Disappearing Act: What Magic Tricks Can Teach CISOs About Malware Prevention

August 29, 2019
| |
4 min read

If chief information security officers (CISOs) could wave a magic wand and make one cybersecurity issue vanish, malware would top the list. From massive growth in destructive malware attacks to steadily rising data breach costs, malware remains a top priority for organizations. If this threat pulled a disappearing act, CISOs would find their jobs significantly less stressful.

Unfortunately, there’s no spell, potion or poultice that will make malware evaporate — but classic magic tricks offer relevant insights for managing this threat vector and delivering improved malware prevention.

Rabbits and Hats — Outwardly Harden Your Enterprise Security

The rabbit in the hat is one of magic’s most venerable tricks. Everyone knows the basics: The hat seems empty and then, suddenly, out of “nowhere,” a rabbit appears. Onlookers know that sleight of hand is the true magic here, but a great performer can make it appear as if they’ve actually managed to break the laws of nature.

What does this mean for cybersecurity? Presentation counts, and onlookers shouldn’t see your magic at work. The best magicians have props that lend gravitas to their act — in cybersecurity, this means laying a solid IT foundation that convinces malicious actors that any attempted breaches would be a waste of time. In law enforcement parlance, it’s called target hardening — the practice of securing businesses and homes by installing window bars, motion-sensing lights and other obvious security clues.

Understandably, CISOs are often so focused on underlying security measures — effective approaches to cybersecurity such as improving visibility, uncovering vulnerabilities and ensuring data veracity — that they ignore the need for more obvious infosec appearances. But upfront indications offer significant value by convincing malicious actors that they have no hope of success. From the obvious security branding of a trusted automation or threat intelligence partner to the straightforward security boost of two-factor authentication (2FA), big gestures and obvious moves are essential for keeping data rabbits safe from would-be malicious magicians’ ministrations.

It’s also worth noting that great acts ensure there’s no trace of a rabbit before the big reveal. For infosec, this means leveraging artificial intelligence (AI) tools capable of detecting threats on-demand and stopping attackers on the fly, rather than giving them a chance to read network intentions and abilities in advance.

Keep it Secret, Keep it Safe — Manage Access and Permissions

Secrets are a magician’s stock-in-trade — the more people know about how a trick works, the greater the chance someone else will copy or exploit it. Effective malware prevention demands secrecy; specifically, companies must take steps to safeguard critical tools, services and assets from both everyday users and malicious actors. This is especially critical given the growing costs of corporate data breaches. As noted by the “2019 Cost of a Data Breach Report,” the average cost of a data breach now tops $3.9 million, making cybersecurity secret-keeping a top priority for organizations.

For magicians, this means using special tools that allow them to more easily cut card decks, perform sleight-of-hand maneuvers and even shoot fireballs from their hands, according to Wired. Their goal is to create distance between performer and participants by tapping the natural human conflict to both fully understand and be fooled by sleight of hand.

To achieve the same level of secret-keeping, companies must first require a combination of cutting-edge identity and access management (IAM) with granular permissions and networkwide policy enforcement. This enables security teams to ensure the right people have the right access to data at the right time, significantly limiting the chances of a breach.

However, there’s a key difference between street-corner magicians and their corporate counterparts: knowledge. Unlike passersby who might get roped into an illusion or two, staff must feel like part of the act. According to a report from ISACA and the CMMI Institute, 95 percent of businesses point to a “gulf” between desired and current cybersecurity states, owing in large part to a lack of communal infosec culture. As Computer Weekly noted, this trend suggests a need for a new cybersecurity triad — culture, structure and strategy — where each aspect supports the other two.

What does this look like in practice? Clear communication with staff about their role in preventing common attacks such as phishing, along with straightforward explanations about permissions, access and potential consequences. Put simply, employees must be informed assistants, not audience members.

Smoke and Mirrors — Protect Assets With Obfuscation and Encryption

Magic is all about misdirection — one hand captures onlookers’ attention while the other does the work. Bright colors distract from simple sleight of hand behind the scenes.

Attackers often leverage similar diversionary and distractive techniques with broad-specturm phishing attacks, social engineering and malicious programs that hide in plain sight. Organizations can do the same with a focus on encryption and obfuscation. This how-to-prevent-malware magic act is a two-parter:

  1. Obfuscation — Organizations can protect data and documents by obfuscating key information. As noted by FCW, “Obfuscation typically involves masking user and organizational data through a powerful ‘transit cloud’ of encryption and IP hopping capabilities.” In practice, this means obscuring file pathways, storage locations and app functions to hamper attacker efforts by leading them down obvious paths that turn out to be frustrating dead ends. Sure, they might be able to gain data access, but what they find will be useless.
  2. Encryption — Magicians have their own language for tricks and illusions, one they don’t share with audiences. It allows them to converse about their trade in relative secrecy, effectively encrypting their conversation from eavesdroppers. For organizations, the impact of encryption can’t be overstated — as noted by Stephanie Balaouras, research director for the security and risk team at Forrester Research, “You can never have too much encryption.”

How to Prevent Malware With the Tricks of the Trade

Wondering how to prevent malware? Wishing it would just disappear? While there’s no magic solution, classic tricks offer actionable benefits for improved cybersecurity. Capturing attention with obvious security measures deters opportunistic attackers, making staff part of the act reduces potential breach risks, and the two-part misdirection effort of obfuscation and encryption helps enhance overall malware prevention.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more