As I was waking up this morning, I was thinking to myself what life was like just one month ago, and how much I wished it would come back. Times for the most part were good, and I was pumping out content out the wazoo (still am, too). Everybody for the most part was happy, my apartment building gym was open 24 hours a day, and I could work out at my normal time every day.
My main thoughts at the time were getting my taxes done and keeping up with the expansion plans for the business. The first has been done (luckily), and the second one is still continuing. I never thought in my wildest dreams that life would ever be like this, where businesses are shut down, and rationing has to take place at the grocery store.
I keep asking people when they think life will ever be normal again – truth be told, it is going to take a long time. We have to, as hard as it is, try to accept the new normal as it is now, and just take things one day at a time. Perhaps the one upside to all of this, for lack of a better term, is that the Cybersecurity Industry should be booming in the coming months.
This won’t happen right now – as many budgets and spending are frozen, but once things open up, it will be a massive harvesting season for us in the coming months. Anyways, enough of my thoughts. So, speaking of what life was like before, what was the Cybersecurity Threat Landscape like just before all of this stuff happened?
Well, numerous studies have examined what the Threat Landscape looked like for Corporate America over a 10-year period, from 2009-2019. Here are some of the key findings:
* There have been at least 8 large scale Cyberattacks that have occurred, all over the world;
* The average size of a data breach was 25,575 records with a cost of $150 per record on average, according to the Ponemon Institute;
* In a 2018 study conducted by Hiscox, which polled over 4,000 businesses and corporations from the United States, the United Kingdom, Germany, Spain and the Netherlands, 73 percent still remain unprepared for a Cyberattack;
* From 2009-2019, over 7.7 Billion records were stolen (WOW!!!).
The illustration below examines the types of industries that have been most impacted by Cybersecurity breaches in this time period:
As one can see from the chart, it is the Web Services area that has been hit the most. You may be asking at this point why it is this industry and not something more valuable, like the Financial Industry. Well, truth be told, many people don’t even visit anything that resembles a brick and mortar presence anymore – whether it be the local shops or even your bank. Everything is now done online, and with this, everybody is submitting their Personally Identifiable Information (PII).
So, anything that has a Web based interface is now a treasure trove for the Cyberattacker to get their hands on. But no matter how much these Web based applications are fortified from the front end (which is the website that you actually see and engage with), it is the backend (the processes that drive the front end) which often lacks security robustness.
There are many reasons for this: weaknesses are now being found in Two Factor Authentication (2FA); there is no dedicated team to ensure that the backend is maintained; there are no security audits being done of it (which includes the likes of both Penetration Testing and Threat Hunting); and the software patches and upgrades that are required for the Web Server that hosts these applications are simply not being deployed on time.
But there is yet another key issue here – the source code that is used to develop these Web based applications is lacking in security itself. For example, in today’s world, software developers are under enormous pressure to deliver a product that is on time and under budget, thus saving the client money.
The hope here is that with this, that same client will come back for more business. In this haste to get things done quickly, many backdoors are still left behind in the source code, thus making them an easy entry point for deploying all kinds of nefarious Malware. Also, software development teams never even really check the security of the source code that they are creating. If they do at all, it is very often at the end, right before the Web based application goes live into production, and by then it is too late.
Also, in the rush to get things done on time, the software development team very often makes use of what are known as “Application Programming Interfaces”, or “APIs” for short. Essentially, they are a set of routines, protocols, and tools for building software applications. Basically, an API specifies how software modules and components should interact with one another. Also, APIs are utilized when developing Graphical User Interface (GUI) components.
But rather than developing their own set of APIs (which can take a lot of time to do), software developers are now using Open Source Libraries which consist of premade API modules. As a result, these can be downloaded and quickly modified in order to keep up with the tight time schedule. But very often, these are untested, and even have security holes in them as well.
So now, once the client gets their product that has not been tested, and say, six months down the road, this same application gets hacked into, guess who gets the blame? Yep, you got it, the business that made this particular Web based app for them. The end results are lawsuits, large expenses, and a horribly tarnished brand image.
The moral of the story here? Well, had the software development team tested their source code for any kind or type of security weaknesses, gaps, or vulnerabilities, this hypothetical security breach probably would never have even occurred. There is also another lesson to be learned here: Never wait until the very end to test the source code. Always do this as each source code module is completed, so it does not become overwhelming at the end.
True, this may add more time to the final product delivery, but then you need to convey to the client the benefits and the risks that are associated with a quantity versus quality based job.
The illustration below shows the kinds of Cyberattacks that have occurred during this ten-year period, from 2009-2019:
As one can see, a majority of the Cyberattacks (a total of 160 of them) came from direct hacks themselves.
My Thoughts On This
Well, here you have it, what life was like before the Coronavirus ever hit, on the Cybersecurity front. So, going forward, how can you protect all of your Web based assets and applications? Well, first and foremost, always conduct a security assessment of what is going on. As mentioned, this must include both Penetration Testing and Threat Hunting. These should be done at least 2X a year, and if feasible, it should be done every quarter.
Second, always make use of a good Cloud based provider such as Amazon Web Services (AWS) or Azure to host your applications. They always have the latest security stuff on hand to protect your apps. But keep in mind that they just manage it for you. YOU are ultimately responsible for making sure that whatever you host there is as safe and secure as possible.
Always make sure that you have a good team on hand you can count on. True, this can be an expensive proposition for an SMB, but keep in mind you can make use of other forms of virtualized services, such as a vCISO. They cost only a fraction of what it would take to hire an on staff, full time professional, and they typically work for only fixed engagements, but they can work longer periods of time if needed.
Finally, remember that even if you are hacked into, only one part of the damage has been done. The other part is if you are found non-compliant with data privacy laws such as the GDPR and the CCPA. The fines in these circumstances are harsh and could even shut down your business entirely.
In the end, remember we all are at risk, from individuals to corporations. The only thing you can do is to be proactive STARTING NOW to mitigate that risk as much as possible. At least you can show that you went above and beyond in doing your due diligence, which will prove very fruitful if you ever have to file a Cybersecurity Insurance claim.