The challenges are greater than ever. But security pros have learned a lot – and with luck, the right strategic defenses can help even the highest-value targets withstand severe attacks.
Marc Andreessen had it right – software has eaten the world. As a result, the world can be hacked.
Just look at the past few months. The SolarWinds caper – the “largest and most sophisticated attack the world has ever seen” according to Microsoft president Brad Smith – gave its Russian perps months of free reign across untold US government agencies and private companies. But stupid also works: Last month in Florida, a water treatment plant’s cybersecurity was so lax, anyone could have been behind a clumsy attempt to poison the local water supply. Meanwhile, miscreants bearing ransomware have made hospitals their favorite target; in October 2020, six US hospitals fell prey within 24 hours.
Cybersecurity wins the award for Most Dismal Science. But if suffering attacks now amounts to a cost of doing business, then the time-honored approach of prioritizing risk and limiting damage when breaches occur still offers reason for hope. This collection of articles from CSO, Computerworld, CIO, InfoWorld, and Network World delivers specific guidance on best security practices across the enterprise, from the C-suite to developer laptops.
Writing for CSO, contributor Stacey Collette addresses the age-old question of how to focus upper management’s attention on security in “4 ways to keep the cybersecurity conversation going after the crisis has passed.” The thesis is that five-alarm debacles like the SolarWinds attack can serve as useful wakeup calls. Collette suggests seizing the moment to convince the board to match the company business model with an appropriate risk mitigation framework – and to use information sharing and analysis centers to exchange information on industry-specific threats and defensive measures.
CIO’s contribution, “Mitigating the hidden risks of digital transformation” by Bob Violino, surfaces a problem hiding in plain sight: Digital innovation almost always increases risk. Everyone understands the transformative power of the cloud, for example, but each IaaS or SaaS provider seems to have a different security model, raising the odds of calamitous misconfiguration. Likewise, digital integration with partners promises all kinds of new efficiencies – and by definition heightens third-party risk. And does it even need to be said that launching an internet of things initiative will vastly expand your attack surface area?
A second story written by Violino, this one for Computerworld, explores the cybersecurity obsession of our era: “WFH security lessons from the pandemic.” Some of the article covers familiar ground, such as ensuring effective endpoint protection and multifactor authentication for remote workers. But Violino also highlights more advanced solutions, such as cloud desktops and zero-trust network access. He warns that a new wave of preparation will be required for hybrid work scenarios, in which employees alternate between office and home to ensure social distancing at work. The pandemic has proven that remote work at scale is viable – but new solutions, such as pervasive data defense and response platforms, will be necessary to secure our new perimeterless world.
That goes for companies with many distributed offices as well. As contributor Maria Korlov reports in the Network World article “WAN challenges steer Sixt to cloud-native SASE deployment, adoption is accelerating for secure access service edge (SASE), an architecture that combines SD-WAN with various security measures, from encryption to zero trust authentication. According to Korlov, for the rental car company Sixt, the result was “a 15% to 20% reduction in costs for network maintenance, security, and capacity planning.” At Sixt’s 80 branch offices, downtime purportedly averages a tenth of what it used to be.
In “6 security risks in software development and how to address them,” InfoWorld contributing editor Isaac Sacolick reminds us that modern cybersecurity means secure code, too. An ESG survey cited in the article reveals that nearly half of respondents admitted they release vulnerable code into production on a regular basis. Thanks to Sacolick’s hands-on experience with development teams, he’s able to offer a trove of practical remediations for developer managers to embrace, from explicitly documenting code security acceptance criteria to ensuring version control repositories are fully locked down.
The SolarWinds fiasco has proven that enforcing such policies is no longer optional. Coverage of the attack has focused on the backdoor that Russian hackers inserted in SolarWinds’ Orion products, instantly compromising customers who installed the software. Less attention has been paid to the custom malware the hackers created to slip into SolarWinds development process undetected and implant that backdoor. Can any software development shop say with confidence that it can withstand such a sophisticated, concerted effort?
Software firms are asking themselves that question right now – while at the same time governments and private enterprises seen as high-value targets are furiously vetting their operations to see if they’ve fallen victim to other compromised code. True, this is merely the latest battlefront against a global horde of cybercriminals, from script kiddies to malicious hackers to state-sponsored masterminds. But no one can accept anything other than the strongest defenses affordable in a war without end.
This article originally appeared on CSO Online.