[Posted on behalf of Steve King, Director, Cybersecurity Advisory Services Information Security Media Group (ISMG) ] (source)
By now, you’ve been inundated with security predictions from all the major vendors and talking heads. I won’t repeat what all of them have said, because well, why would anyone do that?
Instead I am offering my Christmas special predictions based on one of my favorite topics: Fundamentals.
2020 will reveal a continued increase in successful breaches and cyber-attacks that will be easily traced back to the overwhelming historical causes of all data breaches which is failed fundamentals.
We will continue to see misconfigured servers, unpatched vulnerabilities, mis-understood shared responsibility models for cloud computing, human intrinsics blocking rational responses to phishing attacks, partial patches, 900,000 Internet facing and exposed RDP servers with overly provisioned access privileges and poorly planned or completely unprepared recovery remnants following an increased quantity of successful Ransomware attacks.
We will witness the congenital failure of mid-cap businesses to spend the equivalent of a small Christmas party next year for security awareness training that would likely prevent a sizable percentage of the phishing attacks that will lead to Ransomware infections and even more costs. Why this doesn’t get done is beyond me.
We all have more work to do than can be done in the time allowed and we multi-task all day. This sets up a condition that enables all of our cognitive biases to control our response mechanisms to repetitive electronic signals (like email).
Our availability biases tell us that Ransomware is rare in our industry sector and only seems to be happening to municipal government in cities like Atlanta or New Orleans, so our little manufacturing company is likely not a Ransomware target. Thus, we lower our cautionary guard rails and fail to recognize the next phishing attack.
Our confirmation biases tell us that we have never been targeted before, so we are probably not going to be targeted in the future. Confirmation biases prevent the preparation for and acknowledgement of the possibility of Black Swan events.
And fundamental attribution errors tells us that other people are the ones who are prone to mistakes that lead to security breaches and not ourselves.
We have tons of social platform pressure to admonish our politically incorrect speech, but none that shame our security consciousness. Our largely crappy passwords are kept private. Our secret workarounds are not publicized beyond our departments or work groups. No one actually knows how badly vulnerable our individual workstations or workflows might be and we’re not about to be sharing any of that anytime soon.
The systems that we leverage to do our jobs were not designed with security in mind nor is security on the top of our minds as we go about our daily tasks. Without comprehensive and repeated awareness training, we will continue to perpetuate the human vulnerabilities that the bad guys seek to exploit. And that includes the actual information security practitioners as well as and most especially, the C-suite and Board members.
Those vulnerabilities that are caused by failed fundamentals and human intrinsics extend to misconfigured cloud servers, where breaches like the historic event at Cap-1 occur, inviting more to occur in the future.
If we examine the significant breaches of the past decade, we see that human failure either caused or exacerbated every one of them.
The Target breach resulted from a fundamental failure to vet third-party security and established the current trend toward third-party risk assessments.
The SONY breach as caused by a combination of weak passwords (3 instances of “password” were discovered), lack of server hardening (resulted in access to one server and thereby the entire network), not responding to alerts or not having the controls in place to set off such alerts, inadequate logging and monitoring, and lack of Security Awareness training (aka fundamentals) all contributed to the attack.
The huge NotPetya attack was a ransomware virus that jumped from unprotected network to interconnected networks across the world, bringing global production facilities and shipping operations to a halt causing lasting outages and significant damage not just to desktop computers, but to the systems that run large industrial equipment and logistics operations.
In the case of Maersk, their 150 domain controllers were programmed to sync their data with one another, so that in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously, which is of course what happened in that attack.
NotPetya and WannaCry before it, introduced the world to ransomware, which has reverberated and is now one of the biggest threats to U.S. cities, educational institutions and health-care providers, most of whom do not have current, reliable and tested backups of their systems and data.
In March 2017, a vulnerability in an open source software platform known as Apache Struts was discovered, and the U.S. Computer Emergency Response Team released an urgent memo to companies to patch the problem. A memo that Equifax received yet chose to do nothing in response. The rest Is history.
The 2018 Marriott breach revealed a serious flaw not in their cybersecurity defense platform but in their workflow and process around merger due diligence. The acquisition of Starwood resorts included an infected database that led to the breach and theft of 500 million Marriott member accounts along with 5 million passport-related PII.
And finally, the CapitalOne breach resulted from a misconfigured cloud server that had over-provisioned access privileges, combined with a fanatical former AWS software engineer who knew where to look.
Though we have recognized, understood and acknowledged the causes, we continue to manage our cybersecurity programs on the animating principles of implementing the right point solutions and integrating miracle technologies while ignoring basics like patching, authentication, third-party vetting, network segmentation, backups, security awareness training, and vulnerability management.
