Cybersecurity: There's no such thing as a false positive

All alerts mean something, even if it's just that an employee needs more training. The threat of breach is constant, and those companies who make assumptions about alerts could be in big trouble.

Cybersecurity concept

Image: kerly chonglor/Shutterstock

The topic of false positives in the security realm is one that's been on my mind lately as a harried system administrator. A false positive entails an alert about a problem which is actually not a problem, is a known issue or is not as big a threat as it might seem.

SEE: Security incident response policy (TechRepublic Premium)

For instance, I got an alert that someone logged into a production server as root, which is forbidden. All users must rely on unique accounts for this access so all commands and actions can be tracked and linked to each individual. I checked the IP address involved, found it was a coworker I'll call Dave then talked with him to learn his own account had been locked on that server so he had to log in as root to unlock it and then immediately logged off.

The problem with false positives is that not only can they make IT or security staff complacent by assuming what's happening is no big deal, but they can distract you from the real threats by making you chase down the smaller fish for little to no purpose. I can't ignore the next root logon alert by assuming, "Dave is at it again, no biggie!"

The solution has a Zen-based approach: treat all threats equally, no matter where they lie. That alert from a test system might seem minor, but that same test system, if compromised, could potentially allow an attacker to piggyback from it into production.

I spoke about false positives with John Hammond, senior security researcher at Huntress, a cybersecurity solutions provider.

Hammond told me: "Last year was a wake-up call for so many organizations. We saw many issues with opening up remote desktop protocol to the internet as a band-aid approach to allow more productivity at home during the rapid shift to remote work. The silver lining is that it surfaced nuanced conversations about using security tools effectively. We are seeing a rising tide in the small business and value-added reseller communities. Though they need more attention when it comes to security resources and education, enterprises aren't immune either."

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

"When assessing their security tools, now more than ever, organizations must take a hard look at their dashboards for false positives/negatives," Hammond continued. "In 2021, there's really no such things as perfect tools or a false positive. If your security tool is alerting you, it's alerting you for a reason. Security controls aren't going to be tuned when you buy them so organizations will need to learn how to adjust and modify them to meet their security and business needs."

Scott Matteson: What sort of issues did we see with relaxed security among companies in 2020?

John Hammond: With the ongoing shift to remote work during the pandemic, all too often, RDP is opened to the internet while companies are concerned about how to allow employees to access the corporate network. Public-facing RDP is a bad move, but was unfortunately the knee-jerk reaction of many businesses and organizations. 

Scott Matteson: I've seen this same thing first-hand, and in many cases failed RDP logons that alerted were assumed to be legitimate users fat-fingering their passwords rather than actual attackers. Such assumptions are very dangerous. What was the reasoning behind this?

John Hammond: While the proper solution is to leverage a VPN service, some companies take the quick-fix route and open remote accessibility to some services for employees, even if this means that malicious actors can find a way in as well. Putting a bandage on will not heal the long-term effects, as threat actors are actively looking for situations like these to take advantage of.

Scott Matteson: What could have been done better?

John Hammond: Perhaps the simplest thing to remember—that often goes neglected—is the principle of least privilege and access controls to ensure that only employees at certain levels have access to the most sensitive information. Having another fragment team in place to properly set up security controls and avoid remote access from being a vulnerability is key.

SEE: Stop using your work laptop or phone for personal stuff, because I know you are (TechRepublic)

Scott Matteson:  Are there such things as perfect tools? Why or why not?

John Hammond: The short answer is no. A tool has to be developed and created by a human, and since humans aren't perfect, there are bound to be mistakes and unknown accidents that occur, creating software flaws that could slowly bleed into a tool or program. However, in the same token, people are smarter than machines, and the moment the next great security tool is built, someone is immediately trying to tear it down—this just goes to show that humans are needed on the defensive side to respond to such threats. 

If your security tool is alerting you, it's alerting you for a reason. Security controls aren't going to be tuned when you buy them, so organizations will need to learn how to adjust and modify them to meet their security and business needs.

Scott Matteson:  Is there truly ever a false positive? Why or why not?

John Hammond: Yes and no; it depends on your perspective. There is certainly a case to be made if an alarm is going off and the system administrator knows it is nothing to be concerned about if they've seen things like it before and it's a false positive. However, the other side of the coin is considering that the machine is programmed to administer an alert when something specific occurs or triggers, and considering that even if it is benign, there may still be something to be understood there.

Scott Matteson: How should this be addressed?

John Hammond: If companies can't afford a strong security arm, there has to be a team that is able to identify and remediate. It can't be just one IT individual, but rather a dedicated group that is sharp and trained. Even if the team is outsourced, it still serves the purpose of adding that extra layer of defense.

SEE: Working at a safe distance, safely: Remote work at industrial sites brings extra cyber risk (TechRepublic)

Scott Matteson: What does the remainder of 2021 hold in store for us?

John Hammond: As with most years, we will still see the same things we saw the last few years, and many of these threats, such as ransomware, will not stop and will only continue to get worse. Looking at SolarWinds in particular, we are starting to see that incident break and snap in other places. Off the tails of the election and the pandemic, this is overall an inopportune time for attacks to take place. Unless we get ahead of it and address decade-old vulnerabilities and replace outdated software, nothing will change.

Scott Matteson: What should IT professionals and businesses be focusing on?

John Hammond: All IT professionals and businesses need to be in the know. Security practitioners should be monitoring for various security advisories and actually taking the time to read them. We've seen a lot of CISA emergency directives released recently, and these are important to digest. Security has been an afterthought for too long, and it can't be anymore.

Also see