Tenable wants to see the end of the 'nation-state attacked us' excuse

It's not necessarily that they broke into your house; it's that the door was wide open.

The "nation-state attacked us" line, according to Tenable chairman and CEO Amit Yoran, is not a valid excuse for allowing a weak system to be compromised.

Speaking with ZDNet while in Australia this week, Yoran said there's an awful lot of money being spent on sophisticated security tooling, but organisations are still leaving the front door wide open for criminals to walk straight in. Compounding this, he said, is the excuse that the organisation was helpless, "making pretend" that they couldn't have prevented an attack as it originated from an advanced adversary.

"Nation-state attack in just about any instance is a pretty pathetic excuse for being compromised," he said.

"When you look at a vast majority of the breaches that occur, whether they're nation-state actors or whether they're hacktivists or cyber criminals, if you look at a vast majority of these breaches, in the data that we've seen, it's well north of 98% -- these breaches are all caused by negligence."

He said many organisations claiming such attacks have important or critical systems that carry extremely sensitive information, but they have simply done a very lax job when maintaining hygiene and adequate security basics.

"Nation-state adversaries, even the sophisticated hackers, aren't using all these super scary hyped-up, zero day pieces of original exploit code or malware, it's just the basics that we aren't doing well that they're taking advantage of," Yoran said.

According to Yoran, the cause of a breach is almost always one of two issues, or in many cases both.

"It's either there's a known vulnerability with a patch available to which somebody just doesn't patch their systems, or they're implementing very poor authentication, identity management, access management practices and as a result get compromised by some form of spear-phishing. In many cases, it's both of these things at work," he said.

"There's spear-phishing because somebody is using poor passwords, and their underlying system they're being spear-phished from still has known, unpatched gaps."

Rather than saying an organisation was the victim of a breach at the hands of a nation-state adversary, and pretending it was highly sophisticated, Yoran said the better conversation to have would be around why there was a breach.

"Was it something that was truly unpreventable or were you simply being lax and negligent in how you manage your systems?" he said.

"The truth is that preventing these things is exceptionally straightforward -- I'm not saying that it's easy to do, but it's at least straightforward ... the thing you have to do to protect yourself is maintain good hygiene with systems ... and users.

"If you can do those two things, you are in far better shape and I would say it's extremely unlikely you'll get breached -- and you certainly won't get breached with any of the popular techniques we're seeing today from nation-state actors or cybercriminals."

Before landing at Tenable as its CEO, Yoran had spent time within the US Department of Defense and previously served as founding director of the US-CERT program in the US Department of Homeland Security. Prior to that he was the president of network security firm RSA, as well as the co-founder and CEO of Riptech, which was acquired by Symantec in 2002.

Having spent 25-plus years in the security industry, Yoran made an observation that organisations are throwing money at security solutions "to no end", when what is actually required is a more disciplined approach to managing systems and users.

"I would say most of which you see from the security industry is a bunch of smoke, mirrors, and hype ... there's no point in installing a super sophisticated security system when you aren't locking your door or closing your front door to begin with," he added.

As the number of exposed breaches grows, particularly with regulated requirements to disclose any activity relating to the personal data of people, Yoran said there is a sense of tolerance in the world.

"We're certainly breeding a sense of tolerance that may be counter-productive," he said. "I'm hopeful -- I'm optimistic -- that as we get more transparency, not just that you were breached, but how you were breached ... that we start seeing what is effective, what is necessary to exercise responsible security in today's era."

Touching briefly on the breach experienced by the Australian government earlier this year, Yoran said it's safe to assume that poor hygiene is at the crux of just about every high profile breach and headline in recent years.
