🪠Unplugging in a Cyberstorm: The Flawed Strategy of Disconnecting During Cybersecurity Incidents 🛡️💥

🪠Unplugging in a Cyberstorm: The Flawed Strategy of Disconnecting During Cybersecurity Incidents 🛡️💥

Why Disconnecting During a Cyber Attack is a Bad Idea: Uncover the Truth About Cybersecurity Strategies


5 min read

In the world of Cybersecurity, the mantra of "disconnect and unplug" during a Cyberattack has been passed down like an ancient proverb. But is this strategy really effective, or is it a symptom of a flawed Cybersecurity approach? Let's dive deep into this controversial territory and challenge the status quo.

The Silver Bullet Fallacy

Picture this: your fancy pants firewall from Silicon Valley, armed with all the latest buzzwords and promises of impenetrable security, fails to hold back the Cyberstorm. All the extra moola you have spent on that silver bullet has been wasted, as it had one job to do and it failed. In South Africa it is even more moola ever since the infamous visit of the Lady R! Eish!

Suddenly, the recommended strategy is to disconnect everything, akin to retreating to a bunker during an onslaught. But does this tactic truly address the causation of the problem?

Layered Defense vs. Single Vendor SASE Approach

The fundamental flaw lies in the single vendor SASE (Secure Access Service Edge) approach advocated by industry giants and analysts. It's like putting all your eggs in one basket, a strategy we've seen fail catastrophically in other contexts (hello, Eskom loadshedding crisis in South Africa!). Just like the Maginot Line's fall in the face of the Blitzkrieg during World War 2, next-gen firewalls can become the modern-day equivalent of a misplaced defense. The single vendor strategy has been widely promoted by the discredited American analyst firm, Gartner, and blindly as well as ironically supported by a significant majority of Silicon Valley Cybersecurity and IT infrastructure vendors. No wonder their is still ongoing cyber Blitkriege and resultant breaches around the world.

The Disconnect Fallacy

The advice to disconnect from the internet during a Cyberattack is not only reactive but also fundamentally flawed. It's based on fear and myths rather than rationality and strategic planning. Most Cybersecurity strategies are a product of this fear-driven culture, perpetuated by Silicon Valley players eager to capitalize on uncertainty. As a result IT shops have embraced a culture of keeping mum and covering up. In South African it is common for any of the major banks to refer to a Cybersecurity attack or even an actual breach as a "glitch".

Rethinking Disconnecting: Is It Really Effective?

Let's dissect the reasons behind the disconnect strategy. Is it to stop remote access? But wait, wasn't that the firewall's primary function? And what about data exfiltration? By the time a ransomware attack is detected, the data may already be in the wrong hands. "Die koeël is deur die kerk" as the failure was one of strategy long before the breach actually happened.

The Dated Defense Dilemma

Many enterprise networks suffer from outdated cybersecurity products that are rarely updated. Meanwhile, attackers evolve at lightning speed, making real-time knowledge crucial. Blind trust in default settings and a reluctance to embrace DNS filtering only create more vulnerabilities. Many firewall administrators seem to have a misplaced faith in google's resolver and a perception that intercepting DNS is a "bad thing"? It is not, as its the outer layer of the onion. In actual fact, its less CPU cycles and more effective than SSL inspection. SSL inspection is another brainfart and chokes your traffic to a single point that can be ambushed on the firewall. There is zero reward is and the cost was wasted power consumption and processing on the firewall. It it was so good, why did it not stop all these breaches that keep on being published and reported on the wires?

Doubling down on incorrect strategies

As an example, Dimension Data, a well known South African IT service provider that has since been acquired by NTT was hacked precisely because of this reason. Ironically, they sold a DNS filtering product from Cisco named Umbrella that they themselves did not use. If they had eaten their own dogfood they would not have been hacked. In 1988, Microsoft manager Paul Maritz who hailed from South Africa sent Brian Valentine, test manager for Microsoft LAN Manager, an email titled "Eating our own Dogfood", challenging him to increase internal usage of the company''s product. From there, the usage of the term spread through the company. There are a number of solutions in this area now readily available including from such entities as Cloudflare and ControlD.

Ostrich Thinking

Turning off PCs and servers during a Cyberattack is akin to burying one's head in the sand, hoping the danger passes. It's ostrich thinking that ignores the need for transparent visibility and proactive defense strategies.

Ostrich thinking refers to the famous South African big bird's habit of putting its head in the sand when predators are around. The problem manifests itself in IT with the belief that restrained visibility constrains an attacker. Eish wena. That is totally incorrect. These same IT geniuses also love to break the Internet by disabling ICMP. Because if I can't see it, no-one else will. I would go as far as to say this isn't only ostrich thinking but putting your head up your ***.

What is required is transparent visibility. You need to see what is happening and to what and where your business is connecting to around the Internet and world. Every company that releases a media report saying they have been hacked and proudly reports that their IT team is dealing with it by turning off their network and servers is also admitting they are clueless about Cybersecurity and are basically blindfolded in their Cyberdefense.

Transparent Visibility and Response: The Key to Effective Cyber Defense

What businesses need is not blind disconnection but transparent visibility. Understanding what's happening on their networks and having proactive measures like DNS filtering and threat intelligence blocklists can significantly reduce the risk of breaches.

The defensive layer using blocking of communications by lists harvested from threat intelligence is significant. The probability of a breach if this threat intelligence is in play from either Alienvault or Talos is less than 0.000001% over a span of half a decade. There are also readily available OSINT sources available that can protect a wide range of IT infrastructure. As an example, on OpenWRT you can use BanIP.

Wrap: Embracing Transparency in Cyber Defense

It's time to debunk the disconnect myth and embrace transparency in Cyberdefense. Turning off computers during a Cyberattack is not a strategy; it's a symptom of a deeper problem. Let's move away from reactive fear-based tactics and towards proactive, layered defense strategies that truly protect businesses in the cyber battleground.

Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa.