As Brian Krebs reported, “It remains unclear whether Republicans and Democrats can patch things up after a bruising and divisive election, but thanks to a special Election Day Patch Tuesday hundreds of millions of Adobe and Microsoft users have some more immediate patching to do.”
His article goes on to state how the regularly scheduled round of patches from Microsoft fell on Election Day this year, and this leaves us wondering if system administrators will remember that patching their systems is important, and that they cannot be diverted from their responsibilities because they were up too late (as were many of us) watching the results of the election.
I heard a saying that goes something like this: “We have to be right every time, but our adversaries only have to be right once.” And no matter how you take this statement, to me, this means that we need to be vigilant in our efforts to keep systems secure, because leaving the door open even once to hackers and malware can lead to devastating effects.
So, are you feverishly working to patch your systems today with the latest patches available from vendors such as Microsoft and Adobe? Or are you spending your time unfriending people on social media sites since they voted for someone that you don’t approve of? What do you think the hackers are doing today? You can be sure that they are trying to find new ways to break into the unpatched systems that are out there, and unfortunately, there remain many systems in use in today’s IT world that haven’t been patched in months and maybe even years!
My guidance for President-elect Donald Trump is to spend some time assessing our nation’s “state of cybersecurity” and then take some real calculated measures to provide funding, support, and stronger regulations for businesses that handle any type of personal, health or financial data. Obviously, this is a big ask, but I know it can be done. We currently have several regulations such as HIPAA, PCI, FERPA, and others, that try their best to protect data handled by businesses, but as we all know by now, PCI is about the only one that really has “teeth.” It’s going to take the fear of not being allowed to conduct business anymore and/or the fear of some people losing their jobs (go ahead – say it… ‘you’re fired!’) for some companies (including the government) to really start to take cybersecurity measures more seriously.
President-elect Trump promises to “make our country great again.” One way to do this is to secure our data from foreign hackers, and to impose severe penalties via sanctions for countries that are found to help and support hackers. Another way to rebuild our country is to put our veterans to work and to ensure that we allow research and development to thrive in our country in the areas of cybersecurity. We need to get more young people interested in cybersecurity and not just so they can think that they can one day become “hackers.” We need to teach our youth that protecting critical assets from cyberthreats is of the utmost importance to national security, and who better than the commander-in-chief to deliver that message?
It’s also time that we get some real standards in place for the technology needed to properly protect our infrastructure from the threats of tomorrow. Gone are the days when you could run a computer or server without anti-virus software, so why not make it a law that all PCs and related devices (including mobile phones, tablets, etc.) must either come preinstalled with next-generation anti-virus, or that the consumer or corporate entity running that device must install anti-virus software and keep it up to date? And why not do something for operating systems and third-party application patches?
We see Microsoft moving to a model where once per month they will release a set of patches that automatically install, and I think that is great. How about firewalls? Why aren’t firewalls a mandatory requirement in order to be allowed to connect to the internet? For businesses that don’t have a dedicated security operations team of a certain size (depending on the company size), it should be mandatory that they outsource the monitoring and management of that firewall to a vendor who does this all day, every day. And finally – what about those logs? What I mean are the logs from computers, servers, network devices, firewalls, etc. Why aren’t there requirements that these be sent to a secure storage location for archival purposes, and consumed by a SIEM system with automated threat intelligence feeding the alerts and responses to any cyberthreats found?
Sure, what I am proposing may sound very futuristic and maybe even a bit unrealistic, but what are our options? And if this year’s Presidential election has taught us anything, it’s that anything is possible!
President-elect Donald Trump also demonstrated an unwavering determination and drive to achieve what appeared to be an un-winnable goal with all odds stacked against him. In the cybersecurity race, so too must Mr. Trump demonstrate strong leadership to help drive new and strong regulations and oversight that make cybersecurity measures a requirement, not an afterthought. The need to protect our digital assets and our critical infrastructure has never been more acute, to ensure a cyber-secure transition and that our systems and data are safe for years to come.