As the clock struck midnight on 1 January 2018, the massiveEquifax breach, disclosed just a few weeks prior, was still weighing heavily on the minds of those in the information security profession. Sure, we’d seen breaches of gargantuan scale before, and we all knew that Equifax surely wouldn’t be the last, but something felt different this time.
The scale, combined with the fact that a non-trivial percentage of the millions of people caught up in the breach had little to know exposure to Equifax, and the level of detail the company stored about them, placed the credit reporting industry under levels of scrutiny that it had never experienced before.
There was shock, outrage, frustration and an overwhelming sense that corporations that handle our personal information need to truly be held accountable. Perhaps Equifax was the straw that broke the camel’s back, and inspired the change we all deserve? Some even opined that it might be the end for Equifax as an organisation altogether how couldit survive this disaster?
Yet here we are, 12 months later, and Equifax is still standing. There have been a few slaps on the wrists,from various public bodies, along the way. There have been fines, brought by private lawsuits and hamstrung government departments, but Equifax has survived, and has never looked like being brought down by a breach that was so poorly handled, and would have been so easy to prevent. The news cycle changed, and the world moved on to the next major breach. The accountability we all craved was found lacking.One thing that happened in 2018 that was not predicted
As 2018 rolled on, there were some positive signs that things were changing in this regard. One such example was in the US state of California, where, in direct response to the 2016Mirai botnet incident, in which thousands of devices making up the internet of things (IoT) were used to disrupt a non-trivial chunk of the internet, the state adopted new legislation. The Information Privacy: Connected Devices bill (otherwise known as Senate Bill 327 ) contained something that is often found lacking in cyber security legislation specific actions to be taken to improve the standard of information security. This was something many had hoped would happen, but few predicted they see so quickly; legislation moving in lockstep with current technology imagine that.
The bill lists a series of requirements for IoT device manufacturers, most notably the banning of hardcoded default credentials, the entry vector leveraged by Mirai and other IoT malware variants. It’s an extremely basic step, but one that required the passing of specific legislation to address. Although this law was passed in California, it’ll hopefully have a positive impact globally, as device manufacturers design their offerings around the new requirements.
You’d think that something as simple as a default password on a device would be a no-brainer, but clearly, given the need for such specific legislation, it’s not. You might also think the timely application of a patch to address a known software vulnerability on an exposed web server is a no-brainer too, but as Equifax showed us, it’s not. Which brings us to 2019.One thing that should happen in 2019, but probably will not
Next year, the cyber security industry will continue to pump out new offerings that use advanced technologies in the name of breach prevention. Solutions using machine learning , artificial intelligence (AI), anomaly detection and, dare I say it, blockchain (ugh, now I feel dirty) will all feature at trade shows and on airport billboards around the world. Companies will purchase these solutions, and will partially deploy them before getting bored, limited by cost or other business pressures, instead of doing something that would have a much more profound impact on security, such as getting back to basics.
This includes taking the time to rediscover your assets and data stores, deploying strong authentication, taking the time look at built-in settings in the operating systems and software you already have and hardening them, encrypting data, and patching promptly.
These are all things that should be top of mind in 2019, but won’t be. Instead, the buzzwords, graphical UI’s and overhyped marketing of the industry will serve to distract and confuse. Asset management isn’t sexy. Patching is boring. But, if we really want to stem the tide of significant incidents and breaches, then this back-to-basics approach is the right way to go. Let’s make 2019 the most boring year ever!
CW Security Think Tank contributors’ wish list for 2019 Prioritise multifactor authentication in 2019 .