Infosecurity

SecuriTay 6: Key Takeaways from Abertay University’s Premier Hacker Conference

On a stormy February day, I braved the winds of Storm Doris to travel north to Dundee for one of the UK’s most anticipated infosec gatherings: the SecuriTay 6 conference. Organized by Abertay University’s Ethical Hacking Society, this annual event has grown into a cornerstone for the hacking community. From seasoned researchers to curious students, the conference offered a packed schedule of talks that delved into the latest in information security.

Having attended major conferences like 44CON and BSides, I can attest that events like SecuriTay are vital for the industry. They provide a platform for emerging voices and fresh research, fostering a collaborative spirit that drives innovation. This year, with over 350 delegates and a 96% attendance rate, the conference proved its enduring appeal despite the challenging weather.

Active Directory Security: Lessons from the Field

The keynote speaker, Gavin Holt, an Abertay graduate and senior security consultant at NCC Group, kicked off the day with a deep dive into Active Directory security. Holt shared anonymized case studies from his penetration testing work, highlighting common misconfigurations that plague organizations of all sizes. He pointed out that many businesses share entire C: drives across the network or run day-to-day operations from a single shared administrator account, which makes it nearly impossible to attribute any action to an individual.

In one striking example, Holt described a scenario where passwords and usernames were identical for critical business software. Another case involved a shared file containing complaints from the Information Commissioner’s Office. He concluded that while Active Directory remains ubiquitous, its flaws often stem from poor implementation rather than inherent weaknesses. This session set the tone for a day focused on practical security insights.

Fileless Malware: A Growing Threat

Next, I attended Peter Cowman’s talk on “Malware in Memory.” Cowman, a final-year ethical hacking student at Abertay, explained how fileless malware avoids writing a payload to disk: the malicious code runs in memory, and where it needs to survive a reboot it stashes its loader in registry keys rather than in a file. He cited the Democratic National Committee data breach as a prime example, emphasizing that detection has to look for unusual registry permissions and suspicious threads rather than for files on disk. This kind of analysis is increasingly important as attackers bypass file-scanning antivirus.
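As an added illustration of the registry side of that detection advice (this is example code written for this page, not Cowman’s material or any real sample), the Python below scans a constructed set of HKCU Run values for the traits a fileless loader’s persistence entry tends to show: a living-off-the-land binary such as mshta or regsvr32 launched with inline script, or PowerShell started with a hidden window and an encoded command whose decoded body reads a second stage back out of the registry. The key paths, value names and payloads are all made up. The registry-permission check Cowman mentioned needs the Windows ACL APIs and is not attempted here.

```python
"""Scan Windows autorun registry values for fileless-loader indicators.

Added example for this article; the entries below are constructed, not real malware.
"""
import base64
import re
from typing import NamedTuple


class AutorunEntry(NamedTuple):
    key: str    # registry key the value lives under
    name: str   # value name
    value: str  # value data: the command line Windows runs at logon


class Finding(NamedTuple):
    entry: AutorunEntry
    reasons: tuple
    decoded: str  # decoded -EncodedCommand script, if the value carried one


# Indicators of a fileless loader chain: LOLBins invoked with inline script or a
# remote scriptlet, and PowerShell launched hidden and/or with an encoded command.
INDICATORS = {
    "mshta inline script": re.compile(r"\bmshta(\.exe)?\b.*\b(vbscript|javascript):", re.I),
    "regsvr32 remote scriptlet": re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://", re.I),
    "rundll32 javascript": re.compile(r"\brundll32(\.exe)?\b.*javascript:", re.I),
    "powershell hidden window": re.compile(r"\bpowershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I),
    "powershell encoded command": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
}

# Inside a decoded payload, these pull a second stage out of another registry value.
REGISTRY_STAGE_RE = re.compile(r"(Get-ItemProperty|\bgp\b|Microsoft\.Win32\.Registry)", re.I)
ENCODED_ARG_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line: str) -> str:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or '' if none."""
    m = ENCODED_ARG_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_autoruns(entries) -> list:
    """Return a Finding for every entry that matches at least one indicator."""
    findings = []
    for entry in entries:
        reasons = [label for label, rx in INDICATORS.items() if rx.search(entry.value)]
        decoded = decode_encoded_command(entry.value)
        if decoded and REGISTRY_STAGE_RE.search(decoded):
            reasons.append("decoded script reads a registry-stored stage")
        if reasons:
            findings.append(Finding(entry, tuple(reasons), decoded))
    return findings


def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: two benign autoruns and two fileless-style persistence entries.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    AutorunEntry(RUN_KEY, "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(RUN_KEY, "Updater", r"C:\Program Files\Vendor\updater.exe --quiet"),
    AutorunEntry(RUN_KEY, "b3f2a",
                 r'mshta javascript:eval(new ActiveXObject("WScript.Shell").RegRead("HKCU\\Software\\b3f2a\\p"))'),
    AutorunEntry(RUN_KEY, "svc",
                 "powershell.exe -nop -w hidden -enc "
                 + _encode_ps("IEX (Get-ItemProperty HKCU:\\Software\\svc).stage")),
]


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_ENTRIES):
        print(f"{f.entry.key}\\{f.entry.name}: {', '.join(f.reasons)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

On a live host the same function can be fed the output of `reg query` or Python’s `winreg` module; the Run, RunOnce and Winlogon keys under both HKCU and HKLM are the usual places to look, and the decoded script is what you hand to the analyst.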

Cowman’s presentation was a testament to the high-caliber research emerging from student-led initiatives. It also underscored the importance of conferences like SecuriTay in nurturing new talent in the cybersecurity field.

IoT Security Challenges: The Other Side

After a brief lunch break, I joined Jamie Hoyle, co-founder of Karambyte, for a compelling talk on IoT security challenges. Hoyle divided IoT vendors into two categories: those that own their intellectual property and manufacturing, and those that resell white-labeled hardware without owning the source code. He argued that reporting bugs to the latter group is often futile: they cannot fix code they do not own, and they prioritize profits over security.

Describing the “IoT gold rush,” Hoyle noted that many manufacturers treat security as an afterthought because it doesn’t generate revenue. He highlighted the lack of accreditation bodies for IoT products and the difficulty of extracting firmware for reverse engineering. His key takeaway: every layer of the IoT stack, from device to cloud, must be secured, yet few manufacturers have the expertise to do so comprehensively.

Secure Messaging and the Threat Landscape

Later, I caught part of a talk on secure desktop messengers by David Wind and Christoph Rottermanner from the University of Applied Sciences in St. Pölten, Austria. They discussed the usability versus security trade-offs in tools like WhatsApp and Signal. In a study of 28 users, 21 failed to notice a simulated man-in-the-middle attack because they never verified their contact’s key, suggesting that current verification processes are too complex. They recommended changing the terminology from “verify” to “show keys” to improve user understanding.

The closing keynote by Rafe Pilling, a senior security researcher at SecureWorks, brought the day to a sobering close. Pilling debunked myths about the “dark web,” noting that cybercriminals often work in small, localized teams rather than vast networks. He pointed to threat groups like Fancy Bear and destructive campaigns like Shamoon, emphasizing the persistence of advanced threats. His talk served as a reminder that the cyber threat landscape is constantly evolving.

In summary, the SecuriTay 6 conference was a resounding success, showcasing the best of ethical hacking and infosec. For those interested in similar events, check out our coverage of BSides London or Steelcon for more insights. The future of cybersecurity looks bright with such dedicated communities driving progress.

Wendy Nather: Why the Cybersecurity Industry Must Rethink Its Approach

Published

on

Wendy Nather: Why the Cybersecurity Industry Must Rethink Its Approach

At the RSA Conference 2017 in San Francisco, one voice stood out among the crowd: Wendy Nather, principal security strategist at Duo Security. Her provocative ideas on the security skills gap and the industry’s overreliance on complex technology sparked a fresh conversation. As a former CISO and analyst, Nather brings a unique perspective that challenges long-held assumptions. In this article, we explore her most controversial thoughts and what they mean for the future of cybersecurity.

The Self-Created Security Skills Gap

Nather believes the security skills gap is largely a self-inflicted wound. “We wouldn’t have a skills gap if we didn’t make technology so hard to run in the first place,” she argues. The industry has built layers of complicated systems that require multiple degrees to manage. This, in turn, fuels a demand for more specialists, creating a vicious cycle.

“We created the skills gap problem ourselves,” Nather explains. “This self-feeding skills gap is a result of the complicated technologies we’ve created that need so much manpower.” She points out that growth is often seen as positive, but the real question is why so many people are needed. The answer, she suggests, lies in the unsustainable complexity of modern security tools.

CISOs are increasingly looking to reduce their vendor portfolios, a trend echoed by Dr. Zulfikar Ramzan, CTO at RSA Security, in his keynote. Nather references the Bank of America’s cyber-defense metric—a scorecard that helps organizations rationalize their security products. “It’s a practical matrix that considers what requires the most time and people,” she says, offering a way out of the complexity trap.

Killing ‘Baby Anti-Virus’ and Rethinking Passwords

If Nather could travel back 25 years, she would “kill baby anti-virus.” She laments that AV put the industry on a path where security is treated as an add-on. “We built an industry completely separate from what it should be securing,” she says. This separation has made it difficult to integrate security seamlessly into technology.

On passwords, Nather is equally blunt. “We should never have told people not to write passwords down,” she declares. This advice led users to choose simple, memorable passwords instead of secure ones. While she doesn’t endorse sticky notes on laptops, she suggests that a secretly stored written password is better than a weak one. Password managers, she notes, act as an intermediary, protecting users from “the terrible malignant growth of passwords.”

Building on this, Nather argues that the industry must stop blaming users for security failures. “Maybe we built the ecosystem wrong, maybe we’re building technology wrong,” she says. Users misuse complicated technology because it’s not designed for them. The solution lies in making security tools that people actually want to use, not just tools that organizations want to buy.

The Role of Technology, AI, and Vendor Rationalization

Nather criticizes the tendency to throw technology at every problem. “Too many people look at adding and refactoring technology as a solution,” she says. This approach ignores the need to learn from past mistakes. The industry, she notes, always looks forward but never back.

On multi-factor authentication, Nather calls for a clearer definition. With over 80 vendors in the access management space, the market is crowded. “We need to secure access in a more flexible way and we need to authenticate systems and applications, not just humans,” she explains. Machine learning and AI have roles to play, but Nather is cautious. “AI is led by our intelligence to build it,” she says, questioning whether it will ever replace human decision-making.

As a former CISO, Nather recalls how purchasing decisions were driven by analyst quadrants. “When I was a CISO and wanted to buy a product, I’d take it to my CIO and he’d want it to be in top right of quadrant,” she says. This reliance on analysts highlights the marketing noise in the industry. However, she warns that analysts are burning out, with too many vendors to evaluate in too little time.

Reducing Choices for Better Security

Nather believes that the industry needs to reduce choice to improve security. “To make security better, we may need to reduce our choices,” she argues. Drawing a parallel to cars, she notes that there are only so many types of engines. In cybersecurity, everyone is writing their own “magnum opus,” making it hard to secure systems in a repeatable manner.

“We need to find and stabilize the things we know work and everyone else will have to live with it,” she insists. This approach might mean fewer jobs, but it would also reduce the security skills gap. “Taking the choice away will make people sad, but it will make people safer,” Nather concludes. “Artistic license shouldn’t threaten the safety of the general public.”

For more insights on cybersecurity trends, explore our analysis of industry shifts or learn about best practices for multi-factor authentication. Wendy Nather’s vision challenges us to think differently—and that’s exactly what the industry needs.

Digesting the Diversity of Data Breaches: Verizon’s 16 Scenarios and How to Tackle Them

Published

on

Digesting the Diversity of Data Breaches: Verizon’s 16 Scenarios and How to Tackle Them

Data breaches have become one of the most pressing concerns for businesses worldwide. The cyber threat landscape is no longer a simple battlefield; it is a complex maze of evolving tactics, diverse actors, and unpredictable outcomes. Each breach carries its own signature, making response and recovery a daunting task. But what if you could anticipate the most common scenarios? Verizon recently unveiled its Data Breach Digest, a comprehensive guide that categorizes 16 distinct data breach scenarios. This resource helps organizations understand the diversity of attacks and prepare more effectively.

During a press briefing in London, Bryan Sartin, executive director of the RISK Team at Verizon Enterprise Solutions, emphasized that breaches now affect every department, not just IT. “Data breaches are growing in complexity and sophistication,” he stated. “In working with victim organizations, we find that breaches touch every part of an organization up to and including its board of directors.” This underscores the need for a holistic approach to cybersecurity.

Understanding the Human Element in Data Breach Scenarios

Human error or malice remains a significant driver of security incidents. Verizon’s digest identifies four key scenarios under this category, each with distinct motivations and methods.

Financial Pretexting: The Golden Fleece

This scenario targets financial, information, and retail industries. Attackers use stolen credentials, phishing, and pretexting to manipulate employees into revealing sensitive data. The goal is purely financial gain.

Hacktivist Attack: The Epluribus Enum

Motivated by ideology or grudges, hacktivists target public and financial sectors. They often employ DDoS attacks, backdoors, and other hacking techniques to disrupt operations or steal data for public exposure.

Partner Misuse: The Indignant Mole

Trusted partners sometimes turn rogue. This scenario involves data mishandling, network misuse, or privilege abuse for financial gain or espionage. Industries like healthcare and retail are particularly vulnerable.

Disgruntled Employee: The Absolute Zero

An insider with a grudge can cause immense damage. These attacks often involve exporting data, disabling controls, or abusing privileges. Public, financial, and healthcare sectors are frequent targets.

Prevention tips: Know your threat actors and their methods. Sensitize employees to these tactics. Train your incident response teams to act cohesively.

Device Threats: When Hardware Becomes the Weak Link

Connected devices, from smartphones to IoT gadgets, open new attack vectors. Verizon’s digest covers four critical scenarios.

C2 Takeover: The Broken Arrow

Attackers use command-and-control servers to remotely hijack systems. This can be opportunistic or targeted, often for espionage or financial gain. Backdoors and rootkits are common tools.

Mobile Assault: The Secret Squirrel

Mobile devices are exploited to export data or capture stored information. Espionage is the primary motive, targeting professional and administrative sectors.

IoT Calamity: The Panda Monium

Internet of Things devices, often poorly secured, become entry points: attackers brute-force their credentials and then use the compromised devices to launch DDoS attacks. This scenario is opportunistic and can affect any industry.

USB Infection: The Hot Tamale

Unapproved hardware, like infected USB drives, introduces spyware or backdoors. Accommodation and manufacturing industries are frequent victims.

Prevention tips: Monitor and log all device activities. Reduce exposure through regular patching.

Configuration Exploitation: Missteps in Setup

Improper configurations can leave systems exposed. Verizon outlines four scenarios that exploit these weaknesses.

Website Defacement: The Hedley Kow

Hacktivists or vandals deface websites using brute force or privilege abuse. Financial and retail industries are common targets.

DDoS Attack: The 12000 Monkeyz

Distributed denial-of-service attacks overwhelm systems, causing downtime. Motivations range from ideology to financial gain.

ICS Onslaught: The Fiddling Nero

Industrial control systems are targeted for espionage or sabotage. Utilities and manufacturing are at high risk.

Cloud Storming: The Acumulus Datum

Cloud services are exploited to export data or abuse privileges. This scenario often involves espionage and affects transportation and public sectors.

Prevention tips: Configure systems properly. Patch frequently and review code. Conduct regular security scans. Segment networks appropriately.

Malicious Software: The Persistent Digital Threat

Malware remains a constant danger. Verizon’s digest identifies four distinct software-based scenarios.

Crypto Malware: The Fetid Cheez

Ransomware attacks are opportunistic, targeting any industry. Phishing emails deliver the payload, encrypting data for ransom.

Sophisticated Malware: The Pit Viper

Advanced malware, including spyware and rootkits, is used for espionage. Public and manufacturing sectors are prime targets.

RAM Scraping: The Bare Claw

Attackers scrape the memory of point-of-sale systems to capture payment card data in the brief window where it sits unencrypted. Retail and hospitality industries are frequent victims.
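To make concrete what a RAM scraper hunts for, and what an investigator scans a memory image for after a suspected point-of-sale compromise, here is an added Python example that is not Verizon’s code or any real scraper. The “memory dump” is a constructed byte string and the card numbers are the public test numbers for each brand. The scanner pulls digit runs out of the buffer, keeps only those that pass the Luhn check, and separately parses ISO 7813 track-2 records, the format in which swiped card data sits in a POS process before it is encrypted.

```python
"""Find payment card data in a memory buffer the way a POS RAM scraper does.

Added example; MEMORY_DUMP is constructed and uses public test card numbers.
"""
import re

# Constructed stand-in for a POS process memory dump: a track-2 record, bare PANs,
# a timestamp and a digit-only transaction id that should NOT be reported.
MEMORY_DUMP = (
    b"\x00\x00POS-TERMINAL-07 session=20170217120000 txn=1234567890123456 "
    b";5555555555554444=25121011234567890? "
    b"customer:4111111111111111 note:378282246310005\x00\x00"
)

DIGIT_RUN_RE = re.compile(rb"\d{13,19}")                      # PAN lengths are 13 to 19 digits
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\??")  # ;PAN=YYMM<service code>...?


def luhn_valid(digits: str) -> bool:
    """ISO 7812 check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan: str) -> str:
    """Coarse issuer guess from the leading digits (enough for triage, not for billing)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if pan[:2] in {"34", "37"}:
        return "amex"
    return "unknown"


def find_pans(buf: bytes) -> list:
    """(offset, PAN, brand) for each maximal digit run that passes Luhn.

    Timestamps and counters rarely pass Luhn, which is what keeps the hit list short.
    Only maximal runs are tested; a scraper that also slides a window over longer runs
    would catch a PAN glued to other digits.
    """
    hits = []
    for m in DIGIT_RUN_RE.finditer(buf):
        digits = m.group().decode("ascii")
        if luhn_valid(digits):
            hits.append((m.start(), digits, brand(digits)))
    return hits


def find_track2(buf: bytes) -> list:
    """(PAN, expiry YY, expiry MM) from ISO 7813 track-2 records found in the buffer."""
    return [(m.group(1).decode("ascii"), m.group(2).decode("ascii"), m.group(3).decode("ascii"))
            for m in TRACK2_RE.finditer(buf)]


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the usual form for reporting a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for offset, pan, issuer in find_pans(MEMORY_DUMP):
        print(f"offset {offset:5d}  {mask(pan)}  {issuer}")
    for pan, yy, mm in find_track2(MEMORY_DUMP):
        print(f"track-2 record: {mask(pan)} expires 20{yy}-{mm}")
```

Run against a real process dump (for example a Volatility `memdump` of the payment application) the same two passes give an investigator both the exposure window and the evidence that cleartext track data was present; the defensive response the digest implies is point-to-point encryption at the reader so that the data never reaches process memory in this form.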

Unknown Unknowns: The Polar Vortex

Novel attacks that don’t fit known patterns. These can be specific, indirect, or opportunistic, targeting diverse industries.

Prevention tips: Stay updated on threat actor tools. Use file integrity monitoring and keep antivirus software current.

Building a Resilient Breach Response Strategy

As Laurance Dine, managing principal of investigative response at Verizon, noted, “Knowing which incident patterns affect a given industry more often than others provides a solid building block for identifying where attackers are coming from and understanding their motives.” This knowledge helps allocate cybersecurity resources effectively. For more insights, explore our guide on cybersecurity best practices and learn about incident response planning. By understanding the diversity of data breach scenarios, organizations can move from reactive to proactive defense.

Why the Philadelphia Eagles Lead the NFL in Password Choices—and Why That’s a Security Problem

Published

on

Why the Philadelphia Eagles Lead the NFL in Password Choices—and Why That’s a Security Problem

When it comes to creating passwords, many people turn to their passions. Unfortunately, that often means using a favorite sports team—and the NFL Eagles password phenomenon is a prime example. According to data from password manager provider RoboForm, the Philadelphia Eagles are the most common NFL team used in passwords, based on an analysis of ten million leaked credentials. This trend highlights a broader security issue: sports team passwords are predictable and easy to crack.

The NFL Eagles Password Trend: A Closer Look

RoboForm’s research found that the Philadelphia Eagles top the list, followed by the Dallas Cowboys, Pittsburgh Steelers, and Oakland Raiders. Interestingly, the most popular teams in terms of fandom—like the Green Bay Packers—ranked lower in password usage, coming in seventh. This suggests that fan loyalty doesn’t always align with password popularity. However, the NFL Eagles password trend is a red flag for security experts.

Why Sports Teams Make Weak Passwords

Security consultant Tracy Maleeff from Sherpa Intelligence, a self-proclaimed Eagles fan, admitted that while she feels pride in seeing her team at number one, she recognizes the danger. “Then, I remember that I’m supposed to be an information security professional and know that I have a lot of awareness work to do here in the Philadelphia area,” she said. She recalled a past job where an assistant guessed her password by humming the Eagles fight song. This illustrates how easily attackers can exploit such predictable choices.

Lawrence Munro, senior director of SpiderLabs EMEA at Trustwave, echoed this concern. “Unfortunately it’s not at all surprising to find such easily identifiable password choices—we find most people pick a password based on how likely they are to remember it, rather than any consideration for security,” he said. He noted that attackers often scan social media for clues like favorite teams, making sports-related passwords particularly risky.

How Attackers Exploit Sports Team Passwords

Steve Manzuik, director of research at Duo Security, explained that in targeted attacks, adversaries gather information from public sources like social media and forums. “If password or security challenge questions are based off of any information you have shared, including your favorite team, it will be considered when attempting to guess or brute force the password,” he said. This means that using an NFL Eagles password or any team name is essentially handing attackers a key.

David Yates, information security consultant at MWR InfoSecurity, added that automated guessing tools make short work of common passwords. “A human being might get bored going through a list of the top 100 football players and trying different character substitutions, but a computer won’t,” he said. He recommends using random character strings or unusual sentences of at least 20 characters for true security.
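The point about a computer not getting bored can be shown directly. The following Python is an added example, not RoboForm’s research or any quoted expert’s tooling: it takes a constructed seed list of five team names, applies a small set of mangling rules (case, leet substitutions, numeric and symbol suffixes), and reports at which guess a given password would fall. The rule set is deliberately tiny next to the stock rule files shipped with hashcat or John the Ripper, yet “Eagles123” is still reached in the first few hundred guesses.

```python
"""Rule-based password guessing from a sports wordlist.

Added example for this article. Shows why a team name plus a number offers no
protection: it is one of a few thousand strings that mechanical rules produce.
"""
import secrets

# Constructed seed list; an attacker would use full rosters, nicknames and fan slang.
SEEDS = ["eagles", "cowboys", "steelers", "raiders", "packers"]

# Substitutions people believe make a word "secure".
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})

# Common tails: nothing, two-digit numbers, recent years, and a few symbol habits.
SUFFIXES = list(dict.fromkeys(
    [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2026)]
    + ["!", "1!", "123", "123!"]
))

# Constructed word pool for the passphrase alternative.
WORDS = ["harbor", "velvet", "quartz", "lantern", "pebble", "cinder", "meadow", "copper"]


def stems(seed: str):
    """Case and leet variants of one seed, in the order a rule engine tries them."""
    for case in (str.lower, str.capitalize, str.upper):
        base = case(seed)
        yield base
        yield base.translate(LEET)  # only lowercase letters map, so UPPER+leet repeats UPPER


def candidates(seeds=SEEDS) -> list:
    """Every stem crossed with every suffix, duplicates removed, order preserved."""
    return list(dict.fromkeys(
        stem + suffix for seed in seeds for stem in stems(seed) for suffix in SUFFIXES
    ))


def rank(password: str, seeds=SEEDS) -> int:
    """0-based guess number at which the password falls, or -1 if the rules never reach it."""
    try:
        return candidates(seeds).index(password)
    except ValueError:
        return -1


def random_passphrase(words=WORDS, n=4) -> str:
    """Four words drawn with a CSPRNG; not derivable from any seed list above."""
    return "-".join(secrets.choice(words) for _ in range(n))


if __name__ == "__main__":
    pool = candidates()
    print(f"{len(pool)} candidates from {len(SEEDS)} seeds")
    for pw in ["Eagles123", "E4gl3$!", "Eagles2018", random_passphrase()]:
        r = rank(pw)
        print(f"{pw:32s} {'guess #' + str(r + 1) if r >= 0 else 'not reached'}")
```

At even a modest offline rate of a million guesses per second the whole pool is exhausted in a few milliseconds, so the only defence the bullet list below really offers is the one that puts the password outside any wordlist: a generated string or a random multi-word passphrase.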

Practical Steps to Improve Your Password Security

Given the risks, it’s time to rethink your password habits. Here are actionable tips to protect your accounts:

  • Use a password manager: Tools like RoboForm or 1Password generate and store complex passwords, so you don’t have to remember them.
  • Avoid personal information: Steer clear of names, birthdays, and especially sports teams. Even if you love the Eagles, don’t use them as a password.
  • Enable two-factor authentication: This adds an extra layer of security beyond just a password.
  • Create long, random passphrases: let the password manager generate them, or string together several unrelated words chosen at random. A short team-based password like “Eagles123” sits within a few thousand guesses of a wordlist-plus-rules attack; a random multi-word passphrase does not appear in any such list.

The Bottom Line: Sports Fandom and Security Don’t Mix

While the Philadelphia Eagles may be champions on the password list, that’s not a title any fan should celebrate. The NFL Eagles password trend is a stark reminder that convenience often comes at the cost of security. As you gear up for the next big game, take a timeout to review your passwords. A few minutes of effort now can save you from a data breach later. For more tips on staying safe online, check out our guide on password security best practices or learn about common cybersecurity mistakes to avoid.
