How We Need to Think About Any Breach News

Nearly every day, a new cybersecurity “big breach” story gets announced. It is always some story essentially implying how we should all be shocked by what happened, how many records were stolen, or how long the attackers were in the compromised environment without being detected, etc. The horror of it all! We all need to be shocked, shocked, shocked!

I am not frustrated with someone writing about it or re-posting the latest cybersecurity incident news story. Heck, I often re-post them for a living. Stories and pictures move people and help make things happen. But I am not a big fan of the narratives of most breach news, because they teach the wrong lesson and single out the known victim as an object of ridicule for supposedly not doing good enough cybersecurity.

Nearly every cyber breach news story misses the bigger point that we are all likely practicing poor cybersecurity somewhere and can be readily breached by an outsider. I have audited or been involved with assessing over a thousand organizations in my 34-year cybersecurity career. These organizations included Fortune 100 companies, small firms, hospitals, banks, and militaries around the world. And I have yet to meet an organization that wasn’t doing cybersecurity very well in some places, doing cybersecurity fairly average in the majority of places, and following poor practices in a few others. No entity is perfect. No organization has ever gotten a computer security review where the auditor concluded, “No security issues found. Excellent! Continue doing exactly what you’re doing without changing a thing!” It is even funny to think that would ever be the written opinion of any computer security audit, because it is so unthinkable compared to reality.

We need to accept that nearly every…if not every…organization is either hacked right now or could be successfully hacked if a hacker concentrated on them. This is the “Assume Breach” mantra that is so popular right now. And it is the way we need to think, because most organizations are porous, cybersecurity-wise, in some way, if not multiple ways. That is the reality that we all know, but possibly do not want to admit in public. And at the same time, we are putting more and more mission-critical operations on, or making them accessible from, the Internet. It is like we know the Space Shuttle O-rings do not seal in cold weather and yet we keep approving launches in colder and colder weather. Except instead of it being the fault of one person or a small group of people, we are all in on it.

Any breach you read about today is just the breach we all know about today. There are millions of active breaches all the time. One story is useful to remind us that we need to do better, but the reality of who and what is currently likely compromised is always much, much worse. For example, when you hear about a big bank being compromised, think, “That's just the one we know about.” When you hear about XYZ organization being compromised tomorrow, think, “That’s just the one we know about.” And so on, all the time.

Two weeks ago, when I heard about the water treatment plant hack, a lot of the world seemed surprised at the hack, even though it is exactly what we had been discussing as a huge problem in our critical infrastructure for decades. There was definitely a lot of finger-pointing and “Oh, my gosh! How could they have such bad computer security!”

Yes, they had computer security issues, at least on that one computer, if not in other places. But that is true of most organizations. The only difference is that the county involved decided to be transparent about it. That is really the shocking part. Instead of finger-pointing at a single entity, I want to applaud them for the transparency they showed. They said the silent part aloud. And that helps all of us. I wish more organizations were as forthcoming. Sharing our issues is a way to make forward progress. Hiding things hinders progress.

When I heard about the water treatment attack, I didn’t think, “Oh, ‘only’ that organization has this issue!” I thought, tens of millions of other organizations likely have the same issue, because that is probably the truth. Your organization would be lucky, despite your and everyone else’s best efforts, not to have the same vulnerability that could lead to the same attack in your environment. I’d be lucky not to have the problem in my house. I only have 10 devices I need to secure these days, and I try really hard not to have any vulnerabilities. But despite my best efforts and years of expertise, I probably have one or more vulnerabilities somewhere. And I can’t say for sure my kids can’t be tricked by social engineering, despite my best efforts and warnings.

This is not to say that we, or anyone else, are bad at computer security. It is just a very complex job with a lot of moving pieces. It is hard to be perfectly secure in the average business environment, which seems at odds with any computer security that slows down anyone or any process for more than a few milliseconds. Just ask your auditor if you need help with that reminder of how hard it is to be perfectly secure. And auditors usually miss tons of things that, if they knew about them, would be on your audit report. It is nothing to be ashamed of. It is just life. Most, if not all, organizations have multiple security issues that, if discovered by a hacker or malware, could result in a newsworthy compromise.

