Maksim Kabakou - Fotolia
Security Think Tank: The more you buy, the less you protect
The most important lesson learned this year is that the more controls you have in place, the less secure you become, argues 2-sec’s Tim Holman
The most important lesson learned in 2022 is that the more security controls an organisation has in place, the less secure it is. The layered approach to security is broken!
“That’s not very festive!” I hear you say, but delving a little deeper, the point is that security layers are often not applied correctly and, more often than not, are applied to protect underlying layers that are already broken, unbeknown to the new layers.
“That’s zero trust!” I hear you say – something that was second nature when I started securing things back in the 1990s.
But if the fundamentals and basics (yup, the same word twice) are not applied properly in the first place, then even the latest Crowdtrace and Darkstrike technology won’t help, as even that is built (mostly) on the concept of being installed from a clean, green starting point.
Not that magic wonders don’t have their benefits, but that’s a huge price to pay when you could be investing money in time and people to secure the basics, and do this well.
As for lessons learned, let’s look at the huge security breaches that have cropped up in the media of late.
Uber was allegedly hacked through social engineering and compromise of a Slack account.
TAP Air Portugal was an alleged target of ransomware. But this time, the perpetrators claimed to have stolen 58GB of sensitive data, as well as probably asking for a ransom to get it back, and/or to provide the decryption key.
Who knows, but it sounds like the ransom wasn’t paid, otherwise the data wouldn’t have been leaked. That is not to say criminals received a ransom payment and just released the data anyway. We don’t know. But we do know how most ransomware gets onto systems – and that’s through phishing.
Even the best security controls in the world don’t protect against human error, negligence or just plain laziness. But that’s not a lesson from 2022, that’s a lesson from 1992, when I needed the root password for the university’s Unix systems to install an XPilot server.
Recommendations? Start peeling back those layers, don’t blindly trust the work of past employees or contractors. Ask yourself why they left, or were asked to leave.
Start rebuilding security from the ground up, which will implicitly address the zero-trust issues that suppliers are jumping all over at the moment, and get it sorted.
Need help? Join a non-profit (like the ISSA) and start thrashing out these challenges with your industry peers. This will give you the knowledge and confidence to ask your senior managers or board directors for the funds and support you need to become an effective security leader.