As organisations adapt to new ways of working during this pandemic crisis, certain topics continue to re-appear in news, social media feeds and in everyday discussions. Data breaches and cyber security problems are getting more prevalent and becoming more disruptive to both businesses and private individuals.
Covid-19 has rapidly changed the way we work and created a larger need than ever before for strong cybersecurity practices.
What would have taken most businesses five years in normal times – i.e. moving an entire workforce to working 100% remotely – was forced through in a little over two weeks during March, and took place simultaneously throughout the office-based world.
Free-to-use applications such as Zoom, and offers of extended rights to use normally chargeable platforms such as Cisco, have now become commonplace. In fact, Zoom has grown from 10 million meetings in December 2019 to over 200 million in April alone.
However, with remote workers taking to these platforms, in most cases for the first time, the opportunities for data leaks, breaches or the compromise of sensitive information have never been greater.
This explosion in growth has not come without a price. ‘Zoombombing’ is a newly coined term describing how easily and frequently business meetings are being hijacked by opportunists who are freely compromising these cloud-based video platforms and calls. We personally know of several local organisations here in Wales that have had their team meetings compromised in recent weeks.
It hasn’t helped that even our own government and media have themselves publicly shared pictures, online and on television, of what are confidential meetings and have posted meeting room numbers, potentially compromising national security – and highlighting how easily and frequently unintentional breaches can and do happen.
But why have these compromises happened so quickly after the world has chosen to adopt new ways of working?
There are several reasons, and in the main they fall under the principle that patching (fixing or updating software after it has been released) is failing the world as a security strategy.
There are known issues or vulnerabilities in every piece of software, and these are increasingly becoming known to and shared by hackers. In addition, there are vast numbers of undiscovered vulnerabilities that are being discovered by both software vendors and malicious sources alike.
The key difference is that one group wishes to share these findings and improve; its findings are published regularly for users to update and apply.
Then consider the other group, who can easily share exploits in anonymised chat rooms and want to use a short window of opportunity to exploit something (potentially for disruption but generally for some financial gain) whilst the less-than-agile software vendor team attempts to replicate the fault, identify a resolution that doesn’t itself create new exploits, and then publish it to the world.
That gap is the window of opportunity for criminal activity.
It hasn’t helped that for decades the installation of patches was viewed hesitantly by users, especially on corporate networks. This was because they knew that patches were often poorly tested, and too often they broke more things than they fixed.
As a result, ‘patch management’ as a security concept took some time to become a trusted component of any security strategy, and even today many organisations simply still do not do this properly – that is, from an end-to-end perspective. This is how rolling out services such as free-to-use video conferencing has handed security responsibility from the IT support team to the cloud vendor, with predictably bad consequences for unaware users.
Being ‘late to the party’, as many are, and the latency between the good guys and the bad guys are the essence of the problem. We have business methodologies and organisational structures created in the 20th century, with IT departments around the world approving releases or patches in products, set against the immediacy of executable files shared easily by instant messaging in the hacking community. As professionals working to formal rules and methods, we simply cannot compete effectively in this environment.
Software vendors today – even those born in the cloud – can be slow to release security patches. Even though things have improved in recent years, some 20% of all the vulnerabilities in the world’s top business applications still do not have a patch on the same day the vulnerability is disclosed.
When hackers take advantage of these vulnerabilities (which are known as zero-day exploits), you are essentially wide open to being compromised until those doors are closed by the software vendors. Before this crisis hit, the average time from detection to fix was as much as 9 months. We expect this only to lengthen whilst IT support teams are being furloughed and IT projects are being deferred, as businesses across the UK struggle to cope with this crisis and, primarily, to stay in business.
For instance, Zoom only recognised some weeks later, in April, the problems that its security gaps had created. It then applied a number of fixes and rolled out new releases to users – but these weren’t made mandatory, and Zoom rather hoped we had all forgotten about it.
What this means is that if you haven’t updated the application on your desktop ahead of your next Zoom meeting – especially if the invite was made public – your call might well be compromised.
What this all means is that it is counter-intuitive to cut back on critical IT investments in security at precisely the time the world is seeing a significant uptick in crime and disruption.
Your business simply cannot survive on a ‘fingers crossed’ security strategy, or wait for all these problems to be fixed by all the world’s vendors and hope the patches get rolled out automatically, because they may not.
You must take responsibility for your own systems and deploy your own automated patch management service to your users: one that checks for the latest available updates and mitigates these types of problems by proactively applying fixes in real time, helping your systems and helping you stay in business.
About Security Foundry:
Based in North Wales with over 20 years of experience in Business IT & Cyber Security solutions, Security Foundry have the track record to secure your business. From initial consultation through to a full managed service, Security Foundry work with the best throughout the UK to deliver business-based outcomes to become your trusted cyber security partner.