In 2015, we’re still making the same mistakes. Plus a few new ones.
Cybersecurity pros often suffer from a condition that we’ve come to call volarfaciem. This name comes from the volar, meaning the fleshy part of the hand in between the wrist and the fingers, and faciem, which is the latin for ‘face’.
In cybersecurity circles, face and palm often meet, as practitioners encounter case after case of bad security practice. Here are five security blunders that organisations often make that can leave practitioners with a nasty hand-shaped imprint.
Not patching software promptly
Lee Brotherston, who will be presenting at SecTor this year, groans when he hears that companies aren’t patching software promptly. The favourite quote that he has heard on the subject: “When your patches are six months out of date you don’t need to worry about zero-days, you’ve got another 180 or so days to worry about first.”
Evidence bears this out. The number one theme in HP’s 2015 Cyber Risk report is that well-known attacks are still commonplace. 44% of comprises found in 2014 were from vulnerabilities first documented in 2010.
Why aren’t companies patching? It’s well-understood process, Brotherston suggests. Patches that cause problems occur less often than they used to, and virtualization has made it easier to roll things back.
“The reasons for this are probably specific to many organisations and probably include lack of time/resources, lack of operational maturity, and large and complex testing and release programs,” he concludes.
2015 SecTor security speaker Ken Westin, senior security analyst at Tripwire, despairs when he sees companies blindly relying on security tools that they don’t even known how to use.
“I have seen organizations deploy expensive security tools where the business believes they are more secure, only to see that the systems are completely misconfigured to the point they would be more secure without the expensive tool,” he said.
This problem gets more common as cybersecurity tools become more complex. Security features sell, not least because buying tools with lots of bells and whistles suggests that you’ve covered all your bases. But relying on technology alone at the expense of people and process will lead organizations down a dark path, said Westin.
“A lot of this is both a management issue, but [it’s also down to] irresponsible vendors who sell technology and don’t see the deployment and success of the security program as a partnership,” he warned.
The bottom line: cybersecurity tools are becoming far more sophisticated. Understand how to configure them properly, ideally with a vendor or channel partner’s help.
You’d think this one would be obvious, right? But that’s why it’s a facepalm. It’s 2015, and companies still aren’t encrypting their data. Hilary Clinton may be under attack for her email strategy, but she isn’t the only one under fire. US government departments are still failing to encrypt email communications. The White House’s annual cybersecurity assessment found that the Small Business Administration, the National Science Foundation, Transportation Department, State, Labor and Agriculture Departments still aren’t encrypting emails.
Then, there’s mobile data. The US Department of Veterans Affairs had the lowest percentage of encrypted mobile assets (5%), six years after it paid $20m to settle a class action lawsuit over PII lost on a stolen laptop. That event, which compromised the data of 26.5m people, or 8.8% of the entire US population, happened in 2006.
Aiming for ‘100% security’
Facepalm number four: thinking that you’re invincible. This one was flagged by KPMG in its own list of cybersecurity blunders. Security pros know that it isn’t possible to be completely secure, and that security is typically a tradeoff. Confidentiality, integrity and availability are three broad components to security, and emphasising one of these aspects in the CIA triangle often means sacrificing an element of the other.
Thiinking that you’re completely secure can lead to other blunders, such as not bothering to check for indicators of compromise. And that leads us to facepalm number five…
Not listening to your tools
The flipside of this is not listening to data from properly-configured tools that might give you an early warning about impending attacks. This is another bugbear for Brotherston.
“Lots of companies have deployed tools which produce large volumes of useful operational data, but if nobody is looking at them then there is no point,” he said.
Target was a good illustration of this. The retailer spent $1.6m on threat detection services from FireEye, which spotted attackers uploading malware designed to steal credit cards. The FireEye team informed Target’s security team, which reportedly ignored the warnings and stood by while cybercriminals pilfered 40 million credit card numbers.
“I have seen instances of this with other tools such as SIEMs and DLP solutions,” said Brotherston. “People seem to forget that installing the tools is not enough to realize their value. The supporting people, processes and procedures are also required.”
Left untreated, volarfaciem can lead to other conditions, such as throbbing temple and jimmyleg syndrome. Come to SecTor’s 2015 conference to hear sage advice from speakers like Brotherston and Westin. It’s good for what ails you.