Diligence may not be the most exciting items on our to-do lists, but it is a time-honored practice and should be a staple. This thought rises to the top as we read news reports about the security vulnerability in the Bourne Again Shell (Bash), which is now being referred to by many as Shellshock.
Some experts counsel that the impact of this vulnerability will only be moderate and that patches will be applied appropriately. At the same time, the potential severity of this vulnerability is high—it could allow hackers to take control of affected systems, thus allowing unauthorized disclosure of information, unauthorized modification and disruption. In addition, its severity is ranked as 10, while its complexity is considered low, which might not make it a “perfect” storm but at least a “close-to-perfect” storm.
I think we all agree that our future will contain many more vulnerabilities, bugs and other incidents with varying repercussions. Human error, changing times and needs, updates to technology and the ever-present desire in some people to cause havoc will ensure that we are all kept on our toes. A combination of planning, reviewing, monitoring and ongoing diligence is needed so we can be both proactive and prepared for rapid response when needed.
Diligence includes frequently reinforcing that processes and techniques must be in place to ensure that systems are appropriately patched and upgraded. This needs to be extended to the supply chain, including vendors and partners. We need to monitor complex interconnected environments to ensure that devices in manufacturing lines and elsewhere are maintained. Penetration testing is critical and should be regularly undertaken to ensure entry points to the organization are secure and monitored. Security awareness programs should be reviewed to ensure they are thorough, updated and—even more important—exist.
The fact remains that we will never be able to entirely prevent cyber incidents. The only secure machine is the one in the box not yet connected to a network. And even then it is subject to physical theft. If steps aren’t taken, though, the impact is potentially catastrophic—harm to people, compromised systems, lost data/intellectual property/revenue and perhaps even an end to the business. This is one reason ISACA offers the Cybersecurity Nexus (CSX), which provides cybersecurity guidance, career development, education and community for professionals at every stage of their careers.
There was a time, not that many years ago, that security was not a primary issue. Many programs and systems were vulnerable to hacking, and it was still assumed that they were still safe. We now know better.
Robert E Stroud, CGEIT, CRISC
International President of ISACA