There is a saying that experience is something you don’t get until just after you need it. I can’t think of a better application of that quote than with IT and information security. You see it is time to take off the blinders. You know the ones that say things like: “We don’t have anything a hacker would want,” “We’re compliant and therefore secure,” or “We trust our employees to do the right things.”
What’s the big deal? Just look at the headlines over the past couple of months. We have never seen so many high-profile security breaches against the likes of RSA, Epsilon, Lockheed, Sony and numerous federal government agencies. This onslaught of malicious attacks is unlikely to let up any time soon — that is, unless and until we do something about the basics of information security.
It appears that many business executives are heading in the wrong direction with information security. The new belief is that when you get hacked, it is merely an “inconvenience” rather than an indicator of choosing to ignore the obvious. In fact, “We got hacked” has become the new scapegoat presumably absolving business leaders of any responsibility or accountability in an area that they know is creating business risks.
What is interesting about most breaches we are seeing today is that they do not require “mad hacker skills” to exploit. They are simply glaring oversights of basic security flaws that we have known about for at least a decade, such as:
• Missing patches that lead to external hackers or rogue employees gaining full admin-level access to systems they do not even have login accounts for;
• Default, blank and shared passwords that, well, provide unfettered access to everything;
• Lack of input validation on Web sites and applications that lead to cross-site scripting and SQL injection;
• No drive encryption on laptops that enable anyone in possession of a lost or stolen system to view sensitive files, connect to your network VPN remotely, recover passwords and more stored in Web browsers; and
• No power-on passwords on smartphones that, like laptops, enable full access to e-mail, files, VPN, remote desktop connections and more.
As German writer and philosopher Johann Wolfgang von Goeth once said, “Nothing is as terrible to see as ignorance in action.” That is exactly what we are seeing with so many of these security incidents — ignorance of the very basics of information security.
With the maze of IT complexity you have in your environment — network infrastructure hosts, servers, workstations, mobile devices, databases, Web applications, the cloud and more — everything is fair game for attack. The potential for exploitation of these basic flaws is limitless.
If you as an IT manager or network administrator simply took the next six months and focused on these fundamental security flaws that should not be there — especially knowing what we know in 2011 — you could easily eliminate 85 percent of IT-related vulnerabilities. If you are able to get your arms around the problem of gullible users making bad choices (I’m not convinced that this is possible, but it is good to have goals) that would be good for another 10 percent security risk reduction. It is a matter of the right people making the right decisions to do the right things.
I’m not saying that hack attacks will suddenly stop if all businesses got their security ducks in a row. Criminal hackers and computer gurus starving for attention will always make bad choices. That said, I think the attacks will become more sophisticated, yet fewer and further between. I also believe we will see more and more attacks against other targets such as the power grid, our buildings and even our automobiles so the attention will move further away from computer operating systems, applications and databases.