An insider threat is a security risk that originates from within an organization, and with an average annual cost of $11.45 million, it is a problem organizations cannot afford to ignore. The risk is usually attributed to malicious or negligent employees, as well as to others close to the organization, such as contractors and business partners. Meanwhile, companies and organizations tend to assume that security software will stop the threats coming from outside. This framing of insider threats shifts the responsibility onto the human factor; in other words, it turns people into scapegoats.
While there are people who actively seek to harm an organization, the Ponemon Institute's "2020 Cost of Insider Threats" report found that only 23% of insider incidents involved a malicious insider.
Instead of blaming people, then, why not turn our attention to the root of the problem: the security software itself?
Whether riddled with vulnerabilities, compromised by governments, or used as a channel to collect and monetize user data, security software today is fraught with problems.
Security double agents
One of the largest and most widely used security software vendors is the Czech company Avast, whose antivirus has over 435 million active users in 59 countries. However, in January 2020 it emerged that Avast had been collecting users' browsing data and selling it to third parties through its subsidiary Jumpshot. In effect, the company acted as a double agent against the very people who had entrusted it with their internet security and, in particular, their privacy.
In many cases, the software itself is defective. Veracode's State of Software Security (SOSS) Vol. 10, published last year, found roughly 10 million flaws across 85,000 applications; 83% of those applications had at least one flaw on their initial scan, and 20% of the flaws were rated "high" or "very high" severity. By exploiting such vulnerabilities, attackers can infiltrate an organization and reach its data.
Complicating things further, the sheer scale and complexity of the vulnerability landscape make it much harder to determine whether a system has actually been patched. Indeed, the majority of data breaches (60%) occur because known software vulnerabilities were left unpatched. Equifax's 2017 breach and Marriott's 2018 breach are two examples of this, collectively exposing over 640 million records.
Monkey business in government
In some cases, the government is involved, and not by defending privacy rights or arresting the criminals behind the attacks. On the contrary, governments are the perpetrators. The attacks by APT5, also known as Manganese, on enterprise VPN servers are a clear example.
Since August 2019, Chinese state-backed hackers have been scanning the internet for Fortinet and Pulse Secure VPN servers. They then attempted to exploit two vulnerabilities in these VPN products to read files without authentication, which gave them access to passwords and VPN session data from vulnerable devices. Iran is not far behind: a report by the cybersecurity firm ClearSky revealed that Iranian government-backed hacking units made exploiting VPN flaws a priority as soon as the flaws were published.
Fortinet and Pulse Secure VPN servers are widely deployed, with hundreds of thousands of customers. Pulse Secure in particular is popular among Fortune 500 companies, including some of the largest technology companies and government agencies. The whole point of a VPN server is to protect internal systems from unauthorized access. If the VPN itself fails to do that, how can we turn around and accuse employees of breaking the rules?
Phishing for a scapegoat
Finally, there is scareware. As the name implies, scareware is a form of phishing that bets on your fear and your perception of an impending threat. Through a pop-up ad, cybercriminals warn you that your computer is infected with malware or is running "slowly". They then exploit your anxiety and panic response to offer a "solution".
The "solution", which is of course fake, gives the attacker access to your data and installs malware on your computer, perhaps even ransomware. In this scenario it is easy to point at the person who clicked the ad, but what about the security software vendors who let the ad through? Is it not the job of security software to detect malicious ads and stop them from appearing on screen?
The real threat
In the end, let us ask ourselves what the real threat is. People are often labeled the weakest link and held responsible for exposing organizations to malicious threats. Looking at the evidence, however, the problems seem to stem from security software and its vendors. Considering that they are supposed to protect us, both as individuals and as organizations, from cyber attacks, it is rather ironic that they are in fact the problem.