Security Fundamentals Still a Challenge

At this point, diverse industries have had mounting experience with data breaches; indeed, Verizon’s 2016 Data Breach Investigations Report reveals a significant increase (48%) in confirmed breaches this year among the nearly 70 organizations that participated in its survey.  Unfortunately, this experience has not yet guaranteed that companies change, adapt, or improve.  Despite increased awareness and training, phishing scams continue to pay off for thieves: 12% of targets clicked on the malicious links contained in the fraudulent emails (which is actually more than last year).  Since the effectiveness of phishing doesn’t appear to be diminishing, cyber criminals keep employing these techniques.


Credentials remain another consistent culprit in security incidents, whether because they are stolen or because they are too simplistic.  Phishing is often involved in the theft of company credentials, but organizations continue to resist potential defenses like multifactor authentication or changing default passwords.  Such measures would be useful, but many insist that having multiple or more sophisticated passwords is too complicated, and so many usernames and passwords are still simply the name of an application, company, or administrator.  If I were a hacker, I’d be borrowing Darth Vader’s “All too easy.”  The report also reveals how traditional vulnerability disclosure might make managing these weaknesses overly difficult for most organizations, as it yields a massive number of vulnerabilities, all of which are tagged as critical.  Filtering through the pile to find the legitimately critical items thus becomes an impossible exercise.


These continued trends are all the more worrisome given the advances hackers have made in recent years, sometimes simply in making pre-existing methods more effective and in applying them with greater creativity.  In the report, this shows up as a rise in the number of multivector attacks, in which, for example, a DDoS attack on a company’s site primarily serves as a smokescreen to draw attention away from the real attack vector, a backdoor created through malware.  “That’s the thing that is so maddening for security personnel,” says Christine Richmond, program director for worldwide security services at IDC, “because you can’t always tell where the fire is.”


Even giants like Google still have to contend with security issues, such as persistent problems with its Android mobile platform.  While improvements have been made on this front, rolling out security patches and upgrades to the more than 1 billion devices worldwide remains troublesome, especially with numerous exploits in the wild that can easily compromise an unprotected device.


Meanwhile, encryption remains a popular topic in Washington, where the debate continued last month at a hearing in which experts on both sides testified.  The arguments differed little in content from the ones we all heard during the iPhone issue.  The point on the encryption side was succinctly summed up by Bruce Sewell, Apple’s senior vice president and general counsel, who said, “Keep in mind that the people subject to law enforcement inquiries represent far less than one tenth of one percent of our hundreds of millions of users. But all of those users — 100% of our users would be made more vulnerable if we were forced to build a back door.”


It’s clear we have a long way to go, both on our policies and in adhering to security fundamentals.