By Destiny Bertucci, SolarWinds Head Geek™
There’s one thing that the most high-profile security breaches have had in common: they were preventable. Yet, even in the face of increased incidents, most organizations are still in reaction mode when it comes to information security. And, they are often making the same three surprising mistakes — surprising because they involve foundational parts of an enterprise security plan. I’m talking about the fundamental processes of documenting, patching and investing in technology redundancy.
Bolstering the foundation: documentation
Being proactive about an information security strategy starts with documenting the processes that dictate patching policies. This is a basic, foundational step in IT — and skipping documentation is a basic mistake. After all, just pulling one block from a foundation could make it fall.
Documentation provides a chain of command, enables enforcement, and helps verify whether updates were made or not. Putting processes and policies on record takes testing, implementing, verifying, and recovery planning. Such work must get granular to be effective, so it’s often considered tedious, and that’s why the practice can be overlooked. On the other hand, backtracking and mitigating a breach takes a lot more time and effort.
Staying up-to-date: patching
Making the updates that the documentation dictates is frequently viewed by the business as downtime. Ironically, omitting those updates is exactly what causes downtime and worse: customer loss, financial cost, and brand reputation damage.
Take WannaCry. Microsoft® discovered a vulnerability and issued a patch in March. News of the ransomware surfaced in April, and it took down organizations in May. A simple patching policy would have prevented the attack.
The same can be said for Equifax® — a breach resulting in the perpetual exposure of personal data, and one that may eventually cost billions of dollars. We’ll see the impact for so many years to come that later incidents will probably be blamed on something else.
Remember, when mass updates are issued, those with malicious intent find out as well. Cybercriminals get to work knowing that many enterprises make the mistake of not patching.
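The documentation and patching sections above amount to a policy with deadlines and a check that those deadlines were met. The following added example (not SolarWinds code) encodes a constructed patch policy as data and runs a compliance check over a constructed host inventory; the policy limits, host names, and patch identifiers are all assumed placeholders.

```python
"""Patch-policy compliance check (added example; not from the article or SolarWinds).

POLICY_MAX_DAYS is a constructed stand-in for the documented patching policy:
for each severity, the maximum number of days allowed between a vendor releasing
a fix and that fix being deployed. MISSING_PATCHES is a constructed inventory of
hosts and the fixes not yet applied on each.
"""
from datetime import date

# Documented policy (constructed): max days from vendor release to deployment, by severity.
POLICY_MAX_DAYS = {"critical": 14, "high": 30, "moderate": 90}

# Constructed inventory: host -> [(patch id, severity, vendor release date), ...] still missing.
MISSING_PATCHES = {
    "web-01": [("KB-EXAMPLE-1", "critical", date(2017, 3, 14))],
    "db-01": [("KB-EXAMPLE-2", "high", date(2017, 5, 1)),
              ("KB-EXAMPLE-3", "low", date(2017, 1, 2))],   # severity not in policy
    "app-01": [],
}

# Assumed date the check is run (constructed to match the article's spring-2017 timeline).
AS_OF = date(2017, 5, 12)


def overdue_patches(missing, policy, today):
    """Return {host: [(patch_id, severity, days_past_deadline)]} for every fix
    whose age exceeds the policy limit for its severity."""
    findings = {}
    for host, patches in missing.items():
        for patch_id, severity, released in patches:
            limit = policy.get(severity)
            if limit is None:
                continue  # severity not covered by the documented policy; see uncovered_severities()
            age_days = (today - released).days
            if age_days > limit:
                findings.setdefault(host, []).append((patch_id, severity, age_days - limit))
    return findings


def uncovered_severities(missing, policy):
    """Severities present in the inventory but absent from the policy: a documentation gap."""
    return sorted({sev for patches in missing.values() for _, sev, _ in patches} - set(policy))


def compliance_report(missing, policy, today):
    """One human-readable line per host, plus one line per policy gap."""
    findings = overdue_patches(missing, policy, today)
    lines = []
    for host in sorted(missing):
        if host in findings:
            for patch_id, sev, over in findings[host]:
                lines.append(f"{host}: {patch_id} ({sev}) is {over} days past the {policy[sev]}-day deadline")
        else:
            lines.append(f"{host}: compliant")
    for sev in uncovered_severities(missing, policy):
        lines.append(f"policy gap: no deadline documented for severity '{sev}'")
    return lines
```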
Security is a business issue: investment
One big obstacle to patching is that when IT says “updates,” the business often hears “downtime,” and foregoes patching in favor of 24/7 availability and uptime. IT must demonstrate how updates and uptime do not have to be mutually exclusive if the right systems are in place.
Since budget decisions that impact IT are made across functions, and because success depends on data integrity, security is clearly a business issue, and therefore the C-level must become more vested in matters of information security. Looking forward into the new year, it’s likely that the steady proliferation of endpoints and more sophisticated cybercriminals will make hiring and managing security professionals more important than ever. IT can help by quantifying what a breach might look like long-term versus a short-term investment in technology. Those at the C-level who are pressuring IT likely don’t realize they are breaking optimal security policy and, in fact, hurting the business.
They are doing so because they falsely believe patching disrupts continuity. Still, when there’s a breach, executive leadership would (rightfully so) be the first to ask: why weren’t we up to date? Or if current fixes don’t work on legacy technology: why weren’t we upgraded?
The reality is, IT focuses on availability as much as the business does, but is hindered by mistake No. 3 — a lack of budget investment by the business to ensure a secure, ever-on environment. Funding instead tends to go toward customer-facing projects in marketing, for example, where ROI is more quickly measurable. An immediate capital expense is dwarfed by the long-term cost of a breach and the harm to customers, though.
So, to achieve simultaneous updates and uptime, the business has to understand the necessity of duplicate infrastructure for critical applications. With one system on standby and one active, updates can be applied and tested on the standby, and the updated applications then switched over without interruption. The result is 24/7 availability AND security.
Planned maintenance and uptime can coexist, with no service going offline, but this type of continuity requires capital investment in technology.
Preparation equals prevention
If the steps of documentation, patching, and redundancy seem obvious and simple, that’s because they are and should be the fabric of IT. Nevertheless, I’m continually dumbfounded by the number of organizations that bypass documentation, ignore patching, and don’t upgrade — especially when there is software available to automate patching and reporting and minimize service interruptions.
Given that breaches became almost commonplace in 2017, I expect the need for robust security tools to rise exponentially in 2018. Consider leveraging a comprehensive monitoring toolset that can outline a baseline of performance across systems, networks, and especially databases, which are particularly vulnerable to attacks.
Oddly enough, the rise in breaches is compounding the indifference around information security. Instead of raising the volume on better security practices, the regularity of incidents is turning them into noise. For everyday people, there’s a level of acceptance now, and the Band-Aid® of replacing credit cards, for example, is more of an inconvenience than a threat.
Now, we’re also seeing similar resignation bleeding into enterprises, as potential losses are accounted for in the annualized loss expectancy. The cost of a breach, however, far outweighs that standard number.
Plus, we are now entering a realm where those subjected to breaches will be considered criminals as well: the recently introduced Data Security and Breach Notification Act would require companies to report data breaches within 30 days. Anyone knowingly concealing an incident could be fined or go to prison.
The good news is, breaches at a large scale are preventable, but it takes collaboration. IT must ensure the foundation is strong and current, but that can only be achieved with executive support. The bottom line is: if you value your customers and your business, then you will value security.
About the Author
Destiny Bertucci is a Head Geek at SolarWinds® and a Cisco Certified Network Associate (CCNA), Master CIW Designer, and INFOSEC, MCITP SQL, and SolarWinds Certified Professional®. In her 15 years as a network manager, she has worked in healthcare and application engineering and was a SolarWinds Senior Application Engineer for over nine years. She started her networking career in 2001 by earning CCNA/Security+ certification and launching a networking consultant business.
After using SolarWinds tools for many years, she joined the company and continued earning certifications and degrees to expand her professional reach into database development and INFOSEC. Customizing SolarWinds products while working on setups and performance deepened her knowledge of the complete SolarWinds product line. She is now skilled and experienced in network, security, application, server, virtualization, and database management. https://www.solarwinds.com/