Vulnerable by Design

IT solutions that solve one problem by creating others can leave companies with crippling vulnerabilities.

Author: F-Secure Business Security Insider
Date: 16.07.2015
Read Time: 3 Minutes

One needs only to read the daily news to learn that hacks against companies occur quite regularly. What gets less attention (maybe because it’s not such a glamorous story) is that crippling IT problems are not always the result of malicious activity. Recent events have shown that unreliable and insecure software can have essentially the same effect – both can produce vulnerabilities that can cripple critical IT infrastructure.

Vulnerabilities Don’t Need to be Exploited to Inflict Damage

IT solutions are supposed to solve problems – that’s why people call them “solutions”. People invest resources in developing solutions to solve certain problems, but not others. The dynamic nature of IT infrastructure complicates this principle: solving one problem can often create others, which then require additional solutions to keep them managed and controlled.

Both United Airlines and the New York Stock Exchange experienced network outages in early July, and many were quick to attribute these outages to cyberattacks. Such speculation draws attention away from what some people would say is the real culprit – poorly implemented IT solutions.

According to F-Secure Security Advisor Sean Sullivan, these incidents show how companies and organizations invest in IT systems that boost productivity or efficiency, but not security or reliability. “Companies invest in technologies to, in a broad sense, increase their profits. Security isn’t sufficiently prioritized, meaning these technologies are more likely to suffer from bugs and design flaws when implemented. The security community calls these flaws vulnerabilities because they make systems unstable, and tempting targets for attackers. But the truth of the matter is they don’t even need to be attacked to cause a system to crash – a system lacking in sufficient redundancies and other safety measures is a threat to itself.”

In light of Sullivan’s statements, it makes sense to evaluate whether your current cybersecurity software is really part of a solution, or just a new vulnerability.

From Vulnerabilities to Opportunities

While United Airlines and the New York Stock Exchange were able to address their issues (at least in the short term) within a few hours, the recent attack on the US Office of Personnel Management (OPM) highlights the long-term risks of ignoring vulnerabilities.

OPM has been lambasted with accusations of neglect since news of the hack broke in June. Criticisms include an apparent lack of multifactor authentication protocols and the use of systems that haven’t been properly certified as secure. One thing is clear: the hack wasn’t attributed to a revolutionary new strain of malware – it was good old-fashioned neglect.

Notable security blogger Brian Krebs pointed out that focusing on attacker attribution often distracts people from the efficacy of their security solutions – it displaces the responsibility for security onto attackers rather than addressing the risks associated with relying on vulnerable IT systems.

“The NSA is spending a ton of money on developing their surveillance capabilities, but what has it gotten them?” asked Sullivan. “National security would be better served by investing and developing more secure IT infrastructure. The OPM hacks tell us that these kinds of vulnerabilities continue to give attackers the opportunities they need to strike.”

Some people suggest that incidents such as the recent network outages are like natural disasters – they’re unavoidable. But preparing for natural disasters can help save lives, and the same thinking should be applied when designing IT systems. Some vulnerabilities can be managed by security tools that make sure software is kept up to date with the latest security patches. Other vulnerabilities need to be considered as an aspect of design, so implementing software designed to provide a secure, reliable IT environment needs to be prioritized accordingly.

