Back in the days before CDs and MP3s and streaming, people used to buy and listen to vinyl records (a trend that is coming back in some audiophilic circles). The practice of carefully removing an LP or 45 from its jacket and sleeve, handling it by the edge, placing it on the turntable, and lowering the stylus onto the selected track was a hallowed ritual for many. Occasionally a record would skip, thanks to some bit of dirt lodging in a groove. When that happened, a common fix would be to balance a nickel or quarter on the head of the tone arm. The added weight would often be enough to power the stylus through the obstruction rather than skip back.
In engineering we’d call that a “workaround.” Rather than take the time to clean the album and fix the problem, it was easier and quicker to grab a coin and get back to the music. Except you’d have to either keep a coin on the tone arm, or remember to do it every time you wanted to hear a record with a skip. That’s the problem with workarounds. They’re temporary and, while they might be convenient in the moment, they do not work as long-term solutions.
Data Breaches Are Like a Skipping Record
When I hear about data breaches associated with the Accellion file transfer appliance vulnerability, it’s like a skipping record. I first heard whispers about a few breaches in December of 2020, but things kept getting worse as adversarial actors worked aggressively to take advantage of a weakness before the window closed. We wrote about the breach in April after disclosures from major brands like Kroger Supermarkets and Shell Oil.
Often after a major and negative public cybersecurity event, things get better. People are motivated by the publicity and it’s all-hands-on-deck to fix the problem. But since then, a number of other organizations from around the world—more than 100 to date—have gone public with data breaches associated with the Accellion appliance. They include the New South Wales Ministry of Health in Australia, Reserve Bank of New Zealand, Singapore Telecommunications Ltd., University of California, and many more.
Trust is Earned, Not Purchased
Our response then and now is that Trust is Earned, Not Purchased. And for the trusted, that is an ongoing process. Obsessive customer service, honesty, taking responsibility when things go wrong, responding to questions and concerns, and working toward continuous improvement are all a part of the process for any vendor who wants customers to put their trust in them.
For the customer, however, there should be no assumption that any product it purchases to become a part of its technology estate should be trusted. This is known as “Zero Trust,” and if the term was unfamiliar to you before May 12, 2021, it was widely discussed when the White House issued its Executive Order on Improving the Nation’s Cybersecurity.
Zero Trust is mentioned throughout the executive order, and is defined in the document as:
“[A] security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.”
Implicit Trust is a Vulnerability
I highlighted the portion on eliminating implicit trust because that is the vulnerability most often exploited by cybercriminals. Whether it is an unpatched weakness in a product or the impulse to click on a malicious link in a phishing email, lax security awareness and a lack of vigilance will catch up to every organization that operates using the tools of the modern, digital economy.
Implicit trust is the quarter balanced on the tone arm of your cybersecurity program that ignores an issue you know you need to address because, at least for the moment, it isn’t affecting your operation. And until we all start to take cybersecurity seriously, news of data breaches will continue to run like a skipping record.