Last week I noted that most companies are either already hacked or could easily be hacked -- and, when they have anything worth stealing, are probably already owned by multiple APT (advanced persistent threat) groups. This is a shock only to people who don't work on the front lines of the cyber war.
The defenders fight this war poorly. If we were an actual army, the generals would be replaced far more often, and we'd have the right weapons in the right places. But we don't.
Why is cyber hacking so pervasive and so easy to accomplish? Here are five reasons that account for most of the problem:
1. Crime without punishment
The bad guys who commit cyber crimes seldom get convicted. Most cyber crime happens across country boundaries, which complicates or outright prevents the arrest of the perpetrator, even if he or she has been identified and a mountain of evidence has been collected. Such challenges make it awfully hard for law enforcement to catch and convict bad guys.
The good news: The situation is improving somewhat. But the fact remains that state-supported APT attackers are never arrested or convicted, and we still catch only the biggest and boldest financial attackers. Law enforcement doesn't even bother with 99 percent of them. But their malicious activities wouldn't be so destructive if it weren't for the other four reasons.
2. Poor understanding of risk relevancy
Computer security threats are numberless. The media pushes each new vulnerability as the end of the world: "This one is bigger than all the others." Even the savviest security defenders feel besieged by new attacks.
The reality is that few of these risks are likely to result in a successful compromise. Unpatched Internet browser add-ons and socially engineered Trojans lead the list in most organizations. Yet those same organizations tend to concentrate on other projects, such as two-factor authentication, biometrics, and supposedly advanced firewalls. If threats were charted by how often they actually lead to a compromise, the first two or three bars would be much bigger than everything that follows.
3. Bad communication
Most of the time, members of the IT security department can't name the top threats to the organization. You might think this is crazy, but I survey security groups all the time, and rarely do I encounter agreement on the biggest threats. If the security team can't agree on them, how can the rest of the organization be alerted to the worst threats?
Who should the threats be communicated to? Nearly everyone. You have to educate end-users, so they make the right choices. Amazingly, I've never seen end-user education materials that explain what a company's legitimate antimalware program looks like when it finds malware, even though fake antivirus programs are rampant. None tell users how their favorite websites, which they trust, can be used against them to infect them. How can we expect end-users to make the right choices if we don't educate them?
Worse, the biggest problems are not clearly communicated to senior management. I often interview CIOs and senior managers to ask them about the biggest risks to their environments. They should tell me about unpatched Java or social engineering or something like that. Instead I hear about cloud computing unknowns, merger and acquisition problems, or compliance issues. These are valid strategic issues, but the war needs to be fought at a tactical level. Even if tactical solutions (such as patching Java) somehow filter their way up to senior management, they're generally seen as only one component of a larger strategic initiative, such as computer hardening or standardization projects.
4. Lack of authority
Because senior management doesn't understand the problems, it can't confer the right authority to the right people. You end up with a front-line tactical staff that understands -- but is powerless to implement fixes. They understand patching Java is one of the best things they can do for their organization but lack the authority to actually patch it (because it will cause operational problems). Instead, they shrug their shoulders and do the things they do have authority to do. IT security employees are like doctors who aren't allowed to make decisions to save patients' lives.
5. Organizational silos
Most organizations are broken up into silos, none of which trust the others. Long, hard-fought political battles have made each person understand the limits of authority -- and it stops at the silo wall. The leader of one silo may have an excellent way to reduce risk that would work across all silos, but the other silo leaders won't stand for it. You end up with a competent solution being deployed in only part of the company. It's tragic.
The real threats
It boggles my mind that even after the recent Target and Home Depot breaches, CEOs and CIOs still fail to take security threats as seriously as they should. Target's breach cost $1 billion and played a major role in the firing of both the CEO and CIO. Somehow, that wasn't enough to prevent Home Depot from being compromised by a slightly modified version of the malware used in the Target attack.
When Target got hacked, the world's CEOs and CIOs were understandably bothered. "We must do something to prevent that from happening to us or our customers!" Projects were started. Then attention flagged, and resources went to other places. Projects that were started with the best of intentions and would have worked toward real accomplishments got watered down to the point that they no longer supported the original objectives. They ended up over budget, delayed, and mostly ineffective. It has always been this way.
One of my readers asked if I thought Target and Home Depot amounted to the "security apocalypse" I've always said would occur one day to shake people out of their business-as-usual attitude. Not yet -- Target and Home Depot were merely disasters of the week. They were notable, newsworthy, and horrific, but quickly forgotten by most people.
Sooner or later, an uber-worm is going to take down the stock market, the government, or the entire Internet. We certainly don't have some superior computer security defense that could stop it when it does occur -- we have too many structural problems to solve before we get there.
The fallout from that mega disaster will finally mark the tipping point. Until then, keep fighting the good fight and prepare as best you can.