Hanlon's Razor says, "Never attribute to malice that which is adequately explained by stupidity." In the wake of the Equifax data breach, 145.5 million Americans – and an unknown number of Canadians and Brits – must be wondering whether it's possible to fix stupid.
They, and the customers affected by the many other data breaches we've heard about this year (including the recent Deloitte breach), have been victimized not so much by bad guys, but by stupid, or at least sloppy, IT practices. Yes, the crooks cheerfully took advantage of those practices to steal data, but the real culprits are the folks who allowed vulnerable systems to remain in production.
I used to be an IT person. I know the pressures they're under, and the battles they face with management that doesn't comprehend the issues, and with technical roadblocks such as obsolete but mission-critical software with its own weird requirements. But there is no excuse for some of the silliness that has compromised the identities and financial security of millions.
If even the most junior IT person doesn't understand the need to take basic security precautions, his or her training is lacking. You don't walk out of your home without locking the door behind you. You don't leave your car unlocked, or "hide" a key in an obvious spot, at least in the city. You don't put your wallet down in a public place (or, sadly, in the office), and expect it to still be there a few hours later. It's common sense. So why should IT resources be left wide open? In today's environment, it makes no sense.
Consider these scenarios involved in recent data breaches. The person who thought that a user name of "admin" for a server's administrator account, with a password of "admin", was a good idea was either lazy or seriously lacking in common sense. The fact that his or her supervisor, who, one would think, was also privy to the information, let it go without question raises serious doubts about the organization as a whole. How on earth can a company whose business relies on data permit such casual security practices when it comes to its lifeblood?
Deloitte was compromised through an email server whose administrative account, though it may have had an adequate password, did not have the added protection of two-factor authentication (2FA). 2FA, which provides an additional level of security, is pretty much mandatory for critical systems. It relies on multiple authentication factors:
- Something you know – usually a password or PIN
- Something you have – perhaps a fob, or a phone
- Something you are – a fingerprint or a retina or iris print
Usually we rely on two out of the three, hence 2FA.
Consumers use 2FA on Twitter and Gmail and their Microsoft and Apple systems, and others. Enterprises for years used (and some still use) token-based 2FA; employees carry small devices that generate one-time codes. Today's 2FA sends those codes to users' cell phones. While it's not an absolute hack preventative (nothing is foolproof), 2FA makes it much harder for crooks to break into an organization. Even if they manage to phish a password, it's unlikely they will gain access to the second factor.
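To make the point about a phished password concrete, here is an added example (not from the original article) of a login check that requires both a password and a one-time code. It assumes the token follows the standard TOTP scheme (RFC 6238); the account record, password and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the common TOTP default

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP keyed on the current 30-second time step."""
    return hotp(secret, int(now) // STEP)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, secret: bytes) -> dict:
    """Constructed account record; a real system keeps this server-side."""
    salt = b"constructed-salt"
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": secret, "last_counter": -1}

def login(account: dict, password: str, code: str, now: float, drift: int = 1) -> bool:
    """Require both factors; tolerate +/- drift steps; refuse replayed codes."""
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    current = int(now) // STEP
    matched = None
    for counter in range(max(0, current - drift), current + drift + 1):
        expected = hotp(account["totp_secret"], counter)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = counter
    if not pw_ok or matched is None or matched <= account["last_counter"]:
        return False
    account["last_counter"] = matched  # burn the code so it cannot be reused
    return True

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and a made-up password.
    acct = make_account("S3parate-Long-Passphrase", b"12345678901234567890")
    print(login(acct, "S3parate-Long-Passphrase", "000000", now=59))  # password only
    print(login(acct, "S3parate-Long-Passphrase", totp(acct["totp_secret"], 59), now=59))
```

The `last_counter` check matters as much as the code comparison: without it, a code captured alongside the password could be replayed until its time window closes.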
Then there's the age-old issue of patching. Experts have determined that a major factor in the Equifax breach was a recently-discovered software flaw for which there was an unapplied patch. The circumstances aren't clear – and we may never find out all of the details, despite Equifax's former CEO trying to throw an unnamed IT pro under the bus – but Equifax has said that it attempted to patch systems, but not all fixes succeeded. When they discovered the failures is unknown, and it may even have been during the breach.
Admittedly, not all flaws can be easily and quickly patched. After the retirement of Internet Explorer 6, which was fraught with problems, for example, many companies continued to use the software because their developers had written mission-critical programs that depended on it. Updating to more secure software meant application rewrites, which in turn meant trying to scare up the resources to do so.
Some operating system patches also break application software; the Windows 10 Anniversary Update, for example, caused many programs that needed USB functionality to stop working. That's why it's important to test patches and updates before wide deployment – but it shouldn't take months, as it often does. Putting patching at the bottom of the task queue qualifies – yes – as stupid. And management that refuses to allow reprioritization of outstanding tasks to allow for timely patching is shooting itself in the foot.
Another indication of, if not stupidity, at least a lack of expertise and/or poor training has shown up in recent point-of-sale (PoS) breaches. Point-of-sale systems have been targets of hackers because they're such attractive, lucrative, and, sadly, not terribly well secured systems. Data Breach Today noted, "The payment card data breach epidemic is being compounded by too many organizations failing to prepare for breaches by segmenting their networks, ensuring that POS devices do not have default settings, or putting in place proper detection and response capabilities, according to Verizon's 2017 Data Breach Investigations Report."
Whole Foods, at least, had things partly right. Although its taproom and restaurant PoS system was breached, compromising an unknown number of payment cards, the attacker was apparently unable to get into its main network or its retail systems, suggesting that the network was properly segmented.
Fast food chain Sonic has also been hit; its investigation is still in early stages, and it still doesn't know the extent of the damage, or how the attackers got in.
The breaches continue, and one thing is sure. Whatever we call it – carelessness, poor planning, lack of knowledge or skills, or even just plain stupid – it needs fixing. Companies need to put security at the top of their to-do lists, making sure that their staff are properly trained, and their systems and infrastructure are properly configured and secured. IT staff themselves aren't stupid, but often the procedures and practices they're forced to adhere to are.
Let's fix that.