I am not a fan of FUD speeches (FUD = Fear, Uncertainty, Doubt). Today, however, I will cross over to the negative side of the speech and share with you some thoughts about the tough days we are facing:
- “Cyber battle apparently under way in Russia-Ukraine conflict” – remove the word “Cyber”, and this could have been a headline 150 years ago too. Unfortunately, we are not talking about the armed conflict the Russians generated in October 1853 under the pretext of protecting the Russian Orthodox people. We are talking about the cyberwar that is emerging right now between Russians and Ukrainians for the high stake of controlling communications in Crimean territory, and not only there. A real cyberwar is being carried out by disciplined “hattackers”, bringing casualties among the ranks of servers and PBXs. Any thoughts about what is or isn't protecting these key communication channels? How may this be affecting you? Surely there may be some emerging concerns over Russian-made technologies by now. Given the way the media is playing it, how are organizations in other parts of the world of interest to these cyberarmies?
- “Target announces technology overhaul, CIO departure” (Oh, no, Target again.) There's nothing funny about one of the worst incidents in the payment industry's history (Target Investigating Data Breach), and the people actually hurt are, as usual, the customers, who pay by having their information disclosed on the black market. Given the amount of customer information that passes through retailers, it’s very hard to imagine that Target wasn’t more vigilant in its security practices. However, somehow they got breached in a perfect storm of people, technologies and processes that failed. And seemingly the root cause was that they believed they had best-of-breed technologies that would automatically protect them against anything bad.
You might ask: what do these stories have in common, and what do they have to do with me? The common ground is this: whether intended or unintended, reliance on classic security technologies and practices leaves organizations and people vulnerable. To avoid failed trust, security innovation, combined with vigilance, is key.
Security and comfort zones
We tell children to learn from the mistakes of others, but what are we doing about it ourselves? Are you in a comfort zone that allows you to look at several reports, buy a technology, implement it and live happily afterwards, sure that you made the right choice and are well protected? Good marketers will tell you “you are OK” and have nothing to worry about, and you remain assured that even though there are big hyenas outside, your fences are good and keep them out.
Then, one day, poof! Your data appears in a repository somewhere and the authorities tell you that you were actually breached weeks, months or even years earlier and didn’t notice. You have to work for two months to remediate, your company loses credibility and eventually you are forced to resign.
Looking at the human aspect of decision making, it is in our nature to play it safe by buying a big brand that is recommended and well established – after all, they say that “nobody got fired for buying Cisco…”. And once you’ve bought the big brand, it comes naturally to renew it automatically. Not to mention that change is a delicate process that also involves all those downtimes, learning curves and so on. So, in the long run, some get lulled into staying with the “same ol’ stuff” and living happily ever after. But is it really so?
Some things age well with time – but not security
When it comes to security, old is bad. A colleague was telling me about friends of hers who complained about virtualization, saying that they hadn’t reached the promised benefits. When she asked them what security they used, they answered “well, you know, the same best solution we use in our physical environments”. Why? Because “it functions”, or “it integrates within the global console”.
Nowadays almost all decent antimalware vendors have a dedicated product for virtualization. But what happens in those moments when the VMs hit their limits because of the antimalware and you have to restart them? It takes time until the scan engines are loaded, and that is time the attacker may need to put some malware there. This may sound paranoid but, for example, in the latest wave of attacks directed at the big retailers, almost all of the attacks were targeted and used in-memory malware that would update after some time with other components. So, in this case, “the ol’ stuff” may have provided the window of opportunity needed to gain access.
I invite you to think about these questions:
- Do you have a security defender that says that everything is OK and you are 100% protected?
- Do you have a product that you bought years ago and have kept because of the costs of changing it?
- Do you fear that the product you have is not in line with the new trends: virtualization, advanced persistent threats, sophisticated attacks, BYOD?
- Do you have new projects that are or may be impacted by the old security technology?
If you have answered YES to at least one of these questions, maybe it’s time to consider a change – it may turn out to be less expensive and more beneficial than you think!