I’m writing this as the world is trying to recover from the WannaCry ransomware attack that hit over 100 countries and hundreds of thousands of computers. It’s made me think that perhaps Ben Franklin’s saying that the only thing certain in this world is death and taxes needs to be amended to “death, taxes, and being hacked”.
The idea for this post did not actually originate in the global ransomware attack but in a special section in The Economist magazine a month ago. The salient sentence in the lead article from that section lays out the basic issue: "The vulnerabilities of computers stem from the basics of information technology, the culture of software development, the breakneck pace of online business growth, the economic incentives faced by computer firms and the divided interests of governments."
Let me expand a little bit on this:
- Remember that technology is made up of layers on layers of independently developed pieces, from code embedded in multiple hardware elements to the operating system to your friendly NAV implementation. Not only does this obviously multiply risk, but an opening in one layer can expose other layers.
- Software development remains a little less of a science than an art – by one estimate, average programming creates 10 to 50 errors per 1,000 lines of code. Best-case development drives this down to 0.5 errors per 1,000 lines. Microsoft Windows contains about 50 million lines of code. Doing the math, that says the best case is that it could have a mere 25,000 errors – and who knows how many are exploitable.
- Innovation and growth are the keys in the technology business. It’s pretty much a roll-it-out-fast-and-fix-it-later business. We’ve all become accustomed to this and complain a little about the bugs that affect our user experience, but, much more importantly, this works directly against a culture that would ensure a secure environment. Oh, and by the way, the burgeoning Internet of Things only opens up a much larger world of vulnerabilities.
- Think about the not-too-distant controversy regarding unlocking iPhones. The truth is that governments don’t want things too secure. Even without giving in to paranoia, there are legitimate law enforcement concerns about not being able to get to evidence in a criminal prosecution.
In other words, forget it. Not only is there no easy fix, there’s absolutely no comprehensive fix.
Before you sigh too loudly in resignation, think about basic things you can do to make your life a little safer.
For example, do you:
- Keep operating systems up to date, installing the updates that close off vulnerabilities? WannaCry particularly highlights this issue. I’ve been to far too many companies that have a patchwork of operating system levels, particularly on workstations, which makes this difficult to do, not to mention making it difficult and costly to support overall.
- Back up your data and secure your backup data? I’m going to assume you do this at your firm. But how often do you test your ability to recover that data? And at the consumer level this is surprisingly easy to do, but a lot of people just don’t bother. Get ready to learn how to use Bitcoin to pay ransoms if you don’t know your data is securely stored and recoverable.
- Use basic password discipline – like strong passwords and regular password rotation? Many of us (raising my hand on regular personal password rotation) and many firms consider this annoying (it is), but it’s pretty much security 101.
- Have policies and provide education that create a security culture? It’s amazing how many people click on e-mail links they’re not sure about. I did this the other day with an e-mail from a friend at a technology company that indicated he was sharing a Google doc. Fortunately I stopped before “signing in” to Google, sensing something was wrong. Inculcating a security mindset, even a good dose of paranoia, is very important.
- This isn’t so simple, but do you perform security audits, particularly with trusted third-party firms? No offense to all the great network admins out there, but security requires deeper and deeper expertise. It’s unrealistic, in my opinion, to expect those responsible for keeping things running at your firm to acquire and maintain that level of expertise.
This certainly isn’t meant to be a comprehensive list. I’ve run technology departments and led IT assessment projects, but I’m nobody’s idea of a security expert. But The Economist piece, followed by the WannaCry explosion, made me think about some basics we should all pay attention to so that we can provide a modicum of insurance in our daily digital life.
Remember, quoting Ben Franklin again, that an ounce of prevention is worth a pound of cure.
If you’re interested in The Economist article, you can find it at http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security