UK Cyber CTO: Vendors' Security Failings Are Rampant

BLACK HAT EUROPE 2023 – London – Modern cybersecurity solutions are not good enough to keep up with attackers' growing capabilities, allowing threat actors to operate without sufficient ramifications.

That's according to Ollie Whitehouse, chief technology officer of the UK's National Cyber Security Centre (NCSC). In the opening keynote of Black Hat Europe in London today, Whitehouse highlighted a number of challenges and opportunities that the industry faces and should be looking to address.

Vendors Foment Security Challenges

Among those challenges, Whitehouse named "asymmetric" threat actors, high levels of technical debt, and a misguided desire for one security solution that solves all problems as top concerns for overall business safety. But Whitehouse — who joined the NCSC in September and previously served as CTO of consultancy NCC Group and in research roles for BlackBerry and Symantec — specifically highlighted a number of issues caused by gaps in security vendor products and behavior that work against the goal of a more cyber-secure world.

For instance, he said there is a fundamental challenge around "closed ecosystems," especially where there is no option to get access to product telemetry. Whitehouse said this is "wonderful for those vendors because they monetize that [threat intelligence] and they create their walled gardens," but not so great for organizations looking to shore up defenses and make informed choices about security priorities.

Additionally, he highlighted security up-charges as "the saddest" vendor failing. Particularly when it comes to software-as-a-service (SaaS), how deep the security protections are depends on the tier, he pointed out — the more money spent, the more secure it is.

"That seems inexcusable in 2023," he said, adding that the extra costs "are not sustainable" for many businesses.

Whitehouse also said there is an opportunity for greater transparency from vendors, particularly those who sell both on-premises and SaaS products. Many times, a vendor will disclose a vulnerability in an on-premises solution, but not for the SaaS version of a product.

"I would suggest that they are not being entirely transparent about whether that [vulnerability] affected their SaaS version and if it was exploited and for how long," he said, adding that it's an issue plaguing IT and network infrastructure vendors in general.

"There is a set of behaviors here on behalf of SaaS vendors, and others, where they could be more honest," he noted.

And finally, looking ahead, he called for security vendors to pay more attention to attacks against industrial control systems (ICS). The recent spate of attacks on water treatment plants in the US, for instance, "remind us that there is a problem there, but it is not in our face every day like ransomware. But we really need to be mindful that this is the world we are potentially heading toward."

He added that there is no need to be alarmist about the threats, but advanced threat actors are preparing for these types of attacks, "and that is why we need to be ready."

Implement Basic Security Best Practices

In terms of how to shore up security without being held hostage by individual vendors, Whitehouse highlighted several items of low-hanging basic security fruit he would like to see addressed by organizations. These include securing legacy technology, as "we are good at focusing on the new and fancy," as well as forcing better password hygiene, putting focus on asset discovery and inventory, and getting rid of unsupported platforms.

Another item that's easy to focus on is Web security, he noted, adding that "we know how to solve cross-site scripting and SQL injection vulnerabilities."

And finally, there's the human element. There is a need to "make phishing a thing of the past" given that multifactor authentication (MFA) and WebAuth can already solve some parts of it, he said. While "it is clear we legitimately have a long way to go in this challenge," what tools are available should be deployed, along with focusing on user awareness.