What’s in a Term?

One of my least favorite things in cybersecurity is this almost obsessive need from marketing people to develop and push more and more terms and acronyms. It seems that every day we have a new one dropping; many of these are simply a rehash of, or an addition to, an existing term. A good example of this is social engineering. This is typically defined as “The manipulation of people to share information or access systems that they shouldn't.” Yet we now have multiple terms which describe subsets of this larger item, like Phishing, Smishing, Vishing and even the terrible Quishing. Oddly enough, most of these new terms revolve around a protective product and/or service. As they say, therein lies the rub.

When a new or different method of breaking into an organization enters the fray, and the right “influencers” or “thought leaders” talk about it, there is a shift in the toolset marketing landscape. With social engineering, the term was fine to cover most aspects or varieties of this type of attack until… well, until it wasn’t. This period of tranquility lasted about 3 years, until a group called AOHell mentioned “phishing” in a Usenet group in 1996. This term was more specific than social engineering in that it specifically mentioned the use of bait to entice people to give up the information back in the bad old days of AOL.

Another few years passed, and the terms evolved again. This time the evolution was not led by a threat group; it was marketing people who appeared to have coined the phrases Smishing (SMS Phishing) and Vishing (Voice Phishing). Both are still Phishing, which is a social engineering tactic, but those are not as catchy and do not play well on an ad or banner at a conference. It is also worth noting that the term “Social Engineering” goes all the way back to around 1842, when it was used to describe top-down efforts to influence particular attitudes and social behaviors on a large scale—most often undertaken by governments or media. It wasn’t until the early 1990s that it was applied to cybersecurity.

But wait, there’s more! Even outside of social engineering or phishing, the market has developed terms, beaten them into the ground and then moved on with new terms. Take terms like Risk, Vulnerability, and Exposure. This should be easy, right? Well, let’s take risk and break it down. What type of risk? Is this business risk, financial risk, cybersecurity risk, and so on? Folks, risk is risk, full stop. For that matter, a business risk involves financial risk, and cybersecurity risk is a subset of both financial risk and business risk. Talking about them like they are not connected is (in my personal opinion) done to either attempt to reject ownership of the risk, or to sell a product/service. I have news for the “business risk” people: getting hit with ransomware or even a business email compromise is going to have a business impact and lose you money.

Now let’s talk about Vulnerability. When people hear (read) the term Vulnerability, the first thing they are likely to think about is the CVE (Common Vulnerabilities and Exposures), which then, all too often, gets to scan and patch. In reality, a vulnerability is any weakness in your environment that would allow for compromise, exploitation, or other failure. Not having proper diversity of services or redundancy is a vulnerability. Improperly trained staff is a vulnerability. Bad or incomplete configuration of a product is a vulnerability. You get the picture here. It is not just a software flaw, and the industry needs to stop acting like it is. Sadly, because this has been the push for so long, people all too often ignore the other aspects of the term. I have been on calls with clients and had them ask, “if I just patch as soon as possible, can I drop my vulnerability scanner?” Or when I suggest one, I get “we patch often, so we do not need a vulnerability scanner.” This type of response illustrates how much bad marketing can impact cybersecurity.

Last word in the list there, Exposure. Exposure is a strategic term which indicates the likelihood of impact or interaction. It can also function as a tactical term when you are talking about a specific item (how exposed are we to that?). This term apparently was not enough, so we had to create a few, like “attack surface”, to sell more product. Exposure reduction includes an understanding of your attack surface (which also rolls into asset management, but that is for another article).

Cybersecurity is simple. However, it is very, very hard. Adding more and more terms to the mix does not help cybersecurity. Sure, it helps sell your product to people who are already suffering from toolset fatigue. Again, I have been on calls where a prospective client will list off all the tools they have, but cannot understand why they keep having compromised accounts or getting malware, etc. They bought the latest ‘$tool’ which they were told would fix all their problems, and yet things keep happening. They get frustrated and, in some cases, begin to wonder if it is all worth it. Some will stop spending on security, cut staff and just risk it.

Before any of my friends in marketing grab torches and pitchforks, I am not saying that all marketing is bad. I am saying that careless marketing, or snake oil type marketing (and sales), is bad. There is no product that is going to fix everything, and marketing something in a manner which suggests that needs to be avoided. There needs to be something of a reset in the way the industry talks about and approaches cybersecurity; if we keep pushing on the way we are, little is going to change. People will stop buying your ‘$tool’ eventually when they realize that it does not fix everything and does not work the way it was marketed or sold. Sadly, the people who were there to step up and protect the environment might not be there (again due to “this replaces x number of FTEs” marketing) and now another organization is left exposed along with their clients.

For me, I will continue to cut through the marketing hype and FUD in order to help people build security cultures which work and perhaps (via baby steps) there will be a larger shift because of it.

OK, soapbox put away… for now.
