By Hans Holmer
When you read about big breaches of corporate data, the breaches are generally described as the computer equivalent of “lightning,” something so fearsome and unstoppable that only the government and draconian laws could prevent those breaches.
To the cyber practitioner, the more apt analogy for breaches is potholes. Like potholes, vulnerabilities in software and hardware are ubiquitous, not that hard to fix, and new ones are discovered all the time. The sheer scales of devices that need to be patched and the number of patches and updates that need to be deployed is daunting but the actual installation of a patch is not complex. This is important because almost all breaches depend on unpatched computers to succeed. The lightning strikes, more properly called 0-days, are extremely rare.
The key to keeping a street pothole-free is first to know what streets you are responsible for and what kinds of road surface they use. The same is true of computer networks. You need to know all the devices and software on your network – PCs, printers, servers, routers, scanners, etc. Any devices and software that are not yours present a threat unless moved to a separate network. When you know your network you can patch it – all of it.
Once you know the roads you are responsible for, you can determine whether the road surfaces are appropriate for the traffic that uses them. You’ve noticed that highways have different surfaces than neighborhood roads. In IT network terms, you need to ensure that users and processes have credentials that are appropriate for the kind of work they do so that no users or processes have more access than they need. Only a small percentage of users should have administrative privileges, and those privileges should be allocated for particular purposes.
When it comes to detecting potholes, system administrators have an easier time than city managers. Most modern operating systems benefit from monthly patch-cycles. If you have computers that no longer receive patches, such as 13-year old Windows XP operating system, it might be time to repave that road. It is no surprise that breaches are ubiquitous given that 17% of computers still run Windows XP one year after Microsoft stopped issuing patches and it is hard to blame those vulnerabilities on hackers. By the way, the most common Windows operating system, with 58% of the total market, is Windows 7 which was released in 2009. It is now on “extended support” until 2020. There is a strong argument for re-paving the road before it becomes one giant pothole.
You already know that most urban streets have more potholes than are good for your car. In a nutshell, this is because inadequate resources are devoted to maintaining the streets and nobody wants to block the street while repaving it. The same is true of computer networks. The damage done to vehicles is not borne by the city and the cost of a network breach is similarly unpredictable, unlike the cost of securing the network. In both cases, high known costs outweigh uncertain, but almost certainly orders of magnitude higher, future costs.
If you had to track the pothole repair metrics, you’d track the number of streets that are completely patched. You can do the same for networks. If you compile the percentage of PCs that are fully patched plus the percentages of all other devices which are fully patched, that would create an indicator of the security of a network. Given that the vast majority of breaches exploit these fundamental vulnerabilities, it is an adequate proxy for the security of the network.
Once you have reached a state where your average security is predictably high, it is time to bring in experts who can help you defeat the lightning strikes. It is well known that 0-days seek your most valuable items, in whatever form it takes, be it intellectual property, customer specifics or money. By implementing expert countermeasures focused on protecting your critical data and processes, you can reach that rare state of having neither potholes nor lightning in your network.
Hans Holmer works in the Technical Counterintelligence Center of Intelligent Decisions. He can be reached at firstname.lastname@example.org or 703.599.4735.
Hans is a retired CIA officer with about 20 years in cyber, 26 years in intelligence and over 40 years in computers and similar technologies.