Have We Lost Sight of the Cyber Security Forest For the Trees?
It is only April and we have already witnessed too many “techno-crime” news headlines. As the frequency of these events increases, I wonder: are we overlooking a much bigger issue that needs to be addressed while we spend our time analyzing how each individual attack occurs and obsessing over the details of how it does its damage?
I won’t spend this entire blog post rehashing every detail of each attack, but for the sake of catching up those who may not have heard about all of these incidents, let’s quickly highlight:
A major US metropolitan city government saw some of its essential applications, including its judicial system and warrant processing systems, locked down. As of the time of this writing some of those systems have yet to be fully recovered, and the overall cost is being measured at ~$2M.
Another US city’s 911 automated dispatching system was taken hostage for over 24 hours, forcing personnel to revert to manual procedures and adding vital seconds and minutes to the city’s emergency response times.
A major US-based aerospace manufacturer experienced a lockdown of select systems controlling various aspects of its manufacturing line, including some product QA and test operations. Manufacturing was held up and disrupted. From the news reports of this attack, it could have been a lot worse if the ransomware used (WannaCry) had not already been well known and analyzed.
Dutch machine builder Almi experienced a ransomware attack targeting manufacturing automation robotics (It Attacked the Robots!!!) and halting production. After paying an €8,000 ransom, the total destructive cost of this attack according to Almi was estimated to be around €60,000 and that estimate didn’t include indirect and consequential damage.
Healthcare and philanthropic organizations are not exempt from being targeted by ransomware. A dentist office was forced to report a successful attack to the Department of Health and Human Services after finding that systems containing data on 1,500 patients were infected with ransomware.
Again, I’ll repeat, it’s only April…
So let’s keep analyzing the trees in this forest just a little bit longer. When we analyze some of these attacks, their success can be attributed to some form of human intervention, or the lack of it. For example, while troubleshooting servers to solve issues unrelated to the attack, network ports were opened and then mistakenly left open once the work was done. Obviously, this makes the server more exposed to incoming attacks. Now let’s look at an example where the lack of intervention is equally dangerous: operating systems of critical manufacturing process controllers were not upgraded to the latest vendor-recommended releases and patch levels, allowing attackers to leverage known vulnerabilities already identified in the older code. I could keep going here...
In other cases, no level of conservative IT process, rigorous checks and balances, or oversight can prevent an end user from clicking on one bad email attachment and starting a chain of disastrous effects across that organization’s network and systems.
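The "port left open after troubleshooting" case above is the kind of drift a periodic check catches before an attacker does. As an added example (not from the original post), here is a small Python script that parses `ss -tlnp`-style output and flags any listening TCP port that is not on a per-host allowlist, or that is supposed to stay loopback-only but is bound to all interfaces. The `SS_OUTPUT` text and the `ALLOWLIST` are constructed for the example; on a real host you would feed it the actual command output and your own approved service list.

```python
"""Flag listening TCP ports that are not on an approved list.

Added example. SS_OUTPUT below is constructed to imitate the layout of
`ss -tlnp` on Linux; it was not captured from a real host.
"""
import re
from dataclasses import dataclass

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=4410,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Hypothetical policy for this host: "any" means the service may listen on all
# interfaces, "local" means it must stay bound to loopback only.
ALLOWLIST = {22: "any", 443: "any", 5432: "local"}

LOCAL_ADDRS = {"127.0.0.1", "::1", "[::1]"}
_PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_ss(text):
    """Turn `ss -tlnp` output into Listener records (LISTEN rows only)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address looks like 0.0.0.0:22 or [::]:22; split on the last colon.
        addr, _, port = fields[3].rpartition(":")
        m = _PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def is_local_only(addr):
    return addr in LOCAL_ADDRS


def find_unexpected(listeners, allowlist):
    """Return (listener, reason) pairs for anything outside the policy."""
    findings = []
    for lst in listeners:
        policy = allowlist.get(lst.port)
        if policy is None:
            findings.append((lst, "port not on allowlist"))
        elif policy == "local" and not is_local_only(lst.address):
            findings.append((lst, "must be loopback-only but is exposed"))
    return findings


def main():
    for lst, reason in find_unexpected(parse_ss(SS_OUTPUT), ALLOWLIST):
        print(f"{lst.address}:{lst.port} ({lst.process}): {reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed output it reports only the VNC listener on 5900, which is exactly the sort of "opened for troubleshooting and forgotten" service the text describes. The same check run from a cron job or configuration-management agent turns a one-time mistake into a finding within minutes instead of months.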
Which brings me to my overall point (hence the title) of this post. I think the Forest is being overlooked for the Trees.
We are advancing technology at a pace this world has never seen. We embrace new processes and technology readily, without a second thought. I am certainly not advocating that we slow the pace of technology adoption, as it definitely has its benefits and helps advance humanity. However, I do think that vendors, as well as consumers, need to raise their awareness so that both have a working knowledge of the technology and its potential risks.
As consumers, we should understand that cyber-attacks and ransomware will be around for the foreseeable future and will become more commonplace. We need to take responsibility for being knowledgeable about these risks as we adopt the technology we use. More importantly, as we become more informed, we should hold our governments and the organizations we do business with accountable, to ensure they design and offer technology that keeps cyber security issues in mind.
For IT directors leading a business IT organization, cyber-attack mitigation and remediation SHOULD NOT be treated the way backup and recovery so often is in the IT landscape.
Come on, don't deny it, we all know backup is often seen as the least sexy and most avoided aspect of IT solutions. As new infrastructure and cloud applications are rolled out, keeping cyber-attack risk at bay should be a high-priority design goal. Even more importantly, solution design should incorporate the processes and technology that allow a business to RECOVER from a successful attack, making the business more agile and resilient in today’s environment. As far as can be seen from the example attacks I mentioned above, recovery processes and solutions were either not fleshed out or non-existent.
Now you may be thinking... "But I already have a robust backup process and maintain multiple copies of production so I can recover!"
Unfortunately, I am here to tell you that you can't simply rely on your existing backups to save you in every instance when we are talking about malicious attackers. Data protection systems should NEVER be confused with, or assumed to be, your only cyber-attack remediation plan. As we have seen in some attacks, the ransomware or malware targets the backup copies first, before destroying production, because a backup that the attacker can reach from the compromised network is just another file to encrypt. Cyber-attack recovery requires an additional architectural layer of protection which purposefully segments offline (or otherwise immutable) copies of production data from the attack surface, and those copies are only worth having if restores from them are actually tested.
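One concrete piece of that extra layer is an integrity record of the backup set that lives with the offline copy rather than next to the live data. As an added example (not the author's code or any specific product), the Python below builds a SHA-256 manifest of a backup directory at backup time and later verifies the directory against it, reporting files that were modified, deleted or added since, and singling out modified files whose contents now look like ciphertext (high Shannon entropy). The directory contents, the 7.5-bit entropy threshold and the simulated attack in `simulate()` are all constructed for the example; in practice the manifest would be written to the offline copy or write-once media so the attacker cannot rewrite it along with the backups.

```python
"""Verify backup copies against a manifest taken at backup time.

Added example. The files, the simulated "ransomware" step and the entropy
threshold are constructed here so the script runs stand-alone in a temp dir.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte; plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare the backup directory to the manifest kept out of band."""
    root = Path(root)
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "added": [], "suspect_encrypted": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            # A changed file that is now near-random is the ransomware signature.
            if shannon_entropy((root / rel).read_bytes()) >= entropy_threshold:
                report["suspect_encrypted"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def simulate():
    """Constructed scenario: take a manifest, then tamper with the backup set."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text(
            "INSERT INTO customers VALUES (1, 'alice');\n" * 200)
        (root / "config.ini").write_text("[server]\nport=443\n")
        manifest = build_manifest(root)  # this is what gets stored offline

        # Simulated attack: encrypt one file in place (random bytes stand in
        # for ciphertext), delete another, and drop a ransom note.
        (root / "db" / "customers.sql").write_bytes(os.urandom(8000))
        (root / "config.ini").unlink()
        (root / "README_DECRYPT.txt").write_text("pay us")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, paths in simulate().items():
        print(f"{key}: {paths}")
```

The entropy test is a heuristic: compressed or already-encrypted archives legitimately score near 8 bits per byte, so on a real backup set you would compare against each file's entropy recorded in the manifest rather than a fixed threshold. The part that matters for the argument in the text is where the manifest lives; a manifest the attacker can rewrite proves nothing.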
This security-based approach to IT solutions and process is what allows us to begin to see the whole forest, and it is what I have observed to be missing in many IT solution designs today.
With a more "cyber-attack aware" mindset ingrained in everything we do in IT, CIOs should lead their teams to build and adhere to solutions based on that mindset. Pair that with consumers who are more aware and who look for more secure products and business partners, and we can start to realize a much safer "IT forest" for everybody to compute in and enjoy.