In a year when bad news, pandemics, tragedy, and unrest have to compete for headlines, cyber security still managed to make a huge splash in an all-too-common and unfortunate way.
By now, unless you pay no attention whatsoever to information security, data privacy, and security breaches, you have heard something about the SolarWinds hack (SolarWinds site, last updated December 31st at 11:30am CST), and the codenames for the hacks, “SUNBURST” and “SUPERNOVA”. This article will not redundantly cover the breaking news of this event, nor pretend to know enough about root cause or potential total effects, which will take years to begin to fully understand. The sad truth about the state of information security in the interconnected world is that there is absolutely no way we will ever know everything about this hack, all of the organizations and agencies affected, or the total data that was stolen, manipulated, or injected.
For too long, businesses have held an inappropriately rosy view of the state of information security and the safety of their use of public networks, third parties both on-shore and off-shore, and their massive exposure to supply chain hacks. The trend to outsource as much as possible to vendors, cloud providers, and specialty technology companies has set us up for an exposure of this type, as there are just too many threats to keep an eye on. Regardless of the size, talent, and budget of an organization’s, or even a government’s, information security department, it is impossible to watch the sheer number of threat vectors to a modern internet-connected infrastructure.
Not to be outdone, the only view more inappropriately rosy of the state of information security is that of the consumer. The public goes about their business, be it social media or banking, on devices that are difficult to secure and with a focus on things that are far from information security. Only an active and interested user has a chance of keeping their data secure and their privacy uninvaded. However, the consumer’s reliance on the supply chain, vendors, and convenience features almost assures that the consumer is only secure by luck, not design.
The same need for convenience may lead to the integration of hacked software components into commercial products. Software development in a sales-focused, revenue-driven, stock market valuation-aware world may not take advantage of every available information security precaution. There are many potential vectors for malware to get into a code base. When developers use their development credential accounts to conduct regular business activities such as reading email or, even worse, internet browsing or social media posting, the machines they are working on, the code and data repositories they are working on or connected to, and the networks and cloud environments they are authenticated to can potentially become infected. Sandboxing of the virtual machine being used for development, the credential/user account utilized for development, and the network or server environment is a powerful and simple technique for preventing infection or truncating the effects of a hack. However, these techniques take time and effort, and are incredibly subject to momentary lapses of compliance even if they are generally used. Impeccable computing hygiene and perfect repulsion of phishing and spear phishing may have helped in this and similar hacking events. However, it is human nature to follow controls and policies less often over time as fatigue and laziness set in. Breaking the rules just once for the sake of convenience, or because it’s 5:45pm on a Friday, can lead to a severe security incident. A momentary lapse of critical thinking or absolutely-necessary paranoia may lead to an information security incident or data breach.
If this year has taught us anything, and if we are willing to listen, it should be that our organization, our health and habits, our computing infrastructure, and potentially our country should take a closer look at how well we protect ourselves, how often we give in to convenience and fun over security, and how massive the implications or results of that lapse might be. Take a moment for reflection this New Year’s Eve and Day and consider which has a longer lasting beneficial effect: hard work and protection, or convenience in the moment and the short-term happiness from a social media posting, clicking on a suspicious email link because it looks funny or promises too much, or going out to a bar in the middle of a pandemic.