Not everything is sophisticated, let’s keep it simple

I don’t have dandruff. But if I did, then I could use a new sophisticated formula to cure my condition. Whether the problem is dandruff or a malware-related threat, the term sophisticated gets used quite a lot. Now don’t get me wrong; I love the word. But is the term perhaps overused?

What started this train of thought was a question I was asked at the recent ISACA Conference in London. An attendee, perhaps in despair, asked what chance we defenders have when faced with the sophisticated attacks that appear to compromise systems at will. His example was WannaCry, an exploit that developed one of the most effective malware-propagation mechanisms we have seen in almost two decades.

Here’s the thing, though: mitigating this threat is far from sophisticated, because for almost 30 years the fundamentals of protecting systems have stood the test of time, and they generally still apply today. Yet the headlines we hear today are so far removed from reality that the very people we are hoping to influence to adopt better practices simply shrug their shoulders because “sophisticated, advanced” doesn’t apply to me. How many of us have heard people say “I am too small to be hacked,” or “this doesn’t apply to me”?

We have perpetuated the myth that there is a category of malicious actors who, just by their membership in cybercrime, are sophisticated. Yet the modus operandi of most of them is to simply trick someone into clicking a link in an email. We also overuse the phrase highly targeted, which may really just reflect an individual willing to search profiles on LinkedIn rather than an industrial spy or cybercrime group.

A previous manager of mine, whom I respect enormously, would often tell me to keep things simple. In his own words, it was about “ducks and bunnies.” I will confess I had not heard the phrase before, but I think his advice applies today. We need to keep things simple (as simple as ducks and bunnies), and find the simple explanation for the methodology behind “hacking your social media” or how that email “seemed to know so much about me.”