Ignoring basic information security practices can be an organization’s biggest threat
It was recently revealed that Facebook had allowed employees to access hundreds of millions of user passwords in plain text. Even if—as the company claims—this data was never leaked outside of the company, it still represents a severe breach of policy that will likely lead to investigations and fines.
But it raises an important point: Information security challenges are won and lost by fundamentals. However, both the industry itself and the wider population focus almost exclusively on the spectacular incidents. If you want to keep your organization secure, don’t fall into the same trap.
The Allure of the Novel
Ask a member of the general tech-savvy population to describe a specific hacking attack and you are likely to hear about Stuxnet. And why not? It certainly leaves an impression. An unknown government designed malware to jump across devices and platforms to then semi-organically make its way into target SCADA installations and subtly sabotage them. Or you may hear about North Korean cybersquads using zero-day exploits stockpiled by the reclusive country to break into even the most fortified networks despite vigilant defenses.
And to be clear: Those kinds of attacks happen. And they are among the most dangerous things in information security. But they are not the norm.
- Equifax was breached in 2017 because it ignored and didn’t patch publicly known critical vulnerabilities for several months.
- Emails and private data of German politicians were leaked in January 2019 because of weak and re-used passwords.
- During the U.S. presidential election of 2016, the Clinton campaign suffered a critical breach and setback because of a private email server kept in a basement.
- Facebook, a company subject to heavy regulation and with a strong security team, not only stored passwords in plain text but also made them available to employees.
All of the above exemplify that the majority of incidents, minor or critical, happen because absolute baseline information security practices were ignored.
A Real-World Example
When working with large enterprise customers, an extremely common meeting topic is the classification of risk and the establishment of mitigation strategies. For example, should a cross-site scripting vulnerability be considered a medium or high threat? What if it is found in a site that handles financial information? What if it is actively being exploited? And how many days should developers be allowed to take to fix it?
To be sure, asking these questions is important. But it also masks something far less exciting yet much more critical: Most large enterprises don’t even have a comprehensive list of all of their servers. With acquisitions, mergers, shutdowns and transfers, servers and applications are forgotten about all the time. It is not at all unusual for a company to discover that an old application for a since-abandoned product has been quietly running on a forgotten web server for the past seven years without receiving any updates. The problem is so widespread that third-party companies have begun scanning the internet and offering to sell lists of services operated by a company to the company itself.
Of course, this does not invalidate the necessity of adequately classifying vulnerabilities and creating incident response protocols. But if there is no inventory of systems operated—let alone a detailed list of the software stack and versions they are running—then incident response plans can only go so far.
It is exciting to deal with the newest and greatest, to plan scenarios for advanced persistent threats and design defense-in-depth strategies. It is so exciting that InfoSec vendors are happy to sell you training, tools and frameworks to do so. But the greatest risk to your company likely doesn’t come from one of these sources. If actual breaches are anything to go by, the biggest threats are likely the fundamentals: hashing passwords, keeping inventory, applying updates, basic secure coding.
Both as an industry and on an individual level, we can likely improve our preparedness for attacks greatly by diverting at least some of the time and resources we invest in solving exciting new and advanced problems to strengthening the fundamentals.
Or in other words: The most intricate defense of your flagship system is worthless if an out-of-favor application tying into the same backend hasn’t received patches for five years.