of concerns for commercial and how each sector should deal with cyber threats targeting their industry. Everything in between tries to be a blanket fix that wont really address the problems until a clear separation of certain .com entities is done.

    They need to require segmenting the .com domain extension, "commercial" has become too broad of a topic and there is too much overlap and conflicting ideas on how to blanket address many security related issues.

    You want to do Social media? Fine you need to register as a .sm, news providers should be on .news...etc..., once you get people grouped they can form their own security committees to define the policies everyone needs to adhere to to participate in their extension. Now you can actually do something good and meaningful because everyone involved cares about the same thing, and not throwing half the book out because they don't care/or because it doesn't apply to them.

    Sometimes its not appropriate to apply the same rules to someone that's a textile plant just trying to advertise with a website vs someone like facebook with an almost global level of traffic to their site. In my experience its the small textile plants are likely to be infected with garbage and not even know it, segment that industry, its obvious they only want a billboard but since they hired the owners nephew to do it the site wasn't properly setup, these people might not now they are sending spam mail behind the scenes (and may not even care if it doesn't effect their site or business operations)...so no you have a company that chooses to be complacent its other peoples problem because it has no tangible effect on them....I've actually seen this exact scenario play out so many times its not even funny....

    • Forcing specific types of content by domain suffix is worthless, because you can't trust that they won't be owned and used to deliver other types of content. Completely pointless idea.

      • I don't know why you think its pointless, they audit domain names all the time to flag spam, pirate sites and to blacklist domains, is that pointless? How would this be any different except on a more granular level?

        You can reply if you wish but don't expect any further conversation....ts a completely pointless idea....

        • I don't know why you think its pointless, they audit domain names all the time to flag spam, pirate sites and to blacklist domains, is that pointless?

          You really can't see that auditing a specific domain is different than pretending a TLD is only going to have one kind of content on it because it's supposed to?

          • cloud based store fronts and self/partial and canned servers and services do exactly what I am talking about all the time within their own networks...so no, I don't see how its as vastly different as you are implying...

  • by Tom ( 822 ) on Tuesday September 08, 2020 @01:16AM (#60483740) Homepage Journal

    Almost all of those reports are compiled by some company which has something to sell. Typically and unsurprisingly, either a product or a consulting service to help you with... wait for it... your cybersecurity problems!

    They, obviously, focus on two kinds of threats: The flashy and dangerous-sounding ones that make people worry about cybersecurity (and ask for help), and the ones where they just so happen to have a product or service they can sell you.

    That's why in the reports issued by malware companies, the main danger is malware and anything related to it (say, phishing) while in the reports issued by consulting companies, process failures, human failures (social engineering) and other things that you can fix with a better security management, some awareness trainings, etc. take the spotlight.

    These reports are useful - I work in the sphere, I use them constantly - but you should never take them at face value and always look at several of them (and notice how they find different numbers for the same things).

    And, of course, some things such as the daily whatever are underreported.

  • Most Cyber-Security reports don't mention the OS. And Most cyber-security outfits are selling cyber-snakeoil.

    "This Russian influence campaign focusing on individuals and civil society caught most scholars and policy-makers off guard; it did not correspond to prevailing threat models focusing on critical infrastructure disruption and large-scale digital espionage"

    Yet more Cyber BS from the Microsoft Zdnet!

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...