At last count, more than 200,000 victims in 150 countries have been hit with the weaponized WannaCry ransomware worm. In the United Kingdom, , potentially threatening patients’ lives.
Haven’t we had enough? It’s time to stop pretending that lukewarm, poorly executed security measures are really doing something about the problem. Good computer security solutions exist that will absolutely diminish cybercrime. We just have to recognize and apply them.
We should already have been doing this for decades, but the criticality of the internet and the coming IoT era make the need for stronger solutions more urgent than ever. As Bruce Schneier says in my recently released book, “,, IoT represents a tectonic shift in security:
It’s one thing when a spreadsheet has a vulnerability and crashes or gets compromised. It’s something else when it’s your car. Weak computer security will kill people. It changes everything! I testified in Congress last month about this topic. I said now is the time for getting serious. Playtime is over. We need to regulate. Lives are at stake! We cannot accept the same level of crap software full of bugs. But the industry isn’t prepared to take it seriously, and it has to. How can the people working on better securing cars actually do that when we’ve never been able to stop hackers and vulnerabilities in the past? Something has to change. It will change.
Meanwhile, we’re still waiting for substantive action. For example, President Trump’s may seem like a step in the right direction, but it’s filled with much of the same language and broad focus that doomed previous initiatives. Until we have defined tactical requirements with specific accountability, not much will change. We already have enough frameworks and policies to shake a stick at.
So what can you do to significantly diminish the risk of computer crime? Start with these straightforward objectives:
1. Take security seriously
Sure, everyone claims to take computer security seriously, but that just isn’t true in most companies. In reality, operational considerations almost always win out and computer security is treated as a necessary, expensive evil that everyone knows will not work. It isn’t that computer security can’t work—it can. But If you want to succeed, you have to admit that what you are doing right now is not working, figure out why, and start focusing on the right things.
2. Use your data to drive defenses
Understand how your company is currently being broken into (social engineering, unpatched software, malware, etc.), which is usually predictive of how it will be broken into in the near future. Consider not just the number of incidents, but also damage impacts. Your company may have detected many attempts to implant malware, for example, but ends up suffering the largest monetary losses from social engineering.
Figure out your biggest causative agents of how badness gets into your environment and use that as your starting point. The amazing thing is that your data will often contradict not only your personally held beliefs, but also go against the most beloved computer security canons that everyone believes are true even when they really aren’t.
3. Use whitelisting
It’s time for every company to implement strict application control whitelisting, which will only allow predefined and integrity-verified applications to run. Application control is not easy to implement—it takes time, testing, and resources. But ultimately, you need to bite the bullet and do it.
I guarantee you application-control whitelisting will become commonplace in the near future. Every day you procrastinate about starting a whitelisting initiative, the less you can legitimately consider yourself serious about computer security. Luckily, many OS vendors, including Microsoft (using AppLocker and Device Guard), have long bundled application control applications with the OS. Plus, there are dozens of application control programs to choose from, including Lumension, McAfee, and Carbon Black.
Application control can’t stop all hacks, but it’s the single best thing you can do to significantly reduce the risk of successful attacks by malicious hackers.
4. Improve patching
In my entire career, I’ve never come across a fully patched computer. Some critical patch is always missing.
For three decades, unpatched software vulnerabilities have been either the No. 1 or No. 2 way hackers and malware break in, so I find it stunning that the world doesn’t do a better job at it. Even if you think you’re doing a pretty good job at patching, you probably aren’t. You want to do a perfect job—and be able to back that up with data.
5. Roll out more and better social engineering training
Social engineering, whether via phishing emails, sketchy webpages, or some other trick, is right up there with software vulnerabilities as an avenue for malicious hacking. Serious hacking jobs generally involve social engineering in some capacity. It’s a top risk. Treat it like one.
6. Get Rid of Passwords
Lastly, if you get rid of passwords and replace them with some sort of two-factor authentication, you’ll make social engineering and phishing attempts less successful—at least, those that involve stealing and reusing logon passwords. Remember that long, complex, and frequently changed passwords are probably not helping you as much as you think.