Don’t look back in anger
At the end of 2014, as at the end of many years before it, our mailboxes were filled with various vendors’ security predictions for 2015. We saw them also in articles in industry magazines, and security gurus and experts presented their opinions, in podcasts and webcasts, on what they believe will be the biggest security trends for the new year.
Many of them focused on big data, cloud security, the Internet of Things, APTs, and many other acronyms and hot topics.
While keeping an eye on the future is always a prudent thing to do, I worry that instead of focusing on what we should be doing today to secure our systems, we are instead fantasizing about dealing with threats and risks that may not immediately impact our businesses.
If your organization is still running Windows XP, which Microsoft stopped supporting in April 2014, then you have more to be concerned about than the impact the Internet of Things will have on your environment.
Instead of looking forward I believe we should look back at the year and see what 2014 – “the year of the breach” – (should have) taught us about how to improve security.
The year kicked off with the fallout from the Target breach, disclosed in December 2013. Target was the first of many retail organizations to be hit; Staples and Home Depot and many others soon followed during 2014.
More and more revelations came to light from former NSA contractor Edward Snowden about western governments’ mass surveillance efforts. The year ended with the infamous Sony attack, which is straining political relationships between the United States and North Korea.
As more and more details of all of these breaches come to light, it’s becoming obvious that many of them could have been avoided. Indeed, if we were to take all the predictions from this time last year and see how many of them can be applied to these breaches, I doubt we would see much correlation.
Instead, the traditional security measures that many of us cite time and time again could have prevented many of the breaches that happened this year: effective security awareness programs, strong password policies and password management, proactive monitoring of networks and security logs, and disciplined patch management.
Let’s not get caught up in the excitement of the start of a new year, and let’s not be distracted by all the shiny and bright things that vendors display. Instead, let’s focus on security basics.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland’s first CERT. He is a Special Advisor to the Europol Cybercrime Centre, an adjunct lecturer on Information Security at University College Dublin, and he sits on the Technical Advisory Board for several information security companies. He has addressed a number of major conferences, wrote ISO 27001 in a Windows Environment, and is co-author of The Cloud Security Rules.