New Year’s resolutions are funny things. I'd place a strong wager that as 2016 was put to bed and 2017 awoke, a great many IT professionals made promises to themselves regarding their roles, their IT environments, and how they'd make changes to ensure that the organization’s IT infrastructure would run smoother and safer than ever.
Now, deep into the latter half of the year, I'd be very surprised if all of these promises were kept. In fact, I'd guess that most were discarded within weeks. The unfortunate thing is that New Year's resolutions grant us a rare opportunity for self-reflection, and the promises we make, while fickle, often represent improvements that could, and should, be made.
With this in mind, perhaps it's time to shine an uncompromising light on the IT security failures of 2017—the sins we are guilty of as IT professionals—in a hopeful bid to inspire us to instigate change and maybe even prepare New Year's resolutions for 2018 that will actually be kept.
Patch things up
For IT professionals, the ability to stay on top of vulnerabilities within an environment is of utmost importance. This may be stating the obvious – IT professionals are well aware of how damaging a breach can be, and the escalating threat from attackers is an often-told story uttered in hushed whispers around the IT professional campfire.
Yet, despite the fact that we should know better, far too many IT professionals neglect automated patch management—a method which can make your job easier and your IT environment safer.
In fact, patching is a sore subject in general. Organizations should really have a dedicated team for patching the environment. After all, there's only so much a single IT professional can actually do, and something is bound to slip through the net. It's unfortunate that "something" may be incredibly harmful to an organization.
Automated patch management, meanwhile, can help IT professionals compare configurations and provide a vulnerability database, showing which devices are in use and are being monitored, and what previous issues have existed. It can also tell IT professionals what needs to be updated and what security vulnerabilities exist, which is incredibly important information.
Now, you may be thinking that if your organization was breached, you'd recognize its cause immediately. But if an attacker has found a way in, it's more likely that the vulnerability they used had existed for some time before you noticed it.
Despite the increasingly sophisticated tactics used by attackers, most breaches aren't a result of elegant, elaborate schemes hatched by cunning hackers.
Instead, they're usually the result of either social engineering, or a vulnerable part of the infrastructure which should have been patched months, or even years, before the breach took place.
This is a story that has been told many times before. Patch management isn't a new technique. Yet every year, more and more IT professionals shake their heads and wonder what's going wrong.
By having tools that actually assess an IT environment and bring these issues to light, IT professionals can keep ahead of the game and prevent a lot of breaches from occurring. Perhaps in 2018, we'll see more organizations realize this.
Failure to adapt
By and large, IT professionals are highly adaptable creatures. We have to be if we are to properly serve an organization and ensure that an IT environment is up to date, optimized, and safe.
In 2017, however, there has been an inflexibility in the way IT professionals, organizations, and society as a whole view people who are now being dubbed “security professionals,” but have in the past been more commonly referred to as “hackers.”
This year we have seen an emergence of security professionals who are building viruses, not for any criminally-minded purpose, but instead as a means to better understand attackers and help companies stop breaches from taking place.
Take Marcus Hutchins, for example. Marcus Hutchins is a young cybersecurity researcher who is credited with temporarily stopping the WannaCry attack, a piece of malicious software that would have had wide-reaching consequences for organizations such as the NHS. Hutchins found a supposed “kill-switch,” which stopped the attack in its tracks. In the months after, he was praised as something of an IT security hero.
Unfortunately, Hutchins' fall from grace was as dramatic as his ascendancy. He was recently arrested following allegations that he was involved in the creation of Kronos, a separate piece of malware, and, if found guilty, could face up to 40 years in prison. The arrest has been met with astonishment by the cybersecurity industry, with many experts protesting Hutchins' innocence.
This is a complex story and we just don't know whether Hutchins is innocent or guilty. However, what this story has revealed is that so-called “hackers” could play a pivotal role in protecting organizations from attackers.
It has also revealed that there is still an enormous amount of distrust around these “hackers” and an unwillingness among many IT professionals to adapt their views and accept that “hackers” and “security experts” can sometimes mean much the same thing.
In 2017, IT professionals have been guilty of many things, but there is still time to change. Whether it's adapting your views to suit a brave new world or incorporating a tool that's been overlooked for far too long, it's not too late to assuage your guilt and see out the year with a bang.