Breaking the Cycle: Embracing Change in Cybersecurity Practices
While checking my cybersecurity news feed a couple of days ago, an account (re-)publishing stories from years gone by was highlighting a late 2000 (actual year 2000, not the decade) event involving Microsoft and a hack that affected the company. This breach was notable because Microsoft had issued a patch for the relevant vulnerability 10 weeks earlier but had failed to apply it to their own servers.
This incident from decades ago mirrors a problem still prevalent today: the reluctance of IT teams to adapt and evolve, even as the stakes in cybersecurity have never been higher. IT teams and cybersecurity professionals often find themselves trapped in a cycle of outdated practices and deeply ingrained processes that are simply too slow for the current landscape, much like what happened 23 years ago when a Dutch hacker exploited a vulnerability in Microsoft’s network.
In November 2000, a website running on a Microsoft server was defaced. In fact, this was the third time it had happened in the span of only two weeks. This time was different because the Dutch hacker made sure to alert the press and publicize the event – remember that this was before the social network phenomenon – and boasted that he had abused the same flaw each time.
Microsoft representatives acknowledged the issue, but were at a loss to explain why the underlying vulnerability hadn’t been addressed yet. It was a known vulnerability for which Microsoft itself had released a patch, one that customers were (strongly) advised to deploy on their own IIS servers.
The Perils of Stagnation
Fast forward 23 years, and today everything is much better and no one is falling behind on patching the way that story describes, right? Oh, wait…
- Increased Threat Actors and Sophistication: In the past two decades, the number and sophistication of threat actors have increased exponentially. Unlike the early days of the internet, today’s attackers are often part of well-funded and highly skilled organizations, including state-sponsored groups. This evolution demands a corresponding advancement in our defensive strategies.
- Faster Information Dissemination: Information about vulnerabilities now spreads at an unprecedented pace, thanks to social media and various online platforms. This rapid dissemination means that threat actors can exploit vulnerabilities sooner after they’re discovered, reducing the window for patching.
- Higher Stakes for Security Breaches: The potential damage from successful breaches has skyrocketed. With more data online and businesses heavily dependent on digital infrastructure, the financial and reputational consequences of a breach are severe. This high-reward scenario for attackers makes it imperative for defenses to be more robust and proactive. It’s no longer simply about defacing websites – even if that still happens – it’s about data theft, ransoms, and much larger financial losses than before.
- Inadequate Regulatory and Compliance Measures: Current regulations and compliance standards, like the often-cited one-per-month time frame for patching new vulnerabilities, are outdated. They do not reflect the urgency required in today’s fast-paced threat environment, where delays can be catastrophic.
- Technological Advancements in Patching: The irony is that while threats have evolved, so have the solutions. Technologies like live patching offer more efficient and less disruptive ways to keep systems secure. However, the adoption of such technologies is slow, often hindered by resistance to change.
It’s very easy to acknowledge that all these points are common knowledge. What is harder to understand, then, is why companies continue to fail to adequately address them, as clearly shown by incident after incident where the root cause can be traced to something as avoidable as a patch not being applied in time.
Log4j was one of the worst vulnerabilities to hit the IT world in the past couple of years and received mainstream press attention, yet to this day there are still systems vulnerable to it, easily identified through public scanning services on the Internet.
The Root of Resistance
- Cultural Inertia: The cybersecurity industry, like many others, can be resistant to change due to ingrained cultural practices. This inertia leads to repeating the same processes, even when they are no longer effective.
- Aversion to Change: Change is often seen as risky or burdensome, especially when it involves learning new technologies or altering established procedures. This natural aversion is a significant barrier to adopting more effective cybersecurity measures.
- Operational Challenges: Implementing new technologies or processes can be seen as a daunting task, requiring time, resources, and training that many organizations feel they can’t spare.
The Urgent Need for Evolving Practices
The story from 23 years ago serves as a familiar reminder of the dangers of complacency in cybersecurity. As professionals in this field, we cannot afford to be content with the status quo. The landscape has changed dramatically, and our strategies must evolve accordingly. It’s time to break the cycle of outdated practices and embrace innovation, not just for compliance, but for the genuine security of our digital infrastructures.
The future of cybersecurity depends on our ability to learn from the past and adapt for the future. After all, across the fence, on the attackers’ side, rapid change is the norm rather than the exception. It’s time to stop being surprised by the next cybersecurity incident and work effectively to prevent it in the first place.