It is very interesting to see the Equifax report. Most pertinently, they had processes, tools and policies in place, yet still succumbed in a big way. Risk materialised. A risk that, with what most would deem the basics, and probably more, should have largely been mitigated.
Yet we have a serious problem in the industry. The Equifax story, or certainly situation, could easily be transposed to almost any organisation on the planet.
Many of us in the industry trot on about the basics regularly. I do, and I am guilty of the following. When we talk about the basics of security, we do forget to factor in that a lot of organisations already have the basics in situ. Don’t get me wrong, some still don’t! In 2018!!!
However, those basics represent a serious legacy that security has to address. The legacy is that the basics of security have been operated poorly for years.
Utterly out-of-step policies written by security, for security, to the detriment of the customer, who, let’s face it, barely bothers to read the nonsense we throw at them anyway. Once-a-year CBT awareness training that does literally nothing but waste money, time and effort.
Password governance and advice that almost forces the customer into ‘bad practice’. A complete unknown in terms of assets, users, privileges, protocols, networks. Security, and poor IT, that has also bred ‘shadow IT’, or simply unmet user demand.
Technologies that are criminally underutilised in terms of the functionality that has been paid for, and frankly unloved and uncared for.
It is this legacy of poorly operated security that makes ‘doing the basics’ really, really hard. That is also compounded by a need to accelerate the adoption of new ways of working, technology, methodologies, digital et al.
So we are left with shaky foundations in dire need of restoration, whilst the house keeps shifting direction and changing shape and dynamics.
If doing the basics were easy, we’d all do it. Many have, actually. Badly. With the best intentions, albeit with, in all likelihood, poorly articulated risk based on theoretical one-off assessments, and then left to drift.
Technologies that are poorly managed, if at all, once they have entered operation. Firewalls drift, we all know that. They start with necessary ports and protocols only and over time drift to, as near as damnit, ANY ANY.
This despite change governance and risk management being in operation, which does beg the question of what use they serve.
The same can be said of most security controls: people, process and technology. We let them drift, whilst some still take comfort in the fact that they are there, but when we look in the cold light of day, how many would actually be deemed effective?
And that’s before we factor in the shifting risk landscape, which, in the majority of cases, we fail to actually manage.
And now we find ourselves in the position of needing to retrofit basic security, that actually works in business operation (and not to the detriment of the customer), which is nigh on impossible. Or seemingly so.
And of course, it is damn hard to get budget to fix all the stuff that is already there and should be working optimally by now. If we are even aware of the sub-optimal nature of our comfort blanket of security controls.
This goes way beyond just patching, which in itself can be a bloody art form!
I’m sure if you could start again, you’d do things differently, but we do not get that luxury. We are where we are. That’s not a great place to be for many an organisation.
So, do not be surprised when the next big breach happens. Nor be quick to point the finger. This could be almost any organisation. The failings at Equifax are extremely serious, but in no way should they be seen in isolation.
There is a common denominator in the plethora of breaches, and it is not what certain groups will want you to think, which is that it is down to the continued rise in sophistication of adversaries.
It is down to a legacy of poorly defined and operated security. If one thing has to change it is this.
Adversaries are getting more sophisticated, as is technology, the tools at their disposal, their awareness, their abilities. The same can be said of defenders. However, adversaries are not held back by this overarching legacy that we in security often inherit.
We do need to get back to basics, but also empathise, in that we know the basics are bloody hard, especially so with a legacy of poorly operated security.
This is no quick fix. No magic bullet. No 5th generation widget that will solve our ills. There is incremental and well thought out change that leads to improvements. But that also needs to be maintained or it will simply drift too.
We can use things to our advantage, to accelerate the change, like existing digital transformation programmes, though this has to be with well-articulated risks, including the parameters that make up such risks, built into the design, and operated well!