Colt 45 and Two ZigZags, Baby
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
OK. This whole world of Cybersecurity can now be declared officially insane.
Sonatype research claims that 57% of the Global Fortune 100 has yet to address the Apache Struts flaw (CVE-2017-5638, a remote code execution bug in the framework's file-upload parsing) that led to the most expensive and damaging breach in history. The list included seven technology companies, eight auto manufacturers and fifteen financial services and insurance companies.
That would be 30% of the Fortune 100 in just those three sectors. And seven technology companies? Come on, man.
Equifax failed to patch the vulnerability when the fix was first released, and then failed again later, earning it the Stooge of the Year award (up until now). As a reminder, these were the folks who brought us 148 million compromised PII records and a quarter of a billion dollars in expense to date (tally still going). This, of course, prompted the FBI to issue a flash "alert" warning everyone paying attention that we need to patch the software.
Apparently only half of the Fortune 100 was paying attention, because an astounding 8,780 downloads of vulnerable Apache Struts versions have occurred in the wake of the Equifax breach, and yes, every one of them is vulnerable to the same attack.
Why we haven't applied the patches, and why we keep downloading older vulnerable versions, is a mystery to many. Last year, known vulnerabilities remained the leading cause of data breaches, accounting for almost 50% of all incidents. We have been harping here for what seems like forever about the need to apply critical security patches immediately upon notification. Instead, it appears that most businesses (judging by the statistics) would rather keep changing their door locks to the coolest ones they can find at RSA each year, while insisting on leaving all of their windows open.
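The "downloading older vulnerable versions" problem is usually invisible because the Struts version is buried in a build file. The following script is an added example, not code from the original post or from Sonatype: it reads a Maven pom.xml, resolves the Struts version (including a `${struts.version}` property, which is how most builds pin it) and reports whether it falls inside the affected ranges published in the Apache advisory S2-045 for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1). The pom.xml embedded below is constructed for the example; the project and artifact names in it are made up.

```python
"""Flag Apache Struts 2 versions vulnerable to CVE-2017-5638 (S2-045) in a pom.xml.

Added example, not code from the original post. Affected ranges are those in the
Apache S2-045 advisory; a version outside them is reported as not affected by
THIS CVE only. It may still carry other Struts flaws.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# (lower inclusive, upper inclusive) version tuples, per S2-045.
# 2.3.32 and 2.5.10.1 sort above these upper bounds and so are not flagged.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version_text):
    """True when the version lies inside one of the S2-045 affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _text(elem, tag):
    child = elem.find(MAVEN_NS + tag)
    return child.text.strip() if child is not None and child.text else None


def struts_dependencies(pom_xml):
    """Yield (artifactId, resolved version) for every org.apache.struts dependency.

    The same check is applied to plugins as to struts2-core because the Struts
    plugins are released with the same version number as core.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(MAVEN_NS + "properties")
    if props_el is not None:
        for p in props_el:
            props[p.tag.replace(MAVEN_NS, "")] = (p.text or "").strip()
    for dep in root.iter(MAVEN_NS + "dependency"):
        if _text(dep, "groupId") != "org.apache.struts":
            continue
        version = _text(dep, "version") or ""
        # Resolve a plain ${property} reference the way Maven does for a declared property.
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        yield _text(dep, "artifactId"), version


def audit_pom(pom_xml):
    """Return [(artifactId, version, vulnerable)] for every Struts dependency in the pom."""
    return [(a, v, is_vulnerable(v)) for a, v in struts_dependencies(pom_xml)]


# Constructed sample pom.xml: the project name and the mix of versions are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>legacy-portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, vuln in audit_pom(SAMPLE_POM):
        status = "VULNERABLE (S2-045)" if vuln else "not affected by S2-045"
        print(f"{artifact} {version}: {status}")
```

Two caveats a practitioner should keep in mind. First, this only sees versions declared in the pom you hand it; a parent pom or a transitive dependency can pull in a different struts2-core, so confirm against the resolved tree (for Maven, `mvn dependency:tree`) or against the jar actually deployed. Second, the comparison is against one advisory's ranges; being outside them says nothing about the other Struts CVEs Sonatype was counting, so the version still needs to be the current release, not merely "not 2.3.31".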
This is a clear indication that businesses would rather favor application continuity and network availability over security. I guess that's a choice one could make, but so is unemployment.
How about this instead: if one is so determined to keep introducing known vulnerabilities, at least couple those acts with proactive security basics, so that access to the vulnerable component is managed, minimized and, where it is unnecessary, eliminated outright.
I can’t believe I just wrote that.
It's like saying to a fentanyl addict, let's go ahead with those daily injections, but at least let me clean the syringe in between pops.