According to Colonial Pipeline CEO Tim Felt, paying ransom for the return of his company’s data was the hardest thing he had to do. However, the ransom represented less than two days of revenue, based on $1.3B generated by Colonial Pipeline in 2020.
Unmanaged System Leaves Colonial Exposed
The source of the breach was a virtual private network (VPN) account for a system that was supposedly no longer in use. Unfortunately, the VPN was still connected to Colonial Pipeline’s environment. It also seems that the password for the VPN was reused in other systems, which may have led to the breach. There are questions about how the password was obtained, as it wasn’t found in any leaked password dumps.
What we don’t know is if the VPN system logged and sent the activity to a SIEM. If there’s no logging and monitoring, the breach might be a case of a brute force attack.
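The point about logging and monitoring VPN activity, as an added example that is not part of the original article: a short review pass over VPN authentication logs that flags successful logins on accounts no longer marked active, and successes that follow a burst of failures. The log format, the account inventory, and the thresholds are assumptions, and the sample data is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory and log lines (hypothetical format, not from the incident).
ACCOUNTS = {"alice": "active", "bob": "active", "svc-legacy": "decommissioned"}
LOG = """\
2024-01-15T02:10:00Z vpn-auth user=bob src=203.0.113.7 result=fail
2024-01-15T02:10:20Z vpn-auth user=bob src=203.0.113.7 result=fail
2024-01-15T02:10:40Z vpn-auth user=bob src=203.0.113.7 result=fail
2024-01-15T02:11:00Z vpn-auth user=bob src=203.0.113.7 result=success
2024-01-15T08:00:00Z vpn-auth user=alice src=198.51.100.4 result=fail
2024-01-15T08:00:30Z vpn-auth user=alice src=198.51.100.4 result=success
2024-01-15T09:15:00Z vpn-auth user=svc-legacy src=203.0.113.9 result=success
"""
LINE = re.compile(r"^(\S+) vpn-auth user=(\S+) src=(\S+) result=(fail|success)$")

def review_vpn_log(log, accounts, max_fails=3, window=timedelta(minutes=10)):
    """Return (user, src, reason) findings for successful VPN logins worth a look."""
    fails = defaultdict(list)   # user -> timestamps of failed attempts since last success
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue            # skip lines that are not in the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, src, result = m.group(2), m.group(3), m.group(4)
        if result == "fail":
            fails[user].append(ts)
            continue
        # Successful login: the account should exist and be in active use.
        if accounts.get(user) != "active":
            findings.append((user, src, "login on account not in active use"))
        # Successful login preceded by a burst of failures inside the window.
        recent = [t for t in fails[user] if ts - t <= window]
        if len(recent) >= max_fails:
            findings.append((user, src, "success after repeated failures"))
        fails[user].clear()
    return findings

if __name__ == "__main__":
    for finding in review_vpn_log(LOG, ACCOUNTS):
        print(finding)
```

The first check only works if the account inventory is kept current, which is the gap the unused VPN account illustrates.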
Not long after the attack, Mr. Felt quickly asked for government support to protect critical infrastructure from the criminals launching ransomware attacks. While this is a reasonable request, it’s unreasonable to expect any government to efficiently police the Internet, or at least an open Internet.
Software Providers Play a Critical Role in Cybersecurity
Businesses and individuals must take responsibility for their digital security. That being said, solution providers (like CYDEF) can (and must) simplify the process.
Let’s take the automotive industry as an example. Cars were introduced as a new and novel way to move people from point A to point B. In the early days, little thought was given to driver and passenger safety. As the automobile became more popular and accessible, accidents increased in frequency. In response, carmakers started adding options like windscreens, bumpers, better brakes, better tires, seatbelts, crumple zones, airbags, and the list goes on and on. When shopping for a car today, we barely need to think about our safety; the technology is built into the vehicle. Most of the safety features are no longer options.
Why Aren’t We Doing This With Information Technology?
The Encyclopedia Britannica defines an information system as an integrated set of components for collecting, storing, and processing data and for providing information, knowledge, and digital products.
Yet we commonly think of IT as part of the vertical it serves: financial services, manufacturing, retail, and telecommunications. This implies that IT services, capabilities and architectures differ drastically from one vertical to the next. Based on the Encyclopedia Britannica definition, I would argue that IT is a vertical unto itself.
Every Business Requires Cybersecurity – Regardless of Vertical
Aren’t there important differences between a bank’s information system and a manufacturing plant?
Yes, absolutely. While the components may be different, we can agree that “collecting, storing and processing data” should be done securely. When that’s the case, cybersecurity settings should not be optional or conditional, but standard.
For instance, the following settings would increase the cybersecurity of any enterprise if set automatically to ‘on’:
- Disk encryption: ON
- Database encryption: ON
- Network protocols: Encrypted-Only
- Authentication: 2FA (min)
Many ransomware attacks start with a phishing campaign to compromise accounts. Using two-factor authentication would reduce the success rate of this part of the attack. Additionally, encryption can make data theft more difficult, as criminals need to find an account with access to decrypt the contents. While this assumes that these measures are implemented correctly, it is a path of continuous improvement that we must take.
Creating a Use-Case for Software/Solutions Providers
While I’m over-simplifying for the sake of building my argument, the case for creating standard security settings is obvious.
Now the question is: how do we get vendors on board?
One option could, indeed, involve the government. By mandating a minimum level of security for any device or software with the capability to connect to a network, governments can influence the out-of-the-box cybersecurity settings offered by solutions providers.
Another option, perhaps the option that would cause more friction, requires corporate acknowledgment of the risk presented by their products and services. According to technology analysts at Canalys, companies like Microsoft, Google, and Amazon account for 58% of the worldwide cloud infrastructure spend. With that level of commitment, these companies contribute to significant business operations around the world. In that respect, they should be obliged to support the security of their clients, especially when cyberattacks cost businesses $1 trillion in 2020. As a result, there’s a significant goodwill opportunity for these vendors to increase the minimum baseline security settings at very little cost.
Bringing Offline Cybersecurity into the Mix
While I’m postulating on the possibilities of cloud-based solutions, the same approach can be applied to on-premise information systems.
For instance, Microsoft could revolutionize their user devices and servers with new OS versions configured with the same security defaults as their cloud-based solutions. Google could offer improved, security-focused OSes. Certifications can be designed for the Internet of Things (IoT) to provide secure user experiences. We can eliminate unprotected surveillance cameras, forgotten default passwords in routers, and similar security mishaps.
The New Common Ground: Secure by Default
For now, a lot of marketing can be done around “secure by default”.
I would like to see the introduction of a star-rating system to provide users with an understanding of a solution’s out-of-the-box security level. This would give peace of mind without requiring user action.
It sounds simplistic, but we need to create a positive buzz around security. Think back to car safety: when was the last time you saw an ad for a car mentioning a 5-star safety rating? High safety ratings are so common that they no longer stand out as a selling point. Cybersecurity needs to go through the same evolution.