Why do we do so badly at security?
The year is 2018 and cyber security is not a new topic. So why is it that every day hacking makes the front page? Why are we doing so badly with what is, at this point, not a new problem?
There have been a couple of articles in recently that I think illustrate the problem quite nicely, firstly this one from El Reg and then this one about the NotPetya malware incident at Maersk in Wired.
Both triggered lengthy Twitter threads from me (here and here if you want to read them).
Also I think this from @halvarflake illustrates well the same sort of problem.
In short, I think we continue to be bad at security because for far too long the IT infrastructures that are crucial to modern companies (and indeed our day to day lives) have been hugely neglected. For decades the mantra has been to outsource to the cheapest provider, with no thought given to the long term sustainability or security of said infrastructures. And that is where we find ourselves now – dealing with the legacy of decades of short sighted IT policies and underinvestment.
The Maersk NotPetya disaster demonstrates this especially well – NotPetya was virulent and well designed, but relied on a vulnerability for which a patch already existed, and password harvesting techniques that are well known, and for which mitigations exist. Adding to that, the infection should not have been able to propagate unimpeded across a whole global network. Network segregation is not a new idea but doing it properly takes time and effort.
Indeed, a key passage in the Wired story shows how Maersk had actually identified all these weaknesses, but nothing was done. This is not an unusual situation, and certainly is consistent with my own experience of working with large organisations.
I’ve written more recently on cloud services, and how you can use them in an effective and secure way. One of the reasons services like Office 365 are good is that it takes the infrastructure management away from you, the customer, and leaves it with Microsoft. You don’t have to worry about upgrading and patching servers, you can just get on with doing business. And yes, I know I have already railed against outsourcing in this piece, but I have nothing inherently against outsourcing, I just think it has been misused. Modern service providers, like Microsoft, know how to manage large infrastructures and can do so at huge scale. It is this that makes it cost effective for you, whilst not surrendering security.
Lots of organisations are going to continue to have to manage large on-premise networks, full of kit of varying ages, and be unwilling to pay what it costs to make all this manageable, and hence secure.
I remain concerned that we have not learnt this lesson that well. IoT devices proliferate at an enormous pace – millions of devices, connected to the internet and always on, that were designed primarily to be low cost. Likewise, I am not convinced that some of the initiatives from governments at the moment are going to pay off – do we need more people with cyber security degrees, or would the money be better spent on improving training for developers, and better software development lifecycles which can properly include elements of security testing?
In an ideal world cyber security should be like fire safety. Very few people (in developed countries at least) die in fires at work, and it is not because every organisation has a huge fire safety department, or because the government pushed for lots of people to go and get a fire safety degree. It is because fire safety is woven into the fabric of a culture so completely it is more or less unseen – architects design buildings that can easy be escaped, and that contain fires, builders use fire retardant materials, fire alarms and fire escapes are mandated and lastly we expect organisations to have nominated fire marshals, fire extinguishers and conduct fire drills. This is what we should be aiming for with cyber security – having it woven into our infrastructures with organisations and individuals really only responsible for the last few components.