New Year’s Security Resolutions

by Jake Bennett

Seven steps that will make this year the most secure year yet.


It’s the New Year, which means it’s time for the annual human ritual of making personal promises to give up bad habits and commit to living life better going forward. While most people are focused on renewing their gym memberships or cutting out carbs, my New Year’s resolution is to help make the Internet a safer place. As an industry, our collective security bad habits caught up with us last year, and it’s time for a change. Last year was a very bad year in terms of security. Here is but a small sampling of the headline-grabbing breaches that happened in 2015:

  • Toy manufacturer VTech suffered a breach that exposed 4.8 customer records, including personal information about kids, as a result of weak password security.
  • Security researchers published a method for hacking a Jeep Cherokee, giving attackers the ability to violently stop the car. Virginia State Police revealed that their police cars could be compromised. Chrysler recalled 1.4 million cars to patch their in-car software to fix a security flaw.
  • CIA director John Brennan’s email was hacked by a teenager through a social engineering attack.
  • Credit agency Experian lost 15 million T-Mobile customer records to hackers, including names, addresses, social security numbers, birth dates and passport numbers.
  • Ransomware became a big deal in 2015. Cyber extortionists started using it more prevalently and more broadly, expanding beyond the desktop to encrypt websites and mobile devices for ransom.
  • Infidelity match-maker Ashley Madison lost customer records on 30+ million registered cheaters. Poor software development practices, and bad password management were likely contributors.
  • Italian hacking consultancy Hacking Team was itself hacked, unleashing untold zero-day exploits into the wild and exposing its list of largely government clients.
  • The U.S. Office of Personnel Management suffered a breach affecting 22 million government workers, including the theft of entire background checks, fingerprint data, and other highly sensitive personal information. Great fodder for blackmail.
  • LastPass, a password management provider, was hacked, resulting in the theft of its customers’ passwords. Fortunately, the stolen passwords were encrypted, so it’s unclear if they were ever actually used. Adding to an already bad year for LastPass, security researchers then published multiple methods for compromising LastPass’s security.
  • The biggest hack of 2015, however, was the security breach of healthcare provider Anthem/Bluecross/BlueShield, which resulted in the theft of a whopping 80 million customer records, and an additional 19 million records of rejected customers. That’s about a third of the entire U.S. population.

2015 was abysmal for security—there is no denying it—but there is a silver lining. I’m hopeful that we’ll look back at 2015 as a watershed moment, the year the industry hit rock bottom, motivating us to get off the couch and start working our infosec muscles again. To that end, I’ve drafted a set of New Year’s security resolutions to get the ball rolling.

1. No Patch Left Behind

The bad guys are constantly scanning our networks for older software with known vulnerabilities. Even if a vulnerability shouldn’t be exploitable under normal circumstances or it only leaks a little information, it is still one piece of the puzzle that hackers are assembling to gain access. I want to take all of these pieces off the board. That means maximizing the capabilities of vulnerability scanning tools (e.g. using agent-based or credentialed scans on every host), scanning every node on the network and getting every host to a “green” status. Think of this as the “broken windows” approach to patch management.

The challenge to patch management in the real world isn’t the time it takes to patch hosts (although that’s still a huge hurdle), it’s creating a process whereby we feel safe installing patches with minimal effort and little risk of breaking production systems. Effective patch management is a math problem:

Cost/time of patch management =
(# of hosts * time to patch) +
(# of hosts * time to fix post-patch problems) +
(lost productivity from post-patch problems)

If you feel a twinge of hesitation to install the latest patch on a mission-critical system, that would be you mentally calculating the last two terms of the equation. You need to reduce this hesitation if you’re going to get to “green.” This can be managed by classifying systems into three buckets: 1) systems that result in a call from the CEO if they break, 2) systems that result in a call from a VP if they break, 3) all others. The number of hosts in bucket #1 is going to be small. Focus your time and energy on these patches by running them on test systems first and testing them thoroughly before patching. Or, alternatively, have a good rollback plan if things go wrong. For the systems in bucket #2, do a quick assessment of the latest patches, and run them if there are no obvious breakers. As for the hosts in bucket #3, put those on autopilot, running patches automatically and asking for forgiveness later if they break.
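
The cost formula and the three buckets above, worked through as an added example (not part of the original article). The host counts, break rate and hour figures are constructed assumptions, and "hesitation" is modelled here as the share of total cost that comes from the last two terms of the formula.

```python
from dataclasses import dataclass

# Handling per bucket, paraphrasing the article's three buckets.
POLICY = {
    1: "test on a staging system first, or keep a rollback plan",
    2: "quick assessment, patch if no obvious breakers",
    3: "patch automatically, fix breakage afterwards",
}

@dataclass
class Bucket:
    tier: int              # 1 = CEO calls, 2 = VP calls, 3 = all others
    hosts: int
    patch_hours: float     # time to patch one host
    break_rate: float      # assumed fraction of hosts that break after patching
    fix_hours: float       # time to fix one broken host
    outage_hours: float    # lost productivity per broken host (person-hours)

def cost_terms(b: Bucket) -> dict:
    """The three terms of the cost formula, in hours, for one bucket."""
    broken = b.hosts * b.break_rate          # expected number of broken hosts
    return {
        "patching": round(b.hosts * b.patch_hours, 2),
        "fixing": round(broken * b.fix_hours, 2),
        "lost_productivity": round(broken * b.outage_hours, 2),
    }

def hesitation(b: Bucket) -> float:
    """Share of total cost that comes from the last two (risk) terms."""
    t = cost_terms(b)
    risk = t["fixing"] + t["lost_productivity"]
    return round(risk / (t["patching"] + risk), 3)

def plan(buckets):
    """Per-bucket rows (tier, hosts, hesitation, policy), riskiest first."""
    rows = [(b.tier, b.hosts, hesitation(b), POLICY[b.tier]) for b in buckets]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed inventory: every figure below is an illustrative assumption.
INVENTORY = [
    Bucket(1, 10, 0.5, 0.05, 4.0, 200.0),
    Bucket(2, 60, 0.5, 0.05, 2.0, 20.0),
    Bucket(3, 900, 0.1, 0.05, 1.0, 1.0),
]

if __name__ == "__main__":
    for tier, hosts, h, policy in plan(INVENTORY):
        print(f"bucket {tier}: {hosts:4d} hosts, risk share {h:.0%} -> {policy}")
```

With these figures bucket #3 carries the largest total hours but the smallest risk share, which is why it can run on autopilot, while almost all of bucket #1's cost sits in the two post-patch terms.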