Currently, when trying to assess a computer or network security risk, key stakeholders and decision makers are forced to work with non-evidentiary data, often relying on the claims of security product vendors, and therefore cannot articulate the risk(s) to the systems, intellectual property, or critical data they are responsible for protecting. A third party is rarely used to determine the true efficacy of security countermeasure products. Furthermore, consumers lack the technical know-how, or the high-cost equipment and manpower, needed to test each security product within their own infrastructure. The reality is that the human resources within an IT organization are used to build and maintain infrastructure, not to test the security efficacy of that infrastructure, even though they are ultimately responsible for that security efficacy.
In most cases, the consumer of security products is using an outdated thought model that is based on two mistruths:
First, that layered security countermeasures, especially when using disparate vendors, will result in better security because a flaw in one product is assumed not to be present in the next product, so the products are expected to cancel each other's flaws. Mathematically this is represented as the assumption that the probability of both products failing is the product of their individual failure probabilities: $P_{a \cdot b} = P_a \cdot P_b = X\%$
Second, that by focusing on the most current and widely advertised (or scary) malware or exploit “in the wild,” and adopting technologies that will help prevent that specific threat, the overall security is “better.” This is akin to snake oil sales.
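The first mistruth above assumes the two countermeasures fail independently. The following added example (not code from the original text) measures, on a small constructed test corpus, how far the independence estimate $P_{a \cdot b} = P_a \cdot P_b$ drifts from the joint miss rate actually observed when both products share the same blind spot; the sample names and outcomes are constructed for illustration.

```python
from fractions import Fraction

# Constructed test corpus (not real data). Each entry is
# (sample name, missed by countermeasure A, missed by countermeasure B).
# Samples 1-15 are known threats both products stop; sample 16 is packed so
# only A misses it; samples 17-20 are novel variants that neither product
# has a signature for, so A and B miss them together (correlated failure).
SAMPLES = (
    [(f"known-{i:02d}", False, False) for i in range(1, 16)]
    + [("packed-16", True, False)]
    + [(f"novel-{i}", True, True) for i in range(17, 21)]
)


def miss_rate(samples, index):
    """Fraction of samples missed by the countermeasure at tuple position
    `index` (1 = A, 2 = B). Exact fractions avoid float rounding noise."""
    return Fraction(sum(1 for s in samples if s[index]), len(samples))


def independence_estimate(samples):
    """Joint miss rate the layered-security model predicts: P_a * P_b."""
    return miss_rate(samples, 1) * miss_rate(samples, 2)


def observed_joint_miss(samples):
    """Joint miss rate actually measured: both products failed on one sample."""
    return Fraction(sum(1 for _, a, b in samples if a and b), len(samples))


def optimism_factor(samples):
    """How many times worse the measured joint miss rate is than the estimate;
    a factor of 1 would mean the independence assumption held."""
    return observed_joint_miss(samples) / independence_estimate(samples)


if __name__ == "__main__":
    print("P_a          =", miss_rate(SAMPLES, 1))        # 1/4
    print("P_b          =", miss_rate(SAMPLES, 2))        # 1/5
    print("P_a * P_b    =", independence_estimate(SAMPLES))  # 1/20
    print("observed     =", observed_joint_miss(SAMPLES))    # 1/5
    print("optimism x   =", optimism_factor(SAMPLES))        # 4
```

On this corpus the model claims a 5% joint miss rate while 20% of samples get through both layers, a fourfold underestimate; only testing the products against the same samples, rather than multiplying vendor-supplied rates, exposes the gap.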
In addition, current security testing focuses on “attacker-initiated” attacks. These are forceful attacks from outside the network, but current testing does not address the more prevalent source of security failures: “target-initiated” attacks. Target-initiated attacks are attacks that take place with the innocent assistance of internal employees who fall victim to phishing, malware, and other scams.
Offensively speaking, groups such as governments must rely on old techniques, such as the Cyber Kill Chain™, that are tedious and very slow. This does not provide the true operational capability needed for an effective offensive operation.