There are many areas within a company’s environment that can be targeted by hackers from the people and processes to the computer infrastructure and software.
When we focus on the technical architecture, one of the characteristics of many hacks is the complexity of the target environment. This post briefly explores how complexity often presents opportunity for hackers to exploit weaknesses created by overly complex systems.
Complexity is the enemy of any production system. When an environment becomes overly complex the interdependencies have upstream and downstream implications. These environments are vulnerable to hacking because as the complexity of the environment increases the number of elements in that environment creates additional risk.
There is also a direct correlation between complexity, security and stability. Environments that have multiple operating systems, data base and open source components require thorough testing and coordination and often introduce instability into the environment. Many companies also run a mix of old and new network devices which increases patching difficulty which adds to the risk profile.
Much has been written recently about how information is hacked from supposedly secure companies. Equifax will be studied carefully by industry analysts and government agencies to determine how and why something like this happened.
If you look at the Equifax external facing hosts it quickly becomes apparent the firm has an issue with the number of possible targets facing the outside world. There appears to be anywhere from 600 to 1500 domains with multiple sub domains and perimeter hosts facing the internet.
I believe that managing a footprint of that size and complexity requires a substantial security, network and production support team that have the ability to synchronize the patching, upgrading and ongoing maintenance of these systems. The security management and monitoring tools available today are also complex and require significant ongoing training, maintenance and upgrades.
Researchers have found that 37% of the sites surveyed included at least one library with a known vulnerability. This means that keeping up with simple patching is often very difficult for many companies. It remains to be see how Equifax managed their complexity and if they were on top of the critical maintenance necessary to keep the environment secure.
Recent press reports have put the blame on a vulnerability in the Apache Struts library. I would argue that even if the vulnerability was the Apache Struts library, identified in March, it would take the development team several weeks to even months to properly test the impact of the patch.
When looking at the disaster of the Equifax breach I think companies should learn from these mistakes and look at their own technical debt to understand where they are vulnerable. Patching systems is a basic foundation of a good cyber security strategy.
Making sure security decisions are incorporated into the architecture at the beginning of the design phase is critical, developers are not usually the best security experts.
Allowing your technology footprint to become overly complex and unmanageable is a problem that will be more expensive to remediate in the long run. A well managed, well documented and properly controlled environment is more difficult to penetrate.
I think the big picture is often lost in the details in an event like ‘the Equifax hack’ because it points to a larger issue that many companies focus on ‘business as usual’ and managing costs rather than being proactive about the security of the data is stored on their systems. If a company’s technology footprint grows organically without any design principles and without an ongoing threat and vulnerability assessment they are putting themselves and their clients at risk.
If I were to summarize the one responsibility Equifax has it would be to manage the ‘personal credit data’ for American consumers such that that data will never be leaked, exposed or shared without prior approval of the owner of the data. Clearly the focus on maintaining the existing environment and managing costs was prioritized over that single responsibility.
The US government’s own office of personal management (OPM) was hacked when an employee clicked on a phishing email and gave up his or her credentials. Ed Snowden succeeded by finding a hole in the credential and compliance processes of the contractor he worked for and the world knows the results of his actions. These are examples of processes and training that was lacking or missing, something that does not need a technical solution to remediate.
As I pointed out at the outset, cybersecurity is a discipline that incorporates every control aspect of a company’s environment. Non technical processes are the responsibility of every employee of the firm and if there is a lack of awareness of information security no technical solutions will help. Assuming that every company reinforces this awareness a focused assessment of the technical issues will yield a risk profile that can be managed.
A careful look at the complexity of the technical architecture of an environment will quickly show whether a companies risk profile is consistent with the business mission and goals. A single breach can have catastrophic consequences for your business and costs far more than investing in a robust cyber security review and re-architecture.
Thanks for reading
Best regards: Norman King
If you enjoyed this article, please hit the like button; leave a comment or share with your network. Also, please check out my other LinkedIn posts here, also on Medium here. email: normanking@brook-port.com. Available for consulting, advisory and speaking engagements