Originally published in Business Insider
By Steve Goodbarn
Imagine a lethal form of bird flu in the wild.
To prevent infestation, your solution is to station sharpshooters along the border to shoot each bird that flies into your territory and also analyze each bird already within that territory to determine if it is a carrier. But it only takes one breach of these defenses and a pandemic is underway.
That is the state of information technology security.
Maintaining secure computer systems is an almost impossible task given the current insecure, unauthenticated state of IT infrastructure. Even the best security profile cannot totally prevent breaches because the IT infrastructure, when taken as a whole, cannot be made impervious to determined attackers.
There is no single security solution, either – every element of security (intrusion detection, firewalls, endpoint security, DNSSEC, denial of service mitigation, analytics and artificial intelligence, diligent patching, etc.) may be essential but each component is by itself inadequate.
The exposure is huge. Besides the customer impact, a breach of any magnitude will likely destroy the careers of the top IT security people and probably their CEO. For many businesses it will also severely damage their reputation and possibly lead to bankruptcy or a low-ball merger offer.
An equally hard truth is some hardware-based vulnerabilities cannot be fixed with software patches, a major issue for the Internet of Things. Remember that Target was hacked through its HVAC systems.
The sheer number of systems and endpoints, volume of activity, lack of a perimeter due to mobile, numerous hacking methods and the speed of attacks all give hackers an overwhelming advantage. To extend the bird flu metaphor, information security is faced with a constant barrage of billions of potentially virus-carrying birds.
The best and most cost-effective approach to this bird flu-like problem is to vaccinate the population (and possibly the birds) so they are not susceptible.
Corporations, government and the public will continue to be vulnerable until systems are self-protecting.
In the now-infamous Equifax breach, personal information of about 145 million Americans was stolen by hackers. According to congressional testimony by its former CEO, Richard Smith, the attack was made possible through an exploit of a vulnerability in the Apache Struts open source software that was used to build its website. This vulnerability carried the identifier CVE-2017-5638 and was reported by US-CERT on March 8, 2017.
Cisco found the bug and the open source community had a patch out within a couple of days – and kudos to them for their diligence. Patching critical vulnerabilities requires quick action, but software patches require testing to ensure the new software does not create other problems or vulnerabilities in the network. This can extend the patch window – and the window of vulnerability.
Smith said his IT department ran a scan of the system a week after the initial problem was found and did not detect that anything was amiss. Meanwhile, now inside, the hackers removed the dependency on Struts, and from that point on the patch was irrelevant.
Smith said in his testimony that hackers probably first accessed sensitive client data around May 13 and had free rein until July 30, when Equifax detected suspicious activity and shut down the web application. Failure to patch quickly appears to be a major factor in this mega breach, but another vulnerability in Apache Struts disclosed on the same day as the Equifax breach had been outstanding for 9 years. Lots of time for exploits.
I do not know the full extent of Equifax’s IT security, but I do know they had not deployed DNS Security Extensions (DNSSEC), which for me is a quick indicator of an organization that is not fully on the ball. DNSSEC has been required for Federal agencies for over 5 years, and it is inexpensive and neither difficult nor time-consuming to implement.
DNSSEC would not have prevented this breach. But as the first contact point on the internet, the DNS – often called “the phone book of the internet” because it translates the host name in a URL into the address of the correct site – has a unique knowledge of what is happening.
DNS-based security solutions can be used to detect and block malware and other threats, limit access to websites or site categories, implement agentless network security, report suspicious traffic and odd occurrences, and enforce web access policies by IP address or IP range. DNS-based security is also not expensive, is easy to implement and does not slow down the network.
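The following is an added example, not code from the article or from Secure64, of the kind of policy a DNS-based control enforces: it runs a few constructed query-log lines through a suffix blocklist, a category policy, a per-client access rule, and a simple heuristic for suspicious labels. The log format, the domain names, the client addresses and the thresholds are all assumptions made up for the example.

```python
import math
import re

# Constructed sample of DNS query log lines: "timestamp client qtype qname".
# The format is an assumption for this example, not any particular resolver's log.
SAMPLE_LOG = """\
2017-05-13T10:01:22Z 10.0.0.5 A www.example.test
2017-05-13T10:01:23Z 10.0.0.5 A cdn.example.test
2017-05-13T10:01:25Z 10.0.0.9 A update.malware-c2.test
2017-05-13T10:01:26Z 10.0.0.9 TXT x7k2q9mzp4w1r8vt3j6ybn0c.tunnel.test
2017-05-13T10:01:27Z 10.0.0.5 A casino.gambling-site.test
2017-05-13T10:01:28Z 10.0.0.5 MX mail.example.test
"""

# Policy inputs (constructed). A real deployment loads these from threat
# intelligence feeds, a category service and an asset inventory.
BLOCKLIST = {"malware-c2.test"}                            # known-bad zones, suffix match
BLOCKED_CATEGORIES = {"gambling-site.test": "gambling"}   # category policy, suffix match
MX_LOOKUP_ALLOWED = {"10.0.0.20"}                         # only the mail relay should query MX

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")
ENTROPY_THRESHOLD = 3.5   # bits per character, tuned for this example
LONG_LABEL = 20           # labels at least this long are checked for entropy


def shannon_entropy(s):
    """Bits per character of s; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_matches(qname, suffixes):
    """Return the matching suffix (zone) if qname is in or under one of suffixes."""
    for suffix in suffixes:
        if qname == suffix or qname.endswith("." + suffix):
            return suffix
    return None


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower().rstrip(".")   # normalise for matching
    return rec


def classify(rec):
    """Return (verdict, reason) for one parsed query; BLOCK, ALERT or ALLOW."""
    qname, client, qtype = rec["qname"], rec["client"], rec["qtype"]
    hit = domain_matches(qname, BLOCKLIST)
    if hit:
        return "BLOCK", "blocklisted zone " + hit
    hit = domain_matches(qname, BLOCKED_CATEGORIES)
    if hit:
        return "BLOCK", "category " + BLOCKED_CATEGORIES[hit]
    # Long, high-entropy labels are a common sign of DNS tunnelling or DGA traffic.
    for label in qname.split("."):
        if len(label) >= LONG_LABEL and shannon_entropy(label) > ENTROPY_THRESHOLD:
            return "ALERT", "high-entropy label " + label
    if qtype == "MX" and client not in MX_LOOKUP_ALLOWED:
        return "ALERT", "MX lookup from non-relay host"
    return "ALLOW", "no policy match"


def analyze(log_text):
    """Run every well-formed log line through the policy."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, reason = classify(rec)
        results.append((rec["client"], rec["qname"], verdict, reason))
    return results


if __name__ == "__main__":
    for client, qname, verdict, reason in analyze(SAMPLE_LOG):
        print(f"{verdict:5} {client:10} {qname:45} {reason}")
```

Because every device on the network has to resolve names before it can talk to anything, a resolver that applies rules like these sees traffic from hosts that have no agent installed, which is what the article means by agentless network security. The blocklist and category rules are cheap exact-suffix checks; the entropy heuristic is deliberately conservative (long labels only) so that ordinary CDN and mail names are not flagged.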
Fundamentally, the real solution to IT security is to demand that systems are designed using sound security principles, including software, firmware and hardware. Network protocols such as DANE can be used to authenticate and even encrypt data using a chain of trust that extends to the DNS root servers.
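As an added illustration of the DANE mechanism mentioned above (example code, not from the article or from Secure64), the block below shows what a DANE TLSA record actually binds: a hash of a server's certificate, or of its public key, published in DNS. It builds a constructed, meaningless X.509 certificate in DER form, walks the DER to pull out the subjectPublicKeyInfo, and checks it against a TLSA record of the form `usage selector matching-type data` as defined in RFC 6698. Only the end-entity usages (1 and 3) are handled; the certificate, record text and key bytes are all constructed for the example.

```python
import hashlib


def der_encode(tag, content):
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Return (tag, content_start, content_end) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, content_start, content_end) for each child TLV."""
    pos = start
    while pos < end:
        tag, cs, ce = der_read(buf, pos)
        yield tag, pos, cs, ce
        pos = ce


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, cert_start, cert_end = der_read(cert_der, 0)             # Certificate SEQUENCE
    _, tbs_start, tbs_end = der_read(cert_der, cert_start)       # tbsCertificate SEQUENCE
    fields = list(der_children(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, tlv_start, _, tlv_end = fields[5]
    return cert_der[tlv_start:tlv_end]


def tlsa_association_data(cert_der, selector, matching_type):
    """Compute the TLSA 'certificate association data' for a certificate (RFC 6698)."""
    if selector == 0:
        data = cert_der                    # full certificate
    elif selector == 1:
        data = extract_spki(cert_der)      # SubjectPublicKeyInfo only
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == 0:
        return data                        # exact match
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def parse_tlsa(rdata):
    """Parse presentation-format TLSA rdata: 'usage selector mtype hex...' (hex may be split by spaces)."""
    parts = rdata.split()
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))


def tlsa_matches(cert_der, rdata):
    """True if the certificate satisfies an end-entity (usage 1 or 3) TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage not in (1, 3):
        raise NotImplementedError("usages 0 and 2 constrain a CA in the chain, not the end-entity cert")
    return tlsa_association_data(cert_der, selector, mtype) == assoc


def expected_tlsa_rdata(cert_der, usage=3, selector=1, matching_type=1):
    """The record text an operator would publish for this certificate (default: DANE-EE, SPKI, SHA-256)."""
    return "%d %d %d %s" % (usage, selector, matching_type,
                            tlsa_association_data(cert_der, selector, matching_type).hex())


def build_sample_cert():
    """Construct a structurally valid but meaningless certificate; returns (cert_der, spki_der)."""
    alg_id = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + der_encode(0x05, b""))
    name = der_encode(0x30, b"")                      # empty Name (constructed placeholder)
    validity = der_encode(0x30, der_encode(0x17, b"170513000000Z") + der_encode(0x17, b"180513000000Z"))
    rsa_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + der_encode(0x05, b""))
    spki = der_encode(0x30, rsa_alg + der_encode(0x03, b"\x00" + b"\x11" * 64))   # fake key bits
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg_id + name + validity + name + spki)
    cert = der_encode(0x30, tbs + alg_id + der_encode(0x03, b"\x00" + b"\x22" * 64))  # fake signature
    return cert, spki


if __name__ == "__main__":
    cert, _ = build_sample_cert()
    record = expected_tlsa_rdata(cert)
    print("_443._tcp.www.example.test. IN TLSA", record)
    print("matches:", tlsa_matches(cert, record))
```

A client that validates DANE fetches the TLSA record for the service name and port, checks that the response carries a valid DNSSEC signature chain back to the root (the "chain of trust" in the text), and only then compares the presented certificate to the record as above. Without the DNSSEC validation step the record is just unauthenticated data and provides no assurance, which is why DANE depends on DNSSEC being deployed.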
In the meantime, freeze your credit, be diligent about access to your finances and private information, or go off-line and pay with cash.
Steve Goodbarn is co-founder and chairman of Secure64 Software Corporation.