Phishing as performed in a pantomime

Cybersecurity Pantomime

There are times when I say to my clients, “That sounds like security pantomime”, and I realise that quite a few have not understood what I mean. Cybersecurity Pantomime, also known as Cybersecurity Theatre[1], is a term for security measures that, despite their flashy display, fail to reduce risk in any substantial way. It is akin to a theatrical set in a pantomime: from the audience it appears realistic and substantial, but it is an illusion created by plywood and actors, and viewed from the wings it is plain that none of it is real.

The term covers security efforts, products, or controls that, however impressive their presentation, do not effectively mitigate the risk they claim to address. They create an illusion of robust security, much like the convincing yet illusory world of a pantomime, while their actual effect on security posture is minimal.

In essence, Cybersecurity Pantomime underscores the gap between the perceived and actual effectiveness of security measures. It serves as a reminder that the true measure of a security solution lies not in its superficial appeal, but in its ability to tangibly decrease risk and enhance security.

It can be very difficult to tell whether what is presented is a genuine increase in your security posture or just smoke and mirrors. Generally, the way I attempt to determine this is by asking some simple questions:

  1. What is the threat profile this is attempting to mitigate?
    • Does that threat model apply to us and our situation?
  2. How can you prove that this is more secure?
    • Is there evidence that the threat model is real?
  3. What other ways could this be mitigated?
  4. Has this threat already been mitigated?
    • Are there other tools that we already use that mitigate this sufficiently?

A few common ones I see at regular intervals include:

  1. Your upstream or downstream vendor/partner wants you to fill in a security audit yourself, without any checks or verification on their part.
    • Self-assessed audits may leave you legally liable if you misstate your security, but they do very little to increase it, beyond making you aware of what you do not have.
    • Tick-box audits have no nuance: they accept only one way of meeting each control, instead of asking how you mitigate the risk and threat so that you can demonstrate risk management.
  2. VPN products that “increase your security” by creating a “secure tunnel” that prevents eavesdropping.
    • The overwhelming majority of SaaS applications already use TLS/HTTPS, which prevents eavesdropping on the traffic. A VPN adds something only where TLS is absent, or where you specifically want to hide from the local network which hosts you talk to; otherwise it merely moves the eavesdropping point to the VPN provider.
  3. The vendor sells a product as something that resolves a tick box.
    • An Intrusion Prevention System that has no update mechanism or notification system. You can tick that box on your next audit, but does it really make you more secure?
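Question 4 above (“Has this threat already been mitigated?”) applied to the VPN example is something you can actually check rather than take on faith. The script below is an added example, not code from the original post: given a hostname, it fetches the plain-HTTP front page without following redirects, fetches the HTTPS front page, and reports whether plain HTTP is redirected to HTTPS and whether a usable Strict-Transport-Security header is sent. The one-year minimum max-age and the sample responses in `SAMPLE_RESPONSES` are constructed assumptions for illustration; the live `probe()` needs network access, while `evaluate()` works on captured values and can be run offline.

```python
"""Check whether a web application already enforces TLS before buying a "secure tunnel".

Added example: assesses an HTTP->HTTPS redirect and the HSTS header of a host.
"""
import http.client
import ssl
import sys

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds
REDIRECT_CODES = (301, 302, 307, 308)

# Constructed sample responses (status, Location header, HSTS header) used when
# running offline; they are not captured from any real service.
SAMPLE_RESPONSES = {
    "good.example":  (301, "https://good.example/", "max-age=63072000; includeSubDomains; preload"),
    "short.example": (302, "https://short.example/login", "max-age=300"),
    "plain.example": (200, None, None),
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into its directives.

    Returns None when the header is absent or malformed (a malformed max-age
    makes browsers ignore the whole header, so it gives no protection).
    """
    if not value:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def evaluate(http_status, http_location, hsts_value, min_max_age=ONE_YEAR):
    """Decide whether TLS is enforced; returns (enforced, list of findings)."""
    findings = []
    location = (http_location or "").lower()
    if http_status not in REDIRECT_CODES or not location.startswith("https://"):
        findings.append("plain HTTP is served or redirected somewhere other than HTTPS")
    hsts = parse_hsts(hsts_value)
    if hsts is None or hsts["max_age"] is None:
        findings.append("no usable Strict-Transport-Security header on the HTTPS response")
    elif hsts["max_age"] < min_max_age:
        findings.append(f"HSTS max-age {hsts['max_age']} is below {min_max_age} seconds")
    return (not findings, findings)


def probe(host, timeout=5.0):
    """Live check of one host: HTTP redirect target plus HSTS on the HTTPS response."""
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/", headers={"Host": host})
    resp = plain.getresponse()
    status, location = resp.status, resp.getheader("Location")
    plain.close()

    secure = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                         context=ssl.create_default_context())
    secure.request("GET", "/", headers={"Host": host})
    hsts = secure.getresponse().getheader("Strict-Transport-Security")
    secure.close()
    return evaluate(status, location, hsts)


def report(host, result):
    enforced, findings = result
    print(f"{host}: {'TLS enforced' if enforced else 'NOT enforced'}")
    for finding in findings:
        print(f"  - {finding}")


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if hosts:
        for host in hosts:
            report(host, probe(host))
    else:
        for host, captured in SAMPLE_RESPONSES.items():
            report(host, evaluate(*captured))
```

Run it with no arguments to see the verdicts on the constructed samples, or with one or more hostnames to probe them live. If every SaaS application you use comes back “TLS enforced”, the eavesdropping threat the VPN vendor is selling against is already mitigated for those applications, and the remaining question is whether you have a separate reason, such as hiding destinations from a hostile local network, that the VPN genuinely addresses.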

[1] https://en.wikipedia.org/wiki/Security_theater