Why Cyber Security Advice Sometimes Seems Inconsistent
For Small Organisations and individual users it is often difficult to know what they should be doing, and by the time they find out and start doing it, they may discover that it is no longer what they should be doing. We explore some of the reasons behind this, as well as our own frustrations with what happens in practice.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
- Introduction
- Password guidance inconsistencies
- Password issues extend beyond just basic logging on
- Vendors not following the same best practice
- Vendor responses to vulnerabilities
- Guidance around compensating for the lack of vulnerability updates
- Confusion or inaction
- Timely guidance vs simple guidance
- Organised crime has got more organised
- Specialisation of criminal expertise and activities
- Examples of service provider responses
- Risk-based approaches change over time
- Conclusion
Introduction
In this episode, we're looking at why cyber security doesn't appear to be an exact science to many non-cyber-security professionals, and why it sometimes seems contradictory depending on where a user searches for the information.
"When the guidance for so long is one thing [...employees] find the changes disruptive to their behaviours."
Password guidance inconsistencies
One of the areas where the inconsistency is most apparent is passwords.
For years, the guidance was "you must change your password every 30 days, 60 days, or 90 days", depending on the password policy. Users often responded to this guidance by simply adding a "1" at the end of the password, then they would add a "2" then a "3" and so on at the end of each period.
When professionals realised that the easy password was effectively the same each time apart from the last digit, the guidance changed to stop this. There was also a recognition that changing passwords every 60 days actually reduced security, because it encouraged users to create weak passwords where only the last digit changed from one period to the next.
This means that the basis of both sets of guidance was sound, but in the first one, professionals under-estimated the inventiveness of users in finding an easier method of remembering their many passwords.
However, when the guidance has been one thing for so long and then changes to another, not only does it take time for users to get used to it, but they also find the change disruptive: their established behaviours were shaped by complying with the old policy, not necessarily by good practice.
This is further complicated where Organisations adopt the correct guidance, but the system they're using doesn't let them implement it. For example, for a considerable time, Microsoft users couldn't set a password for an Office 365 administrator account that was longer than 16 characters. This was while the advice was "use long, complicated passwords or passphrases."
Similarly, people who try to add non-alphanumeric characters are told by the system that they can't, or that the password is too long and/or has non-standard characters. "But it's only 12 characters long. What do you mean it's too long?!"
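The following is an added example (not code from the page, from Microsoft or from any vendor) of what a password-change check looks like once it follows the newer guidance described above: it rejects a new password that differs from the old one only by a trailing counter, screens against a list of known-bad passwords, accepts long passphrases and non-ASCII characters, and stores the password with a standard-library key derivation function so nothing is silently truncated at 16 characters. The blocklist and the 12-character minimum are assumptions for illustration; a real deployment would screen against a breached-password corpus.

```python
"""Password-change policy reflecting the newer guidance: no forced rotation,
no short maximum length, screening instead of complexity rules.
Added example; the blocklist below is a constructed stand-in for a
breached-password list, and the thresholds are illustrative."""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import List, Optional

# Constructed stand-in for a breached/common-password corpus.
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "summer2021", "welcome1"}

MIN_LENGTH = 12    # a length floor, instead of character-class rules
MAX_BYTES = 256    # sanity bound for the KDF, not a usability limit

_TRAILING_COUNTER = re.compile(r"[0-9]+$|[!@#$%^&*]+$")


def _normalise(pw: str) -> str:
    # NFKC so the same passphrase typed on two keyboards compares equal
    return unicodedata.normalize("NFKC", pw)


def _stem(pw: str) -> str:
    """Strip the trailing digits/symbols users bump on each rotation
    ("Summer2021!" and "Summer2022!!" both reduce to "summer")."""
    s = pw
    while True:
        t = _TRAILING_COUNTER.sub("", s)
        if t == s:
            return t.lower()
        s = t


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the reasons the new password is rejected; an empty list means OK."""
    new = _normalise(new)
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(new.encode("utf-8")) > MAX_BYTES:
        problems.append(f"longer than {MAX_BYTES} bytes")
    if new.lower() in BLOCKLIST:
        problems.append("appears in the blocklist of known-bad passwords")
    if old is not None:
        old = _normalise(old)
        if new == old:
            problems.append("same as the current password")
        elif _stem(new) and _stem(new) == _stem(old):
            problems.append("only a trailing counter changed since the current password")
    return problems


def hash_password(pw: str) -> str:
    """scrypt with a fresh salt; the full UTF-8 password is used, whatever its length."""
    salt = os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(_normalise(pw).encode("utf-8"), salt=salt, n=n, r=r, p=p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(_normalise(candidate).encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(check_new_password("correct horse battery staple 8", "correct horse battery staple 7"))
    print(check_new_password("Password1"))
    stored = hash_password("a passphrase well over sixteen characters, with ünïcödé")
    print(verify_password(stored, "a passphrase well over sixteen characters, with ünïcödé"))
```

The stem comparison is the piece the old rotation policy lacked: it catches the "add a 1, then a 2" habit directly, rather than hoping a 60-day expiry produces genuinely new passwords.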
Password issues extend beyond just basic logging on
Related to general password issues are the Wi-Fi security standards used to protect passwords and logins for network devices. We were once told that a certain Wi-Fi encryption standard was secure; then, when everyone had adopted it, the guidance changed to "it's not secure anymore, it can easily be broken into, we need to use this new, more secure one now". Then, once everyone had got used to the new one, it changed again: "that's not secure anymore". Users start asking, "Well, what do we do? That old standard is the only one on our equipment, we can't use functionality on our systems that doesn't exist, so now we are non-compliant with the guidance."
"Guidance doesn't always trickle down to all ... the people responsible."
In some cases, the guidance on Wi-Fi changed due to technology changes in faster speeds, but users hardly ever know why guidance is changed.
As an Organisation, the guidance is to be followed until it changes again or is superseded. But often what happens is, that the information doesn't trickle down to everyone.
I know of incidents of disagreements with cyber insurance firms because the guidance doesn't always trickle down to all Small Organisations and the people responsible in them. In one particular case, it was the other way around, with the cyber insurance firm using outdated guidance. So, Small Organisations very rightly get confused and may either do the wrong thing or even worse, something that reduces security for their Organisation.
Vendors not following the same best practice
We've already mentioned vendors and technology providers, and even today the latest guidance on passwords hasn't reached all Organisations and individuals, whether it's Microsoft (as in the previous example), a new service, or one that's been around for a long time. Each service provider may be working to a completely different set of authentication rules, because there is so much guidance around that it depends on which one they find and which is easy to implement. So they're either working on older guidance, or they don't know which guidance, or whose, to follow.
The guidance also changes often around clicking hyperlinks. The only guidance other than "don't click that" used to be to hover the cursor over a link and check where the URL was pointing. But things changed with shortened links, and with criminals using legitimate websites to forward users on to attack sites, where checking wouldn't have been much good because it wouldn't have revealed anything obvious. Everything would look legitimate but would lead users to a compromised website or service.
A few years ago, Jamie Oliver's website was compromised three times in one year, and there was nothing suspicious whatsoever when a user looked at the link before going on to the website. Unfortunately, the only way for a user to find out was to click it, and when they did they would be compromised. This wasn't Jamie Oliver's website doing something wrong; it was criminals abusing links in new ways to confuse users.
All this meant that the guidance for identifying a suspicious link was no longer useful, because there really was nothing visible a user could identify. So timely guidance can sometimes contradict the previous guidance, and it can happen both ways.
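As an added example of what the "hover and check the link" advice can and cannot catch, the following is illustration code, not something from the page: it inspects a link's destination for the patterns the passage describes (a shortener hiding the real target, a legitimate-looking host whose query parameter forwards elsewhere, visible text that disagrees with the actual destination, a lookalike brand host) and returns a list of warnings. The shortener list, brand list and sample links are constructed for the example. Its real lesson is the final case: a link straight to a legitimate but compromised site produces no warning at all, which is exactly why the old guidance stopped being sufficient.

```python
"""Heuristic link inspection: what a careful hover-and-check can detect.
Added example with constructed lists; a real tool would use the public
suffix list and a maintained shortener/brand database."""
import ipaddress
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}          # constructed, partial
BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}           # constructed, partial


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _registrable(host: str) -> str:
    # Crude: the last two labels. A real implementation uses the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _embedded_urls(url: str):
    """Yield (param, url) for http(s) URLs hidden in the query string,
    the open-redirect pattern ("legit.example/?redirect=https://evil...")."""
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                yield key, value


def assess_link(href: str, visible_text: Optional[str] = None) -> List[str]:
    """Return warnings for one link; an empty list means nothing visibly wrong."""
    parts = urlsplit(href)
    host = _host(href)
    warnings = []
    if parts.scheme == "http":
        warnings.append("plain http")
    elif parts.scheme != "https":
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
    except ValueError:
        pass
    if "@" in parts.netloc:
        warnings.append(f"userinfo before the real host; destination is {host}")
    if host in SHORTENERS:
        warnings.append("link shortener hides the real destination")
    for key, target in _embedded_urls(href):
        if _registrable(_host(target)) != _registrable(host):
            warnings.append(f"parameter {key!r} forwards to {_host(target)}")
    for brand, legit in BRANDS.items():
        if brand in host and _registrable(host) != legit:
            warnings.append(f"host mentions {brand} but is registered as {_registrable(host)}")
    if any(ord(c) > 127 for c in host) or host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalised domain name (possible homograph)")
    if visible_text:
        text = visible_text.strip()
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = _host(text if "://" in text else "https://" + text)
            if _registrable(shown) != _registrable(host):
                warnings.append(f"visible text says {shown} but link goes to {host}")
    return warnings


# Constructed sample links for the cases discussed in the passage.
SAMPLES = [
    ("https://www.example.com/recipes", None),                       # legitimate (or compromised!) site
    ("https://bit.ly/3abcdEF", None),                                 # shortener
    ("https://login.example.com/auth?redirect=https%3A%2F%2Fevil.example%2Fx", None),
    ("http://203.0.113.5/login", "https://www.example.com"),          # text and href disagree
    ("https://paypal.com.account-verify.example/login", None),        # lookalike host
]

if __name__ == "__main__":
    for href, text in SAMPLES:
        print(href, "->", assess_link(href, text) or "no warnings")
```

Note what the first sample shows: a plain link to a legitimate domain passes every check, so once criminals compromise the legitimate site itself, hovering tells the user nothing.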
Any guidance or change in guidance has to be simple because if it's not simple, no one is going to follow it and the message will be lost.
Vendor responses to vulnerabilities
Another factor that leads to inconsistent guidance is how vendors deal with vulnerabilities and the patches and updates for them. Patches and updates take some vendors a long time, while others take even longer. However, the interim guidance on dealing with the vulnerability by putting additional controls in place is only relevant for a short period. By the time the guidance gets down to Organisations there may already be a patch, so they no longer need the additional controls. Equally, they may already have been compromised.
So, because all this guidance takes time to filter down, it may seem inconsistent even though that's not necessarily the case. Sometimes there is straightforward guidance that remains in place for much longer, where an update may not be available for several years.
If Organisations take a risk-based approach, their response should be simple and straightforward for the risks faced.
Guidance around compensating for the lack of vulnerability updates
Over the last few years, patching has been considered a nightmare where Microsoft Windows Updates are concerned. The guidance was to update as soon as possible, but Microsoft then pulled a Windows update because it was causing so many problems that it was nearly as bad as the malware exploiting the vulnerability being patched.
This caused issues. One minute the guidance is to update and the next it is don't update. Then it's "just don't update this bit yet, but that bit is okay", which obviously confuses Organisations. We've raised these issues with vendors, but we don't know the complexities or the problems they are having.
Organisations just want things fixed, without knowing how many other things the fix is going to affect. And if a patch is rushed, it can cause more problems. So it's often a real balancing act, and many vendors can get it wrong.
Confusion or inaction
Sometimes the guidance clearly states to do certain things, and once that is ingrained in how Organisations operate, they may be told to stop doing it or to do something completely different. When Organisations are not given the background as to why the guidance has changed, some will find a work-around to the preferred approach because the guidance interferes with getting things done.
In some cases, the confusion or inaction some guidance has created is like leaving the back door of the kitchen open (because there's so much security at the front door), so that everyone uses the back door for convenience. That's effectively what many Small Organisations see happening when the guidance changes from "you mustn't do this anymore" to "you have to do this" and everyone asks, "but why?" The confusion, or the inaction caused by it, often comes down to the lack of an adequate explanation of why.
As security professionals it's frustrating for us too; we still see this regularly. Inconsistencies between the advice or guidance for a given action and what the system owner has actually implemented in their technology make the situation worse. So, for simplicity, staff end up using the same password everywhere, because the system they log on to doesn't know they've used that password somewhere else. The user just thinks, "this one has been accepted, I know this one, I'll use it here as well," and before we know it the same password is used for lots of logons, which causes a whole heap of problems.
Timely guidance vs simple guidance
Sometimes there is timely guidance and other times there is simple guidance. Getting the message out to Organisations from the National Cyber Security Centre (NCSC) and all the other public channels can take a long time. So, when that guidance actually reaches the Small Organisation, it may be several years after it was produced.
In the meantime, it's possible that alternative guidance has come through because people needed something quickly, which in itself has been another challenge. We mustn’t forget that guidance from the NCSC has only been available for the few years it has been set up. Before that there was next to nothing available for Small Organisations. For password guidance, that's definitely true, the NCSC does provide more useable password guidance now.
An example I've seen is where the guidance for the Cyber Essentials certification scheme was that the Organisation's users had to change their password every 60 days. However, research undertaken by the NCSC (even though this is an NCSC scheme) found that changing a password every 60 days is actually less secure, because it led users to have to remember many new passwords every 60 days.
The challenge with this good-practice guidance was that it took a while before the Scheme was changed to implement it. These things take time to filter down, and because of that delay we as security professionals end up providing guidance that is inconsistent, even while we try to keep it simple. The fact is that until everyone, including all technology implementers, security standards bodies and everyone else, has made the changes, we are sometimes knowingly providing inconsistent guidance, even though that is not our intention. It happens, it's not what we want, but it's just the way things are sometimes, which is not good enough.
Organised crime has got more organised
Cyber criminals are getting really organised, and realising that in some cases, instead of competing against each other, they can sell or exchange services and share knowledge amongst themselves. For example, one group which is knowledgeable about a particular topic will collaborate with another to take advantage of ordinary Organisations.
With things like extortion and ransomware, some provide their tools and knowledge as a service to be used by others on a revenue-sharing basis. This makes it easier for less technical criminals to get in on the act, because they may have other tools or assets, such as database lists, which may also be offered as a service, and some may be shared freely on the basis of taking a percentage cut of the profits generated.
They run their operations like Organisations and even have a help desk where compromised Organisations can ring up and get information on how to pay them. This organised collaboration is what the world has been up against. So Organisations are not just defending against single individuals who have invested a lot of time and resources to get to a certain point; they are defending against many groups of criminals who have paid other criminals, and so on, and who may be working together. They share knowledge, buy the same security tools we are buying, and test against them. This is sometimes why all the security measures Organisations put in place to defend themselves do not work very well.
Because the goalposts often move, Organisations are faced with guidance that seems contradictory where it has had to be adapted to criminals changing what they do and how they do it, sometimes much more quickly than security professionals can respond.
Specialisation of criminal expertise and activities
The specialisation of cyber criminals to the nth degree also has an impact on the guidance provided. Because criminals are looking to make money, and they know that these activities are illegal, they are very focused on protecting what they do. At the same time, there are many technical criminals enabling each opportunist criminal to carry out their activities. For example, one might harvest email addresses, another might bring several million of those addresses together as a package which can then be sold and used for different activities, and a cut would be paid to those who harvested the original emails.
All this has made it far easier for criminals to do more bad things than we as security professionals may be able to respond to in securing our Organisations and ourselves. It is a race to see who is going to achieve the better results.
Examples of service provider responses
That reminds me of two-factor authentication via mobile text messages, which certain banks were using because it worked, without realising that, due to SIM-swap fraud, criminals could gain access to that one-time code or password. This highlighted that it wasn't necessarily a good idea: it only half worked as a security control, so the guidance now is to avoid using it where users can, and to prefer an authenticator app.
Related to this is where service providers come up with a solution without necessarily exploring it in detail, for example implementing their own encryption standard or approach instead of using those that have been tried and tested as international standards. Where vendors have taken the wrong approach to such things, it still comes across as if the security industry has been advising Organisations to do the wrong thing, even though it is just an individual vendor.
Another example is the mag locks on office doors. From a risk perspective, although they eliminate the need for keys and proximity fobs, all anyone needs to do is set the fire alarm off and every door in the building opens. The solution addresses one set of risks but magnifies and introduces a whole range of others. That's the challenge when people look at risks: they may not look at the bigger picture and at the use cases from an attacker's point of view. The same is true in our world of computers, cyber and the internet, where the picture can often seem too big to understand.
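As an added example of what "prefer an app" actually means in practice (illustration code, not the page's own or any bank's implementation), the block below implements the time-based one-time password (TOTP) that authenticator apps generate, per RFC 6238 on top of HOTP (RFC 4226): the code is derived from a shared secret and the current time on the device, so no code ever crosses the mobile network and a SIM swap gives an attacker nothing to intercept. It also shows the server-side checks a practitioner needs, namely a small window for clock drift and rejection of a code whose time step has already been used. The base32 secret and the enrolment details are constructed for the example.

```python
"""TOTP (RFC 6238) as generated by authenticator apps and verified server-side.
Added example; the enrolment secret and account details are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based OTP: HMAC(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter being the number of steps since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                window: int = 1, last_used: int = -1, step: int = 30,
                digits: int = 6, algo=hashlib.sha1) -> Optional[int]:
    """Return the matching time step, or None. Accepts +/- `window` steps of
    clock drift and refuses any step <= last_used (replay of a seen code)."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown at enrolment (QR code / manual entry)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI that authenticator apps import via QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed enrolment for an imaginary account.
    b32 = "JBSWY3DPEHPK3PXP"
    key = secret_from_base32(b32)
    print(provisioning_uri("ExampleBank", "alice@example.com", b32))
    now = time.time()
    code = totp(key, now)
    print("app shows", code, "-> server accepts step", verify_totp(key, code, now))
```

The `last_used` bookkeeping matters: a phished code that the victim has already submitted must fail even inside the drift window, otherwise the attacker has roughly a minute to replay it.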
This is also true of some of the use of biometrics. At one time we were told that biometrics are better than passwords because users don't have to worry about complexity or remembering them. But I've always argued against that because if my password gets compromised, I can change it. However, I can't change my biometrics data if somebody else has become me, by compromising the server collecting the biometric data. I can't change who I am, nor can I easily prove that the person in the database was me before the compromise.
"Guidance does change and will change regularly, as the approach is risk based."
Risk-based approaches change over time
Guidance that changes, or seems inconsistent, should always be risk-based, even though how we think about risk may also change over time. What is most important today may not even be important next year, and when that changes, the guidance has often changed accordingly.
The way Organisations and the security industry approach security risk has moved from perimeterisation to de-perimeterisation, and operating on zero trust still hasn't reached Small Organisations. The idea of operating on a zero-trust basis, where security controls are built around the assets to be protected on the assumption that anything in the environment could be hostile, has not filtered down as simple guidance. This is another example of why the cyber security guidance that reaches ordinary Organisations seems inconsistent.
Guidance does change and will change regularly, but as long as the approach is risk based, I'm happy with that.
Conclusion
All Organisations hopefully do what they were set up to do, which is to make money by focusing on running the Organisation and selling its products and services. They are not there to understand security risks and follow all the latest guidance, nor do they often have the time to do so. Many Organisations do understand the role of security in protecting them, but are often left confused as to which of several guidance options is the best for them. Although this may not get better in the immediate term, we hope to provide a forum for simple, timely advice for Small and Medium-sized Organisations.