Hindsight in/is 2020: Information Security Edition
By Bill Bernard
Wow, is it over yet? Did we make it? Were you able to keep your hands and feet inside the ride at all times?
At the risk of being reductive, or at simply being lost in the wash of 2020 retrospectives, I’d like to talk about what 2020 meant to me from an information security perspective.
I won’t belabor these too much, we can all go do our own searches over the past 12 months, but I do want to hit some of the highlights as this year felt like a long decade for many of us:
- In January we learned that Microsoft’s crypto API was accepting invalid certificates, starting the year off right.
- Throughout the year a number of major infosec players announced a number of the usual sort of important vulnerabilities – but each was unique in scope and mitigation as always.
- In March, millions of us learned that our homes would be our workplaces, schools, and recreation facilities for an indefinite period. We all got really familiar with web-conferencing software and Zoom’s stock price soared as we considered replacing the yellowing lumps of plastic that had been our home network devices with more modern and secure devices.
- “Zoombombing” became a thing, and we all got to learn the nuances of what Zoom described as “end-to-end” encryption vs. what many of us thought that term meant.
- The concept of the “security perimeter” hurtled itself towards retirement even faster than it had been as we entered April.
- That revelation was followed shortly by the awareness of what type of load existing vpn architecture could take.
- Twitter had a very bad day where many of their verified accounts were taken over.
- As usual, “quick-buck” focused hackers showed that they’re happy to extort hospitals, even during a pandemic, with ransomware.
- ZeroLogin came out, and we all thought we had our 2020 security issue winner right there.
- Election security seemed to be pretty resilient, looked like the rest of the year was going to be ok.
- Then came FireEye and SolarWinds and huge swaths of the US government to point out just how wrong we were.
This is a blog, so please don’t expect me to cure world hunger here, or even get you your 2021-2022 security budget or plan here, but let’s see what we can do to come to a few nuggets of truth here.
The perimeter is dead, long live triple-A!
Authentication, authorization, and accountability of course – not the people you call for roadside assistance or hotel discounts. If you didn’t get the hint when the cloud became a world-wide rainmaker, Q2 of 2020 put the nail in the coffin of the perimeter. Defenses need to be multi-layered, and must lead with strong AAA capabilities. Oh, and for the sake of your company’s brand make sure you’re making good use of all that data your security technologies are generating.
Advanced attacks are shifting to the supply chain.
This shouldn’t be a surprise to anybody who remembers the Home Depot PCI issues from a few years ago, but 2020 took this one up a notch. And with details coming out that SolarWinds was targeted by two different groups as an attack vector to the US government and thousands of businesses, we need to focus more on how we hold our vendors accountable. My hope is we can avoid a knee-jerk reaction here and put some thought into how we do this. We also need to realize that our vendors need money to improve their security programs, and that money has to come from somewhere – which is a polite way of saying that prices will go up as companies have to make security happen.
Every 3rd party app needs its own isolation.
If a solution, let’s take SolarWinds as an example (but let’s not pretend they’re alone here), is limited by your technical security controls to only be able to do what it is expected and needed to do without full access to perform tasks outside of its responsibility, the ability for it to be used as an infection vector is significantly reduced. Networking gear, host-based tools, etc. can isolate everything in your environment to their own security domains for the most part. Doing a better job of utilizing those controls will definitely lower your risk of being impacted by a breach of one of those 3rd party applications. Obviously this is both expensive and time consuming, and has to be done in conjunction with the business and the risks associated with that tool. So containerize. Firewall or segment things off. Practice least privilege access for your systems, not just your people.
The next security widget won’t save you, and even trusted technologies have unknown security flaws.
For me, one of this year’s themes was that security isn’t just about flashy technologies. Sorry, I should have warned you to sit down before asking you to read something that profound, but it seems to be overlooked far too often. Twitter’s bad day seems to have been about people. Many (not all – there were a number of notable exceptions) of the complaints about Zoom’s security boiled down to people not using the existing security features. Per reports, FireEye identified the intrusion into their environment because they noticed an extra MFA token being requested – which is an anomaly based on their MFA token policies and processes. The people and process side of InfoSec was certainly in the spotlight this year. In fact, I would argue that this year makes the case that we need to de-emphasize best of breed technologies unless and until we upgrade our monitoring, training, and governance capabilities which will require a shift in priority, budget, and likely paradigm.
So I realize none of that was particularly profound, at least not to those of us in InfoSec. I certainly didn’t solve all of your security problems. But I think that these few concepts can help guide you and your organization as you continue to mature your security program. We know this is a journey, something to continually improve. But maybe 2020 can help us decide to pick up the pace a bit and refocus our efforts.
Here’s to a 2021 of meaningful security improvements and minimal security incidents.