IT Insecurity: “Bodge As A Service”

The world of IT is full of surprises; it is exciting, and it is the catalyst that makes business goals tangible. However, is everyone aware that IT should be the cornerstone on which companies are built today?

Normally, computer security departments (or IT in general) are ignored, and their resource needs are usually overlooked and even belittled. There is a reason for this: keeping IT up to date is not cheap, and usually those who must explain the technological needs have neither the capacity nor the opportunity to pass those needs on to the right audience. An investment requires a return or, at least, an estimate of the opportunity loss (i.e. the company does not function properly) if it is not made. That said, it is much more expensive to do nothing with the department and run the risk of the business grinding to a halt… that is the moment everyone remembers the IT department.

The need for computer security is increasingly evident in our society, although I should say that it is the failure to meet that need that makes it appear on the front page:

  • Recently (12-15 May 2017) the “malware” WannaCry shocked companies all over the world with its threat of computer kidnapping: ransomware spreading at a worldwide level.
  • During the bank holiday weekend in England on 27-29 May 2017, British Airways (BA) had the dubious honour of being featured on all television news and in all newspapers, as it was unable to fly its planes because of an IT electrical problem.

Honestly, neither should have been important news if companies really planned and did everything with professionalism and rigour. In the case of “WannaCry”, rumour has it that it originated when attackers used a tool previously stolen from the NSA (National Security Agency of the United States) which exploited a vulnerability for which Microsoft had already released a patch in March.

In the second case, with BA, while the actual cause of the “incident” is not yet known, nor for how long users will still be affected (insurance claims, etc.), the first official words of the company put the blame on an “electrical” problem, which does sound very convincing. Without knowing the resolution of the problem yet, it seems incredible that something like this could knock down the services of an entire institution like BA.

Sincerely, both “mishaps” fall under the same umbrella, and it is none other than a final disinterest in doing the work well, whether voluntary or involuntary: it may be due to lack of knowledge, lack of control, lack of realism when it comes to managing risks, lack of investment or lack of planning which, for me, is the worst sin you can commit. As I explained in the post “The day after the down: Malware & Ransomware, what to do next?”, hackers, intruders and pirates in general take advantage of those systems where the technology, and everything around it, leaves a lot to be desired.

There is a saying that I have maintained throughout the years and which helps me avoid many headaches:

Control the situation or the situation will control you

As simple as it may look, not everyone seems to understand it. Everything that works will stop working sooner or later: there is no perpetual motion, no infinite energy, and no technology yet discovered that does not require revision or maintenance. In the case of BA it is odd that, when the electrical system stopped working (if that is the reason), another one did not come into operation in its place. In addition, should an additional system have been damaged by a power outage, it would be even stranger if yet another system had not taken over automatically and immediately. All this creates an environment of inefficiency and insecurity, no matter how they want to sell it.

These are just two examples from business life. The problem is not falling. The problem is getting up and not learning from past mistakes. In 1993 the IRA detonated a bomb in the financial district of London, destroying a large number of offices (the 1993 Bishopsgate bombing). 74% of the companies had a contingency and security plan, so they could start working again soon after. The remaining 26% were hardly able to work and half of these companies, those without a previous plan, closed in less than a year as they could not continue with their business as usual. Today it is unthinkable that there is a single company that does not have such a contingency and “disaster recovery” plan… except BA.

The reality is that the “day-to-day” needs are barely covered, in the hope that everything will keep working with the minimum investment and no great effort. Normally, when the IT systems go down, their departments have to work extra hours (if not extra days). If the necessary resources were really put in place, fewer incidents would happen… and yes, I say fewer incidents, as things always, always will happen. It is all about being prepared for when an incident occurs and managing risks. When preparing the budget for the department, people always have the same conversation: “Why is so much investment needed?”, “We are not Microsoft” or the so common “Could we not continue using what we already have?”

Unfortunately, in most cases, and as long as things continue to work, the budget will just be the minimum necessary, applying patches and trying to stretch the servers, switches, etc. for another couple of years… bodge jobs that, in the end, are expensive. This is an endemic disease established at a worldwide level, which does not make it a correct practice. As we recently suffered, a situation caused by a local problem will become global because of the interconnections between companies and the dependencies that exist between institutions. Much still needs to be done, as we are only at the beginning of a new era, and thought should be given to how newly emerging technologies such as the “Internet of Things” are implemented.

Fortunately, not all companies fail in the same way. There are companies that really want to remedy critical situations they have been through before, or want to improve their overall situation, either under pressure from competitors or because of legal regulations that force them to take action, etc. These measures range from the use of new technologies to the hiring of personnel to cover the part of the technological spectrum that has been overlooked, which may differ in each company.

Following the misconception that “less is more”, the danger comes from pretending to cover needs of several kinds with a single resource, which will clearly be insufficient. It is better to meet specific needs one at a time, establishing what is possible and what is not. Trying to reach goals that are too high too early is not always synonymous with success. Currently, thanks to market opportunities, we have multiple (new) security firms, infrastructure and cybersecurity experts, auditors, IT architects and professionals from all over the world. Those who try to sell us the idea that a single person can do everything will do nothing more than confuse the situation.

With this way of acting, far from controlling the problem in its entirety by taking action at a strategic level and then focusing on a more precise level, companies will leave many loose ends. Experts are experts in something specific. Trying to correct everything by applying the same recipe in every situation will mean that certain areas are not treated as they should be. Furthermore, a solution that is valid in one market or industry may not give the same results if it is put into practice in other environments.

In general, unfortunately, very few learn from bad experiences; it is much easier to live in complacency, avoiding change, than to question how things are being done. “If we managed to survive the last crisis, then we must be doing well”… and so we will keep living in the eternal “Bodge As A Service”.
