Marc Andreessen was right – software has eaten the world. As a result, the world can be hacked.
Just look at the past few months. The SolarWinds attack – according to Microsoft President Brad Smith the “biggest and most sophisticated attack the world has ever seen” – gave its Russian perpetrators a free hand inside countless US government agencies and private companies for months. But stupid also works: Last month, the cybersecurity of a water treatment plant in Florida was so weak that almost anyone could have been behind a clumsy attempt to poison the local water supply. Meanwhile, ransomware operators have made hospitals their preferred target. In October 2020, six US hospitals were hit in a single 24-hour period.
Cybersecurity has earned the title of the dismal science. But if suffering attacks is now simply a cost of doing business, then the long-established approach of prioritizing risk and limiting the damage from a breach still offers hope. This collection of articles from CSO, Computerworld, CIO, InfoWorld, and Network World provides specific guidance on security best practices across the enterprise, from the C-suite to developer laptops.
Stacey Collette, a writer for CSO, explores the age-old question of how to get top management’s attention for security in “4 Ways to Keep the Post-Crisis Conversation Running”. Her thesis is that five-alarm debacles like the SolarWinds attack can serve as useful wake-up calls. Collette suggests seizing the moment to convince the board of directors to align the company’s business model with an appropriate risk-mitigation framework – and to use information sharing and analysis centers (ISACs) to exchange information on industry-specific threats and countermeasures.
The CIO contribution “Mitigation of the hidden risks of digital transformation” by Bob Violino reveals an uncomfortable truth: Digital innovation almost always increases risk. Everyone understands the transformative power of the cloud, for example, but every IaaS or SaaS provider seems to have a different security model, which increases the likelihood of catastrophic misconfigurations. Digital integration with partners also promises all kinds of new efficiency gains – and by definition increases third-party risk. And does it even need to be said that launching an Internet of Things initiative will significantly expand your attack surface?
A second story by Violino, this one for Computerworld, explores the cybersecurity obsession of our time: “WFH security lessons from the pandemic”. Part of the article covers familiar topics such as ensuring effective endpoint protection and multifactor authentication for remote workers. But Violino also highlights more advanced solutions, such as cloud desktops and zero trust network access. He warns that a new wave of preparation will be required for hybrid work scenarios, in which employees alternate between office and home to maintain social distancing in the workplace. The pandemic has proven that remote work is feasible at scale – but new solutions, such as pervasive data defense and response platforms, will be necessary to secure our new perimeterless world.
This also applies to companies with many branch offices. As contributor Maria Korlov reports in the Network World article “WAN challenges lead Sixt to cloud-native SASE provision”, adoption of Secure Access Service Edge (SASE) is accelerating; SASE is an architecture that combines SD-WAN with a range of security functions, from encryption to zero trust authentication. For the car rental company Sixt, according to Korlov, the result was “a reduction in the costs for network maintenance, security and capacity planning by 15 to 20%”. Across Sixt’s 80 branches, downtime is expected to average a tenth of its previous level.
In “6 Security Risks in Software Development and How to Counter Them”, InfoWorld contributing editor Isaac Sacolick reminds us that modern cybersecurity also means secure code. An ESG survey cited in the article shows that almost half of respondents admitted that they regularly release vulnerable code into production. Thanks to his practical experience with development teams, Sacolick is able to offer development managers a plethora of practical remedies, from explicitly documenting acceptance criteria for code security to ensuring that version control repositories are fully locked down.
The SolarWinds fiasco demonstrated that enforcing such policies is no longer optional. Reporting on the attack has focused on the backdoor that Russian hackers built into SolarWinds’ Orion products, immediately putting customers who installed the software at risk. Less attention has been paid to the custom malware the hackers created to infiltrate the SolarWinds development process unnoticed and implant that backdoor. Can any software development company say with confidence that it could withstand such an elaborate, concerted effort?
This is the question software companies are asking themselves right now, while governments and private companies that see themselves as high-value targets furiously review their operations to determine whether they have fallen victim to any other compromised code. True, this is just the latest battle against a global horde of cyber criminals, from script kiddies to malicious hackers to state-sponsored masterminds. But no one can settle for anything less than the strongest defense they can afford in a war without end.
Copyright © 2021 IDG Communications, Inc.