Instead I am offering my Christmas special predictions based on one of my favorite topics: Fundamentals.
2020 will reveal a continued increase in successful breaches and cyber-attacks that will be easily traced back to the overwhelming historical causes of all data breaches which is failed fundamentals.
We will continue to see misconfigured servers, unpatched vulnerabilities, mis-understood shared responsibility models for cloud computing, human intrinsics blocking rational responses to phishing attacks, partial patches, 900,000 Internet facing and exposed RDP servers with overly provisioned access privileges and poorly planned or completely unprepared recovery remnants following an increased quantity of successful Ransomware attacks.
We will witness the congenital failure of mid-cap businesses to spend the equivalent of a small Christmas party next year for security awareness training that would likely prevent a sizable percentage of the phishing attacks that will lead to Ransomware infections and even more costs. Why this doesn’t get done is beyond me.
We all have more work to do than can be done in the time allowed and we multi-task all day. This sets up a condition that enables all of our cognitive biases to control our response mechanisms to repetitive electronic signals (like email).
Our availability biases tell us that Ransomware is rare in our industry sector and only seems to be happening to municipal government in cities like Atlanta or New Orleans, so our little manufacturing company is likely not a Ransomware target. Thus, we lower our cautionary guard rails and fail to recognize the next phishing attack.
Our confirmation biases tell us that we have never been targeted before, so we are probably not going to be targeted in the future. Confirmation biases prevent the preparation for and acknowledgement of the possibility of Black Swan events.
And fundamental attribution errors tells us that other people are the ones who are prone to mistakes that lead to security breaches and not ourselves.
We have tons of social platform pressure to admonish our politically incorrect speech, but none that shame our security consciousness. Our largely crappy passwords are kept private. Our secret workarounds are not publicized beyond our departments or work groups. No one actually knows how badly vulnerable our individual workstations or workflows might be and we’re not about to be sharing any of that anytime soon.
The systems that we leverage to do our jobs were not designed with security in mind nor is security on the top of our minds as we go about our daily tasks. Without comprehensive and repeated awareness training, we will continue to perpetuate the human vulnerabilities that the bad guys seek to exploit. And that includes the actual information security practitioners as well as and most especially, the C-suite and Board members.
Those vulnerabilities that are caused by failed fundamentals and human intrinsics extend to misconfigured cloud servers, where breaches like the historic event at Cap-1 occur, inviting more to occur in the future.
If we examine the significant breaches of the past decade, we see that human failure either caused or exacerbated every one of them.
The Target breach resulted from a fundamental failure to vet third-party security and established the current trend toward third-party risk assessments.
The SONY breach as caused by a combination of weak passwords (3 instances of “password” were discovered), lack of server hardening (resulted in access to one server and thereby the entire network), not responding to alerts or not having the controls in place to set off such alerts, inadequate logging and monitoring, and lack of Security Awareness training (aka fundamentals) all contributed to the attack.
The huge NotPetya attack was a ransomware virus that jumped from unprotected network to interconnected networks across the world, bringing global production facilities and shipping operations to a halt causing lasting outages and significant damage not just to desktop computers, but to the systems that run large industrial equipment and logistics operations.
In the case of Maersk, their 150 domain controllers were programmed to sync their data with one another, so that in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously, which is of course what happened in that attack.
NotPetya and WannaCry before it, introduced the world to ransomware, which has reverberated and is now one of the biggest threats to U.S. cities, educational institutions and health-care providers, most of whom do not have current, reliable and tested backups of their systems and data.
In March 2017, a vulnerability in an open source software platform known as Apache Struts was discovered, and the U.S. Computer Emergency Response Team released an urgent memo to companies to patch the problem. A memo that Equifax received yet chose to do nothing in response. The rest Is history.
The 2018 Marriott breach revealed a serious flaw not in their cybersecurity defense platform but in their workflow and process around merger due diligence. The acquisition of Starwood resorts included an infected database that led to the breach and theft of 500 million Marriott member accounts along with 5 million passport-related PII.
And finally, the CapitalOne breach resulted from a misconfigured cloud server that had over-provisioned access privileges, combined with a fanatical former AWS software engineer who knew where to look.
Though we have recognized, understood and acknowledged the causes, we continue to manage our cybersecurity programs on the animating principles of implementing the right point solutions and integrating miracle technologies while ignoring basics like patching, authentication, third-party vetting, network segmentation, backups, security awareness training, and vulnerability management.
.png)
Comments