The fact that Colonial Pipeline is slowly reconnecting and replenishing the gas supply in the southeastern United States does not lessen the financial loss and sense of vulnerability that citizens from Florida to Virginia suffered last week and still do.
The hack of Colonial Pipeline is the latest in a series of breaches that have affected a long and growing list of other companies, all ambushed by some individual or group that managed to hack straight through the industry’s “best practices” for cybersecurity.
It only gets worse. Reports appear daily about new incidents in which prominent healthcare providers, government agencies or retailers were hit by hackers, releasing millions or billions of sensitive records across the dark web.
Protecting these critical resources, healthcare providers and government agencies is a veritable army of information security professionals.
They have impressive credentials and certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA). Many even have academic credentials, including bachelor’s, master’s, and doctorate degrees in information security. They all embrace the latest “industry best practices”.
These professionals with impressive credentials are skilled in the art of tedium. They know all about audits. They can certainly push paper.
They can painstakingly examine endless lists of accounts and identify exactly who does and who does not need access to a system or service. They can write impressive 100-page missives justifying a proposed new password policy.
They can argue with developers about why their work really needs to be made harder.
And when their security is breached? Finally, they can find someone to blame. They can explain what the unwitting user did wrong, the one whose computer was exploited in a way the user could not understand. They can identify and blame “the vendor” of the malfunctioning equipment.
So with all these experts with impressive credentials, we should be getting better at this “information security” business, right? So what is happening?
The main problem is that “industry best practices” are not.
“Industry best practices” are not only not “best” practices, they are dangerous practices.
“Industry best practices,” for example, dictate that network administrators should be administratively siloed. They should not be able to see what is happening on workstations, servers, or storage resources. Server administrators, likewise, should be administratively restricted so that they cannot monitor network information or anything else that is not directly related to their specific niche job function.
These practices limit the opportunity for a technically skilled employee to identify anomalies – a key signal that perhaps someone has breached security and is roaming the network, preparing to launch the next major cyber attack.
A network engineer, for example, does not have the tools or access to investigate the activity occurring on an otherwise innocuous workstation in the sales department at 3 p.m. A server administrator does not have the access to explore why network performance seems painfully slow when trying to copy files.
Administratively, the “good guys” are prevented from having a comprehensive view of systems, networks, applications, workstations, and other resources, when that holistic view is exactly what is needed to prevent cyberattacks.
It seems that the only person with a truly comprehensive view of a corporate network and its data resources is the hacker. Unfortunately, hackers tend not to comply with the corporate information security policy.
What can companies and industries do right now?
Implement a “one strike and you’re out” hiring policy for information security employees. When they fail, don’t let it happen twice.
Also, never hire any information security employee who has ever worked for a company that has had a security incident. Their “industry best practices” didn’t work for the previous employer, so why would they work any better for the next victim? These former employees bring disaster with them.
As for “industry best practices,” try going against the flow. Return to the practices that existed before ransomware, breaches, and other information security disasters became commonplace.
Take “holistic” approaches to information security.
Instead of information security professionals with impressive paper credentials, hire technically qualified professionals. Encourage collaboration with other technically qualified professionals, and give them the tools and access they need to protect your company’s cyber resources.
Grant network engineers administrative access to the server farm. Give developers access so that network or workstation anomalies can be fully investigated.
The security approaches that existed before “industry best practices” really do work. Just ask the next hacker who tries to breach your security.
We can only hope that the information security industry will experience a renaissance. Until we realize that “industry best practices” continue to enable legions of hackers, we are doomed to further disruptions.