Why Smart Companies Still Get Hacked
If IT administrators know systems patches are a best practice, why do data breaches happen?
For IT admins, the concept of “cyber hygiene” is not new. Defined by the Center for Internet Security (CIS) and the Council on Cyber Security (CCS), cyber hygiene is a proactive method of implementing security best practices to protect and maintain IT systems and devices. Unfortunately for many IT admins, good cyber hygiene is often easier said than done.
An alarming 57 percent of cyberattack victims report their breaches could have been prevented by installing an available patch, according to a new ServiceNow study conducted by the Ponemon Institute. And 34 percent of those respondents were already aware of the vulnerability before they were attacked. That’s a staggering number. Put another way, nearly three out of every five companies would have saved massive amounts of time and money, not to mention the reputational harm, had they only upped their cyber hygiene game.
THE LACK OF CONSISTENCY
At the heart of a strong cybersecurity practice is just one word – consistency. Success of a proactive security posture means you keep up with the basics, not just once in a while when a fire drill occurs, but day in, day out, year after year. So if every IT administrator knows that keeping systems patched and configured is a best practice, why do data breaches and cyber attacks increase every year?
For starters, IT infrastructure today is highly complex and becoming more so every day. There is a mix of operating systems, software and locations that devices inhabit from the public cloud to the coffee shop. To make matters worse, each operating system and software vendor has their own schedule of updates, each with varying degrees of severity and urgency.
And then there are the tools.
Today’s tools are terribly misaligned for corporations with a cloud-first IT management strategy. Incumbent solutions are costly, require on-premise hardware, software downloads, lengthy configuration cycles and dedicated personnel. And, oh yes, you need a separate solution to support each of your Windows, Mac and Linux environments.
What about patching third-party software? Companies still need a separate solution. How about deploying and enforcing required software titles? Separate solution. And if companies need to manage and enforce specific device configurations? Yes, separate solution. It is no wonder that unpatched and misconfigured systems represent more than 80 percent of the corporate attack surface. IT administrators in organizations of every size are overwhelmed and need a better option.
THE RISK OF POOR CYBER HYGIENE
Without good cyber hygiene, bad actors (hackers) can easily access systems through unpatched vulnerabilities and misconfigurations. To illustrate the point, one of the most high-profile and devastating data breaches ever (Equifax) occurred thanks to a vulnerability found in the open-source Apache Struts web application framework. The Equifax breach was particularly problematic considering an official patch had been released two months earlier, but Equifax failed to apply it to all endpoints in a timely fashion.
AUTOMATING THE 4 FUNDAMENTALS OF CYBER HYGIENE
To stay ahead in the security game, IT administrators are turning more and more to automated solutions that save them time, money and strengthen their defensive posture. With hackers getting more sophisticated, the best preventive measure is nailing the four basics of cyber hygiene, day in day out, year after year.
Here, we’ll explain the four core basics and why automating these fundamentals is the only way to effectively scale security as infrastructures grow.
1. KEEPING OPERATING SYSTEMS PATCHED
Operating system patches are often the most obvious and critical updates that need to be applied. These updates characteristically deliver new functionality, but often remediate new found security vulnerabilities as well. Microsoft famously delivers a venerable pile of new patches on the second Tuesday of each month (Patch Tuesday) and follows it with additional releases on Exploit Wed. Each update has a different severity classification. How do IT managers know which patches to apply? How do they know and report that the updates were deployed? What if they have a mixed OS environment? Automated OS patching is the key to limiting casualties from zero-day exploits.
2. KEEPING THIRD-PARTY SOFTWARE PATCHED
Similar to operating system updates, third-party software patches present a significant problem for IT administrators. They may have one OS but hundreds of software titles. How do they keep popular software like Adobe, Java, Firefox or Chrome patched across their network? Do they leave it up to the end user, hoping they accept and apply the patch? Putting corporate security in the hands of employees is not a gamble that most corporations are willing to take.
3. DEPLOYING + ENFORCING REQUIRED SOFTWARE
Gaining visibility into the software that is installed on all corporate systems is also a big logistics challenge. Part of a strong security posture is not only knowing what software is installed but having policies in place to enforce the update, addition, or removal of that software.
4. MANAGING ENDPOINT CONFIGURATIONS
The final pillar of cyber hygiene is one that is often overlooked – configuration management. Each operating system has a variety of different security, privacy and personalization settings used to improve the experience and safety of the device. Most traditional tools struggle here due to their inability to meet the huge variance in customer requirements. Are USBs locked down to disable data transfer? Are passwords long enough? Do all screens time out on the same interval? You can see how this list of security parameters could go on forever. Automatically identifying and applying these settings across all endpoints can go a long way towards improving the cyber hygiene of an organization -- and saving the time and sanity of the IT staff.
Unfortunately, cyber hygiene is thought of as a fairly thankless, redundant, manual and time-consuming process. Many of the existing legacy tools are rather complicated, outdated, aren't cloud based, don't serve every operating system or just don't have enough features, so IT managers end up needing several tools or a large security team just to keep up with the basics of an effective cyber hygiene regimen.
Sixty-two percent of companies surveyed in the ServiceNow study say they can’t tell whether software vulnerabilities are being patched in a timely way, and 57 percent say their patching efforts fail because their teams are still using spreadsheets and emails to track and assign patching tasks.
Bottom line: If teams can make their security processes more efficient, they can optimize the efforts of the people they already have.
Whether you’re a small business or a large multinational organization, the shortage of cybersecurity professionals means you need all the help you can get. Establishing an automated cyber hygiene practice will not only leverage more of the resources you have but make them more effective, knowing they have the basics covered. While predicting threats can be challenging, preparing and preventing them becomes achievable with sound cyber hygiene practices.
Jay Prassl is the founder and CEO of Automox, based in Boulder. Automox has developed a cloud-based, automated patch managment solution that simplifies patching and configuration management across Windows, Linux, Mac OS X and third-party software.