Why are we so bad at cybersecurity? It's mostly neglect.
By Michael Trachtenberg, CTO
Today’s tech world is infatuated with one thing: security. That is for good reason. Given the number of breaches and data privacy violations, a focus on security is long overdue in the technology space. The main issue, though, is that much of what people and organizations think of as security isn’t security at all. A lot of it boils down to policy, maintenance and scheduling, and for most organizations it has very little to do with actual security controls.
An organization selling data to another company, or allowing a third party to use its data, is a policy issue, not a security issue. On the other hand, the exploitable weaknesses in internet of things (IoT) devices, point of sale (POS) devices, Linux systems, the open source desktop ecosystem, Wi-Fi stacks and a whole host of other attack vectors typically exist as the result of improper or nonexistent patching or updating. Take, for instance, the WannaCry outbreak. That
Let’s examine for a minute a common scenario: an organization purchases a multitier (N-tier) application from a vendor and deploys this line of business (LOB) app in its internal network. Taking high availability into account, let’s assume there is a two-node file server cluster running Windows Server and Windows file services, a two-node Microsoft SQL Server cluster (Microsoft is an MDS partner) running Windows Server, a two-node load balanced web front end running Internet Information Services (IIS) or a Linux web server, and a two-node load balanced application server set. Beyond the N-tier hierarchy itself, that still leaves networking, governance for all of those pieces, internal and external access and access management, and communications between all tiers and all supporting services.
In this case, the organization that purchases and deploys this application doesn’t really apply “security” to ensure the safe and secure continual operation of the application; the associated vendors do. The vendors wrote all of the code and ship the updates for it. The deploying organization needs only to follow the implementation and hardening guidelines described by the vendors and then configure and maintain the systems at every level, and that alone is a daunting task at this point.
It is in that maintenance where we falter most of the time. In this scenario, we have created over 20 items that we have to patch, maintain and monitor. Because the organization has created so many chores, and information technology (IT) is typically underbudgeted and understaffed, some of these items will not be updated, a vulnerability will not be addressed, and something may eventually be compromised. If and when this happens, it is perceived as a security incident, but it was a maintenance issue.
Neglect is one reason systems go unpatched; compatibility concerns, fear of updates and the difficulty of scheduling maintenance windows are others. Sometimes the desire and capability to maintain all systems are there, but the business does not tolerate the downtime required to perform the needed due diligence. This can still be considered neglect, but it is policy- and schedule-driven neglect that doesn’t come from a lack of ability or capacity. Then there are times when the vendor of the purchased application is holding you back. Maybe the vendor doesn’t support updated operating systems or newer versions of IIS, or they went out of business and there are no further updates, and the organization is stuck with a legacy system it can’t update and a supporting hierarchy it can’t update either. A frustrating situation indeed.
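To make the maintenance burden of the N-tier scenario above concrete, here is an added example (not code from MDS or from the article) that models that deployment as a patch-surface inventory and produces the backlog report an IT team would actually need. Every hostname, date, owner and support flag in it is constructed for illustration; the reporting date and the 45-day threshold are assumptions. It also handles the vendor-abandoned case from the paragraph above: a component the vendor no longer supports is reported on its own, because it will never come “due” and needs a compensating control or replacement rather than a patch window.

```python
"""Patch-surface inventory for the two-node-per-tier LOB deployment.

Constructed example: hosts, dates and vendor status are made up, and the
inventory deliberately omits networking, identity and monitoring pieces.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed reporting date and maximum tolerated patch age (days).
REPORT_DATE = date(2024, 7, 1)
MAX_PATCH_AGE_DAYS = 45


@dataclass(frozen=True)
class Component:
    host: str
    name: str                   # the thing that receives patches: OS, role or product
    owner: str                  # who ships the fixes for it
    last_patched: Optional[date]  # None: never patched since deployment
    supported: bool = True      # False: the vendor no longer ships updates


# tier -> (operating system, role software); two nodes per tier for HA.
TIERS = {
    "file": ("Windows Server", "Windows File Services"),
    "sql":  ("Windows Server", "SQL Server"),
    "web":  ("Windows Server", "IIS"),
    "app":  ("Windows Server", "LOB application runtime"),
}

# Constructed last-patch dates per node. sql02 missed several windows,
# web02 has never been patched since it was built.
LAST_NODE_PATCH: Dict[str, Optional[date]] = {
    "file01": date(2024, 6, 10), "file02": date(2024, 6, 10),
    "sql01":  date(2024, 6, 10), "sql02":  date(2024, 3, 2),
    "web01":  date(2024, 6, 10), "web02":  None,
    "app01":  date(2024, 6, 10), "app02":  date(2024, 6, 10),
}


def build_inventory() -> List[Component]:
    """Expand the tier description into one Component per patchable item."""
    inventory: List[Component] = []
    for tier, (os_name, role) in TIERS.items():
        for n in (1, 2):
            host = f"{tier}{n:02d}"
            patched = LAST_NODE_PATCH[host]
            inventory.append(Component(host, os_name, "Microsoft", patched))
            inventory.append(Component(host, role, "Microsoft", patched))
    # The vendor-supplied LOB code runs on the app tier. In this constructed
    # case the vendor has gone out of business: no further updates will ship.
    for host in ("app01", "app02"):
        inventory.append(Component(host, "LOB application code", "LOB vendor",
                                   date(2023, 9, 1), supported=False))
    return inventory


def maintenance_report(inventory: List[Component], today: date,
                       max_age_days: int = MAX_PATCH_AGE_DAYS) -> Dict[str, List[str]]:
    """Bucket every component into current / overdue / never_patched / unsupported.

    Unsupported components are kept out of the overdue bucket on purpose:
    no patch window will ever fix them, so they need a compensating control
    (isolation, WAF, allow-listing) or a replacement plan instead.
    """
    report: Dict[str, List[str]] = {
        "current": [], "overdue": [], "never_patched": [], "unsupported": []}
    for c in inventory:
        key = f"{c.host}:{c.name}"
        if not c.supported:
            report["unsupported"].append(key)
        elif c.last_patched is None:
            report["never_patched"].append(key)
        elif (today - c.last_patched).days > max_age_days:
            report["overdue"].append(key)
        else:
            report["current"].append(key)
    return report


if __name__ == "__main__":
    inv = build_inventory()
    print(f"{len(inv)} patchable components (networking, identity, monitoring excluded)")
    for bucket, items in maintenance_report(inv, REPORT_DATE).items():
        print(f"{bucket:>14} ({len(items)}): {', '.join(items) or '-'}")
```

Run as a script it prints the four buckets; the point is that even this reduced inventory already has six items needing action, and two of them cannot be fixed by patching at all. Feed it real asset data and a real patch-age policy and it becomes the list that the “maintenance issue” in the previous paragraph is actually about.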
While it is true that maintenance neglect opens a huge attack vector for cybercrime, that’s not to say that all security incidents stem from self-inflicted wounds, but a lot of them do. There are still identity-driven threats such as phishing, impersonation, spoofing, compromised credentials and over-provisioning of permissions.
With these forms of attack increasing year over year, new tools have rapidly been developed to combat them. Here again, we get in our own way. Take, for instance, the adoption of new security controls like privileged access management or multifactor authentication. These are great security controls that block active, identity-centered threats, and organizations should adopt them right away. Yet these technologies have surprisingly low adoption rates, usually because they inconvenience change-averse users, or because IT fears that introducing them will be seen as a hindrance by those users. So even when cybersecurity threats require us to implement actual security controls, we stumble because of our failure to adopt.
Taking a look back over the course of the last decade, it is very difficult to identify large-scale cybersecurity incidents that were not attributed to self-imposed neglect, failure to modernize platforms or failure to adopt modern security technologies.
Don’t wait until company data is already in the sticky hands of hackers to react to a breach. Stay proactive with MDS and work with us to build out a custom, company-wide security protocol that is effective and easy to maintain.