History Repeats Itself in IT Security
"How can we live without our lives? How will we know it's us without our past?" ― John Steinbeck, The Grapes of Wrath
Okay, so the title doesn't make sense -- you try and rhyme something with wrath that makes sense for the title of this blog! :)
But, the quote above from John Steinbeck in Grapes of Wrath perfectly sets the stage for this week's article.
I've been working in IT security for over 16 years and am finding, just as Jon Stewart remarked recently after covering so many presidential elections, that it's the same shit, brand new day -- repeated over and over again every four years in every election. I would dare to say the same about history repeating itself in IT security. We as humans keep tripping over the same damn rock over and over again, probably on a cadence as regular as the four-year term of a US president!
Why is ransomware so effective -- boasting a 1000% return on investment for those running it? Because we still, years later, are being haunted by the sins of years past: still not backing up our data in the enterprise, still not giving all users in our organizations proper information security awareness training, still not holding them accountable when they repeatedly fail annual spear-phishing exercises, and still relying on traditional antivirus instead of application whitelisting. We're so arrogant that we actually believe we can continue to try to keep up with the latest zero-day "bad stuff" instead of just allowing the "good stuff" we know should be running on our systems.
Why are we able to demonstrate the ability to remotely hack into connected automobiles and autonomous vehicles giving an attacker control of the steering wheel, brakes, and gas in the car? Because we aren't encrypting the data that we use for communication with the ECUs inside the cars or their head units. Worse yet, because we still keep putting IP addresses on things without first considering security or the ramifications of what we're doing. The same vulnerabilities we first discovered in IPv4 are appearing in attack vectors against connected cars.
Why is the recent xor.ddos bot claiming so many hacked root accounts on Linux servers around the world? Because we're still using weak passwords found in published wordlists for superuser accounts and not switching to keys or multi-factor authentication.
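The fix named above, keys or a second factor instead of a password on the root account, comes down to a handful of sshd_config lines, and the weakness is just as easy to spot in a config file before an attacker spots it on the wire. The following is an added example, not code from the original article: two constructed sshd_config fragments (the weak one and the hardened one) and a small POSIX shell audit that flags the weak settings. The keyword names are real OpenSSH keywords; the sample fragments and the function names are constructed for illustration, and the hardened fragment assumes a PAM-based second factor for keyboard-interactive authentication is configured separately (not shown).

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# weak-password-on-root problem and show the hardened form beside it.
# Both config fragments below are constructed samples, not real server configs.

WEAK_CONFIG='
# constructed sample: root can authenticate with a guessable password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
'

HARDENED_CONFIG='
# constructed sample: root by key only, no passwords, key plus a second factor
# (assumes a PAM module supplies the keyboard-interactive factor; not shown)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
'

# Print the effective value of one sshd_config keyword. sshd uses the first
# occurrence of a keyword, so the first non-comment match wins; prints nothing
# when the keyword is unset. Keyword comparison is case-insensitive, as in sshd.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# Audit a config string. Each weak setting is reported on stderr; the number of
# findings is printed on stdout (0 means the fragment passes all three checks).
audit_sshd_config() {
    findings=0

    # Check 1: root must not be able to log in with a password at all.
    if [ "$(sshd_value "$1" PermitRootLogin)" = "yes" ]; then
        echo "weak: PermitRootLogin yes lets root authenticate with a password" >&2
        findings=$((findings + 1))
    fi

    # Check 2: PasswordAuthentication defaults to yes when unset, so only an
    # explicit 'no' takes wordlist-driven guessing off the table.
    if [ "$(sshd_value "$1" PasswordAuthentication)" != "no" ]; then
        echo "weak: PasswordAuthentication is not 'no'; wordlist guessing still works" >&2
        findings=$((findings + 1))
    fi

    # Check 3: require a key AND a second method (a comma-separated list that
    # contains publickey), otherwise a single stolen secret is enough.
    case "$(sshd_value "$1" AuthenticationMethods)" in
        *publickey*,*|*,*publickey*) ;;
        *) echo "weak: AuthenticationMethods does not require a key plus a second factor" >&2
           findings=$((findings + 1)) ;;
    esac

    echo "$findings"
}

# Demonstration: the weak fragment trips all three checks, the hardened one none.
echo "weak config findings:     $(audit_sshd_config "$WEAK_CONFIG")"
echo "hardened config findings: $(audit_sshd_config "$HARDENED_CONFIG")"
```

To run the audit against a live host, pass the file contents instead of the samples, for example `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; because sshd honours the first occurrence of each keyword, the audit reads the file the same way, so a hardened line buried below an earlier weak one is correctly reported as ineffective.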
Why has the number of credit card dumps created from breached retailers and hotel chains continued to go up and not down? Because despite what we've learned from the past, we're still not deploying effective anti-malware controls and, worse yet, flat networks with no segmentation in place are still more common than not.
When will we learn? When will we finally learn from our past and stop repeating the same mistakes over and over again? The game of "cat and mouse" between hackers and the IT security industry will continue to permeate the cyber battle space because attackers will keep engineering new ways to exploit the old mistakes we keep introducing into the latest connected devices in this Internet of Things, or into the newly written web apps we've moved to the cloud.
"Failure is instructive. The person who really thinks learns quite as much from his failures as from his successes." ― John Dewey