Beware of False Conclusions in Cybersecurity

Photo by NeONBRAND on Unsplash

The growth in usage of computer systems and services has made it clear that the need for such systems is established in the daily lives of many people. But along with a good tool, comes the risk and dangers that come with the tool. With the vast and growing network of systems and programs, the practice of Cybersecurity is now a necessity to be able to securely make use of our software and hardware.

Cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes

Introduction

There are various type of cyberattacks that I won’t be discussing here, I’m sure there are enough write-ups about them in the vast expanse of the internet. But what I will get into is something anybody might be curious about when it comes to security in general — What happens when the security system makes the wrong conclusion ?

We already know that decisions made from right conclusions make everybody’s life better, an unauthorized face scan being rejected, the right PIN being accepted, your authorized fingerprint unlocking your phone (but rejecting your mom’s ? phew), a software being labeled safe for use, a website with security threats being blocked, etc.

But what if our security systems made the wrong call in the first place ? A factory halting it’s production because it’s security solution labeled part of the production line’s software as malicious and deleted it ? Your phone’s face ID wrongly labeling your dog as an accepted user ? (alright, maybe that’s just a cute threat), but the point is that decisions made from false conclusions are certainly not what anybody needs. To understand what kinds of errors are made here, let’s discuss about something called Confusion Matrix.

Confusion Matrix

Often used to describe the performance of classification on a set of test data, this table can help describe how accurate a system or model is based on true and predicted data. The table has two kinds of data — condition positive (P or 1) which is the total number of positive cases in the data, and condition negative (N or 0), which is the total number of negative cases in the data.

The basic terms related to the confusion matrix are:

• True Positives (TP) : The actual data is a Yes or Positive and the predicted data is also the same. It’s a correct prediction and when relating it to security, can be something like predicting that some malware exists in a program when it actually does exist.
• True Negatives (TN) : The actual data is a No or Negative and the predicted data is also Negative. Again a correct and favorable prediction. For eg. Concluding that no harmful agents are present in the program and labeling it safe for use when there really are none present.
• False Positives (FP) : Also called Type I errors, these occur when the actual data is Negative but the predicted data is Positive. This is an unfavorable outcome. For eg. Flagging a program as a security threat when it is actually safe for use.
• False Negatives (FN) : Also called Type II errors, these occur when the actual data is Positive but the predicted data is Negative. Again a very dangerous and unfavorable outcome. For eg. Allowing a potential security threat into a system after labeling it safe for use.

“In the cybersecurity universe, everything revolves around one basic question: is the detected sample malicious or clean?”

Type I Error : False Positives

Though you might think False Positives are not as big of a threat as False Negatives, they’re still a huge nuisance as they can increase noise for already over-worked security teams and can include software bugs, poorly written software, or unrecognized network traffic. Generally, most security teams choose to ignore false positives. But this practice of ignoring alerts — no matter how trivial — can create alert fatigue and cause teams to miss actual, important alerts related to real/malicious cyber threats.

The answer to — Is it safe or not ? — can be complicated, creating a vast grey area where good and bad resemble one another. With growing number of clients, the number of items that need to be evaluated also increases, along with the risk of causing false positives.

Such incorrect labeling can result in clean items getting blocked, quarantined and/or deleted. Not all such errors are a threat though, some can be resolved by adding simple exceptions. But other glitches can disrupt business continuity and thus potentially be even more destructive than an actual malware infection.

Type II Error : False Negatives

The above image might make a lot of sense regarding this type of error. False negatives are uncaught cyber threats — overlooked by security tools because they’re dormant, highly sophisticated or the security infrastructure in place lacks the technological ability to detect these attacks.

Such advanced/ hidden threats (hello there Trojans) are capable of evading prevention technologies, antivirus software, firewalls, and endpoint detection and response (EDR) platforms which are only trained to look for “known” attacks and malware.

False negatives have a higher chance of putting your data at immediate risk, unlike false positives. Though security systems can’t always be 100% effective, they’re being trained to handle unknown attacks and approaches more efficiently without putting user data at risk. False negatives can cause massive losses to businesses and can be a huge threat to User privacy.

Conclusion

Governing a cybersecurity approach to minimize both type I and type II errors can be done if some proactive steps are taken. Executing compromise assessments, inspection of assets, defining new policies and procedures, increasing the speed of detection, and reducing the time to respond are all factors that can help strengthen a system. Such errors must always be thought about and considered when it comes to safeguarding user data.

Hope, this was informative.
Thankyou :)