Why you should avoid security nihilism

I love reading about cybersecurity. However, I find articles a bit nihilistic lately, especially with the rise of zero-click attacks and the rapid evolution of the threat landscape.

We’re living in a difficult time where a few advanced cybersecurity actors seem to control Pandora’s box, hacking anybody anywhere in minutes, despite the highest level of protection. Besides, the Snowden revelations have highlighted the computing power of security agencies, which lets them crack passwords and gain access at the snap of a finger.

This is the kind of situation that can lead to security nihilism.

Disclaimer

I don’t put the blame on anybody. I’d include myself in the criticism, as I wrote posts that mentioned Pegasus and its scary ability to exploit vulnerabilities.

NSO is watching you

The NSO Group is the international security company that created Pegasus, state-sponsored spyware that can perform zero-click attacks: NSO’s customers gain unauthorized access without their victims having to do anything.

NSO has regularly made headlines over the past months because of the unprecedented level of its attacks, which leave victims without defense despite following security hygiene tips and measures.

Apple has sued NSO and its parent company “to hold it accountable for the surveillance and targeting of Apple users.”

Apple accused NSO of privacy violations, claiming it fights for its users’ rights, which might seem pretty daring coming from one of the Big Five, companies notorious for intruding on privacy.

Source: Apple

I think destroying the economic model of such adversaries might be an interesting strategy. NSO’s business provides an interface for performing high-level cyberattacks, a business approach to hacking at scale.

Don’t get me wrong. NSO’s business seems pretty unethical, and I don’t consider Apple the leader of privacy rights, but fighting such a high-level threat requires lots of resources that only a few companies in the world can afford.

Is there anything we can do to resist the attack?

The answer is yes and no, and that’s why security nihilism is tempting. So far, nobody knows exactly how Pegasus works. Security specialists have reported network injections, zero-days in applications, and processes disguised as iOS system services, but that’s still a bit vague.

Amnesty International produced a fantastic Forensic Methodology Report about Pegasus that revealed more details about the attacks and the potential mistakes made by NSO, such as reusing the same DNS servers across different attacks.

Source: Amnesty

It won’t close all security holes, but it’s a great start. Amnesty’s teams even shared a toolkit to inspect devices.

Besides, it’s not entirely true that you can’t do anything against zero-days. There are now solutions that can mitigate those attacks and preserve the sovereignty and integrity of data.

Those solutions can catch unconventional signals and approaches, precisely what Pegasus uses. I’ve read about a French company called Tehtris that specializes in this kind of protection.

Is security a losing game?

Not at all, IMHO.

Attackers have always been ahead of forensic teams, but blue teams (defenders) are getting better at fighting threats such as ransomware, privilege escalation, and other common attacks, making the hacker’s task even harder.

If you’re an activist or a whistleblower and you still use your iPhone or your Android device with a VPN, then you are probably doing it wrong. It’s not a bad practice, but you might be taking unnecessary risks by not using alternative devices and Tor.

However, what you need most is an appropriate strategy. You don’t use the same tools when the risk is low as when you could end up in jail or risk your life. It’s an extreme example, but the underlying logic is always the same.

That’s the best strategy for me: you need several layers of defense. While you can’t anticipate every possible attack, you can improve your preparation.

Besides, there are solutions that grant privileged access only when needed instead of permanently. Least-privilege access, for example, is an effective approach to mitigating attacks. A zero-trust architecture might also help you fight the threat.

Conclusion

While the danger is undeniably real and perfect security does not exist, you should resist the temptation of security nihilism, as it will only aggravate the situation.
