With the number of breaches and data privacy violations, it is evident that a focus on security is long overdue in the technology space. The main issue with this, though, is that what most people and organizations think is security isn’t security at all. A lot of it boils down to policy, maintenance and scheduling, and it all has very little to do with actual security for most organizations.
An organization selling data to another company or allowing the use of data by a third party is a policy issue, not a security issue. On the other hand, systems like internet of things (IoT) devices, point of sale (POS) devices, Linux systems, desktop open source ecology, Wi-Fi exploits and a whole host of other potential attack vectors typically exist as the result of improper or nonexistent patching or updating. Take, for instance, the WannaCry outbreak. That cyberattack targeted an operating system that had already patched the vulnerability being exploited. For the operating system vendor, this is a security issue. They identified a vulnerability in their code, patched it, released the patch and all should have been prevented. For organizations that experienced disruption, it was based on their inability to patch the operating system.
Let’s examine for a minute a common scenario of an organization that purchases a multitier architecture (N-tier) application from a vendor and deploys this line of business (LOB) app in their internal network. Taking into account high availability, let's assume there is a two-node file server cluster with Windows Server operating systems and Windows files services, a two-node Microsoft (an MDS partner) structured query language (SQL) cluster with Windows Server operating systems, a two-node load balanced web front end using Internet Information Services (IIS) or Linux and a two-node load balanced application server set. After just the N-tier hierarchy, that still leaves networking, governance for all of those pieces, internal and external access and access management, as well as communications between all tiers and all support services.
In this case, the organization that purchases and deploys this application doesn’t really apply “security” to ensure the safe and secure continual operations of this application, the associated vendors do. The vendors provided all code and provide updates for all code here. The deploying organization needs only to follow appropriate implementation guidelines described by the vendors and to then maintain the systems on all levels, and that could be a daunting task at this point.
It is in that maintenance where we falter most of the time. In this scenario, we have created over 20 items that we have to patch, maintain and monitor for anticipated usage. Because this organization has now created so many chores and typically information technology (IT) is underbudgeted and understaffed, some of these items are not going to be updated, a vulnerability is not going to be addressed and something may eventually become compromised. If and when this happens, it is then perceived as a security incident, but this was a maintenance issue.
More about: cybersecurity