I do not just mean obscure vulnerabilities that are hidden really well and would take an uber-smart hacker to find. Anytime I want to be reminded of how many vulnerabilities are just sitting out there in the open, I go to Shodan (https://www.shodan.io/), put in a particular vulnerability or remotely advertised TCP/IP port, and let Shodan’s search engine return the millions to tens of millions of exploitable targets that anyone…a child…can easily find on the Internet. And certainly, resourced, dedicated hackers are finding lots of targets.

There are for sure many other organizations currently compromised that we do not know about...in every industry, all the time. Remember, every announced breach is a breach we did not know about in the past. But that did not make the breach any less real while it was not public news. Two months ago, we did not know about the SolarWinds breach, but it was nevertheless active in thousands of compromised companies, including multiple top technology companies, the U.S. Treasury Department, and U.S. nuclear agencies (https://www.washingtonexaminer.com/news/nuclear-weapons-agency-hacked-solarwinds-cyberattack), etc. And they are among the best protected, most resource-intensive, security-focused organizations in existence. And those things did not help them.

I say this so we do not get worked up "only" about the latest breach to make the news. The reality of how bad things are is always much, much worse! Unfortunately, the media stories unwittingly create the false narrative that only a few unlucky organizations supposedly have weaker computer security than the vast majority of organizations.

Instead, the reality is that a non-minor percentage of companies are just as weak and likely compromised all the time, and we just do not know about it right now. Our job is to try to prevent all the breaches we can and not just the ones making the news this morning. We do not need to cast stones when many/most of our houses are made of glass. We need to improve computer security overall, for the entire world, and improve security culture across the board. Because we will never significantly improve the problem until we realize this is a systemic problem that needs to be solved at the biggest common denominators (e.g., the insecure Internet) and by changing the whole system.

The first step in fixing any big problem is recognizing that you have a problem and what the right framing of the problem is. Our problem is not that a minority of companies have bad security practices. It is that we all likely have some bad security practices and are likely susceptible to one or more forms of malicious hacking. It is hard to be perfect all the time. It has been that way since the beginning of computers, and it will not change unless we do something to significantly improve the system. We are all doing the best job we can and throwing billions of dollars at the problem in aggregate. And yet the problem of malware and malicious hackers still exists, worse than ever. We have more smart people and more smart software and devices trained on computer security than ever before, and we are still losing.

So, what are the solutions? Well, we need to make the Internet a significantly safer place to compute. Right now, it is the Wild, Wild West, full of unpunished maliciousness. We need to create laws and policies that allow accountability to be enforced across international boundaries. We need policies that make business leaders and organizations more accountable for letting our data leak. We need to make a business case for computer security actually winning more often in more places where computer security and business interest conflict.

We need to create a far safer Internet, with built-in, default, assured identity, confidentiality, and accountability. We already have all the protocols and tools we need to do this. Nothing insanely new needs to be invented. We just need the political incentives and cultural will of the people to make it happen broadly before some tipping point event belatedly makes us have to do it.

Using airline travel safety for comparison, we already knew we had lots of huge vulnerabilities in our airline travel infrastructure for decades. Experts had been warning us for decades. Experts knew that bombs, guns, and knives could be taken onto airplanes. It just took 9/11 to cause enough bloodshed and industry downtime for the people and the political will to institute better fixes that we knew all along we needed.

The fixes did not focus on fixing one airline. Nope, they were industry-wide, much stronger than before, and accepted by the culture of those being governed. Before 9/11, most passengers would have rebelled at what we are all willing to accept to get on a plane today. Now, we all “gladly” wait in line, take off our shoes, throw away our drinks, carry small toothpaste containers, and submit to full body scans, like we have been doing it all along. And despite many experts saying our airline travel safety infrastructure is not perfect…that it is really security theater…there still has not been a major successful terrorist attack using an airliner since. Despite the still-existing flaws and vulnerabilities, something is working better than it did in the past.

Today, ransomware routinely takes down entire companies, hospitals, police stations, and even entire cities, for weeks at a time. Will it take an even bigger tipping point event to make us finally get serious about computer security, to realize the real problems are systemic and can only be solved by fixing the whole infrastructure? Or are we going to keep pointing fingers at the latest unlucky slob organization that ends up in the news this morning and hope that our organization does not end up there tomorrow?

Steven Paquette

Technology Director/ Information Security Officer at First Financial Group

4 years

It’s not if, it’s when...
