In a recent article “Who’s to Blame for Ransomware Attacks—Beyond the Attackers?” (SearchSecurity, July 2019, http://bit.ly/38txRda), Kevin McDonald of Avalka Networks discussed the issue of responsibility for the incredible growth of ransomware attacks and suggested that 70–80% of all attacks could be proactively stopped by more timely software patching.
He’s right.
The median period for software patching and updating is measured in years, and throughout that period, enterprises and systems remain vulnerable to a growing cohort of ransomware. Consider the BlueKeep attack threat, a vulnerability that affects Windows XP, Windows Server 2003, Windows Vista, Windows 7, and two variants of Windows Server 2008. In computer terms, these are ancient technologies. (Windows XP was released almost 19 years ago.) The patch for BlueKeep was released in early 2019, but as of this writing, millions of systems remain vulnerable and are being attacked with great frequency.
Where does the blame lie? Clearly the attackers are responsible, as they are the ones using malware to create the ensuing havoc from the attack. They are not the only ones, however; ransomware only works if it’s “invited” in by human action. Furthermore, and in many respects more importantly, IT organizations’ delays in patching and upgrading require them to assume some of the responsibility.
But IT organizations are always compelled, as cost centers, to do more, faster, and with fewer resources. Businesses constantly demand speed and never want to be inconvenienced by service outages, planned or otherwise. This unwillingness to allow for the hardening of infrastructure requires that businesses shoulder part of the blame as well.
Seeing Past the Potemkin Village
There is an analogy to the modus vivendi described above. It is called a “Potemkin village,” a structure built to deceive others into thinking that a situation is better than it really is. The Potemkin village construct feeds into the desire to believe the best about a situation, even if that belief is contrary to the facts.
In contrast to this view stands a frank overview of the cybersecurity and cybercrime landscape at the start of 2020. As reported in the December 3, 2019, Hacker News (http://bit.ly/2sfW7io), below are the top five issues confronting all organizations in 2020, along with this author’s comments.
“Compliance fatigue will spread among security professionals.”
Security professionals are severely overworked and overly blamed for the plethora of cybercrime incidents that occur. They are also challenged by the lack of support from businesses and the unwillingness to provide the time and money needed to address critical issues. These issues too often lead these professionals to depart, leaving critical vulnerabilities unremedied.
“Third-party data breaches will dominate the threat landscape.”
The software cybersecurity firm Symantec has reported that third-party supply chain attacks rose by 78% in 2019, as the outsourced supply chain market rarely has the time, money, or expertise to afford adequate cybersecurity controls on their clients’ data. Worse, according to IBM, the average time to identify a breach in this sector grew to 206 days. As previously noted in this column, the cost of a data breach doubles for every 100 days of dwell-time (the period between the breach and identifying the breach). Thus, the costs in 2019 average four times the initial liability of the breach.
“External attack surface will continue to expand without control.”
“Surface” refers to the “Internet of things” (IoT), which are all of a person or entity’s digital assets, connected devices, cloud-based assets, and the like. The technology media firm IDG reports that 61% of all organizations experienced IoT security incidents in 2018 (Josh Fruhlinger, “Top Cybersecurity Facts, Figures, and Statistics for 2018,” CSO, Oct. 10, 2018, http://bit.ly/2rAs4St), and the continued growth of the surface makes it ever more difficult to control these breaches.
“Cloud misconfigurations will expose billions of records.”
In the installment “Send in the Clouds” (August 2019, http://bit.ly/2XLaCXa), this column discussed the risk of placing critical data on the cloud and the subsequent loss of control of that data. This was underscored by the brutal CapitalOne breach, the largest PCI data breach in history, with more than 106 million records compromised. The fault for this breach lies not just with CapitalOne, but also with an employee of the cloud provider who deliberately compromised the environment and stole the information. That the perpetrator has been arrested and is now awaiting trial is little solace for either CapitalOne or the people whose data was stolen. Worse, errors by customers in provisioning cloud services appear to be a major source of these failures; once again, speed, agility, flexibility, and exhaustion are adding risk.
The outsourced supply chain market rarely has the time, money, or expertise to afford adequate cybersecurity controls on their clients’ data.
“Password re-use and phishing attacks will skyrocket.”
This column has previously discussed password failure and the risk it poses to all enterprises. As employees continue to exhibit poor behavior with regard to password privacy and safety, and as the continued complexities around passwords create an impossible task for anyone without an eidetic memory, the re-use of passwords that have been compromised in one venue will continue. As for phishing, empirical data says that phishing attacks fail only approximately 35% of the time—and that failure rate is not for companies, but employees. In other words, if XYZ Corp. is targeted by a phishing attack, and it has 100 employees, the hacker can expect 65 of them to fall for the phishing email—and a successful attack only requires one. A recent article posted on Microsoft’s website noted that companies that go passwordless enhance security and enjoy up to an 87% cost reduction (Joy Chik, “Go Passwordless to Strengthen Security and Reduce Costs,” Dec. 11, 2019, https://bit.ly/2Mg47al). If one is pass-wordless, it is far more difficult to successfully phish credentials.
The Blame Rises to the Top
Who bears responsibility for all of this? In eWeek’s “Predictions 2020: Will This Be the Year of Cybercrime-as-a-Service?” (Chris Preimesberger, Dec. 2, 2019, http://bit.ly/34bzZmv), Matt Kunkel, CEO of LogicGate, laid responsibility squarely at the feet of CEOs and boards of directors. While Kunkel also said that “cybersecurity ranks as the top concern for 1 in 3 CEOs who are most concerned about operational risk,” this speaks poorly to the other two-thirds of CEOs who do not seem to care. It also suggests that there will be growing instability in the marketplace as companies fail at an increasing rate due to cyberattacks.
Cybercrime and cybersecurity are and will continue to be everyone’s problem. The risks posed to businesses are existential, and it is time to think differently about cybersecurity and stop the runaway growth of cybercrime.