It often strikes me that the same reasons for a successful hacking attempt keep cropping up again and again: patches not installed, failure to check code, lack of strict access control, unable to spot a phishing attack. These aren’t particularly sophisticated attacks as they simply exploit the types of vulnerabilities that we’ve known about for decades, but we still allow them to happen. It makes me wonder what’s being done wrong.
When I was a young lad, I was often told all you needed to fix a car was a hammer, penknife and the silver paper from a cigarette packet to gap the points under the dizzy cap (yes, I’m showing my age, and if that technical description meant nothing to you, try Googling it). Anyway, the point is, car maintenance (like a lot of things) was a lot simpler back in the day.
Nowadays, cars are a lot more complex and filled with electronic gizmos which automatically adjust settings and flash up helpful warnings – low fuel, tyre pressure, engine management to name a few. If something isn’t exactly as it should be, you’ll know about it. The price we pay for all this helpful technology has increased over the years, but the benefits are easy to see and, provided we heed those warning displays, the chances of calling out the breakdown service or taking a long, cold walk home are dramatically reduced. Technical infrastructure has (likewise) seen many advances, becoming more complex in an effort to meet increasingly diverse requirements and combat progressively sophisticated attacks.
But while the automotive and other transport industries have recognised and embraced a safety culture and the need for better monitoring and control systems, the IT industry has not been so keen, despite sharing the same service ideal: hosting, transmitting and protecting something valuable. The tools are out there but the benefits in employing them aren’t always appreciated or understood. That’s not to say security starts and finishes with IT, but the vast majority of data is processed by IT infrastructure.
One key difference between these scenarios is the cost of investment. With your car you don’t get a lot of choice, they come as part of the package, whereas deploying protective monitoring and other methods on the network is not something included in the price and can therefore easily be ignored. Instead of a built-in cost, there’s the process of assessing the risk, determining the optimal choice of solution, seeking and gaining approval and THEN the pain of install and configuration.
Wouldn’t it make life easier if performance monitoring, IDS, firewalls, proxies, log aggregators, SIEMs, vulnerability scanners, malware detection and all the many other tools came pre-packaged, pre-installed and ready to go? Sure, they’d up the cost a fair bit but at least you’d have a much more secure network and some level of assurance that unwanted behaviours are identified and notified to you. It’d be just like driving your car today, as safe and secure as it can be made to be.
To me, this shows how the cyber security industry has still got a lot of growing up to do. We don’t have a legal standard we must comply with (although GDPR did make headway in that direction) and we don’t have a concrete set of rules we must obey. Despite being in business to protect assets, we often don’t insist on the right protective measures being put in place. Instead, we tend to take an approach based on reducing the highest risk rather than making safety our primary consideration, we balance what you could lose against what it would cost to stop it from being lost, effectively selling insurance instead of solutions. Sadly, that means there’s always that thought in the back of our minds about what’s the most affordable and therefore going to be the minimum protection acceptable.
We need to do some serious thinking. We need to look at other industries where big improvements in protective controls have been made and see what they do differently. We need to look at different approaches we could take. We need to start talking about compulsory standards and, ultimately, we need to acknowledge that we’re in the safety industry but we’re not effectively pushing safety.
Rome wasn’t built in a day and an entire industry won’t change overnight so what should be done right now? Review your security controls and processes, then go to the Board and tell them there’s a problem and you need the money to fix it. If they request cost-benefit analyses and justifications, tell them the cost is the loss of millions if not the entire business. The benefit is remaining as a viable organisation and the justification is in the daily headlines. If that doesn’t work, ask them what they’d do if their own car was subject to a recall due to the potential to catch fire and explode, would they be happy to ignore it, or would they get it fixed as soon as they could?