Resolutions for a secure new year

Once again, we have been deluged by articles predicting what we should expect in the world of cyber security in 2018. While I don’t intend to demean my fellow authors, I have a strong dislike for such articles. I have found in the past that they are either filled with predictions about trends are already happening, which hardly require any skill to foresee, or wild guesses, which are not much better than the result of rolling a 20-sided dice.

I try to offer an alternative approach this time of year, so, rather than trying to use my weak crystal ball skills to figure out 2018, I have decided to use one of my better abilities, 20/20 hindsight, to examine what we have learned, or should have learned, in 2017, which we can resolve to put into action in 2018.

Resolution 1: it’s the patching, stupid!

Borrowing a popular political expression, one thing we should have learned in 2017 is that we need to work on is our patching efforts, or perhaps the lack thereof. The WannaCry ransomware worm should have focused our attention on the importance of patching, but based on the success of NotPetya, which followed, many did not get the message. Bad Rabbit came next, and still managed to find many unpatched systems. And still, I personally run into many systems that continue to show the same underlying vulnerability.

If that is not convincing enough, you need look no further than Equifax. Their empire was shaken after the loss of data on more than 143 million US consumers, all for the lack of a simple patch.

As I have said before, patching is hard. New patches are released faster than we can keep up with them, and our users get positively grumpy when we take systems down to apply them. That being said, we have no choice. We must resolve to develop a plan, put it in place, and stick with it.

Resolution 2: physician, heal thyself

It is unlikely that any system or network exists without a vulnerability. It is futile, however, to just sit around waiting for some bad actor to find them. Instead, we need to find them ourselves, before we discover that the bad guys found them months ago, and taken up residence in our network.

Self-discovery is often unpleasant, and certainly time consuming, but it beats the alternative. You can accomplish this in a variety of ways, including penetration tests, either using a firm specializing in this service, or your own “red team”, a group of your own people that attempts to breach your defenses, using the same approaches a hacker would. Whichever approach you choose, be aggressive with it. The hackers will not take it easy on you for fear of interrupting your operations, so neither should you.

Resolution 3: make all of your employees part of the security team

The individuals and organizations attempting to penetrate your network usually go after your weakest link, which is often your employees. They frequently do this using social engineering techniques or phishing, which is particularly dangerous. According to Verizon’s 2017 Data Breach Investigations Report, “1 in 14 users were tricked into following a link or opening an attachment — and a quarter of those went on to be duped more than once. Where phishing successfully opened the door, malware was then typically put to work to capture and export data—or take control of systems.” 

The solution is to make all of your employees part of your information security team. You start by establishing a culture of security, ensuring that everyone understands their part in keeping the company safe, and the consequences of not doing so. This is reinforced by an ongoing security training program, and phishing and social engineering tests.

Unfortunately, we humans will likely always be the weakest link in any security design, so any effort to address this weakness will bear fruit.

Resolution 4: seek safety in numbers

I doubt that any hacker achieves significant success alone. They tend to work in groups, or share information with each other. One of the major concerns we face today is state-sponsored security attacks, involving a government generating such attacks.

There is one aspect of their techniques we can learn from — uniting our collective efforts to achieve more than we could individually. We can do this by sharing threat intelligence and participating in groups such as Infragard or an Information Sharing and Analysis Center (ISAC).

I was working with a major hospital system at the time of the WannaCry attack. The ongoing information received by various information security sharing organizations, particularly NH-ISAC, helped my team and I stay ahead of the crisis.

Resolution 5: choose to be an optimist

As I suggested in Don’t let the security hype get you down, it is important to maintain optimism and objectivity when fighting daily against the bad guys. It is easy to get discouraged by all of the bad news, and the hype about it, but if we assume we will lose, that will become a self-fulfilling prophecy. Instead, we need to start every day with a renewed belief that we can win the battle. I am convinced that we can and ultimately will prevail, so I see my daily efforts as not in vain.

Bottom line — I choose to wait and see what 2018 will bring, rather than trying to prognosticate the likely events. Instead, I will focus on learning what I can from industry experiences in 2017, and using that to improve my security performance in 2017. I hope you will join me in this approach.