New Tech -
New technologies are cool, they are sexy, and sadly they are often put in places they do not belong. IoT or connected items are often put in corporate networks without regard to their security implications. The same can be said for automation items (control systems for hospitality, etc.). These technologies are often not secure (a massive understatement), yet they are put in admin or publicly accessible networks with no thought about the possible ramifications. While working for a hospitality company I was once informed by a vendor that their lighting control system HAD to be on the admin network as it could not support routing. This product was purchased without being allowed any security review or vetting. The fact that the vendor’s statement turned out to be false showed that even the people who built the product did not understand how it fit into a production network.
This is a theme I have observed over and over again. A technology is presented without anyone fully understanding (or perhaps caring about) the security implications, and it is accepted. In some cases it is accepted because it’s from an “industry standard” company, and in others it is a push from the business side of an organization. The net effect is still the introduction of something that weakens the overall security posture. When you add that to an environment that does not have, or does not want to pay for, competent security and network professionals, you have a big problem.
Let’s think about what we have seen with some of the emerging technologies lately. The Auto Hacking Village at Def Con is full of examples of vendors not understanding security, or even basic QA and testing processes, in development. It is full bore: make something, get it on the street, and fix the bugs later. It is as if the gaming industry’s market strategy has invaded all of the other verticals. Even having security tools in place is often not enough. Frequently this is due to improperly configured security tools, a lack of patching of those same tools, or an undertrained staff trying to use them.
Stale Tech -
Stale technologies are almost as bad as new tech (possibly worse). With new tech you still have the possibility of patches to fix or mitigate security concerns, but stale tech rarely has that option. To throw out another anecdotal example (I know you guys love these): I encountered a client who had multiple switches in their environment that were End of Life, End of Sale AND End of Support. When I asked them about these items, the response was that the Network Engineer was very familiar with them and comfortable. The switches had a lifetime replacement for failed hardware, so they had not seen the need to change them. Now this is something of an extreme example, but it is not uncommon to see outdated hardware and software in place simply because the team supporting them cannot adjust to new standards. This is true on both the vendor and client side, and it helps to degrade the security posture of any organization.
Outside of the skill set or ability to change is the ever-popular fiduciary excuse. Companies will not spend the money to replace old hardware or software as needed, and vendors will not spend the money needed to overhaul a product to meet the current threat landscape. Even basic patches for operating systems are often put off longer than acceptable to prevent financial losses due to downtime. This is one area where breach insurance has hurt many corporate security practices: if there is no major financial impact from not patching, then it gets pushed off. These little flaws in software and hardware are well known to attackers and are going to be exploited, even with security tools in place. In some cases this is due to improperly configured security tools, a lack of patching of those same tools, or an undertrained staff trying to use them. (Are you seeing the pattern here?)
Diminishing Skill Sets -
A few years ago, I asked multiple people at BlackHat and Def Con if they felt that there was a diminishing skill set in the security industry. The answer was interesting. For the most part I heard that it was not as simple as people not knowing what to do, but that they are becoming more and more reliant on their tools to feed them the correct information. The “skills” of manual threat hunting or manual security sweeps are not being taught as often, and the people that have the skill are gradually exiting the workplace. If we think about how often security tools are not properly configured, updated, etc., this means that many organizations are relying on bad, or at best incomplete, data to maintain their security environment. With techs and analysts not able to pull back and validate the data, or to ensure their tools are actually running correctly, we have a situation where they could be blind to things going on in their own backyard.
Now let’s add in another factor here. Far too many companies are not willing to invest the time to train their people in more advanced skills. They are perfectly happy with only teaching them what they need to do to pull the data from the existing tools. They put the onus of education and training back on the individual employee while providing neither the time nor any extra compensation. This can go a couple of directions on the employee side. On the one hand, the person stays and continues to work as taught and collect the 8-5 paycheck; on the other, they spend their own time and money to get better trained and look for a better (and possibly higher-paying) job. Neither of those really helps the company in the end. This is something of an oversimplification, but in looking at the reasons people have left former IT jobs, lack of access to training (while being required to stay current on new hardware/software) was nearly always mentioned, in most cases right after salary and work/life balance.
So where am I going with all of this? It’s simple: if you read some of the articles out there you might feel that a breach is inevitable and the attackers have the upper hand. This is a fairly accurate assessment when you consider the number of breaches per year and that, traditionally, the attacker does have the upper hand. However, there are real things that can and should be done with regard to properly vetting new tech (and pushing vendors to do so as well), retiring old and insecure software that cannot be properly patched, and investing in employees so they have the right training and can use more than the automated tools.