Are security professionals suffering from the Dunning-Kruger effect?
A new report highlights the disconnect between security professionals’ perception of their organization’s security maturity and the effectiveness of the policies they actually implement.
Researchers from threat detection firm GoSecure developed a survey in collaboration with Serene-Risc, a knowledge mobilization network for the cybersecurity industry.
The research project looked at a series of specific security measures or controls – including multi-factor authentication, password policies, patch management, asset inventories, and endpoint visibility – and examined whether they were rated as important by respondents, as well as whether or not they were implemented.
Survey results were then cross-referenced against what was actually needed, based on the attack vectors that GoSecure penetration testers see in the real world.
The team found that the more these security measures were implemented, the higher the respondents rated their organization’s security maturity. However, there were two exceptions – minimum password strength requirements and investigating products for features that could represent a risk.
These measures didn’t correlate with perceived security maturity, but were closely linked to major attack vectors found in penetration testing reports.
Cognitive blind spot
“The problem is two-fold,” Laurent Desaulniers, GoSecure’s director of pen testing, told The Daily Swig. “For some aspects of security, the issues are [that there is] not enough training or technical problems preventing us from putting the controls in place, but for other cases it’s a cognitive blind spot.
“When we’re talking to security people they tell us it’s not my (their) job, it’s a sysadmin job or it’s for HR to determine. It’s understood as a function, and that means it’s often underbudgeted or it’s not understood – and it’s difficult to fix a problem you don’t know about or understand as a problem.”
While 93% of security professionals said they valued multi-factor authentication, only 47% had implemented it.
Meanwhile, patch management, rated as important or very important by nine in 10 respondents, is itself patchy – more than half of those surveyed said it takes weeks or months to apply a security update once a patch is made available, and 3.1% said it took more than a year.
“Even though we perceive things are super-important, it’s hard to implement them in the enterprise because of barriers,” says GoSecure researcher Masarah Paquet-Clouston.
“If, for example, you want to implement multi-factor authentication, there’s a lot of work to do in terms of infrastructure and user acceptance, so they acknowledge the importance but are still blocked from implementing these measures.”
Password compliance headaches
Passwords were another area where there was a big mismatch between perceived security maturity and actual security.
This, says the GoSecure team, is because password selection policies are often just a tick-box effort, requiring only the use of at least one number or special character in a password, for example.
But, as Desaulniers points out, “We find out that the season of the year – Winter-2020 – would be suitable for most security policies, so we’re in a position where the most secure policy is really, really weak.”
A better policy, he says, would be to also exclude certain commonly used words, such as the company name.
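As an added illustration (not code from the GoSecure report or from The Daily Swig), the contrast in Python: a tick-box complexity rule of the kind the article describes, which accepts “Winter-2020”, beside a policy that also rejects season-plus-year patterns, the company name (assumed here to be the placeholder “ExampleCorp”) and a few common words, including after simple character substitutions.

```python
import re

COMPANY_NAME = "ExampleCorp"   # assumed placeholder; use the organisation's real name(s)


def tick_box_policy(pw: str) -> bool:
    """The kind of rule the article describes: a length floor plus 'one of each' class."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


# Substitutions both users and password-guessing tools know; undone so that
# 'W1nter' or 'Ex@mpleC0rp' still hit the blocklist below.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed blocklist patterns; a real deployment would extend these from breach data.
BLOCKED = [
    (re.compile(r"(spring|summer|autumn|fall|winter)[\W_]*(19|20)?\d{2}"),
     "season followed by a year"),
    (re.compile(r"(pass|word|welcome|qwerty|admin|letmein)"),
     "contains a common word"),
]


def better_policy(pw: str, company: str = COMPANY_NAME, min_len: int = 12) -> tuple:
    """Return (accepted, reason). Length first, then blocklists on raw and de-leeted forms."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    variants = {pw.lower(), pw.lower().translate(LEET)}
    if any(company.lower().translate(LEET) in v for v in variants):
        return False, "contains the company name"
    for pattern, reason in BLOCKED:
        if any(pattern.search(v) for v in variants):
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Winter-2020", "Ex@mpleC0rp-2024", "correct horse battery staple"):
        print(f"{candidate!r}: tick-box={tick_box_policy(candidate)} "
              f"better={better_policy(candidate, min_len=8)}")
```

Note that the long passphrase fails the tick-box rule while “Winter-2020” passes it, which is exactly the mismatch the article describes.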
The report also warns of the risks associated with storing Windows passwords in memory and the presence of NetBIOS/LLMNR – both features enabled by default on Windows and frequently exploited by penetration testers.
Meanwhile, investigating products for features vulnerable by default should become a priority.
“There are a lot of missing controls – things that by themselves are not dangerous but that can become a problem, and while these things are much more expensive to fix, they are much, much more important in the long term,” says Desaulniers.
‘Basic security hygiene’
The gap between what survey respondents considered to be important controls and the measures actually implemented by their organization was described by one Reddit user as “the cybersecurity equivalent of the Dunning-Kruger effect”.
The findings chime with the experience of other security experts.
“There is definitely a tendency by many organizations to go for more advanced security controls, while not fully implementing what most security professionals would consider basic security hygiene. This can include the most fundamental of tools, such as email security and archiving solutions,” says Matthew Gardiner, principal security strategist at Mimecast.
“There are likely many reasons for this – basics often are related to process, not technology. Processes usually aren’t a technologist’s area of specialization, which can be heavily dependent on changing people’s perceptions.”
The GoSecure report suggests that budgets are often misallocated, with a tendency to go for the latest security products. Many organizations, for example, have effective firewalls and antivirus at the perimeter, but none internally.
“Security professionals see a layered defence as critical for comprehensive detection. It is crucial that each of these technologies plays a different role in how they protect the organization,” says Carolyn Crandall, chief deception officer at Attivo Networks.
GoSecure suggests that future research should focus more closely on the human element of cybersecurity.
“We need to study the human factor, that cognitive bias, and realign it,” says Paquet-Clouston. “You have to acknowledge your own bias and acknowledge that it’s shared, so there’s a need to study security more as a human factor.”